From d1355cb98f9496764e8976f3047c976743943048 Mon Sep 17 00:00:00 2001
From: Josh Black <raskchanky@gmail.com>
Date: Fri, 4 Oct 2024 11:14:21 -0700
Subject: [PATCH 01/13] explain how -output-curl-string works in comments to
 avoid confusion (#28576)

---
 api/client.go        | 6 ++++++
 api/output_string.go | 6 +++++-
 command/main.go      | 5 +++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/api/client.go b/api/client.go
index 0090321caa7f..d7e61c116cee 100644
--- a/api/client.go
+++ b/api/client.go
@@ -1467,6 +1467,12 @@ START:
 	}
 
 	if outputCurlString {
+		// Note that although we're building this up here and returning it as an error object, the Error()
+		// interface method on it only gets called in a context where the actual string returned from that
+		// method is irrelevant, because it gets swallowed by an error buffer that's never output to the user.
+		// That's on purpose, not a bug, because in this case, OutputStringError is not really an _error_, per se.
+		// It's just a way of aborting the control flow so that requests don't actually execute, and instead,
+		// we can detect what's happened back in the CLI machinery and show the actual curl string to the user.
 		LastOutputStringError = &OutputStringError{
 			Request:       req,
 			TLSSkipVerify: c.config.HttpClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify,
diff --git a/api/output_string.go b/api/output_string.go
index d7777712d209..dbf37e8b3874 100644
--- a/api/output_string.go
+++ b/api/output_string.go
@@ -8,7 +8,7 @@ import (
 	"net/http"
 	"strings"
 
-	retryablehttp "github.com/hashicorp/go-retryablehttp"
+	"github.com/hashicorp/go-retryablehttp"
 )
 
 const (
@@ -25,6 +25,10 @@ type OutputStringError struct {
 	finalCurlString            string
 }
 
+// Error is here so that we can return this struct as an error from client.rawRequestWithContext(). Note that
+// the ErrOutputStringRequest constant is never actually used and is completely irrelevant to how this all functions.
+// We could've just as easily returned an empty string. What matters is the machinery that happens before then where
+// the curl string is built. So yes, this is confusing, but yes, this is also on purpose, and it is not incorrect.
 func (d *OutputStringError) Error() string {
 	if d.finalCurlString == "" {
 		cs, err := d.buildCurlString()
diff --git a/command/main.go b/command/main.go
index 465ec5e6e864..45762d559ac6 100644
--- a/command/main.go
+++ b/command/main.go
@@ -186,6 +186,8 @@ func RunCustom(args []string, runOpts *RunOptions) int {
 		runOpts.Stderr = colorable.NewNonColorable(runOpts.Stderr)
 	}
 
+	// This bytes.Buffer override of the uiErrWriter is why we don't see errors printed to the screen
+	// when running commands with e.g. -output-curl-string
 	uiErrWriter := runOpts.Stderr
 	if outputCurlString || outputPolicy {
 		uiErrWriter = &bytes.Buffer{}
@@ -318,6 +320,9 @@ func generateCurlString(exitCode int, runOpts *RunOptions, preParsingErrBuf *byt
 		return 1
 	}
 
+	// When we actually return from client.rawRequestWithContext(), this value should be set to the OutputStringError
+	// that contains the data/context required to output the actual string, so it's doubtful this chunk of code will
+	// ever run, but I'm guessing it's a defense in depth thing.
 	if api.LastOutputStringError == nil {
 		if exitCode == 127 {
 			// Usage, just pass it through

From 7307c56f59dd453f0031e65fec50b3470aa34f35 Mon Sep 17 00:00:00 2001
From: Josh Black <raskchanky@gmail.com>
Date: Fri, 4 Oct 2024 11:29:03 -0700
Subject: [PATCH 02/13] -agent-address flag should have higher precedence than
 the env var (#28574)

* -agent-address flag should have higher precedence than the env var

* add changelog
---
 changelog/28574.txt | 3 +++
 command/base.go     | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changelog/28574.txt

diff --git a/changelog/28574.txt b/changelog/28574.txt
new file mode 100644
index 000000000000..b3e6c34c8b92
--- /dev/null
+++ b/changelog/28574.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+cli: Fixed a CLI precedence issue where -agent-address didn't override VAULT_AGENT_ADDR as it should
+```
diff --git a/command/base.go b/command/base.go
index 47f7be04a8bc..ceba362e34ba 100644
--- a/command/base.go
+++ b/command/base.go
@@ -106,7 +106,7 @@ func (c *BaseCommand) Client() (*api.Client, error) {
 		config.Address = c.flagAddress
 	}
 	if c.flagAgentProxyAddress != "" {
-		config.Address = c.flagAgentProxyAddress
+		config.AgentAddress = c.flagAgentProxyAddress
 	}
 
 	if c.flagOutputCurlString {

From aeca0cdee64cb79d9ed71e8b28e658f35fbef5e3 Mon Sep 17 00:00:00 2001
From: Guillermo Barroso <barrosoguillermo55@gmail.com>
Date: Fri, 4 Oct 2024 20:33:09 +0200
Subject: [PATCH 03/13] secrets/aws: add sts_region parameter to root config
 (#22726)

* Set region parameter to be used for STS only on AWS secrets engine

* Add changelog

* Fix formatting

* region fix when not setting iam_endpoint or sts_endpoint

* Add 'sts_region' parameter for AWS secrets engine.

* Update TestBackend_PathConfigRoot for aws secrets

* Update changelog entry

---------

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
---
 builtin/logical/aws/client.go                | 3 +++
 builtin/logical/aws/path_config_root.go      | 8 ++++++++
 builtin/logical/aws/path_config_root_test.go | 1 +
 changelog/22726.txt                          | 3 +++
 4 files changed, 15 insertions(+)
 create mode 100644 changelog/22726.txt

diff --git a/builtin/logical/aws/client.go b/builtin/logical/aws/client.go
index dd6a58196631..802abb3d1db7 100644
--- a/builtin/logical/aws/client.go
+++ b/builtin/logical/aws/client.go
@@ -48,6 +48,9 @@ func (b *backend) getRootConfig(ctx context.Context, s logical.Storage, clientTy
 			endpoint = *aws.String(config.IAMEndpoint)
 		case clientType == "sts" && config.STSEndpoint != "":
 			endpoint = *aws.String(config.STSEndpoint)
+			if config.STSRegion != "" {
+				credsConfig.Region = config.STSRegion
+			}
 		}
 
 		if config.IdentityTokenAudience != "" {
diff --git a/builtin/logical/aws/path_config_root.go b/builtin/logical/aws/path_config_root.go
index 93fccc370e71..741c8502d08c 100644
--- a/builtin/logical/aws/path_config_root.go
+++ b/builtin/logical/aws/path_config_root.go
@@ -48,6 +48,10 @@ func pathConfigRoot(b *backend) *framework.Path {
 				Type:        framework.TypeString,
 				Description: "Endpoint to custom STS server URL",
 			},
+			"sts_region": {
+				Type:        framework.TypeString,
+				Description: "Specific region for STS API calls.",
+			},
 			"max_retries": {
 				Type:        framework.TypeInt,
 				Default:     aws.UseServiceDefaultRetries,
@@ -110,6 +114,7 @@ func (b *backend) pathConfigRootRead(ctx context.Context, req *logical.Request,
 		"region":            config.Region,
 		"iam_endpoint":      config.IAMEndpoint,
 		"sts_endpoint":      config.STSEndpoint,
+		"sts_region":        config.STSRegion,
 		"max_retries":       config.MaxRetries,
 		"username_template": config.UsernameTemplate,
 		"role_arn":          config.RoleARN,
@@ -125,6 +130,7 @@ func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request,
 	region := data.Get("region").(string)
 	iamendpoint := data.Get("iam_endpoint").(string)
 	stsendpoint := data.Get("sts_endpoint").(string)
+	stsregion := data.Get("sts_region").(string)
 	maxretries := data.Get("max_retries").(int)
 	roleARN := data.Get("role_arn").(string)
 	usernameTemplate := data.Get("username_template").(string)
@@ -140,6 +146,7 @@ func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request,
 		SecretKey:        data.Get("secret_key").(string),
 		IAMEndpoint:      iamendpoint,
 		STSEndpoint:      stsendpoint,
+		STSRegion:        stsregion,
 		Region:           region,
 		MaxRetries:       maxretries,
 		UsernameTemplate: usernameTemplate,
@@ -193,6 +200,7 @@ type rootConfig struct {
 	SecretKey        string `json:"secret_key"`
 	IAMEndpoint      string `json:"iam_endpoint"`
 	STSEndpoint      string `json:"sts_endpoint"`
+	STSRegion        string `json:"sts_region"`
 	Region           string `json:"region"`
 	MaxRetries       int    `json:"max_retries"`
 	UsernameTemplate string `json:"username_template"`
diff --git a/builtin/logical/aws/path_config_root_test.go b/builtin/logical/aws/path_config_root_test.go
index 783745ac0ed8..9c1ed0476f3a 100644
--- a/builtin/logical/aws/path_config_root_test.go
+++ b/builtin/logical/aws/path_config_root_test.go
@@ -30,6 +30,7 @@ func TestBackend_PathConfigRoot(t *testing.T) {
 		"region":                  "us-west-2",
 		"iam_endpoint":            "https://iam.amazonaws.com",
 		"sts_endpoint":            "https://sts.us-west-2.amazonaws.com",
+		"sts_region":              "",
 		"max_retries":             10,
 		"username_template":       defaultUserNameTemplate,
 		"role_arn":                "",
diff --git a/changelog/22726.txt b/changelog/22726.txt
new file mode 100644
index 000000000000..7da05f79482b
--- /dev/null
+++ b/changelog/22726.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/aws: Add sts_region parameter to root config for STS API calls.
+```
\ No newline at end of file

From bae00721d2a07299f50cdbaf3dc5348d26cc92a3 Mon Sep 17 00:00:00 2001
From: Scott Miller <smiller@hashicorp.com>
Date: Fri, 4 Oct 2024 13:59:40 -0500
Subject: [PATCH 04/13] Dont add the error from validating via issuer signature
 if the subsequent verification from extraCas succeeds (#28597)

* Dont add the error from validating via issuer signature if the subsequent verification from extraCas succeeds

* changelog
---
 changelog/28597.txt       |  3 +++
 sdk/helper/ocsp/client.go | 20 ++++++++++++--------
 2 files changed, 15 insertions(+), 8 deletions(-)
 create mode 100644 changelog/28597.txt

diff --git a/changelog/28597.txt b/changelog/28597.txt
new file mode 100644
index 000000000000..774c200f1adc
--- /dev/null
+++ b/changelog/28597.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: When using ocsp_ca_certificates, an error was produced though extra certs validation succeeded.
+```
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
index 888d2025176b..71f75f168a4a 100644
--- a/sdk/helper/ocsp/client.go
+++ b/sdk/helper/ocsp/client.go
@@ -495,15 +495,19 @@ func validateOCSPParsedResponse(ocspRes *ocsp.Response, subject, issuer *x509.Ce
 			var matchedCA *x509.Certificate
 
 			// Assumption 1 failed, try 2
-			if err := ocspRes.Certificate.CheckSignatureFrom(issuer); err != nil {
-				// Assumption 2 failed, try 3
-				overallErr = multierror.Append(overallErr, err)
-
-				m, err := verifySignature(ocspRes, extraCas)
-				if err != nil {
-					overallErr = multierror.Append(overallErr, err)
+			if sigFromIssuerErr := ocspRes.Certificate.CheckSignatureFrom(issuer); sigFromIssuerErr != nil {
+				if len(extraCas) > 0 {
+					// Assumption 2 failed, try 3
+					m, err := verifySignature(ocspRes, extraCas)
+					if err != nil {
+						overallErr = multierror.Append(overallErr, sigFromIssuerErr)
+						overallErr = multierror.Append(overallErr, err)
+					} else {
+						overallErr = nil
+						matchedCA = m
+					}
 				} else {
-					matchedCA = m
+					overallErr = multierror.Append(overallErr, sigFromIssuerErr)
 				}
 			} else {
 				matchedCA = ocspRes.Certificate

From 05f32b69ee55b934b06ac1e32d5c96d4fd71526d Mon Sep 17 00:00:00 2001
From: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Date: Fri, 4 Oct 2024 13:07:48 -0700
Subject: [PATCH 05/13] UI: upgrade HDS to `4.12.0` (#28525)

* update hds to latest version

* yield dropdown Interactive text instead of use @text arg, results after running codemod

* remaining dropdown changes

* address sidebar nav IconButton deprecation, fix secret tests

* revert

* explicitly select popupmenu

* more test changes

* fix pki toggle button

* remove tracked prop in oidc client controller

* aaand more test updates

* change to tilde

* tilde yarn lock changes

* small cleanup items
---
 ui/app/components/sidebar/frame.hbs           |  6 +-
 ui/app/components/sidebar/user-menu.hbs       |  2 +-
 .../cluster/access/oidc/clients/client.js     | 15 ---
 .../vault/cluster/access/oidc/keys/key.js     | 14 ---
 .../cluster/access/oidc/providers/provider.js | 14 ---
 ui/app/styles/components/popup-menu.scss      |  3 +-
 ui/app/styles/core/element-styling.scss       |  5 -
 .../components/generated-item-list.hbs        | 15 ++-
 .../components/identity/popup-alias.hbs       |  9 +-
 .../components/identity/popup-members.hbs     |  2 +-
 .../components/identity/popup-metadata.hbs    |  2 +-
 .../components/identity/popup-policy.hbs      | 13 ++-
 .../mfa/login-enforcement-list-item.hbs       |  6 +-
 .../components/mfa/method-list-item.hbs       |  6 +-
 .../templates/components/oidc/client-list.hbs |  6 +-
 .../components/oidc/provider-list.hbs         |  6 +-
 .../components/raft-storage-overview.hbs      |  7 +-
 .../components/secret-list/aws-role-item.hbs  | 12 +--
 .../secret-list/database-list-item.hbs        | 19 ++--
 .../templates/components/secret-list/item.hbs | 12 +--
 .../components/secret-list/ssh-role-item.hbs  | 22 ++---
 .../secret-list/transform-list-item.hbs       |  4 +-
 .../transform-transformation-item.hbs         |  4 +-
 ui/app/templates/docs.hbs                     |  2 +-
 .../vault/cluster/access/identity/index.hbs   | 18 ++--
 .../vault/cluster/access/methods.hbs          | 21 ++---
 .../mfa/enforcements/enforcement/index.hbs    |  3 +-
 .../vault/cluster/access/namespaces/index.hbs |  2 +-
 .../cluster/access/oidc/assignments/index.hbs |  6 +-
 .../cluster/access/oidc/clients/client.hbs    |  2 +-
 .../vault/cluster/access/oidc/keys/index.hbs  |  8 +-
 .../vault/cluster/access/oidc/keys/key.hbs    |  2 +-
 .../access/oidc/providers/provider.hbs        |  2 +-
 .../cluster/access/oidc/scopes/index.hbs      |  6 +-
 .../vault/cluster/policies/index.hbs          |  9 +-
 .../vault/cluster/secrets/backends.hbs        | 12 +--
 .../addon/components/messages/page/list.hbs   |  7 +-
 .../core/addon/components/confirm-action.hbs  |  5 +-
 .../addon/templates/credentials/index.hbs     |  9 +-
 ui/lib/kmip/addon/templates/scope/roles.hbs   |  9 +-
 ui/lib/kmip/addon/templates/scopes/index.hbs  |  5 +-
 .../addon/components/page/roles.hbs           |  7 +-
 ui/lib/kv/addon/components/page/list.hbs      | 24 ++---
 .../page/secret/metadata/version-history.hbs  |  6 +-
 .../ldap/addon/components/page/libraries.hbs  | 11 ++-
 ui/lib/ldap/addon/components/page/roles.hbs   | 24 +++--
 .../addon/components/page/pki-issuer-list.hbs |  5 +-
 .../addon/components/page/pki-key-list.hbs    |  6 +-
 .../addon/templates/certificates/index.hbs    |  5 +-
 ui/lib/pki/addon/templates/roles/index.hbs    |  6 +-
 .../templates/mode/secondaries/index.hbs      |  6 +-
 .../components/secrets/page/destinations.hbs  |  9 +-
 .../page/destinations/destination/secrets.hbs | 13 +--
 .../components/secrets/page/overview.hbs      |  6 +-
 ui/package.json                               |  2 +-
 .../access/identity/_shared-tests.js          |  8 +-
 ui/tests/acceptance/auth-list-test.js         |  2 +-
 ui/tests/acceptance/mfa-method-test.js        |  8 +-
 .../acceptance/oidc-config/clients-test.js    |  4 +-
 ui/tests/acceptance/raft-storage-test.js      |  5 +-
 .../secrets/backend/engines-test.js           | 77 +++++++---------
 .../backend/kv/kv-v2-workflow-create-test.js  | 18 ++--
 .../secrets/backend/kv/secret-test.js         | 16 ++--
 .../secret-engine/secret-engine-selectors.ts  |  5 +
 .../components/kv/page/kv-page-list-test.js   |  1 +
 .../components/ldap/page/roles-test.js        |  4 +-
 ui/yarn.lock                                  | 91 ++++++++-----------
 67 files changed, 282 insertions(+), 419 deletions(-)

diff --git a/ui/app/components/sidebar/frame.hbs b/ui/app/components/sidebar/frame.hbs
index 7cd0c84b2f88..2b19db5c9b72 100644
--- a/ui/app/components/sidebar/frame.hbs
+++ b/ui/app/components/sidebar/frame.hbs
@@ -18,9 +18,11 @@
             />
           </:logo>
           <:actions>
-            <Hds::SideNav::Header::IconButton
+            <Hds::Button
+              @isIconOnly={{true}}
+              @size="large"
               @icon="terminal-screen"
-              @ariaLabel="Console toggle"
+              @text="Console toggle"
               data-test-console-toggle
               {{on "click" (fn (mut this.console.isOpen) (not this.console.isOpen))}}
             />
diff --git a/ui/app/components/sidebar/user-menu.hbs b/ui/app/components/sidebar/user-menu.hbs
index dde7f1cec8a7..c46cf1d4b588 100644
--- a/ui/app/components/sidebar/user-menu.hbs
+++ b/ui/app/components/sidebar/user-menu.hbs
@@ -12,7 +12,7 @@
   as |Dropdown|
 >
   <Dropdown.Trigger data-test-user-menu-trigger>
-    <Hds::SideNav::Header::IconButton @icon="user" @ariaLabel="User menu" />
+    <Hds::Button @isIconOnly={{true}} @size="large" @icon="user" @text="User menu" />
   </Dropdown.Trigger>
   <Dropdown.Content>
     <div class="popup-menu-content" data-test-user-menu-content>
diff --git a/ui/app/controllers/vault/cluster/access/oidc/clients/client.js b/ui/app/controllers/vault/cluster/access/oidc/clients/client.js
index e7ac62fb0769..95ecc7cf7fb8 100644
--- a/ui/app/controllers/vault/cluster/access/oidc/clients/client.js
+++ b/ui/app/controllers/vault/cluster/access/oidc/clients/client.js
@@ -5,22 +5,7 @@
 
 import Controller from '@ember/controller';
 import { service } from '@ember/service';
-import { tracked } from '@glimmer/tracking';
 
 export default class OidcClientController extends Controller {
   @service router;
-  @tracked isEditRoute;
-
-  constructor() {
-    super(...arguments);
-    this.router.on(
-      'routeDidChange',
-      ({ targetName }) => (this.isEditRoute = targetName.includes('edit') ? true : false)
-    );
-  }
-
-  get showHeader() {
-    // hide header when rendering the edit form
-    return !this.isEditRoute;
-  }
 }
diff --git a/ui/app/controllers/vault/cluster/access/oidc/keys/key.js b/ui/app/controllers/vault/cluster/access/oidc/keys/key.js
index c66fd874dc6b..833bfabd8dc1 100644
--- a/ui/app/controllers/vault/cluster/access/oidc/keys/key.js
+++ b/ui/app/controllers/vault/cluster/access/oidc/keys/key.js
@@ -5,21 +5,7 @@
 
 import Controller from '@ember/controller';
 import { service } from '@ember/service';
-import { tracked } from '@glimmer/tracking';
 
 export default class OidcKeyController extends Controller {
   @service router;
-  @tracked isEditRoute;
-
-  constructor() {
-    super(...arguments);
-    this.router.on('routeDidChange', ({ targetName }) => {
-      return (this.isEditRoute = targetName.includes('edit') ? true : false);
-    });
-  }
-
-  get showHeader() {
-    // hide header when rendering the edit form
-    return !this.isEditRoute;
-  }
 }
diff --git a/ui/app/controllers/vault/cluster/access/oidc/providers/provider.js b/ui/app/controllers/vault/cluster/access/oidc/providers/provider.js
index 1c360e102a74..53717813091d 100644
--- a/ui/app/controllers/vault/cluster/access/oidc/providers/provider.js
+++ b/ui/app/controllers/vault/cluster/access/oidc/providers/provider.js
@@ -5,21 +5,7 @@
 
 import Controller from '@ember/controller';
 import { service } from '@ember/service';
-import { tracked } from '@glimmer/tracking';
 
 export default class OidcProviderController extends Controller {
   @service router;
-  @tracked isEditRoute;
-
-  constructor() {
-    super(...arguments);
-    this.router.on('routeDidChange', ({ targetName }) => {
-      return (this.isEditRoute = targetName.includes('edit') ? true : false);
-    });
-  }
-
-  get showHeader() {
-    // hide header when rendering the edit form
-    return !this.isEditRoute;
-  }
 }
diff --git a/ui/app/styles/components/popup-menu.scss b/ui/app/styles/components/popup-menu.scss
index 2e279cd112e7..62744ee4eaef 100644
--- a/ui/app/styles/components/popup-menu.scss
+++ b/ui/app/styles/components/popup-menu.scss
@@ -55,7 +55,8 @@
     &:hover {
       background-color: $ui-gray-050;
     }
-    div {
+    div,
+    span {
       margin-left: -$spacing-4;
       font-size: $size-7;
       font-weight: $font-weight-semibold;
diff --git a/ui/app/styles/core/element-styling.scss b/ui/app/styles/core/element-styling.scss
index 596523db175c..b6a71a08bce9 100644
--- a/ui/app/styles/core/element-styling.scss
+++ b/ui/app/styles/core/element-styling.scss
@@ -195,8 +195,3 @@ label {
     cursor: not-allowed;
   }
 }
-
-// TODO remove when HDS has released fix
-.hds-form-masked-input .hds-form-masked-input__toggle-button {
-  margin-right: $spacing-12;
-}
diff --git a/ui/app/templates/components/generated-item-list.hbs b/ui/app/templates/components/generated-item-list.hbs
index f107c81a038e..8808931a10df 100644
--- a/ui/app/templates/components/generated-item-list.hbs
+++ b/ui/app/templates/components/generated-item-list.hbs
@@ -79,20 +79,17 @@
             data-test-popup-menu-trigger
           />
           <dd.Interactive
-            @text="View {{singularize @itemType}}"
             @route="vault.cluster.access.method.item.show"
             @models={{array @methodModel.id @itemType list.item.id}}
-          />
+          >View {{singularize @itemType}}</dd.Interactive>
           <dd.Interactive
-            @text="Edit {{singularize @itemType}}"
             @route="vault.cluster.access.method.item.edit"
             @models={{array @methodModel.id @itemType list.item.id}}
-          />
-          <dd.Interactive
-            @text="Delete {{singularize @itemType}}"
-            @color="critical"
-            {{on "click" (fn (mut this.itemToDelete) list.item)}}
-          />
+          >Edit {{singularize @itemType}}</dd.Interactive>
+          <dd.Interactive @color="critical" {{on "click" (fn (mut this.itemToDelete) list.item)}}>
+            Delete
+            {{singularize @itemType}}
+          </dd.Interactive>
         </Hds::Dropdown>
       </Item.menu>
       {{#if (eq list.item this.itemToDelete)}}
diff --git a/ui/app/templates/components/identity/popup-alias.hbs b/ui/app/templates/components/identity/popup-alias.hbs
index 3608b13d7068..eb56badedd4f 100644
--- a/ui/app/templates/components/identity/popup-alias.hbs
+++ b/ui/app/templates/components/identity/popup-alias.hbs
@@ -12,10 +12,9 @@
       data-test-popup-menu-trigger
     />
     <dd.Interactive
-      @text="Details"
       @route="vault.cluster.access.identity.aliases.show"
       @models={{array (pluralize @item.parentType) @item.id "details"}}
-    />
+    >Details</dd.Interactive>
     {{#if @item.updatePath.isPending}}
       <dd.Generic class="has-text-center">
         <LoadingDropdownOption />
@@ -23,18 +22,16 @@
     {{else}}
       {{#if @item.canEdit}}
         <dd.Interactive
-          @text="Edit"
           @route="vault.cluster.access.identity.aliases.edit"
           @models={{array (pluralize @item.parentType) @item.id}}
-        />
+        >Edit</dd.Interactive>
       {{/if}}
       {{#if @item.canDelete}}
         <dd.Interactive
-          @text="Remove"
           @color="critical"
           {{on "click" (fn (mut this.showConfirmModal) true)}}
           data-test-popup-menu="delete"
-        />
+        >Remove</dd.Interactive>
       {{/if}}
     {{/if}}
   </Hds::Dropdown>
diff --git a/ui/app/templates/components/identity/popup-members.hbs b/ui/app/templates/components/identity/popup-members.hbs
index ff2b30441421..51b19187bae3 100644
--- a/ui/app/templates/components/identity/popup-members.hbs
+++ b/ui/app/templates/components/identity/popup-members.hbs
@@ -11,7 +11,7 @@
       @hasChevron={{false}}
       data-test-popup-menu-trigger
     />
-    <dd.Interactive @text="Remove" @color="critical" {{on "click" (fn (mut this.showConfirmModal) true)}} />
+    <dd.Interactive @color="critical" {{on "click" (fn (mut this.showConfirmModal) true)}}>Remove</dd.Interactive>
   </Hds::Dropdown>
 </div>
 
diff --git a/ui/app/templates/components/identity/popup-metadata.hbs b/ui/app/templates/components/identity/popup-metadata.hbs
index 9954f1c78534..80c516f90bbf 100644
--- a/ui/app/templates/components/identity/popup-metadata.hbs
+++ b/ui/app/templates/components/identity/popup-metadata.hbs
@@ -6,7 +6,7 @@
 <div class="has-text-right">
   <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
     <dd.ToggleIcon @icon="more-horizontal" @text="Metadata options" @hasChevron={{false}} data-test-popup-menu-trigger />
-    <dd.Interactive @text="Remove" @color="critical" {{on "click" (fn (mut this.showConfirmModal) true)}} />
+    <dd.Interactive @color="critical" {{on "click" (fn (mut this.showConfirmModal) true)}}>Remove</dd.Interactive>
   </Hds::Dropdown>
 </div>
 
diff --git a/ui/app/templates/components/identity/popup-policy.hbs b/ui/app/templates/components/identity/popup-policy.hbs
index eef6d33d5829..6f049afdaac6 100644
--- a/ui/app/templates/components/identity/popup-policy.hbs
+++ b/ui/app/templates/components/identity/popup-policy.hbs
@@ -11,13 +11,12 @@
       @hasChevron={{false}}
       data-test-popup-menu-trigger
     />
-    <dd.Interactive @text="View policy" @route="vault.cluster.policy.show" @models={{array "acl" @policyName}} />
-    <dd.Interactive @text="Edit policy" @route="vault.cluster.policy.edit" @models={{array "acl" @policyName}} />
-    <dd.Interactive
-      @text="Remove from {{@model.identityType}}"
-      @color="critical"
-      {{on "click" (fn (mut this.showConfirmModal) true)}}
-    />
+    <dd.Interactive @route="vault.cluster.policy.show" @models={{array "acl" @policyName}}>View policy</dd.Interactive>
+    <dd.Interactive @route="vault.cluster.policy.edit" @models={{array "acl" @policyName}}>Edit policy</dd.Interactive>
+    <dd.Interactive @color="critical" {{on "click" (fn (mut this.showConfirmModal) true)}}>
+      Remove from
+      {{@model.identityType}}
+    </dd.Interactive>
   </Hds::Dropdown>
 </div>
 
