* vault: lazily materialize external tokens
Implement stub-first auth flow to avoid token-store writes on read-only requests, materialize only on lease registration, cache materialized token IDs by fingerprint, and add coverage for standby/leader materialization behavior.
* vault: align lazy JWT materialization with main
Adjust standby materialization behavior to main branch APIs, keep lease-time forwarding conversion, and update enterprise tests to match current standby error paths.
* vault: align jwt lazy materialization follow-ups
Apply naming and test-practice follow-ups, document cache-size rationale, simplify stub-use gating, and add external JWT e2e/benchmark coverage that measures raft writes for passthrough vs leased flows.
* vault: sanitize jwt lazy materialization logs
* vault: move jwt stub audit labels to ent
* vault: keep ent token type in audit logs
Remove audit token_type override and jwt_stub audit labeling so enterprise JWT tokens are consistently reported as ent while preserving existing request handling behavior.
* vault: rename unpersisted JWT token state
Rename IsStub/JwtStub to IsUnpersisted/JwtUnpersisted and switch serialized key to jwt_unpersisted for clearer storage semantics.
* vault: use storage-backed JWT token naming
Rename JWT token persistence marker to IsStorageBacked/JwtStorageBacked and clarify docs that passthrough JWT requests may never write token state to storage.
* vault: address jwt token materialization regressions
Fix storage-backed checks for non-ent tokens, materialize JWTs for lookup endpoints, and add lookup-self regression coverage.
* vault: thread perf standby state into jwt materialization
Pass perf standby state through materializeEnterpriseTokenForLease call sites to avoid unsynchronized state reads in request handling paths.
* test: harden flaky enterprise timing checks
Increase timing tolerance in flaky CI tests without changing runtime behavior.
* test: document CI timing tolerance in flaky tests
Add comments clarifying widened waits are for CI scheduling jitter and asynchronous convergence, not behavior changes.
* vault: remove sensitive token logging
Drop clear-text token value from SSC token MAC mismatch debug logging and keep census test unchanged per request.
* vault: tighten request logging for security scan
Remove remaining error-derived logging fields in request handling token/JWT revoke paths to satisfy clear-text sensitive logging findings.
* vault: use typed no-rpc-client errors
Replace string-based no-rpc-client error matching with a dedicated error type and update perf-standby call sites to return it.
* test: harden perf-standby billing race assertions
Allow early active-node counts up to the number of standby operations before the eventual RPC delivery assertion, to avoid race-only CI flakes without changing behavior.
* revert: undo billing test race assertion changes
Revert the prior billing test hardening commit per user request to keep billing tests unchanged in PR #12909.
* vault: restore fetchCeilingPolicies after rebase
Re-add the enterprise fetchCeilingPolicies method from main that was dropped during rebase conflict resolution, fixing build failure in request_handling.go.
* vault: materialize JWT tokens for cubbyhole requests
Ensure enterprise JWT tokens are materialized for cubbyhole paths in addition to token lookup endpoints, preserving expected persisted token-entry behavior for cubbyhole-backed request flows and token-entry JWT tests.
* vault: restore JWT token headers on perf-standby forward
* tests: fix jwt passthrough profile setup
* vault: clarify forwarding helper docs
* vault: cover jwt standby token endpoint behavior
* vault: remove enterprise JWT wording in comments
* vault: preserve materialized token request identity
* vault: stabilize external JWT readonly raft assertion
* vault: address PR 12909 review feedback
* tests: remove redundant NewTestCluster lifecycle calls
* vault: sanitize request handling token error logs
* vault: remove sensitive error fields in ent token cleanup logs
* vault: restore IsJWT wording
* vault: migrate jwt materialization tests to NewTestCluster
* tests: skip external jwt benchmark in CI
* Run make fmt
* Address PR review feedback
* Remove benchmark CI skip
* Move JWT materialization tests to external suite
---------
Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>