diff --git a/ui/app/templates/components/mfa/login-enforcement-list-item.hbs b/ui/app/templates/components/mfa/login-enforcement-list-item.hbs
index 1827e60c27b5..804ca654e626 100644
--- a/ui/app/templates/components/mfa/login-enforcement-list-item.hbs
+++ b/ui/app/templates/components/mfa/login-enforcement-list-item.hbs
@@ -27,17 +27,15 @@
             data-test-popup-menu-trigger
           />
           <dd.Interactive
-            @text="Details"
             @route="vault.cluster.access.mfa.enforcements.enforcement"
             @model={{@model.name}}
             data-test-list-item-link="details"
-          />
+          >Details</dd.Interactive>
           <dd.Interactive
-            @text="Edit"
             @route="vault.cluster.access.mfa.enforcements.enforcement.edit"
             @model={{@model.name}}
             data-test-list-item-link="edit"
-          />
+          >Edit</dd.Interactive>
         </Hds::Dropdown>
       </div>
     </div>
diff --git a/ui/app/templates/components/mfa/method-list-item.hbs b/ui/app/templates/components/mfa/method-list-item.hbs
index 75a719a5a3e6..ef3e9bdf3845 100644
--- a/ui/app/templates/components/mfa/method-list-item.hbs
+++ b/ui/app/templates/components/mfa/method-list-item.hbs
@@ -38,17 +38,15 @@
             data-test-popup-menu-trigger
           />
           <dd.Interactive
-            @text="Details"
             @route="vault.cluster.access.mfa.methods.method"
             @model={{@model.id}}
             data-test-mfa-method-menu-link="details"
-          />
+          >Details</dd.Interactive>
           <dd.Interactive
-            @text="Edit"
             @route="vault.cluster.access.mfa.methods.method.edit"
             @model={{@model.id}}
             data-test-mfa-method-menu-link="edit"
-          />
+          >Edit</dd.Interactive>
         </Hds::Dropdown>
       </div>
     </div>
diff --git a/ui/app/templates/components/oidc/client-list.hbs b/ui/app/templates/components/oidc/client-list.hbs
index 27f00eeea09c..7e89d8665774 100644
--- a/ui/app/templates/components/oidc/client-list.hbs
+++ b/ui/app/templates/components/oidc/client-list.hbs
@@ -34,19 +34,17 @@
               />
               {{#if client.canRead}}
                 <dd.Interactive
-                  @text="Details"
                   @route="vault.cluster.access.oidc.clients.client.details"
                   @model={{client.name}}
                   data-test-oidc-client-menu-link="details"
-                />
+                >Details</dd.Interactive>
               {{/if}}
               {{#if client.canEdit}}
                 <dd.Interactive
-                  @text="Edit"
                   @route="vault.cluster.access.oidc.clients.client.edit"
                   @model={{client.name}}
                   data-test-oidc-client-menu-link="edit"
-                />
+                >Edit</dd.Interactive>
               {{/if}}
             </Hds::Dropdown>
           {{/if}}
diff --git a/ui/app/templates/components/oidc/provider-list.hbs b/ui/app/templates/components/oidc/provider-list.hbs
index d684399fb062..5850cbf07d8d 100644
--- a/ui/app/templates/components/oidc/provider-list.hbs
+++ b/ui/app/templates/components/oidc/provider-list.hbs
@@ -34,19 +34,17 @@
               />
               {{#if provider.canRead}}
                 <dd.Interactive
-                  @text="Details"
                   @route="vault.cluster.access.oidc.providers.provider.details"
                   @model={{provider.name}}
                   data-test-oidc-provider-menu-link="details"
-                />
+                >Details</dd.Interactive>
               {{/if}}
               {{#if provider.canEdit}}
                 <dd.Interactive
-                  @text="Edit"
                   @route="vault.cluster.access.oidc.providers.provider.edit"
                   @model={{provider.name}}
                   data-test-oidc-provider-menu-link="edit"
-                />
+                >Edit</dd.Interactive>
               {{/if}}
             </Hds::Dropdown>
           {{/if}}
diff --git a/ui/app/templates/components/raft-storage-overview.hbs b/ui/app/templates/components/raft-storage-overview.hbs
index 7c4e00100fc3..b9cd94daa903 100644
--- a/ui/app/templates/components/raft-storage-overview.hbs
+++ b/ui/app/templates/components/raft-storage-overview.hbs
@@ -12,13 +12,12 @@
         <dd.Interactive
           @href="/v1/sys/storage/raft/snapshot"
           @isHrefExternal={{false}}
-          @text="Download"
           {{on "click" (action "downloadViaServiceWorker")}}
-        />
+        >Download</dd.Interactive>
       {{else}}
-        <dd.Interactive @text="Download" {{on "click" (action "downloadSnapshot")}} />
+        <dd.Interactive {{on "click" (action "downloadSnapshot")}}>Download</dd.Interactive>
       {{/if}}
-      <dd.Interactive @text="Restore" @route="vault.cluster.storage-restore" />
+      <dd.Interactive @route="vault.cluster.storage-restore">Restore</dd.Interactive>
     </Hds::Dropdown>
   </PH.Actions>
 </Hds::PageHeader>
diff --git a/ui/app/templates/components/secret-list/aws-role-item.hbs b/ui/app/templates/components/secret-list/aws-role-item.hbs
index a995f16e4f15..76b8f3ce2acc 100644
--- a/ui/app/templates/components/secret-list/aws-role-item.hbs
+++ b/ui/app/templates/components/secret-list/aws-role-item.hbs
@@ -36,11 +36,10 @@
           </dd.Generic>
         {{else if @item.canGenerate}}
           <dd.Interactive
-            @text="Generate credentials"
             @route="vault.cluster.secrets.backend.credentials"
             @model={{@item.id}}
             data-test-role-aws-link="generate"
-          />
+          >Generate credentials</dd.Interactive>
         {{/if}}
         {{#if @item.updatePath.isPending}}
           <dd.Generic class="has-text-center">
@@ -49,27 +48,24 @@
         {{else}}
           {{#if @item.canRead}}
             <dd.Interactive
-              @text="Details"
               @route="vault.cluster.secrets.backend.show"
               @model={{@item.id}}
               data-test-role-ssh-link="show"
-            />
+            >Details</dd.Interactive>
           {{/if}}
           {{#if @item.canEdit}}
             <dd.Interactive
-              @text="Edit"
               @route="vault.cluster.secrets.backend.edit"
               @model={{@item.id}}
               data-test-role-ssh-link="edit"
-            />
+            >Edit</dd.Interactive>
           {{/if}}
           {{#if @item.canDelete}}
             <dd.Interactive
-              @text="Delete"
               @color="critical"
               {{on "click" (fn (mut this.showConfirmModal) true)}}
               data-test-aws-role-delete={{@item.id}}
-            />
+            >Delete</dd.Interactive>
           {{/if}}
         {{/if}}
       </Hds::Dropdown>
diff --git a/ui/app/templates/components/secret-list/database-list-item.hbs b/ui/app/templates/components/secret-list/database-list-item.hbs
index 409429dfd3aa..04ea0f438021 100644
--- a/ui/app/templates/components/secret-list/database-list-item.hbs
+++ b/ui/app/templates/components/secret-list/database-list-item.hbs
@@ -34,46 +34,41 @@
           data-test-popup-menu-trigger
         />
         {{#if @item.canEdit}}
-          <dd.Interactive @text="Edit connection" @route="vault.cluster.secrets.backend.edit" @model={{@item.id}} />
+          <dd.Interactive @route="vault.cluster.secrets.backend.edit" @model={{@item.id}}>Edit connection</dd.Interactive>
         {{/if}}
         {{#if @item.canEditRole}}
-          <dd.Interactive @text="Edit Role" @route="vault.cluster.secrets.backend.edit" @model={{concat "role/" @item.id}} />
+          <dd.Interactive @route="vault.cluster.secrets.backend.edit" @model={{concat "role/" @item.id}}>Edit Role</dd.Interactive>
         {{/if}}
         {{#if @item.canReset}}
           <dd.Interactive
-            @text="Reset connection"
             @icon={{if (eq this.actionRunning "reset") "loading"}}
             {{on "click" (fn this.resetConnection @item.id)}}
-          />
+          >Reset connection</dd.Interactive>
         {{/if}}
         {{#if (and (eq @item.type "dynamic") @item.canGenerateCredentials)}}
           <dd.Interactive
-            @text="Generate credentials"
             @route="vault.cluster.secrets.backend.credentials"
             @model={{@item.id}}
             @query={{hash roleType=this.keyTypeValue}}
-          />
+          >Generate credentials</dd.Interactive>
         {{else if (and (eq @item.type "static") @item.canGetCredentials)}}
           <dd.Interactive
-            @text="Get credentials"
             @route="vault.cluster.secrets.backend.credentials"
             @model={{@item.id}}
             @query={{hash roleType=this.keyTypeValue}}
-          />
+          >Get credentials</dd.Interactive>
         {{/if}}
         {{#if (and @item.canRotateRoleCredentials (eq this.keyTypeValue "static"))}}
           <dd.Interactive
-            @text="Rotate credentials"
             @icon={{if (eq this.actionRunning "rotateRole") "loading"}}
             {{on "click" (fn this.rotateRoleCred @item.id)}}
-          />
+          >Rotate credentials</dd.Interactive>
         {{/if}}
         {{#if @item.canRotateRoot}}
           <dd.Interactive
-            @text="Rotate root credentials"
             @icon={{if (eq this.actionRunning "rotateRoot") "loading"}}
             {{on "click" (fn this.rotateRootCred @item.id)}}
-          />
+          >Rotate root credentials</dd.Interactive>
         {{/if}}
       </Hds::Dropdown>
     </div>
diff --git a/ui/app/templates/components/secret-list/item.hbs b/ui/app/templates/components/secret-list/item.hbs
index 4aa54a69807f..12af42a3e8d4 100644
--- a/ui/app/templates/components/secret-list/item.hbs
+++ b/ui/app/templates/components/secret-list/item.hbs
@@ -21,6 +21,7 @@
         @backend={{@backendModel.id}}
         @queryParams={{secret-query-params @backendModel.type @item.type asQueryParams=true}}
         class="has-text-black has-text-weight-semibold"
+        data-test-secret-item-link={{@item.id}}
       >
         {{#if (eq @backendModel.type "transit")}}
           <Icon @name="key" class="has-text-grey-light" />
@@ -39,7 +40,7 @@
           data-test-popup-menu-trigger
         />
         {{#if @item.isFolder}}
-          <dd.Interactive @text="Contents" @route="vault.cluster.secrets.backend.list" @model={{@item.id}} />
+          <dd.Interactive @route="vault.cluster.secrets.backend.list" @model={{@item.id}}>Contents</dd.Interactive>
         {{else}}
           {{#if (or @item.versionPath.isLoading @item.secretPath.isLoading)}}
             <dd.Generic class="has-text-center">
@@ -48,27 +49,24 @@
           {{else}}
             {{#if @item.canRead}}
               <dd.Interactive
-                @text="Details"
                 @route="vault.cluster.secrets.backend.show"
                 @model={{@item.id}}
                 @query={{secret-query-params @backendModel.type @item.type asQueryParams=true}}
-              />
+              >Details</dd.Interactive>
             {{/if}}
             {{#if @item.canEdit}}
               <dd.Interactive
-                @text="Edit"
                 @route="vault.cluster.secrets.backend.edit"
                 @model={{@item.id}}
                 @query={{secret-query-params @backendModel.type @item.type asQueryParams=true}}
-              />
+              >Edit</dd.Interactive>
             {{/if}}
             {{#if @item.canDelete}}
               <dd.Interactive
-                @text="Delete"
                 @color="critical"
                 data-test-confirm-action-trigger
                 {{on "click" (fn (mut this.showConfirmModal) true)}}
-              />
+              >Delete</dd.Interactive>
             {{/if}}
           {{/if}}
         {{/if}}
diff --git a/ui/app/templates/components/secret-list/ssh-role-item.hbs b/ui/app/templates/components/secret-list/ssh-role-item.hbs
index aa6c295704e8..b137c41798e6 100644
--- a/ui/app/templates/components/secret-list/ssh-role-item.hbs
+++ b/ui/app/templates/components/secret-list/ssh-role-item.hbs
@@ -50,11 +50,10 @@
               </dd.Generic>
             {{else if @item.canGenerate}}
               <dd.Interactive
-                @text="Generate credentials"
                 @route="vault.cluster.secrets.backend.credentials"
                 @model={{@item.id}}
                 data-test-role-ssh-link="generate"
-              />
+              >Generate credentials</dd.Interactive>
             {{/if}}
           {{else if (eq @item.keyType "ca")}}
             {{#if @item.signPath.isPending}}
@@ -63,11 +62,10 @@
               </dd.Generic>
             {{else if @item.canGenerate}}
               <dd.Interactive
-                @text="Sign Keys"
                 @route="vault.cluster.secrets.backend.sign"
                 @model={{@item.id}}
                 data-test-role-ssh-link="generate"
-              />
+              >Sign Keys</dd.Interactive>
             {{/if}}
           {{/if}}
           {{#if @loadingToggleZeroAddress}}
@@ -75,10 +73,9 @@
               <LoadingDropdownOption />
             </dd.Generic>
           {{else if @item.canEditZeroAddress}}
-            <dd.Interactive
-              @text={{if @item.zeroAddress "Disable Zero Address" "Enable Zero Address"}}
-              {{on "click" @toggleZeroAddress}}
-            />
+            <dd.Interactive {{on "click" @toggleZeroAddress}}>
+              {{if @item.zeroAddress "Disable Zero Address" "Enable Zero Address"}}
+            </dd.Interactive>
           {{/if}}
           {{#if @item.updatePath.isPending}}
             <dd.Generic class="has-text-center">
@@ -87,27 +84,24 @@
           {{else}}
             {{#if @item.canRead}}
               <dd.Interactive
-                @text="Details"
                 @route="vault.cluster.secrets.backend.show"
                 @model={{@item.id}}
                 data-test-role-ssh-link="show"
-              />
+              >Details</dd.Interactive>
             {{/if}}
             {{#if @item.canEdit}}
               <dd.Interactive
-                @text="Edit"
                 @route="vault.cluster.secrets.backend.edit"
                 @model={{@item.id}}
                 data-test-role-ssh-link="edit"
-              />
+              >Edit</dd.Interactive>
             {{/if}}
             {{#if @item.canDelete}}
               <dd.Interactive
-                @text="Delete"
                 @color="critical"
                 {{on "click" (fn (mut this.showConfirmModal) true)}}
                 data-test-ssh-role-delete
-              />
+              >Delete</dd.Interactive>
             {{/if}}
           {{/if}}
         </Hds::Dropdown>
diff --git a/ui/app/templates/components/secret-list/transform-list-item.hbs b/ui/app/templates/components/secret-list/transform-list-item.hbs
index 18c176ac0db7..94e8c28a39bd 100644
--- a/ui/app/templates/components/secret-list/transform-list-item.hbs
+++ b/ui/app/templates/components/secret-list/transform-list-item.hbs
@@ -33,10 +33,10 @@
               data-test-popup-menu-trigger
             />
             {{#if @item.updatePath.canRead}}
-              <dd.Interactive @text="Details" @route="vault.cluster.secrets.backend.show" @model={{@itemPath}} />
+              <dd.Interactive @route="vault.cluster.secrets.backend.show" @model={{@itemPath}}>Details</dd.Interactive>
             {{/if}}
             {{#if @item.updatePath.canUpdate}}
-              <dd.Interactive @text="Edit" @route="vault.cluster.secrets.backend.edit" @model={{@itemPath}} />
+              <dd.Interactive @route="vault.cluster.secrets.backend.edit" @model={{@itemPath}}>Edit</dd.Interactive>
             {{/if}}
           </Hds::Dropdown>
         {{/if}}
diff --git a/ui/app/templates/components/secret-list/transform-transformation-item.hbs b/ui/app/templates/components/secret-list/transform-transformation-item.hbs
index 37fd28ccac52..a1d8cc7548ee 100644
--- a/ui/app/templates/components/secret-list/transform-transformation-item.hbs
+++ b/ui/app/templates/components/secret-list/transform-transformation-item.hbs
@@ -33,10 +33,10 @@
             data-test-popup-menu-trigger
           />
           {{#if @item.updatePath.canRead}}
-            <dd.Interactive @text="Details" @route="vault.cluster.secrets.backend.show" @model={{@item.id}} />
+            <dd.Interactive @route="vault.cluster.secrets.backend.show" @model={{@item.id}}>Details</dd.Interactive>
           {{/if}}
           {{#if @item.updatePath.canUpdate}}
-            <dd.Interactive @text="Edit" @route="vault.cluster.secrets.backend.edit" @model={{@item.id}} />
+            <dd.Interactive @route="vault.cluster.secrets.backend.edit" @model={{@item.id}}>Edit</dd.Interactive>
           {{/if}}
         </Hds::Dropdown>
       {{/if}}
diff --git a/ui/app/templates/docs.hbs b/ui/app/templates/docs.hbs
index 27b4f56a80f4..500bd5fc4349 100644
--- a/ui/app/templates/docs.hbs
+++ b/ui/app/templates/docs.hbs
@@ -15,7 +15,7 @@
                   <Hds::SideNav::Header::HomeLink @icon="vault" @route="vault" @ariaLabel="Vault dashboard" />
                 </:logo>
                 <:actions>
-                  <Hds::SideNav::Header::IconButton @icon="home" @ariaLabel="Docs index" @route="docs" />
+                  <Hds::Button @isIconOnly={{true}} @icon="home" @text="Docs index" @route="docs" />
                 </:actions>
               </Hds::SideNav::Header>
             </:header>
diff --git a/ui/app/templates/vault/cluster/access/identity/index.hbs b/ui/app/templates/vault/cluster/access/identity/index.hbs
index de21aa26f668..03cccc36df9d 100644
--- a/ui/app/templates/vault/cluster/access/identity/index.hbs
+++ b/ui/app/templates/vault/cluster/access/identity/index.hbs
@@ -41,10 +41,9 @@
               data-test-popup-menu-trigger
             />
             <dd.Interactive
-              @text="Details"
               @route="vault.cluster.access.identity.show"
               @models={{array item.id "details"}}
-            />
+            >Details</dd.Interactive>
             {{#if (or item.isReloading item.updatePath.isPending item.aliasPath.isPending)}}
               <dd.Generic class="has-text-center">
                 <LoadingDropdownOption />
@@ -55,27 +54,28 @@
                 {{#if (or (eq this.identityType "entity") (and (eq item.type "external") (not item.alias)))}}
                   <dd.Interactive
                     data-test-popup-menu="create alias"
-                    @text="Create alias"
                     @route="vault.cluster.access.identity.aliases.add"
                     @models={{array (pluralize this.identityType) item.id}}
-                  />
+                  >Create alias</dd.Interactive>
                 {{/if}}
               {{/if}}
               {{#if item.canEdit}}
-                <dd.Interactive @text="Edit" @route="vault.cluster.access.identity.edit" @model={{item.id}} />
+                <dd.Interactive @route="vault.cluster.access.identity.edit" @model={{item.id}}>Edit</dd.Interactive>
                 {{#if item.disabled}}
-                  <dd.Interactive @text="Enable" {{on "click" (action "toggleDisabled" item)}} />
+                  <dd.Interactive {{on "click" (action "toggleDisabled" item)}}>Enable</dd.Interactive>
                 {{else if (eq this.identityType "entity")}}
-                  <dd.Interactive @text="Disable" @color="critical" {{on "click" (fn (mut this.entityToDisable) item)}} />
+                  <dd.Interactive
+                    @color="critical"
+                    {{on "click" (fn (mut this.entityToDisable) item)}}
+                  >Disable</dd.Interactive>
                 {{/if}}
               {{/if}}
               {{#if item.canDelete}}
                 <dd.Interactive
-                  @text="Delete"
                   @color="critical"
                   {{on "click" (fn (mut this.itemToDelete) item)}}
                   data-test-popup-menu="delete"
-                />
+                >Delete</dd.Interactive>
               {{/if}}
             {{/if}}
           </Hds::Dropdown>
diff --git a/ui/app/templates/vault/cluster/access/methods.hbs b/ui/app/templates/vault/cluster/access/methods.hbs
index 3efa7fb88fd4..01d92eba451b 100644
--- a/ui/app/templates/vault/cluster/access/methods.hbs
+++ b/ui/app/templates/vault/cluster/access/methods.hbs
@@ -76,20 +76,19 @@
               @hasChevron={{false}}
               data-test-popup-menu-trigger
             />
-            <dd.Interactive
-              @text="View configuration"
-              @route="vault.cluster.access.method.section"
-              @models={{array method.id "configuration"}}
-            />
+            <dd.Interactive @route="vault.cluster.access.method.section" @models={{array method.id "configuration"}}>
+              View configuration
+            </dd.Interactive>
             {{#if (or method.canEdit (and (eq method.methodType "aws") method.canEditAws))}}
-              <dd.Interactive
-                @text="Edit configuration"
-                @route="vault.cluster.settings.auth.configure"
-                @model={{method.id}}
-              />
+              <dd.Interactive @route="vault.cluster.settings.auth.configure" @model={{method.id}}>
+                Edit configuration
+              </dd.Interactive>
             {{/if}}
             {{#if (and (not-eq method.methodType "token") method.canDisable)}}
-              <dd.Interactive @text="Disable" @color="critical" {{on "click" (fn (mut this.methodToDisable) method)}} />
+              <dd.Interactive
+                @color="critical"
+                {{on "click" (fn (mut this.methodToDisable) method)}}
+              >Disable</dd.Interactive>
             {{/if}}
           </Hds::Dropdown>
         </div>
diff --git a/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/index.hbs b/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/index.hbs
index 46900af36feb..7932f9f5f880 100644
--- a/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/index.hbs
+++ b/ui/app/templates/vault/cluster/access/mfa/enforcements/enforcement/index.hbs
@@ -93,11 +93,10 @@
                     data-test-popup-menu-trigger
                   />
                   <dd.Interactive
-                    @text="Details"
                     @route={{target.link}}
                     @models={{target.linkModels}}
                     data-test-target-link={{target.title}}
-                  />
+                  >Details</dd.Interactive>
                 </Hds::Dropdown>
               </div>
             </div>
diff --git a/ui/app/templates/vault/cluster/access/namespaces/index.hbs b/ui/app/templates/vault/cluster/access/namespaces/index.hbs
index 169753405e22..6c2b8f6b3595 100644
--- a/ui/app/templates/vault/cluster/access/namespaces/index.hbs
+++ b/ui/app/templates/vault/cluster/access/namespaces/index.hbs
@@ -46,7 +46,7 @@
                 </dd.Generic>
               {{/if}}
             {{/let}}
-            <dd.Interactive @text="Delete" @color="critical" {{on "click" (fn (mut this.nsToDelete) list.item)}} />
+            <dd.Interactive @color="critical" {{on "click" (fn (mut this.nsToDelete) list.item)}}>Delete</dd.Interactive>
           </Hds::Dropdown>
           {{#if (eq this.nsToDelete list.item)}}
             <ConfirmModal
diff --git a/ui/app/templates/vault/cluster/access/oidc/assignments/index.hbs b/ui/app/templates/vault/cluster/access/oidc/assignments/index.hbs
index 25f46ddbb020..a938d1b86a17 100644
--- a/ui/app/templates/vault/cluster/access/oidc/assignments/index.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/assignments/index.hbs
@@ -46,19 +46,17 @@
                 data-test-popup-menu-trigger
               />
               <dd.Interactive
-                @text="Details"
                 @route="vault.cluster.access.oidc.assignments.assignment.details"
                 @model={{model.name}}
                 @disabled={{eq model.canRead false}}
                 data-test-oidc-assignment-menu-link="details"
-              />
+              >Details</dd.Interactive>
               <dd.Interactive
-                @text="Edit"
                 @route="vault.cluster.access.oidc.assignments.assignment.edit"
                 @model={{model.name}}
                 @disabled={{eq model.canEdit false}}
                 data-test-oidc-assignment-menu-link="edit"
-              />
+              >Edit</dd.Interactive>
             </Hds::Dropdown>
           </div>
         </div>
diff --git a/ui/app/templates/vault/cluster/access/oidc/clients/client.hbs b/ui/app/templates/vault/cluster/access/oidc/clients/client.hbs
index 546493397863..ffee2802fbe8 100644
--- a/ui/app/templates/vault/cluster/access/oidc/clients/client.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/clients/client.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-{{#if this.showHeader}}
+{{#if (not-eq this.router.currentRoute.localName "edit")}}
   <PageHeader as |p|>
     <p.top>
       <Hds::Breadcrumb>
diff --git a/ui/app/templates/vault/cluster/access/oidc/keys/index.hbs b/ui/app/templates/vault/cluster/access/oidc/keys/index.hbs
index 2995b2cb5347..377e3238fe34 100644
--- a/ui/app/templates/vault/cluster/access/oidc/keys/index.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/keys/index.hbs
@@ -21,7 +21,7 @@
       <div class="level-left">
         <div>
           <Icon @name="key" class="has-text-grey-light" />
-          <span class="has-text-weight-semibold is-underline">
+          <span class="has-text-weight-semibold is-underline" data-test-item>
             {{model.name}}
           </span>
         </div>
@@ -36,19 +36,17 @@
               data-test-popup-menu-trigger
             />
             <dd.Interactive
-              @text="Details"
               @route="vault.cluster.access.oidc.keys.key.details"
               @model={{model.name}}
               @disabled={{eq model.canRead false}}
               data-test-oidc-key-menu-link="details"
-            />
+            >Details</dd.Interactive>
             <dd.Interactive
-              @text="Edit"
               @route="vault.cluster.access.oidc.keys.key.edit"
               @model={{model.name}}
               @disabled={{eq model.canEdit false}}
               data-test-oidc-key-menu-link="edit"
-            />
+            >Edit</dd.Interactive>
           </Hds::Dropdown>
         </div>
       </div>
diff --git a/ui/app/templates/vault/cluster/access/oidc/keys/key.hbs b/ui/app/templates/vault/cluster/access/oidc/keys/key.hbs
index 8ed90248a7e9..57b92fa36d74 100644
--- a/ui/app/templates/vault/cluster/access/oidc/keys/key.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/keys/key.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-{{#if this.showHeader}}
+{{#if (not-eq this.router.currentRoute.localName "edit")}}
   <PageHeader as |p|>
     <p.top>
       <Hds::Breadcrumb>
diff --git a/ui/app/templates/vault/cluster/access/oidc/providers/provider.hbs b/ui/app/templates/vault/cluster/access/oidc/providers/provider.hbs
index abdcb1235cc7..08407ac09ac8 100644
--- a/ui/app/templates/vault/cluster/access/oidc/providers/provider.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/providers/provider.hbs
@@ -3,7 +3,7 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-{{#if this.showHeader}}
+{{#if (not-eq this.router.currentRoute.localName "edit")}}
   <PageHeader as |p|>
     <p.top>
       <Hds::Breadcrumb>
diff --git a/ui/app/templates/vault/cluster/access/oidc/scopes/index.hbs b/ui/app/templates/vault/cluster/access/oidc/scopes/index.hbs
index 0747bde83971..21237bcd31ec 100644
--- a/ui/app/templates/vault/cluster/access/oidc/scopes/index.hbs
+++ b/ui/app/templates/vault/cluster/access/oidc/scopes/index.hbs
@@ -37,19 +37,17 @@
                 data-test-popup-menu-trigger
               />
               <dd.Interactive
-                @text="Details"
                 @route="vault.cluster.access.oidc.scopes.scope.details"
                 @model={{model.name}}
                 @disabled={{eq model.canRead false}}
                 data-test-oidc-scope-menu-link="details"
-              />
+              >Details</dd.Interactive>
               <dd.Interactive
-                @text="Edit"
                 @route="vault.cluster.access.oidc.scopes.scope.edit"
                 @model={{model.name}}
                 @disabled={{eq model.canEdit false}}
                 data-test-oidc-scope-menu-link="edit"
-              />
+              >Edit</dd.Interactive>
             </Hds::Dropdown>
           </div>
         </div>
diff --git a/ui/app/templates/vault/cluster/policies/index.hbs b/ui/app/templates/vault/cluster/policies/index.hbs
index df42c3bd8735..fc010973279e 100644
--- a/ui/app/templates/vault/cluster/policies/index.hbs
+++ b/ui/app/templates/vault/cluster/policies/index.hbs
@@ -105,27 +105,24 @@
                 {{else}}
                   {{#if item.canRead}}
                     <dd.Interactive
-                      @text="Details"
                       @route="vault.cluster.policy.show"
                       @models={{array this.policyType item.id}}
                       data-test-policy-link="show"
-                    />
+                    >Details</dd.Interactive>
                   {{/if}}
                   {{#if item.canEdit}}
                     <dd.Interactive
-                      @text="Edit"
                       @route="vault.cluster.policy.edit"
                       @models={{array this.policyType item.id}}
                       data-test-policy-link="edit"
-                    />
+                    >Edit</dd.Interactive>
                   {{/if}}
                   {{#if (and item.canDelete (not-eq item.name "default"))}}
                     <dd.Interactive
-                      @text="Delete"
                       @color="critical"
                       data-test-confirm-action-trigger
                       {{on "click" (fn (mut this.policyToDelete) item)}}
-                    />
+                    >Delete</dd.Interactive>
                   {{/if}}
                 {{/if}}
               </Hds::Dropdown>
diff --git a/ui/app/templates/vault/cluster/secrets/backends.hbs b/ui/app/templates/vault/cluster/secrets/backends.hbs
index 5457cb4328e7..dc7f510cc45e 100644
--- a/ui/app/templates/vault/cluster/secrets/backends.hbs
+++ b/ui/app/templates/vault/cluster/secrets/backends.hbs
@@ -94,19 +94,15 @@
           @hasChevron={{false}}
           data-test-popup-menu-trigger
         />
-        <dd.Interactive
-          @text="View configuration"
-          @route={{backend.backendConfigurationLink}}
-          @model={{backend.id}}
-          data-test-engine-config
-        />
+        <dd.Interactive @route={{backend.backendConfigurationLink}} @model={{backend.id}} data-test-engine-config>
+          View configuration
+        </dd.Interactive>
         {{#if (not-eq backend.type "cubbyhole")}}
           <dd.Interactive
-            @text="Disable"
             @color="critical"
             {{on "click" (fn (mut this.engineToDisable) backend)}}
             data-test-confirm-action-trigger
-          />
+          >Disable</dd.Interactive>
         {{/if}}
       </Hds::Dropdown>
     </div>
diff --git a/ui/lib/config-ui/addon/components/messages/page/list.hbs b/ui/lib/config-ui/addon/components/messages/page/list.hbs
index 9b7a7c99447e..9ec8b4b285df 100644
--- a/ui/lib/config-ui/addon/components/messages/page/list.hbs
+++ b/ui/lib/config-ui/addon/components/messages/page/list.hbs
@@ -113,10 +113,13 @@
                   data-test-popup-menu-trigger
                 />
                 {{#if message.canEditCustomMessages}}
-                  <dd.Interactive @text="Edit" @route="messages.message.edit" @model={{message.id}} />
+                  <dd.Interactive @route="messages.message.edit" @model={{message.id}}>Edit</dd.Interactive>
                 {{/if}}
                 {{#if message.canDeleteCustomMessages}}
-                  <dd.Interactive @text="Delete" @color="critical" {{on "click" (fn (mut this.messageToDelete) message)}} />
+                  <dd.Interactive
+                    @color="critical"
+                    {{on "click" (fn (mut this.messageToDelete) message)}}
+                  >Delete</dd.Interactive>
                 {{/if}}
               </Hds::Dropdown>
             {{/if}}
diff --git a/ui/lib/core/addon/components/confirm-action.hbs b/ui/lib/core/addon/components/confirm-action.hbs
index 019d1246fce7..e66ee1eecb90 100644
--- a/ui/lib/core/addon/components/confirm-action.hbs
+++ b/ui/lib/core/addon/components/confirm-action.hbs
@@ -7,13 +7,14 @@
   {{! Hds component renders <li> and <button> elements }}
   <Hds::Dropdown::ListItem::Interactive
     data-test-confirm-action-trigger
-    @text={{@buttonText}}
     @color="critical"
     {{on "click" (fn (mut this.showConfirmModal) true)}}
     ...attributes
     {{! remove class when dropdown/popup menus are replaced with Hds::Dropdown }}
     class="hds-confirm-action-critical"
-  />
+  >
+    {{@buttonText}}
+  </Hds::Dropdown::ListItem::Interactive>
 {{else}}
   <Hds::Button
     data-test-confirm-action-trigger
diff --git a/ui/lib/kmip/addon/templates/credentials/index.hbs b/ui/lib/kmip/addon/templates/credentials/index.hbs
index 41595619ebc1..948a15928b59 100644
--- a/ui/lib/kmip/addon/templates/credentials/index.hbs
+++ b/ui/lib/kmip/addon/templates/credentials/index.hbs
@@ -71,22 +71,17 @@
       <Item.menu>
         <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
           <dd.ToggleIcon @icon="more-horizontal" @text="More options" @hasChevron={{false}} data-test-popup-menu-trigger />
-          <dd.Interactive
-            @text="View credentials"
-            @route="credentials.show"
-            @models={{array this.scope this.role list.item.id}}
-          />
+          <dd.Interactive @route="credentials.show" @models={{array this.scope this.role list.item.id}}>View credentials</dd.Interactive>
           {{#if list.item.deletePath.isPending}}
             <dd.Generic>
               <LoadingDropdownOption />
             </dd.Generic>
           {{else if list.item.deletePath.canDelete}}
             <dd.Interactive
-              @text="Revoke credentials"
               @color="critical"
               {{on "click" (fn (mut this.credToRevoke) list.item)}}
               data-test-confirm-action-trigger
-            />
+            >Revoke credentials</dd.Interactive>
           {{/if}}
         </Hds::Dropdown>
         {{#if (eq this.credToRevoke list.item)}}
diff --git a/ui/lib/kmip/addon/templates/scope/roles.hbs b/ui/lib/kmip/addon/templates/scope/roles.hbs
index b9370ce2cc65..b3b670f17766 100644
--- a/ui/lib/kmip/addon/templates/scope/roles.hbs
+++ b/ui/lib/kmip/addon/templates/scope/roles.hbs
@@ -71,23 +71,22 @@
       <Item.menu>
         <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
           <dd.ToggleIcon @icon="more-horizontal" @text="More options" @hasChevron={{false}} data-test-popup-menu-trigger />
-          <dd.Interactive @text="View credentials" @route="credentials" @models={{array this.scope list.item.id}} />
-          <dd.Interactive @text="View role" @route="role" @models={{array this.scope list.item.id}} />
+          <dd.Interactive @route="credentials" @models={{array this.scope list.item.id}}>View credentials</dd.Interactive>
+          <dd.Interactive @route="role" @models={{array this.scope list.item.id}}>View role</dd.Interactive>
           {{#if list.item.updatePath.isPending}}
             <dd.Generic>
               <LoadingDropdownOption />
             </dd.Generic>
           {{else}}
             {{#if list.item.updatePath.canUpdate}}
-              <dd.Interactive @text="Edit role" @route="role.edit" @models={{array this.scope list.item.id}} />
+              <dd.Interactive @route="role.edit" @models={{array this.scope list.item.id}}>Edit role</dd.Interactive>
             {{/if}}
             {{#if list.item.updatePath.canDelete}}
               <dd.Interactive
-                @text="Delete role"
                 @color="critical"
                 {{on "click" (fn (mut this.roleToDelete) list.item)}}
                 data-test-confirm-action-trigger
-              />
+              >Delete role</dd.Interactive>
             {{/if}}
           {{/if}}
         </Hds::Dropdown>
diff --git a/ui/lib/kmip/addon/templates/scopes/index.hbs b/ui/lib/kmip/addon/templates/scopes/index.hbs
index 4af903b79d9f..d9fbf3a83200 100644
--- a/ui/lib/kmip/addon/templates/scopes/index.hbs
+++ b/ui/lib/kmip/addon/templates/scopes/index.hbs
@@ -60,18 +60,17 @@
       <Item.menu>
         <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
           <dd.ToggleIcon @icon="more-horizontal" @text="More options" @hasChevron={{false}} data-test-popup-menu-trigger />
-          <dd.Interactive @text="View scope" @route="scope" @model={{list.item.id}} />
+          <dd.Interactive @route="scope" @model={{list.item.id}}>View scope</dd.Interactive>
           {{#if list.item.updatePath.isPending}}
             <dd.Generic>
               <LoadingDropdownOption />
             </dd.Generic>
           {{else if list.item.updatePath.canDelete}}
             <dd.Interactive
-              @text="Delete scope"
               @color="critical"
               {{on "click" (fn (mut this.scopeToDelete) list.item)}}
               data-test-confirm-action-trigger
-            />
+            >Delete scope</dd.Interactive>
           {{/if}}
         </Hds::Dropdown>
         {{#if (eq this.scopeToDelete list.item)}}
diff --git a/ui/lib/kubernetes/addon/components/page/roles.hbs b/ui/lib/kubernetes/addon/components/page/roles.hbs
index 810b45ae5f54..6000a103e7bf 100644
--- a/ui/lib/kubernetes/addon/components/page/roles.hbs
+++ b/ui/lib/kubernetes/addon/components/page/roles.hbs
@@ -49,18 +49,17 @@
                 data-test-popup-menu-trigger
               />
               {{#if role.canRead}}
-                <dd.Interactive @text="Details" @route="roles.role.details" @model={{role}} data-test-details />
+                <dd.Interactive @route="roles.role.details" @model={{role}} data-test-details>Details</dd.Interactive>
               {{/if}}
               {{#if role.canEdit}}
-                <dd.Interactive @text="Edit" data-test-edit @route="roles.role.edit" @model={{role}} />
+                <dd.Interactive data-test-edit @route="roles.role.edit" @model={{role}}>Edit</dd.Interactive>
               {{/if}}
               {{#if role.canDelete}}
                 <dd.Interactive
-                  @text="Delete"
                   data-test-delete
                   @color="critical"
                   {{on "click" (fn (mut this.roleToDelete) role)}}
-                />
+                >Delete</dd.Interactive>
               {{/if}}
             </Hds::Dropdown>
           {{/if}}
diff --git a/ui/lib/kv/addon/components/page/list.hbs b/ui/lib/kv/addon/components/page/list.hbs
index abc35fa329a1..64ac1bc6ccce 100644
--- a/ui/lib/kv/addon/components/page/list.hbs
+++ b/ui/lib/kv/addon/components/page/list.hbs
@@ -84,7 +84,7 @@
           <div class="level-left">
             <div>
               <Icon @name={{if metadata.pathIsDirectory "folder" "file"}} class="has-text-grey-light" />
-              <span class="has-text-weight-semibold is-underline">
+              <span class="has-text-weight-semibold is-underline" data-test-path>
                 {{metadata.path}}
               </span>
             </div>
@@ -100,35 +100,25 @@
                 />
                 {{#if metadata.pathIsDirectory}}
                   <dd.Interactive
-                    @text="Content"
                     @route="list-directory"
                     @models={{array @backend metadata.fullSecretPath}}
-                  />
+                  >Content</dd.Interactive>
                 {{else}}
                   <dd.Interactive
-                    @text="Overview"
                     @route="secret.index"
                     @models={{array @backend metadata.fullSecretPath}}
-                  />
-                  <dd.Interactive
-                    @text="Secret data"
-                    @route="secret.details"
-                    @models={{array @backend metadata.fullSecretPath}}
-                  />
+                  >Overview</dd.Interactive>
+                  <dd.Interactive @route="secret.details" @models={{array @backend metadata.fullSecretPath}}>Secret data</dd.Interactive>
                   {{#if metadata.canReadMetadata}}
-                    <dd.Interactive
-                      @text="View version history"
-                      @route="secret.metadata.versions"
-                      @models={{array @backend metadata.fullSecretPath}}
-                    />
+                    <dd.Interactive @route="secret.metadata.versions" @models={{array @backend metadata.fullSecretPath}}>
+                      View version history</dd.Interactive>
                   {{/if}}
                   {{#if metadata.canDeleteMetadata}}
                     <dd.Interactive
-                      @text="Permanently delete"
                       @color="critical"
                       {{on "click" (fn (mut this.metadataToDelete) metadata)}}
                       data-test-popup-metadata-delete
-                    />
+                    >Permanently delete</dd.Interactive>
                   {{/if}}
                 {{/if}}
               </Hds::Dropdown>
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs b/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs
index db914d3345d4..3f62c6dd6658 100644
--- a/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs
+++ b/ui/lib/kv/addon/components/page/secret/metadata/version-history.hbs
@@ -98,19 +98,17 @@
                 data-test-popup-menu-trigger
               />
               <dd.Interactive
-                @text="View version {{versionData.version}}"
                 @route="secret.details"
                 @models={{array @backend @path}}
                 @query={{hash version=versionData.version}}
-              />
+              >View version {{versionData.version}}</dd.Interactive>
               {{#if (and @metadata.canCreateVersionData (not versionData.destroyed) (not versionData.isSecretDeleted))}}
                 <dd.Interactive
-                  @text="Create new version from {{versionData.version}}"
                   @route="secret.details.edit"
                   @models={{array @backend @path}}
                   @query={{hash version=versionData.version}}
                   data-test-create-new-version-from={{versionData.version}}
-                />
+                >Create new version from {{versionData.version}}</dd.Interactive>
               {{/if}}
             </Hds::Dropdown>
           </div>
diff --git a/ui/lib/ldap/addon/components/page/libraries.hbs b/ui/lib/ldap/addon/components/page/libraries.hbs
index 01f41696e8b2..b881dff58a4a 100644
--- a/ui/lib/ldap/addon/components/page/libraries.hbs
+++ b/ui/lib/ldap/addon/components/page/libraries.hbs
@@ -58,18 +58,21 @@
                 data-test-popup-menu-trigger
               />
               {{#if library.canEdit}}
-                <dd.Interactive @text="Edit" data-test-edit @route="libraries.library.edit" @model={{library}} />
+                <dd.Interactive data-test-edit @route="libraries.library.edit" @model={{library}}>Edit</dd.Interactive>
               {{/if}}
               {{#if library.canRead}}
-                <dd.Interactive @text="Details" data-test-details @route="libraries.library.details" @model={{library}} />
+                <dd.Interactive
+                  data-test-details
+                  @route="libraries.library.details"
+                  @model={{library}}
+                >Details</dd.Interactive>
               {{/if}}
               {{#if library.canDelete}}
                 <dd.Interactive
-                  @text="Delete"
                   data-test-delete
                   @color="critical"
                   {{on "click" (fn (mut this.libraryToDelete) library)}}
-                />
+                >Delete</dd.Interactive>
               {{/if}}
             </Hds::Dropdown>
           {{/if}}
diff --git a/ui/lib/ldap/addon/components/page/roles.hbs b/ui/lib/ldap/addon/components/page/roles.hbs
index 740c9d92e9b7..c2cd35bdb3b0 100644
--- a/ui/lib/ldap/addon/components/page/roles.hbs
+++ b/ui/lib/ldap/addon/components/page/roles.hbs
@@ -53,38 +53,36 @@
           <Hds::Dropdown @isInline={{true}} @listPosition="bottom-right" as |dd|>
             <dd.ToggleIcon @icon="more-horizontal" @text="More options" @hasChevron={{false}} data-test-popup-menu-trigger />
             {{#if role.canEdit}}
-              <dd.Interactive @text="Edit" data-test-edit @route="roles.role.edit" @models={{array role.type role.name}} />
-            {{/if}}
-            {{#if role.canReadCreds}}
               <dd.Interactive
-                @text="Get credentials"
-                data-test-get-creds
-                @route="roles.role.credentials"
+                data-test-edit
+                @route="roles.role.edit"
                 @models={{array role.type role.name}}
-              />
+              >Edit</dd.Interactive>
+            {{/if}}
+            {{#if role.canReadCreds}}
+              <dd.Interactive data-test-get-creds @route="roles.role.credentials" @models={{array role.type role.name}}>
+                Get credentials
+              </dd.Interactive>
             {{/if}}
             {{#if role.canRotateStaticCreds}}
               <dd.Interactive
-                @text="Rotate credentials"
                 data-test-rotate-creds
                 @color="critical"
                 {{on "click" (fn (mut this.credsToRotate) role)}}
-              />
+              >Rotate credentials</dd.Interactive>
             {{/if}}
             <dd.Interactive
-              @text="Details"
               data-test-details
               @route="roles.role.details"
               {{! this will force the roles.role model hook to fire since we may only have a partial model loaded in the list view }}
               @models={{array role.type role.name}}
-            />
+            >Details</dd.Interactive>
             {{#if role.canDelete}}
               <dd.Interactive
-                @text="Delete"
                 data-test-delete
                 @color="critical"
                 {{on "click" (fn (mut this.roleToDelete) role)}}
-              />
+              >Delete</dd.Interactive>
             {{/if}}
           </Hds::Dropdown>
         </Item.menu>
diff --git a/ui/lib/pki/addon/components/page/pki-issuer-list.hbs b/ui/lib/pki/addon/components/page/pki-issuer-list.hbs
index 2e80e195ccd0..aa376895527e 100644
--- a/ui/lib/pki/addon/components/page/pki-issuer-list.hbs
+++ b/ui/lib/pki/addon/components/page/pki-issuer-list.hbs
@@ -108,12 +108,11 @@
                   data-test-popup-menu-trigger
                 />
                 <dd.Interactive
-                  @text="Details"
                   @route="issuers.issuer.details"
                   @models={{array @backend pkiIssuer.id}}
                   data-test-pki-issuer-details
-                />
-                <dd.Interactive @text="Edit" @route="issuers.issuer.edit" @models={{array @backend pkiIssuer.id}} />
+                >Details</dd.Interactive>
+                <dd.Interactive @route="issuers.issuer.edit" @models={{array @backend pkiIssuer.id}}>Edit</dd.Interactive>
               </Hds::Dropdown>
             </div>
           </div>
diff --git a/ui/lib/pki/addon/components/page/pki-key-list.hbs b/ui/lib/pki/addon/components/page/pki-key-list.hbs
index a01596416b31..b071c02612f5 100644
--- a/ui/lib/pki/addon/components/page/pki-key-list.hbs
+++ b/ui/lib/pki/addon/components/page/pki-key-list.hbs
@@ -54,19 +54,17 @@
                   />
                   {{#if @canRead}}
                     <dd.Interactive
-                      @text="Details"
                       @route="keys.key.details"
                       @models={{array @backend pkiKey.keyId}}
                       data-test-key-menu-link="details"
-                    />
+                    >Details</dd.Interactive>
                   {{/if}}
                   {{#if @canEdit}}
                     <dd.Interactive
-                      @text="Edit"
                       @route="keys.key.edit"
                       @models={{array @backend pkiKey.keyId}}
                       data-test-key-menu-link="edit"
-                    />
+                    >Edit</dd.Interactive>
                   {{/if}}
                 </Hds::Dropdown>
               {{/if}}
diff --git a/ui/lib/pki/addon/templates/certificates/index.hbs b/ui/lib/pki/addon/templates/certificates/index.hbs
index 2866d1ccdd32..60ea533e4786 100644
--- a/ui/lib/pki/addon/templates/certificates/index.hbs
+++ b/ui/lib/pki/addon/templates/certificates/index.hbs
@@ -38,7 +38,10 @@
                   @hasChevron={{false}}
                   data-test-popup-menu-trigger
                 />
-                <dd.Interactive @text="Details" @route="certificates.certificate.details" @model={{pkiCertificate.id}} />
+                <dd.Interactive
+                  @route="certificates.certificate.details"
+                  @model={{pkiCertificate.id}}
+                >Details</dd.Interactive>
               </Hds::Dropdown>
             </div>
           </div>
diff --git a/ui/lib/pki/addon/templates/roles/index.hbs b/ui/lib/pki/addon/templates/roles/index.hbs
index fc73331abfb2..8f54244a38bc 100644
--- a/ui/lib/pki/addon/templates/roles/index.hbs
+++ b/ui/lib/pki/addon/templates/roles/index.hbs
@@ -44,15 +44,13 @@
                   data-test-popup-menu-trigger
                 />
                 <dd.Interactive
-                  @text="Details"
                   @route="roles.role.details"
                   @models={{array this.model.parentModel.id pkiRole.id}}
-                />
+                >Details</dd.Interactive>
                 <dd.Interactive
-                  @text="Edit"
                   @route="roles.role.edit"
                   @models={{array this.model.parentModel.id pkiRole.id}}
-                />
+                >Edit</dd.Interactive>
               </Hds::Dropdown>
             </div>
           </div>
diff --git a/ui/lib/replication/addon/templates/mode/secondaries/index.hbs b/ui/lib/replication/addon/templates/mode/secondaries/index.hbs
index 5f5b63cf30e8..f47edb6433af 100644
--- a/ui/lib/replication/addon/templates/mode/secondaries/index.hbs
+++ b/ui/lib/replication/addon/templates/mode/secondaries/index.hbs
@@ -38,18 +38,16 @@
                 />
                 {{#if (eq this.replicationMode "performance")}}
                   <dd.Interactive
-                    @text="Path filter config"
                     @route="mode.secondaries.config-show"
                     @models={{array this.replicationMode secondary}}
                     data-test-replication-path-filter-link={{true}}
-                  />
+                  >Path filter config</dd.Interactive>
                 {{/if}}
                 {{#if this.model.canRevokeSecondary}}
                   <dd.Interactive
-                    @text="Revoke"
                     @color="critical"
                     {{on "click" (fn (mut this.secondaryToRevoke) secondary)}}
-                  />
+                  >Revoke</dd.Interactive>
                 {{/if}}
               </Hds::Dropdown>
             {{/if}}
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations.hbs b/ui/lib/sync/addon/components/secrets/page/destinations.hbs
index 472716c98033..4cee4d329dd3 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations.hbs
+++ b/ui/lib/sync/addon/components/secrets/page/destinations.hbs
@@ -83,27 +83,24 @@
               </dd.Generic>
             {{else}}
               <dd.Interactive
-                @text="Details"
                 data-test-details
                 @route="secrets.destinations.destination.details"
                 @models={{array destination.type destination.name}}
                 @disabled={{not destination.canRead}}
-              />
+              >Details</dd.Interactive>
               {{#if destination.canEdit}}
                 <dd.Interactive
-                  @text="Edit"
                   data-test-edit
                   @route="secrets.destinations.destination.edit"
                   @models={{array destination.type destination.name}}
-                />
+                >Edit</dd.Interactive>
               {{/if}}
               {{#if destination.canDelete}}
                 <dd.Interactive
                   data-test-delete
-                  @text="Delete"
                   @color="critical"
                   {{on "click" (fn (mut this.destinationToDelete) destination)}}
-                />
+                >Delete</dd.Interactive>
               {{/if}}
             {{/if}}
           </Hds::Dropdown>
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.hbs b/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.hbs
index a950cfb3599e..06bed403ea7f 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.hbs
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.hbs
@@ -53,26 +53,21 @@
                 <dd.Separator />
               {{/if}}
               {{#if association.canSync}}
-                <dd.Interactive
-                  @text="Sync now"
-                  data-test-association-action="sync"
-                  {{on "click" (fn this.update association "set")}}
-                />
+                <dd.Interactive data-test-association-action="sync" {{on "click" (fn this.update association "set")}}>
+                  Sync now</dd.Interactive>
               {{/if}}
               <dd.Interactive
-                @text="View secret"
                 data-test-association-action="view"
                 @route="kvSecretOverview"
                 @isRouteExternal={{true}}
                 @models={{array association.mount association.secretName}}
-              />
+              >View secret</dd.Interactive>
               {{#if association.canUnsync}}
                 <dd.Interactive
                   data-test-association-action="unsync"
                   @color="critical"
-                  @text="Unsync"
                   {{on "click" (fn (mut this.secretToUnsync) association)}}
-                />
+                >Unsync</dd.Interactive>
               {{/if}}
             {{/if}}
           </Hds::Dropdown>
diff --git a/ui/lib/sync/addon/components/secrets/page/overview.hbs b/ui/lib/sync/addon/components/secrets/page/overview.hbs
index 4433e3d8e94d..f34072815f38 100644
--- a/ui/lib/sync/addon/components/secrets/page/overview.hbs
+++ b/ui/lib/sync/addon/components/secrets/page/overview.hbs
@@ -142,15 +142,13 @@
                     <dd.Interactive
                       @route="secrets.destinations.destination.sync"
                       @models={{array data.type data.name}}
-                      @text="Sync secrets"
                       data-test-overview-table-action="sync"
-                    />
+                    >Sync secrets</dd.Interactive>
                     <dd.Interactive
                       @route="secrets.destinations.destination.secrets"
                       @models={{array data.type data.name}}
-                      @text="View synced secrets"
                       data-test-overview-table-action="details"
-                    />
+                    >View synced secrets</dd.Interactive>
                   </Hds::Dropdown>
                 </B.Td>
               </B.Tr>
diff --git a/ui/package.json b/ui/package.json
index 34d2e392e54c..f694ac9dba7c 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -234,7 +234,7 @@
   },
   "dependencies": {
     "@babel/core": "^7.24.0",
-    "@hashicorp/design-system-components": "~4.7.0",
+    "@hashicorp/design-system-components": "~4.12.0",
     "@hashicorp/ember-flight-icons": "^5.1.3",
     "ember-auto-import": "^2.7.2",
     "handlebars": "4.7.7",
diff --git a/ui/tests/acceptance/access/identity/_shared-tests.js b/ui/tests/acceptance/access/identity/_shared-tests.js
index 124ea932d392..5659db01298d 100644
--- a/ui/tests/acceptance/access/identity/_shared-tests.js
+++ b/ui/tests/acceptance/access/identity/_shared-tests.js
@@ -13,7 +13,7 @@ import { GENERAL } from 'vault/tests/helpers/general-selectors';
 const SELECTORS = {
   identityRow: (name) => `[data-test-identity-row="${name}"]`,
   popupMenu: '[data-test-popup-menu-trigger]',
-  menuDelete: '[data-test-popup-menu="delete"]',
+  menuDelete: (name) => `[data-test-identity-row="${name}"] [data-test-popup-menu="delete"]`,
 };
 export const testCRUD = async (name, itemType, assert) => {
   await page.visit({ item_type: itemType });
@@ -36,8 +36,8 @@ export const testCRUD = async (name, itemType, assert) => {
   );
 
   await click(`${SELECTORS.identityRow(name)} ${SELECTORS.popupMenu}`);
-  await waitUntil(() => find(SELECTORS.menuDelete));
-  await click(SELECTORS.menuDelete);
+  await waitUntil(() => find(SELECTORS.menuDelete(name)));
+  await click(SELECTORS.menuDelete(name));
   await indexPage.confirmDelete();
   await settled();
   assert.dom(GENERAL.latestFlashContent).includesText('Successfully deleted');
@@ -57,7 +57,7 @@ export const testDeleteFromForm = async (name, itemType, assert) => {
   await click('[data-test-tab-subnav="policies"]');
   assert.dom('.list-item-row').exists({ count: 1 }, 'One item is under policies');
   await click('[data-test-tab-subnav="metadata"]');
-  assert.dom('.info-table-row').hasText('hello goodbye', 'Metadata shows on tab');
+  assert.dom('.info-table-row').hasTextContaining('hello goodbye', 'Metadata shows on tab');
   await showPage.edit();
   assert.strictEqual(
     currentRouteName(),
diff --git a/ui/tests/acceptance/auth-list-test.js b/ui/tests/acceptance/auth-list-test.js
index 38584f6b063e..ce0ff82c66e9 100644
--- a/ui/tests/acceptance/auth-list-test.js
+++ b/ui/tests/acceptance/auth-list-test.js
@@ -95,7 +95,7 @@ module('Acceptance | auth backend list', function (hooks) {
           const itemCount = type === 'token' ? 2 : 3;
           await click(`[data-test-auth-backend-link="${path}"] [data-test-popup-menu-trigger]`);
           assert
-            .dom('.hds-dropdown-list-item')
+            .dom(`[data-test-auth-backend-link="${path}"] .hds-dropdown-list-item`)
             .exists({ count: itemCount }, `shows ${itemCount} dropdown items for ${type}`);
 
           // all auth methods should be linkable
diff --git a/ui/tests/acceptance/mfa-method-test.js b/ui/tests/acceptance/mfa-method-test.js
index 499b1d028515..24be2f4821ae 100644
--- a/ui/tests/acceptance/mfa-method-test.js
+++ b/ui/tests/acceptance/mfa-method-test.js
@@ -214,10 +214,12 @@ module('Acceptance | mfa-method', function (hooks) {
       'Route transitions to method on save'
     );
     await click('[data-test-tab="enforcements"]');
-    assert.dom('[data-test-list-item]').hasText('bar', 'Enforcement is listed in method view');
+    assert.dom('[data-test-list-item]').hasTextContaining('bar', 'Enforcement is listed in method view');
     await click('[data-test-sidebar-nav-link="Multi-Factor Authentication"]');
     await click('[data-test-tab="enforcements"]');
-    assert.dom('[data-test-list-item="bar"]').hasText('bar', 'Enforcement is listed in enforcements view');
+    assert
+      .dom('[data-test-list-item="bar"]')
+      .hasTextContaining('bar', 'Enforcement is listed in enforcements view');
     await click('[data-test-list-item="bar"]');
     await click('[data-test-tab="methods"]');
     assert
@@ -242,7 +244,7 @@ module('Acceptance | mfa-method', function (hooks) {
       'Route transitions to method on save'
     );
     await click('[data-test-tab="enforcements"]');
-    assert.dom('[data-test-list-item]').hasText(name, 'Enforcement is listed in method view');
+    assert.dom('[data-test-list-item]').hasTextContaining(name, 'Enforcement is listed in method view');
   });
 
   test('it should edit methods', async function (assert) {
diff --git a/ui/tests/acceptance/oidc-config/clients-test.js b/ui/tests/acceptance/oidc-config/clients-test.js
index 775b2780e277..adbb0dbdd6ed 100644
--- a/ui/tests/acceptance/oidc-config/clients-test.js
+++ b/ui/tests/acceptance/oidc-config/clients-test.js
@@ -72,7 +72,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
       assert.dom('[data-test-tab="keys"]').hasClass('active', 'keys tab is active');
       assert.strictEqual(currentRouteName(), 'vault.cluster.access.oidc.keys.index');
       assert
-        .dom('[data-test-oidc-key-linked-block="default"]')
+        .dom('[data-test-oidc-key-linked-block="default"] [data-test-item]')
         .hasText('default', 'index page lists default key');
 
       // navigate to default key details from pop-up menu
@@ -132,7 +132,7 @@ module('Acceptance | oidc-config clients', function (hooks) {
       // edit key and limit applications
       await visit(OIDC_BASE_URL + '/keys');
       await click('[data-test-oidc-key-linked-block="test-key"] [data-test-popup-menu-trigger]');
-      await click('[data-test-oidc-key-menu-link="edit"]');
+      await click('[data-test-oidc-key-linked-block="test-key"] [data-test-oidc-key-menu-link="edit"]');
       assert.strictEqual(
         currentRouteName(),
         'vault.cluster.access.oidc.keys.key.edit',
diff --git a/ui/tests/acceptance/raft-storage-test.js b/ui/tests/acceptance/raft-storage-test.js
index 2eee76c78e3a..96b2abb427dc 100644
--- a/ui/tests/acceptance/raft-storage-test.js
+++ b/ui/tests/acceptance/raft-storage-test.js
@@ -64,10 +64,11 @@ module('Acceptance | raft storage', function (hooks) {
       return {};
     });
 
+    const row = '[data-raft-row]:nth-child(2) [data-test-raft-actions]';
     await visit('/vault/storage/raft');
     assert.dom('[data-raft-row]').exists({ count: 2 }, '2 raft peers render in table');
-    await click('[data-raft-row]:nth-child(2) [data-test-raft-actions] button');
-    await click('[data-test-confirm-action-trigger]');
+    await click(`${row} button`);
+    await click(`${row} [data-test-confirm-action-trigger]`);
     await click('[data-test-confirm-button]');
     assert.dom('[data-raft-row]').exists({ count: 1 }, 'Raft peer successfully removed');
   });
diff --git a/ui/tests/acceptance/secrets/backend/engines-test.js b/ui/tests/acceptance/secrets/backend/engines-test.js
index 79b657b77c93..dea147fc539b 100644
--- a/ui/tests/acceptance/secrets/backend/engines-test.js
+++ b/ui/tests/acceptance/secrets/backend/engines-test.js
@@ -3,69 +3,55 @@
  * SPDX-License-Identifier: BUSL-1.1
  */
 
-import { currentRouteName, settled } from '@ember/test-helpers';
+import { click, find, findAll, currentRouteName, visit } from '@ember/test-helpers';
 import { clickTrigger } from 'ember-power-select/test-support/helpers';
-import { create } from 'ember-cli-page-object';
 import { module, test } from 'qunit';
-import consoleClass from 'vault/tests/pages/components/console/ui-panel';
 import { setupApplicationTest } from 'ember-qunit';
 import { v4 as uuidv4 } from 'uuid';
 
-import mountSecrets from 'vault/tests/pages/settings/mount-secret-backend';
-import backendsPage from 'vault/tests/pages/secrets/backends';
-import authPage from 'vault/tests/pages/auth';
-import ss from 'vault/tests/pages/components/search-select';
+import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { deleteEngineCmd, mountEngineCmd, runCmd } from 'vault/tests/helpers/commands';
+import { login } from 'vault/tests/helpers/auth/auth-helpers';
 
-const consoleComponent = create(consoleClass);
-const searchSelect = create(ss);
+const SELECTORS = {
+  backendLink: (path) =>
+    path ? `[data-test-secrets-backend-link="${path}"]` : '[data-test-secrets-backend-link]',
+};
 
 module('Acceptance | secret-engine list view', function (hooks) {
   setupApplicationTest(hooks);
 
   hooks.beforeEach(function () {
     this.uid = uuidv4();
-    return authPage.login();
+    return login();
   });
 
   test('it allows you to disable an engine', async function (assert) {
     // first mount an engine so we can disable it.
     const enginePath = `alicloud-disable-${this.uid}`;
-    await mountSecrets.enable('alicloud', enginePath);
-    await settled();
-    assert.ok(backendsPage.rows.filterBy('path', `${enginePath}/`)[0], 'shows the mounted engine');
-
-    await backendsPage.visit();
-    await settled();
-    const row = backendsPage.rows.filterBy('path', `${enginePath}/`)[0];
-    await row.menu();
-    await settled();
-    await backendsPage.disableButton();
-    await settled();
-    await backendsPage.confirmDisable();
-    await settled();
+    await runCmd(mountEngineCmd('alicloud', enginePath));
+    await visit('/vault/secrets');
+    assert.dom(SELECTORS.backendLink(enginePath)).exists();
+    const row = SELECTORS.backendLink(enginePath);
+    await click(`${row} ${GENERAL.menuTrigger}`);
+    await click(`${row} ${GENERAL.confirmTrigger}`);
+    await click(GENERAL.confirmButton);
     assert.strictEqual(
       currentRouteName(),
       'vault.cluster.secrets.backends',
       'redirects to the backends page'
     );
-    assert.strictEqual(
-      backendsPage.rows.filterBy('path', `${enginePath}/`).length,
-      0,
-      'does not show the disabled engine'
-    );
+    assert.dom(SELECTORS.backendLink(enginePath)).doesNotExist('does not show the disabled engine');
   });
 
   test('it adds disabled css styling to unsupported secret engines', async function (assert) {
     assert.expect(2);
     // first mount engine that is not supported
     const enginePath = `nomad-${this.uid}`;
+    await runCmd(mountEngineCmd('nomad', enginePath));
+    await visit('/vault/secrets');
 
-    await mountSecrets.enable('nomad', enginePath);
-    await settled();
-    await backendsPage.visit();
-    await settled();
-
-    const rows = document.querySelectorAll('[data-test-secrets-backend-link]');
+    const rows = findAll(SELECTORS.backendLink());
     const rowUnsupported = Array.from(rows).filter((row) => row.innerText.includes('nomad'));
     const rowSupported = Array.from(rows).filter((row) => row.innerText.includes('cubbyhole'));
     assert
@@ -77,7 +63,7 @@ module('Acceptance | secret-engine list view', function (hooks) {
     assert.dom(rowSupported[0]).hasClass('linked-block', `linked-block class is added to supported engines.`);
 
     // cleanup
-    await consoleComponent.runCommands([`delete sys/mounts/${enginePath}`]);
+    await runCmd(deleteEngineCmd(enginePath));
   });
 
   test('it filters by name and engine type', async function (assert) {
@@ -85,32 +71,31 @@ module('Acceptance | secret-engine list view', function (hooks) {
     const enginePath1 = `aws-1-${this.uid}`;
     const enginePath2 = `aws-2-${this.uid}`;
 
-    await mountSecrets.enable('aws', enginePath1);
-    await mountSecrets.enable('aws', enginePath2);
-    await backendsPage.visit();
-    await settled();
+    await await runCmd(mountEngineCmd('aws', enginePath1));
+    await await runCmd(mountEngineCmd('aws', enginePath2));
+    await visit('/vault/secrets');
     // filter by type
     await clickTrigger('#filter-by-engine-type');
-    await searchSelect.options.objectAt(0).click();
+    await click(GENERAL.searchSelect.option());
 
-    const rows = document.querySelectorAll('[data-test-secrets-backend-link]');
+    const rows = findAll(SELECTORS.backendLink());
     const rowsAws = Array.from(rows).filter((row) => row.innerText.includes('aws'));
 
     assert.strictEqual(rows.length, rowsAws.length, 'all rows returned are aws');
     // filter by name
     await clickTrigger('#filter-by-engine-name');
-    const firstItemToSelect = searchSelect.options.objectAt(0).text;
-    await searchSelect.options.objectAt(0).click();
+    const firstItemToSelect = find(GENERAL.searchSelect.option()).innerText;
+    await click(GENERAL.searchSelect.option());
     const singleRow = document.querySelectorAll('[data-test-secrets-backend-link]');
     assert.strictEqual(singleRow.length, 1, 'returns only one row');
     assert.dom(singleRow[0]).includesText(firstItemToSelect, 'shows the filtered by name engine');
     // clear filter by engine name
-    await searchSelect.deleteButtons.objectAt(1).click();
+    await click(`#filter-by-engine-name ${GENERAL.searchSelect.removeSelected}`);
     const rowsAgain = document.querySelectorAll('[data-test-secrets-backend-link]');
     assert.ok(rowsAgain.length > 1, 'filter has been removed');
 
     // cleanup
-    await consoleComponent.runCommands([`delete sys/mounts/${enginePath1}`]);
-    await consoleComponent.runCommands([`delete sys/mounts/${enginePath2}`]);
+    await runCmd(deleteEngineCmd(enginePath1));
+    await runCmd(deleteEngineCmd(enginePath2));
   });
 });
diff --git a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js
index 606267b14fa1..3615445d7390 100644
--- a/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/kv-v2-workflow-create-test.js
@@ -48,17 +48,17 @@ module('Acceptance | kv-v2 workflow | secret and version create', function (hook
       const backend = this.backend;
       await visit(`/vault/secrets/${backend}/kv/list`);
       assert.dom(PAGE.list.item()).exists({ count: 1 }, 'single secret exists on list');
-      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      assert.dom(`${PAGE.list.item('app/')} [data-test-path]`).hasText('app/', 'expected list item');
       await click(PAGE.list.createSecret);
       await fillIn(FORM.inputByAttr('path'), 'jk');
       await click(FORM.cancelBtn);
       assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
-      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      assert.dom(`${PAGE.list.item('app/')} [data-test-path]`).hasText('app/', 'expected list item');
       await click(PAGE.list.createSecret);
       await fillIn(FORM.inputByAttr('path'), 'psych');
       await click(PAGE.breadcrumbAtIdx(1));
       assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
-      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      assert.dom(`${PAGE.list.item('app/')} [data-test-path]`).hasText('app/', 'expected list item');
     });
     test('cancel on new version rolls back model (a)', async function (assert) {
       const backend = this.backend;
@@ -500,17 +500,17 @@ module('Acceptance | kv-v2 workflow | secret and version create', function (hook
       const backend = this.backend;
       await visit(`/vault/secrets/${backend}/kv/list`);
       assert.dom(PAGE.list.item()).exists({ count: 1 }, 'single secret exists on list');
-      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      assert.dom(`${PAGE.list.item('app/')} [data-test-path]`).hasText('app/', 'expected list item');
       await click(PAGE.list.createSecret);
       await fillIn(FORM.inputByAttr('path'), 'jk');
       await click(FORM.cancelBtn);
       assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
-      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      assert.dom(`${PAGE.list.item('app/')} [data-test-path]`).hasText('app/', 'expected list item');
       await click(PAGE.list.createSecret);
       await fillIn(FORM.inputByAttr('path'), 'psych');
       await click(PAGE.breadcrumbAtIdx(1));
       assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
-      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      assert.dom(`${PAGE.list.item('app/')} [data-test-path]`).hasText('app/', 'expected list item');
     });
     test('cancel on new version rolls back model (dlr)', async function (assert) {
       const backend = this.backend;
@@ -649,17 +649,17 @@ module('Acceptance | kv-v2 workflow | secret and version create', function (hook
       const backend = this.backend;
       await visit(`/vault/secrets/${backend}/kv/list`);
       assert.dom(PAGE.list.item()).exists({ count: 1 }, 'single secret exists on list');
-      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      assert.dom(`${PAGE.list.item('app/')} [data-test-path]`).hasText('app/', 'expected list item');
       await click(PAGE.list.createSecret);
       await fillIn(FORM.inputByAttr('path'), 'jk');
       await click(FORM.cancelBtn);
       assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
-      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      assert.dom(`${PAGE.list.item('app/')} [data-test-path]`).hasText('app/', 'expected list item');
       await click(PAGE.list.createSecret);
       await fillIn(FORM.inputByAttr('path'), 'psych');
       await click(PAGE.breadcrumbAtIdx(1));
       assert.dom(PAGE.list.item()).exists({ count: 1 }, 'same amount of secrets');
-      assert.dom(PAGE.list.item('app/')).hasText('app/', 'expected list item');
+      assert.dom(`${PAGE.list.item('app/')} [data-test-path]`).hasText('app/', 'expected list item');
     });
     test('cancel on new version rolls back model (mm)', async function (assert) {
       const backend = this.backend;
diff --git a/ui/tests/acceptance/secrets/backend/kv/secret-test.js b/ui/tests/acceptance/secrets/backend/kv/secret-test.js
index 987a84a43b84..f4ca3bb2f719 100644
--- a/ui/tests/acceptance/secrets/backend/kv/secret-test.js
+++ b/ui/tests/acceptance/secrets/backend/kv/secret-test.js
@@ -20,6 +20,7 @@ import { runCmd } from 'vault/tests/helpers/commands';
 import { PAGE } from 'vault/tests/helpers/kv/kv-selectors';
 import codemirror from 'vault/tests/helpers/codemirror';
 import { GENERAL } from 'vault/tests/helpers/general-selectors';
+import { SECRET_ENGINE_SELECTORS as SS } from 'vault/tests/helpers/secret-engine/secret-engine-selectors';
 
 const deleteEngine = async function (enginePath, assert) {
   await logout.visit();
@@ -180,9 +181,8 @@ module('Acceptance | secrets/secret/create, read, delete', function (hooks) {
       assert.dom('[data-test-secret-link]').exists({ count: 2 });
 
       // delete the items
-      await listPage.secrets.objectAt(0).menuToggle();
-      await settled();
-      await listPage.delete();
+      await click(SS.secretLinkMenu('1/2/3/4'));
+      await click(SS.secretLinkMenuDelete('1/2/3/4'));
       await listPage.confirmDelete();
       await settled();
       assert.strictEqual(currentRouteName(), 'vault.cluster.secrets.backend.list');
@@ -219,7 +219,7 @@ module('Acceptance | secrets/secret/create, read, delete', function (hooks) {
         '(',
         ')',
         '"',
-        //"'",
+        // "'",
         '!',
         '#',
         '$',
@@ -243,8 +243,8 @@ module('Acceptance | secrets/secret/create, read, delete', function (hooks) {
       await runCmd([...commands, 'refresh']);
       for (const path of paths) {
         await listPage.visit({ backend, id: path });
-        assert.ok(listPage.secrets.filterBy('text', '2')[0], `${path}: secret is displayed properly`);
-        await listPage.secrets.filterBy('text', '2')[0].click();
+        assert.dom(SS.secretLinkATag()).hasText('2', `${path}: secret is displayed properly`);
+        await click(SS.secretLink());
         assert.strictEqual(
           currentRouteName(),
           'vault.cluster.secrets.backend.show',
@@ -301,8 +301,8 @@ module('Acceptance | secrets/secret/create, read, delete', function (hooks) {
         await listPage.create();
         await editPage.createSecret(`${path}/2`, 'foo', 'bar');
         await listPage.visit({ backend, id: path });
-        assert.ok(listPage.secrets.filterBy('text', '2')[0], `${path}: secret is displayed properly`);
-        await listPage.secrets.filterBy('text', '2')[0].click();
+        assert.dom(SS.secretLinkATag()).hasText('2', `${path}: secret is displayed properly`);
+        await click(SS.secretLink());
         assert.strictEqual(
           currentRouteName(),
           'vault.cluster.secrets.backend.show',
diff --git a/ui/tests/helpers/secret-engine/secret-engine-selectors.ts b/ui/tests/helpers/secret-engine/secret-engine-selectors.ts
index eca2e967e400..af2f7e40cdef 100644
--- a/ui/tests/helpers/secret-engine/secret-engine-selectors.ts
+++ b/ui/tests/helpers/secret-engine/secret-engine-selectors.ts
@@ -19,6 +19,11 @@ export const SECRET_ENGINE_SELECTORS = {
   mountSubmit: '[data-test-mount-submit]',
   secretHeader: '[data-test-secret-header]',
   secretLink: (name: string) => (name ? `[data-test-secret-link="${name}"]` : '[data-test-secret-link]'),
+  secretLinkMenu: (name: string) => `[data-test-secret-link="${name}"] [data-test-popup-menu-trigger]`,
+  secretLinkMenuDelete: (name: string) =>
+    `[data-test-secret-link="${name}"] [data-test-confirm-action-trigger]`,
+  secretLinkATag: (name: string) =>
+    name ? `[data-test-secret-item-link="${name}"]` : '[data-test-secret-item-link]',
   viewBackend: '[data-test-backend-view-link]',
   warning: '[data-test-warning]',
   aws: {
diff --git a/ui/tests/integration/components/kv/page/kv-page-list-test.js b/ui/tests/integration/components/kv/page/kv-page-list-test.js
index e4828d58e374..0eddc52e352e 100644
--- a/ui/tests/integration/components/kv/page/kv-page-list-test.js
+++ b/ui/tests/integration/components/kv/page/kv-page-list-test.js
@@ -70,6 +70,7 @@ module('Integration | Component | kv | Page::List', function (hooks) {
       @failedDirectoryQuery={{this.failedDirectoryQuery}}
       @breadcrumbs={{this.breadcrumbs}}
       @meta={{this.model.meta}}
+      @currentRouteParams={{array this.backend}}
     />`,
       {
         owner: this.engine,
diff --git a/ui/tests/integration/components/ldap/page/roles-test.js b/ui/tests/integration/components/ldap/page/roles-test.js
index ce1c91ac73cc..98b18e6552df 100644
--- a/ui/tests/integration/components/ldap/page/roles-test.js
+++ b/ui/tests/integration/components/ldap/page/roles-test.js
@@ -110,7 +110,9 @@ module('Integration | Component | ldap | Page::Roles', function (hooks) {
     assert.dom('[data-test-delete]').hasText('Delete', 'Details link renders in menu');
 
     await click('[data-test-popup-menu-trigger]:last-of-type');
-    assert.dom('[data-test-rotate-creds]').doesNotExist('Rotate credentials link is hidden for dynamic type');
+    assert
+      .dom('[data-test-popup-menu-trigger]:last-of-type [data-test-rotate-creds]')
+      .doesNotExist('Rotate credentials link is hidden for dynamic type');
   });
 
   test('it should filter roles', async function (assert) {
diff --git a/ui/yarn.lock b/ui/yarn.lock
index bcf86973735e..7b207dfa3213 100644
--- a/ui/yarn.lock
+++ b/ui/yarn.lock
@@ -2029,7 +2029,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@embroider/addon-shim@npm:^1.0.0, @embroider/addon-shim@npm:^1.2.0, @embroider/addon-shim@npm:^1.6.0, @embroider/addon-shim@npm:^1.8.0, @embroider/addon-shim@npm:^1.8.3, @embroider/addon-shim@npm:^1.8.4, @embroider/addon-shim@npm:^1.8.6, @embroider/addon-shim@npm:^1.8.7, @embroider/addon-shim@npm:^1.8.9":
+"@embroider/addon-shim@npm:^1.0.0, @embroider/addon-shim@npm:^1.2.0, @embroider/addon-shim@npm:^1.6.0, @embroider/addon-shim@npm:^1.8.0, @embroider/addon-shim@npm:^1.8.3, @embroider/addon-shim@npm:^1.8.6, @embroider/addon-shim@npm:^1.8.7, @embroider/addon-shim@npm:^1.8.9":
   version: 1.8.9
   resolution: "@embroider/addon-shim@npm:1.8.9"
   dependencies:
@@ -2458,25 +2458,24 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@hashicorp/design-system-components@npm:~4.7.0":
-  version: 4.7.0
-  resolution: "@hashicorp/design-system-components@npm:4.7.0"
+"@hashicorp/design-system-components@npm:~4.12.0":
+  version: 4.12.0
+  resolution: "@hashicorp/design-system-components@npm:4.12.0"
   dependencies:
     "@ember/render-modifiers": ^2.0.5
     "@ember/string": ^3.1.1
     "@ember/test-waiters": ^3.1.0
     "@embroider/addon-shim": ^1.8.7
     "@floating-ui/dom": ^1.6.3
-    "@hashicorp/design-system-tokens": ^2.1.0
-    "@hashicorp/ember-flight-icons": ^5.1.3
-    "@hashicorp/flight-icons": ^3.5.0
+    "@hashicorp/design-system-tokens": ^2.2.1
+    "@hashicorp/flight-icons": ^3.6.0
     decorator-transforms: ^1.1.0
-    ember-a11y-refocus: ^4.1.0
+    ember-a11y-refocus: ^4.1.3
     ember-cli-sass: ^11.0.1
     ember-composable-helpers: ^5.0.0
     ember-element-helper: ^0.8.5
     ember-focus-trap: ^1.1.0
-    ember-keyboard: ^8.2.1
+    ember-get-config: ^2.1.1
     ember-modifier: ^4.1.0
     ember-power-select: ^8.2.0
     ember-stargate: ^0.4.3
@@ -2487,14 +2486,14 @@ __metadata:
     tippy.js: ^6.3.7
   peerDependencies:
     ember-source: ^3.28.0 || ^4.0.0 || ^5.3.0
-  checksum: 88cafa21f11d761a226d9b065af715d632b1ea38699aac8294d035a7f7ab5518263c894813d0d4dc23f11dea440aaf6e58408531c7bbb3d9b2455a9dc9a9ba5c
+  checksum: ed7c79a43e3b286b5a4d543064dc566159909bee7052700eebe160a93f99b64dfc41291cd4d81c5dd558b415fc9033bc8937b0d751b191283ce404c407d1388b
   languageName: node
   linkType: hard
 
-"@hashicorp/design-system-tokens@npm:^2.1.0":
-  version: 2.2.0
-  resolution: "@hashicorp/design-system-tokens@npm:2.2.0"
-  checksum: 654978be98a94c1f478e472793b9c1b62762bb30f9e0a097c2e1effd4fb2b4619eeef347e39599aea4dd63c451e0f41e698d887827ca2496de83a9e1e1dd8525
+"@hashicorp/design-system-tokens@npm:^2.2.1":
+  version: 2.2.1
+  resolution: "@hashicorp/design-system-tokens@npm:2.2.1"
+  checksum: 0e4348ab27b2da4725068b5dab83474ad496895d2b422708b2c08cfc39289830f3756a1b352aff6e6095f64e3476ac227034ab02c7d2e0cc49d13a81ef69f6f3
   languageName: node
   linkType: hard
 
@@ -2517,6 +2516,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@hashicorp/flight-icons@npm:^3.6.0":
+  version: 3.6.0
+  resolution: "@hashicorp/flight-icons@npm:3.6.0"
+  checksum: 5c09574c3e44b5662665271f4aaec8e9d50d0eecb858ba5e9d4d669baf0d98d0e875ce440d84ea7911bf81ff35a01440f79dd27cb78af706ca85341101d61073
+  languageName: node
+  linkType: hard
+
 "@humanwhocodes/config-array@npm:^0.11.14":
   version: 0.11.14
   resolution: "@humanwhocodes/config-array@npm:0.11.14"
@@ -7445,13 +7451,13 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ember-a11y-refocus@npm:^4.1.0":
-  version: 4.1.1
-  resolution: "ember-a11y-refocus@npm:4.1.1"
+"ember-a11y-refocus@npm:^4.1.3":
+  version: 4.1.4
+  resolution: "ember-a11y-refocus@npm:4.1.4"
   dependencies:
     ember-cli-babel: ^7.26.11
     ember-cli-htmlbars: ^6.0.1
-  checksum: b9f861f1359e8c720bf844161da3eecbe2218149739211961d216b6fcaec5e78dfd51debe5ec2707ae0d31fdbbd9cf692349e3f0f5b47d1f12bd963c021494ac
+  checksum: c1a79f9b7792f3bac674e010b231561da4ca5fc2f3f6a9a6e2263908a6c781546e1baccdb84838f367ac9104e2c76b7f688a57f06f0bd6c194a6f1a71910e422
   languageName: node
   linkType: hard
 
@@ -8283,7 +8289,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ember-destroyable-polyfill@npm:^2.0.1, ember-destroyable-polyfill@npm:^2.0.3":
+"ember-destroyable-polyfill@npm:^2.0.1":
   version: 2.0.3
   resolution: "ember-destroyable-polyfill@npm:2.0.3"
   dependencies:
@@ -8425,23 +8431,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ember-keyboard@npm:^8.2.1":
-  version: 8.2.1
-  resolution: "ember-keyboard@npm:8.2.1"
-  dependencies:
-    "@embroider/addon-shim": ^1.8.4
-    ember-destroyable-polyfill: ^2.0.3
-    ember-modifier: ^2.1.2 || ^3.1.0 || ^4.0.0
-    ember-modifier-manager-polyfill: ^1.2.0
-  peerDependencies:
-    "@ember/test-helpers": ^2.6.0 || ^3.0.0
-  peerDependenciesMeta:
-    "@ember/test-helpers":
-      optional: true
-  checksum: cfb4120aaf3b1ff3aba8ba1619b0597c6738abde31d1e0719d8bbf69512fb9967fc76bc85557351ec42856bb9b6c47354634f22f0accab0e15743d9f0e3f2be4
-  languageName: node
-  linkType: hard
-
 "ember-lifeline@npm:^7.0.0":
   version: 7.0.0
   resolution: "ember-lifeline@npm:7.0.0"
@@ -8497,7 +8486,20 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ember-modifier@npm:^2.1.2 || ^3.1.0 || ^4.0.0, ember-modifier@npm:^3.2.7 || ^4.0.0, ember-modifier@npm:^4.1.0":
+"ember-modifier@npm:^3.2.0, ember-modifier@npm:^3.2.7":
+  version: 3.2.7
+  resolution: "ember-modifier@npm:3.2.7"
+  dependencies:
+    ember-cli-babel: ^7.26.6
+    ember-cli-normalize-entity-name: ^1.0.0
+    ember-cli-string-utils: ^1.1.0
+    ember-cli-typescript: ^5.0.0
+    ember-compatibility-helpers: ^1.2.5
+  checksum: 2e96d9ec3939de178a9ce704d5a9360fd73f0276ffa4a9cce9f100a4087fdc8fae4a8b28bf1be22b05a4d1c61e1bb1ab93ca60576810c6556bc4d9323864c66a
+  languageName: node
+  linkType: hard
+
+"ember-modifier@npm:^3.2.7 || ^4.0.0, ember-modifier@npm:^4.1.0":
   version: 4.2.0
   resolution: "ember-modifier@npm:4.2.0"
   dependencies:
@@ -8514,19 +8516,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ember-modifier@npm:^3.2.0, ember-modifier@npm:^3.2.7":
-  version: 3.2.7
-  resolution: "ember-modifier@npm:3.2.7"
-  dependencies:
-    ember-cli-babel: ^7.26.6
-    ember-cli-normalize-entity-name: ^1.0.0
-    ember-cli-string-utils: ^1.1.0
-    ember-cli-typescript: ^5.0.0
-    ember-compatibility-helpers: ^1.2.5
-  checksum: 2e96d9ec3939de178a9ce704d5a9360fd73f0276ffa4a9cce9f100a4087fdc8fae4a8b28bf1be22b05a4d1c61e1bb1ab93ca60576810c6556bc4d9323864c66a
-  languageName: node
-  linkType: hard
-
 "ember-page-title@npm:^8.0.0":
   version: 8.2.3
   resolution: "ember-page-title@npm:8.2.3"
@@ -18776,7 +18765,7 @@ __metadata:
     "@ember/test-waiters": ^3.1.0
     "@glimmer/component": ^1.1.2
     "@glimmer/tracking": ^1.1.2
-    "@hashicorp/design-system-components": ~4.7.0
+    "@hashicorp/design-system-components": ~4.12.0
     "@hashicorp/ember-flight-icons": ^5.1.3
     "@icholy/duration": ^5.1.0
     "@lineal-viz/lineal": ^0.5.1

From 69411d7925daeef3b00616625db8018104a25e21 Mon Sep 17 00:00:00 2001
From: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
Date: Mon, 7 Oct 2024 10:02:17 -0400
Subject: [PATCH 06/13] VAULT-30108: Include User-Agent header in audit
 requests by default (#28596)

* include user-agent header in audit by default

* add user-agent audit tests

* update audit default headers docs

* add changelog entry

* remove temp changes from TestAuditedHeadersConfig_ApplyConfig

* more TestAuditedHeadersConfig_ApplyConfig fixes

* add some test comments

* verify type assertions in TestAudit_Headers

* more type assertion checks
---
 audit/headers.go                         |  1 +
 audit/headers_test.go                    | 30 ++++++--
 changelog/28596.txt                      |  4 ++
 vault/external_tests/audit/audit_test.go | 90 +++++++++++++++++++++++-
 website/content/docs/audit/index.mdx     |  4 ++
 5 files changed, 123 insertions(+), 6 deletions(-)
 create mode 100644 changelog/28596.txt

diff --git a/audit/headers.go b/audit/headers.go
index a6ba6b00cd14..d505ffaf360f 100644
--- a/audit/headers.go
+++ b/audit/headers.go
@@ -175,6 +175,7 @@ func (a *HeadersConfig) DefaultHeaders() map[string]*headerSettings {
 	return map[string]*headerSettings{
 		correlationID:  {},
 		xCorrelationID: {},
+		"user-agent":   {},
 	}
 }
 
diff --git a/audit/headers_test.go b/audit/headers_test.go
index 025f4a422f8b..54fce0f7ed35 100644
--- a/audit/headers_test.go
+++ b/audit/headers_test.go
@@ -254,9 +254,11 @@ func TestAuditedHeadersConfig_ApplyConfig(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	const hmacPrefix = "hmac-sha256:"
+
 	expected := map[string][]string{
 		"x-test-header":  {"foo"},
-		"x-vault-header": {"hmac-sha256:", "hmac-sha256:"},
+		"x-vault-header": {hmacPrefix, hmacPrefix},
 	}
 
 	if len(expected) != len(result) {
@@ -271,7 +273,7 @@ func TestAuditedHeadersConfig_ApplyConfig(t *testing.T) {
 		}
 
 		for i, e := range expectedValues {
-			if e == "hmac-sha256:" {
+			if e == hmacPrefix {
 				if !strings.HasPrefix(resultValues[i], e) {
 					t.Fatalf("Expected headers did not match actual: Expected %#v...\n Got %#v\n", e, resultValues[i])
 				}
@@ -609,13 +611,28 @@ func TestAuditedHeaders_invalidate_defaults(t *testing.T) {
 	require.Equal(t, len(ahc.DefaultHeaders())+1, len(ahc.headerSettings)) // (defaults + 1 new header)
 	_, ok := ahc.headerSettings["x-magic-header"]
 	require.True(t, ok)
+
 	s, ok := ahc.headerSettings["x-correlation-id"]
 	require.True(t, ok)
 	require.False(t, s.HMAC)
 
-	// Add correlation ID specifically with HMAC and make sure it doesn't get blasted away.
-	fakeHeaders1 = map[string]*headerSettings{"x-magic-header": {}, "X-Correlation-ID": {HMAC: true}}
+	s, ok = ahc.headerSettings["user-agent"]
+	require.True(t, ok)
+	require.False(t, s.HMAC)
+
+	// Add correlation ID and user-agent specifically with HMAC and make sure it doesn't get blasted away.
+	fakeHeaders1 = map[string]*headerSettings{
+		"x-magic-header": {},
+		"X-Correlation-ID": {
+			HMAC: true,
+		},
+		"User-Agent": {
+			HMAC: true,
+		},
+	}
+
 	fakeBytes1, err = json.Marshal(fakeHeaders1)
+
 	require.NoError(t, err)
 	err = view.Put(context.Background(), &logical.StorageEntry{Key: auditedHeadersEntry, Value: fakeBytes1})
 	require.NoError(t, err)
@@ -626,7 +643,12 @@ func TestAuditedHeaders_invalidate_defaults(t *testing.T) {
 	require.Equal(t, len(ahc.DefaultHeaders())+1, len(ahc.headerSettings)) // (defaults + 1 new header, 1 is also a default)
 	_, ok = ahc.headerSettings["x-magic-header"]
 	require.True(t, ok)
+
 	s, ok = ahc.headerSettings["x-correlation-id"]
 	require.True(t, ok)
 	require.True(t, s.HMAC)
+
+	s, ok = ahc.headerSettings["user-agent"]
+	require.True(t, ok)
+	require.True(t, s.HMAC)
 }
diff --git a/changelog/28596.txt b/changelog/28596.txt
new file mode 100644
index 000000000000..9e79f89a405b
--- /dev/null
+++ b/changelog/28596.txt
@@ -0,0 +1,4 @@
+```release-note:improvement
+audit: Audit logs will contain User-Agent headers when they are present in the incoming request. They are not
+HMAC'ed by default but can be configured to be via the `/sys/config/auditing/request-headers/user-agent` endpoint.
+```
diff --git a/vault/external_tests/audit/audit_test.go b/vault/external_tests/audit/audit_test.go
index dbe56fd73151..3dedb298d057 100644
--- a/vault/external_tests/audit/audit_test.go
+++ b/vault/external_tests/audit/audit_test.go
@@ -52,8 +52,8 @@ func TestAudit_HMACFields(t *testing.T) {
 	require.NoError(t, err)
 
 	// Request 1
-	// Enable the audit device. A test probe request will audited along with the associated
-	// to the creation response
+	// Enable the audit device. A test probe request will audited along
+	// with the associated creation response
 	_, err = client.Logical().Write("sys/audit/"+devicePath, deviceData)
 	require.NoError(t, err)
 
@@ -212,3 +212,89 @@ func TestAudit_HMACFields(t *testing.T) {
 	require.True(t, strings.HasPrefix(wrapInfo["token"].(string), hmacPrefix))
 	require.Equal(t, wrapInfo["token"].(string), hashedWrapToken)
 }
+
+// TestAudit_Headers validates that headers are audited correctly. This includes
+// the default headers (x-correlation-id and user-agent) along with user-specified
+// headers.
+func TestAudit_Headers(t *testing.T) {
+	cluster := minimal.NewTestSoloCluster(t, nil)
+	client := cluster.Cores[0].Client
+
+	tempDir := t.TempDir()
+	logFile, err := os.CreateTemp(tempDir, "")
+	require.NoError(t, err)
+	devicePath := "file"
+	deviceData := map[string]any{
+		"type":        "file",
+		"description": "",
+		"local":       false,
+		"options": map[string]any{
+			"file_path": logFile.Name(),
+		},
+	}
+
+	_, err = client.Logical().Write("sys/config/auditing/request-headers/x-some-header", map[string]interface{}{
+		"hmac": false,
+	})
+	require.NoError(t, err)
+
+	// User-Agent header is audited by default
+	client.AddHeader("User-Agent", "foo-agent")
+
+	// X-Some-Header has been added to audited headers manually
+	client.AddHeader("X-Some-Header", "some-value")
+
+	// X-Some-Other-Header will not be audited
+	client.AddHeader("X-Some-Other-Header", "some-other-value")
+
+	// Request 1
+	// Enable the audit device. A test probe request will audited along
+	// with the associated creation response
+	_, err = client.Logical().Write("sys/audit/"+devicePath, deviceData)
+	require.NoError(t, err)
+
+	// Request 2
+	// Ensure the device has been created.
+	devices, err := client.Sys().ListAudit()
+	require.NoError(t, err)
+	require.Len(t, devices, 1)
+
+	// Request 3
+	resp, err := client.Sys().SealStatus()
+	require.NoError(t, err)
+	require.NotEmpty(t, resp)
+
+	expectedHeaders := map[string]interface{}{
+		"user-agent":    []interface{}{"foo-agent"},
+		"x-some-header": []interface{}{"some-value"},
+	}
+
+	entries := make([]map[string]interface{}, 0)
+	scanner := bufio.NewScanner(logFile)
+
+	for scanner.Scan() {
+		entry := make(map[string]interface{})
+
+		err := json.Unmarshal(scanner.Bytes(), &entry)
+		require.NoError(t, err)
+
+		request, ok := entry["request"].(map[string]interface{})
+		require.True(t, ok)
+
+		// test probe will not have headers set
+		requestPath, ok := request["path"].(string)
+		require.True(t, ok)
+
+		if requestPath != "sys/audit/test" {
+			headers, ok := request["headers"].(map[string]interface{})
+
+			require.True(t, ok)
+			require.Equal(t, expectedHeaders, headers)
+		}
+
+		entries = append(entries, entry)
+	}
+
+	// This count includes the initial test probe upon creation of the audit device
+	require.Equal(t, 4, len(entries))
+}
diff --git a/website/content/docs/audit/index.mdx b/website/content/docs/audit/index.mdx
index 3908ac40e7eb..a3abf8ffd74a 100644
--- a/website/content/docs/audit/index.mdx
+++ b/website/content/docs/audit/index.mdx
@@ -121,6 +121,10 @@ curl \
     --data '{ "hmac": true }'
 ```
 
+Another way to identify the source of a request is through the User-Agent request header.
+Vault will automatically record this value as `user-agent` within the `headers` of a
+request entry within the audit log.
+
 
 ## Enabling/Disabling audit devices
 

From 08e8776dfb4feb2e6abfce629415458370f6498c Mon Sep 17 00:00:00 2001
From: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Date: Mon, 7 Oct 2024 08:51:30 -0700
Subject: [PATCH 07/13] Add documentation for new rootless password rotation
 workflow for DB Static Roles (#28374)

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---
 .../api-docs/secret/databases/index.mdx       |  5 ++
 .../api-docs/secret/databases/postgresql.mdx  |  4 ++
 .../docs/secrets/databases/postgresql.mdx     | 70 ++++++++++++++++++-
 3 files changed, 76 insertions(+), 3 deletions(-)

diff --git a/website/content/api-docs/secret/databases/index.mdx b/website/content/api-docs/secret/databases/index.mdx
index 2373410a042c..e788d452ed91 100644
--- a/website/content/api-docs/secret/databases/index.mdx
+++ b/website/content/api-docs/secret/databases/index.mdx
@@ -534,6 +534,11 @@ this in order to know the password.
 - `username` `(string: <required>)` – Specifies the database username that this
   Vault role corresponds to.
 
+- `self_managed_password` `(string)` – <EnterpriseAlert product="vault" inline />
+  The password corresponding to the username in the database. Required when using
+  the Rootless Password Rotation workflow for static roles. Only enabled for select
+  DB engines (Postgres).
+
 - `db_name` `(string: <required>)` - The name of the database connection to use
   for this role.
 
diff --git a/website/content/api-docs/secret/databases/postgresql.mdx b/website/content/api-docs/secret/databases/postgresql.mdx
index 009442200069..9ddfece16c56 100644
--- a/website/content/api-docs/secret/databases/postgresql.mdx
+++ b/website/content/api-docs/secret/databases/postgresql.mdx
@@ -51,6 +51,10 @@ has a number of parameters to further configure a connection.
 
 - `password` `(string: "")` - The root credential password used in the connection URL.
 
+- `self_managed` `(boolean: "false")` - <EnterpriseAlert product="vault" inline /> If
+  set, allows onboarding static roles with a rootless connection configuration. Mutually
+  exclusive with `username` and `password`. If set, will force `verify_connection` to be false.
+
 - `tls_ca` `(string: "")` - The x509 CA file for validating the certificate
   presented by the PostgreSQL server. Must be PEM encoded.
 
diff --git a/website/content/docs/secrets/databases/postgresql.mdx b/website/content/docs/secrets/databases/postgresql.mdx
index e9efbb1de1c2..2193ffc39953 100644
--- a/website/content/docs/secrets/databases/postgresql.mdx
+++ b/website/content/docs/secrets/databases/postgresql.mdx
@@ -24,9 +24,9 @@ options, including SSL options, can be found in the [pgx][pgxlib] and
 
 ## Capabilities
 
-| Plugin Name                  | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization |
-| ---------------------------- | ------------------------ | ------------- | ------------ | ---------------------- |
-| `postgresql-database-plugin` | Yes                      | Yes           | Yes          | Yes (1.7+)             |
+| Plugin Name                  | Root Credential Rotation | Dynamic Roles | Static Roles | Username Customization | Credential Types             |
+| ---------------------------- | ------------------------ | ------------- | ------------ | ---------------------- | ---------------------------- |
+| `postgresql-database-plugin` | Yes                      | Yes           | Yes          | Yes (1.7+)             | password, gcp_iam            |
 
 ## Setup
 
@@ -84,6 +84,70 @@ the proper permission, it can generate credentials.
     username           v-vaultuse-my-role-x
     ```
 
+## Rootless Configuration and Password Rotation for Static Roles
+
+<EnterpriseAlert product="vault" />
+
+The PostgreSQL secrets engine supports using Static Roles and its password rotation mechanisms with a Rootless
+DB connection configuration. In this workflow, a static DB user can be onboarded onto Vault's static role rotation
+mechanism without the need of privileged root accounts to configure the connection. Instead of using a single root
+connection, multiple dedicated connections to the DB are made for each static role. This workflow does not support
+dynamic roles/credentials.
+
+~> Note: It is **highly recommended** that the DB users being onboarded as static roles
+have the minimum set of privileges. Each static role will open a new connection into the DB.
+Granting minimum privileges to the DB users being onboarded ensures that multiple
+highly-privileged connections to an external system are not being made.
+
+~> Note: Out-of-band password rotations will cause Vault to be out of sync with the state of
+the DB user, and will require manually updating the user's password in the external PostgreSQL
+DB in order to resolve any errors encountered during rotation.
+
+1.  Enable the database secrets engine if it is not already enabled:
+
+    ```shell-session
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1.  Configure connection to DB without root credentials and enable the rootless
+    workflow by setting the `self_managed` parameter:
+
+    ```shell-session
+    $ vault write database/config/my-postgresql-database \
+        plugin_name="postgresql-database-plugin" \
+        allowed_roles="my-role" \
+        connection_url="postgresql://{{username}}:{{password}}@localhost:5432/database-name" \
+        self_managed=true
+    ```
+
+1.  Configure a static role that creates a dedicated connection to a user in the DB with
+    the `self_managed_password` parameter:
+
+    ```shell-session
+    $ vault write database/static-roles/my-static-role \
+      db_name="my-postgresql-database" \
+      username="staticuser" \
+      self_managed_password="password" \
+      rotation_period="1h"
+    ```
+
+1.  Read static credentials:
+
+    ```shell-session
+    $ vault read database/static-creds/static-test
+    Key                    Value
+    ---                    -----
+    last_vault_rotation    2024-09-11T14:15:13.764783-07:00
+    password               XZY42BVc-UO5bMsbgxrW
+    rotation_period        1h
+    ttl                    59m55s
+    username               staticuser
+    ```
+
 ## Client x509 certificate authentication
 
 This plugin supports using PostgreSQl's [x509 Client-side Certificate Authentication](https://www.postgresql.org/docs/16/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT).

From c8e6169d5dbc82d99d904e468852902de98ebfd0 Mon Sep 17 00:00:00 2001
From: Ryan Cragun <me@ryan.ec>
Date: Mon, 7 Oct 2024 10:16:22 -0600
Subject: [PATCH 08/13] VAULT-31402: Add verification for all container images
 (#28605)

* VAULT-31402: Add verification for all container images

Add verification for all container images that are generated as part of
the build. Before this change we only ever tested a limited subset of
"default" containers based on Alpine Linux that we publish via the
Docker hub and AWS ECR.

Now we support testing all Alpine and UBI based container images. We
also verify the repository and tag information embedded in each by
deploying them and verifying the repo and tag metadata match our
expectations.

This does change the k8s scenario interface quite a bit. We now take in
an archive image and set image/repo/tag information based on the
scenario variants.

To enable this I also needed to add `tar` to the UBI base image. It was
already available in the Alpine image and is used to copy utilities to
the image when deploying and configuring the cluster via Enos.

Since some images contain multiple tags we also add samples for each
image and randomly select which variant to test on a given PR.

Signed-off-by: Ryan Cragun <me@ryan.ec>
---
 .github/actions/containerize/action.yml       |  74 +++++---
 .github/workflows/build-artifacts-ce.yml      |  28 ++-
 .github/workflows/build.yml                   |  12 +-
 .github/workflows/enos-run-k8s.yml            | 113 ------------
 .../test-run-enos-scenario-containers.yml     | 140 ++++++++++++++
 .../test-run-enos-scenario-matrix.yml         |   5 +-
 .github/workflows/test-run-enos-scenario.yml  | 129 +++++++++++++
 Dockerfile                                    |  25 ++-
 enos/k8s/enos-modules-k8s.hcl                 |  16 +-
 enos/k8s/enos-qualities.hcl                   |  14 ++
 enos/k8s/enos-samples-ce.hcl                  |  38 ++++
 enos/k8s/enos-scenario-k8s.hcl                | 173 ++++++++++++++----
 enos/k8s/enos-terraform-k8s.hcl               |   2 +-
 enos/k8s/enos-variables-k8s.hcl               |  42 ++---
 .../k8s_vault_verify_build_date/main.tf       |  61 ------
 .../k8s_vault_verify_build_date/variables.tf  |  36 ----
 16 files changed, 583 insertions(+), 325 deletions(-)
 delete mode 100644 .github/workflows/enos-run-k8s.yml
 create mode 100644 .github/workflows/test-run-enos-scenario-containers.yml
 create mode 100644 .github/workflows/test-run-enos-scenario.yml
 create mode 100644 enos/k8s/enos-qualities.hcl
 create mode 100644 enos/k8s/enos-samples-ce.hcl
 delete mode 100644 enos/modules/k8s_vault_verify_build_date/main.tf
 delete mode 100644 enos/modules/k8s_vault_verify_build_date/variables.tf

diff --git a/.github/actions/containerize/action.yml b/.github/actions/containerize/action.yml
index 2c43266a6ff0..c0809d3afd6f 100644
--- a/.github/actions/containerize/action.yml
+++ b/.github/actions/containerize/action.yml
@@ -10,31 +10,24 @@ description: |
 
 inputs:
   docker:
-    type: boolean
     description: |
       Package the binary into a Docker container suitable for the Docker and AWS registries. We'll
       automatically determine the correct tags and target depending on the vault edition.
-    default: true
+    default: 'true'
   goarch:
-    type: string
     description: The Go GOARCH value environment variable to set during the build.
   goos:
-    type: string
     description: The Go GOOS value environment variable to set during the build.
   redhat:
-    type: boolean
     description: Package the binary into a UBI container suitable for the Redhat Quay registry.
-    default: false
+    default: 'false'
   vault-binary-path:
-    type: string
     description: The path to the vault binary.
     default: dist/vault
   vault-edition:
-    type: string
     description: The edition of vault to build.
     default: ce
   vault-version:
-    type: string
     description: The vault version.
 
 outputs:
@@ -48,31 +41,52 @@ runs:
     - id: vars
       shell: bash
       run: |
-        if [[ '${{ inputs.vault-edition }}' =~ 'ce' ]]; then
-          # CE containers
-          container_version='${{ inputs.vault-version }}'
-          docker_container_tags='docker.io/hashicorp/vault:${{ inputs.vault-version }} public.ecr.aws/hashicorp/vault:${{ inputs.vault-version }}'
-          docker_container_target='default'
-          redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
-          redhat_container_target='ubi'
-        else
-          # Ent containers
-          container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
-
-          if [[ '${{ inputs.vault-edition }}' =~ 'fips' ]]; then
-            # Ent FIPS 140-2 containers
-            docker_container_tags='docker.io/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }} public.ecr.aws/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
-            docker_container_target='ubi-fips'
-            redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
-            redhat_container_target='ubi-fips'
-          else
-            # All other Ent containers
+        case '${{ inputs.vault-edition }}' in
+          "ce")
+            container_version='${{ inputs.vault-version }}'
+            docker_container_tags='docker.io/hashicorp/vault:${{ inputs.vault-version }} public.ecr.aws/hashicorp/vault:${{ inputs.vault-version }}'
+            docker_container_target='default'
+            redhat_container_tags='quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ inputs.vault-version }}-ubi'
+            redhat_container_target='ubi'
+          ;;
+          "ent")
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
             docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
             docker_container_target='default'
             redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
             redhat_container_target='ubi'
-          fi
-        fi
+          ;;
+          "ent.hsm")
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+            docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+            docker_container_target='ubi-hsm'
+            redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+            redhat_container_target='ubi-hsm'
+          ;;
+          "ent.hsm.fips1402")
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+            docker_container_tags='docker.io/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition}} public.ecr.aws/hashicorp/vault-enterprise:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+            docker_container_target='ubi-hsm-fips'
+            redhat_container_tags='quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+            redhat_container_target='ubi-hsm-fips'
+          ;;
+          "ent.fips1402")
+            # NOTE: For compatibility we still publish the ent.fips1402 containers to different
+            # namespaces. All ent, ent.hsm, and ent.hsm.fips1402 containers are released in the
+            # enterprise namespaces. After we've updated the upstream docker action to support
+            # multiple tags we can start to tag images with both namespaces, publish to both, and
+            # eventually sunset the fips1402 specific namespaces.
+            container_version='${{ inputs.vault-version }}+${{ inputs.vault-edition }}'
+            docker_container_tags='docker.io/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }} public.ecr.aws/hashicorp/vault-enterprise-fips:${{ inputs.vault-version }}-${{ inputs.vault-edition }}'
+            docker_container_target='ubi-fips'
+            redhat_container_tags='quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e:${{ inputs.vault-version }}-${{ inputs.vault-edition }}-ubi'
+            redhat_container_target='ubi-fips'
+          ;;
+          *)
+            echo "Cannot generate container tags for unknown vault edition: ${{ inputs.vault-edition }}" 2>&1
+            exit 1
+          ;;
+        esac
         {
           echo "container-version=${container_version}"
           echo "docker-container-tags=${docker_container_tags}"
diff --git a/.github/workflows/build-artifacts-ce.yml b/.github/workflows/build-artifacts-ce.yml
index 9669ae3f78dc..0d0a0731bc50 100644
--- a/.github/workflows/build-artifacts-ce.yml
+++ b/.github/workflows/build-artifacts-ce.yml
@@ -9,12 +9,15 @@ on:
     inputs:
       build-all:
         type: boolean
+        description: Build all extended artifacts
         default: false
       build-date:
         type: string
+        description: The date associated with the revision SHA
         required: true
       checkout-ref:
         type: string
+        description: The repo Git SHA to checkout
         default: ""
       compute-build:
         type: string # JSON encoded to support passing arrays
@@ -30,15 +33,19 @@ on:
         required: true
       vault-revision:
         type: string
+        description: The revision SHA of vault
         required: true
       vault-version:
         type: string
+        description: The version of vault
         required: true
       vault-version-package:
         type: string
+        description: Whether or not to package the binary as Debian and RPM packages
         required: true
       web-ui-cache-key:
         type: string
+        description: The UI asset cache key
         required: true
   workflow_call:
     inputs:
@@ -119,7 +126,26 @@ jobs:
       # Outputs are strings so we need to encode our collection outputs as JSON.
       testable-containers: |
         [
-          { "artifact": "${{ github.event.repository.name }}_default_linux_amd64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar" }
+          {
+            "sample": "ce_default_linux_amd64_ent_docker",
+            "artifact": "${{ github.event.repository.name }}_default_linux_amd64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar",
+            "edition": "ce"
+          },
+          {
+            "sample": "ce_default_linux_arm64_ce_docker",
+            "artifact": "${{ github.event.repository.name }}_default_linux_arm64_${{ inputs.vault-version }}_${{ inputs.vault-revision }}.docker.tar",
+            "edition": "ce"
+          },
+          {
+            "sample": "ce_ubi_linux_amd64_ce_redhat",
+            "artifact": "${{ github.event.repository.name}}_ubi_linux_amd64_${{ inputs.vault-version}}_${{ inputs.vault-revision }}.docker.redhat.tar",
+            "edition": "ce"
+          },
+          {
+            "sample": "ce_ubi_linux_arm64_ce_redhat",
+            "artifact": "${{ github.event.repository.name}}_ubi_linux_arm64_${{ inputs.vault-version}}_${{ inputs.vault-revision }}.docker.redhat.tar",
+            "edition": "ce"
+          }
         ]
       testable-packages: |
         [
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1ab18b15ebe5..e6e142905110 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -255,16 +255,18 @@ jobs:
       - setup
       - ui
       - artifacts
-    uses: ./.github/workflows/enos-run-k8s.yml
+    uses: ./.github/workflows/test-run-enos-scenario-containers.yml
     strategy:
       fail-fast: false
       matrix:
         include: ${{ fromJSON(needs.artifacts.outputs.testable-containers) }}
     with:
-      artifact-build-date: ${{ needs.setup.outputs.build-date }}
-      artifact-name: ${{ matrix.artifact }}
-      artifact-revision: ${{ needs.setup.outputs.vault-revision }}
-      artifact-version: ${{ needs.setup.outputs.vault-version-metadata }}
+      build-artifact-name: ${{ matrix.artifact }}
+      sample-max: 1
+      sample-name: ${{ matrix.sample }}
+      vault-edition: ${{ matrix.edition }}
+      vault-revision: ${{ needs.setup.outputs.vault-revision }}
+      vault-version: ${{ needs.setup.outputs.vault-version-metadata }}
     secrets: inherit
 
   completed-successfully:
diff --git a/.github/workflows/enos-run-k8s.yml b/.github/workflows/enos-run-k8s.yml
deleted file mode 100644
index 0edf7f034e6a..000000000000
--- a/.github/workflows/enos-run-k8s.yml
+++ /dev/null
@@ -1,113 +0,0 @@
----
-name: enos-k8s
-
-on:
-  workflow_call:
-    inputs:
-      artifact-build-date:
-        required: false
-        type: string
-      artifact-name:
-        required: true
-        type: string
-      artifact-revision:
-        required: true
-        type: string
-      artifact-version:
-        required: true
-        type: string
-
-env:
-  ARTIFACT_BUILD_DATE: ${{ inputs.artifact-build-date }}
-  ARTIFACT_NAME: ${{ inputs.artifact-name }}
-  ARTIFACT_REVISION: ${{ inputs.artifact-revision }}
-  ARTIFACT_VERSION: ${{ inputs.artifact-version }}
-
-jobs:
-  enos:
-    name: Integration
-    runs-on: ${{ fromJSON(contains(inputs.artifact-name, 'vault-enterprise') && (contains(inputs.artifact-name, 'arm64') && '["self-hosted","ondemand","os=ubuntu-arm","type=c6g.xlarge"]' || '["self-hosted","linux","small"]') || '"ubuntu-latest"') }}
-    env:
-      GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          # the Terraform wrapper will break Terraform execution in Enos because
-          # it changes the output to text when we expect it to be JSON.
-          terraform_wrapper: false
-      - name: Set up Enos
-        uses: hashicorp/action-setup-enos@v1
-        with:
-          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
-      - name: Download Docker Image
-        id: download
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: ${{ inputs.artifact-name }}
-          path: ./enos/support/downloads
-      - name: Prepare for scenario execution
-        env:
-          IS_ENT: ${{ contains(env.ARTIFACT_NAME, 'vault-enterprise' ) }}
-        run: |
-          mkdir -p ./enos/support/terraform-plugin-cache
-          if [ "$IS_ENT" == true ]; then
-            echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true
-            echo "edition=ent" >> "$GITHUB_ENV"
-            echo "edition set to 'ent'"
-            echo "image_repo=hashicorp/vault-enterprise" >> "$GITHUB_ENV"
-            echo "image repo set to 'hashicorp/vault-enterprise'"
-          else
-            echo "edition=ce" >> "$GITHUB_ENV"
-            echo "edition set to 'ce'"
-            echo "image_repo=hashicorp/vault" >> "$GITHUB_ENV"
-            echo "image repo set to 'hashicorp/vault'"
-          fi
-      - name: Run Enos scenario
-        id: run
-        # Continue once and retry to handle occasional blips when creating
-        # infrastructure.
-        continue-on-error: true
-        env:
-          ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
-          ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
-          ENOS_VAR_vault_build_date: ${{ env.ARTIFACT_BUILD_DATE }}
-          ENOS_VAR_vault_product_version: ${{ env.ARTIFACT_VERSION }}
-          ENOS_VAR_vault_product_revision: ${{ env.ARTIFACT_REVISION }}
-          ENOS_VAR_vault_docker_image_archive: ${{steps.download.outputs.download-path}}/${{ env.ARTIFACT_NAME }}
-          ENOS_VAR_vault_image_repository: ${{ env.image_repo }}
-        run: |
-          enos scenario run --timeout 10m0s --chdir ./enos/k8s edition:${{ env.edition }}
-      - name: Retry Enos scenario
-        id: run_retry
-        if: steps.run.outcome == 'failure'
-        env:
-          ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
-          ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
-          ENOS_VAR_vault_build_date: ${{ env.ARTIFACT_BUILD_DATE }}
-          ENOS_VAR_vault_product_version: ${{ env.ARTIFACT_VERSION }}
-          ENOS_VAR_vault_product_revision: ${{ env.ARTIFACT_REVISION }}
-          ENOS_VAR_vault_docker_image_archive: ${{steps.download.outputs.download-path}}/${{ env.ARTIFACT_NAME }}
-          ENOS_VAR_vault_image_repository: ${{ env.image_repo }}
-        run: |
-          enos scenario run --timeout 10m0s --chdir ./enos/k8s edition:${{ env.edition }}
-      - name: Destroy Enos scenario
-        if: ${{ always() }}
-        env:
-          ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
-          ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache
-          ENOS_VAR_vault_build_date: ${{ env.ARTIFACT_BUILD_DATE }}
-          ENOS_VAR_vault_product_version: ${{ env.ARTIFACT_VERSION }}
-          ENOS_VAR_vault_product_revision: ${{ env.ARTIFACT_REVISION }}
-          ENOS_VAR_vault_docker_image_archive: ${{steps.download.outputs.download-path}}
-          ENOS_VAR_vault_image_repository: ${{ env.image_repo }}
-        run: |
-          enos scenario destroy --timeout 10m0s --chdir ./enos/k8s edition:${{ env.edition }}
-      - name: Cleanup Enos runtime directories
-        if: ${{ always() }}
-        run: |
-          rm -rf /tmp/enos*
-          rm -rf ./enos/support
-          rm -rf ./enos/k8s/.enos
diff --git a/.github/workflows/test-run-enos-scenario-containers.yml b/.github/workflows/test-run-enos-scenario-containers.yml
new file mode 100644
index 000000000000..bb3e146888cb
--- /dev/null
+++ b/.github/workflows/test-run-enos-scenario-containers.yml
@@ -0,0 +1,140 @@
+---
+name: enos-containers
+
+on:
+  # Only trigger this working using workflow_call. This workflow requires many
+  # secrets that must be inherited from the caller workflow.
+  workflow_call:
+    inputs:
+      # The name of the artifact that we're going to use for testing. This should
+      # match exactly to build artifacts uploaded to Github and Artifactory.
+      build-artifact-name:
+        required: true
+        type: string
+      # The maximum number of scenarios to include in the test sample.
+      sample-max:
+        default: 1
+        type: number
+      # The name of the enos scenario sample that defines compatible scenarios we can
+      # can test with.
+      sample-name:
+        required: true
+        type: string
+      vault-edition:
+        required: false
+        type: string
+        default: ce
+      # The Git commit SHA used as the revision when building vault
+      vault-revision:
+        required: true
+        type: string
+      vault-version:
+        required: true
+        type: string
+
+jobs:
+  metadata:
+    runs-on: ubuntu-latest
+    outputs:
+      build-date: ${{ steps.metadata.outputs.build-date }}
+      sample: ${{ steps.metadata.outputs.sample }}
+      vault-version: ${{ steps.metadata.outputs.vault-version }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          ref: ${{ inputs.vault-revision }}
+      - uses: hashicorp/action-setup-enos@v1
+        with:
+          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      - id: metadata
+        run: |
+          build_date=$(make ci-get-date)
+          sample_seed=$(date +%s)
+          if ! sample=$(enos scenario sample observe "${{ inputs.sample-name }}" --chdir ./enos/k8s --min 1 --max "${{ inputs.sample-max }}" --seed "${sample_seed}" --format json | jq -c ".observation.elements"); then
+            echo "failed to do sample observation: $sample" 2>&1
+            exit 1
+          fi
+          if [[ "${{ inputs.vault-edition }}" == "ce" ]]; then
+            vault_version="${{ inputs.vault-version }}"
+          else
+            # shellcheck disable=2001
+            vault_version="$(sed 's/+ent/+${{ inputs.vault-edition }}/g' <<< '${{ inputs.vault-version }}')"
+          fi
+          {
+            echo "build-date=${build_date}"
+            echo "vault-version=${vault_version}"
+            echo "sample=${sample}"
+            echo "sample-seed=${sample_seed}" # This isn't used outside of here but is nice to know for duplicating observations
+          } | tee -a "$GITHUB_OUTPUT"
+
+  run:
+    needs: metadata
+    name: run ${{ matrix.scenario.id.filter }}
+    runs-on: ${{ fromJSON(contains(inputs.build-artifact-name, 'vault-enterprise') && (contains(inputs.build-artifact-name, 'arm64') && '["self-hosted","ondemand","os=ubuntu-arm","type=c6g.xlarge"]' || '["self-hosted","linux","small"]') || (contains(inputs.build-artifact-name, 'arm64') && '"ubuntu-22.04-arm"' || '"ubuntu-latest"')) }}
+    strategy:
+      fail-fast: false # don't fail as that can skip required cleanup steps for jobs
+      matrix:
+        include: ${{ fromJSON(needs.metadata.outputs.sample) }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          # the Terraform wrapper will break Terraform execution in Enos because
+          # it changes the output to text when we expect it to be JSON.
+          terraform_wrapper: false
+      - uses: hashicorp/action-setup-enos@v1
+        with:
+          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      - name: Download Docker Image
+        id: download
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ inputs.build-artifact-name }}
+          path: ./enos/support/downloads
+      - if: inputs.vault-edition != 'ce'
+        name: Configure license
+        run: |
+          echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic || true
+      - name: Run Enos scenario
+        id: run
+        # Continue once and retry to handle occasional blips when creating
+        # infrastructure.
+        continue-on-error: true
+        env:
+          ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
+          ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
+          ENOS_VAR_vault_version: ${{ needs.metadata.outputs.vault-version }}
+          ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
+          ENOS_VAR_container_image_archive: ${{steps.download.outputs.download-path}}/${{ inputs.build-artifact-name }}
+        run: |
+          mkdir -p ./enos/support/terraform-plugin-cache
+          enos scenario run --timeout 10m0s --chdir ./enos/k8s ${{ matrix.scenario.id.filter }}
+      - name: Retry Enos scenario
+        id: run_retry
+        if: steps.run.outcome == 'failure'
+        env:
+          ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
+          ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
+          ENOS_VAR_vault_version: ${{ needs.metadata.outputs.vault-version }}
+          ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
+          ENOS_VAR_container_image_archive: ${{steps.download.outputs.download-path}}/${{ inputs.build-artifact-name }}
+        run: |
+          enos scenario run --timeout 10m0s --chdir ./enos/k8s ${{ matrix.scenario.id.filter }}
+      - name: Destroy Enos scenario
+        if: ${{ always() }}
+        env:
+          ENOS_VAR_terraform_plugin_cache_dir: ../support/terraform-plugin-cache
+          ENOS_VAR_vault_build_date: ${{ needs.metadata.outputs.build-date }}
+          ENOS_VAR_vault_version: ${{ needs.metadata.outputs.vault-version }}
+          ENOS_VAR_vault_revision: ${{ inputs.vault-revision }}
+          ENOS_VAR_container_image_archive: ${{steps.download.outputs.download-path}}/${{ inputs.build-artifact-name }}
+        run: |
+          enos scenario destroy --timeout 10m0s --grpc-listen http://localhost --chdir ./enos/k8s ${{ matrix.scenario.id.filter }}
+      - name: Cleanup Enos runtime directories
+        if: ${{ always() }}
+        run: |
+          rm -rf /tmp/enos*
+          rm -rf ./enos/support
+          rm -rf ./enos/k8s/.enos
diff --git a/.github/workflows/test-run-enos-scenario-matrix.yml b/.github/workflows/test-run-enos-scenario-matrix.yml
index 6ab0d4176df3..826a5a51c7f8 100644
--- a/.github/workflows/test-run-enos-scenario-matrix.yml
+++ b/.github/workflows/test-run-enos-scenario-matrix.yml
@@ -59,7 +59,10 @@ jobs:
         run: |
           build_date=$(make ci-get-date)
           sample_seed=$(date +%s)
-          sample=$(enos scenario sample observe "${{ inputs.sample-name }}" --chdir ./enos --min 1 --max "${{ inputs.sample-max }}" --seed "${sample_seed}" --format json | jq -c ".observation.elements")
+          if ! sample=$(enos scenario sample observe "${{ inputs.sample-name }}" --chdir ./enos --min 1 --max "${{ inputs.sample-max }}" --seed "${sample_seed}" --format json | jq -c ".observation.elements"); then
+            echo "failed to do sample observation: $sample" 2>&1
+            exit 1
+          fi
           if [[ "${{ inputs.vault-edition }}" == "ce" ]]; then
             vault_version="${{ inputs.vault-version }}"
           else
diff --git a/.github/workflows/test-run-enos-scenario.yml b/.github/workflows/test-run-enos-scenario.yml
new file mode 100644
index 000000000000..b8f1a5c0ca65
--- /dev/null
+++ b/.github/workflows/test-run-enos-scenario.yml
@@ -0,0 +1,129 @@
+# Reusable workflow called by interactive scenario tests in GHA
+name: Test run Vault Enos scenario
+
+on:
+  workflow_call:
+    inputs:
+      artifact-source:
+        type: string
+        description: "The artifact source to test artifactory or local (use local for current branch)"
+        required: true
+      artifact-type:
+        type: string
+        description: "The Vault artifact type to test"
+        required: true
+      distro:
+        type: string
+        description: "Linux distribution that Vault replication will be tested on"
+        required: true
+      product-version:
+        type: string
+        description: "Vault version to test (vault_product_version)"
+        required: false
+      scenario:
+        type: string
+        description: "Enos test scenario to run"
+        required: true
+      ssh-key-name:
+        type: string
+        default: ${{ github.event.repository.name }}-ci-ssh-key
+      vault-revision:
+        type: string
+        description: "The git SHA of the Vault release (vault_revision)"
+        required: false
+
+jobs:
+  enos-run-vault-interactive-test:
+    name:  Enos run Vault interactive test
+    runs-on: ubuntu-latest
+    timeout-minutes: 120
+    env:
+      GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      # Pass in enos variables
+      ENOS_VAR_aws_ssh_keypair_name: ${{ inputs.ssh-key-name }}
+      ENOS_VAR_vault_log_level: trace
+      ENOS_VAR_aws_ssh_private_key_path: ./support/private_key.pem
+      ENOS_VAR_tfc_api_token: ${{ secrets.TF_API_TOKEN }}
+      ENOS_VAR_artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+      ENOS_VAR_artifactory_token: ${{ secrets.ARTIFACTORY_TOKEN }}
+      ENOS_VAR_terraform_plugin_cache_dir: ./support/terraform-plugin-cache
+      ENOS_VAR_vault_license_path: ./support/vault.hclic
+      ENOS_DEBUG_DATA_ROOT_DIR: /tmp/enos-debug-data
+      VAULT_METADATA: ent
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Set product version and revision
+        # If the Vault version and revision are not provided as workflow inputs, incase of
+        # testing local artifact, the environment variables ENOS_VAR_vault_product_version
+        # and ENOS_VAR_vault_revision are set using the current branch
+        id: set-version-sha
+        run: |
+          [[ -n "${{ inputs.product-version }}" ]] && echo "ENOS_VAR_vault_product_version=${{ inputs.product-version }}" >> "$GITHUB_ENV" || echo "ENOS_VAR_vault_product_version=$(make ci-get-version)" >> "$GITHUB_ENV"
+          [[ -n "${{ inputs.vault-revision }}" ]] && echo "ENOS_VAR_vault_revision=${{ inputs.vault-revision }}" >> "$GITHUB_ENV" || echo "ENOS_VAR_vault_revision=$(make ci-get-revision)" >> "$GITHUB_ENV"
+      - uses: ./.github/actions/set-up-go
+        with:
+          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      - name: Configure Git
+        run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
+      - name: Set up node
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: 14
+          cache-dependency-path: ui/yarn.lock
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          # the Terraform wrapper will break Terraform execution in Enos because
+          # it changes the output to text when we expect it to be JSON.
+          terraform_wrapper: false
+      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CI }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CI }}
+          aws-region: 'us-west-1'
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_CI }}
+          role-skip-session-tagging: true
+          role-duration-seconds: 3600
+      - uses: hashicorp/action-setup-enos@v1
+        with:
+          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      - name: Prepare scenario dependencies
+        id: scenario-deps
+        run: |
+          mkdir -p ./enos/support/terraform-plugin-cache
+          mkdir -p /tmp/enos-scenario-logs
+          echo logsdir="/tmp/enos-scenario-logs" >> "$GITHUB_OUTPUT"
+          echo "${{ secrets.SSH_KEY_PRIVATE_CI }}" > ./enos/support/private_key.pem
+          chmod 600 ./enos/support/private_key.pem
+      - name: Setup Vault Enterprise License
+        id: license
+        run: echo "${{ secrets.VAULT_LICENSE }}" > ./enos/support/vault.hclic
+      - name: Run Enos scenario
+        id: run
+        run: enos scenario run --timeout 60m0s --chdir ./enos ${{ inputs.scenario }}
+      - name: Collect logs when scenario fails
+        id: collect_logs
+        if: ${{ always() }}
+        run: |
+          bash -x ./scripts/gha_enos_logs.sh "${{ steps.scenario-deps.outputs.logsdir }}" "${{ inputs.scenario }}" "${{ inputs.distro }}" "${{ inputs.artifact-type }}" 2>/dev/null
+          find "${{ steps.scenario-deps.outputs.logsdir }}" -maxdepth 0 -empty -exec rmdir {} \;
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        if: ${{ always() }}
+        with:
+          name: enos-scenario-logs
+          path: ${{ steps.scenario-deps.outputs.logsdir }}
+          retention-days: 1
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        if: ${{ always() }}
+        with:
+          name: enos-debug-data-logs
+          path: ${{ env.ENOS_DEBUG_DATA_ROOT_DIR }}
+          retention-days: 1
+      - name: Ensure scenario has been destroyed
+        if: ${{ always() }}
+        run: enos scenario destroy --timeout 60m0s --grpc-listen http://localhost --chdir ./enos ${{ inputs.scenario }}
+      - name: Clean up Enos runtime directories
+        if: ${{ always() }}
+        run: |
+          rm -rf /tmp/enos*
+          rm -rf ./enos/support
+          rm -rf ./enos/.enos
diff --git a/Dockerfile b/Dockerfile
index 254a264319f9..4bdf1b0ce5b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 ## DOCKERHUB DOCKERFILE ##
-FROM alpine:3 as default
+FROM alpine:3 AS default
 
 ARG BIN_NAME
 # NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
@@ -34,7 +34,11 @@ ENV VERSION=$VERSION
 # Create a non-root user to run the software.
 RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}
 
-RUN apk add --no-cache libcap su-exec dumb-init tzdata
+RUN apk add --no-cache libcap su-exec dumb-init tzdata curl && \
+    mkdir -p /usr/share/doc/vault && \
+    curl -o /usr/share/doc/vault/EULA.txt https://eula.hashicorp.com/EULA.txt && \
+    curl -o /usr/share/doc/vault/TermsOfEvaluation.txt https://eula.hashicorp.com/TermsOfEvaluation.txt && \
+    apk del curl
 
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
 
@@ -75,7 +79,7 @@ CMD ["server", "-dev"]
 
 
 ## UBI DOCKERFILE ##
-FROM registry.access.redhat.com/ubi8/ubi-minimal as ubi
+FROM registry.access.redhat.com/ubi8/ubi-minimal AS ubi
 
 ARG BIN_NAME
 # NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
@@ -111,7 +115,7 @@ COPY LICENSE /licenses/LICENSE.txt
 # this (https://github.com/hashicorp/docker-vault/blob/master/ubi/Dockerfile),
 # we copy in the Vault binary from CRT.
 RUN set -eux; \
-    microdnf install -y ca-certificates gnupg openssl libcap tzdata procps shadow-utils util-linux
+    microdnf install -y ca-certificates gnupg openssl libcap tzdata procps shadow-utils util-linux tar
 
 # Create a non-root user to run the software.
 RUN groupadd --gid 1000 vault && \
@@ -127,7 +131,7 @@ COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
 # storage backend, if desired; the server will be started with /vault/config as
 # the configuration directory so you can add additional config files in that
 # location.
-ENV HOME /home/vault
+ENV HOME=/home/vault
 RUN mkdir -p /vault/logs && \
     mkdir -p /vault/file && \
     mkdir -p /vault/config && \
@@ -136,6 +140,11 @@ RUN mkdir -p /vault/logs && \
     chgrp -R 0 $HOME && chmod -R g+rwX $HOME && \
     chgrp -R 0 /vault && chmod -R g+rwX /vault
 
+# Include EULA and Terms of Eval
+RUN mkdir -p /usr/share/doc/vault && \
+    curl -o /usr/share/doc/vault/EULA.txt https://eula.hashicorp.com/EULA.txt && \
+    curl -o /usr/share/doc/vault/TermsOfEvaluation.txt https://eula.hashicorp.com/TermsOfEvaluation.txt
+
 # Expose the logs directory as a volume since there's potentially long-running
 # state in there
 VOLUME /vault/logs
@@ -162,3 +171,9 @@ USER vault
 # # By default you'll get a single-node development server that stores everything
 # # in RAM and bootstraps itself. Don't use this configuration for production.
 CMD ["server", "-dev"]
+
+FROM ubi AS ubi-fips
+
+FROM ubi AS ubi-hsm
+
+FROM ubi AS ubi-hsm-fips
diff --git a/enos/k8s/enos-modules-k8s.hcl b/enos/k8s/enos-modules-k8s.hcl
index 2e815eac62b6..3350535016b8 100644
--- a/enos/k8s/enos-modules-k8s.hcl
+++ b/enos/k8s/enos-modules-k8s.hcl
@@ -12,39 +12,39 @@ module "load_docker_image" {
 module "k8s_deploy_vault" {
   source = "../modules/k8s_deploy_vault"
 
-  vault_instance_count = var.vault_instance_count
+  vault_instance_count = var.instance_count
 }
 
 module "k8s_verify_build_date" {
   source = "../modules/k8s_vault_verify_build_date"
 
-  vault_instance_count = var.vault_instance_count
+  vault_instance_count = var.instance_count
 }
 
 module "k8s_verify_replication" {
   source = "../modules/k8s_vault_verify_replication"
 
-  vault_instance_count = var.vault_instance_count
+  vault_instance_count = var.instance_count
 }
 
 module "k8s_verify_ui" {
   source = "../modules/k8s_vault_verify_ui"
 
-  vault_instance_count = var.vault_instance_count
+  vault_instance_count = var.instance_count
 }
 
 module "k8s_verify_version" {
   source = "../modules/k8s_vault_verify_version"
 
-  vault_instance_count   = var.vault_instance_count
-  vault_product_version  = var.vault_product_version
-  vault_product_revision = var.vault_product_revision
+  vault_instance_count   = var.instance_count
+  vault_product_version  = var.vault_version
+  vault_product_revision = var.vault_revision
 }
 
 module "k8s_verify_write_data" {
   source = "../modules/k8s_vault_verify_write_data"
 
-  vault_instance_count = var.vault_instance_count
+  vault_instance_count = var.instance_count
 }
 
 module "read_license" {
diff --git a/enos/k8s/enos-qualities.hcl b/enos/k8s/enos-qualities.hcl
new file mode 100644
index 000000000000..2dfe81f97ae7
--- /dev/null
+++ b/enos/k8s/enos-qualities.hcl
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+quality "vault_artifact_container_alpine" {
+  description = "The candidate binary packaged as an Alpine package is used for testing"
+}
+
+quality "vault_artifact_container_ubi" {
+  description = "The candidate binary packaged as an UBI package is used for testing"
+}
+
+quality "vault_artifact_container_tags" {
+  description = "The candidate binary has the expected tags"
+}
diff --git a/enos/k8s/enos-samples-ce.hcl b/enos/k8s/enos-samples-ce.hcl
new file mode 100644
index 000000000000..7839b5a52177
--- /dev/null
+++ b/enos/k8s/enos-samples-ce.hcl
@@ -0,0 +1,38 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+sample "ce_default_linux_amd64_ent_docker" {
+  subset "k8s" {
+    matrix {
+      repo    = ["docker", "ecr"]
+      edition = ["ce"]
+    }
+  }
+}
+
+sample "ce_default_linux_arm64_ce_docker" {
+  subset "k8s" {
+    matrix {
+      repo    = ["docker", "ecr"]
+      edition = ["ce"]
+    }
+  }
+}
+
+sample "ce_ubi_linux_amd64_ce_redhat" {
+  subset "k8s" {
+    matrix {
+      repo    = ["quay"]
+      edition = ["ce"]
+    }
+  }
+}
+
+sample "ce_ubi_linux_arm64_ce_redhat" {
+  subset "k8s" {
+    matrix {
+      repo    = ["quay"]
+      edition = ["ce"]
+    }
+  }
+}
diff --git a/enos/k8s/enos-scenario-k8s.hcl b/enos/k8s/enos-scenario-k8s.hcl
index 33508249c645..7ba9be2c0355 100644
--- a/enos/k8s/enos-scenario-k8s.hcl
+++ b/enos/k8s/enos-scenario-k8s.hcl
@@ -2,8 +2,17 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 scenario "k8s" {
+  description = <<-EOF
+    The k8s scenario verifies Vault when running in Kubernetes mode. The build can be a container
+    in a remote repository or a local container archive tarball.
+
+    The scenario creates a new kind kubernetes cluster in Docker and creates a Vault Cluster using
+    the candidate artifact and verifies behavior against the Vault cluster.
+  EOF
+
   matrix {
-    edition = ["ce", "ent"]
+    edition = ["ce", "ent", "ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
+    repo    = ["docker", "ecr", "quay"]
   }
 
   terraform_cli = terraform_cli.default
@@ -15,15 +24,106 @@ scenario "k8s" {
   ]
 
   locals {
-    image_path = abspath(var.vault_docker_image_archive)
-
-    image_repo = var.vault_image_repository != null ? var.vault_image_repository : matrix.edition == "ce" ? "hashicorp/vault" : "hashicorp/vault-enterprise"
-    image_tag  = replace(var.vault_product_version, "+ent", "-ent")
-
+    // For now this works as the vault_version includes metadata. If we ever get to the point that
+    // vault_version excludes metadata we'll have to include the matrix.edition here as well.
+    tag_version     = replace(var.vault_version, "+ent", "-ent")
+    tag_version_ubi = "${local.tag_version}-ubi"
+    // When we load candidate images into our k8s cluster we verify that the archives embedded
+    // repository and tag match our expectations. This is the source of truth for what we _expect_
+    // various artifacts to have. The source of truth for what we use when building is defined in
+    // .github/actions/containerize. If you are modifying these expectations you likely need to
+    // modify the source of truth there.
+    repo_metadata = {
+      "ce" = {
+        docker = {
+          // https://hub.docker.com/r/hashicorp/vault
+          repo = "hashicorp/vault"
+          tag  = local.tag_version
+        }
+        ecr = {
+          // https://gallery.ecr.aws/hashicorp/vault
+          repo = "public.ecr.aws/hashicorp/vault"
+          tag  = local.tag_version
+        }
+        quay = {
+          // https://catalog.redhat.com/software/containers/hashicorp/vault/5fda55bd2937386820429e0c
+          repo = "quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a"
+          tag  = local.tag_version_ubi
+        }
+      },
+      "ent" = {
+        docker = {
+          // https://hub.docker.com/r/hashicorp/vault-enterprise
+          repo = "hashicorp/vault-enterprise"
+          tag  = local.tag_version
+        }
+        ecr = {
+          // https://gallery.ecr.aws/hashicorp/vault-enterprise
+          repo = "public.ecr.aws/hashicorp/vault-enterprise"
+          tag  = local.tag_version
+        }
+        quay = {
+          // https://catalog.redhat.com/software/containers/hashicorp/vault-enterprise/5fda5633ac3db90370a26443
+          repo = "quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2"
+          tag  = local.tag_version_ubi
+        }
+      },
+      "ent.fips1402" = {
+        docker = {
+          // https://hub.docker.com/r/hashicorp/vault-enterprise-fips
+          repo = "hashicorp/vault-enterprise-fips"
+          tag  = local.tag_version
+        }
+        ecr = {
+          // https://gallery.ecr.aws/hashicorp/vault-enterprise-fips
+          repo = "public.ecr.aws/hashicorp/vault-enterprise-fips"
+          tag  = local.tag_version
+        }
+        quay = {
+          // https://catalog.redhat.com/software/containers/hashicorp/vault-enterprise-fips/628d50e37ff70c66a88517ea
+          repo = "quay.io/redhat-isv-containers/6283f645d02c6b16d9caeb8e"
+          tag  = local.tag_version_ubi
+        }
+      },
+      "ent.hsm" = {
+        docker = {
+          // https://hub.docker.com/r/hashicorp/vault-enterprise
+          repo = "hashicorp/vault-enterprise"
+          tag  = local.tag_version
+        }
+        ecr = {
+          // https://gallery.ecr.aws/hashicorp/vault-enterprise
+          repo = "public.ecr.aws/hashicorp/vault-enterprise"
+          tag  = local.tag_version
+        }
+        quay = {
+          // https://catalog.redhat.com/software/containers/hashicorp/vault-enterprise/5fda5633ac3db90370a26443
+          repo = "quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2"
+          tag  = local.tag_version_ubi
+        }
+      },
+      "ent.hsm.fips1402" = {
+        docker = {
+          // https://hub.docker.com/r/hashicorp/vault-enterprise
+          repo = "hashicorp/vault-enterprise"
+          tag  = local.tag_version
+        }
+        ecr = {
+          // https://gallery.ecr.aws/hashicorp/vault-enterprise
+          repo = "public.ecr.aws/hashicorp/vault-enterprise"
+          tag  = local.tag_version
+        }
+        quay = {
+          // https://catalog.redhat.com/software/containers/hashicorp/vault-enterprise/5fda5633ac3db90370a26443
+          repo = "quay.io/redhat-isv-containers/5f89bb9242e382c85087dce2"
+          tag  = local.tag_version_ubi
+        }
+      },
+    }
     // The additional '-0' is required in the constraint since without it, the semver function will
     // only compare the non-pre-release parts (Major.Minor.Patch) of the version and the constraint,
     // which can lead to unexpected results.
-    version_includes_build_date = semverconstraint(var.vault_product_version, ">=1.11.0-0")
+    version_includes_build_date = semverconstraint(var.vault_version, ">=1.11.0-0")
   }
 
   step "read_license" {
@@ -44,20 +144,34 @@ scenario "k8s" {
   }
 
   step "load_docker_image" {
-    module = module.load_docker_image
+    description = <<-EOF
+      Load an verify the tags of a Vault container image into the kind k8s cluster. If no
+      var.container_image_archive has been set it will attempt to load an image matching the
+      var.vault_version from the matrix.repo.
+    EOF
+    module      = module.load_docker_image
+    depends_on  = [step.create_kind_cluster]
+
+    verifies = [
+      quality.vault_artifact_container_alpine,
+      quality.vault_artifact_container_ubi,
+      quality.vault_artifact_container_tags,
+    ]
 
     variables {
       cluster_name = step.create_kind_cluster.cluster_name
-      image        = local.image_repo
-      tag          = local.image_tag
-      archive      = var.vault_docker_image_archive
+      image        = local.repo_metadata[matrix.edition][matrix.repo].repo
+      tag          = local.repo_metadata[matrix.edition][matrix.repo].tag
+      archive      = var.container_image_archive
     }
-
-    depends_on = [step.create_kind_cluster]
   }
 
   step "deploy_vault" {
     module = module.k8s_deploy_vault
+    depends_on = [
+      step.load_docker_image,
+      step.create_kind_cluster,
+    ]
 
     variables {
       image_tag         = step.load_docker_image.tag
@@ -65,29 +179,14 @@ scenario "k8s" {
       image_repository  = step.load_docker_image.repository
       kubeconfig_base64 = step.create_kind_cluster.kubeconfig_base64
       vault_edition     = matrix.edition
-      vault_log_level   = var.vault_log_level
+      vault_log_level   = var.log_level
       ent_license       = matrix.edition != "ce" ? step.read_license.license : null
     }
-
-    depends_on = [step.load_docker_image, step.create_kind_cluster]
-  }
-
-  step "verify_build_date" {
-    skip_step = !local.version_includes_build_date
-    module    = module.k8s_verify_build_date
-
-    variables {
-      vault_pods        = step.deploy_vault.vault_pods
-      vault_root_token  = step.deploy_vault.vault_root_token
-      kubeconfig_base64 = step.create_kind_cluster.kubeconfig_base64
-      context_name      = step.create_kind_cluster.context_name
-    }
-
-    depends_on = [step.deploy_vault]
   }
 
   step "verify_replication" {
-    module = module.k8s_verify_replication
+    module     = module.k8s_verify_replication
+    depends_on = [step.deploy_vault]
 
     variables {
       vault_pods        = step.deploy_vault.vault_pods
@@ -95,12 +194,11 @@ scenario "k8s" {
       kubeconfig_base64 = step.create_kind_cluster.kubeconfig_base64
       context_name      = step.create_kind_cluster.context_name
     }
-
-    depends_on = [step.deploy_vault]
   }
 
   step "verify_version" {
-    module = module.k8s_verify_version
+    module     = module.k8s_verify_version
+    depends_on = [step.deploy_vault]
 
     variables {
       vault_pods        = step.deploy_vault.vault_pods
@@ -111,12 +209,11 @@ scenario "k8s" {
       check_build_date  = local.version_includes_build_date
       vault_build_date  = var.vault_build_date
     }
-
-    depends_on = [step.deploy_vault]
   }
 
   step "verify_write_data" {
-    module = module.k8s_verify_write_data
+    module     = module.k8s_verify_write_data
+    depends_on = [step.deploy_vault]
 
     variables {
       vault_pods        = step.deploy_vault.vault_pods
@@ -124,7 +221,5 @@ scenario "k8s" {
       kubeconfig_base64 = step.create_kind_cluster.kubeconfig_base64
       context_name      = step.create_kind_cluster.context_name
     }
-
-    depends_on = [step.deploy_vault]
   }
 }
diff --git a/enos/k8s/enos-terraform-k8s.hcl b/enos/k8s/enos-terraform-k8s.hcl
index 9b884ef12109..d7a14538c5e6 100644
--- a/enos/k8s/enos-terraform-k8s.hcl
+++ b/enos/k8s/enos-terraform-k8s.hcl
@@ -6,7 +6,7 @@ terraform "k8s" {
 
   required_providers {
     enos = {
-      source  = "registry.terraform.io/hashicorp-forge/enos"
+      source = "registry.terraform.io/hashicorp-forge/enos"
     }
 
     helm = {
diff --git a/enos/k8s/enos-variables-k8s.hcl b/enos/k8s/enos-variables-k8s.hcl
index 52ffd8d8225c..26ea3d0ce8ec 100644
--- a/enos/k8s/enos-variables-k8s.hcl
+++ b/enos/k8s/enos-variables-k8s.hcl
@@ -1,37 +1,19 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-variable "vault_image_repository" {
-  description = "The repository for the docker image to load, i.e. hashicorp/vault"
+variable "container_image_archive" {
+  description = "The path to the location of the container image archive to test"
   type        = string
-  default     = null
+  default     = null # If none is given we'll simply load a container from a repo
 }
 
-variable "vault_log_level" {
+variable "log_level" {
   description = "The server log level for Vault logs. Supported values (in order of detail) are trace, debug, info, warn, and err."
   type        = string
-  default     = "info"
-}
-
-variable "vault_product_version" {
-  description = "The vault product version to test"
-  type        = string
-  default     = null
-}
-
-variable "vault_product_revision" {
-  type        = string
-  description = "The vault product revision to test"
-  default     = null
+  default     = "trace"
 }
 
-variable "vault_docker_image_archive" {
-  description = "The path to the location of the docker image archive to test"
-  type        = string
-  default     = null
-}
-
-variable "vault_instance_count" {
+variable "instance_count" {
   description = "How many instances to create for the Vault cluster"
   type        = number
   default     = 3
@@ -44,7 +26,17 @@ variable "terraform_plugin_cache_dir" {
 }
 
 variable "vault_build_date" {
-  description = "The build date for the vault docker image"
+  description = "The expected vault build date"
   type        = string
   default     = ""
 }
+
+variable "vault_revision" {
+  type        = string
+  description = "The expected vault revision"
+}
+
+variable "vault_version" {
+  description = "The expected vault version"
+  type        = string
+}
diff --git a/enos/modules/k8s_vault_verify_build_date/main.tf b/enos/modules/k8s_vault_verify_build_date/main.tf
deleted file mode 100644
index dadf92ee5f30..000000000000
--- a/enos/modules/k8s_vault_verify_build_date/main.tf
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: BUSL-1.1
-
-
-terraform {
-  required_providers {
-    enos = {
-      source = "registry.terraform.io/hashicorp-forge/enos"
-    }
-  }
-}
-
-locals {
-  vault_instances = toset([for idx in range(var.vault_instance_count) : tostring(idx)])
-}
-
-# Get the date from the vault status command      - status_date
-# Format the original status output with ISO-8601 - formatted_date
-# Format the original status output with awk      - awk_date
-# Compare the formatted outputs                   - date_comparison
-resource "enos_remote_exec" "status_date" {
-  for_each = local.vault_instances
-
-  transport = {
-    kubernetes = {
-      kubeconfig_base64 = var.kubeconfig_base64
-      context_name      = var.context_name
-      pod               = var.vault_pods[each.key].name
-      namespace         = var.vault_pods[each.key].namespace
-    }
-  }
-
-  inline = ["${var.vault_bin_path} status -format=json | grep build_date | cut -d \\\" -f 4"]
-}
-
-resource "enos_remote_exec" "formatted_date" {
-  for_each = local.vault_instances
-
-  transport = {
-    kubernetes = {
-      kubeconfig_base64 = var.kubeconfig_base64
-      context_name      = var.context_name
-      pod               = var.vault_pods[each.key].name
-      namespace         = var.vault_pods[each.key].namespace
-    }
-  }
-
-  inline = ["date -d \"${enos_remote_exec.status_date[each.key].stdout}\" -D '%Y-%m-%dT%H:%M:%SZ' -I"]
-}
-
-resource "enos_local_exec" "awk_date" {
-  for_each = local.vault_instances
-
-  inline = ["echo ${enos_remote_exec.status_date[each.key].stdout} | awk -F\"T\" '{printf $1}'"]
-}
-
-resource "enos_local_exec" "date_comparison" {
-  for_each = local.vault_instances
-
-  inline = ["[[ ${enos_local_exec.awk_date[each.key].stdout} == ${enos_remote_exec.formatted_date[each.key].stdout} ]] && echo \"Verification for build date format ${enos_remote_exec.status_date[each.key].stdout} succeeded\" || \"invalid build_date, must be formatted as RFC 3339: ${enos_remote_exec.status_date[each.key].stdout}\""]
-}
diff --git a/enos/modules/k8s_vault_verify_build_date/variables.tf b/enos/modules/k8s_vault_verify_build_date/variables.tf
deleted file mode 100644
index 4e1754ebe9f1..000000000000
--- a/enos/modules/k8s_vault_verify_build_date/variables.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: BUSL-1.1
-
-variable "vault_instance_count" {
-  type        = number
-  description = "How many vault instances are in the cluster"
-}
-
-variable "vault_pods" {
-  type = list(object({
-    name      = string
-    namespace = string
-  }))
-  description = "The vault instances for the cluster to verify"
-}
-
-variable "vault_bin_path" {
-  type        = string
-  description = "The path to the vault binary"
-  default     = "/bin/vault"
-}
-
-variable "vault_root_token" {
-  type        = string
-  description = "The vault root token"
-}
-
-variable "kubeconfig_base64" {
-  type        = string
-  description = "The base64 encoded version of the Kubernetes configuration file"
-}
-
-variable "context_name" {
-  type        = string
-  description = "The name of the k8s context for Vault"
-}

From 9808006be9cde0163eafb0fe4d5fc2d424db1e0e Mon Sep 17 00:00:00 2001
From: Steven Clark <steven.clark@hashicorp.com>
Date: Mon, 7 Oct 2024 16:18:45 -0400
Subject: [PATCH 09/13] Update Vault PKCS11 Provider docs (#28615)

- Add a missing architecture that we have published for a while
- Add a Changelog to the end of the page
---
 .../docs/enterprise/pkcs11-provider/index.mdx | 33 ++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/website/content/docs/enterprise/pkcs11-provider/index.mdx b/website/content/docs/enterprise/pkcs11-provider/index.mdx
index 40fd82fc02aa..a2357d82591e 100644
--- a/website/content/docs/enterprise/pkcs11-provider/index.mdx
+++ b/website/content/docs/enterprise/pkcs11-provider/index.mdx
@@ -28,11 +28,12 @@ This library works with Vault Enterprise 1.11+ with the advanced data protection
 with the KMIP Secrets Engine.
 
 | Operating System | Architecture | Distribution      | glibc   |
-| ---------------- | -------------| ----------------- | ------- |
+| ---------------- | ------------ | ----------------- | ------- |
 | Linux            | x86-64       | RHEL 7 compatible | 2.17    |
 | Linux            | x86-64       | RHEL 8 compatible | 2.28    |
 | Linux            | x86-64       | RHEL 9 compatible | 2.34    |
 | macOS            | x86-64       | &mdash;           | &mdash; |
+| macOS            | arm64        | &mdash;           | &mdash; |
 
 _Note:_ `vault-pkcs11-provider` runs on _any_ glibc-based Linux distribution. The versions above are given in RHEL-compatible GLIBC versions; for your
 distro's glibc version, choose the `vault-pkcs11-provider` built against the same or older version as what your distro provides.
@@ -429,3 +430,33 @@ Due to the nature of Vault, the KMIP Secrets Engine, and PKCS#11, there are some
 - The object attribute cache is valid only for a single object per session, and will be cleared when another object's attributes are queried.
 - The random number generator function, `C_GenerateRandom`, is currently implemented in software in the library by calling out to Go's [`crypto/rand`](https://pkg.go.dev/crypto/rand) package,
   and does **not** call Vault.
+
+## Changelog
+
+### v0.2.1
+
+ * Go update to 1.22.7 and Go dependency updates
+ * Add license files to artifacts
+
+### v0.2.0
+
+ * Introduced support for RSA and HMAC operations
+
+### v0.1.3
+
+ * Go update to 1.19.4 and Go dependency updates
+ * Added missing checksum for EL9 builds
+
+### v0.1.2
+
+ * Added arm64 support on macOS
+ * Go update to 1.19.2 and Go dependency updates
+
+### v0.1.1
+
+  * KMIP: Set activation date attribute required by Vault 1.12
+  * KMIP: Revoke a key prior to destroy
+
+### v0.1.0
+
+  * Initial release

From 0687353788a4846b23b69a8e33bb7229795635b5 Mon Sep 17 00:00:00 2001
From: Steven Clark <steven.clark@hashicorp.com>
Date: Mon, 7 Oct 2024 16:20:57 -0400
Subject: [PATCH 10/13] Cleanup some duplication in the PKI tidy response field
 definitions (#28614)

---
 builtin/logical/pki/path_tidy.go | 522 +++++++++++--------------------
 1 file changed, 178 insertions(+), 344 deletions(-)

diff --git a/builtin/logical/pki/path_tidy.go b/builtin/logical/pki/path_tidy.go
index 5e7a4b037681..e82cce13b991 100644
--- a/builtin/logical/pki/path_tidy.go
+++ b/builtin/logical/pki/path_tidy.go
@@ -156,6 +156,179 @@ var defaultTidyConfig = tidyConfig{
 	CMPV2NonceStore:         false,
 }
 
+var tidyStatusResponseFields = map[string]*framework.FieldSchema{
+	"safety_buffer": {
+		Type:        framework.TypeInt,
+		Description: `Safety buffer time duration`,
+		Required:    true,
+	},
+	"issuer_safety_buffer": {
+		Type:        framework.TypeInt,
+		Description: `Issuer safety buffer`,
+		Required:    true,
+	},
+	"revocation_queue_safety_buffer": {
+		Type:        framework.TypeInt,
+		Description: `Revocation queue safety buffer`,
+		Required:    true,
+	},
+	"acme_account_safety_buffer": {
+		Type:        framework.TypeInt,
+		Description: `Safety buffer after creation after which accounts lacking orders are revoked`,
+		Required:    false,
+	},
+	"tidy_cert_store": {
+		Type:        framework.TypeBool,
+		Description: `Tidy certificate store`,
+		Required:    true,
+	},
+	"tidy_revoked_certs": {
+		Type:        framework.TypeBool,
+		Description: `Tidy revoked certificates`,
+		Required:    true,
+	},
+	"tidy_revoked_cert_issuer_associations": {
+		Type:        framework.TypeBool,
+		Description: `Tidy revoked certificate issuer associations`,
+		Required:    true,
+	},
+	"tidy_expired_issuers": {
+		Type:        framework.TypeBool,
+		Description: `Tidy expired issuers`,
+		Required:    true,
+	},
+	"tidy_cross_cluster_revoked_certs": {
+		Type:        framework.TypeBool,
+		Description: `Tidy the cross-cluster revoked certificate store`,
+		Required:    false,
+	},
+	"tidy_acme": {
+		Type:        framework.TypeBool,
+		Description: `Tidy Unused Acme Accounts, and Orders`,
+		Required:    true,
+	},
+	"tidy_cert_metadata": {
+		Type:        framework.TypeBool,
+		Description: `Tidy cert metadata`,
+		Required:    true,
+	},
+	"tidy_cmpv2_nonce_store": {
+		Type:        framework.TypeBool,
+		Description: `Tidy CMPv2 nonce store`,
+		Required:    true,
+	},
+	"pause_duration": {
+		Type:        framework.TypeString,
+		Description: `Duration to pause between tidying certificates`,
+		Required:    true,
+	},
+	"state": {
+		Type:        framework.TypeString,
+		Description: `One of Inactive, Running, Finished, or Error`,
+		Required:    true,
+	},
+	"error": {
+		Type:        framework.TypeString,
+		Description: `The error message`,
+		Required:    true,
+	},
+	"time_started": {
+		Type:        framework.TypeString,
+		Description: `Time the operation started`,
+		Required:    true,
+	},
+	"time_finished": {
+		Type:        framework.TypeString,
+		Description: `Time the operation finished`,
+		Required:    false,
+	},
+	"last_auto_tidy_finished": {
+		Type:        framework.TypeString,
+		Description: `Time the last auto-tidy operation finished`,
+		Required:    true,
+	},
+	"message": {
+		Type:        framework.TypeString,
+		Description: `Message of the operation`,
+		Required:    true,
+	},
+	"cert_store_deleted_count": {
+		Type:        framework.TypeInt,
+		Description: `The number of certificate storage entries deleted`,
+		Required:    true,
+	},
+	"revoked_cert_deleted_count": {
+		Type:        framework.TypeInt,
+		Description: `The number of revoked certificate entries deleted`,
+		Required:    true,
+	},
+	"current_cert_store_count": {
+		Type:        framework.TypeInt,
+		Description: `The number of revoked certificate entries deleted`,
+		Required:    true,
+	},
+	"cross_revoked_cert_deleted_count": {
+		Type:        framework.TypeInt,
+		Description: ``,
+		Required:    true,
+	},
+	"current_revoked_cert_count": {
+		Type:        framework.TypeInt,
+		Description: `The number of revoked certificate entries deleted`,
+		Required:    true,
+	},
+	"revocation_queue_deleted_count": {
+		Type:     framework.TypeInt,
+		Required: true,
+	},
+	"tidy_move_legacy_ca_bundle": {
+		Type:     framework.TypeBool,
+		Required: true,
+	},
+	"tidy_revocation_queue": {
+		Type:     framework.TypeBool,
+		Required: true,
+	},
+	"missing_issuer_cert_count": {
+		Type:     framework.TypeInt,
+		Required: true,
+	},
+	"internal_backend_uuid": {
+		Type:     framework.TypeString,
+		Required: true,
+	},
+	"total_acme_account_count": {
+		Type:        framework.TypeInt,
+		Description: `Total number of acme accounts iterated over`,
+		Required:    false,
+	},
+	"acme_account_deleted_count": {
+		Type:        framework.TypeInt,
+		Description: `The number of revoked acme accounts removed`,
+		Required:    false,
+	},
+	"acme_account_revoked_count": {
+		Type:        framework.TypeInt,
+		Description: `The number of unused acme accounts revoked`,
+		Required:    false,
+	},
+	"acme_orders_deleted_count": {
+		Type:        framework.TypeInt,
+		Description: `The number of expired, unused acme orders removed`,
+		Required:    false,
+	},
+	"cert_metadata_deleted_count": {
+		Type:        framework.TypeInt,
+		Description: `The number of metadata entries removed`,
+		Required:    false,
+	},
+	"cmpv2_nonce_deleted_count": {
+		Type:        framework.TypeInt,
+		Description: `The number of CMPv2 nonces removed`,
+		Required:    false,
+	},
+}
+
 func pathTidy(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: "tidy$",
@@ -199,177 +372,7 @@ func pathTidyCancel(b *backend) *framework.Path {
 				Responses: map[int][]framework.Response{
 					http.StatusOK: {{
 						Description: "OK",
-						Fields: map[string]*framework.FieldSchema{
-							"safety_buffer": {
-								Type:        framework.TypeInt,
-								Description: `Safety buffer time duration`,
-								Required:    false,
-							},
-							"issuer_safety_buffer": {
-								Type:        framework.TypeInt,
-								Description: `Issuer safety buffer`,
-								Required:    false,
-							},
-							"revocation_queue_safety_buffer": {
-								Type:        framework.TypeInt,
-								Description: `Revocation queue safety buffer`,
-								Required:    true,
-							},
-							"tidy_cert_store": {
-								Type:        framework.TypeBool,
-								Description: `Tidy certificate store`,
-								Required:    false,
-							},
-							"tidy_revoked_certs": {
-								Type:        framework.TypeBool,
-								Description: `Tidy revoked certificates`,
-								Required:    false,
-							},
-							"tidy_revoked_cert_issuer_associations": {
-								Type:        framework.TypeBool,
-								Description: `Tidy revoked certificate issuer associations`,
-								Required:    false,
-							},
-							"tidy_acme": {
-								Type:        framework.TypeBool,
-								Description: `Tidy Unused Acme Accounts, and Orders`,
-								Required:    false,
-							},
-							"acme_account_safety_buffer": {
-								Type:        framework.TypeInt,
-								Description: `Safety buffer after creation after which accounts lacking orders are revoked`,
-								Required:    false,
-							},
-							"tidy_expired_issuers": {
-								Type:        framework.TypeBool,
-								Description: `Tidy expired issuers`,
-								Required:    false,
-							},
-							"tidy_cert_metadata": {
-								Type:        framework.TypeBool,
-								Description: `Tidy cert metadata`,
-								Required:    false,
-							},
-							"tidy_cmpv2_nonce_store": {
-								Type:        framework.TypeBool,
-								Description: `Tidy CMPv2 nonce store`,
-								Required:    false,
-							},
-							"pause_duration": {
-								Type:        framework.TypeString,
-								Description: `Duration to pause between tidying certificates`,
-								Required:    false,
-							},
-							"state": {
-								Type:        framework.TypeString,
-								Description: `One of Inactive, Running, Finished, or Error`,
-								Required:    false,
-							},
-							"error": {
-								Type:        framework.TypeString,
-								Description: `The error message`,
-								Required:    false,
-							},
-							"time_started": {
-								Type:        framework.TypeString,
-								Description: `Time the operation started`,
-								Required:    false,
-							},
-							"time_finished": {
-								Type:        framework.TypeString,
-								Description: `Time the operation finished`,
-								Required:    false,
-							},
-							"last_auto_tidy_finished": {
-								Type:        framework.TypeString,
-								Description: `Time the last auto-tidy operation finished`,
-								Required:    true,
-							},
-							"message": {
-								Type:        framework.TypeString,
-								Description: `Message of the operation`,
-								Required:    false,
-							},
-							"cert_store_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of certificate storage entries deleted`,
-								Required:    false,
-							},
-							"revoked_cert_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of revoked certificate entries deleted`,
-								Required:    false,
-							},
-							"current_cert_store_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of revoked certificate entries deleted`,
-								Required:    false,
-							},
-							"current_revoked_cert_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of revoked certificate entries deleted`,
-								Required:    false,
-							},
-							"missing_issuer_cert_count": {
-								Type:     framework.TypeInt,
-								Required: false,
-							},
-							"tidy_move_legacy_ca_bundle": {
-								Type:     framework.TypeBool,
-								Required: false,
-							},
-							"tidy_cross_cluster_revoked_certs": {
-								Type:        framework.TypeBool,
-								Description: `Tidy the cross-cluster revoked certificate store`,
-								Required:    false,
-							},
-							"tidy_revocation_queue": {
-								Type:     framework.TypeBool,
-								Required: false,
-							},
-							"revocation_queue_deleted_count": {
-								Type:     framework.TypeInt,
-								Required: false,
-							},
-							"cross_revoked_cert_deleted_count": {
-								Type:     framework.TypeInt,
-								Required: false,
-							},
-							"internal_backend_uuid": {
-								Type:     framework.TypeString,
-								Required: false,
-							},
-							"total_acme_account_count": {
-								Type:        framework.TypeInt,
-								Description: `Total number of acme accounts iterated over`,
-								Required:    false,
-							},
-							"acme_account_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of revoked acme accounts removed`,
-								Required:    false,
-							},
-							"acme_account_revoked_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of unused acme accounts revoked`,
-								Required:    false,
-							},
-							"acme_orders_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of expired, unused acme orders removed`,
-								Required:    false,
-							},
-							"cert_metadata_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of metadata entries removed`,
-								Required:    false,
-							},
-							"cmpv2_nonce_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of CMPv2 nonces removed`,
-								Required:    false,
-							},
-						},
+						Fields:      tidyStatusResponseFields,
 					}},
 				},
 				ForwardPerformanceStandby: true,
@@ -396,178 +399,7 @@ func pathTidyStatus(b *backend) *framework.Path {
 				Responses: map[int][]framework.Response{
 					http.StatusOK: {{
 						Description: "OK",
-						Fields: map[string]*framework.FieldSchema{
-							"safety_buffer": {
-								Type:        framework.TypeInt,
-								Description: `Safety buffer time duration`,
-								Required:    true,
-							},
-							"issuer_safety_buffer": {
-								Type:        framework.TypeInt,
-								Description: `Issuer safety buffer`,
-								Required:    true,
-							},
-							"revocation_queue_safety_buffer": {
-								Type:        framework.TypeInt,
-								Description: `Revocation queue safety buffer`,
-								Required:    true,
-							},
-							"acme_account_safety_buffer": {
-								Type:        framework.TypeInt,
-								Description: `Safety buffer after creation after which accounts lacking orders are revoked`,
-								Required:    false,
-							},
-							"tidy_cert_store": {
-								Type:        framework.TypeBool,
-								Description: `Tidy certificate store`,
-								Required:    true,
-							},
-							"tidy_revoked_certs": {
-								Type:        framework.TypeBool,
-								Description: `Tidy revoked certificates`,
-								Required:    true,
-							},
-							"tidy_revoked_cert_issuer_associations": {
-								Type:        framework.TypeBool,
-								Description: `Tidy revoked certificate issuer associations`,
-								Required:    true,
-							},
-							"tidy_expired_issuers": {
-								Type:        framework.TypeBool,
-								Description: `Tidy expired issuers`,
-								Required:    true,
-							},
-							"tidy_cross_cluster_revoked_certs": {
-								Type:        framework.TypeBool,
-								Description: `Tidy the cross-cluster revoked certificate store`,
-								Required:    false,
-							},
-							"tidy_acme": {
-								Type:        framework.TypeBool,
-								Description: `Tidy Unused Acme Accounts, and Orders`,
-								Required:    true,
-							},
-							"tidy_cert_metadata": {
-								Type:        framework.TypeBool,
-								Description: `Tidy cert metadata`,
-								Required:    true,
-							},
-							"tidy_cmpv2_nonce_store": {
-								Type:        framework.TypeBool,
-								Description: `Tidy CMPv2 nonce store`,
-								Required:    true,
-							},
-							"pause_duration": {
-								Type:        framework.TypeString,
-								Description: `Duration to pause between tidying certificates`,
-								Required:    true,
-							},
-							"state": {
-								Type:        framework.TypeString,
-								Description: `One of Inactive, Running, Finished, or Error`,
-								Required:    true,
-							},
-							"error": {
-								Type:        framework.TypeString,
-								Description: `The error message`,
-								Required:    true,
-							},
-							"time_started": {
-								Type:        framework.TypeString,
-								Description: `Time the operation started`,
-								Required:    true,
-							},
-							"time_finished": {
-								Type:        framework.TypeString,
-								Description: `Time the operation finished`,
-								Required:    false,
-							},
-							"last_auto_tidy_finished": {
-								Type:        framework.TypeString,
-								Description: `Time the last auto-tidy operation finished`,
-								Required:    true,
-							},
-							"message": {
-								Type:        framework.TypeString,
-								Description: `Message of the operation`,
-								Required:    true,
-							},
-							"cert_store_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of certificate storage entries deleted`,
-								Required:    true,
-							},
-							"revoked_cert_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of revoked certificate entries deleted`,
-								Required:    true,
-							},
-							"current_cert_store_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of revoked certificate entries deleted`,
-								Required:    true,
-							},
-							"cross_revoked_cert_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: ``,
-								Required:    true,
-							},
-							"current_revoked_cert_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of revoked certificate entries deleted`,
-								Required:    true,
-							},
-							"revocation_queue_deleted_count": {
-								Type:     framework.TypeInt,
-								Required: true,
-							},
-							"tidy_move_legacy_ca_bundle": {
-								Type:     framework.TypeBool,
-								Required: true,
-							},
-							"tidy_revocation_queue": {
-								Type:     framework.TypeBool,
-								Required: true,
-							},
-							"missing_issuer_cert_count": {
-								Type:     framework.TypeInt,
-								Required: true,
-							},
-							"internal_backend_uuid": {
-								Type:     framework.TypeString,
-								Required: true,
-							},
-							"total_acme_account_count": {
-								Type:        framework.TypeInt,
-								Description: `Total number of acme accounts iterated over`,
-								Required:    false,
-							},
-							"acme_account_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of revoked acme accounts removed`,
-								Required:    false,
-							},
-							"acme_account_revoked_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of unused acme accounts revoked`,
-								Required:    false,
-							},
-							"acme_orders_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of expired, unused acme orders removed`,
-								Required:    false,
-							},
-							"cert_metadata_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of metadata entries removed`,
-								Required:    false,
-							},
-							"cmpv2_nonce_deleted_count": {
-								Type:        framework.TypeInt,
-								Description: `The number of CMPv2 nonces removed`,
-								Required:    false,
-							},
-						},
+						Fields:      tidyStatusResponseFields,
 					}},
 				},
 				ForwardPerformanceStandby: true,
@@ -1778,6 +1610,8 @@ func (b *backend) pathTidyStatusRead(_ context.Context, _ *logical.Request, _ *f
 	resp.Data["cmpv2_nonce_deleted_count"] = b.tidyStatus.cmpv2NonceDeletedCount
 
 	switch b.tidyStatus.state {
+	case tidyStatusInactive:
+		resp.Data["state"] = "Inactive"
 	case tidyStatusStarted:
 		resp.Data["state"] = "Running"
 	case tidyStatusFinished:
@@ -2012,7 +1846,7 @@ func (b *backend) tidyStatusStop(err error) {
 	b.tidyStatus.err = err
 	if err == nil {
 		b.tidyStatus.state = tidyStatusFinished
-	} else if err == tidyCancelledError {
+	} else if errors.Is(err, tidyCancelledError) {
 		b.tidyStatus.state = tidyStatusCancelled
 	} else {
 		b.tidyStatus.state = tidyStatusError

From b6145bc3bb960726924d8be010b991ba24b3f692 Mon Sep 17 00:00:00 2001
From: Ryan Cragun <me@ryan.ec>
Date: Mon, 7 Oct 2024 14:54:51 -0600
Subject: [PATCH 11/13] protobuf: rebuild protos with protobuf 1.35.1 (main)
 (#28617)

* protobuf: rebuild protos with protobuf 1.35.1
* protobuf: unpin protoc-gen-go-grpc on main

Signed-off-by: Ryan Cragun <me@ryan.ec>
---
 .../actions/install-external-tools/action.yml |    2 +-
 builtin/logical/pki/metadata.pb.go            |   26 +-
 helper/forwarding/types.pb.go                 |   92 +-
 helper/identity/mfa/types.pb.go               |  180 +--
 helper/identity/types.pb.go                   |  136 +-
 helper/storagepacker/types.pb.go              |   48 +-
 physical/raft/types.pb.go                     |  136 +-
 sdk/database/dbplugin/database.pb.go          |  378 +-----
 sdk/database/dbplugin/database_grpc.pb.go     |   25 +-
 sdk/database/dbplugin/v5/proto/database.pb.go |  334 +----
 .../dbplugin/v5/proto/database_grpc.pb.go     |   25 +-
 .../generation/generate_data.pb.go            |  136 +-
 sdk/helper/pluginutil/multiplexing.pb.go      |   48 +-
 sdk/helper/pluginutil/multiplexing_grpc.pb.go |   25 +-
 sdk/logical/event.pb.go                       |   70 +-
 sdk/logical/identity.pb.go                    |  136 +-
 sdk/logical/plugin.pb.go                      |   26 +-
 sdk/logical/version.pb.go                     |   48 +-
 sdk/logical/version_grpc.pb.go                |   25 +-
 sdk/plugin/pb/backend.pb.go                   | 1192 +++--------------
 sdk/plugin/pb/backend_grpc.pb.go              |   82 +-
 tools/tools.sh                                |    2 +-
 vault/activity/activity_log.pb.go             |  114 +-
 .../proto/link_control/link_control.pb.go     |   48 +-
 .../link_control/link_control_grpc.pb.go      |   25 +-
 vault/hcp_link/proto/meta/meta.pb.go          |  378 +-----
 vault/hcp_link/proto/meta/meta_grpc.pb.go     |   25 +-
 vault/hcp_link/proto/node_status/status.pb.go |   48 +-
 vault/request_forwarding_service.pb.go        |  136 +-
 vault/request_forwarding_service_grpc.pb.go   |   69 +-
 vault/seal/multi_wrap_value.pb.go             |   26 +-
 vault/tokens/token.pb.go                      |   48 +-
 32 files changed, 895 insertions(+), 3194 deletions(-)

diff --git a/.github/actions/install-external-tools/action.yml b/.github/actions/install-external-tools/action.yml
index 1357618ce350..99ab0cd6b1b7 100644
--- a/.github/actions/install-external-tools/action.yml
+++ b/.github/actions/install-external-tools/action.yml
@@ -24,7 +24,7 @@ runs:
       # up here.
     - run: ./.github/scripts/retry-command.sh go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
       shell: bash
-    - run: ./.github/scripts/retry-command.sh go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.4.0
+    - run: ./.github/scripts/retry-command.sh go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
       shell: bash
     - run: ./.github/scripts/retry-command.sh go install github.com/favadi/protoc-go-inject-tag@latest
       shell: bash
diff --git a/builtin/logical/pki/metadata.pb.go b/builtin/logical/pki/metadata.pb.go
index 209f5fcce0f7..c13d0ee81ef0 100644
--- a/builtin/logical/pki/metadata.pb.go
+++ b/builtin/logical/pki/metadata.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: builtin/logical/pki/metadata.proto
 
@@ -37,11 +37,9 @@ type CertificateMetadata struct {
 
 func (x *CertificateMetadata) Reset() {
 	*x = CertificateMetadata{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_builtin_logical_pki_metadata_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_builtin_logical_pki_metadata_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *CertificateMetadata) String() string {
@@ -52,7 +50,7 @@ func (*CertificateMetadata) ProtoMessage() {}
 
 func (x *CertificateMetadata) ProtoReflect() protoreflect.Message {
 	mi := &file_builtin_logical_pki_metadata_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -152,20 +150,6 @@ func file_builtin_logical_pki_metadata_proto_init() {
 	if File_builtin_logical_pki_metadata_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_builtin_logical_pki_metadata_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*CertificateMetadata); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	file_builtin_logical_pki_metadata_proto_msgTypes[0].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
diff --git a/helper/forwarding/types.pb.go b/helper/forwarding/types.pb.go
index 66b6decb991a..bb257c8c3938 100644
--- a/helper/forwarding/types.pb.go
+++ b/helper/forwarding/types.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: helper/forwarding/types.proto
 
@@ -42,11 +42,9 @@ type Request struct {
 
 func (x *Request) Reset() {
 	*x = Request{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_forwarding_types_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_forwarding_types_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Request) String() string {
@@ -57,7 +55,7 @@ func (*Request) ProtoMessage() {}
 
 func (x *Request) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_forwarding_types_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -142,11 +140,9 @@ type URL struct {
 
 func (x *URL) Reset() {
 	*x = URL{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_forwarding_types_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_forwarding_types_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *URL) String() string {
@@ -157,7 +153,7 @@ func (*URL) ProtoMessage() {}
 
 func (x *URL) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_forwarding_types_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -231,11 +227,9 @@ type HeaderEntry struct {
 
 func (x *HeaderEntry) Reset() {
 	*x = HeaderEntry{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_forwarding_types_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_forwarding_types_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *HeaderEntry) String() string {
@@ -246,7 +240,7 @@ func (*HeaderEntry) ProtoMessage() {}
 
 func (x *HeaderEntry) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_forwarding_types_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -286,11 +280,9 @@ type Response struct {
 
 func (x *Response) Reset() {
 	*x = Response{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_forwarding_types_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_forwarding_types_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Response) String() string {
@@ -301,7 +293,7 @@ func (*Response) ProtoMessage() {}
 
 func (x *Response) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_forwarding_types_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -448,56 +440,6 @@ func file_helper_forwarding_types_proto_init() {
 	if File_helper_forwarding_types_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_helper_forwarding_types_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Request); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_forwarding_types_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*URL); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_forwarding_types_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*HeaderEntry); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_forwarding_types_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*Response); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/helper/identity/mfa/types.pb.go b/helper/identity/mfa/types.pb.go
index 55c992fc8a09..e12266b58612 100644
--- a/helper/identity/mfa/types.pb.go
+++ b/helper/identity/mfa/types.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: helper/identity/mfa/types.proto
 
@@ -57,11 +57,9 @@ type Config struct {
 
 func (x *Config) Reset() {
 	*x = Config{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_mfa_types_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_mfa_types_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Config) String() string {
@@ -72,7 +70,7 @@ func (*Config) ProtoMessage() {}
 
 func (x *Config) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_mfa_types_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -222,11 +220,9 @@ type TOTPConfig struct {
 
 func (x *TOTPConfig) Reset() {
 	*x = TOTPConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_mfa_types_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_mfa_types_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *TOTPConfig) String() string {
@@ -237,7 +233,7 @@ func (*TOTPConfig) ProtoMessage() {}
 
 func (x *TOTPConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_mfa_types_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -329,11 +325,9 @@ type DuoConfig struct {
 
 func (x *DuoConfig) Reset() {
 	*x = DuoConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_mfa_types_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_mfa_types_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *DuoConfig) String() string {
@@ -344,7 +338,7 @@ func (*DuoConfig) ProtoMessage() {}
 
 func (x *DuoConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_mfa_types_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -415,11 +409,9 @@ type OktaConfig struct {
 
 func (x *OktaConfig) Reset() {
 	*x = OktaConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_mfa_types_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_mfa_types_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *OktaConfig) String() string {
@@ -430,7 +422,7 @@ func (*OktaConfig) ProtoMessage() {}
 
 func (x *OktaConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_mfa_types_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -504,11 +496,9 @@ type PingIDConfig struct {
 
 func (x *PingIDConfig) Reset() {
 	*x = PingIDConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_mfa_types_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_mfa_types_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PingIDConfig) String() string {
@@ -519,7 +509,7 @@ func (*PingIDConfig) ProtoMessage() {}
 
 func (x *PingIDConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_mfa_types_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -600,11 +590,9 @@ type Secret struct {
 
 func (x *Secret) Reset() {
 	*x = Secret{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_mfa_types_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_mfa_types_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Secret) String() string {
@@ -615,7 +603,7 @@ func (*Secret) ProtoMessage() {}
 
 func (x *Secret) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_mfa_types_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -691,11 +679,9 @@ type TOTPSecret struct {
 
 func (x *TOTPSecret) Reset() {
 	*x = TOTPSecret{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_mfa_types_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_mfa_types_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *TOTPSecret) String() string {
@@ -706,7 +692,7 @@ func (*TOTPSecret) ProtoMessage() {}
 
 func (x *TOTPSecret) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_mfa_types_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -796,11 +782,9 @@ type MFAEnforcementConfig struct {
 
 func (x *MFAEnforcementConfig) Reset() {
 	*x = MFAEnforcementConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_mfa_types_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_mfa_types_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *MFAEnforcementConfig) String() string {
@@ -811,7 +795,7 @@ func (*MFAEnforcementConfig) ProtoMessage() {}
 
 func (x *MFAEnforcementConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_mfa_types_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1052,104 +1036,6 @@ func file_helper_identity_mfa_types_proto_init() {
 	if File_helper_identity_mfa_types_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_helper_identity_mfa_types_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Config); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_mfa_types_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*TOTPConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_mfa_types_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*DuoConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_mfa_types_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*OktaConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_mfa_types_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*PingIDConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_mfa_types_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*Secret); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_mfa_types_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*TOTPSecret); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_mfa_types_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*MFAEnforcementConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	file_helper_identity_mfa_types_proto_msgTypes[0].OneofWrappers = []any{
 		(*Config_TOTPConfig)(nil),
 		(*Config_OktaConfig)(nil),
diff --git a/helper/identity/types.pb.go b/helper/identity/types.pb.go
index fbdcb636735d..40f8bdf6894b 100644
--- a/helper/identity/types.pb.go
+++ b/helper/identity/types.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: helper/identity/types.proto
 
@@ -86,11 +86,9 @@ type Group struct {
 
 func (x *Group) Reset() {
 	*x = Group{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_types_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_types_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Group) String() string {
@@ -101,7 +99,7 @@ func (*Group) ProtoMessage() {}
 
 func (x *Group) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_types_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -219,11 +217,9 @@ type LocalAliases struct {
 
 func (x *LocalAliases) Reset() {
 	*x = LocalAliases{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_types_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_types_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *LocalAliases) String() string {
@@ -234,7 +230,7 @@ func (*LocalAliases) ProtoMessage() {}
 
 func (x *LocalAliases) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_types_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -325,11 +321,9 @@ type Entity struct {
 
 func (x *Entity) Reset() {
 	*x = Entity{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_types_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_types_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Entity) String() string {
@@ -340,7 +334,7 @@ func (*Entity) ProtoMessage() {}
 
 func (x *Entity) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_types_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -510,11 +504,9 @@ type Alias struct {
 
 func (x *Alias) Reset() {
 	*x = Alias{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_types_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_types_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Alias) String() string {
@@ -525,7 +517,7 @@ func (*Alias) ProtoMessage() {}
 
 func (x *Alias) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_types_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -658,11 +650,9 @@ type EntityStorageEntry struct {
 
 func (x *EntityStorageEntry) Reset() {
 	*x = EntityStorageEntry{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_types_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_types_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EntityStorageEntry) String() string {
@@ -673,7 +663,7 @@ func (*EntityStorageEntry) ProtoMessage() {}
 
 func (x *EntityStorageEntry) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_types_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -778,11 +768,9 @@ type PersonaIndexEntry struct {
 
 func (x *PersonaIndexEntry) Reset() {
 	*x = PersonaIndexEntry{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_identity_types_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_identity_types_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PersonaIndexEntry) String() string {
@@ -793,7 +781,7 @@ func (*PersonaIndexEntry) ProtoMessage() {}
 
 func (x *PersonaIndexEntry) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_identity_types_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1161,80 +1149,6 @@ func file_helper_identity_types_proto_init() {
 	if File_helper_identity_types_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_helper_identity_types_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Group); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_types_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*LocalAliases); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_types_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*Entity); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_types_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*Alias); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_types_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*EntityStorageEntry); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_identity_types_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*PersonaIndexEntry); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/helper/storagepacker/types.pb.go b/helper/storagepacker/types.pb.go
index fd73a0ebb2e9..0e0f4d9eb720 100644
--- a/helper/storagepacker/types.pb.go
+++ b/helper/storagepacker/types.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: helper/storagepacker/types.proto
 
@@ -42,11 +42,9 @@ type Item struct {
 
 func (x *Item) Reset() {
 	*x = Item{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_storagepacker_types_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_storagepacker_types_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Item) String() string {
@@ -57,7 +55,7 @@ func (*Item) ProtoMessage() {}
 
 func (x *Item) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_storagepacker_types_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -107,11 +105,9 @@ type Bucket struct {
 
 func (x *Bucket) Reset() {
 	*x = Bucket{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_helper_storagepacker_types_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_helper_storagepacker_types_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Bucket) String() string {
@@ -122,7 +118,7 @@ func (*Bucket) ProtoMessage() {}
 
 func (x *Bucket) ProtoReflect() protoreflect.Message {
 	mi := &file_helper_storagepacker_types_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -226,32 +222,6 @@ func file_helper_storagepacker_types_proto_init() {
 	if File_helper_storagepacker_types_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_helper_storagepacker_types_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Item); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_helper_storagepacker_types_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*Bucket); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/physical/raft/types.pb.go b/physical/raft/types.pb.go
index 9790739d7c88..15f60d8f4b5e 100644
--- a/physical/raft/types.pb.go
+++ b/physical/raft/types.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: physical/raft/types.proto
 
@@ -40,11 +40,9 @@ type LogOperation struct {
 
 func (x *LogOperation) Reset() {
 	*x = LogOperation{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_physical_raft_types_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_physical_raft_types_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *LogOperation) String() string {
@@ -55,7 +53,7 @@ func (*LogOperation) ProtoMessage() {}
 
 func (x *LogOperation) ProtoReflect() protoreflect.Message {
 	mi := &file_physical_raft_types_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -108,11 +106,9 @@ type LogData struct {
 
 func (x *LogData) Reset() {
 	*x = LogData{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_physical_raft_types_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_physical_raft_types_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *LogData) String() string {
@@ -123,7 +119,7 @@ func (*LogData) ProtoMessage() {}
 
 func (x *LogData) ProtoReflect() protoreflect.Message {
 	mi := &file_physical_raft_types_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -156,11 +152,9 @@ type IndexValue struct {
 
 func (x *IndexValue) Reset() {
 	*x = IndexValue{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_physical_raft_types_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_physical_raft_types_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *IndexValue) String() string {
@@ -171,7 +165,7 @@ func (*IndexValue) ProtoMessage() {}
 
 func (x *IndexValue) ProtoReflect() protoreflect.Message {
 	mi := &file_physical_raft_types_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -212,11 +206,9 @@ type Server struct {
 
 func (x *Server) Reset() {
 	*x = Server{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_physical_raft_types_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_physical_raft_types_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Server) String() string {
@@ -227,7 +219,7 @@ func (*Server) ProtoMessage() {}
 
 func (x *Server) ProtoReflect() protoreflect.Message {
 	mi := &file_physical_raft_types_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -274,11 +266,9 @@ type ConfigurationValue struct {
 
 func (x *ConfigurationValue) Reset() {
 	*x = ConfigurationValue{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_physical_raft_types_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_physical_raft_types_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ConfigurationValue) String() string {
@@ -289,7 +279,7 @@ func (*ConfigurationValue) ProtoMessage() {}
 
 func (x *ConfigurationValue) ProtoReflect() protoreflect.Message {
 	mi := &file_physical_raft_types_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -328,11 +318,9 @@ type LocalNodeConfigValue struct {
 
 func (x *LocalNodeConfigValue) Reset() {
 	*x = LocalNodeConfigValue{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_physical_raft_types_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_physical_raft_types_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *LocalNodeConfigValue) String() string {
@@ -343,7 +331,7 @@ func (*LocalNodeConfigValue) ProtoMessage() {}
 
 func (x *LocalNodeConfigValue) ProtoReflect() protoreflect.Message {
 	mi := &file_physical_raft_types_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -440,80 +428,6 @@ func file_physical_raft_types_proto_init() {
 	if File_physical_raft_types_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_physical_raft_types_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*LogOperation); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_physical_raft_types_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*LogData); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_physical_raft_types_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*IndexValue); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_physical_raft_types_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*Server); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_physical_raft_types_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*ConfigurationValue); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_physical_raft_types_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*LocalNodeConfigValue); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/sdk/database/dbplugin/database.pb.go b/sdk/database/dbplugin/database.pb.go
index 825813ec9349..cd03bead7642 100644
--- a/sdk/database/dbplugin/database.pb.go
+++ b/sdk/database/dbplugin/database.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: sdk/database/dbplugin/database.proto
 
@@ -36,11 +36,9 @@ type InitializeRequest struct {
 
 func (x *InitializeRequest) Reset() {
 	*x = InitializeRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *InitializeRequest) String() string {
@@ -51,7 +49,7 @@ func (*InitializeRequest) ProtoMessage() {}
 
 func (x *InitializeRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -91,11 +89,9 @@ type InitRequest struct {
 
 func (x *InitRequest) Reset() {
 	*x = InitRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *InitRequest) String() string {
@@ -106,7 +102,7 @@ func (*InitRequest) ProtoMessage() {}
 
 func (x *InitRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -147,11 +143,9 @@ type CreateUserRequest struct {
 
 func (x *CreateUserRequest) Reset() {
 	*x = CreateUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *CreateUserRequest) String() string {
@@ -162,7 +156,7 @@ func (*CreateUserRequest) ProtoMessage() {}
 
 func (x *CreateUserRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -210,11 +204,9 @@ type RenewUserRequest struct {
 
 func (x *RenewUserRequest) Reset() {
 	*x = RenewUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *RenewUserRequest) String() string {
@@ -225,7 +217,7 @@ func (*RenewUserRequest) ProtoMessage() {}
 
 func (x *RenewUserRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -272,11 +264,9 @@ type RevokeUserRequest struct {
 
 func (x *RevokeUserRequest) Reset() {
 	*x = RevokeUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *RevokeUserRequest) String() string {
@@ -287,7 +277,7 @@ func (*RevokeUserRequest) ProtoMessage() {}
 
 func (x *RevokeUserRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -326,11 +316,9 @@ type RotateRootCredentialsRequest struct {
 
 func (x *RotateRootCredentialsRequest) Reset() {
 	*x = RotateRootCredentialsRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *RotateRootCredentialsRequest) String() string {
@@ -341,7 +329,7 @@ func (*RotateRootCredentialsRequest) ProtoMessage() {}
 
 func (x *RotateRootCredentialsRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -393,11 +381,9 @@ type Statements struct {
 
 func (x *Statements) Reset() {
 	*x = Statements{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Statements) String() string {
@@ -408,7 +394,7 @@ func (*Statements) ProtoMessage() {}
 
 func (x *Statements) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -501,11 +487,9 @@ type UsernameConfig struct {
 
 func (x *UsernameConfig) Reset() {
 	*x = UsernameConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *UsernameConfig) String() string {
@@ -516,7 +500,7 @@ func (*UsernameConfig) ProtoMessage() {}
 
 func (x *UsernameConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -555,11 +539,9 @@ type InitResponse struct {
 
 func (x *InitResponse) Reset() {
 	*x = InitResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *InitResponse) String() string {
@@ -570,7 +552,7 @@ func (*InitResponse) ProtoMessage() {}
 
 func (x *InitResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -603,11 +585,9 @@ type CreateUserResponse struct {
 
 func (x *CreateUserResponse) Reset() {
 	*x = CreateUserResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[9]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *CreateUserResponse) String() string {
@@ -618,7 +598,7 @@ func (*CreateUserResponse) ProtoMessage() {}
 
 func (x *CreateUserResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[9]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -657,11 +637,9 @@ type TypeResponse struct {
 
 func (x *TypeResponse) Reset() {
 	*x = TypeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[10]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *TypeResponse) String() string {
@@ -672,7 +650,7 @@ func (*TypeResponse) ProtoMessage() {}
 
 func (x *TypeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[10]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -704,11 +682,9 @@ type RotateRootCredentialsResponse struct {
 
 func (x *RotateRootCredentialsResponse) Reset() {
 	*x = RotateRootCredentialsResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[11]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *RotateRootCredentialsResponse) String() string {
@@ -719,7 +695,7 @@ func (*RotateRootCredentialsResponse) ProtoMessage() {}
 
 func (x *RotateRootCredentialsResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[11]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -749,11 +725,9 @@ type Empty struct {
 
 func (x *Empty) Reset() {
 	*x = Empty{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[12]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Empty) String() string {
@@ -764,7 +738,7 @@ func (*Empty) ProtoMessage() {}
 
 func (x *Empty) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[12]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -789,11 +763,9 @@ type GenerateCredentialsResponse struct {
 
 func (x *GenerateCredentialsResponse) Reset() {
 	*x = GenerateCredentialsResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[13]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[13]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *GenerateCredentialsResponse) String() string {
@@ -804,7 +776,7 @@ func (*GenerateCredentialsResponse) ProtoMessage() {}
 
 func (x *GenerateCredentialsResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[13]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -838,11 +810,9 @@ type StaticUserConfig struct {
 
 func (x *StaticUserConfig) Reset() {
 	*x = StaticUserConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[14]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[14]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StaticUserConfig) String() string {
@@ -853,7 +823,7 @@ func (*StaticUserConfig) ProtoMessage() {}
 
 func (x *StaticUserConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[14]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -900,11 +870,9 @@ type SetCredentialsRequest struct {
 
 func (x *SetCredentialsRequest) Reset() {
 	*x = SetCredentialsRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[15]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[15]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SetCredentialsRequest) String() string {
@@ -915,7 +883,7 @@ func (*SetCredentialsRequest) ProtoMessage() {}
 
 func (x *SetCredentialsRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[15]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -955,11 +923,9 @@ type SetCredentialsResponse struct {
 
 func (x *SetCredentialsResponse) Reset() {
 	*x = SetCredentialsResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_database_proto_msgTypes[16]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[16]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SetCredentialsResponse) String() string {
@@ -970,7 +936,7 @@ func (*SetCredentialsResponse) ProtoMessage() {}
 
 func (x *SetCredentialsResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_database_proto_msgTypes[16]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1241,212 +1207,6 @@ func file_sdk_database_dbplugin_database_proto_init() {
 	if File_sdk_database_dbplugin_database_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_sdk_database_dbplugin_database_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*InitializeRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*InitRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*CreateUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*RenewUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*RevokeUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*RotateRootCredentialsRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*Statements); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*UsernameConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[8].Exporter = func(v any, i int) any {
-			switch v := v.(*InitResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[9].Exporter = func(v any, i int) any {
-			switch v := v.(*CreateUserResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[10].Exporter = func(v any, i int) any {
-			switch v := v.(*TypeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[11].Exporter = func(v any, i int) any {
-			switch v := v.(*RotateRootCredentialsResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[12].Exporter = func(v any, i int) any {
-			switch v := v.(*Empty); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[13].Exporter = func(v any, i int) any {
-			switch v := v.(*GenerateCredentialsResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[14].Exporter = func(v any, i int) any {
-			switch v := v.(*StaticUserConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[15].Exporter = func(v any, i int) any {
-			switch v := v.(*SetCredentialsRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_database_proto_msgTypes[16].Exporter = func(v any, i int) any {
-			switch v := v.(*SetCredentialsResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/sdk/database/dbplugin/database_grpc.pb.go b/sdk/database/dbplugin/database_grpc.pb.go
index 57a0c059adf6..b6f20e5cb509 100644
--- a/sdk/database/dbplugin/database_grpc.pb.go
+++ b/sdk/database/dbplugin/database_grpc.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.4.0
+// - protoc-gen-go-grpc v1.5.1
 // - protoc             (unknown)
 // source: sdk/database/dbplugin/database.proto
 
@@ -18,8 +18,8 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.62.0 or later.
-const _ = grpc.SupportPackageIsVersion8
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
 
 const (
 	Database_Type_FullMethodName                  = "/dbplugin.Database/Type"
@@ -162,7 +162,7 @@ func (c *databaseClient) Initialize(ctx context.Context, in *InitializeRequest,
 
 // DatabaseServer is the server API for Database service.
 // All implementations must embed UnimplementedDatabaseServer
-// for forward compatibility
+// for forward compatibility.
 type DatabaseServer interface {
 	Type(context.Context, *Empty) (*TypeResponse, error)
 	CreateUser(context.Context, *CreateUserRequest) (*CreateUserResponse, error)
@@ -178,9 +178,12 @@ type DatabaseServer interface {
 	mustEmbedUnimplementedDatabaseServer()
 }
 
-// UnimplementedDatabaseServer must be embedded to have forward compatible implementations.
-type UnimplementedDatabaseServer struct {
-}
+// UnimplementedDatabaseServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedDatabaseServer struct{}
 
 func (UnimplementedDatabaseServer) Type(context.Context, *Empty) (*TypeResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Type not implemented")
@@ -213,6 +216,7 @@ func (UnimplementedDatabaseServer) Initialize(context.Context, *InitializeReques
 	return nil, status.Errorf(codes.Unimplemented, "method Initialize not implemented")
 }
 func (UnimplementedDatabaseServer) mustEmbedUnimplementedDatabaseServer() {}
+func (UnimplementedDatabaseServer) testEmbeddedByValue()                  {}
 
 // UnsafeDatabaseServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to DatabaseServer will
@@ -222,6 +226,13 @@ type UnsafeDatabaseServer interface {
 }
 
 func RegisterDatabaseServer(s grpc.ServiceRegistrar, srv DatabaseServer) {
+	// If the following call pancis, it indicates UnimplementedDatabaseServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&Database_ServiceDesc, srv)
 }
 
diff --git a/sdk/database/dbplugin/v5/proto/database.pb.go b/sdk/database/dbplugin/v5/proto/database.pb.go
index 376315758927..6b52c6ad0552 100644
--- a/sdk/database/dbplugin/v5/proto/database.pb.go
+++ b/sdk/database/dbplugin/v5/proto/database.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: sdk/database/dbplugin/v5/proto/database.proto
 
@@ -39,11 +39,9 @@ type InitializeRequest struct {
 
 func (x *InitializeRequest) Reset() {
 	*x = InitializeRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *InitializeRequest) String() string {
@@ -54,7 +52,7 @@ func (*InitializeRequest) ProtoMessage() {}
 
 func (x *InitializeRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -93,11 +91,9 @@ type InitializeResponse struct {
 
 func (x *InitializeResponse) Reset() {
 	*x = InitializeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *InitializeResponse) String() string {
@@ -108,7 +104,7 @@ func (*InitializeResponse) ProtoMessage() {}
 
 func (x *InitializeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -147,11 +143,9 @@ type NewUserRequest struct {
 
 func (x *NewUserRequest) Reset() {
 	*x = NewUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *NewUserRequest) String() string {
@@ -162,7 +156,7 @@ func (*NewUserRequest) ProtoMessage() {}
 
 func (x *NewUserRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -244,11 +238,9 @@ type UsernameConfig struct {
 
 func (x *UsernameConfig) Reset() {
 	*x = UsernameConfig{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *UsernameConfig) String() string {
@@ -259,7 +251,7 @@ func (*UsernameConfig) ProtoMessage() {}
 
 func (x *UsernameConfig) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -298,11 +290,9 @@ type NewUserResponse struct {
 
 func (x *NewUserResponse) Reset() {
 	*x = NewUserResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *NewUserResponse) String() string {
@@ -313,7 +303,7 @@ func (*NewUserResponse) ProtoMessage() {}
 
 func (x *NewUserResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -353,11 +343,9 @@ type UpdateUserRequest struct {
 
 func (x *UpdateUserRequest) Reset() {
 	*x = UpdateUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *UpdateUserRequest) String() string {
@@ -368,7 +356,7 @@ func (*UpdateUserRequest) ProtoMessage() {}
 
 func (x *UpdateUserRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -436,11 +424,9 @@ type ChangePassword struct {
 
 func (x *ChangePassword) Reset() {
 	*x = ChangePassword{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ChangePassword) String() string {
@@ -451,7 +437,7 @@ func (*ChangePassword) ProtoMessage() {}
 
 func (x *ChangePassword) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -491,11 +477,9 @@ type ChangePublicKey struct {
 
 func (x *ChangePublicKey) Reset() {
 	*x = ChangePublicKey{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ChangePublicKey) String() string {
@@ -506,7 +490,7 @@ func (*ChangePublicKey) ProtoMessage() {}
 
 func (x *ChangePublicKey) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -546,11 +530,9 @@ type ChangeExpiration struct {
 
 func (x *ChangeExpiration) Reset() {
 	*x = ChangeExpiration{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ChangeExpiration) String() string {
@@ -561,7 +543,7 @@ func (*ChangeExpiration) ProtoMessage() {}
 
 func (x *ChangeExpiration) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -598,11 +580,9 @@ type UpdateUserResponse struct {
 
 func (x *UpdateUserResponse) Reset() {
 	*x = UpdateUserResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[9]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *UpdateUserResponse) String() string {
@@ -613,7 +593,7 @@ func (*UpdateUserResponse) ProtoMessage() {}
 
 func (x *UpdateUserResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[9]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -642,11 +622,9 @@ type DeleteUserRequest struct {
 
 func (x *DeleteUserRequest) Reset() {
 	*x = DeleteUserRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[10]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *DeleteUserRequest) String() string {
@@ -657,7 +635,7 @@ func (*DeleteUserRequest) ProtoMessage() {}
 
 func (x *DeleteUserRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[10]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -694,11 +672,9 @@ type DeleteUserResponse struct {
 
 func (x *DeleteUserResponse) Reset() {
 	*x = DeleteUserResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[11]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *DeleteUserResponse) String() string {
@@ -709,7 +685,7 @@ func (*DeleteUserResponse) ProtoMessage() {}
 
 func (x *DeleteUserResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[11]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -737,11 +713,9 @@ type TypeResponse struct {
 
 func (x *TypeResponse) Reset() {
 	*x = TypeResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[12]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *TypeResponse) String() string {
@@ -752,7 +726,7 @@ func (*TypeResponse) ProtoMessage() {}
 
 func (x *TypeResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[12]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -787,11 +761,9 @@ type Statements struct {
 
 func (x *Statements) Reset() {
 	*x = Statements{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[13]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[13]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Statements) String() string {
@@ -802,7 +774,7 @@ func (*Statements) ProtoMessage() {}
 
 func (x *Statements) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[13]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -832,11 +804,9 @@ type Empty struct {
 
 func (x *Empty) Reset() {
 	*x = Empty{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[14]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[14]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Empty) String() string {
@@ -847,7 +817,7 @@ func (*Empty) ProtoMessage() {}
 
 func (x *Empty) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[14]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1081,188 +1051,6 @@ func file_sdk_database_dbplugin_v5_proto_database_proto_init() {
 	if File_sdk_database_dbplugin_v5_proto_database_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*InitializeRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*InitializeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*NewUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*UsernameConfig); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*NewUserResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*UpdateUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*ChangePassword); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*ChangePublicKey); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[8].Exporter = func(v any, i int) any {
-			switch v := v.(*ChangeExpiration); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[9].Exporter = func(v any, i int) any {
-			switch v := v.(*UpdateUserResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[10].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteUserRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[11].Exporter = func(v any, i int) any {
-			switch v := v.(*DeleteUserResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[12].Exporter = func(v any, i int) any {
-			switch v := v.(*TypeResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[13].Exporter = func(v any, i int) any {
-			switch v := v.(*Statements); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_database_dbplugin_v5_proto_database_proto_msgTypes[14].Exporter = func(v any, i int) any {
-			switch v := v.(*Empty); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/sdk/database/dbplugin/v5/proto/database_grpc.pb.go b/sdk/database/dbplugin/v5/proto/database_grpc.pb.go
index 28c8d775238a..37f366a35ae8 100644
--- a/sdk/database/dbplugin/v5/proto/database_grpc.pb.go
+++ b/sdk/database/dbplugin/v5/proto/database_grpc.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.4.0
+// - protoc-gen-go-grpc v1.5.1
 // - protoc             (unknown)
 // source: sdk/database/dbplugin/v5/proto/database.proto
 
@@ -18,8 +18,8 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.62.0 or later.
-const _ = grpc.SupportPackageIsVersion8
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
 
 const (
 	Database_Initialize_FullMethodName = "/dbplugin.v5.Database/Initialize"
@@ -112,7 +112,7 @@ func (c *databaseClient) Close(ctx context.Context, in *Empty, opts ...grpc.Call
 
 // DatabaseServer is the server API for Database service.
 // All implementations must embed UnimplementedDatabaseServer
-// for forward compatibility
+// for forward compatibility.
 type DatabaseServer interface {
 	Initialize(context.Context, *InitializeRequest) (*InitializeResponse, error)
 	NewUser(context.Context, *NewUserRequest) (*NewUserResponse, error)
@@ -123,9 +123,12 @@ type DatabaseServer interface {
 	mustEmbedUnimplementedDatabaseServer()
 }
 
-// UnimplementedDatabaseServer must be embedded to have forward compatible implementations.
-type UnimplementedDatabaseServer struct {
-}
+// UnimplementedDatabaseServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedDatabaseServer struct{}
 
 func (UnimplementedDatabaseServer) Initialize(context.Context, *InitializeRequest) (*InitializeResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Initialize not implemented")
@@ -146,6 +149,7 @@ func (UnimplementedDatabaseServer) Close(context.Context, *Empty) (*Empty, error
 	return nil, status.Errorf(codes.Unimplemented, "method Close not implemented")
 }
 func (UnimplementedDatabaseServer) mustEmbedUnimplementedDatabaseServer() {}
+func (UnimplementedDatabaseServer) testEmbeddedByValue()                  {}
 
 // UnsafeDatabaseServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to DatabaseServer will
@@ -155,6 +159,13 @@ type UnsafeDatabaseServer interface {
 }
 
 func RegisterDatabaseServer(s grpc.ServiceRegistrar, srv DatabaseServer) {
+	// If the following call pancis, it indicates UnimplementedDatabaseServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&Database_ServiceDesc, srv)
 }
 
diff --git a/sdk/helper/clientcountutil/generation/generate_data.pb.go b/sdk/helper/clientcountutil/generation/generate_data.pb.go
index 29267282e90f..6ecdf98e6fda 100644
--- a/sdk/helper/clientcountutil/generation/generate_data.pb.go
+++ b/sdk/helper/clientcountutil/generation/generate_data.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: sdk/helper/clientcountutil/generation/generate_data.proto
 
@@ -92,11 +92,9 @@ type ActivityLogMockInput struct {
 
 func (x *ActivityLogMockInput) Reset() {
 	*x = ActivityLogMockInput{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ActivityLogMockInput) String() string {
@@ -107,7 +105,7 @@ func (*ActivityLogMockInput) ProtoMessage() {}
 
 func (x *ActivityLogMockInput) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -158,11 +156,9 @@ type Data struct {
 
 func (x *Data) Reset() {
 	*x = Data{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Data) String() string {
@@ -173,7 +169,7 @@ func (*Data) ProtoMessage() {}
 
 func (x *Data) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -293,11 +289,9 @@ type Segments struct {
 
 func (x *Segments) Reset() {
 	*x = Segments{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Segments) String() string {
@@ -308,7 +302,7 @@ func (*Segments) ProtoMessage() {}
 
 func (x *Segments) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -341,11 +335,9 @@ type Segment struct {
 
 func (x *Segment) Reset() {
 	*x = Segment{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Segment) String() string {
@@ -356,7 +348,7 @@ func (*Segment) ProtoMessage() {}
 
 func (x *Segment) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -395,11 +387,9 @@ type Clients struct {
 
 func (x *Clients) Reset() {
 	*x = Clients{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Clients) String() string {
@@ -410,7 +400,7 @@ func (*Clients) ProtoMessage() {}
 
 func (x *Clients) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -448,11 +438,9 @@ type Client struct {
 
 func (x *Client) Reset() {
 	*x = Client{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Client) String() string {
@@ -463,7 +451,7 @@ func (*Client) ProtoMessage() {}
 
 func (x *Client) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -650,80 +638,6 @@ func file_sdk_helper_clientcountutil_generation_generate_data_proto_init() {
 	if File_sdk_helper_clientcountutil_generation_generate_data_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*ActivityLogMockInput); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*Data); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*Segments); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*Segment); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*Clients); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*Client); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	file_sdk_helper_clientcountutil_generation_generate_data_proto_msgTypes[1].OneofWrappers = []any{
 		(*Data_CurrentMonth)(nil),
 		(*Data_MonthsAgo)(nil),
diff --git a/sdk/helper/pluginutil/multiplexing.pb.go b/sdk/helper/pluginutil/multiplexing.pb.go
index 4e6c9f46a2e7..f43f46b28f87 100644
--- a/sdk/helper/pluginutil/multiplexing.pb.go
+++ b/sdk/helper/pluginutil/multiplexing.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: sdk/helper/pluginutil/multiplexing.proto
 
@@ -31,11 +31,9 @@ type MultiplexingSupportRequest struct {
 
 func (x *MultiplexingSupportRequest) Reset() {
 	*x = MultiplexingSupportRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *MultiplexingSupportRequest) String() string {
@@ -46,7 +44,7 @@ func (*MultiplexingSupportRequest) ProtoMessage() {}
 
 func (x *MultiplexingSupportRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -71,11 +69,9 @@ type MultiplexingSupportResponse struct {
 
 func (x *MultiplexingSupportResponse) Reset() {
 	*x = MultiplexingSupportResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *MultiplexingSupportResponse) String() string {
@@ -86,7 +82,7 @@ func (*MultiplexingSupportResponse) ProtoMessage() {}
 
 func (x *MultiplexingSupportResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -169,32 +165,6 @@ func file_sdk_helper_pluginutil_multiplexing_proto_init() {
 	if File_sdk_helper_pluginutil_multiplexing_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*MultiplexingSupportRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*MultiplexingSupportResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/sdk/helper/pluginutil/multiplexing_grpc.pb.go b/sdk/helper/pluginutil/multiplexing_grpc.pb.go
index 0f0df2128ba7..f66aa9151aa9 100644
--- a/sdk/helper/pluginutil/multiplexing_grpc.pb.go
+++ b/sdk/helper/pluginutil/multiplexing_grpc.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.4.0
+// - protoc-gen-go-grpc v1.5.1
 // - protoc             (unknown)
 // source: sdk/helper/pluginutil/multiplexing.proto
 
@@ -18,8 +18,8 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.62.0 or later.
-const _ = grpc.SupportPackageIsVersion8
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
 
 const (
 	PluginMultiplexing_MultiplexingSupport_FullMethodName = "/pluginutil.multiplexing.PluginMultiplexing/MultiplexingSupport"
@@ -52,20 +52,24 @@ func (c *pluginMultiplexingClient) MultiplexingSupport(ctx context.Context, in *
 
 // PluginMultiplexingServer is the server API for PluginMultiplexing service.
 // All implementations must embed UnimplementedPluginMultiplexingServer
-// for forward compatibility
+// for forward compatibility.
 type PluginMultiplexingServer interface {
 	MultiplexingSupport(context.Context, *MultiplexingSupportRequest) (*MultiplexingSupportResponse, error)
 	mustEmbedUnimplementedPluginMultiplexingServer()
 }
 
-// UnimplementedPluginMultiplexingServer must be embedded to have forward compatible implementations.
-type UnimplementedPluginMultiplexingServer struct {
-}
+// UnimplementedPluginMultiplexingServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedPluginMultiplexingServer struct{}
 
 func (UnimplementedPluginMultiplexingServer) MultiplexingSupport(context.Context, *MultiplexingSupportRequest) (*MultiplexingSupportResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method MultiplexingSupport not implemented")
 }
 func (UnimplementedPluginMultiplexingServer) mustEmbedUnimplementedPluginMultiplexingServer() {}
+func (UnimplementedPluginMultiplexingServer) testEmbeddedByValue()                            {}
 
 // UnsafePluginMultiplexingServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to PluginMultiplexingServer will
@@ -75,6 +79,13 @@ type UnsafePluginMultiplexingServer interface {
 }
 
 func RegisterPluginMultiplexingServer(s grpc.ServiceRegistrar, srv PluginMultiplexingServer) {
+	// If the following call pancis, it indicates UnimplementedPluginMultiplexingServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&PluginMultiplexing_ServiceDesc, srv)
 }
 
diff --git a/sdk/logical/event.pb.go b/sdk/logical/event.pb.go
index 1db6d46dc94d..407ab06cc411 100644
--- a/sdk/logical/event.pb.go
+++ b/sdk/logical/event.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: sdk/logical/event.proto
 
@@ -46,11 +46,9 @@ type EventPluginInfo struct {
 
 func (x *EventPluginInfo) Reset() {
 	*x = EventPluginInfo{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_event_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_event_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EventPluginInfo) String() string {
@@ -61,7 +59,7 @@ func (*EventPluginInfo) ProtoMessage() {}
 
 func (x *EventPluginInfo) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_event_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -142,11 +140,9 @@ type EventData struct {
 
 func (x *EventData) Reset() {
 	*x = EventData{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_event_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_event_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EventData) String() string {
@@ -157,7 +153,7 @@ func (*EventData) ProtoMessage() {}
 
 func (x *EventData) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_event_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -216,11 +212,9 @@ type EventReceived struct {
 
 func (x *EventReceived) Reset() {
 	*x = EventReceived{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_event_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_event_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EventReceived) String() string {
@@ -231,7 +225,7 @@ func (*EventReceived) ProtoMessage() {}
 
 func (x *EventReceived) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_event_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -354,44 +348,6 @@ func file_sdk_logical_event_proto_init() {
 	if File_sdk_logical_event_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_sdk_logical_event_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*EventPluginInfo); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_logical_event_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*EventData); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_logical_event_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*EventReceived); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/sdk/logical/identity.pb.go b/sdk/logical/identity.pb.go
index 5f08ce168935..6b5805a08367 100644
--- a/sdk/logical/identity.pb.go
+++ b/sdk/logical/identity.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: sdk/logical/identity.proto
 
@@ -45,11 +45,9 @@ type Entity struct {
 
 func (x *Entity) Reset() {
 	*x = Entity{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_identity_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_identity_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Entity) String() string {
@@ -60,7 +58,7 @@ func (*Entity) ProtoMessage() {}
 
 func (x *Entity) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_identity_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -151,11 +149,9 @@ type Alias struct {
 
 func (x *Alias) Reset() {
 	*x = Alias{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_identity_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_identity_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Alias) String() string {
@@ -166,7 +162,7 @@ func (*Alias) ProtoMessage() {}
 
 func (x *Alias) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_identity_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -255,11 +251,9 @@ type Group struct {
 
 func (x *Group) Reset() {
 	*x = Group{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_identity_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_identity_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Group) String() string {
@@ -270,7 +264,7 @@ func (*Group) ProtoMessage() {}
 
 func (x *Group) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_identity_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -326,11 +320,9 @@ type MFAMethodID struct {
 
 func (x *MFAMethodID) Reset() {
 	*x = MFAMethodID{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_identity_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_identity_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *MFAMethodID) String() string {
@@ -341,7 +333,7 @@ func (*MFAMethodID) ProtoMessage() {}
 
 func (x *MFAMethodID) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_identity_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -394,11 +386,9 @@ type MFAConstraintAny struct {
 
 func (x *MFAConstraintAny) Reset() {
 	*x = MFAConstraintAny{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_identity_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_identity_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *MFAConstraintAny) String() string {
@@ -409,7 +399,7 @@ func (*MFAConstraintAny) ProtoMessage() {}
 
 func (x *MFAConstraintAny) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_identity_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -442,11 +432,9 @@ type MFARequirement struct {
 
 func (x *MFARequirement) Reset() {
 	*x = MFARequirement{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_identity_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_identity_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *MFARequirement) String() string {
@@ -457,7 +445,7 @@ func (*MFARequirement) ProtoMessage() {}
 
 func (x *MFARequirement) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_identity_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -626,80 +614,6 @@ func file_sdk_logical_identity_proto_init() {
 	if File_sdk_logical_identity_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_sdk_logical_identity_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Entity); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_logical_identity_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*Alias); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_logical_identity_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*Group); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_logical_identity_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*MFAMethodID); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_logical_identity_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*MFAConstraintAny); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_logical_identity_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*MFARequirement); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/sdk/logical/plugin.pb.go b/sdk/logical/plugin.pb.go
index 7b8fe8ce723a..5ab2b7b07508 100644
--- a/sdk/logical/plugin.pb.go
+++ b/sdk/logical/plugin.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: sdk/logical/plugin.proto
 
@@ -38,11 +38,9 @@ type PluginEnvironment struct {
 
 func (x *PluginEnvironment) Reset() {
 	*x = PluginEnvironment{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_plugin_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_plugin_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PluginEnvironment) String() string {
@@ -53,7 +51,7 @@ func (*PluginEnvironment) ProtoMessage() {}
 
 func (x *PluginEnvironment) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_plugin_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -139,20 +137,6 @@ func file_sdk_logical_plugin_proto_init() {
 	if File_sdk_logical_plugin_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_sdk_logical_plugin_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*PluginEnvironment); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/sdk/logical/version.pb.go b/sdk/logical/version.pb.go
index abb579096b27..861d07d03c1f 100644
--- a/sdk/logical/version.pb.go
+++ b/sdk/logical/version.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: sdk/logical/version.proto
 
@@ -31,11 +31,9 @@ type Empty struct {
 
 func (x *Empty) Reset() {
 	*x = Empty{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_version_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_version_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Empty) String() string {
@@ -46,7 +44,7 @@ func (*Empty) ProtoMessage() {}
 
 func (x *Empty) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_version_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -72,11 +70,9 @@ type VersionReply struct {
 
 func (x *VersionReply) Reset() {
 	*x = VersionReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_logical_version_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_logical_version_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *VersionReply) String() string {
@@ -87,7 +83,7 @@ func (*VersionReply) ProtoMessage() {}
 
 func (x *VersionReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_logical_version_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -160,32 +156,6 @@ func file_sdk_logical_version_proto_init() {
 	if File_sdk_logical_version_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_sdk_logical_version_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Empty); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_logical_version_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*VersionReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/sdk/logical/version_grpc.pb.go b/sdk/logical/version_grpc.pb.go
index 9aa110fce98f..53bc496d8602 100644
--- a/sdk/logical/version_grpc.pb.go
+++ b/sdk/logical/version_grpc.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.4.0
+// - protoc-gen-go-grpc v1.5.1
 // - protoc             (unknown)
 // source: sdk/logical/version.proto
 
@@ -18,8 +18,8 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.62.0 or later.
-const _ = grpc.SupportPackageIsVersion8
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
 
 const (
 	PluginVersion_Version_FullMethodName = "/logical.PluginVersion/Version"
@@ -55,7 +55,7 @@ func (c *pluginVersionClient) Version(ctx context.Context, in *Empty, opts ...gr
 
 // PluginVersionServer is the server API for PluginVersion service.
 // All implementations must embed UnimplementedPluginVersionServer
-// for forward compatibility
+// for forward compatibility.
 //
 // PluginVersion is an optional RPC service implemented by plugins.
 type PluginVersionServer interface {
@@ -64,14 +64,18 @@ type PluginVersionServer interface {
 	mustEmbedUnimplementedPluginVersionServer()
 }
 
-// UnimplementedPluginVersionServer must be embedded to have forward compatible implementations.
-type UnimplementedPluginVersionServer struct {
-}
+// UnimplementedPluginVersionServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedPluginVersionServer struct{}
 
 func (UnimplementedPluginVersionServer) Version(context.Context, *Empty) (*VersionReply, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Version not implemented")
 }
 func (UnimplementedPluginVersionServer) mustEmbedUnimplementedPluginVersionServer() {}
+func (UnimplementedPluginVersionServer) testEmbeddedByValue()                       {}
 
 // UnsafePluginVersionServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to PluginVersionServer will
@@ -81,6 +85,13 @@ type UnsafePluginVersionServer interface {
 }
 
 func RegisterPluginVersionServer(s grpc.ServiceRegistrar, srv PluginVersionServer) {
+	// If the following call pancis, it indicates UnimplementedPluginVersionServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&PluginVersion_ServiceDesc, srv)
 }
 
diff --git a/sdk/plugin/pb/backend.pb.go b/sdk/plugin/pb/backend.pb.go
index 4c28e80b1378..34572418b4c4 100644
--- a/sdk/plugin/pb/backend.pb.go
+++ b/sdk/plugin/pb/backend.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: sdk/plugin/pb/backend.proto
 
@@ -33,11 +33,9 @@ type Empty struct {
 
 func (x *Empty) Reset() {
 	*x = Empty{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Empty) String() string {
@@ -48,7 +46,7 @@ func (*Empty) ProtoMessage() {}
 
 func (x *Empty) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -73,11 +71,9 @@ type Header struct {
 
 func (x *Header) Reset() {
 	*x = Header{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Header) String() string {
@@ -88,7 +84,7 @@ func (*Header) ProtoMessage() {}
 
 func (x *Header) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -134,11 +130,9 @@ type ProtoError struct {
 
 func (x *ProtoError) Reset() {
 	*x = ProtoError{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ProtoError) String() string {
@@ -149,7 +143,7 @@ func (*ProtoError) ProtoMessage() {}
 
 func (x *ProtoError) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -220,11 +214,9 @@ type Paths struct {
 
 func (x *Paths) Reset() {
 	*x = Paths{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Paths) String() string {
@@ -235,7 +227,7 @@ func (*Paths) ProtoMessage() {}
 
 func (x *Paths) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -374,11 +366,9 @@ type Request struct {
 
 func (x *Request) Reset() {
 	*x = Request{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Request) String() string {
@@ -389,7 +379,7 @@ func (*Request) ProtoMessage() {}
 
 func (x *Request) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -613,11 +603,9 @@ type Auth struct {
 
 func (x *Auth) Reset() {
 	*x = Auth{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Auth) String() string {
@@ -628,7 +616,7 @@ func (*Auth) ProtoMessage() {}
 
 func (x *Auth) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -800,11 +788,9 @@ type TokenEntry struct {
 
 func (x *TokenEntry) Reset() {
 	*x = TokenEntry{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *TokenEntry) String() string {
@@ -815,7 +801,7 @@ func (*TokenEntry) ProtoMessage() {}
 
 func (x *TokenEntry) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -998,11 +984,9 @@ type LeaseOptions struct {
 
 func (x *LeaseOptions) Reset() {
 	*x = LeaseOptions{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *LeaseOptions) String() string {
@@ -1013,7 +997,7 @@ func (*LeaseOptions) ProtoMessage() {}
 
 func (x *LeaseOptions) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1081,11 +1065,9 @@ type Secret struct {
 
 func (x *Secret) Reset() {
 	*x = Secret{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Secret) String() string {
@@ -1096,7 +1078,7 @@ func (*Secret) ProtoMessage() {}
 
 func (x *Secret) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1168,11 +1150,9 @@ type Response struct {
 
 func (x *Response) Reset() {
 	*x = Response{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[9]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Response) String() string {
@@ -1183,7 +1163,7 @@ func (*Response) ProtoMessage() {}
 
 func (x *Response) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[9]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1286,11 +1266,9 @@ type ResponseWrapInfo struct {
 
 func (x *ResponseWrapInfo) Reset() {
 	*x = ResponseWrapInfo{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[10]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ResponseWrapInfo) String() string {
@@ -1301,7 +1279,7 @@ func (*ResponseWrapInfo) ProtoMessage() {}
 
 func (x *ResponseWrapInfo) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[10]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1397,11 +1375,9 @@ type RequestWrapInfo struct {
 
 func (x *RequestWrapInfo) Reset() {
 	*x = RequestWrapInfo{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[11]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *RequestWrapInfo) String() string {
@@ -1412,7 +1388,7 @@ func (*RequestWrapInfo) ProtoMessage() {}
 
 func (x *RequestWrapInfo) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[11]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1460,11 +1436,9 @@ type HandleRequestArgs struct {
 
 func (x *HandleRequestArgs) Reset() {
 	*x = HandleRequestArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[12]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *HandleRequestArgs) String() string {
@@ -1475,7 +1449,7 @@ func (*HandleRequestArgs) ProtoMessage() {}
 
 func (x *HandleRequestArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[12]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1516,11 +1490,9 @@ type HandleRequestReply struct {
 
 func (x *HandleRequestReply) Reset() {
 	*x = HandleRequestReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[13]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[13]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *HandleRequestReply) String() string {
@@ -1531,7 +1503,7 @@ func (*HandleRequestReply) ProtoMessage() {}
 
 func (x *HandleRequestReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[13]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1569,11 +1541,9 @@ type InitializeArgs struct {
 
 func (x *InitializeArgs) Reset() {
 	*x = InitializeArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[14]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[14]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *InitializeArgs) String() string {
@@ -1584,7 +1554,7 @@ func (*InitializeArgs) ProtoMessage() {}
 
 func (x *InitializeArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[14]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1610,11 +1580,9 @@ type InitializeReply struct {
 
 func (x *InitializeReply) Reset() {
 	*x = InitializeReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[15]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[15]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *InitializeReply) String() string {
@@ -1625,7 +1593,7 @@ func (*InitializeReply) ProtoMessage() {}
 
 func (x *InitializeReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[15]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1658,11 +1626,9 @@ type SpecialPathsReply struct {
 
 func (x *SpecialPathsReply) Reset() {
 	*x = SpecialPathsReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[16]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[16]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SpecialPathsReply) String() string {
@@ -1673,7 +1639,7 @@ func (*SpecialPathsReply) ProtoMessage() {}
 
 func (x *SpecialPathsReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[16]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1707,11 +1673,9 @@ type HandleExistenceCheckArgs struct {
 
 func (x *HandleExistenceCheckArgs) Reset() {
 	*x = HandleExistenceCheckArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[17]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[17]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *HandleExistenceCheckArgs) String() string {
@@ -1722,7 +1686,7 @@ func (*HandleExistenceCheckArgs) ProtoMessage() {}
 
 func (x *HandleExistenceCheckArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[17]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1764,11 +1728,9 @@ type HandleExistenceCheckReply struct {
 
 func (x *HandleExistenceCheckReply) Reset() {
 	*x = HandleExistenceCheckReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[18]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[18]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *HandleExistenceCheckReply) String() string {
@@ -1779,7 +1741,7 @@ func (*HandleExistenceCheckReply) ProtoMessage() {}
 
 func (x *HandleExistenceCheckReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[18]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1828,11 +1790,9 @@ type SetupArgs struct {
 
 func (x *SetupArgs) Reset() {
 	*x = SetupArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[19]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[19]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SetupArgs) String() string {
@@ -1843,7 +1803,7 @@ func (*SetupArgs) ProtoMessage() {}
 
 func (x *SetupArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[19]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1890,11 +1850,9 @@ type SetupReply struct {
 
 func (x *SetupReply) Reset() {
 	*x = SetupReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[20]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[20]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SetupReply) String() string {
@@ -1905,7 +1863,7 @@ func (*SetupReply) ProtoMessage() {}
 
 func (x *SetupReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[20]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1938,11 +1896,9 @@ type TypeReply struct {
 
 func (x *TypeReply) Reset() {
 	*x = TypeReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[21]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[21]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *TypeReply) String() string {
@@ -1953,7 +1909,7 @@ func (*TypeReply) ProtoMessage() {}
 
 func (x *TypeReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[21]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1985,11 +1941,9 @@ type InvalidateKeyArgs struct {
 
 func (x *InvalidateKeyArgs) Reset() {
 	*x = InvalidateKeyArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[22]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[22]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *InvalidateKeyArgs) String() string {
@@ -2000,7 +1954,7 @@ func (*InvalidateKeyArgs) ProtoMessage() {}
 
 func (x *InvalidateKeyArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[22]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2034,11 +1988,9 @@ type StorageEntry struct {
 
 func (x *StorageEntry) Reset() {
 	*x = StorageEntry{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[23]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[23]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StorageEntry) String() string {
@@ -2049,7 +2001,7 @@ func (*StorageEntry) ProtoMessage() {}
 
 func (x *StorageEntry) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[23]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2095,11 +2047,9 @@ type StorageListArgs struct {
 
 func (x *StorageListArgs) Reset() {
 	*x = StorageListArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[24]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[24]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StorageListArgs) String() string {
@@ -2110,7 +2060,7 @@ func (*StorageListArgs) ProtoMessage() {}
 
 func (x *StorageListArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[24]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2143,11 +2093,9 @@ type StorageListReply struct {
 
 func (x *StorageListReply) Reset() {
 	*x = StorageListReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[25]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[25]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StorageListReply) String() string {
@@ -2158,7 +2106,7 @@ func (*StorageListReply) ProtoMessage() {}
 
 func (x *StorageListReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[25]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2197,11 +2145,9 @@ type StorageGetArgs struct {
 
 func (x *StorageGetArgs) Reset() {
 	*x = StorageGetArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[26]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[26]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StorageGetArgs) String() string {
@@ -2212,7 +2158,7 @@ func (*StorageGetArgs) ProtoMessage() {}
 
 func (x *StorageGetArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[26]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2245,11 +2191,9 @@ type StorageGetReply struct {
 
 func (x *StorageGetReply) Reset() {
 	*x = StorageGetReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[27]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[27]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StorageGetReply) String() string {
@@ -2260,7 +2204,7 @@ func (*StorageGetReply) ProtoMessage() {}
 
 func (x *StorageGetReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[27]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2299,11 +2243,9 @@ type StoragePutArgs struct {
 
 func (x *StoragePutArgs) Reset() {
 	*x = StoragePutArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[28]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[28]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StoragePutArgs) String() string {
@@ -2314,7 +2256,7 @@ func (*StoragePutArgs) ProtoMessage() {}
 
 func (x *StoragePutArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[28]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2346,11 +2288,9 @@ type StoragePutReply struct {
 
 func (x *StoragePutReply) Reset() {
 	*x = StoragePutReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[29]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[29]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StoragePutReply) String() string {
@@ -2361,7 +2301,7 @@ func (*StoragePutReply) ProtoMessage() {}
 
 func (x *StoragePutReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[29]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2393,11 +2333,9 @@ type StorageDeleteArgs struct {
 
 func (x *StorageDeleteArgs) Reset() {
 	*x = StorageDeleteArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[30]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[30]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StorageDeleteArgs) String() string {
@@ -2408,7 +2346,7 @@ func (*StorageDeleteArgs) ProtoMessage() {}
 
 func (x *StorageDeleteArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[30]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2440,11 +2378,9 @@ type StorageDeleteReply struct {
 
 func (x *StorageDeleteReply) Reset() {
 	*x = StorageDeleteReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[31]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[31]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *StorageDeleteReply) String() string {
@@ -2455,7 +2391,7 @@ func (*StorageDeleteReply) ProtoMessage() {}
 
 func (x *StorageDeleteReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[31]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2487,11 +2423,9 @@ type TTLReply struct {
 
 func (x *TTLReply) Reset() {
 	*x = TTLReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[32]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[32]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *TTLReply) String() string {
@@ -2502,7 +2436,7 @@ func (*TTLReply) ProtoMessage() {}
 
 func (x *TTLReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[32]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2534,11 +2468,9 @@ type TaintedReply struct {
 
 func (x *TaintedReply) Reset() {
 	*x = TaintedReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[33]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[33]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *TaintedReply) String() string {
@@ -2549,7 +2481,7 @@ func (*TaintedReply) ProtoMessage() {}
 
 func (x *TaintedReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[33]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2581,11 +2513,9 @@ type CachingDisabledReply struct {
 
 func (x *CachingDisabledReply) Reset() {
 	*x = CachingDisabledReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[34]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[34]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *CachingDisabledReply) String() string {
@@ -2596,7 +2526,7 @@ func (*CachingDisabledReply) ProtoMessage() {}
 
 func (x *CachingDisabledReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[34]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2628,11 +2558,9 @@ type ReplicationStateReply struct {
 
 func (x *ReplicationStateReply) Reset() {
 	*x = ReplicationStateReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[35]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[35]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ReplicationStateReply) String() string {
@@ -2643,7 +2571,7 @@ func (*ReplicationStateReply) ProtoMessage() {}
 
 func (x *ReplicationStateReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[35]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2677,11 +2605,9 @@ type ResponseWrapDataArgs struct {
 
 func (x *ResponseWrapDataArgs) Reset() {
 	*x = ResponseWrapDataArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[36]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[36]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ResponseWrapDataArgs) String() string {
@@ -2692,7 +2618,7 @@ func (*ResponseWrapDataArgs) ProtoMessage() {}
 
 func (x *ResponseWrapDataArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[36]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2739,11 +2665,9 @@ type ResponseWrapDataReply struct {
 
 func (x *ResponseWrapDataReply) Reset() {
 	*x = ResponseWrapDataReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[37]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[37]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ResponseWrapDataReply) String() string {
@@ -2754,7 +2678,7 @@ func (*ResponseWrapDataReply) ProtoMessage() {}
 
 func (x *ResponseWrapDataReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[37]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2793,11 +2717,9 @@ type MlockEnabledReply struct {
 
 func (x *MlockEnabledReply) Reset() {
 	*x = MlockEnabledReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[38]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[38]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *MlockEnabledReply) String() string {
@@ -2808,7 +2730,7 @@ func (*MlockEnabledReply) ProtoMessage() {}
 
 func (x *MlockEnabledReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[38]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2840,11 +2762,9 @@ type LocalMountReply struct {
 
 func (x *LocalMountReply) Reset() {
 	*x = LocalMountReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[39]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[39]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *LocalMountReply) String() string {
@@ -2855,7 +2775,7 @@ func (*LocalMountReply) ProtoMessage() {}
 
 func (x *LocalMountReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[39]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2887,11 +2807,9 @@ type EntityInfoArgs struct {
 
 func (x *EntityInfoArgs) Reset() {
 	*x = EntityInfoArgs{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[40]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[40]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EntityInfoArgs) String() string {
@@ -2902,7 +2820,7 @@ func (*EntityInfoArgs) ProtoMessage() {}
 
 func (x *EntityInfoArgs) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[40]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2935,11 +2853,9 @@ type EntityInfoReply struct {
 
 func (x *EntityInfoReply) Reset() {
 	*x = EntityInfoReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[41]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[41]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EntityInfoReply) String() string {
@@ -2950,7 +2866,7 @@ func (*EntityInfoReply) ProtoMessage() {}
 
 func (x *EntityInfoReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[41]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -2990,11 +2906,9 @@ type GroupsForEntityReply struct {
 
 func (x *GroupsForEntityReply) Reset() {
 	*x = GroupsForEntityReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[42]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[42]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *GroupsForEntityReply) String() string {
@@ -3005,7 +2919,7 @@ func (*GroupsForEntityReply) ProtoMessage() {}
 
 func (x *GroupsForEntityReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[42]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3045,11 +2959,9 @@ type PluginEnvReply struct {
 
 func (x *PluginEnvReply) Reset() {
 	*x = PluginEnvReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[43]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[43]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PluginEnvReply) String() string {
@@ -3060,7 +2972,7 @@ func (*PluginEnvReply) ProtoMessage() {}
 
 func (x *PluginEnvReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[43]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3099,11 +3011,9 @@ type GeneratePasswordFromPolicyRequest struct {
 
 func (x *GeneratePasswordFromPolicyRequest) Reset() {
 	*x = GeneratePasswordFromPolicyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[44]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[44]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *GeneratePasswordFromPolicyRequest) String() string {
@@ -3114,7 +3024,7 @@ func (*GeneratePasswordFromPolicyRequest) ProtoMessage() {}
 
 func (x *GeneratePasswordFromPolicyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[44]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3146,11 +3056,9 @@ type GeneratePasswordFromPolicyReply struct {
 
 func (x *GeneratePasswordFromPolicyReply) Reset() {
 	*x = GeneratePasswordFromPolicyReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[45]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[45]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *GeneratePasswordFromPolicyReply) String() string {
@@ -3161,7 +3069,7 @@ func (*GeneratePasswordFromPolicyReply) ProtoMessage() {}
 
 func (x *GeneratePasswordFromPolicyReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[45]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3195,11 +3103,9 @@ type ClusterInfoReply struct {
 
 func (x *ClusterInfoReply) Reset() {
 	*x = ClusterInfoReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[46]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[46]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ClusterInfoReply) String() string {
@@ -3210,7 +3116,7 @@ func (*ClusterInfoReply) ProtoMessage() {}
 
 func (x *ClusterInfoReply) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[46]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3257,11 +3163,9 @@ type GenerateIdentityTokenRequest struct {
 
 func (x *GenerateIdentityTokenRequest) Reset() {
 	*x = GenerateIdentityTokenRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[47]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[47]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *GenerateIdentityTokenRequest) String() string {
@@ -3272,7 +3176,7 @@ func (*GenerateIdentityTokenRequest) ProtoMessage() {}
 
 func (x *GenerateIdentityTokenRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[47]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3312,11 +3216,9 @@ type GenerateIdentityTokenResponse struct {
 
 func (x *GenerateIdentityTokenResponse) Reset() {
 	*x = GenerateIdentityTokenResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[48]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[48]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *GenerateIdentityTokenResponse) String() string {
@@ -3327,7 +3229,7 @@ func (*GenerateIdentityTokenResponse) ProtoMessage() {}
 
 func (x *GenerateIdentityTokenResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[48]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3372,11 +3274,9 @@ type Connection struct {
 
 func (x *Connection) Reset() {
 	*x = Connection{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[49]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[49]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Connection) String() string {
@@ -3387,7 +3287,7 @@ func (*Connection) ProtoMessage() {}
 
 func (x *Connection) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[49]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3444,11 +3344,9 @@ type ConnectionState struct {
 
 func (x *ConnectionState) Reset() {
 	*x = ConnectionState{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[50]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[50]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ConnectionState) String() string {
@@ -3459,7 +3357,7 @@ func (*ConnectionState) ProtoMessage() {}
 
 func (x *ConnectionState) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[50]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3568,11 +3466,9 @@ type Certificate struct {
 
 func (x *Certificate) Reset() {
 	*x = Certificate{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[51]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[51]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Certificate) String() string {
@@ -3583,7 +3479,7 @@ func (*Certificate) ProtoMessage() {}
 
 func (x *Certificate) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[51]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3615,11 +3511,9 @@ type CertificateChain struct {
 
 func (x *CertificateChain) Reset() {
 	*x = CertificateChain{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[52]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[52]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *CertificateChain) String() string {
@@ -3630,7 +3524,7 @@ func (*CertificateChain) ProtoMessage() {}
 
 func (x *CertificateChain) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[52]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -3663,11 +3557,9 @@ type SendEventRequest struct {
 
 func (x *SendEventRequest) Reset() {
 	*x = SendEventRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_sdk_plugin_pb_backend_proto_msgTypes[53]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[53]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SendEventRequest) String() string {
@@ -3678,7 +3570,7 @@ func (*SendEventRequest) ProtoMessage() {}
 
 func (x *SendEventRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_sdk_plugin_pb_backend_proto_msgTypes[53]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -4462,656 +4354,6 @@ func file_sdk_plugin_pb_backend_proto_init() {
 	if File_sdk_plugin_pb_backend_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_sdk_plugin_pb_backend_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*Empty); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*Header); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*ProtoError); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*Paths); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*Request); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*Auth); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*TokenEntry); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*LeaseOptions); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[8].Exporter = func(v any, i int) any {
-			switch v := v.(*Secret); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[9].Exporter = func(v any, i int) any {
-			switch v := v.(*Response); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[10].Exporter = func(v any, i int) any {
-			switch v := v.(*ResponseWrapInfo); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[11].Exporter = func(v any, i int) any {
-			switch v := v.(*RequestWrapInfo); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[12].Exporter = func(v any, i int) any {
-			switch v := v.(*HandleRequestArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[13].Exporter = func(v any, i int) any {
-			switch v := v.(*HandleRequestReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[14].Exporter = func(v any, i int) any {
-			switch v := v.(*InitializeArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[15].Exporter = func(v any, i int) any {
-			switch v := v.(*InitializeReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[16].Exporter = func(v any, i int) any {
-			switch v := v.(*SpecialPathsReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[17].Exporter = func(v any, i int) any {
-			switch v := v.(*HandleExistenceCheckArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[18].Exporter = func(v any, i int) any {
-			switch v := v.(*HandleExistenceCheckReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[19].Exporter = func(v any, i int) any {
-			switch v := v.(*SetupArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[20].Exporter = func(v any, i int) any {
-			switch v := v.(*SetupReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[21].Exporter = func(v any, i int) any {
-			switch v := v.(*TypeReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[22].Exporter = func(v any, i int) any {
-			switch v := v.(*InvalidateKeyArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[23].Exporter = func(v any, i int) any {
-			switch v := v.(*StorageEntry); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[24].Exporter = func(v any, i int) any {
-			switch v := v.(*StorageListArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[25].Exporter = func(v any, i int) any {
-			switch v := v.(*StorageListReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[26].Exporter = func(v any, i int) any {
-			switch v := v.(*StorageGetArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[27].Exporter = func(v any, i int) any {
-			switch v := v.(*StorageGetReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[28].Exporter = func(v any, i int) any {
-			switch v := v.(*StoragePutArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[29].Exporter = func(v any, i int) any {
-			switch v := v.(*StoragePutReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[30].Exporter = func(v any, i int) any {
-			switch v := v.(*StorageDeleteArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[31].Exporter = func(v any, i int) any {
-			switch v := v.(*StorageDeleteReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[32].Exporter = func(v any, i int) any {
-			switch v := v.(*TTLReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[33].Exporter = func(v any, i int) any {
-			switch v := v.(*TaintedReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[34].Exporter = func(v any, i int) any {
-			switch v := v.(*CachingDisabledReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[35].Exporter = func(v any, i int) any {
-			switch v := v.(*ReplicationStateReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[36].Exporter = func(v any, i int) any {
-			switch v := v.(*ResponseWrapDataArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[37].Exporter = func(v any, i int) any {
-			switch v := v.(*ResponseWrapDataReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[38].Exporter = func(v any, i int) any {
-			switch v := v.(*MlockEnabledReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[39].Exporter = func(v any, i int) any {
-			switch v := v.(*LocalMountReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[40].Exporter = func(v any, i int) any {
-			switch v := v.(*EntityInfoArgs); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[41].Exporter = func(v any, i int) any {
-			switch v := v.(*EntityInfoReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[42].Exporter = func(v any, i int) any {
-			switch v := v.(*GroupsForEntityReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[43].Exporter = func(v any, i int) any {
-			switch v := v.(*PluginEnvReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[44].Exporter = func(v any, i int) any {
-			switch v := v.(*GeneratePasswordFromPolicyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[45].Exporter = func(v any, i int) any {
-			switch v := v.(*GeneratePasswordFromPolicyReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[46].Exporter = func(v any, i int) any {
-			switch v := v.(*ClusterInfoReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[47].Exporter = func(v any, i int) any {
-			switch v := v.(*GenerateIdentityTokenRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[48].Exporter = func(v any, i int) any {
-			switch v := v.(*GenerateIdentityTokenResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[49].Exporter = func(v any, i int) any {
-			switch v := v.(*Connection); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[50].Exporter = func(v any, i int) any {
-			switch v := v.(*ConnectionState); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[51].Exporter = func(v any, i int) any {
-			switch v := v.(*Certificate); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[52].Exporter = func(v any, i int) any {
-			switch v := v.(*CertificateChain); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_sdk_plugin_pb_backend_proto_msgTypes[53].Exporter = func(v any, i int) any {
-			switch v := v.(*SendEventRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/sdk/plugin/pb/backend_grpc.pb.go b/sdk/plugin/pb/backend_grpc.pb.go
index 322e723f1560..65d59ae77abc 100644
--- a/sdk/plugin/pb/backend_grpc.pb.go
+++ b/sdk/plugin/pb/backend_grpc.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.4.0
+// - protoc-gen-go-grpc v1.5.1
 // - protoc             (unknown)
 // source: sdk/plugin/pb/backend.proto
 
@@ -18,8 +18,8 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.62.0 or later.
-const _ = grpc.SupportPackageIsVersion8
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
 
 const (
 	Backend_HandleRequest_FullMethodName        = "/pb.Backend/HandleRequest"
@@ -167,7 +167,7 @@ func (c *backendClient) Type(ctx context.Context, in *Empty, opts ...grpc.CallOp
 
 // BackendServer is the server API for Backend service.
 // All implementations must embed UnimplementedBackendServer
-// for forward compatibility
+// for forward compatibility.
 //
 // Backend is the interface that plugins must satisfy. The plugin should
 // implement the server for this service. Requests will first run the
@@ -211,9 +211,12 @@ type BackendServer interface {
 	mustEmbedUnimplementedBackendServer()
 }
 
-// UnimplementedBackendServer must be embedded to have forward compatible implementations.
-type UnimplementedBackendServer struct {
-}
+// UnimplementedBackendServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedBackendServer struct{}
 
 func (UnimplementedBackendServer) HandleRequest(context.Context, *HandleRequestArgs) (*HandleRequestReply, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method HandleRequest not implemented")
@@ -240,6 +243,7 @@ func (UnimplementedBackendServer) Type(context.Context, *Empty) (*TypeReply, err
 	return nil, status.Errorf(codes.Unimplemented, "method Type not implemented")
 }
 func (UnimplementedBackendServer) mustEmbedUnimplementedBackendServer() {}
+func (UnimplementedBackendServer) testEmbeddedByValue()                 {}
 
 // UnsafeBackendServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to BackendServer will
@@ -249,6 +253,13 @@ type UnsafeBackendServer interface {
 }
 
 func RegisterBackendServer(s grpc.ServiceRegistrar, srv BackendServer) {
+	// If the following call pancis, it indicates UnimplementedBackendServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&Backend_ServiceDesc, srv)
 }
 
@@ -510,7 +521,7 @@ func (c *storageClient) Delete(ctx context.Context, in *StorageDeleteArgs, opts
 
 // StorageServer is the server API for Storage service.
 // All implementations must embed UnimplementedStorageServer
-// for forward compatibility
+// for forward compatibility.
 //
 // Storage is the way that plugins are able read/write data. Plugins should
 // implement the client for this service.
@@ -522,9 +533,12 @@ type StorageServer interface {
 	mustEmbedUnimplementedStorageServer()
 }
 
-// UnimplementedStorageServer must be embedded to have forward compatible implementations.
-type UnimplementedStorageServer struct {
-}
+// UnimplementedStorageServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedStorageServer struct{}
 
 func (UnimplementedStorageServer) List(context.Context, *StorageListArgs) (*StorageListReply, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method List not implemented")
@@ -539,6 +553,7 @@ func (UnimplementedStorageServer) Delete(context.Context, *StorageDeleteArgs) (*
 	return nil, status.Errorf(codes.Unimplemented, "method Delete not implemented")
 }
 func (UnimplementedStorageServer) mustEmbedUnimplementedStorageServer() {}
+func (UnimplementedStorageServer) testEmbeddedByValue()                 {}
 
 // UnsafeStorageServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to StorageServer will
@@ -548,6 +563,13 @@ type UnsafeStorageServer interface {
 }
 
 func RegisterStorageServer(s grpc.ServiceRegistrar, srv StorageServer) {
+	// If the following call pancis, it indicates UnimplementedStorageServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&Storage_ServiceDesc, srv)
 }
 
@@ -869,7 +891,7 @@ func (c *systemViewClient) GenerateIdentityToken(ctx context.Context, in *Genera
 
 // SystemViewServer is the server API for SystemView service.
 // All implementations must embed UnimplementedSystemViewServer
-// for forward compatibility
+// for forward compatibility.
 //
 // SystemView exposes system configuration information in a safe way for plugins
 // to consume. Plugins should implement the client for this service.
@@ -919,9 +941,12 @@ type SystemViewServer interface {
 	mustEmbedUnimplementedSystemViewServer()
 }
 
-// UnimplementedSystemViewServer must be embedded to have forward compatible implementations.
-type UnimplementedSystemViewServer struct {
-}
+// UnimplementedSystemViewServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedSystemViewServer struct{}
 
 func (UnimplementedSystemViewServer) DefaultLeaseTTL(context.Context, *Empty) (*TTLReply, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DefaultLeaseTTL not implemented")
@@ -966,6 +991,7 @@ func (UnimplementedSystemViewServer) GenerateIdentityToken(context.Context, *Gen
 	return nil, status.Errorf(codes.Unimplemented, "method GenerateIdentityToken not implemented")
 }
 func (UnimplementedSystemViewServer) mustEmbedUnimplementedSystemViewServer() {}
+func (UnimplementedSystemViewServer) testEmbeddedByValue()                    {}
 
 // UnsafeSystemViewServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to SystemViewServer will
@@ -975,6 +1001,13 @@ type UnsafeSystemViewServer interface {
 }
 
 func RegisterSystemViewServer(s grpc.ServiceRegistrar, srv SystemViewServer) {
+	// If the following call pancis, it indicates UnimplementedSystemViewServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&SystemView_ServiceDesc, srv)
 }
 
@@ -1329,20 +1362,24 @@ func (c *eventsClient) SendEvent(ctx context.Context, in *SendEventRequest, opts
 
 // EventsServer is the server API for Events service.
 // All implementations must embed UnimplementedEventsServer
-// for forward compatibility
+// for forward compatibility.
 type EventsServer interface {
 	SendEvent(context.Context, *SendEventRequest) (*Empty, error)
 	mustEmbedUnimplementedEventsServer()
 }
 
-// UnimplementedEventsServer must be embedded to have forward compatible implementations.
-type UnimplementedEventsServer struct {
-}
+// UnimplementedEventsServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedEventsServer struct{}
 
 func (UnimplementedEventsServer) SendEvent(context.Context, *SendEventRequest) (*Empty, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SendEvent not implemented")
 }
 func (UnimplementedEventsServer) mustEmbedUnimplementedEventsServer() {}
+func (UnimplementedEventsServer) testEmbeddedByValue()                {}
 
 // UnsafeEventsServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to EventsServer will
@@ -1352,6 +1389,13 @@ type UnsafeEventsServer interface {
 }
 
 func RegisterEventsServer(s grpc.ServiceRegistrar, srv EventsServer) {
+	// If the following call pancis, it indicates UnimplementedEventsServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&Events_ServiceDesc, srv)
 }
 
diff --git a/tools/tools.sh b/tools/tools.sh
index 8a8dffa7dddb..d6002563c52f 100755
--- a/tools/tools.sh
+++ b/tools/tools.sh
@@ -46,7 +46,7 @@ install_external() {
     github.com/rinchsan/gosimports/cmd/gosimports@latest
     golang.org/x/tools/cmd/goimports@latest
     google.golang.org/protobuf/cmd/protoc-gen-go@latest
-    google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.4.0
+    google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
     gotest.tools/gotestsum@latest
     mvdan.cc/gofumpt@latest
     mvdan.cc/sh/v3/cmd/shfmt@latest
diff --git a/vault/activity/activity_log.pb.go b/vault/activity/activity_log.pb.go
index 0f12bf229f4a..7f8b501e8084 100644
--- a/vault/activity/activity_log.pb.go
+++ b/vault/activity/activity_log.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: vault/activity/activity_log.proto
 
@@ -49,11 +49,9 @@ type EntityRecord struct {
 
 func (x *EntityRecord) Reset() {
 	*x = EntityRecord{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_activity_activity_log_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_activity_activity_log_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EntityRecord) String() string {
@@ -64,7 +62,7 @@ func (*EntityRecord) ProtoMessage() {}
 
 func (x *EntityRecord) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_activity_activity_log_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -138,11 +136,9 @@ type LogFragment struct {
 
 func (x *LogFragment) Reset() {
 	*x = LogFragment{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_activity_activity_log_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_activity_activity_log_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *LogFragment) String() string {
@@ -153,7 +149,7 @@ func (*LogFragment) ProtoMessage() {}
 
 func (x *LogFragment) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_activity_activity_log_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -201,11 +197,9 @@ type EntityActivityLog struct {
 
 func (x *EntityActivityLog) Reset() {
 	*x = EntityActivityLog{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_activity_activity_log_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_activity_activity_log_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EntityActivityLog) String() string {
@@ -216,7 +210,7 @@ func (*EntityActivityLog) ProtoMessage() {}
 
 func (x *EntityActivityLog) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_activity_activity_log_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -248,11 +242,9 @@ type TokenCount struct {
 
 func (x *TokenCount) Reset() {
 	*x = TokenCount{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_activity_activity_log_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_activity_activity_log_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *TokenCount) String() string {
@@ -263,7 +255,7 @@ func (*TokenCount) ProtoMessage() {}
 
 func (x *TokenCount) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_activity_activity_log_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -293,11 +285,9 @@ type LogFragmentResponse struct {
 
 func (x *LogFragmentResponse) Reset() {
 	*x = LogFragmentResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_activity_activity_log_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_activity_activity_log_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *LogFragmentResponse) String() string {
@@ -308,7 +298,7 @@ func (*LogFragmentResponse) ProtoMessage() {}
 
 func (x *LogFragmentResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_activity_activity_log_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -421,68 +411,6 @@ func file_vault_activity_activity_log_proto_init() {
 	if File_vault_activity_activity_log_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_vault_activity_activity_log_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*EntityRecord); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_activity_activity_log_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*LogFragment); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_activity_activity_log_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*EntityActivityLog); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_activity_activity_log_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*TokenCount); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_activity_activity_log_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*LogFragmentResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/vault/hcp_link/proto/link_control/link_control.pb.go b/vault/hcp_link/proto/link_control/link_control.pb.go
index fccbb9c0bb60..2c6cd60d38a9 100644
--- a/vault/hcp_link/proto/link_control/link_control.pb.go
+++ b/vault/hcp_link/proto/link_control/link_control.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: vault/hcp_link/proto/link_control/link_control.proto
 
@@ -31,11 +31,9 @@ type PurgePolicyRequest struct {
 
 func (x *PurgePolicyRequest) Reset() {
 	*x = PurgePolicyRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_link_control_link_control_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_link_control_link_control_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PurgePolicyRequest) String() string {
@@ -46,7 +44,7 @@ func (*PurgePolicyRequest) ProtoMessage() {}
 
 func (x *PurgePolicyRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_link_control_link_control_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -69,11 +67,9 @@ type PurgePolicyResponse struct {
 
 func (x *PurgePolicyResponse) Reset() {
 	*x = PurgePolicyResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_link_control_link_control_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_link_control_link_control_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PurgePolicyResponse) String() string {
@@ -84,7 +80,7 @@ func (*PurgePolicyResponse) ProtoMessage() {}
 
 func (x *PurgePolicyResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_link_control_link_control_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -154,32 +150,6 @@ func file_vault_hcp_link_proto_link_control_link_control_proto_init() {
 	if File_vault_hcp_link_proto_link_control_link_control_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_vault_hcp_link_proto_link_control_link_control_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*PurgePolicyRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_link_control_link_control_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*PurgePolicyResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/vault/hcp_link/proto/link_control/link_control_grpc.pb.go b/vault/hcp_link/proto/link_control/link_control_grpc.pb.go
index 2cf5dc7758d6..39fdf39c18e9 100644
--- a/vault/hcp_link/proto/link_control/link_control_grpc.pb.go
+++ b/vault/hcp_link/proto/link_control/link_control_grpc.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.4.0
+// - protoc-gen-go-grpc v1.5.1
 // - protoc             (unknown)
 // source: vault/hcp_link/proto/link_control/link_control.proto
 
@@ -18,8 +18,8 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.62.0 or later.
-const _ = grpc.SupportPackageIsVersion8
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
 
 const (
 	HCPLinkControl_PurgePolicy_FullMethodName = "/link_control.HCPLinkControl/PurgePolicy"
@@ -54,7 +54,7 @@ func (c *hCPLinkControlClient) PurgePolicy(ctx context.Context, in *PurgePolicyR
 
 // HCPLinkControlServer is the server API for HCPLinkControl service.
 // All implementations must embed UnimplementedHCPLinkControlServer
-// for forward compatibility
+// for forward compatibility.
 type HCPLinkControlServer interface {
 	// PurgePolicy Forgets the current Batch token, and its associated policy,
 	// such that the policy is forced to be refreshed.
@@ -62,14 +62,18 @@ type HCPLinkControlServer interface {
 	mustEmbedUnimplementedHCPLinkControlServer()
 }
 
-// UnimplementedHCPLinkControlServer must be embedded to have forward compatible implementations.
-type UnimplementedHCPLinkControlServer struct {
-}
+// UnimplementedHCPLinkControlServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedHCPLinkControlServer struct{}
 
 func (UnimplementedHCPLinkControlServer) PurgePolicy(context.Context, *PurgePolicyRequest) (*PurgePolicyResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method PurgePolicy not implemented")
 }
 func (UnimplementedHCPLinkControlServer) mustEmbedUnimplementedHCPLinkControlServer() {}
+func (UnimplementedHCPLinkControlServer) testEmbeddedByValue()                        {}
 
 // UnsafeHCPLinkControlServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to HCPLinkControlServer will
@@ -79,6 +83,13 @@ type UnsafeHCPLinkControlServer interface {
 }
 
 func RegisterHCPLinkControlServer(s grpc.ServiceRegistrar, srv HCPLinkControlServer) {
+	// If the following call pancis, it indicates UnimplementedHCPLinkControlServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&HCPLinkControl_ServiceDesc, srv)
 }
 
diff --git a/vault/hcp_link/proto/meta/meta.pb.go b/vault/hcp_link/proto/meta/meta.pb.go
index fa69987fab08..41a19ec01252 100644
--- a/vault/hcp_link/proto/meta/meta.pb.go
+++ b/vault/hcp_link/proto/meta/meta.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: vault/hcp_link/proto/meta/meta.proto
 
@@ -31,11 +31,9 @@ type ListNamespacesRequest struct {
 
 func (x *ListNamespacesRequest) Reset() {
 	*x = ListNamespacesRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ListNamespacesRequest) String() string {
@@ -46,7 +44,7 @@ func (*ListNamespacesRequest) ProtoMessage() {}
 
 func (x *ListNamespacesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -71,11 +69,9 @@ type ListNamespacesResponse struct {
 
 func (x *ListNamespacesResponse) Reset() {
 	*x = ListNamespacesResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ListNamespacesResponse) String() string {
@@ -86,7 +82,7 @@ func (*ListNamespacesResponse) ProtoMessage() {}
 
 func (x *ListNamespacesResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -116,11 +112,9 @@ type ListMountsRequest struct {
 
 func (x *ListMountsRequest) Reset() {
 	*x = ListMountsRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ListMountsRequest) String() string {
@@ -131,7 +125,7 @@ func (*ListMountsRequest) ProtoMessage() {}
 
 func (x *ListMountsRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -158,11 +152,9 @@ type Mount struct {
 
 func (x *Mount) Reset() {
 	*x = Mount{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Mount) String() string {
@@ -173,7 +165,7 @@ func (*Mount) ProtoMessage() {}
 
 func (x *Mount) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -219,11 +211,9 @@ type ListMountsResponse struct {
 
 func (x *ListMountsResponse) Reset() {
 	*x = ListMountsResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ListMountsResponse) String() string {
@@ -234,7 +224,7 @@ func (*ListMountsResponse) ProtoMessage() {}
 
 func (x *ListMountsResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -264,11 +254,9 @@ type ListAuthsRequest struct {
 
 func (x *ListAuthsRequest) Reset() {
 	*x = ListAuthsRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ListAuthsRequest) String() string {
@@ -279,7 +267,7 @@ func (*ListAuthsRequest) ProtoMessage() {}
 
 func (x *ListAuthsRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -306,11 +294,9 @@ type Auth struct {
 
 func (x *Auth) Reset() {
 	*x = Auth{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[6]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Auth) String() string {
@@ -321,7 +307,7 @@ func (*Auth) ProtoMessage() {}
 
 func (x *Auth) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[6]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -367,11 +353,9 @@ type ListAuthResponse struct {
 
 func (x *ListAuthResponse) Reset() {
 	*x = ListAuthResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[7]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ListAuthResponse) String() string {
@@ -382,7 +366,7 @@ func (*ListAuthResponse) ProtoMessage() {}
 
 func (x *ListAuthResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[7]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -412,11 +396,9 @@ type GetClusterStatusRequest struct {
 
 func (x *GetClusterStatusRequest) Reset() {
 	*x = GetClusterStatusRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[8]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *GetClusterStatusRequest) String() string {
@@ -427,7 +409,7 @@ func (*GetClusterStatusRequest) ProtoMessage() {}
 
 func (x *GetClusterStatusRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[8]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -452,11 +434,9 @@ type HANode struct {
 
 func (x *HANode) Reset() {
 	*x = HANode{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[9]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *HANode) String() string {
@@ -467,7 +447,7 @@ func (*HANode) ProtoMessage() {}
 
 func (x *HANode) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[9]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -500,11 +480,9 @@ type HAStatus struct {
 
 func (x *HAStatus) Reset() {
 	*x = HAStatus{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[10]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *HAStatus) String() string {
@@ -515,7 +493,7 @@ func (*HAStatus) ProtoMessage() {}
 
 func (x *HAStatus) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[10]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -564,11 +542,9 @@ type RaftServer struct {
 
 func (x *RaftServer) Reset() {
 	*x = RaftServer{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[11]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *RaftServer) String() string {
@@ -579,7 +555,7 @@ func (*RaftServer) ProtoMessage() {}
 
 func (x *RaftServer) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[11]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -639,11 +615,9 @@ type RaftConfiguration struct {
 
 func (x *RaftConfiguration) Reset() {
 	*x = RaftConfiguration{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[12]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *RaftConfiguration) String() string {
@@ -654,7 +628,7 @@ func (*RaftConfiguration) ProtoMessage() {}
 
 func (x *RaftConfiguration) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[12]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -687,11 +661,9 @@ type AutopilotServer struct {
 
 func (x *AutopilotServer) Reset() {
 	*x = AutopilotServer{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[13]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[13]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *AutopilotServer) String() string {
@@ -702,7 +674,7 @@ func (*AutopilotServer) ProtoMessage() {}
 
 func (x *AutopilotServer) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[13]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -742,11 +714,9 @@ type AutopilotStatus struct {
 
 func (x *AutopilotStatus) Reset() {
 	*x = AutopilotStatus{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[14]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[14]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *AutopilotStatus) String() string {
@@ -757,7 +727,7 @@ func (*AutopilotStatus) ProtoMessage() {}
 
 func (x *AutopilotStatus) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[14]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -798,11 +768,9 @@ type RaftStatus struct {
 
 func (x *RaftStatus) Reset() {
 	*x = RaftStatus{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[15]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[15]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *RaftStatus) String() string {
@@ -813,7 +781,7 @@ func (*RaftStatus) ProtoMessage() {}
 
 func (x *RaftStatus) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[15]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -863,11 +831,9 @@ type GetClusterStatusResponse struct {
 
 func (x *GetClusterStatusResponse) Reset() {
 	*x = GetClusterStatusResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[16]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[16]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *GetClusterStatusResponse) String() string {
@@ -878,7 +844,7 @@ func (*GetClusterStatusResponse) ProtoMessage() {}
 
 func (x *GetClusterStatusResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_meta_meta_proto_msgTypes[16]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -1103,212 +1069,6 @@ func file_vault_hcp_link_proto_meta_meta_proto_init() {
 	if File_vault_hcp_link_proto_meta_meta_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*ListNamespacesRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*ListNamespacesResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*ListMountsRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*Mount); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*ListMountsResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*ListAuthsRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*Auth); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[7].Exporter = func(v any, i int) any {
-			switch v := v.(*ListAuthResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[8].Exporter = func(v any, i int) any {
-			switch v := v.(*GetClusterStatusRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[9].Exporter = func(v any, i int) any {
-			switch v := v.(*HANode); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[10].Exporter = func(v any, i int) any {
-			switch v := v.(*HAStatus); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[11].Exporter = func(v any, i int) any {
-			switch v := v.(*RaftServer); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[12].Exporter = func(v any, i int) any {
-			switch v := v.(*RaftConfiguration); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[13].Exporter = func(v any, i int) any {
-			switch v := v.(*AutopilotServer); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[14].Exporter = func(v any, i int) any {
-			switch v := v.(*AutopilotStatus); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[15].Exporter = func(v any, i int) any {
-			switch v := v.(*RaftStatus); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_meta_meta_proto_msgTypes[16].Exporter = func(v any, i int) any {
-			switch v := v.(*GetClusterStatusResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/vault/hcp_link/proto/meta/meta_grpc.pb.go b/vault/hcp_link/proto/meta/meta_grpc.pb.go
index be1186698589..9768a06d59a0 100644
--- a/vault/hcp_link/proto/meta/meta_grpc.pb.go
+++ b/vault/hcp_link/proto/meta/meta_grpc.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.4.0
+// - protoc-gen-go-grpc v1.5.1
 // - protoc             (unknown)
 // source: vault/hcp_link/proto/meta/meta.proto
 
@@ -18,8 +18,8 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.62.0 or later.
-const _ = grpc.SupportPackageIsVersion8
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
 
 const (
 	HCPLinkMeta_ListNamespaces_FullMethodName   = "/meta.HCPLinkMeta/ListNamespaces"
@@ -92,7 +92,7 @@ func (c *hCPLinkMetaClient) GetClusterStatus(ctx context.Context, in *GetCluster
 
 // HCPLinkMetaServer is the server API for HCPLinkMeta service.
 // All implementations must embed UnimplementedHCPLinkMetaServer
-// for forward compatibility
+// for forward compatibility.
 type HCPLinkMetaServer interface {
 	// ListNamespaces will be used to recursively list all namespaces
 	ListNamespaces(context.Context, *ListNamespacesRequest) (*ListNamespacesResponse, error)
@@ -105,9 +105,12 @@ type HCPLinkMetaServer interface {
 	mustEmbedUnimplementedHCPLinkMetaServer()
 }
 
-// UnimplementedHCPLinkMetaServer must be embedded to have forward compatible implementations.
-type UnimplementedHCPLinkMetaServer struct {
-}
+// UnimplementedHCPLinkMetaServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedHCPLinkMetaServer struct{}
 
 func (UnimplementedHCPLinkMetaServer) ListNamespaces(context.Context, *ListNamespacesRequest) (*ListNamespacesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListNamespaces not implemented")
@@ -122,6 +125,7 @@ func (UnimplementedHCPLinkMetaServer) GetClusterStatus(context.Context, *GetClus
 	return nil, status.Errorf(codes.Unimplemented, "method GetClusterStatus not implemented")
 }
 func (UnimplementedHCPLinkMetaServer) mustEmbedUnimplementedHCPLinkMetaServer() {}
+func (UnimplementedHCPLinkMetaServer) testEmbeddedByValue()                     {}
 
 // UnsafeHCPLinkMetaServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to HCPLinkMetaServer will
@@ -131,6 +135,13 @@ type UnsafeHCPLinkMetaServer interface {
 }
 
 func RegisterHCPLinkMetaServer(s grpc.ServiceRegistrar, srv HCPLinkMetaServer) {
+	// If the following call pancis, it indicates UnimplementedHCPLinkMetaServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&HCPLinkMeta_ServiceDesc, srv)
 }
 
diff --git a/vault/hcp_link/proto/node_status/status.pb.go b/vault/hcp_link/proto/node_status/status.pb.go
index d23045303f63..b9af0bab0b7e 100644
--- a/vault/hcp_link/proto/node_status/status.pb.go
+++ b/vault/hcp_link/proto/node_status/status.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: vault/hcp_link/proto/node_status/status.proto
 
@@ -93,11 +93,9 @@ type RaftStatus struct {
 
 func (x *RaftStatus) Reset() {
 	*x = RaftStatus{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_node_status_status_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_node_status_status_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *RaftStatus) String() string {
@@ -108,7 +106,7 @@ func (*RaftStatus) ProtoMessage() {}
 
 func (x *RaftStatus) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_node_status_status_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -161,11 +159,9 @@ type LinkedClusterNodeStatusResponse struct {
 
 func (x *LinkedClusterNodeStatusResponse) Reset() {
 	*x = LinkedClusterNodeStatusResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_hcp_link_proto_node_status_status_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_hcp_link_proto_node_status_status_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *LinkedClusterNodeStatusResponse) String() string {
@@ -176,7 +172,7 @@ func (*LinkedClusterNodeStatusResponse) ProtoMessage() {}
 
 func (x *LinkedClusterNodeStatusResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_hcp_link_proto_node_status_status_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -460,32 +456,6 @@ func file_vault_hcp_link_proto_node_status_status_proto_init() {
 	if File_vault_hcp_link_proto_node_status_status_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_vault_hcp_link_proto_node_status_status_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*RaftStatus); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_hcp_link_proto_node_status_status_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*LinkedClusterNodeStatusResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/vault/request_forwarding_service.pb.go b/vault/request_forwarding_service.pb.go
index d787d831b1db..b00fbc5e961c 100644
--- a/vault/request_forwarding_service.pb.go
+++ b/vault/request_forwarding_service.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: vault/request_forwarding_service.proto
 
@@ -56,11 +56,9 @@ type EchoRequest struct {
 
 func (x *EchoRequest) Reset() {
 	*x = EchoRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_request_forwarding_service_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EchoRequest) String() string {
@@ -71,7 +69,7 @@ func (*EchoRequest) ProtoMessage() {}
 
 func (x *EchoRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_request_forwarding_service_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -208,11 +206,9 @@ type EchoReply struct {
 
 func (x *EchoReply) Reset() {
 	*x = EchoReply{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_request_forwarding_service_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *EchoReply) String() string {
@@ -223,7 +219,7 @@ func (*EchoReply) ProtoMessage() {}
 
 func (x *EchoReply) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_request_forwarding_service_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -302,11 +298,9 @@ type NodeInformation struct {
 
 func (x *NodeInformation) Reset() {
 	*x = NodeInformation{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_request_forwarding_service_proto_msgTypes[2]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *NodeInformation) String() string {
@@ -317,7 +311,7 @@ func (*NodeInformation) ProtoMessage() {}
 
 func (x *NodeInformation) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_request_forwarding_service_proto_msgTypes[2]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -387,11 +381,9 @@ type ClientKey struct {
 
 func (x *ClientKey) Reset() {
 	*x = ClientKey{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_request_forwarding_service_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *ClientKey) String() string {
@@ -402,7 +394,7 @@ func (*ClientKey) ProtoMessage() {}
 
 func (x *ClientKey) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_request_forwarding_service_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -453,11 +445,9 @@ type PerfStandbyElectionInput struct {
 
 func (x *PerfStandbyElectionInput) Reset() {
 	*x = PerfStandbyElectionInput{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_request_forwarding_service_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PerfStandbyElectionInput) String() string {
@@ -468,7 +458,7 @@ func (*PerfStandbyElectionInput) ProtoMessage() {}
 
 func (x *PerfStandbyElectionInput) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_request_forwarding_service_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -498,11 +488,9 @@ type PerfStandbyElectionResponse struct {
 
 func (x *PerfStandbyElectionResponse) Reset() {
 	*x = PerfStandbyElectionResponse{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_request_forwarding_service_proto_msgTypes[5]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_request_forwarding_service_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *PerfStandbyElectionResponse) String() string {
@@ -513,7 +501,7 @@ func (*PerfStandbyElectionResponse) ProtoMessage() {}
 
 func (x *PerfStandbyElectionResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_request_forwarding_service_proto_msgTypes[5]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -749,80 +737,6 @@ func file_vault_request_forwarding_service_proto_init() {
 	if File_vault_request_forwarding_service_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_vault_request_forwarding_service_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*EchoRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_request_forwarding_service_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*EchoReply); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_request_forwarding_service_proto_msgTypes[2].Exporter = func(v any, i int) any {
-			switch v := v.(*NodeInformation); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_request_forwarding_service_proto_msgTypes[3].Exporter = func(v any, i int) any {
-			switch v := v.(*ClientKey); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_request_forwarding_service_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*PerfStandbyElectionInput); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_request_forwarding_service_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*PerfStandbyElectionResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/vault/request_forwarding_service_grpc.pb.go b/vault/request_forwarding_service_grpc.pb.go
index ff082568ea14..38b053b2b7b4 100644
--- a/vault/request_forwarding_service_grpc.pb.go
+++ b/vault/request_forwarding_service_grpc.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.4.0
+// - protoc-gen-go-grpc v1.5.1
 // - protoc             (unknown)
 // source: vault/request_forwarding_service.proto
 
@@ -19,8 +19,8 @@ import (
 
 // This is a compile-time assertion to ensure that this generated file
 // is compatible with the grpc package it is being compiled against.
-// Requires gRPC-Go v1.62.0 or later.
-const _ = grpc.SupportPackageIsVersion8
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
 
 const (
 	RequestForwarding_ForwardRequest_FullMethodName                    = "/vault.RequestForwarding/ForwardRequest"
@@ -34,7 +34,7 @@ const (
 type RequestForwardingClient interface {
 	ForwardRequest(ctx context.Context, in *forwarding.Request, opts ...grpc.CallOption) (*forwarding.Response, error)
 	Echo(ctx context.Context, in *EchoRequest, opts ...grpc.CallOption) (*EchoReply, error)
-	PerformanceStandbyElectionRequest(ctx context.Context, in *PerfStandbyElectionInput, opts ...grpc.CallOption) (RequestForwarding_PerformanceStandbyElectionRequestClient, error)
+	PerformanceStandbyElectionRequest(ctx context.Context, in *PerfStandbyElectionInput, opts ...grpc.CallOption) (grpc.ServerStreamingClient[PerfStandbyElectionResponse], error)
 }
 
 type requestForwardingClient struct {
@@ -65,13 +65,13 @@ func (c *requestForwardingClient) Echo(ctx context.Context, in *EchoRequest, opt
 	return out, nil
 }
 
-func (c *requestForwardingClient) PerformanceStandbyElectionRequest(ctx context.Context, in *PerfStandbyElectionInput, opts ...grpc.CallOption) (RequestForwarding_PerformanceStandbyElectionRequestClient, error) {
+func (c *requestForwardingClient) PerformanceStandbyElectionRequest(ctx context.Context, in *PerfStandbyElectionInput, opts ...grpc.CallOption) (grpc.ServerStreamingClient[PerfStandbyElectionResponse], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &RequestForwarding_ServiceDesc.Streams[0], RequestForwarding_PerformanceStandbyElectionRequest_FullMethodName, cOpts...)
 	if err != nil {
 		return nil, err
 	}
-	x := &requestForwardingPerformanceStandbyElectionRequestClient{ClientStream: stream}
+	x := &grpc.GenericClientStream[PerfStandbyElectionInput, PerfStandbyElectionResponse]{ClientStream: stream}
 	if err := x.ClientStream.SendMsg(in); err != nil {
 		return nil, err
 	}
@@ -81,36 +81,25 @@ func (c *requestForwardingClient) PerformanceStandbyElectionRequest(ctx context.
 	return x, nil
 }
 
-type RequestForwarding_PerformanceStandbyElectionRequestClient interface {
-	Recv() (*PerfStandbyElectionResponse, error)
-	grpc.ClientStream
-}
-
-type requestForwardingPerformanceStandbyElectionRequestClient struct {
-	grpc.ClientStream
-}
-
-func (x *requestForwardingPerformanceStandbyElectionRequestClient) Recv() (*PerfStandbyElectionResponse, error) {
-	m := new(PerfStandbyElectionResponse)
-	if err := x.ClientStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type RequestForwarding_PerformanceStandbyElectionRequestClient = grpc.ServerStreamingClient[PerfStandbyElectionResponse]
 
 // RequestForwardingServer is the server API for RequestForwarding service.
 // All implementations must embed UnimplementedRequestForwardingServer
-// for forward compatibility
+// for forward compatibility.
 type RequestForwardingServer interface {
 	ForwardRequest(context.Context, *forwarding.Request) (*forwarding.Response, error)
 	Echo(context.Context, *EchoRequest) (*EchoReply, error)
-	PerformanceStandbyElectionRequest(*PerfStandbyElectionInput, RequestForwarding_PerformanceStandbyElectionRequestServer) error
+	PerformanceStandbyElectionRequest(*PerfStandbyElectionInput, grpc.ServerStreamingServer[PerfStandbyElectionResponse]) error
 	mustEmbedUnimplementedRequestForwardingServer()
 }
 
-// UnimplementedRequestForwardingServer must be embedded to have forward compatible implementations.
-type UnimplementedRequestForwardingServer struct {
-}
+// UnimplementedRequestForwardingServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedRequestForwardingServer struct{}
 
 func (UnimplementedRequestForwardingServer) ForwardRequest(context.Context, *forwarding.Request) (*forwarding.Response, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ForwardRequest not implemented")
@@ -118,10 +107,11 @@ func (UnimplementedRequestForwardingServer) ForwardRequest(context.Context, *for
 func (UnimplementedRequestForwardingServer) Echo(context.Context, *EchoRequest) (*EchoReply, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Echo not implemented")
 }
-func (UnimplementedRequestForwardingServer) PerformanceStandbyElectionRequest(*PerfStandbyElectionInput, RequestForwarding_PerformanceStandbyElectionRequestServer) error {
+func (UnimplementedRequestForwardingServer) PerformanceStandbyElectionRequest(*PerfStandbyElectionInput, grpc.ServerStreamingServer[PerfStandbyElectionResponse]) error {
 	return status.Errorf(codes.Unimplemented, "method PerformanceStandbyElectionRequest not implemented")
 }
 func (UnimplementedRequestForwardingServer) mustEmbedUnimplementedRequestForwardingServer() {}
+func (UnimplementedRequestForwardingServer) testEmbeddedByValue()                           {}
 
 // UnsafeRequestForwardingServer may be embedded to opt out of forward compatibility for this service.
 // Use of this interface is not recommended, as added methods to RequestForwardingServer will
@@ -131,6 +121,13 @@ type UnsafeRequestForwardingServer interface {
 }
 
 func RegisterRequestForwardingServer(s grpc.ServiceRegistrar, srv RequestForwardingServer) {
+	// If the following call pancis, it indicates UnimplementedRequestForwardingServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
 	s.RegisterService(&RequestForwarding_ServiceDesc, srv)
 }
 
@@ -175,21 +172,11 @@ func _RequestForwarding_PerformanceStandbyElectionRequest_Handler(srv interface{
 	if err := stream.RecvMsg(m); err != nil {
 		return err
 	}
-	return srv.(RequestForwardingServer).PerformanceStandbyElectionRequest(m, &requestForwardingPerformanceStandbyElectionRequestServer{ServerStream: stream})
-}
-
-type RequestForwarding_PerformanceStandbyElectionRequestServer interface {
-	Send(*PerfStandbyElectionResponse) error
-	grpc.ServerStream
+	return srv.(RequestForwardingServer).PerformanceStandbyElectionRequest(m, &grpc.GenericServerStream[PerfStandbyElectionInput, PerfStandbyElectionResponse]{ServerStream: stream})
 }
 
-type requestForwardingPerformanceStandbyElectionRequestServer struct {
-	grpc.ServerStream
-}
-
-func (x *requestForwardingPerformanceStandbyElectionRequestServer) Send(m *PerfStandbyElectionResponse) error {
-	return x.ServerStream.SendMsg(m)
-}
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type RequestForwarding_PerformanceStandbyElectionRequestServer = grpc.ServerStreamingServer[PerfStandbyElectionResponse]
 
 // RequestForwarding_ServiceDesc is the grpc.ServiceDesc for RequestForwarding service.
 // It's only intended for direct use with grpc.RegisterService,
diff --git a/vault/seal/multi_wrap_value.pb.go b/vault/seal/multi_wrap_value.pb.go
index d831f4f5ebde..ba81e948278d 100644
--- a/vault/seal/multi_wrap_value.pb.go
+++ b/vault/seal/multi_wrap_value.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: vault/seal/multi_wrap_value.proto
 
@@ -38,11 +38,9 @@ type MultiWrapValue struct {
 
 func (x *MultiWrapValue) Reset() {
 	*x = MultiWrapValue{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_seal_multi_wrap_value_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_seal_multi_wrap_value_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *MultiWrapValue) String() string {
@@ -53,7 +51,7 @@ func (*MultiWrapValue) ProtoMessage() {}
 
 func (x *MultiWrapValue) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_seal_multi_wrap_value_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -135,20 +133,6 @@ func file_vault_seal_multi_wrap_value_proto_init() {
 	if File_vault_seal_multi_wrap_value_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_vault_seal_multi_wrap_value_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*MultiWrapValue); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
diff --git a/vault/tokens/token.pb.go b/vault/tokens/token.pb.go
index 30308caf4c90..061bdb93bee5 100644
--- a/vault/tokens/token.pb.go
+++ b/vault/tokens/token.pb.go
@@ -3,7 +3,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.34.2
+// 	protoc-gen-go v1.35.1
 // 	protoc        (unknown)
 // source: vault/tokens/token.proto
 
@@ -36,11 +36,9 @@ type SignedToken struct {
 
 func (x *SignedToken) Reset() {
 	*x = SignedToken{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_tokens_token_proto_msgTypes[0]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_tokens_token_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *SignedToken) String() string {
@@ -51,7 +49,7 @@ func (*SignedToken) ProtoMessage() {}
 
 func (x *SignedToken) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_tokens_token_proto_msgTypes[0]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -99,11 +97,9 @@ type Token struct {
 
 func (x *Token) Reset() {
 	*x = Token{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_vault_tokens_token_proto_msgTypes[1]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
+	mi := &file_vault_tokens_token_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
 }
 
 func (x *Token) String() string {
@@ -114,7 +110,7 @@ func (*Token) ProtoMessage() {}
 
 func (x *Token) ProtoReflect() protoreflect.Message {
 	mi := &file_vault_tokens_token_proto_msgTypes[1]
-	if protoimpl.UnsafeEnabled && x != nil {
+	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
 			ms.StoreMessageInfo(mi)
@@ -203,32 +199,6 @@ func file_vault_tokens_token_proto_init() {
 	if File_vault_tokens_token_proto != nil {
 		return
 	}
-	if !protoimpl.UnsafeEnabled {
-		file_vault_tokens_token_proto_msgTypes[0].Exporter = func(v any, i int) any {
-			switch v := v.(*SignedToken); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_vault_tokens_token_proto_msgTypes[1].Exporter = func(v any, i int) any {
-			switch v := v.(*Token); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{

From 7774261c15836350fe53045eaf5bd60d1a6ec29c Mon Sep 17 00:00:00 2001
From: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Date: Tue, 8 Oct 2024 09:01:46 -0700
Subject: [PATCH 12/13] UI: Ember upgrade: Handle deprecation router service
 from host (#28603)

* use alias for router injection

* update @router declarations in engine files

* fix remaining pki router imports

* dynamically set router based on owner

* address replication routers

* update markdown docs

* use non-deprecated import for getOwner

* revert out of scope changes

* add transition-to test
---
 ui/app/app.js                                 | 27 ++++---
 ui/docs/ember-engines.md                      |  6 +-
 .../messages/page/create-and-edit.js          |  2 +-
 .../addon/components/messages/page/details.js |  2 +-
 .../addon/components/messages/page/list.js    |  2 +-
 ui/lib/config-ui/addon/engine.js              |  2 +-
 ui/lib/core/addon/components/linked-block.js  | 11 ++-
 .../core/addon/components/replication-page.js |  8 +-
 ui/lib/core/addon/helpers/transition-to.js    | 31 ++++++++
 .../core/addon/mixins/replication-actions.js  |  1 -
 ui/lib/core/app/helpers/transition-to.js      |  6 ++
 .../addon/controllers/credentials/show.js     |  2 +-
 ui/lib/kmip/addon/controllers/role.js         |  2 +-
 ui/lib/kmip/addon/engine.js                   |  2 +-
 .../addon/components/page/configure.js        |  2 +-
 .../addon/components/page/credentials.js      |  2 +-
 .../addon/components/page/overview.js         |  2 +-
 .../components/page/role/create-and-edit.js   |  2 +-
 .../addon/components/page/role/details.js     |  2 +-
 .../kubernetes/addon/components/page/roles.js |  2 +-
 ui/lib/kubernetes/addon/engine.js             |  2 +-
 ui/lib/kubernetes/addon/routes/index.js       |  2 +-
 .../addon/routes/roles/role/index.js          |  2 +-
 ui/lib/kv/addon/components/kv-list-filter.js  |  2 +-
 ui/lib/kv/addon/components/page/list.js       |  2 +-
 .../addon/components/page/secret/details.js   |  2 +-
 .../kv/addon/components/page/secret/edit.js   |  2 +-
 .../page/secret/metadata/details.js           |  2 +-
 .../kv/addon/components/page/secret/patch.js  |  2 +-
 .../addon/components/page/secrets/create.js   |  2 +-
 ui/lib/kv/addon/engine.js                     |  2 +-
 ui/lib/kv/addon/routes/index.js               |  2 +-
 ui/lib/kv/addon/routes/list-directory.js      |  2 +-
 ui/lib/kv/addon/routes/secret/index.js        |  2 +-
 ui/lib/kv/addon/routes/secret/patch.js        |  2 +-
 .../ldap/addon/components/page/configure.ts   |  2 +-
 .../page/library/create-and-edit.ts           |  2 +-
 .../addon/components/page/library/details.ts  |  2 +-
 .../page/library/details/accounts.ts          |  2 +-
 ui/lib/ldap/addon/components/page/overview.ts |  2 +-
 .../components/page/role/create-and-edit.ts   |  2 +-
 .../addon/components/page/role/details.ts     |  2 +-
 ui/lib/ldap/addon/components/page/roles.ts    |  2 +-
 ui/lib/ldap/addon/engine.js                   |  2 +-
 .../routes/libraries/library/check-out.ts     |  2 +-
 .../routes/libraries/library/details/index.ts |  2 +-
 .../addon/routes/libraries/library/index.ts   |  2 +-
 ui/lib/ldap/addon/routes/roles/role/index.ts  |  2 +-
 ui/lib/open-api-explorer/addon/engine.js      |  2 +-
 .../page/pki-configuration-details.ts         |  2 +-
 .../components/page/pki-configuration-edit.ts |  2 +-
 .../components/page/pki-configure-create.ts   |  6 +-
 .../addon/components/page/pki-issuer-edit.ts  |  2 +-
 .../components/page/pki-issuer-rotate-root.ts |  6 +-
 .../addon/components/page/pki-key-details.ts  |  2 +-
 .../pki/addon/components/page/pki-overview.ts |  2 +-
 .../addon/components/page/pki-role-details.ts |  2 +-
 .../addon/components/page/pki-tidy-status.ts  |  2 +-
 .../pki/addon/components/pki-generate-root.ts |  2 +-
 .../pki/addon/components/pki-role-generate.ts |  8 +-
 ui/lib/pki/addon/components/pki-tidy-form.ts  |  2 +-
 ui/lib/pki/addon/engine.js                    |  2 +-
 ui/lib/pki/addon/routes/index.js              |  2 +-
 .../addon/controllers/application.js          |  2 +-
 .../mode/secondaries/config-edit.js           |  2 +-
 .../addon/controllers/replication-mode.js     |  2 +-
 ui/lib/replication/addon/engine.js            |  2 +-
 .../replication/addon/routes/application.js   |  2 +-
 ui/lib/replication/addon/routes/mode.js       |  2 +-
 ui/lib/replication/addon/routes/mode/index.js |  2 +-
 .../replication/addon/routes/mode/manage.js   |  2 +-
 .../addon/routes/mode/secondaries.js          |  2 +-
 .../routes/mode/secondaries/config-create.js  |  2 +-
 .../addon/routes/replication-base.js          |  2 +-
 .../components/secrets/destination-header.ts  |  2 +-
 .../components/secrets/page/destinations.ts   |  2 +-
 .../page/destinations/create-and-edit.ts      |  2 +-
 .../page/destinations/destination/secrets.ts  |  2 +-
 .../page/destinations/destination/sync.ts     |  2 +-
 .../secrets/sync-activation-modal.ts          |  2 +-
 ui/lib/sync/addon/engine.js                   |  2 +-
 ui/lib/sync/addon/routes/index.ts             |  2 +-
 ui/lib/sync/addon/routes/secrets.ts           |  2 +-
 .../secrets/destinations/destination.ts       |  2 +-
 .../secrets/destinations/destination/index.ts |  2 +-
 .../routes/secrets/destinations/index.ts      |  2 +-
 ui/lib/sync/addon/routes/secrets/overview.ts  |  2 +-
 ui/package.json                               |  1 -
 .../integration/helpers/transition-to-test.js | 77 +++++++++++++++++++
 ui/yarn.lock                                  | 12 +--
 90 files changed, 238 insertions(+), 116 deletions(-)
 create mode 100644 ui/lib/core/addon/helpers/transition-to.js
 create mode 100644 ui/lib/core/app/helpers/transition-to.js
 create mode 100644 ui/tests/integration/helpers/transition-to-test.js

diff --git a/ui/app/app.js b/ui/app/app.js
index 5de9c28a3a33..f603f64f2f31 100644
--- a/ui/app/app.js
+++ b/ui/app/app.js
@@ -8,7 +8,6 @@ import Resolver from 'ember-resolver';
 import loadInitializers from 'ember-load-initializers';
 import config from 'vault/config/environment';
 
-// TODO: DEPRECATION https://ember-engines.com/docs/deprecations#-use-alias-for-inject-router-service-from-host-application
 export default class App extends Application {
   modulePrefix = config.modulePrefix;
   podModulePrefix = config.podModulePrefix;
@@ -16,12 +15,20 @@ export default class App extends Application {
   engines = {
     'config-ui': {
       dependencies: {
-        services: ['auth', 'flash-messages', 'namespace', 'router', 'store', 'version', 'custom-messages'],
+        services: [
+          'auth',
+          'flash-messages',
+          'namespace',
+          { 'app-router': 'router' },
+          'store',
+          'version',
+          'custom-messages',
+        ],
       },
     },
     'open-api-explorer': {
       dependencies: {
-        services: ['auth', 'flash-messages', 'namespace', 'router', 'version'],
+        services: ['auth', 'flash-messages', 'namespace', { 'app-router': 'router' }, 'version'],
       },
     },
     replication: {
@@ -32,7 +39,7 @@ export default class App extends Application {
           'flash-messages',
           'namespace',
           'replication-mode',
-          'router',
+          { 'app-router': 'router' },
           'store',
           'version',
           '-portal',
@@ -51,7 +58,7 @@ export default class App extends Application {
           'flash-messages',
           'namespace',
           'path-help',
-          'router',
+          { 'app-router': 'router' },
           'store',
           'version',
           'secret-mount-path',
@@ -63,7 +70,7 @@ export default class App extends Application {
     },
     kubernetes: {
       dependencies: {
-        services: ['router', 'store', 'secret-mount-path', 'flash-messages'],
+        services: [{ 'app-router': 'router' }, 'store', 'secret-mount-path', 'flash-messages'],
         externalRoutes: {
           secrets: 'vault.cluster.secrets.backends',
         },
@@ -71,7 +78,7 @@ export default class App extends Application {
     },
     ldap: {
       dependencies: {
-        services: ['router', 'store', 'secret-mount-path', 'flash-messages', 'auth'],
+        services: [{ 'app-router': 'router' }, 'store', 'secret-mount-path', 'flash-messages', 'auth'],
         externalRoutes: {
           secrets: 'vault.cluster.secrets.backends',
         },
@@ -85,7 +92,7 @@ export default class App extends Application {
           'download',
           'flash-messages',
           'namespace',
-          'router',
+          { 'app-router': 'router' },
           'secret-mount-path',
           'store',
           'version',
@@ -104,7 +111,7 @@ export default class App extends Application {
           'flash-messages',
           'namespace',
           'path-help',
-          'router',
+          { 'app-router': 'router' },
           'secret-mount-path',
           'store',
           'version',
@@ -118,7 +125,7 @@ export default class App extends Application {
     },
     sync: {
       dependencies: {
-        services: ['flash-messages', 'flags', 'router', 'store', 'version'],
+        services: ['flash-messages', 'flags', { 'app-router': 'router' }, 'store', 'version'],
         externalRoutes: {
           kvSecretOverview: 'vault.cluster.secrets.backend.kv.secret.index',
           clientCountOverview: 'vault.cluster.clients',
diff --git a/ui/docs/ember-engines.md b/ui/docs/ember-engines.md
index 56cd5841e394..471e9f0d3f6b 100644
--- a/ui/docs/ember-engines.md
+++ b/ui/docs/ember-engines.md
@@ -96,7 +96,7 @@ export default class <EngineName>Engine extends Engine {
   modulePrefix = modulePrefix;
   Resolver = Resolver;
   dependencies = {
-    services: ['router', 'store', 'secret-mount-path', 'flash-messages'],
+    services: ['app-router', 'store', 'secret-mount-path', 'flash-messages'],
     externalRoutes: ['secrets'],
   };
 }
@@ -128,7 +128,7 @@ The external route dependencies allow you to link to a route outside of your eng
 
 ## Register your engine with our main application:
 
-In our `app/app.js` file in the engines object, add your engine’s name and dependencies.
+In our `app/app.js` file in the engines object, add your engine’s name and dependencies. The `router` service must be referenced via an alias within engines. The pattern is to use `app-router` as the alias, see example below.
 
 ```js
 /**
@@ -146,7 +146,7 @@ export default class App extends Application {
   engines = {
     <engine-name>: {
       dependencies: {
-        services: ['router', 'store', 'secret-mount-path', 'flash-messages', <any-other-dependencies-you-have>],
+        services: [{ 'app-router': 'router' }, 'store', 'secret-mount-path', 'flash-messages', <any-other-dependencies-you-have>],
         externalRoutes: {
           secrets: 'vault.cluster.secrets.backends',
         },
diff --git a/ui/lib/config-ui/addon/components/messages/page/create-and-edit.js b/ui/lib/config-ui/addon/components/messages/page/create-and-edit.js
index b71ce31ba180..17a476ad604c 100644
--- a/ui/lib/config-ui/addon/components/messages/page/create-and-edit.js
+++ b/ui/lib/config-ui/addon/components/messages/page/create-and-edit.js
@@ -23,7 +23,7 @@ import { isAfter } from 'date-fns';
  */
 
 export default class MessagesList extends Component {
-  @service router;
+  @service('app-router') router;
   @service store;
   @service flashMessages;
   @service customMessages;
diff --git a/ui/lib/config-ui/addon/components/messages/page/details.js b/ui/lib/config-ui/addon/components/messages/page/details.js
index 60d71ca78f7f..83e4a53f6483 100644
--- a/ui/lib/config-ui/addon/components/messages/page/details.js
+++ b/ui/lib/config-ui/addon/components/messages/page/details.js
@@ -20,7 +20,7 @@ import errorMessage from 'vault/utils/error-message';
 
 export default class MessageDetails extends Component {
   @service store;
-  @service router;
+  @service('app-router') router;
   @service flashMessages;
   @service customMessages;
   @service namespace;
diff --git a/ui/lib/config-ui/addon/components/messages/page/list.js b/ui/lib/config-ui/addon/components/messages/page/list.js
index 5b476d6afbf1..a8a7a99181ad 100644
--- a/ui/lib/config-ui/addon/components/messages/page/list.js
+++ b/ui/lib/config-ui/addon/components/messages/page/list.js
@@ -24,7 +24,7 @@ import errorMessage from 'vault/utils/error-message';
 
 export default class MessagesList extends Component {
   @service store;
-  @service router;
+  @service('app-router') router;
   @service flashMessages;
   @service namespace;
   @service customMessages;
diff --git a/ui/lib/config-ui/addon/engine.js b/ui/lib/config-ui/addon/engine.js
index cd9cfb604c66..32fc297b051f 100644
--- a/ui/lib/config-ui/addon/engine.js
+++ b/ui/lib/config-ui/addon/engine.js
@@ -16,7 +16,7 @@ export default class ConfigUiEngine extends Engine {
   modulePrefix = modulePrefix;
   Resolver = Resolver;
   dependencies = {
-    services: ['auth', 'store', 'flash-messages', 'namespace', 'router', 'version', 'custom-messages'],
+    services: ['auth', 'store', 'flash-messages', 'namespace', 'app-router', 'version', 'custom-messages'],
   };
 }
 
diff --git a/ui/lib/core/addon/components/linked-block.js b/ui/lib/core/addon/components/linked-block.js
index 60a5fa311ee5..d9684a6286ac 100644
--- a/ui/lib/core/addon/components/linked-block.js
+++ b/ui/lib/core/addon/components/linked-block.js
@@ -4,7 +4,7 @@
  */
 
 import Component from '@glimmer/component';
-import { service } from '@ember/service';
+import { getOwner } from '@ember/owner';
 import { action } from '@ember/object';
 import { encodePath } from 'vault/utils/path-encoding-helpers';
 
@@ -26,7 +26,14 @@ import { encodePath } from 'vault/utils/path-encoding-helpers';
  */
 
 export default class LinkedBlockComponent extends Component {
-  @service router;
+  // We don't import the router service here because Ember Engine's use the alias 'app-router'
+  // Since this component is shared across engines, we look up the router dynamically using getOwner instead.
+  // This way we avoid throwing an error by looking up a service that doesn't exist.
+  // https://guides.emberjs.com/release/services/#toc_accessing-services
+  get router() {
+    const owner = getOwner(this);
+    return owner.lookup('service:router') || owner.lookup('service:app-router');
+  }
 
   @action
   onClick(event) {
diff --git a/ui/lib/core/addon/components/replication-page.js b/ui/lib/core/addon/components/replication-page.js
index aa92f306a13a..b65296d473d2 100644
--- a/ui/lib/core/addon/components/replication-page.js
+++ b/ui/lib/core/addon/components/replication-page.js
@@ -9,6 +9,7 @@ import { action } from '@ember/object';
 import { service } from '@ember/service';
 import { task } from 'ember-concurrency';
 import { waitFor } from '@ember/test-waiters';
+import { getOwner } from '@ember/owner';
 
 /**
  * @module ReplicationPage
@@ -28,9 +29,14 @@ const MODE = {
 
 export default class ReplicationPage extends Component {
   @service store;
-  @service router;
   @tracked reindexingDetails = null;
 
+  // This component renders both within and outside the replication engine so we have to dynamically look up the router
+  get router() {
+    const owner = getOwner(this);
+    return owner.lookup('service:router') || owner.lookup('service:app-router');
+  }
+
   @action onModeUpdate(evt, replicationMode) {
     // Called on did-insert and did-update
     this.getReplicationModeStatus.perform(replicationMode);
diff --git a/ui/lib/core/addon/helpers/transition-to.js b/ui/lib/core/addon/helpers/transition-to.js
new file mode 100644
index 000000000000..be3af5df6f8f
--- /dev/null
+++ b/ui/lib/core/addon/helpers/transition-to.js
@@ -0,0 +1,31 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import Helper from '@ember/component/helper';
+import { getOwner } from '@ember/owner';
+
+/*
+template helper that replaces ember-router-helpers https://github.com/rwjblue/ember-router-helpers
+example:
+<MyForm @onSave={{transition-to "vault.cluster.some.route.item" "item-id"}} />
+<MyForm @onSave={{transition-to "vault.cluster.some.external.route"  external=true}} />
+*/
+export default class TransitionTo extends Helper {
+  // We don't import the router service here because Ember Engine's use the alias 'app-router'
+  // Since this helper is shared across engines, we look up the router dynamically using getOwner instead.
+  // This way we avoid throwing an error by looking up a service that doesn't exist.
+  // https://guides.emberjs.com/release/services/#toc_accessing-services
+  get router() {
+    const owner = getOwner(this);
+    return owner.lookup('service:router') || owner.lookup('service:app-router');
+  }
+
+  compute(routeParams, { external = false }) {
+    if (external) {
+      return () => this.router.transitionToExternal(...routeParams);
+    }
+    return () => this.router.transitionTo(...routeParams);
+  }
+}
diff --git a/ui/lib/core/addon/mixins/replication-actions.js b/ui/lib/core/addon/mixins/replication-actions.js
index 26fe1effefaa..f472d5e2a163 100644
--- a/ui/lib/core/addon/mixins/replication-actions.js
+++ b/ui/lib/core/addon/mixins/replication-actions.js
@@ -11,7 +11,6 @@ import { task } from 'ember-concurrency';
 
 export default Mixin.create({
   store: service(),
-  router: service(),
   loading: or('save.isRunning', 'submitSuccess.isRunning'),
   onDisable() {},
   onPromote() {},
diff --git a/ui/lib/core/app/helpers/transition-to.js b/ui/lib/core/app/helpers/transition-to.js
new file mode 100644
index 000000000000..98c6573a3bdd
--- /dev/null
+++ b/ui/lib/core/app/helpers/transition-to.js
@@ -0,0 +1,6 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export { default } from 'core/helpers/transition-to';
diff --git a/ui/lib/kmip/addon/controllers/credentials/show.js b/ui/lib/kmip/addon/controllers/credentials/show.js
index 97242a1bfe68..b6cdef77f6ac 100644
--- a/ui/lib/kmip/addon/controllers/credentials/show.js
+++ b/ui/lib/kmip/addon/controllers/credentials/show.js
@@ -9,7 +9,7 @@ import { action } from '@ember/object';
 
 export default class CredentialsShowController extends Controller {
   @service flashMessages;
-  @service router;
+  @service('app-router') router;
 
   @action
   async revokeCredentials() {
diff --git a/ui/lib/kmip/addon/controllers/role.js b/ui/lib/kmip/addon/controllers/role.js
index e4fe42c15bf1..780df5dbd727 100644
--- a/ui/lib/kmip/addon/controllers/role.js
+++ b/ui/lib/kmip/addon/controllers/role.js
@@ -9,7 +9,7 @@ import { action } from '@ember/object';
 
 export default class RoleController extends Controller {
   @service flashMessages;
-  @service router;
+  @service('app-router') router;
 
   @action
   async deleteRole() {
diff --git a/ui/lib/kmip/addon/engine.js b/ui/lib/kmip/addon/engine.js
index c2a71428bf0e..16a3468d8900 100644
--- a/ui/lib/kmip/addon/engine.js
+++ b/ui/lib/kmip/addon/engine.js
@@ -20,7 +20,7 @@ const Eng = Engine.extend({
       'flash-messages',
       'namespace',
       'path-help',
-      'router',
+      'app-router',
       'store',
       'version',
       'secret-mount-path',
diff --git a/ui/lib/kubernetes/addon/components/page/configure.js b/ui/lib/kubernetes/addon/components/page/configure.js
index 72b1301697f0..98456766f90e 100644
--- a/ui/lib/kubernetes/addon/components/page/configure.js
+++ b/ui/lib/kubernetes/addon/components/page/configure.js
@@ -18,7 +18,7 @@ import errorMessage from 'vault/utils/error-message';
  * @param {object} model - config model that contains kubernetes configuration
  */
 export default class ConfigurePageComponent extends Component {
-  @service router;
+  @service('app-router') router;
   @service store;
 
   @tracked inferredState;
diff --git a/ui/lib/kubernetes/addon/components/page/credentials.js b/ui/lib/kubernetes/addon/components/page/credentials.js
index 736be6a0e311..eb23930acb02 100644
--- a/ui/lib/kubernetes/addon/components/page/credentials.js
+++ b/ui/lib/kubernetes/addon/components/page/credentials.js
@@ -23,7 +23,7 @@ import timestamp from 'vault/utils/timestamp';
  */
 export default class CredentialsPageComponent extends Component {
   @service store;
-  @service router;
+  @service('app-router') router;
 
   @tracked ttl = '';
   @tracked clusterRoleBinding = false;
diff --git a/ui/lib/kubernetes/addon/components/page/overview.js b/ui/lib/kubernetes/addon/components/page/overview.js
index d20ff4d1b8d3..44b2902d4bdc 100644
--- a/ui/lib/kubernetes/addon/components/page/overview.js
+++ b/ui/lib/kubernetes/addon/components/page/overview.js
@@ -19,7 +19,7 @@ import { action } from '@ember/object';
  */
 
 export default class OverviewPageComponent extends Component {
-  @service router;
+  @service('app-router') router;
 
   @tracked selectedRole = null;
   @tracked roleOptions = [];
diff --git a/ui/lib/kubernetes/addon/components/page/role/create-and-edit.js b/ui/lib/kubernetes/addon/components/page/role/create-and-edit.js
index d01d521e9c2d..07c68fe9f88c 100644
--- a/ui/lib/kubernetes/addon/components/page/role/create-and-edit.js
+++ b/ui/lib/kubernetes/addon/components/page/role/create-and-edit.js
@@ -20,7 +20,7 @@ import errorMessage from 'vault/utils/error-message';
  */
 
 export default class CreateAndEditRolePageComponent extends Component {
-  @service router;
+  @service('app-router') router;
   @service flashMessages;
 
   @tracked roleRulesTemplates;
diff --git a/ui/lib/kubernetes/addon/components/page/role/details.js b/ui/lib/kubernetes/addon/components/page/role/details.js
index d3001c1f2d51..4a73d209e694 100644
--- a/ui/lib/kubernetes/addon/components/page/role/details.js
+++ b/ui/lib/kubernetes/addon/components/page/role/details.js
@@ -17,7 +17,7 @@ import errorMessage from 'vault/utils/error-message';
  */
 
 export default class RoleDetailsPageComponent extends Component {
-  @service router;
+  @service('app-router') router;
   @service flashMessages;
 
   get extraFields() {
diff --git a/ui/lib/kubernetes/addon/components/page/roles.js b/ui/lib/kubernetes/addon/components/page/roles.js
index d56140cf054f..8735d597e460 100644
--- a/ui/lib/kubernetes/addon/components/page/roles.js
+++ b/ui/lib/kubernetes/addon/components/page/roles.js
@@ -23,7 +23,7 @@ import keys from 'core/utils/key-codes';
  */
 export default class RolesPageComponent extends Component {
   @service flashMessages;
-  @service router;
+  @service('app-router') router;
   @tracked query;
   @tracked roleToDelete = null;
 
diff --git a/ui/lib/kubernetes/addon/engine.js b/ui/lib/kubernetes/addon/engine.js
index c033628b1258..9f772c6f472e 100644
--- a/ui/lib/kubernetes/addon/engine.js
+++ b/ui/lib/kubernetes/addon/engine.js
@@ -16,7 +16,7 @@ export default class KubernetesEngine extends Engine {
   modulePrefix = modulePrefix;
   Resolver = Resolver;
   dependencies = {
-    services: ['router', 'store', 'secret-mount-path', 'flash-messages'],
+    services: ['app-router', 'store', 'secret-mount-path', 'flash-messages'],
     externalRoutes: ['secrets'],
   };
 }
diff --git a/ui/lib/kubernetes/addon/routes/index.js b/ui/lib/kubernetes/addon/routes/index.js
index 75aebf2744c1..f880be4a533c 100644
--- a/ui/lib/kubernetes/addon/routes/index.js
+++ b/ui/lib/kubernetes/addon/routes/index.js
@@ -7,7 +7,7 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class KubernetesRoute extends Route {
-  @service router;
+  @service('app-router') router;
 
   redirect() {
     this.router.transitionTo('vault.cluster.secrets.backend.kubernetes.overview');
diff --git a/ui/lib/kubernetes/addon/routes/roles/role/index.js b/ui/lib/kubernetes/addon/routes/roles/role/index.js
index 1be0ddd62f13..e11ca64232a4 100644
--- a/ui/lib/kubernetes/addon/routes/roles/role/index.js
+++ b/ui/lib/kubernetes/addon/routes/roles/role/index.js
@@ -7,7 +7,7 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class KubernetesRoleRoute extends Route {
-  @service router;
+  @service('app-router') router;
 
   redirect() {
     this.router.transitionTo('vault.cluster.secrets.backend.kubernetes.roles.role.details');
diff --git a/ui/lib/kv/addon/components/kv-list-filter.js b/ui/lib/kv/addon/components/kv-list-filter.js
index 1cc9c0cfac36..384f74c6e78c 100644
--- a/ui/lib/kv/addon/components/kv-list-filter.js
+++ b/ui/lib/kv/addon/components/kv-list-filter.js
@@ -31,7 +31,7 @@ import { task, timeout } from 'ember-concurrency';
  */
 
 export default class KvListFilterComponent extends Component {
-  @service router;
+  @service('app-router') router;
   @tracked query;
 
   constructor() {
diff --git a/ui/lib/kv/addon/components/page/list.js b/ui/lib/kv/addon/components/page/list.js
index fe16726e1b41..cb50ba322983 100644
--- a/ui/lib/kv/addon/components/page/list.js
+++ b/ui/lib/kv/addon/components/page/list.js
@@ -26,7 +26,7 @@ import { pathIsDirectory } from 'kv/utils/kv-breadcrumbs';
 
 export default class KvListPageComponent extends Component {
   @service flashMessages;
-  @service router;
+  @service('app-router') router;
   @service store;
 
   @tracked secretPath;
diff --git a/ui/lib/kv/addon/components/page/secret/details.js b/ui/lib/kv/addon/components/page/secret/details.js
index 12adabd3506c..404a30bc9ec6 100644
--- a/ui/lib/kv/addon/components/page/secret/details.js
+++ b/ui/lib/kv/addon/components/page/secret/details.js
@@ -41,7 +41,7 @@ import { isAdvancedSecret } from 'core/utils/advanced-secret';
 
 export default class KvSecretDetails extends Component {
   @service flashMessages;
-  @service router;
+  @service('app-router') router;
   @service store;
 
   @tracked showJsonView = false;
diff --git a/ui/lib/kv/addon/components/page/secret/edit.js b/ui/lib/kv/addon/components/page/secret/edit.js
index c1549f9b458a..01e2c66f4b97 100644
--- a/ui/lib/kv/addon/components/page/secret/edit.js
+++ b/ui/lib/kv/addon/components/page/secret/edit.js
@@ -31,7 +31,7 @@ import { isAdvancedSecret } from 'core/utils/advanced-secret';
 export default class KvSecretEdit extends Component {
   @service controlGroup;
   @service flashMessages;
-  @service router;
+  @service('app-router') router;
 
   @tracked showJsonView = false;
   @tracked showDiff = false;
diff --git a/ui/lib/kv/addon/components/page/secret/metadata/details.js b/ui/lib/kv/addon/components/page/secret/metadata/details.js
index 2769ae946ad2..55b26493c412 100644
--- a/ui/lib/kv/addon/components/page/secret/metadata/details.js
+++ b/ui/lib/kv/addon/components/page/secret/metadata/details.js
@@ -37,7 +37,7 @@ import errorMessage from 'vault/utils/error-message';
 export default class KvSecretMetadataDetails extends Component {
   @service controlGroup;
   @service flashMessages;
-  @service router;
+  @service('app-router') router;
   @service store;
 
   @tracked error = null;
diff --git a/ui/lib/kv/addon/components/page/secret/patch.js b/ui/lib/kv/addon/components/page/secret/patch.js
index fb1a4db15218..bb61f96e5cd3 100644
--- a/ui/lib/kv/addon/components/page/secret/patch.js
+++ b/ui/lib/kv/addon/components/page/secret/patch.js
@@ -37,7 +37,7 @@ import errorMessage from 'vault/utils/error-message';
 export default class KvSecretPatch extends Component {
   @service controlGroup;
   @service flashMessages;
-  @service router;
+  @service('app-router') router;
   @service store;
 
   @tracked controlGroupError;
diff --git a/ui/lib/kv/addon/components/page/secrets/create.js b/ui/lib/kv/addon/components/page/secrets/create.js
index c4375f300a95..961ba1befa60 100644
--- a/ui/lib/kv/addon/components/page/secrets/create.js
+++ b/ui/lib/kv/addon/components/page/secrets/create.js
@@ -28,7 +28,7 @@ import errorMessage from 'vault/utils/error-message';
 export default class KvSecretCreate extends Component {
   @service controlGroup;
   @service flashMessages;
-  @service router;
+  @service('app-router') router;
   @service store;
 
   @tracked showJsonView = false;
diff --git a/ui/lib/kv/addon/engine.js b/ui/lib/kv/addon/engine.js
index bfd19ebefe7f..3bb5fcab88b1 100644
--- a/ui/lib/kv/addon/engine.js
+++ b/ui/lib/kv/addon/engine.js
@@ -22,7 +22,7 @@ export default class KvEngine extends Engine {
       'download',
       'flash-messages',
       'namespace',
-      'router',
+      'app-router',
       'secret-mount-path',
       'store',
       'version',
diff --git a/ui/lib/kv/addon/routes/index.js b/ui/lib/kv/addon/routes/index.js
index 28a4566751ed..904b8cb3912a 100644
--- a/ui/lib/kv/addon/routes/index.js
+++ b/ui/lib/kv/addon/routes/index.js
@@ -7,7 +7,7 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class KvRoute extends Route {
-  @service router;
+  @service('app-router') router;
 
   redirect() {
     this.router.transitionTo('vault.cluster.secrets.backend.kv.list');
diff --git a/ui/lib/kv/addon/routes/list-directory.js b/ui/lib/kv/addon/routes/list-directory.js
index 61d3258625af..6190bd684470 100644
--- a/ui/lib/kv/addon/routes/list-directory.js
+++ b/ui/lib/kv/addon/routes/list-directory.js
@@ -12,7 +12,7 @@ import { pathIsDirectory } from 'kv/utils/kv-breadcrumbs';
 
 export default class KvSecretsListRoute extends Route {
   @service store;
-  @service router;
+  @service('app-router') router;
   @service secretMountPath;
 
   queryParams = {
diff --git a/ui/lib/kv/addon/routes/secret/index.js b/ui/lib/kv/addon/routes/secret/index.js
index f048281b2dbd..dc1356810e3c 100644
--- a/ui/lib/kv/addon/routes/secret/index.js
+++ b/ui/lib/kv/addon/routes/secret/index.js
@@ -8,7 +8,7 @@ import { service } from '@ember/service';
 import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
 
 export default class SecretIndex extends Route {
-  @service router;
+  @service('app-router') router;
 
   setupController(controller, resolvedModel) {
     super.setupController(controller, resolvedModel);
diff --git a/ui/lib/kv/addon/routes/secret/patch.js b/ui/lib/kv/addon/routes/secret/patch.js
index 3cb88d1b10f0..210a54a9b0cb 100644
--- a/ui/lib/kv/addon/routes/secret/patch.js
+++ b/ui/lib/kv/addon/routes/secret/patch.js
@@ -8,7 +8,7 @@ import { breadcrumbsForSecret } from 'kv/utils/kv-breadcrumbs';
 import { service } from '@ember/service';
 
 export default class SecretPatch extends Route {
-  @service router;
+  @service('app-router') router;
 
   setupController(controller, resolvedModel) {
     super.setupController(controller, resolvedModel);
diff --git a/ui/lib/ldap/addon/components/page/configure.ts b/ui/lib/ldap/addon/components/page/configure.ts
index 303659df5367..6deea648f07e 100644
--- a/ui/lib/ldap/addon/components/page/configure.ts
+++ b/ui/lib/ldap/addon/components/page/configure.ts
@@ -29,7 +29,7 @@ interface SchemaOption {
 
 export default class LdapConfigurePageComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked showRotatePrompt = false;
   @tracked modelValidations: ValidationMap | null = null;
diff --git a/ui/lib/ldap/addon/components/page/library/create-and-edit.ts b/ui/lib/ldap/addon/components/page/library/create-and-edit.ts
index 0724a1031765..7e483ed9e771 100644
--- a/ui/lib/ldap/addon/components/page/library/create-and-edit.ts
+++ b/ui/lib/ldap/addon/components/page/library/create-and-edit.ts
@@ -23,7 +23,7 @@ interface Args {
 
 export default class LdapCreateAndEditLibraryPageComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked modelValidations: ValidationMap | null = null;
   @tracked invalidFormMessage = '';
diff --git a/ui/lib/ldap/addon/components/page/library/details.ts b/ui/lib/ldap/addon/components/page/library/details.ts
index c96962821cba..e35bb2f56022 100644
--- a/ui/lib/ldap/addon/components/page/library/details.ts
+++ b/ui/lib/ldap/addon/components/page/library/details.ts
@@ -20,7 +20,7 @@ interface Args {
 
 export default class LdapLibraryDetailsPageComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   @action
   async delete() {
diff --git a/ui/lib/ldap/addon/components/page/library/details/accounts.ts b/ui/lib/ldap/addon/components/page/library/details/accounts.ts
index 7e119375dbc0..45e45ef0505c 100644
--- a/ui/lib/ldap/addon/components/page/library/details/accounts.ts
+++ b/ui/lib/ldap/addon/components/page/library/details/accounts.ts
@@ -21,7 +21,7 @@ interface Args {
 
 export default class LdapLibraryDetailsAccountsPageComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked showCheckOutPrompt = false;
   @tracked checkOutTtl: string | null = null;
diff --git a/ui/lib/ldap/addon/components/page/overview.ts b/ui/lib/ldap/addon/components/page/overview.ts
index 78b89bedea4a..3694b1530ed2 100644
--- a/ui/lib/ldap/addon/components/page/overview.ts
+++ b/ui/lib/ldap/addon/components/page/overview.ts
@@ -25,7 +25,7 @@ interface Args {
 }
 
 export default class LdapLibrariesPageComponent extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked selectedRole: LdapRoleModel | undefined;
 
diff --git a/ui/lib/ldap/addon/components/page/role/create-and-edit.ts b/ui/lib/ldap/addon/components/page/role/create-and-edit.ts
index 80fb5d164e5a..582f2d8f275c 100644
--- a/ui/lib/ldap/addon/components/page/role/create-and-edit.ts
+++ b/ui/lib/ldap/addon/components/page/role/create-and-edit.ts
@@ -30,7 +30,7 @@ interface RoleTypeOption {
 
 export default class LdapCreateAndEditRolePageComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: StoreService;
 
   @tracked modelValidations: ValidationMap | null = null;
diff --git a/ui/lib/ldap/addon/components/page/role/details.ts b/ui/lib/ldap/addon/components/page/role/details.ts
index cc6e9f08560b..75444e182b09 100644
--- a/ui/lib/ldap/addon/components/page/role/details.ts
+++ b/ui/lib/ldap/addon/components/page/role/details.ts
@@ -23,7 +23,7 @@ interface Args {
 
 export default class LdapRoleDetailsPageComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: StoreService;
 
   @action
diff --git a/ui/lib/ldap/addon/components/page/roles.ts b/ui/lib/ldap/addon/components/page/roles.ts
index 15747ac1c6cf..9489e39eaa04 100644
--- a/ui/lib/ldap/addon/components/page/roles.ts
+++ b/ui/lib/ldap/addon/components/page/roles.ts
@@ -27,7 +27,7 @@ interface Args {
 
 export default class LdapRolesPageComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: StoreService;
   @tracked credsToRotate: LdapRoleModel | null = null;
   @tracked roleToDelete: LdapRoleModel | null = null;
diff --git a/ui/lib/ldap/addon/engine.js b/ui/lib/ldap/addon/engine.js
index 22a4c7caa64d..c2abaaf766b8 100644
--- a/ui/lib/ldap/addon/engine.js
+++ b/ui/lib/ldap/addon/engine.js
@@ -14,7 +14,7 @@ export default class LdapEngine extends Engine {
   modulePrefix = modulePrefix;
   Resolver = Resolver;
   dependencies = {
-    services: ['router', 'store', 'secret-mount-path', 'flash-messages', 'auth'],
+    services: ['app-router', 'store', 'secret-mount-path', 'flash-messages', 'auth'],
     externalRoutes: ['secrets'],
   };
 }
diff --git a/ui/lib/ldap/addon/routes/libraries/library/check-out.ts b/ui/lib/ldap/addon/routes/libraries/library/check-out.ts
index 72701dba11e7..174c60034ae6 100644
--- a/ui/lib/ldap/addon/routes/libraries/library/check-out.ts
+++ b/ui/lib/ldap/addon/routes/libraries/library/check-out.ts
@@ -24,7 +24,7 @@ interface LdapLibraryCheckOutController extends Controller {
 
 export default class LdapLibraryCheckOutRoute extends Route {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   accountsRoute = 'vault.cluster.secrets.backend.ldap.libraries.library.details.accounts';
 
diff --git a/ui/lib/ldap/addon/routes/libraries/library/details/index.ts b/ui/lib/ldap/addon/routes/libraries/library/details/index.ts
index 77024023f489..2b60dd68e6b8 100644
--- a/ui/lib/ldap/addon/routes/libraries/library/details/index.ts
+++ b/ui/lib/ldap/addon/routes/libraries/library/details/index.ts
@@ -9,7 +9,7 @@ import { service } from '@ember/service';
 import type RouterService from '@ember/routing/router-service';
 
 export default class LdapLibraryRoute extends Route {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   redirect() {
     this.router.transitionTo('vault.cluster.secrets.backend.ldap.libraries.library.details.accounts');
diff --git a/ui/lib/ldap/addon/routes/libraries/library/index.ts b/ui/lib/ldap/addon/routes/libraries/library/index.ts
index eb4fbd897f07..316516913b7d 100644
--- a/ui/lib/ldap/addon/routes/libraries/library/index.ts
+++ b/ui/lib/ldap/addon/routes/libraries/library/index.ts
@@ -9,7 +9,7 @@ import { service } from '@ember/service';
 import type RouterService from '@ember/routing/router-service';
 
 export default class LdapLibraryRoute extends Route {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   redirect() {
     this.router.transitionTo('vault.cluster.secrets.backend.ldap.libraries.library.details');
diff --git a/ui/lib/ldap/addon/routes/roles/role/index.ts b/ui/lib/ldap/addon/routes/roles/role/index.ts
index 852289daf1ba..e2442f8fc362 100644
--- a/ui/lib/ldap/addon/routes/roles/role/index.ts
+++ b/ui/lib/ldap/addon/routes/roles/role/index.ts
@@ -9,7 +9,7 @@ import { service } from '@ember/service';
 import type RouterService from '@ember/routing/router-service';
 
 export default class LdapRoleRoute extends Route {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   redirect() {
     this.router.transitionTo('vault.cluster.secrets.backend.ldap.roles.role.details');
diff --git a/ui/lib/open-api-explorer/addon/engine.js b/ui/lib/open-api-explorer/addon/engine.js
index b16e623c86ea..400b5e4f86c6 100644
--- a/ui/lib/open-api-explorer/addon/engine.js
+++ b/ui/lib/open-api-explorer/addon/engine.js
@@ -14,7 +14,7 @@ const Eng = Engine.extend({
   modulePrefix,
   Resolver,
   dependencies: {
-    services: ['auth', 'flash-messages', 'namespace', 'router', 'version'],
+    services: ['auth', 'flash-messages', 'namespace', 'app-router', 'version'],
   },
 });
 
diff --git a/ui/lib/pki/addon/components/page/pki-configuration-details.ts b/ui/lib/pki/addon/components/page/pki-configuration-details.ts
index 149d7b450392..78ef13da0d13 100644
--- a/ui/lib/pki/addon/components/page/pki-configuration-details.ts
+++ b/ui/lib/pki/addon/components/page/pki-configuration-details.ts
@@ -19,7 +19,7 @@ interface Args {
 
 export default class PkiConfigurationDetails extends Component<Args> {
   @service declare readonly store: Store;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly version: VersionService;
   @tracked showDeleteAllIssuers = false;
diff --git a/ui/lib/pki/addon/components/page/pki-configuration-edit.ts b/ui/lib/pki/addon/components/page/pki-configuration-edit.ts
index 3545006208f5..0f8e1de30c57 100644
--- a/ui/lib/pki/addon/components/page/pki-configuration-edit.ts
+++ b/ui/lib/pki/addon/components/page/pki-configuration-edit.ts
@@ -44,7 +44,7 @@ interface ErrorObject {
   message: string;
 }
 export default class PkiConfigurationEditComponent extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly version: VersionService;
 
diff --git a/ui/lib/pki/addon/components/page/pki-configure-create.ts b/ui/lib/pki/addon/components/page/pki-configure-create.ts
index fba02ee780d9..8bcb723c650c 100644
--- a/ui/lib/pki/addon/components/page/pki-configure-create.ts
+++ b/ui/lib/pki/addon/components/page/pki-configure-create.ts
@@ -7,7 +7,7 @@ import Component from '@glimmer/component';
 import { service } from '@ember/service';
 import { tracked } from '@glimmer/tracking';
 import type Store from '@ember-data/store';
-import type Router from '@ember/routing/router';
+import type RouterService from '@ember/routing/router';
 import type FlashMessageService from 'vault/services/flash-messages';
 import type PkiActionModel from 'vault/models/pki/action';
 import type { Breadcrumb } from 'vault/vault/app-types';
@@ -26,9 +26,9 @@ interface Args {
  * and form submission and cancel actions.
  */
 export default class PkiConfigureCreate extends Component<Args> {
-  @service declare readonly store: Store;
-  @service declare readonly router: Router;
   @service declare readonly flashMessages: FlashMessageService;
+  @service declare readonly store: Store;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked title = 'Configure PKI';
 
diff --git a/ui/lib/pki/addon/components/page/pki-issuer-edit.ts b/ui/lib/pki/addon/components/page/pki-issuer-edit.ts
index 1f456efb09c1..6f2576e773c5 100644
--- a/ui/lib/pki/addon/components/page/pki-issuer-edit.ts
+++ b/ui/lib/pki/addon/components/page/pki-issuer-edit.ts
@@ -21,7 +21,7 @@ interface Args {
 }
 
 export default class PkiIssuerEditComponent extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly flashMessages: FlashMessageService;
 
   @tracked usageValues: Array<string> = [];
diff --git a/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.ts b/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.ts
index 693573f23492..7b74640a3f0b 100644
--- a/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.ts
+++ b/ui/lib/pki/addon/components/page/pki-issuer-rotate-root.ts
@@ -11,7 +11,7 @@ import { waitFor } from '@ember/test-waiters';
 import { task } from 'ember-concurrency';
 import errorMessage from 'vault/utils/error-message';
 import type Store from '@ember-data/store';
-import type Router from '@ember/routing/router';
+import type RouterService from '@ember/routing/router';
 import type FlashMessageService from 'vault/services/flash-messages';
 import type SecretMountPath from 'vault/services/secret-mount-path';
 import type PkiIssuerModel from 'vault/models/pki/issuer';
@@ -31,10 +31,10 @@ const RADIO_BUTTON_KEY = {
 };
 
 export default class PagePkiIssuerRotateRootComponent extends Component<Args> {
-  @service declare readonly store: Store;
-  @service declare readonly router: Router;
   @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly secretMountPath: SecretMountPath;
+  @service declare readonly store: Store;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked displayedForm = RADIO_BUTTON_KEY.oldSettings;
   @tracked showOldSettings = false;
diff --git a/ui/lib/pki/addon/components/page/pki-key-details.ts b/ui/lib/pki/addon/components/page/pki-key-details.ts
index d48ef94e4e49..756236f3e0f4 100644
--- a/ui/lib/pki/addon/components/page/pki-key-details.ts
+++ b/ui/lib/pki/addon/components/page/pki-key-details.ts
@@ -15,7 +15,7 @@ interface Args {
 }
 
 export default class PkiKeyDetails extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly flashMessages: FlashMessageService;
 
   @action
diff --git a/ui/lib/pki/addon/components/page/pki-overview.ts b/ui/lib/pki/addon/components/page/pki-overview.ts
index 508c84eefad0..daf879d0cca7 100644
--- a/ui/lib/pki/addon/components/page/pki-overview.ts
+++ b/ui/lib/pki/addon/components/page/pki-overview.ts
@@ -19,7 +19,7 @@ interface Args {
 }
 
 export default class PkiOverview extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: Store;
 
   @tracked rolesValue = '';
diff --git a/ui/lib/pki/addon/components/page/pki-role-details.ts b/ui/lib/pki/addon/components/page/pki-role-details.ts
index c48a5ecd996a..e8f3865dbfc7 100644
--- a/ui/lib/pki/addon/components/page/pki-role-details.ts
+++ b/ui/lib/pki/addon/components/page/pki-role-details.ts
@@ -17,7 +17,7 @@ interface Args {
 }
 
 export default class DetailsPage extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly secretMountPath: SecretMountPath;
 
diff --git a/ui/lib/pki/addon/components/page/pki-tidy-status.ts b/ui/lib/pki/addon/components/page/pki-tidy-status.ts
index c8a0f07f9a08..8172b5e846ff 100644
--- a/ui/lib/pki/addon/components/page/pki-tidy-status.ts
+++ b/ui/lib/pki/addon/components/page/pki-tidy-status.ts
@@ -52,7 +52,7 @@ export default class PkiTidyStatusComponent extends Component<Args> {
   @service declare readonly secretMountPath: SecretMountPath;
   @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly version: VersionService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked tidyOptionsModal = false;
   @tracked confirmCancelTidy = false;
diff --git a/ui/lib/pki/addon/components/pki-generate-root.ts b/ui/lib/pki/addon/components/pki-generate-root.ts
index d8bab62adce1..2b3d8a959381 100644
--- a/ui/lib/pki/addon/components/pki-generate-root.ts
+++ b/ui/lib/pki/addon/components/pki-generate-root.ts
@@ -51,7 +51,7 @@ interface Args {
  */
 export default class PkiGenerateRootComponent extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked modelValidations: ValidationMap | null = null;
   @tracked errorBanner = '';
diff --git a/ui/lib/pki/addon/components/pki-role-generate.ts b/ui/lib/pki/addon/components/pki-role-generate.ts
index 3c008b4196de..56c327c8f450 100644
--- a/ui/lib/pki/addon/components/pki-role-generate.ts
+++ b/ui/lib/pki/addon/components/pki-role-generate.ts
@@ -9,7 +9,7 @@ import { task } from 'ember-concurrency';
 import { service } from '@ember/service';
 import { tracked } from '@glimmer/tracking';
 import errorMessage from 'vault/utils/error-message';
-import type Router from '@ember/routing/router';
+import type RouterService from '@ember/routing/router';
 import type Store from '@ember-data/store';
 import type FlashMessageService from 'vault/services/flash-messages';
 import type DownloadService from 'vault/services/download';
@@ -23,10 +23,10 @@ interface Args {
 }
 
 export default class PkiRoleGenerate extends Component<Args> {
-  @service declare readonly router: Router;
-  @service declare readonly store: Store;
-  @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly download: DownloadService;
+  @service declare readonly flashMessages: FlashMessageService;
+  @service declare readonly store: Store;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked errorBanner = '';
   @tracked invalidFormAlert = '';
diff --git a/ui/lib/pki/addon/components/pki-tidy-form.ts b/ui/lib/pki/addon/components/pki-tidy-form.ts
index 1b388b77eade..84c313ca3a5d 100644
--- a/ui/lib/pki/addon/components/pki-tidy-form.ts
+++ b/ui/lib/pki/addon/components/pki-tidy-form.ts
@@ -30,7 +30,7 @@ interface PkiTidyBooleans {
 }
 
 export default class PkiTidyForm extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked errorBanner = '';
   @tracked invalidFormAlert = '';
diff --git a/ui/lib/pki/addon/engine.js b/ui/lib/pki/addon/engine.js
index 803bc5071788..178a88c2a90b 100644
--- a/ui/lib/pki/addon/engine.js
+++ b/ui/lib/pki/addon/engine.js
@@ -22,7 +22,7 @@ export default class PkiEngine extends Engine {
       'flash-messages',
       'namespace',
       'path-help',
-      'router',
+      'app-router',
       'secret-mount-path',
       'store',
       'version',
diff --git a/ui/lib/pki/addon/routes/index.js b/ui/lib/pki/addon/routes/index.js
index 38c03207a00a..6dfb959f80af 100644
--- a/ui/lib/pki/addon/routes/index.js
+++ b/ui/lib/pki/addon/routes/index.js
@@ -7,7 +7,7 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default class PkiRoute extends Route {
-  @service router;
+  @service('app-router') router;
 
   redirect() {
     this.router.transitionTo('vault.cluster.secrets.backend.pki.overview');
diff --git a/ui/lib/replication/addon/controllers/application.js b/ui/lib/replication/addon/controllers/application.js
index 19ba12b9c88d..f3c680fbd65d 100644
--- a/ui/lib/replication/addon/controllers/application.js
+++ b/ui/lib/replication/addon/controllers/application.js
@@ -29,7 +29,7 @@ export default Controller.extend(structuredClone(DEFAULTS), {
   isModalActive: false,
   isTokenCopied: false,
   expirationDate: null,
-  router: service(),
+  router: service('app-router'),
   store: service(),
   rm: service('replication-mode'),
   replicationMode: alias('rm.mode'),
diff --git a/ui/lib/replication/addon/controllers/mode/secondaries/config-edit.js b/ui/lib/replication/addon/controllers/mode/secondaries/config-edit.js
index 2fdecbe4b5b9..760f00c7c81f 100644
--- a/ui/lib/replication/addon/controllers/mode/secondaries/config-edit.js
+++ b/ui/lib/replication/addon/controllers/mode/secondaries/config-edit.js
@@ -9,7 +9,7 @@ import Controller from '@ember/controller';
 
 export default Controller.extend({
   flashMessages: service(),
-  router: service(),
+  router: service('app-router'),
   rm: service('replication-mode'),
   replicationMode: alias('rm.mode'),
   actions: {
diff --git a/ui/lib/replication/addon/controllers/replication-mode.js b/ui/lib/replication/addon/controllers/replication-mode.js
index f2fb9d51b192..9124972b4e18 100644
--- a/ui/lib/replication/addon/controllers/replication-mode.js
+++ b/ui/lib/replication/addon/controllers/replication-mode.js
@@ -11,7 +11,7 @@ import { action } from '@ember/object';
 
 export default class ReplicationModeBaseController extends Controller {
   @service('replication-mode') rm;
-  @service router;
+  @service('app-router') router;
   @service store;
 
   get replicationMode() {
diff --git a/ui/lib/replication/addon/engine.js b/ui/lib/replication/addon/engine.js
index b7757a16b6d4..b649bbd1d762 100644
--- a/ui/lib/replication/addon/engine.js
+++ b/ui/lib/replication/addon/engine.js
@@ -20,7 +20,7 @@ const Eng = Engine.extend({
       'flash-messages',
       'namespace',
       'replication-mode',
-      'router',
+      'app-router',
       'store',
       'version',
       '-portal',
diff --git a/ui/lib/replication/addon/routes/application.js b/ui/lib/replication/addon/routes/application.js
index e54b870f9793..58569ad3b2d9 100644
--- a/ui/lib/replication/addon/routes/application.js
+++ b/ui/lib/replication/addon/routes/application.js
@@ -12,7 +12,7 @@ export default Route.extend(ClusterRoute, {
   version: service(),
   store: service(),
   auth: service(),
-  router: service(),
+  router: service('app-router'),
   capabilities: service(),
 
   async fetchCapabilities() {
diff --git a/ui/lib/replication/addon/routes/mode.js b/ui/lib/replication/addon/routes/mode.js
index 04bd9ba7166e..9177713f5725 100644
--- a/ui/lib/replication/addon/routes/mode.js
+++ b/ui/lib/replication/addon/routes/mode.js
@@ -12,7 +12,7 @@ const SUPPORTED_REPLICATION_MODES = ['dr', 'performance'];
 
 export default Route.extend({
   replicationMode: service(),
-  router: service(),
+  router: service('app-router'),
   store: service(),
   beforeModel() {
     const replicationMode = this.paramsFor(this.routeName).replication_mode;
diff --git a/ui/lib/replication/addon/routes/mode/index.js b/ui/lib/replication/addon/routes/mode/index.js
index c102cb8f9ee0..78599aa03423 100644
--- a/ui/lib/replication/addon/routes/mode/index.js
+++ b/ui/lib/replication/addon/routes/mode/index.js
@@ -9,7 +9,7 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default Route.extend({
-  router: service(),
+  router: service('app-router'),
   store: service(),
   model() {
     const replicationMode = this.paramsFor('mode').replication_mode;
diff --git a/ui/lib/replication/addon/routes/mode/manage.js b/ui/lib/replication/addon/routes/mode/manage.js
index def996286879..57108299d4b1 100644
--- a/ui/lib/replication/addon/routes/mode/manage.js
+++ b/ui/lib/replication/addon/routes/mode/manage.js
@@ -20,7 +20,7 @@ const pathForAction = (action, replicationMode, clusterMode) => {
 };
 
 export default Route.extend({
-  router: service(),
+  router: service('app-router'),
   store: service(),
   model() {
     const store = this.store;
diff --git a/ui/lib/replication/addon/routes/mode/secondaries.js b/ui/lib/replication/addon/routes/mode/secondaries.js
index 176f5450e3d0..02152d5c7d83 100644
--- a/ui/lib/replication/addon/routes/mode/secondaries.js
+++ b/ui/lib/replication/addon/routes/mode/secondaries.js
@@ -9,7 +9,7 @@ import Route from '@ember/routing/route';
 import { service } from '@ember/service';
 
 export default Route.extend({
-  router: service(),
+  router: service('app-router'),
   store: service(),
   model() {
     const replicationMode = this.paramsFor('mode').replication_mode;
diff --git a/ui/lib/replication/addon/routes/mode/secondaries/config-create.js b/ui/lib/replication/addon/routes/mode/secondaries/config-create.js
index 772135b54d20..52a93e8fc20b 100644
--- a/ui/lib/replication/addon/routes/mode/secondaries/config-create.js
+++ b/ui/lib/replication/addon/routes/mode/secondaries/config-create.js
@@ -9,7 +9,7 @@ import Base from '../../replication-base';
 
 export default Base.extend({
   flashMessages: service(),
-  router: service(),
+  router: service('app-router'),
 
   modelPath: 'model.config',
 
diff --git a/ui/lib/replication/addon/routes/replication-base.js b/ui/lib/replication/addon/routes/replication-base.js
index 464165349dbb..6cfff08fdd34 100644
--- a/ui/lib/replication/addon/routes/replication-base.js
+++ b/ui/lib/replication/addon/routes/replication-base.js
@@ -9,7 +9,7 @@ import Route from '@ember/routing/route';
 import UnloadModelRouteMixin from 'vault/mixins/unload-model-route';
 
 export default Route.extend(UnloadModelRouteMixin, {
-  router: service(),
+  router: service('app-router'),
   store: service(),
   version: service(),
   rm: service('replication-mode'),
diff --git a/ui/lib/sync/addon/components/secrets/destination-header.ts b/ui/lib/sync/addon/components/secrets/destination-header.ts
index 6da771e6155a..bd17cd907c7a 100644
--- a/ui/lib/sync/addon/components/secrets/destination-header.ts
+++ b/ui/lib/sync/addon/components/secrets/destination-header.ts
@@ -18,7 +18,7 @@ interface Args {
 }
 
 export default class DestinationsTabsToolbar extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: StoreService;
   @service declare readonly flashMessages: FlashMessageService;
 
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations.ts b/ui/lib/sync/addon/components/secrets/page/destinations.ts
index 9f8423a7f510..7f7ea756a464 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations.ts
+++ b/ui/lib/sync/addon/components/secrets/page/destinations.ts
@@ -27,7 +27,7 @@ interface Args {
 }
 
 export default class SyncSecretsDestinationsPageComponent extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: StoreService;
   @service declare readonly flashMessages: FlashMessageService;
 
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.ts b/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.ts
index 30198e713305..50c1779dfe9e 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.ts
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/create-and-edit.ts
@@ -23,7 +23,7 @@ interface Args {
 
 export default class DestinationsCreateForm extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: StoreService;
 
   @tracked modelValidations: ValidationMap | null = null;
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.ts b/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.ts
index 3325083c2470..3f798ded9958 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.ts
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/destination/secrets.ts
@@ -23,7 +23,7 @@ interface Args {
 }
 
 export default class SyncSecretsDestinationsPageComponent extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: StoreService;
   @service declare readonly flashMessages: FlashMessageService;
 
diff --git a/ui/lib/sync/addon/components/secrets/page/destinations/destination/sync.ts b/ui/lib/sync/addon/components/secrets/page/destinations/destination/sync.ts
index b59ad040cfb5..47239a606e89 100644
--- a/ui/lib/sync/addon/components/secrets/page/destinations/destination/sync.ts
+++ b/ui/lib/sync/addon/components/secrets/page/destinations/destination/sync.ts
@@ -22,7 +22,7 @@ interface Args {
 }
 
 export default class DestinationSyncPageComponent extends Component<Args> {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: StoreService;
   @service declare readonly flashMessages: FlashMessageService;
 
diff --git a/ui/lib/sync/addon/components/secrets/sync-activation-modal.ts b/ui/lib/sync/addon/components/secrets/sync-activation-modal.ts
index 70fee2d750ba..2ccce7463d27 100644
--- a/ui/lib/sync/addon/components/secrets/sync-activation-modal.ts
+++ b/ui/lib/sync/addon/components/secrets/sync-activation-modal.ts
@@ -24,7 +24,7 @@ interface Args {
 export default class SyncActivationModal extends Component<Args> {
   @service declare readonly flashMessages: FlashMessageService;
   @service declare readonly store: StoreService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   @tracked hasConfirmedDocs = false;
 
diff --git a/ui/lib/sync/addon/engine.js b/ui/lib/sync/addon/engine.js
index f6cfda3760c2..fc8b3448728e 100644
--- a/ui/lib/sync/addon/engine.js
+++ b/ui/lib/sync/addon/engine.js
@@ -14,7 +14,7 @@ export default class SyncEngine extends Engine {
   modulePrefix = modulePrefix;
   Resolver = Resolver;
   dependencies = {
-    services: ['flash-messages', 'flags', 'router', 'store', 'version'],
+    services: ['flash-messages', 'flags', 'app-router', 'store', 'version'],
     externalRoutes: ['kvSecretOverview', 'clientCountOverview'],
   };
 }
diff --git a/ui/lib/sync/addon/routes/index.ts b/ui/lib/sync/addon/routes/index.ts
index e73816a5e3e5..67243509e3e3 100644
--- a/ui/lib/sync/addon/routes/index.ts
+++ b/ui/lib/sync/addon/routes/index.ts
@@ -9,7 +9,7 @@ import { service } from '@ember/service';
 import type RouterService from '@ember/routing/router-service';
 
 export default class SyncIndexRoute extends Route {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   redirect() {
     this.router.transitionTo('vault.cluster.sync.secrets.overview');
diff --git a/ui/lib/sync/addon/routes/secrets.ts b/ui/lib/sync/addon/routes/secrets.ts
index 0a1a6ec296db..2fbd5a368224 100644
--- a/ui/lib/sync/addon/routes/secrets.ts
+++ b/ui/lib/sync/addon/routes/secrets.ts
@@ -10,7 +10,7 @@ import type RouterService from '@ember/routing/router-service';
 import type FlagService from 'vault/services/flags';
 
 export default class SyncSecretsRoute extends Route {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly flags: FlagService;
 
   model() {
diff --git a/ui/lib/sync/addon/routes/secrets/destinations/destination.ts b/ui/lib/sync/addon/routes/secrets/destinations/destination.ts
index 21cd8a724459..919b173fa0ce 100644
--- a/ui/lib/sync/addon/routes/secrets/destinations/destination.ts
+++ b/ui/lib/sync/addon/routes/secrets/destinations/destination.ts
@@ -19,7 +19,7 @@ interface RouteParams {
 
 export default class SyncSecretsDestinationsDestinationRoute extends Route {
   @service declare readonly store: Store;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly flashMessages: FlashMessageService;
 
   model(params: RouteParams) {
diff --git a/ui/lib/sync/addon/routes/secrets/destinations/destination/index.ts b/ui/lib/sync/addon/routes/secrets/destinations/destination/index.ts
index 660e186f4371..d68f82ded1a4 100644
--- a/ui/lib/sync/addon/routes/secrets/destinations/destination/index.ts
+++ b/ui/lib/sync/addon/routes/secrets/destinations/destination/index.ts
@@ -9,7 +9,7 @@ import { service } from '@ember/service';
 import type RouterService from '@ember/routing/router-service';
 
 export default class SyncSecretsDestinationsDestinationIndexRoute extends Route {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   redirect() {
     this.router.transitionTo('vault.cluster.sync.secrets.destinations.destination.details');
diff --git a/ui/lib/sync/addon/routes/secrets/destinations/index.ts b/ui/lib/sync/addon/routes/secrets/destinations/index.ts
index 7634cd5a9db1..52b1140ed03f 100644
--- a/ui/lib/sync/addon/routes/secrets/destinations/index.ts
+++ b/ui/lib/sync/addon/routes/secrets/destinations/index.ts
@@ -34,7 +34,7 @@ interface SyncSecretsDestinationsController extends Controller {
 
 export default class SyncSecretsDestinationsIndexRoute extends Route {
   @service declare readonly store: StoreService;
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
 
   queryParams = {
     page: {
diff --git a/ui/lib/sync/addon/routes/secrets/overview.ts b/ui/lib/sync/addon/routes/secrets/overview.ts
index 75b90ec50263..7ebeffc1977b 100644
--- a/ui/lib/sync/addon/routes/secrets/overview.ts
+++ b/ui/lib/sync/addon/routes/secrets/overview.ts
@@ -13,7 +13,7 @@ import type StoreService from 'vault/services/store';
 import type VersionService from 'vault/services/version';
 
 export default class SyncSecretsOverviewRoute extends Route {
-  @service declare readonly router: RouterService;
+  @service('app-router') declare readonly router: RouterService;
   @service declare readonly store: StoreService;
   @service declare readonly flags: FlagsService;
   @service declare readonly version: VersionService;
diff --git a/ui/package.json b/ui/package.json
index f694ac9dba7c..80e090d2656f 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -136,7 +136,6 @@
     "ember-qunit": "^8.0.1",
     "ember-resolver": "^11.0.1",
     "ember-responsive": "5.0.0",
-    "ember-router-helpers": "^0.4.0",
     "ember-service-worker": "meirish/ember-service-worker#configurable-scope",
     "ember-sinon-qunit": "^7.4.0",
     "ember-source": "~5.4.0",
diff --git a/ui/tests/integration/helpers/transition-to-test.js b/ui/tests/integration/helpers/transition-to-test.js
new file mode 100644
index 000000000000..32b7e35ac65a
--- /dev/null
+++ b/ui/tests/integration/helpers/transition-to-test.js
@@ -0,0 +1,77 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import { module, test } from 'qunit';
+import { setupRenderingTest } from 'vault/tests/helpers';
+import { setupEngine } from 'ember-engines/test-support';
+import { click, render } from '@ember/test-helpers';
+import { hbs } from 'ember-cli-htmlbars';
+import Sinon from 'sinon';
+
+module('Integration | Helper | transition-to', function (hooks) {
+  setupRenderingTest(hooks);
+  // using 'kv' here for testing, but this could be any Ember engine in the app
+  // sets this.engine, which we use to set context for the component testing service:app-router
+  setupEngine(hooks, 'kv');
+
+  hooks.beforeEach(function () {
+    this.router = this.owner.lookup('service:router');
+    this.router.reopen({
+      transitionTo: Sinon.stub(),
+      transitionToExternal: Sinon.stub(),
+    });
+  });
+
+  test('it does not call transition on render', async function (assert) {
+    await render(hbs`<button data-test-btn {{on "click" (transition-to "vault.cluster")}}>Click</button>`);
+
+    assert.true(this.router.transitionTo.notCalled, 'transitionTo not called on render');
+    assert.true(this.router.transitionToExternal.notCalled, 'transitionToExternal not called on render');
+  });
+
+  test('it calls transitionTo correctly', async function (assert) {
+    await render(
+      hbs`<button data-test-btn {{on "click" (transition-to "vault.cluster" "foobar" "baz")}}>Click</button>`
+    );
+    await click('[data-test-btn]');
+
+    assert.true(this.router.transitionTo.calledOnce, 'transitionTo called once on click');
+    assert.deepEqual(
+      this.router.transitionTo.args[0],
+      ['vault.cluster', 'foobar', 'baz'],
+      'transitionTo called with positional params'
+    );
+    assert.true(this.router.transitionToExternal.notCalled, 'transitionToExternal not called');
+  });
+
+  test('it calls transitionToExternal correctly', async function (assert) {
+    await render(
+      hbs`<button data-test-btn {{on "click" (transition-to "vault.cluster" "foobar" "baz" external=true)}}>Click</button>`
+    );
+    await click('[data-test-btn]');
+
+    assert.true(this.router.transitionToExternal.calledOnce, 'transitionToExternal called');
+    assert.deepEqual(
+      this.router.transitionToExternal.args[0],
+      ['vault.cluster', 'foobar', 'baz'],
+      'transitionToExternal called with positional params'
+    );
+    assert.true(this.router.transitionTo.notCalled, 'transitionTo not called');
+  });
+
+  // This test is confusing (and admittedly not ideal) because stubbing routers gets strange,
+  // but if you go into the TransitionTo class and console.log owner.lookup('service:router') in get router()
+  // you'll see the getter returns 'service:app-router' (because of the context setup)
+  // so although we're asserting this.router, the TransitionTo helper is using "service:app-router" under the hood.
+  // This test passing, indirectly means the helper works as expected. Failures might be something like "global failure: TypeError: this.router is undefined"
+  test('it uses service:app-router when base router undefined', async function (assert) {
+    await render(
+      hbs`<button data-test-btn {{on "click" (transition-to "vault.cluster" "foobar" "baz" external=true)}}>Click</button>`,
+      { owner: this.engine }
+    );
+    await click('[data-test-btn]');
+    assert.true(this.router.transitionToExternal.calledOnce, 'transitionToExternal called');
+  });
+});
diff --git a/ui/yarn.lock b/ui/yarn.lock
index 7b207dfa3213..d58e7d495f48 100644
--- a/ui/yarn.lock
+++ b/ui/yarn.lock
@@ -7613,7 +7613,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ember-cli-babel@npm:^7.1.2, ember-cli-babel@npm:^7.1.3, ember-cli-babel@npm:^7.10.0, ember-cli-babel@npm:^7.13.0, ember-cli-babel@npm:^7.18.0, ember-cli-babel@npm:^7.20.0, ember-cli-babel@npm:^7.22.1, ember-cli-babel@npm:^7.23.0, ember-cli-babel@npm:^7.26.11, ember-cli-babel@npm:^7.26.3, ember-cli-babel@npm:^7.26.4, ember-cli-babel@npm:^7.26.5, ember-cli-babel@npm:^7.26.6, ember-cli-babel@npm:^7.26.8, ember-cli-babel@npm:^7.5.0, ember-cli-babel@npm:^7.7.3":
+"ember-cli-babel@npm:^7.1.2, ember-cli-babel@npm:^7.1.3, ember-cli-babel@npm:^7.10.0, ember-cli-babel@npm:^7.13.0, ember-cli-babel@npm:^7.18.0, ember-cli-babel@npm:^7.22.1, ember-cli-babel@npm:^7.23.0, ember-cli-babel@npm:^7.26.11, ember-cli-babel@npm:^7.26.3, ember-cli-babel@npm:^7.26.4, ember-cli-babel@npm:^7.26.5, ember-cli-babel@npm:^7.26.6, ember-cli-babel@npm:^7.26.8, ember-cli-babel@npm:^7.5.0, ember-cli-babel@npm:^7.7.3":
   version: 7.26.11
   resolution: "ember-cli-babel@npm:7.26.11"
   dependencies:
@@ -8652,15 +8652,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"ember-router-helpers@npm:^0.4.0":
-  version: 0.4.0
-  resolution: "ember-router-helpers@npm:0.4.0"
-  dependencies:
-    ember-cli-babel: ^7.20.0
-  checksum: e847ceb1061f87416d6bb5d72ef539fda738a24086051bc94d740117c6353b3406c65247ac8190b8572df008a70d9f801e224d38489170129c5ca6c4ec7f206e
-  languageName: node
-  linkType: hard
-
 "ember-service-worker@meirish/ember-service-worker#configurable-scope":
   version: 9.0.1
   resolution: "ember-service-worker@https://github.com/meirish/ember-service-worker.git#commit=dda14187aace0d73ecdb6a55beac2194a3aec01b"
@@ -18829,7 +18820,6 @@ __metadata:
     ember-qunit: ^8.0.1
     ember-resolver: ^11.0.1
     ember-responsive: 5.0.0
-    ember-router-helpers: ^0.4.0
     ember-service-worker: "meirish/ember-service-worker#configurable-scope"
     ember-sinon-qunit: ^7.4.0
     ember-source: ~5.4.0

From 163cfd225f7bff327b5d714d21bdd611d95a9a38 Mon Sep 17 00:00:00 2001
From: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Date: Tue, 8 Oct 2024 09:26:28 -0700
Subject: [PATCH 13/13] remove dep (#28628)

---
 ui/config/deprecation-workflow.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ui/config/deprecation-workflow.js b/ui/config/deprecation-workflow.js
index 54a067fb381b..d5c2f638e6b9 100644
--- a/ui/config/deprecation-workflow.js
+++ b/ui/config/deprecation-workflow.js
@@ -12,7 +12,6 @@ self.deprecationWorkflow.config = {
 self.deprecationWorkflow.config = {
   // current output from deprecationWorkflow.flushDeprecations();
   workflow: [
-    { handler: 'silence', matchId: 'ember-engines.deprecation-router-service-from-host' },
     // ember-data
     { handler: 'silence', matchId: 'ember-data:no-a-with-array-like' }, // MFA
     { handler: 'silence', matchId: 'ember-data:deprecate-promise-many-array-behaviors' }, // MFA