Run gofumpt@latest (#3079)

$ go run mvdan.cc/gofumpt@latest -l -w .

Signed-off-by: Alexander Scheel <alex.scheel@control-plane.io>
Alexander Scheel
2026-05-13 16:25:01 -05:00
committed by GitHub
parent 2d3b7424d1
commit bdfef204c0
119 changed files with 537 additions and 290 deletions
+8 -4
@@ -1056,7 +1056,8 @@ func TestClientWithNamespace(t *testing.T) {
client.SetNamespace(ogNS)
_, err = client.rawRequestWithContext(
t.Context(),
client.NewRequest(http.MethodGet, "/"))
client.NewRequest(http.MethodGet, "/"),
)
if err != nil {
t.Fatalf("err: %s", err)
}
@@ -1068,7 +1069,8 @@ func TestClientWithNamespace(t *testing.T) {
newNS := "new-namespace"
_, err = client.WithNamespace(newNS).rawRequestWithContext(
t.Context(),
client.NewRequest(http.MethodGet, "/"))
client.NewRequest(http.MethodGet, "/"),
)
if err != nil {
t.Fatalf("err: %s", err)
}
@@ -1078,7 +1080,8 @@ func TestClientWithNamespace(t *testing.T) {
// ensure client has not been modified
_, err = client.rawRequestWithContext(
t.Context(),
client.NewRequest(http.MethodGet, "/"))
client.NewRequest(http.MethodGet, "/"),
)
if err != nil {
t.Fatalf("err: %s", err)
}
@@ -1089,7 +1092,8 @@ func TestClientWithNamespace(t *testing.T) {
// make call with empty ns
_, err = client.WithNamespace("").rawRequestWithContext(
t.Context(),
client.NewRequest(http.MethodGet, "/"))
client.NewRequest(http.MethodGet, "/"),
)
if err != nil {
t.Fatalf("err: %s", err)
}
+2 -2
@@ -760,10 +760,10 @@ func toMetadataMap(patchInput KVMetadataPatchInput) (map[string]interface{}, err
// the field remain unchanged (e.g. nil). This way, they only need to pass
// the fields they want to change.
if patchInput.MaxVersions != nil {
metadataMap[maxVersionsKey] = *(patchInput.MaxVersions)
metadataMap[maxVersionsKey] = *patchInput.MaxVersions
}
if patchInput.CASRequired != nil {
metadataMap[casRequiredKey] = *(patchInput.CASRequired)
metadataMap[casRequiredKey] = *patchInput.CASRequired
}
if patchInput.CustomMetadata != nil {
if len(patchInput.CustomMetadata) == 0 { // empty non-nil map means delete all the keys
+2 -1
@@ -95,5 +95,6 @@ func formatOutputPolicy(path string, capabilities []string) string {
return fmt.Sprintf(
`path "%s" {
capabilities = ["%s"]
}`, path, capStr)
}`, path, capStr,
)
}
+2 -1
@@ -123,7 +123,8 @@ func (r *ResponseError) Error() string {
ns+
"URL: %s %s\n"+
"Code: %d. %s:\n\n",
r.HTTPMethod, r.URL, r.StatusCode, errString))
r.HTTPMethod, r.URL, r.StatusCode, errString,
))
if r.RawError && len(r.Errors) == 1 {
errBody.WriteString(r.Errors[0])
+2 -1
@@ -148,7 +148,8 @@ func TestFormatJSON_formatRequest(t *testing.T) {
if !strings.HasSuffix(strings.TrimSpace(buf.String()), string(expectedBytes)) {
t.Fatalf(
"bad: %s\nResult:\n\n%q\n\nExpected:\n\n%q",
name, buf.String(), string(expectedBytes))
name, buf.String(), string(expectedBytes),
)
}
}
}
+2 -1
@@ -161,7 +161,8 @@ func TestAuditFile_fileModeExecutable(t *testing.T) {
info, err := os.Stat(file)
require.NoError(t, err)
require.Equal(t, tt.want, info.Mode(),
require.Equal(
t, tt.want, info.Mode(),
"input: %s, have: %s, want: %s",
strconv.FormatUint(uint64(tt.mode), 8),
strconv.FormatUint(uint64(info.Mode()), 8),
+4 -2
@@ -341,7 +341,8 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
"source address %q unauthorized by CIDR restrictions on the secret ID: %w",
req.Connection.RemoteAddr,
err,
).Error()), nil
).Error(),
), nil
}
}
}
@@ -360,7 +361,8 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
"source address %q unauthorized by CIDR restrictions on the role: %w",
req.Connection.RemoteAddr,
err,
).Error()), nil
).Error(),
), nil
}
}
+4 -2
@@ -122,7 +122,8 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string, nonInteractive boo
v, err := strconv.ParseBool(s)
if err != nil {
return false, fmt.Errorf(
"failed to parse value for %q, err=%w", f, err)
"failed to parse value for %q, err=%w", f, err,
)
}
return v, nil
@@ -375,7 +376,8 @@ func parseError(err error) (string, string) {
// Help method for OIDC cli
func (h *CLIHandler) Help() string {
help := fmt.Sprintf(`
help := fmt.Sprintf(
`
Usage: bao login -method=oidc [CONFIG K=V...]
The OIDC auth method allows users to authenticate using an OIDC provider.
+2 -1
@@ -317,7 +317,8 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
oidcError := strings.ToLower(strings.TrimSpace(d.Get("error").(string)))
if oidcError != "" {
// strconv.Quote - for log-safe string output.
b.Logger().Warn("OIDC callback received error from provider",
b.Logger().Warn(
"OIDC callback received error from provider",
"error", strconv.Quote(oidcError),
"error_description", strconv.Quote(d.Get("error_description").(string)),
"error_uri", strconv.Quote(d.Get("error_uri").(string)),
+2 -1
@@ -693,7 +693,8 @@ func (b *jwtAuthBackend) pathRoleCreateUpdate(ctx context.Context, req *logical.
if role.RoleType == "oidc" && len(role.AllowedRedirectURIs) == 0 {
return logical.ErrorResponse(
"'allowed_redirect_uris' must be set if 'role_type' is 'oidc' or unspecified."), nil
"'allowed_redirect_uris' must be set if 'role_type' is 'oidc' or unspecified.",
), nil
}
// OIDC verification will enforce that the audience match the configured client_id.
@@ -89,7 +89,8 @@ func TestLogin(t *testing.T) {
func prepareLDAPTestContainer(t *testing.T) string {
pool := dockertest.NewPoolT(t, "")
resource := pool.RunT(t, "quay.io/minio/openldap",
resource := pool.RunT(
t, "quay.io/minio/openldap",
dockertest.WithTag("latest"),
dockertest.WithEnv([]string{
"LDAP_TLS=false",
@@ -423,9 +423,9 @@ func Test_kubeAuthBackend_runTLSConfigUpdater(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if tt.minHorizon > 0 {
defer (func() {
defer func() {
defaultMinHorizon = d
})()
}()
defaultMinHorizon = tt.minHorizon
}
b := &kubeAuthBackend{
@@ -50,7 +50,8 @@ var (
testUID = "d77f89bc-9055-11e7-a068-0800276d99bf"
testMockTokenReviewFactory = mockTokenReviewFactory(testName, testNamespace, testUID)
testMockNamespaceValidateFactory = mockNamespaceValidateFactory(
map[string]string{"key": "value", "other": "label"})
map[string]string{"key": "value", "other": "label"},
)
testGlobbedNamespace = "def*"
testGlobbedName = "vault-*"
+2 -1
@@ -164,7 +164,8 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
if len(ldapGroups) == 0 {
errString := fmt.Sprintf(
"no LDAP groups found in groupDN %q; only policies from locally-defined groups available",
cfg.GroupDN)
cfg.GroupDN,
)
ldapResponse.AddWarning(errString)
}
+2 -1
@@ -74,7 +74,8 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string, nonInteractive boo
if token == "" {
return nil, fmt.Errorf(
"a token must be passed to auth, please view the help for more " +
"information")
"information",
)
}
// If the user declined verification, return now. Note that we will not have
+2 -1
@@ -73,7 +73,8 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
metrics.Default(),
configutil.UsageGaugeDefaultPeriod, // TODO: add config settings for these, or add plumbing to the main config settings
configutil.MaximumGaugeCardinalityDefault,
b.logger)
b.logger,
)
if err != nil {
return nil, err
}
+2 -1
@@ -552,7 +552,8 @@ func Test_passwordGenerator_generate(t *testing.T) {
// Set the password policy for the test case
config.System.(*logical.StaticSystemView).SetPasswordPolicy(
"test-policy", tt.args.passGen)
"test-policy", tt.args.passGen,
)
// Generate the password
pg, err := newPasswordGenerator(tt.args.config)
@@ -243,7 +243,7 @@ func TestDynamicRoleCreateUpdate(t *testing.T) {
storage := new(mockStorage)
storage.On("Get", mock.Anything, mock.Anything).
Return((*logical.StorageEntry)(nil), (error)(nil)).Maybe()
Return((*logical.StorageEntry)(nil), error(nil)).Maybe()
storage.On("Put", mock.Anything, mock.Anything).
Return(test.putErr)
defer storage.AssertNumberOfCalls(t, "Put", test.putTimes)
+8 -4
@@ -3549,7 +3549,8 @@ func TestBackend_URI_SANs(t *testing.T) {
if cert.URIs[0].String() != URI0.String() || cert.URIs[1].String() != URI1.String() {
t.Fatalf(
"expected URIs SANs %v to equal provided values spiffe://host.com/something, http://someuri/abc",
cert.URIs)
cert.URIs,
)
}
}
@@ -3628,7 +3629,8 @@ func TestBackend_IP_SANs(t *testing.T) {
if cert.IPAddresses[0].String() != IP0.String() || cert.IPAddresses[1].String() != IP1.String() {
t.Fatalf(
"expected IPs SANs %v to equal provided values 1.2.3.4, 1.2.3.5",
cert.IPAddresses)
cert.IPAddresses,
)
}
}
@@ -4119,7 +4121,8 @@ func TestBackend_RevokePlusTidy_Intermediate(t *testing.T) {
// This test is not parallelizable.
inmemSink := metrics.NewInmemSink(
1000000*time.Hour,
2000000*time.Hour)
2000000*time.Hour,
)
metricsConf := metrics.DefaultConfig("")
metricsConf.EnableHostname = false
@@ -4448,7 +4451,8 @@ func TestBackend_RevokePlusTidy_MultipleCerts(t *testing.T) {
// Set up metrics and Vault cluster
inmemSink := metrics.NewInmemSink(
1000000*time.Hour,
2000000*time.Hour)
2000000*time.Hour,
)
metricsConf := metrics.DefaultConfig("")
metricsConf.EnableHostname = false
+4 -2
@@ -29,14 +29,16 @@ func getGenerationParams(sc *storageContext, data *framework.FieldData) (exporte
case "kms":
default:
errorResp = logical.ErrorResponse(
`the "exported" path parameter must be "internal", "existing", exported" or "kms"`)
`the "exported" path parameter must be "internal", "existing", exported" or "kms"`,
)
return exported, format, role, errorResp
}
format = getFormat(data)
if format == "" {
errorResp = logical.ErrorResponse(
`the "format" path parameter must be "pem", "der", or "pem_bundle"`)
`the "format" path parameter must be "pem", "der", or "pem_bundle"`,
)
return exported, format, role, errorResp
}
+38 -19
@@ -900,7 +900,8 @@ func signCert(b *backend,
if csr.PublicKeyAlgorithm != x509.RSA {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"role requires keys of type %s",
data.role.KeyType)}
data.role.KeyType,
)}
}
pubKey, ok := csr.PublicKey.(*rsa.PublicKey)
@@ -915,7 +916,8 @@ func signCert(b *backend,
if csr.PublicKeyAlgorithm != x509.ECDSA {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"role requires keys of type %s",
data.role.KeyType)}
data.role.KeyType,
)}
}
pubKey, ok := csr.PublicKey.(*ecdsa.PublicKey)
if !ok {
@@ -929,7 +931,8 @@ func signCert(b *backend,
if csr.PublicKeyAlgorithm != x509.Ed25519 {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"role requires keys of type %s",
data.role.KeyType)}
data.role.KeyType,
)}
}
_, ok := csr.PublicKey.(ed25519.PublicKey)
@@ -992,7 +995,8 @@ func signCert(b *backend,
// docs saying when key_type=any, we only enforce our specified minimums
// for signing operations
if data.role.KeyBits, data.role.SignatureBits, err = certutil.ValidateDefaultOrValueKeyTypeSignatureLength(
actualKeyType, 0, data.role.SignatureBits); err != nil {
actualKeyType, 0, data.role.SignatureBits,
); err != nil {
return nil, nil, errutil.InternalError{Err: fmt.Sprintf("unknown internal error updating default values: %v", err)}
}
@@ -1018,20 +1022,23 @@ func signCert(b *backend,
if actualKeyBits < data.role.KeyBits {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"role requires a minimum of a %d-bit key, but CSR's key is %d bits",
data.role.KeyBits, actualKeyBits)}
data.role.KeyBits, actualKeyBits,
)}
}
if actualKeyBits < 2048 {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"OpenBao requires a minimum of a 2048-bit key, but CSR's key is %d bits",
actualKeyBits)}
actualKeyBits,
)}
}
case "ec":
if actualKeyBits < data.role.KeyBits {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"role requires a minimum of a %d-bit key, but CSR's key is %d bits",
data.role.KeyBits,
actualKeyBits)}
actualKeyBits,
)}
}
}
@@ -1289,7 +1296,8 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
badName := validateCommonName(b, data, cn)
if len(badName) != 0 {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"common name %s not allowed by this role", badName)}
"common name %s not allowed by this role", badName,
)}
}
}
@@ -1297,7 +1305,8 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
badName := validateSerialNumber(data, ridSerialNumber)
if len(badName) != 0 {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"serial_number %s not allowed by this role", badName)}
"serial_number %s not allowed by this role", badName,
)}
}
}
@@ -1305,13 +1314,15 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
badName := validateNames(b, data, dnsNames)
if len(badName) != 0 {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"subject alternate name %s not allowed by this role", badName)}
"subject alternate name %s not allowed by this role", badName,
)}
}
badName = validateNames(b, data, emailAddresses)
if len(badName) != 0 {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"email address %s not allowed by this role", badName)}
"email address %s not allowed by this role", badName,
)}
}
}
@@ -1345,10 +1356,12 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
return nil, nil, errutil.UserError{Err: err.Error()}
case len(badName) > 0:
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"other SAN %s not allowed for OID %s by this role", badName, badOID)}
"other SAN %s not allowed for OID %s by this role", badName, badOID,
)}
case len(badOID) > 0:
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"other SAN OID %s not allowed by this role", badOID)}
"other SAN OID %s not allowed by this role", badOID,
)}
default:
otherSANs = requested
}
@@ -1369,13 +1382,15 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
if len(ipAlt) > 0 {
if !data.role.AllowIPSANs {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"IP Subject Alternative Names are not allowed in this role, but was provided %s", ipAlt)}
"IP Subject Alternative Names are not allowed in this role, but was provided %s", ipAlt,
)}
}
for _, v := range ipAlt {
parsedIP := net.ParseIP(v)
if parsedIP == nil {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"the value %q is not a valid IP address", v)}
"the value %q is not a valid IP address", v,
)}
}
if len(data.role.AllowedIPSANsCIDR) > 0 {
valid := false
@@ -1388,7 +1403,8 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
if !valid {
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"the IP address %q is not allowed in this role", v)}
"the IP address %q is not allowed in this role", v,
)}
}
ipAddresses = append(ipAddresses, parsedIP)
@@ -1443,7 +1459,8 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
if parsedURI == nil || err != nil {
return nil, nil, errutil.UserError{
Err: fmt.Sprintf(
"the provided URI Subject Alternative Name %q is not a valid URI", uri),
"the provided URI Subject Alternative Name %q is not a valid URI", uri,
),
}
}
@@ -1774,14 +1791,16 @@ func getCertificateNotAfter(b *backend, data *inputBundle, caSign *certutil.CAIn
// Error out if notAfter is in the past
if notAfter.Before(time.Now()) {
return time.Time{}, warnings, errutil.UserError{Err: fmt.Sprintf(
"cannot satisfy request, as NotAfter date %s is in the past", notAfter)}
"cannot satisfy request, as NotAfter date %s is in the past", notAfter,
)}
}
notAfter = caSign.Certificate.NotAfter
case certutil.ErrNotAfterBehavior:
fallthrough
default:
return time.Time{}, warnings, errutil.UserError{Err: fmt.Sprintf(
"cannot satisfy request, as TTL would result in notAfter of %s that is beyond the expiration of the CA certificate at %s", notAfter.UTC().Format(time.RFC3339Nano), caSign.Certificate.NotAfter.UTC().Format(time.RFC3339Nano))}
"cannot satisfy request, as TTL would result in notAfter of %s that is beyond the expiration of the CA certificate at %s", notAfter.UTC().Format(time.RFC3339Nano), caSign.Certificate.NotAfter.UTC().Format(time.RFC3339Nano),
)}
}
}
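Review bot: In generateCreationBundle the rejection messages for common name, serial_number, subject alternate name, email address and other SAN interpolate what appears to be the requested value with `%s`, while the IP and URI messages in the same function use `%q`. Quoting all of them makes empty or whitespace-padded values visible and escapes control characters before the text reaches a response or a log, e.g. `"common name %q not allowed by this role", badName`. This changes the message text, so any test or client that matches the old wording would need updating. The function starts and ends outside these hunks.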
+16 -8
@@ -321,7 +321,8 @@ func (c CBValidateChain) Run(t testing.TB, b *backend, s logical.Storage, knownK
// the chain against a single value. Instead, use strings.Contains
// to validate the current cert is in the list of allowed
// possibilities.
require.Containsf(t, expectedChain[currentIndex], currentCert,
require.Containsf(
t, expectedChain[currentIndex], currentCert,
"chain mismatch at index %v for issuer %v: got cert:\n[%v]\n[pretty: %v]\nbut expected one of\n[%v]\n[pretty: %v]\n",
currentIndex, issuer, currentCert, c.FindNameForCert(t, currentCert, knownCerts), expectedChain[currentIndex], chain[currentIndex],
)
@@ -331,7 +332,8 @@ func (c CBValidateChain) Run(t testing.TB, b *backend, s logical.Storage, knownK
// in the chain is only used once. Validate that now.
for thisIndex, thisCert := range currentChain {
for otherIndex, otherCert := range currentChain[thisIndex+1:] {
require.NotEqualf(t, thisCert, otherCert,
require.NotEqualf(
t, thisCert, otherCert,
"cert reused in chain for %v:\n[%v]\n[pretty: %v / index: %v]\n[%v]\n[pretty: %v / index: %v]\n",
issuer, thisCert, c.FindNameForCert(t, thisCert, knownCerts), thisIndex, otherCert, c.FindNameForCert(t, otherCert, knownCerts), otherIndex+thisIndex+1,
)
@@ -357,7 +359,8 @@ func (c CBValidateChain) Run(t testing.TB, b *backend, s logical.Storage, knownK
}
}
require.Truef(t, foundCert,
require.Truef(
t, foundCert,
"malformed test scenario: certificate at chain index %v when validating %v does not validate any previous certificates:\n[%v]\n[pretty: %v]\n",
thisIndex, issuer, thisCertPem, c.FindNameForCert(t, thisCertPem, knownCerts),
)
@@ -437,13 +440,15 @@ func (c CBIssueLeaf) IssueLeaf(t testing.TB, b *backend, s logical.Storage, know
issuer := ToCertificate(t, raw_issuer)
// Validate issuer and signatures are good.
require.Equalf(t, strings.TrimSpace(raw_issuer), strings.TrimSpace(knownCerts[c.Issuer]),
require.Equalf(
t, strings.TrimSpace(raw_issuer), strings.TrimSpace(knownCerts[c.Issuer]),
"signing certificate ended with wrong certificate for issuer %v:\n[%v]\n\nvs\n\n[%v]\n",
c.Issuer, raw_issuer, knownCerts[c.Issuer],
)
err = cert.CheckSignatureFrom(issuer)
require.NoErrorf(t, err,
require.NoErrorf(
t, err,
"failed to verify signature on issued certificate from %v: %v\n[%v]\n[%v]\n",
c.Issuer, err, raw_cert, raw_issuer,
)
@@ -466,7 +471,8 @@ func (c CBIssueLeaf) RevokeLeaf(t testing.TB, b *backend, s logical.Storage, kno
require.NoErrorf(t, err, "failed to revoke issued certificate (%v) under role %v / issuer %v: %v", api_serial, c.Role, c.Issuer, err)
require.NotNilf(t, resp, "failed to revoke issued certificate (%v) under role %v / issuer %v: nil response", api_serial, c.Role, c.Issuer)
_, ok := resp.Data["revocation_time"]
require.Truef(t, ok,
require.Truef(
t, ok,
"failed to revoke issued certificate (%v) under role %v / issuer %v: expected response parameter revocation_time was missing from response:\n%v",
api_serial, c.Role, c.Issuer, resp.Data,
)
@@ -535,7 +541,8 @@ func (c CBIssueLeaf) RevokeLeaf(t testing.TB, b *backend, s logical.Storage, kno
}
}
require.FailNow(t,
require.FailNow(
t,
"expected to find certificate with serial [%v] on issuer %v's CRL but was missing: %v revoked certs\n\nCRL:\n[%v]\n\nLeaf:\n[%v]\n\nIssuer (hasCRL: %v):\n[%v]\n",
api_serial, c.Issuer, len(crl.RevokedCertificateEntries), raw_crl, raw_cert, hasCRL, raw_issuer,
)
@@ -626,7 +633,8 @@ func ensureStableOrderingOfChains(t testing.TB, b *backend, s logical.Storage, k
rawCurrentChain := resp.Data["ca_chain"].([]string)
for index, entry := range rawCurrentChain {
require.Equalf(t, certChains[issuer][index], strings.TrimSpace(entry),
require.Equalf(
t, certChains[issuer][index], strings.TrimSpace(entry),
"iteration %d - chain for issuer %v differed at index %d\n%v\nvs\n%v",
i, issuer, index, entry, certChains[issuer][index],
)
+2 -1
@@ -141,7 +141,8 @@ func TestCRUDCelRoles(t *testing.T) {
for _, v := range vars {
if v.Name == "require_ip_sans" {
found = true
require.Equal(t,
require.Equal(
t,
"size(request.ip_sans) >= 2",
v.Expression,
"`require_ip_sans` expression not updated",
+12 -6
@@ -640,7 +640,8 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
format := getFormat(data)
if format == "" {
return logical.ErrorResponse(
`the "format" path parameter must be "pem", "der", or "pem_bundle"`), nil
`the "format" path parameter must be "pem", "der", or "pem_bundle"`,
), nil
}
input := &inputBundle{
@@ -739,7 +740,8 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
respData,
map[string]interface{}{
"serial_number": cb.SerialNumber,
})
},
)
resp.Secret.TTL = time.Until(parsedBundle.Certificate.NotAfter)
}
@@ -793,7 +795,8 @@ func (b *backend) getCelEvalConfig(useCSR bool) *celhelper.EvalConfig {
celgo.Variable("parsed_csr",
types.NewMapType(
types.StringType,
types.DynType)))
types.DynType,
)))
}
return &celhelper.EvalConfig{
@@ -1008,7 +1011,8 @@ func (b *backend) pathCelIssueSignCert(ctx context.Context, req *logical.Request
respData,
map[string]interface{}{
"serial_number": cb.SerialNumber,
})
},
)
resp.Secret.TTL = time.Until(parsedBundle.Certificate.NotAfter)
} else {
// Non-Leased Certificate
@@ -1122,10 +1126,12 @@ func (b *backend) fetchCaSigningBundle(ctx context.Context, req *logical.Request
switch caErr.(type) {
case errutil.UserError:
return nil, nil, errutil.UserError{Err: fmt.Sprintf(
"could not fetch the CA certificate (was one set?): %s", caErr)}
"could not fetch the CA certificate (was one set?): %s", caErr,
)}
default:
return nil, nil, errutil.InternalError{Err: fmt.Sprintf(
"error fetching CA certificate: %s", caErr)}
"error fetching CA certificate: %s", caErr,
)}
}
}
return signingBundle, sc, nil
+1 -1
@@ -1008,7 +1008,7 @@ func TestPki_RolePatch(t *testing.T) {
switch typed := before.(type) {
case *bool:
before = *typed
afterRoleData[field] = *(afterRoleData[field].(*bool))
afterRoleData[field] = *afterRoleData[field].(*bool)
}
if field != testCase.Field {
+8 -4
@@ -401,10 +401,12 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
switch caErr.(type) {
case errutil.UserError:
return nil, errutil.UserError{Err: fmt.Sprintf(
"could not fetch the CA certificate (was one set?): %s", caErr)}
"could not fetch the CA certificate (was one set?): %s", caErr,
)}
default:
return nil, errutil.InternalError{Err: fmt.Sprintf(
"error fetching CA certificate: %s", caErr)}
"error fetching CA certificate: %s", caErr,
)}
}
}
@@ -433,7 +435,8 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
return logical.ErrorResponse(err.Error()), nil
default:
return nil, errutil.InternalError{Err: fmt.Sprintf(
"error signing cert: %s", err)}
"error signing cert: %s", err,
)}
}
}
@@ -566,7 +569,8 @@ func (b *backend) pathIssuerSignSelfIssued(ctx context.Context, req *logical.Req
switch caErr.(type) {
case errutil.UserError:
return nil, errutil.UserError{Err: fmt.Sprintf(
"could not fetch the CA certificate (was one set?): %s", caErr)}
"could not fetch the CA certificate (was one set?): %s", caErr,
)}
default:
return nil, errutil.InternalError{Err: fmt.Sprintf("error fetching CA certificate: %s", caErr)}
}
+6 -5
@@ -265,7 +265,7 @@ func TestAutoTidy(t *testing.T) {
require.NotNil(t, resp)
require.NotNil(t, resp.Data)
require.NotEmpty(t, resp.Data["certificate"])
revocationTime, err := (resp.Data["revocation_time"].(json.Number)).Int64()
revocationTime, err := resp.Data["revocation_time"].(json.Number).Int64()
require.NoError(t, err)
require.Equal(t, int64(0), revocationTime, "revocation time was not zero")
require.Empty(t, resp.Data["revocation_time_rfc3339"], "revocation_time_rfc3339 was not empty")
@@ -282,7 +282,7 @@ func TestAutoTidy(t *testing.T) {
require.NotNil(t, resp)
require.NotNil(t, resp.Data)
require.NotEmpty(t, resp.Data["certificate"])
revocationTime, err = (resp.Data["revocation_time"].(json.Number)).Int64()
revocationTime, err = resp.Data["revocation_time"].(json.Number).Int64()
require.NoError(t, err, "failed converting %s to int", resp.Data["revocation_time"])
revTime := time.Unix(revocationTime, 0)
now := time.Now()
@@ -548,8 +548,9 @@ func TestCertStorageMetrics(t *testing.T) {
// We set up a metrics accumulator
inmemSink := metrics.NewInmemSink(
2*newPeriod, // A short time period is ideal here to test metrics are emitted every periodic func
10*newPeriod) // Do not keep a huge amount of metrics in the sink forever, clear them out to save memory usage.
2*newPeriod, // A short time period is ideal here to test metrics are emitted every periodic func
10*newPeriod,
) // Do not keep a huge amount of metrics in the sink forever, clear them out to save memory usage.
metricsConf := metrics.DefaultConfig("")
metricsConf.EnableHostname = false
@@ -724,7 +725,7 @@ func TestCertStorageMetrics(t *testing.T) {
require.NotNil(t, resp)
require.NotNil(t, resp.Data)
require.NotEmpty(t, resp.Data["certificate"])
revocationTime, err := (resp.Data["revocation_time"].(json.Number)).Int64()
revocationTime, err := resp.Data["revocation_time"].(json.Number).Int64()
require.Equal(t, int64(0), revocationTime, "revocation time was not zero")
require.Empty(t, resp.Data["revocation_time_rfc3339"], "revocation_time_rfc3339 was not empty")
require.Empty(t, resp.Data["issuer_id"], "issuer_id was not empty")
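Review bot: In the first TestCertStorageMetrics hunk the reformat leaves the comment about not keeping metrics in the sink forever trailing the closing parenthesis of metrics.NewInmemSink, where it no longer reads as describing the `10*newPeriod` argument. Moving it back onto the argument line restores the pairing: `10*newPeriod, // Do not keep a huge amount of metrics in the sink forever, clear them out to save memory usage.` The second TestCertStorageMetrics hunk also assigns `err` from `.Int64()` and the visible lines after it do not check it, unlike the two TestAutoTidy hunks. A `require.NoError(t, err)` directly after the call would match them, unless the error is checked further down outside the hunk.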
+20 -10
@@ -368,7 +368,8 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {
}
func TestBackend_AllowedUsersTemplate(t *testing.T) {
testAllowedUsersTemplate(t,
testAllowedUsersTemplate(
t,
"{{ identity.entity.metadata.ssh_username }}",
testUserName, map[string]string{
"ssh_username": testUserName,
@@ -377,7 +378,8 @@ func TestBackend_AllowedUsersTemplate(t *testing.T) {
}
func TestBackend_MultipleAllowedUsersTemplate(t *testing.T) {
testAllowedUsersTemplate(t,
testAllowedUsersTemplate(
t,
"{{ identity.entity.metadata.ssh_username }}",
testUserName, map[string]string{
"ssh_username": testMultiUserName,
@@ -386,7 +388,8 @@ func TestBackend_MultipleAllowedUsersTemplate(t *testing.T) {
}
func TestBackend_AllowedUsersTemplate_WithStaticPrefix(t *testing.T) {
testAllowedUsersTemplate(t,
testAllowedUsersTemplate(
t,
"ssh-{{ identity.entity.metadata.ssh_username }}",
"ssh-"+testUserName, map[string]string{
"ssh_username": testUserName,
@@ -395,7 +398,8 @@ func TestBackend_AllowedUsersTemplate_WithStaticPrefix(t *testing.T) {
}
func TestBackend_DefaultUserTemplate(t *testing.T) {
testDefaultUserTemplate(t,
testDefaultUserTemplate(
t,
"{{ identity.entity.metadata.ssh_username }}",
testUserName,
map[string]string{
@@ -405,7 +409,8 @@ func TestBackend_DefaultUserTemplate(t *testing.T) {
}
func TestBackend_DefaultUserTemplate_WithStaticPrefix(t *testing.T) {
testDefaultUserTemplate(t,
testDefaultUserTemplate(
t,
"user-{{ identity.entity.metadata.ssh_username }}",
"user-"+testUserName,
map[string]string{
@@ -516,17 +521,20 @@ func TestBackend_DefaultUserTemplateFalse_AllowedUsersTemplateFalse(t *testing.T
}
actualPrincipals := parsedKey.(*ssh.Certificate).ValidPrincipals
if len(actualPrincipals) < 1 {
t.Fatalf("No ValidPrincipals returned: should have been %v",
t.Fatalf(
"No ValidPrincipals returned: should have been %v",
[]string{"{{identity.entity.metadata.ssh_username}}"},
)
}
if len(actualPrincipals) > 1 {
t.Errorf("incorrect number ValidPrincipals, expected only 1: %v should be %v",
t.Errorf(
"incorrect number ValidPrincipals, expected only 1: %v should be %v",
actualPrincipals, []string{"{{identity.entity.metadata.ssh_username}}"},
)
}
if actualPrincipals[0] != "{{identity.entity.metadata.ssh_username}}" {
t.Fatalf("incorrect ValidPrincipals: %v should be %v",
t.Fatalf(
"incorrect ValidPrincipals: %v should be %v",
actualPrincipals, []string{"{{identity.entity.metadata.ssh_username}}"},
)
}
@@ -1891,7 +1899,8 @@ func testDefaultUserTemplate(t *testing.T, testDefaultUserTemplate string,
}
actualPrincipals := parsedKey.(*ssh.Certificate).ValidPrincipals
if actualPrincipals[0] != expectedValidPrincipal {
t.Fatalf("incorrect ValidPrincipals: %v should be %v",
t.Fatalf(
"incorrect ValidPrincipals: %v should be %v",
actualPrincipals, []string{expectedValidPrincipal},
)
}
@@ -1941,7 +1950,8 @@ func testAllowedPrincipalsTemplate(t *testing.T, testAllowedDomainsTemplate stri
}
actualPrincipals := parsedKey.(*ssh.Certificate).ValidPrincipals
if actualPrincipals[0] != expectedValidPrincipal {
t.Fatalf("incorrect ValidPrincipals: %v should be %v",
t.Fatalf(
"incorrect ValidPrincipals: %v should be %v",
actualPrincipals, []string{expectedValidPrincipal},
)
}
+2 -1
@@ -560,7 +560,8 @@ func (b *backend) createCARole(allowedUsers, defaultUser, signer string, data *f
if ttl != 0 && maxTTL != 0 && ttl > maxTTL {
return nil, logical.ErrorResponse(
`"ttl" value must be less than "max_ttl" when both are specified`)
`"ttl" value must be less than "max_ttl" when both are specified`,
)
}
// Persist TTLs
+2 -1
@@ -149,7 +149,8 @@ func (b *backend) pathValidateCode(ctx context.Context, req *logical.Request, da
err = b.usedCodes.AddWithExpire(usedName, struct{}{}, time.Duration(
int64(time.Second)*
int64(key.Period)*
int64((2+key.Skew))))
int64((2+key.Skew)),
))
if err != nil {
return nil, fmt.Errorf("error adding code to used cache: %w", err)
}
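Review bot: The expiry passed to b.usedCodes.AddWithExpire in pathValidateCode is computed as period × (2 + skew) seconds with no comment saying why that window was chosen, and this cache looks like the guard against a code being accepted twice. A short comment above the call would help, for example `// Remember the code for (2+skew) periods so it cannot be reused while it would still validate.`, if that is the intent. The inner parentheses in `int64((2+key.Skew))` are also redundant and could be `int64(2+key.Skew)`. The function body starts and ends outside the hunk.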
+2 -1
@@ -289,7 +289,8 @@ func getExportKey(policy *keysutil.Policy, key *keysutil.KeyEntry, exportType st
&pem.Block{
Type: "CERTIFICATE",
Bytes: derCertificateBytes,
})))
},
)))
pemCertificates = append(pemCertificates, pemCert)
}
certificateChain := strings.Join(pemCertificates, "\n")
+4 -2
@@ -460,7 +460,8 @@ func TestTransit_Import(t *testing.T) {
if err != nil {
t.Fatalf("failed to import ed25519 key: %v", err)
}
})
},
)
t.Run(
"import public key ecdsa",
@@ -492,7 +493,8 @@ func TestTransit_Import(t *testing.T) {
if err != nil {
t.Fatalf("failed to import public key: %s", err)
}
})
},
)
}
func TestTransit_ImportVersion(t *testing.T) {
+2 -1
@@ -450,7 +450,8 @@ func (b *backend) formatKeyPolicy(p *keysutil.Policy, context []byte) (*logical.
&pem.Block{
Type: "CERTIFICATE",
Bytes: derCertBytes,
})))
},
)))
pemCerts = append(pemCerts, pemCert)
}
key.CertificateChain = strings.Join(pemCerts, "\n")
+8 -4
@@ -97,7 +97,8 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
}
if p == nil {
return logical.ErrorResponse(
fmt.Sprintf("no existing key named %s could be found", name)),
fmt.Sprintf("no existing key named %s could be found", name),
),
logical.ErrInvalidRequest
}
if !b.System().CachingDisabled() {
@@ -141,7 +142,8 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
if minDecryptionVersion != p.MinDecryptionVersion {
if minDecryptionVersion > p.LatestVersion {
return logical.ErrorResponse(
fmt.Sprintf("cannot set min decryption version of %d, latest key version is %d", minDecryptionVersion, p.LatestVersion)), nil
fmt.Sprintf("cannot set min decryption version of %d, latest key version is %d", minDecryptionVersion, p.LatestVersion),
), nil
}
p.MinDecryptionVersion = minDecryptionVersion
persistNeeded = true
@@ -159,7 +161,8 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
if minEncryptionVersion != p.MinEncryptionVersion {
if minEncryptionVersion > p.LatestVersion {
return logical.ErrorResponse(
fmt.Sprintf("cannot set min encryption version of %d, latest key version is %d", minEncryptionVersion, p.LatestVersion)), nil
fmt.Sprintf("cannot set min encryption version of %d, latest key version is %d", minEncryptionVersion, p.LatestVersion),
), nil
}
p.MinEncryptionVersion = minEncryptionVersion
persistNeeded = true
@@ -171,7 +174,8 @@ func (b *backend) pathKeysConfigWrite(ctx context.Context, req *logical.Request,
if p.MinEncryptionVersion > 0 &&
p.MinEncryptionVersion < p.MinDecryptionVersion {
return logical.ErrorResponse(
fmt.Sprintf("cannot set min encryption/decryption values; min encryption version of %d must be greater than or equal to min decryption version of %d", p.MinEncryptionVersion, p.MinDecryptionVersion)), nil
fmt.Sprintf("cannot set min encryption/decryption values; min encryption version of %d must be greater than or equal to min decryption version of %d", p.MinEncryptionVersion, p.MinDecryptionVersion),
), nil
}
allowDeletionInt, ok := d.GetOk("deletion_allowed")
+6 -3
@@ -240,7 +240,8 @@ func (c *AgentCommand) Run(args []string) int {
if api.ReadBaoVariable("BAO_TEST_VERIFY_ONLY_DUMP_CONFIG") != "" {
c.UI.Output(fmt.Sprintf(
"\nConfiguration:\n%s\n",
pretty.Sprint(*c.config)))
pretty.Sprint(*c.config),
))
}
return 0
}
@@ -252,7 +253,8 @@ func (c *AgentCommand) Run(args []string) int {
if err != nil {
c.UI.Error(fmt.Sprintf(
"Error fetching client: %v",
err))
err,
))
return 1
}
@@ -776,7 +778,8 @@ func (c *AgentCommand) Run(args []string) int {
"%s%s: %s",
strings.Repeat(" ", padding-len(k)),
caser.String(k),
info[k]))
info[k],
))
}
c.UI.Output("")
+2 -1
@@ -42,7 +42,8 @@ func fakeVaultServer(t *testing.T) *httptest.Server {
firstRequest = false
fmt.Fprintf(w, `{
fmt.Fprintf(
w, `{
"request_id": "8af096e9-518c-7351-eff5-5ba20554b21f",
"lease_id": "",
"renewable": false,
+10 -5
@@ -512,7 +512,8 @@ func TestAgent_Template_UserAgent(t *testing.T) {
h.requestMethodToCheck = "GET"
h.t = t
return &h
}),
},
),
})
cluster.Start()
defer cluster.Cleanup()
@@ -1402,7 +1403,8 @@ func TestAgent_Template_Retry(t *testing.T) {
h.props = properties
h.t = t
return &h
}),
},
),
})
cluster.Start()
defer cluster.Cleanup()
@@ -1677,7 +1679,8 @@ func TestAgent_AutoAuth_UserAgent(t *testing.T) {
h.pathToCheck = "auth/approle/login"
h.t = t
return &h
}),
},
),
})
cluster.Start()
defer cluster.Cleanup()
@@ -1798,7 +1801,8 @@ func TestAgent_APIProxyWithoutCache_UserAgent(t *testing.T) {
h.requestMethodToCheck = "GET"
h.t = t
return &h
}),
},
),
})
cluster.Start()
defer cluster.Cleanup()
@@ -1883,7 +1887,8 @@ func TestAgent_APIProxyWithCache_UserAgent(t *testing.T) {
h.requestMethodToCheck = "GET"
h.t = t
return &h
}),
},
),
})
cluster.Start()
defer cluster.Cleanup()
+2 -1
@@ -684,7 +684,8 @@ func compareBeforeAndAfter(t *testing.T, before, after *LeaseCache, beforeLen, a
assert.NotEmpty(t, restoredItem.RenewCtxInfo.CancelFunc)
assert.NotZero(t, restoredItem.RenewCtxInfo.DoneCh)
require.NotEmpty(t, restoredItem.RenewCtxInfo.Ctx)
assert.Equal(t,
assert.Equal(
t,
cachedItem.RenewCtxInfo.Ctx.Value(contextIndexID),
restoredItem.RenewCtxInfo.Ctx.Value(contextIndexID),
)
+1 -1
@@ -128,7 +128,7 @@ func (c *AuditEnableCommand) Run(args []string) int {
auditPath = ensureTrailingSlash(auditPath)
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
+4 -2
@@ -127,7 +127,8 @@ func (c *AuditListCommand) simpleAudits(audits map[string]*api.Audit) []string {
columns := []string{"Path | Type | Description"}
for _, path := range paths {
audit := audits[path]
columns = append(columns, fmt.Sprintf("%s | %s | %s",
columns = append(columns, fmt.Sprintf(
"%s | %s | %s",
audit.Path,
audit.Type,
audit.Description,
@@ -158,7 +159,8 @@ func (c *AuditListCommand) detailedAudits(audits map[string]*api.Audit) []string
replication = "local"
}
columns = append(columns, fmt.Sprintf("%s | %s | %s | %s | %s",
columns = append(columns, fmt.Sprintf(
"%s | %s | %s | %s | %s",
path,
audit.Type,
audit.Description,
+4 -2
@@ -110,7 +110,8 @@ func (c *AuthHelpCommand) Run(args []string) int {
auth, ok := auths[authPath]
if !ok {
c.UI.Warn(fmt.Sprintf(
"No auth method available on the server at %q", authPath))
"No auth method available on the server at %q", authPath,
))
return 1
}
@@ -118,7 +119,8 @@ func (c *AuthHelpCommand) Run(args []string) int {
if !ok {
c.UI.Warn(wrapAtLength(fmt.Sprintf(
"No method-specific CLI handler available for auth method %q",
authType)))
authType,
)))
return 2
}
}
+2 -1
@@ -162,7 +162,8 @@ func (c *AuthListCommand) detailedMounts(auths map[string]*api.AuthMount) []stri
pluginName := mount.Type
out = append(out, fmt.Sprintf("%s | %s | %s | %s | %s | %s | %s | %t | %v | %s | %s | %s | %s | %s | %s | %s",
out = append(out, fmt.Sprintf(
"%s | %s | %s | %s | %s | %s | %s | %t | %v | %s | %s | %s | %s | %s | %s | %s",
path,
pluginName,
mount.Accessor,
+1 -1
@@ -68,7 +68,7 @@ func (b *BoolPtr) Get() bool {
func (b *BoolPtr) String() string {
var current bool
if b.v != nil {
current = *(b.v)
current = *b.v
}
return fmt.Sprintf("%v", current)
}
+1 -1
@@ -90,7 +90,7 @@ func (c *DeleteCommand) Run(args []string) int {
}
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
+2 -1
@@ -83,7 +83,8 @@ func kvPreflightVersionRequest(client *api.Client, path string) (string, int, er
to determine the version of a KV secrets engine. Please
re-run this command with a token with read access to %s.
Note that if the path you are trying to reach is a KV v2 path, your token's policy must
allow read access to that path in the format 'mount-path/data/foo', not just 'mount-path/foo'.`, path)
allow read access to that path in the format 'mount-path/data/foo', not just 'mount-path/foo'.`, path,
)
}
}
+1 -1
@@ -155,7 +155,7 @@ func (c *KVPatchCommand) Run(args []string) int {
args = f.Args()
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
+1 -1
@@ -117,7 +117,7 @@ func (c *KVPutCommand) Run(args []string) int {
args = f.Args()
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
+15 -8
@@ -163,7 +163,8 @@ func (c *LoginCommand) Run(args []string) int {
if c.flagNoStore && c.flagNoPrint {
c.UI.Error(wrapAtLength(
"-no-store and -no-print cannot be used together"))
"-no-store and -no-print cannot be used together",
))
return 1
}
@@ -187,12 +188,13 @@ func (c *LoginCommand) Run(args []string) int {
"Unknown auth method: %s. Use \"bao auth list\" to see the "+
"complete list of auth methods. Additionally, some "+
"auth methods are only available via the HTTP API.",
authMethod)))
authMethod,
)))
return 1
}
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
@@ -291,7 +293,8 @@ func (c *LoginCommand) Run(args []string) int {
c.UI.Error(wrapAtLength(
"Vault returned a secret, but the secret has no authentication " +
"information attached. This should never happen and is likely a " +
"bug."))
"bug.",
))
return 2
}
@@ -306,7 +309,8 @@ func (c *LoginCommand) Run(args []string) int {
c.UI.Error(wrapAtLength(fmt.Sprintf(
"Error initializing token helper. Please verify that the token "+
"helper is available and properly configured for your system. The "+
"error was: %s", err)))
"error was: %s", err,
)))
return 1
}
@@ -315,7 +319,8 @@ func (c *LoginCommand) Run(args []string) int {
c.UI.Error(fmt.Sprintf("Error storing token: %s", err))
c.UI.Error(wrapAtLength(
"Authentication was successful, but the token was not persisted. The "+
"resulting token is shown below for your records.") + "\n")
"resulting token is shown below for your records.",
) + "\n")
OutputSecret(c.UI, secret)
return 2
}
@@ -326,7 +331,8 @@ func (c *LoginCommand) Run(args []string) int {
c.UI.Warn(wrapAtLength(
"The token was not stored in token helper. Set the BAO_TOKEN "+
"environment variable or pass the token below with each request to "+
"Vault.") + "\n")
"Vault.",
) + "\n")
}
if c.flagNoPrint {
@@ -345,7 +351,8 @@ func (c *LoginCommand) Run(args []string) int {
"Success! You are now authenticated. The token information displayed "+
"below is already stored in the token helper. You do NOT need to run "+
"\"bao login\" again. Future OpenBao requests will automatically use "+
"this token.") + "\n")
"this token.",
) + "\n")
}
return OutputSecret(c.UI, secret)
+1 -1
@@ -147,7 +147,7 @@ func (c *NamespaceUnsealCommand) Run(args []string) int {
}
// Override the output
writer := (io.Writer)(os.Stdout)
writer := io.Writer(os.Stdout)
if c.testOutput != nil {
writer = c.testOutput
}
+2 -1
@@ -542,7 +542,8 @@ SEALFAIL:
return fmt.Errorf("Error initializing core: %s.", newCoreError)
}
diagnose.Warn(ctx, wrapAtLength(
"A non-fatal error occurred during initialization. Please check the logs for more information."))
"A non-fatal error occurred during initialization. Please check the logs for more information.",
))
} else {
vaultCore = core
}
+8 -4
@@ -290,20 +290,23 @@ func (c *OperatorInitCommand) init(client *api.Client, req *api.InitRequest) int
"these keys to unseal it before it can start servicing requests.",
req.SecretShares,
req.SecretThreshold,
req.SecretThreshold)))
req.SecretThreshold,
)))
c.UI.Output("")
c.UI.Output(wrapAtLength(fmt.Sprintf(
"Vault does not store the generated root key. Without at least %d "+
"keys to reconstruct the root key, Vault will remain permanently "+
"sealed!",
req.SecretThreshold)))
req.SecretThreshold,
)))
c.UI.Output("")
c.UI.Output(wrapAtLength(
"It is possible to generate new unseal keys, provided you have a quorum " +
"of existing unseal keys shares. See \"bao operator rotate-keys\" for " +
"more information."))
"more information.",
))
} else {
c.UI.Output("")
c.UI.Output("Success! Vault is initialized")
@@ -315,7 +318,8 @@ func (c *OperatorInitCommand) init(client *api.Client, req *api.InitRequest) int
"Recovery key initialized with %d key shares and a key threshold of %d. "+
"Please securely distribute the key shares printed above.",
req.RecoveryShares,
req.RecoveryThreshold)))
req.RecoveryThreshold,
)))
}
return 0
+17 -9
@@ -322,7 +322,8 @@ func (c *OperatorRekeyCommand) init(client *api.Client) int {
"with the -pgp-keys flag to protect the returned %s keys along "+
"with -backup to allow recovery of the encrypted keys in case of "+
"emergency. You can delete the backed up keys later using the -delete "+
"flag.", strings.ToLower(keyTypeRequired))))
"flag.", strings.ToLower(keyTypeRequired)),
))
c.UI.Output("")
}
if len(c.flagPGPKeys) > 0 && !c.flagBackup {
@@ -333,7 +334,8 @@ func (c *OperatorRekeyCommand) init(client *api.Client) int {
"returned, you will not be able to recover them. Consider canceling "+
"this operation and re-running with -backup to allow recovery of the "+
"encrypted unseal keys in case of emergency. You can delete the "+
"backed up keys later using the -delete flag.", strings.ToLower(keyTypeRequired))))
"backed up keys later using the -delete flag.", strings.ToLower(keyTypeRequired)),
))
c.UI.Output("")
}
}
@@ -456,7 +458,8 @@ func (c *OperatorRekeyCommand) provide(client *api.Client, key string) int {
if !started {
c.UI.Error(wrapAtLength(
"No rekey is in progress. Start a rekey process by running " +
"\"bao operator rekey -init\"."))
"\"bao operator rekey -init\".",
))
return 1
}
@@ -465,7 +468,7 @@ func (c *OperatorRekeyCommand) provide(client *api.Client, key string) int {
nonce = c.flagNonce
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
@@ -703,7 +706,8 @@ func (c *OperatorRekeyCommand) printWarnings(client *api.Client, status *api.Rot
"of these keys to unseal it before it can start servicing requests.",
status.N,
status.T,
status.T)))
status.T,
)))
warningText = "unseal"
case "recovery", "hsm":
c.UI.Output(wrapAtLength(fmt.Sprintf(
@@ -711,7 +715,8 @@ func (c *OperatorRekeyCommand) printWarnings(client *api.Client, status *api.Rot
"key threshold of %d. These will not be active until after verification is "+
"complete. Please securely distribute the key shares printed above.",
status.N,
status.T)))
status.T,
)))
warningText = "authenticate with"
}
@@ -721,7 +726,8 @@ func (c *OperatorRekeyCommand) printWarnings(client *api.Client, status *api.Rot
"Do not lose or discard your current key shares until after verification "+
"is complete or you will be unable to %s OpenBao. If you cancel the "+
"rekey process or seal OpenBao before verification is complete the new "+
"shares will be discarded and the current shares will remain valid.", warningText)))
"shares will be discarded and the current shares will remain valid.", warningText,
)))
c.UI.Output("")
c.UI.Warn(wrapAtLength(
"The current verification status, including initial nonce, is shown below.",
@@ -741,13 +747,15 @@ func (c *OperatorRekeyCommand) printWarnings(client *api.Client, status *api.Rot
"these keys to unseal it before it can start servicing requests.",
status.N,
status.T,
status.T)))
status.T,
)))
case "recovery", "hsm":
c.UI.Output(wrapAtLength(fmt.Sprintf(
"OpenBao recovery keys rekeyed to %d key shares and a key threshold of %d. "+
"Please securely distribute the key shares printed above.",
status.N,
status.T)))
status.T,
)))
}
}
+21 -11
@@ -317,7 +317,8 @@ func (c *OperatorRotateKeysCommand) init(client *api.Client) int {
"returned %s keys along with -backup to allow recovery "+
"of the encrypted keys in case of emergency. You can "+
"delete the backed up keys later using the -delete flag.",
strings.ToLower(keyTypeRequired))))
strings.ToLower(keyTypeRequired)),
))
c.UI.Output("")
}
if len(c.flagPGPKeys) > 0 && !c.flagBackup {
@@ -330,7 +331,8 @@ func (c *OperatorRotateKeysCommand) init(client *api.Client) int {
"re-initializing with -backup to allow recovery of the "+
"encrypted unseal keys in case of emergency. You can "+
"delete the backed up keys later using the -delete flag.",
strings.ToLower(keyTypeRequired))))
strings.ToLower(keyTypeRequired)),
))
c.UI.Output("")
}
@@ -366,7 +368,8 @@ func (c *OperatorRotateKeysCommand) init(client *api.Client) int {
"the returned %s keys along with -backup to allow recovery of the "+
"encrypted keys in case of emergency. You can delete the stored "+
"keys later using the -delete flag.",
strings.ToLower(keyTypeRequired))))
strings.ToLower(keyTypeRequired)),
))
c.UI.Output("")
}
if len(c.flagPGPKeys) > 0 && !c.flagBackup {
@@ -378,7 +381,8 @@ func (c *OperatorRotateKeysCommand) init(client *api.Client) int {
"canceling this operation and re-running with -backup to allow "+
"recovery of the encrypted unseal keys in case of emergency. You "+
"can delete the backed up keys later using the -delete flag.",
strings.ToLower(keyTypeRequired))))
strings.ToLower(keyTypeRequired)),
))
c.UI.Output("")
}
}
@@ -488,7 +492,8 @@ func (c *OperatorRotateKeysCommand) provide(client *api.Client, key string) int
if !started {
c.UI.Error(wrapAtLength(
"No rotation is in progress. Start a rotation process by running " +
"\"bao operator rotate-keys -init\"."))
"\"bao operator rotate-keys -init\".",
))
return 1
}
@@ -497,7 +502,7 @@ func (c *OperatorRotateKeysCommand) provide(client *api.Client, key string) int
nonce = c.flagNonce
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
@@ -809,7 +814,8 @@ func (c *OperatorRotateKeysCommand) printWarnings(client *api.Client, status *ap
"of these keys to unseal it before it can start servicing requests.",
status.N,
status.T,
status.T)))
status.T,
)))
warningText = "unseal"
case "recovery", "hsm":
c.UI.Output(wrapAtLength(fmt.Sprintf(
@@ -817,7 +823,8 @@ func (c *OperatorRotateKeysCommand) printWarnings(client *api.Client, status *ap
"key threshold of %d. These will not be active until after verification is "+
"complete. Please securely distribute the key shares printed above.",
status.N,
status.T)))
status.T,
)))
warningText = "authenticate with"
}
@@ -827,7 +834,8 @@ func (c *OperatorRotateKeysCommand) printWarnings(client *api.Client, status *ap
"Do not lose or discard your current key shares until after verification "+
"is complete or you will be unable to %s OpenBao. If you cancel the "+
"rotation process or seal OpenBao before verification is complete the new "+
"shares will be discarded and the current shares will remain valid.", warningText)))
"shares will be discarded and the current shares will remain valid.", warningText,
)))
c.UI.Output("")
c.UI.Warn(wrapAtLength(
"The current verification status, including initial nonce, is shown below.",
@@ -847,13 +855,15 @@ func (c *OperatorRotateKeysCommand) printWarnings(client *api.Client, status *ap
"these keys to unseal it before it can start servicing requests.",
status.N,
status.T,
status.T)))
status.T,
)))
case "recovery", "hsm":
c.UI.Output(wrapAtLength(fmt.Sprintf(
"OpenBao recovery keys rotated to %d key shares and a key threshold of %d. "+
"Please securely distribute the key shares printed above.",
status.N,
status.T)))
status.T,
)))
}
}
+1 -1
@@ -135,7 +135,7 @@ func (c *OperatorUnsealCommand) Run(args []string) int {
}
// Override the output
writer := (io.Writer)(os.Stdout)
writer := io.Writer(os.Stdout)
if c.testOutput != nil {
writer = c.testOutput
}
+1 -1
@@ -115,7 +115,7 @@ func (c *PatchCommand) Run(args []string) int {
}
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
+1 -1
@@ -81,7 +81,7 @@ func (c *PKIIssueCACommand) Run(args []string) int {
return 1
}
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.flagNonInteractive {
stdin = bytes.NewReader(nil)
}
+2 -2
@@ -79,7 +79,7 @@ func (c *PKIReIssueCACommand) Run(args []string) int {
return 1
}
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.flagNonInteractive {
stdin = bytes.NewReader(nil)
}
@@ -169,7 +169,7 @@ func parseTemplateCertificate(certificate x509.Certificate, useExistingKey bool,
"street_address": certificate.Subject.StreetAddress,
"postal_code": certificate.Subject.PostalCode,
"serial_number": certificate.Subject.SerialNumber,
"ttl": (certificate.NotAfter.Sub(certificate.NotBefore)).String(),
"ttl": certificate.NotAfter.Sub(certificate.NotBefore).String(),
"max_path_length": certificate.MaxPathLen,
"permitted_dns_domains": strings.Join(certificate.PermittedDNSDomains, ","),
"use_pss": isPSS(certificate.SignatureAlgorithm),
+6 -3
@@ -230,7 +230,8 @@ func (c *ProxyCommand) Run(args []string) int {
if api.ReadBaoVariable("BAO_TEST_VERIFY_ONLY_DUMP_CONFIG") != "" {
c.UI.Output(fmt.Sprintf(
"\nConfiguration:\n%s\n",
pretty.Sprint(*c.config)))
pretty.Sprint(*c.config),
))
}
return 0
}
@@ -242,7 +243,8 @@ func (c *ProxyCommand) Run(args []string) int {
if err != nil {
c.UI.Error(fmt.Sprintf(
"Error fetching client: %v",
err))
err,
))
return 1
}
@@ -700,7 +702,8 @@ func (c *ProxyCommand) Run(args []string) int {
"%s%s: %s",
strings.Repeat(" ", padding-len(k)),
caser.String(k),
info[k]))
info[k],
))
}
c.UI.Output("")
+6 -3
@@ -262,7 +262,8 @@ func TestProxy_AutoAuth_UserAgent(t *testing.T) {
h.pathToCheck = "auth/approle/login"
h.t = t
return &h
}),
},
),
})
cluster.Start()
defer cluster.Cleanup()
@@ -420,7 +421,8 @@ func TestProxy_APIProxyWithoutCache_UserAgent(t *testing.T) {
h.requestMethodToCheck = "GET"
h.t = t
return &h
}),
},
),
})
cluster.Start()
defer cluster.Cleanup()
@@ -505,7 +507,8 @@ func TestProxy_APIProxyWithCache_UserAgent(t *testing.T) {
h.requestMethodToCheck = "GET"
h.t = t
return &h
}),
},
),
})
cluster.Start()
defer cluster.Cleanup()
+1 -1
@@ -87,7 +87,7 @@ func (c *ReadCommand) Run(args []string) int {
defer cancel()
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
+2 -1
@@ -162,7 +162,8 @@ func (c *SecretsListCommand) detailedMounts(mounts map[string]*api.MountOutput)
pluginName := mount.Type
out = append(out, fmt.Sprintf("%s | %s | %s | %s | %s | %t | %s | %t | %v | %s | %s | %s | %s | %s | %s | %s",
out = append(out, fmt.Sprintf(
"%s | %s | %s | %s | %s | %t | %s | %t | %v | %s | %s | %s | %s | %s | %s | %s",
path,
pluginName,
mount.Accessor,
+32 -16
@@ -377,7 +377,8 @@ func (c *ServerCommand) runRecoveryMode() int {
"No configuration files found. Please provide configurations with the " +
"-config flag. If you are supplying the path to a directory, please " +
"ensure the directory contains files with the .hcl or .json " +
"extension."))
"extension.",
))
return 1
}
@@ -476,7 +477,8 @@ func (c *ServerCommand) runRecoveryMode() int {
seal = vault.NewDefaultSeal(vaultseal.NewAccess(vaultseal.NewShamirWrapper()))
default:
wrapper, config, err := kms.ConfigureWrapper(
context.Background(), configSeal.Type, wrapping.WithConfigMap(configSeal.Config))
context.Background(), configSeal.Type, wrapping.WithConfigMap(configSeal.Config),
)
if err != nil {
c.UI.Error(fmt.Sprintf("Error configuring seal %q: %s", configSeal.Type, err))
return 1
@@ -594,7 +596,8 @@ func (c *ServerCommand) runRecoveryMode() int {
"%s%s: %s",
strings.Repeat(" ", padding-len(k)),
titleCaser.String(k),
info[k]))
info[k],
))
}
c.UI.Output("")
@@ -635,7 +638,8 @@ func (c *ServerCommand) runRecoveryMode() int {
if newCoreError != nil {
c.UI.Warn(wrapAtLength(
"WARNING! A non-fatal error occurred during initialization. Please " +
"check the logs for more information."))
"check the logs for more information.",
))
c.UI.Warn("")
}
@@ -937,7 +941,8 @@ func (c *ServerCommand) Run(args []string) int {
case c.flagDevRootTokenID != "":
c.UI.Warn(wrapAtLength(
"You cannot specify a custom root token ID outside of \"dev\" mode. " +
"Your request has been ignored."))
"Your request has been ignored.",
))
c.flagDevRootTokenID = ""
}
}
@@ -982,7 +987,8 @@ func (c *ServerCommand) Run(args []string) int {
"No configuration files found. Please provide configurations with the " +
"-config flag. If you are supplying the path to a directory, please " +
"ensure the directory contains files with the .hcl or .json " +
"extension."))
"extension.",
))
return 1
}
@@ -1197,7 +1203,8 @@ func (c *ServerCommand) Run(args []string) int {
}
c.UI.Warn(wrapAtLength(
"WARNING! A non-fatal error occurred during initialization. Please " +
"check the logs for more information."))
"check the logs for more information.",
))
c.UI.Warn("")
}
@@ -1289,7 +1296,8 @@ func (c *ServerCommand) Run(args []string) int {
c.UI.Output(fmt.Sprintf(
"%24s: %s",
titleCaser.String(k),
info[k]))
info[k],
))
}
c.UI.Output("")
@@ -2052,7 +2060,8 @@ func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info m
"%s%s: %s",
strings.Repeat(" ", padding-len(k)),
titleCaser.String(k),
info[k]))
info[k],
))
}
c.UI.Output("")
@@ -2494,7 +2503,8 @@ func setSeal(c *ServerCommand, config *server.Config, kms *kmsplugin.Catalog, in
seal = vault.NewDefaultSeal(vaultseal.NewAccess(vaultseal.NewShamirWrapper()))
default:
wrapper, config, err := kms.ConfigureWrapper(
context.Background(), configSeal.Type, wrapping.WithConfigMap(configSeal.Config))
context.Background(), configSeal.Type, wrapping.WithConfigMap(configSeal.Config),
)
if err != nil {
//nolint:staticcheck // User-facing error.
return nil, nil, nil, nil, nil, fmt.Errorf("Error configuring seal %q: %w", configSeal.Type, err)
@@ -2862,7 +2872,8 @@ func initDevCore(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.
"WARNING! dev mode is enabled! In this mode, OpenBao runs entirely " +
"in-memory and starts unsealed with a single unseal key. The root " +
"token is already authenticated to the CLI, so you can immediately " +
"begin using OpenBao."))
"begin using OpenBao.",
))
c.UI.Warn("")
c.UI.Warn("You may need to set the following environment variables:")
c.UI.Warn("")
@@ -2898,7 +2909,8 @@ func initDevCore(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.
c.UI.Warn("")
c.UI.Warn(wrapAtLength(
"The unseal key and root token are displayed below in case you want " +
"to seal/unseal the Vault or re-authenticate."))
"to seal/unseal the Vault or re-authenticate.",
))
c.UI.Warn("")
c.UI.Warn(fmt.Sprintf("Unseal Key: %s", base64.StdEncoding.EncodeToString(init.SecretShares[0])))
}
@@ -2907,7 +2919,8 @@ func initDevCore(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.
c.UI.Warn("")
c.UI.Warn(wrapAtLength(
"The recovery key and root token are displayed below in case you want " +
"to seal/unseal the Vault or re-authenticate."))
"to seal/unseal the Vault or re-authenticate.",
))
c.UI.Warn("")
c.UI.Warn(fmt.Sprintf("Recovery Key: %s", base64.StdEncoding.EncodeToString(init.RecoveryShares[0])))
}
@@ -2917,7 +2930,8 @@ func initDevCore(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.
if len(plugins) > 0 {
c.UI.Warn("")
c.UI.Warn(wrapAtLength(
"The following dev plugins are registered in the catalog:"))
"The following dev plugins are registered in the catalog:",
))
for _, p := range plugins {
c.UI.Warn(fmt.Sprintf(" - %s", p))
}
@@ -2926,7 +2940,8 @@ func initDevCore(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.
if len(pluginsNotLoaded) > 0 {
c.UI.Warn("")
c.UI.Warn(wrapAtLength(
"The following dev plugins FAILED to be registered in the catalog due to unknown type:"))
"The following dev plugins FAILED to be registered in the catalog due to unknown type:",
))
for _, p := range pluginsNotLoaded {
c.UI.Warn(fmt.Sprintf(" - %s", p))
}
@@ -2934,7 +2949,8 @@ func initDevCore(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.
c.UI.Warn("")
c.UI.Warn(wrapAtLength(
"Development mode should NOT be used in production installations!"))
"Development mode should NOT be used in production installations!",
))
c.UI.Warn("")
})
}),
+8 -7
@@ -10,12 +10,13 @@ import (
)
func WarnHSMDeprecated(logger hclog.Logger) {
logger.Warn("The HSM distribution of OpenBao is discontinued and will no " +
"longer receive updates beyond this minor version. PKCS#11 support has " +
"not been removed, but is now available via an external KMS plugin that " +
"is drop-in compatible with the previously built-in PKCS#11 seal. " +
"To remove this warning, migrate your deployment to the default distribution " +
"of OpenBao and use the PKCS#11 KMS plugin to regain PKCS#11 seal functionality. " +
"For more information, see https://openbao.org/docs/release-notes/2-6-0/#v260",
logger.Warn(
"The HSM distribution of OpenBao is discontinued and will no " +
"longer receive updates beyond this minor version. PKCS#11 support has " +
"not been removed, but is now available via an external KMS plugin that " +
"is drop-in compatible with the previously built-in PKCS#11 seal. " +
"To remove this warning, migrate your deployment to the default distribution " +
"of OpenBao and use the PKCS#11 KMS plugin to regain PKCS#11 seal functionality. " +
"For more information, see https://openbao.org/docs/release-notes/2-6-0/#v260",
)
}
+4 -2
@@ -59,7 +59,8 @@ func TestTCPListener_tls(t *testing.T) {
clientCert, _ := tls.LoadX509KeyPair(
cwd+"/test-fixtures/reload/reload_foo.pem",
cwd+"/test-fixtures/reload/reload_foo.key")
cwd+"/test-fixtures/reload/reload_foo.key",
)
connFn := func(clientCerts bool) func(net.Listener) (net.Conn, error) {
return func(lnReal net.Listener) (net.Conn, error) {
@@ -135,7 +136,8 @@ func TestTCPListener_tls13(t *testing.T) {
clientCert, _ := tls.LoadX509KeyPair(
cwd+"/test-fixtures/reload/reload_foo.pem",
cwd+"/test-fixtures/reload/reload_foo.key")
cwd+"/test-fixtures/reload/reload_foo.key",
)
connFn := func(clientCerts bool) func(net.Listener) (net.Conn, error) {
return func(lnReal net.Listener) (net.Conn, error) {
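Review bot: The error from `tls.LoadX509KeyPair` is discarded with `_` in TestTCPListener_tls, and the same call in TestTCPListener_tls13 does the same, so an unreadable or mismatched fixture leaves `clientCert` zero-valued and would show up later as a handshake failure instead of a fixture error. Capture the error and fail fast: `clientCert, err := tls.LoadX509KeyPair(...)` followed by `if err != nil { t.Fatalf("loading client cert: %v", err) }`. Both test bodies start and end outside the hunks shown, so how `clientCert` is used afterwards is not visible here.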
+4 -2
@@ -76,7 +76,8 @@ func GenerateCert(caCertTemplate *x509.Certificate, caSigner crypto.Signer) (str
}
bs, err := x509.CreateCertificate(
rand.Reader, &template, caCertTemplate, signer.Public(), caSigner)
rand.Reader, &template, caCertTemplate, signer.Public(), caSigner,
)
if err != nil {
return "", "", fmt.Errorf("error creating server certificate: %v", err)
}
@@ -125,7 +126,8 @@ func GenerateCA() (*CaCert, error) {
}
bs, err := x509.CreateCertificate(
rand.Reader, &template, &template, signer.Public(), signer)
rand.Reader, &template, &template, signer.Public(), signer,
)
if err != nil {
return nil, fmt.Errorf("error creating CA certificate: %v", err)
}
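Review bot: The two error returns in GenerateCert and GenerateCA wrap the failure from `x509.CreateCertificate` with `%v`, which flattens it to text so callers cannot match the cause with `errors.Is` or `errors.As`. Using `%w` keeps the chain: `return "", "", fmt.Errorf("error creating server certificate: %w", err)` and `return nil, fmt.Errorf("error creating CA certificate: %w", err)`. Both function bodies start and end outside the hunks shown.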
+16 -8
@@ -333,7 +333,8 @@ func (c *SSHCommand) Run(args []string) int {
if c.flagRole == "" {
c.UI.Error(wrapAtLength(
"No -role specified. Use -role to tell OpenBao which " +
"ssh role to use for authentcation."))
"ssh role to use for authentcation.",
))
return 1
}
@@ -344,7 +345,8 @@ func (c *SSHCommand) Run(args []string) int {
if c.flagMode == "" {
c.UI.Error(wrapAtLength(
"WARNING: No -mode specified. Use -mode to tell OpenBao which ssh " +
"authentication mode to use."))
"authentication mode to use.",
))
return 1
}
@@ -484,7 +486,8 @@ func (c *SSHCommand) handleTypeCA(username, ip, port string, sshArgs []string) i
}
if userKnownHostsFile != "" {
args = append(args,
args = append(
args,
"-o UserKnownHostsFile="+userKnownHostsFile,
)
}
@@ -552,12 +555,14 @@ func (c *SSHCommand) handleTypeOTP(username, ip, port string, sshArgs []string)
c.UI.Warn(wrapAtLength(
"OpenBao could not locate \"sshpass\". The OTP code for the session is " +
"displayed below. Enter this code in the SSH password prompt. If you " +
"install sshpass, OpenBao can automatically perform this step for you."))
"install sshpass, OpenBao can automatically perform this step for you.",
))
c.UI.Output("OTP for the session is: " + cred.Key)
} else {
// sshpass is available so lets use it instead
sshCmd = sshpassPath
args = append(args,
args = append(
args,
"-e", // Read password for SSHPASS environment variable
c.flagSSHExecutable,
)
@@ -566,7 +571,8 @@ func (c *SSHCommand) handleTypeOTP(username, ip, port string, sshArgs []string)
// Only harcode the knownhostsfile path if it has been set
if c.flagUserKnownHostsFile != "" {
args = append(args,
args = append(
args,
"-o UserKnownHostsFile="+c.flagUserKnownHostsFile,
)
}
@@ -576,7 +582,8 @@ func (c *SSHCommand) handleTypeOTP(username, ip, port string, sshArgs []string)
args = append(args, "-p", cred.Port)
}
args = append(args,
args = append(
args,
"-o StrictHostKeyChecking="+c.flagStrictHostKeyChecking,
)
@@ -654,7 +661,8 @@ func (c *SSHCommand) handleTypeDynamic(username, ip, port string, sshArgs []stri
args = append(args, "-p", cred.Port)
}
args = append(args,
args = append(
args,
"-i", keyPath,
"-o UserKnownHostsFile="+c.flagUserKnownHostsFile,
"-o StrictHostKeyChecking="+c.flagStrictHostKeyChecking,
+2 -1
@@ -65,7 +65,8 @@ func helperPath(s ...string) string {
return fmt.Sprintf(
"%s %s",
os.Args[0],
strings.Join(cs, " "))
strings.Join(cs, " "),
)
}
func helperEnv() []string {
+2 -1
@@ -57,7 +57,8 @@ func TestProcessPath(t *testing.T, s ...string) string {
return fmt.Sprintf(
"%s %s",
os.Args[0],
strings.Join(cs, " "))
strings.Join(cs, " "),
)
}
// TestExternalTokenHelperProcessCLI can be called to implement TestExternalTokenHelperProcess
+1 -1
@@ -123,7 +123,7 @@ func (c *WriteCommand) Run(args []string) int {
}
// Pull our fake stdin if needed
stdin := (io.Reader)(os.Stdin)
stdin := io.Reader(os.Stdin)
if c.testStdin != nil {
stdin = c.testStdin
}
+2 -1
@@ -201,7 +201,8 @@ func (c *Catalog) checkFilePath(plugin *server.PluginConfig) error {
} else {
// Declarative, OCI-based plugin.
ok = filepath.Dir(path) == filepath.Join(
c.pluginDirectory, oci.PluginCacheDir, plugin.Slug(), plugin.SHA256Sum[:8])
c.pluginDirectory, oci.PluginCacheDir, plugin.Slug(), plugin.SHA256Sum[:8],
)
}
if !ok {
return errors.New("cannot execute files outside of configured plugin directory")
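Review bot: `plugin.SHA256Sum[:8]` in the OCI branch of checkFilePath panics with a slice-bounds error when the configured digest is shorter than eight bytes, and this is the check that decides whether a plugin binary may be executed. If the length is not validated before this point (not visible in the hunk), add a guard ahead of the `filepath.Join` call, for example `if len(plugin.SHA256Sum) < 8 { return errors.New("plugin sha256sum is too short") }`. The directory comparison is purely lexical, so a one-line comment stating where `path` is resolved (symlinks included) would make the containment guarantee easier to audit. The function starts before and continues after the hunk.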
+6 -3
@@ -380,7 +380,8 @@ func TestGauge_InterruptedStreaming(t *testing.T) {
// Long bucket time == low chance of crossing interval
inmemSink := metrics.NewInmemSink(
1000000*time.Hour,
2000000*time.Hour)
2000000*time.Hour,
)
sink := NewClusterMetricSink("test", inmemSink)
sink.MaxGaugeCardinality = 500
@@ -448,7 +449,8 @@ func TestGauge_MaximumMeasurements(t *testing.T) {
// Long bucket time == low chance of crossing interval
inmemSink := metrics.NewInmemSink(
1000000*time.Hour,
2000000*time.Hour)
2000000*time.Hour,
)
sink := NewClusterMetricSink("test", inmemSink)
sink.MaxGaugeCardinality = 100
@@ -523,7 +525,8 @@ func TestGauge_MeasurementError(t *testing.T) {
c := newSimulatedCollector()
inmemSink := metrics.NewInmemSink(
1000000*time.Hour,
2000000*time.Hour)
2000000*time.Hour,
)
sink := NewClusterMetricSink("test", inmemSink)
sink.MaxGaugeCardinality = 500
sink.GaugeInterval = 2 * time.Hour
+2 -1
@@ -36,7 +36,8 @@ func TestClusterLabelPresent(t *testing.T) {
// starting one at the time of initialization.
inmemSink := metrics.NewInmemSink(
1000000*time.Hour,
2000000*time.Hour)
2000000*time.Hour,
)
clusterSink := NewClusterMetricSink(testClusterName, defaultMetrics(inmemSink))
key1 := []string{"aaa", "bbb"}
+6 -5
@@ -331,11 +331,12 @@ func TestRandomRunes_errors(t *testing.T) {
rng: rand.Reader,
},
"charset is too long": {
charset: []rune(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_" +
"`abcdefghijklmnopqrstuvwxyz{|}~ĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠ" +
"ġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠ" +
"šŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ℀℁ℂ℃℄℅℆ℇ℈℉ℊℋℌℍℎℏℐℑℒℓ℔ℕ№℗℘ℙℚℛℜℝ℞℟℠" +
"Σ",
charset: []rune(
" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_" +
"`abcdefghijklmnopqrstuvwxyz{|}~ĀāĂ㥹ĆćĈĉĊċČčĎďĐđĒēĔĕĖėĘęĚěĜĝĞğĠ" +
"ġĢģĤĥĦħĨĩĪīĬĭĮįİıIJijĴĵĶķĸĹĺĻļĽľĿŀŁłŃńŅņŇňʼnŊŋŌōŎŏŐőŒœŔŕŖŗŘřŚśŜŝŞşŠ" +
"šŢţŤťŦŧŨũŪūŬŭŮůŰűŲųŴŵŶŷŸŹźŻżŽžſ℀℁ℂ℃℄℅℆ℇ℈℉ℊℋℌℍℎℏℐℑℒℓ℔ℕ№℗℘ℙℚℛℜℝ℞℟℠" +
"Σ",
),
length: 20,
rng: rand.Reader,
+4 -2
@@ -124,7 +124,8 @@ func Test(tt TestT, c TestCase) {
if c.AcceptanceTest && api.ReadBaoVariable(TestEnvVar) == "" {
tt.Skip(fmt.Sprintf(
"Acceptance tests skipped unless env %q set",
TestEnvVar))
TestEnvVar,
))
return
}
@@ -413,7 +414,8 @@ func Test(tt TestT, c TestCase) {
tt.Error(fmt.Sprintf(
"WARNING: Revoking the following secret failed. It may\n"+
"still exist. Please verify:\n\n%#v",
s))
s,
))
}
}
}
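Review bot: The revoke-failure message in the second hunk formats `s` with `%#v`, which writes the whole value into the test output. If `s` is the issued secret, as the message text suggests, its credential fields end up in CI logs. Printing only what an operator needs to locate the secret for manual cleanup (for example its lease identifier) would keep the warning useful without recording the credential itself. The same pattern appears in the `Run` helper in a later file section of this commit, and both enclosing functions extend beyond their hunks.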
+2 -1
@@ -466,7 +466,8 @@ func wrapGenericHandler(core *vault.Core, h http.Handler, props *vault.HandlerPr
ReqPath: r.URL.Path,
ClientRemoteAddr: clientAddr,
Method: requestMethod,
})
},
)
defer func() {
// Not expecting this fail, so skipping the assertion check
core.FinalizeInFlightReqData(inFlightReqID, nw.StatusCode)
+2 -1
@@ -982,7 +982,8 @@ func TestHandler_MaxRequestSize_Memory(t *testing.T) {
func TestHandler_RestrictedEndpointCalls(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
// add namespaces for tests
vault.TestCoreCreateNamespaces(t, core,
vault.TestCoreCreateNamespaces(
t, core,
&namespace.Namespace{Path: "test"},
&namespace.Namespace{Path: "test/test2"},
)
+2 -1
@@ -125,7 +125,8 @@ func testResponseStatus(t *testing.T, resp *http.Response, code int) {
t.Fatalf(
"Expected status %d, got %d. Body:\n\n%s",
code, resp.StatusCode, body.String())
code, resp.StatusCode, body.String(),
)
}
}
+4 -2
@@ -159,7 +159,8 @@ func handleSysGenerateRootUpdate(core *vault.Core, generateStrategy vault.Genera
if req.Key == "" {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be specified in request body as JSON"))
errors.New("'key' must be specified in request body as JSON"),
)
return
}
@@ -174,7 +175,8 @@ func handleSysGenerateRootUpdate(core *vault.Core, generateStrategy vault.Genera
if err != nil {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be a valid hex or base64 string"))
errors.New("'key' must be a valid hex or base64 string"),
)
return
}
}
+8 -4
@@ -146,7 +146,8 @@ func handleSysRekeyUpdate(core *vault.Core, recovery bool) http.Handler {
if req.Key == "" {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be specified in request body as JSON"))
errors.New("'key' must be specified in request body as JSON"),
)
return
}
@@ -161,7 +162,8 @@ func handleSysRekeyUpdate(core *vault.Core, recovery bool) http.Handler {
if err != nil {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be a valid hex or base64 string"))
errors.New("'key' must be a valid hex or base64 string"),
)
return
}
}
@@ -281,7 +283,8 @@ func handleSysRekeyVerifyPut(_ context.Context, core *vault.Core, recovery bool,
if req.Key == "" {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be specified in request body as JSON"))
errors.New("'key' must be specified in request body as JSON"),
)
return
}
@@ -296,7 +299,8 @@ func handleSysRekeyVerifyPut(_ context.Context, core *vault.Core, recovery bool,
if err != nil {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be a valid hex or base64 string"))
errors.New("'key' must be a valid hex or base64 string"),
)
return
}
}
+4 -2
@@ -106,7 +106,8 @@ func handleSysUnseal(core *vault.Core) http.Handler {
if req.Key == "" {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be specified in request body as JSON, or 'reset' set to true"))
errors.New("'key' must be specified in request body as JSON, or 'reset' set to true"),
)
return
}
@@ -121,7 +122,8 @@ func handleSysUnseal(core *vault.Core) http.Handler {
if err != nil {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be a valid hex or base64 string"))
errors.New("'key' must be a valid hex or base64 string"),
)
return
}
}
+4 -2
@@ -37,7 +37,8 @@ func SetupDatabaseObjectsWithClient(client *sql.DB, table string, constraint str
" key TEXT COLLATE \"C\", "+
" value BYTEA, "+
" CONSTRAINT %v PRIMARY KEY (path, key) "+
" ); ", table, constraint)
" ); ", table, constraint,
)
_, err = client.Exec(createTableSQL)
if err != nil {
@@ -59,7 +60,8 @@ func SetupDatabaseObjectsWithClient(client *sql.DB, table string, constraint str
" ha_value TEXT COLLATE \"C\", "+
" valid_until TIMESTAMP WITH TIME ZONE NOT NULL, "+
" CONSTRAINT %v PRIMARY KEY (ha_key) "+
" ); ", haTable, haTableConstraint)
" ); ", haTable, haTableConstraint,
)
_, err = client.Exec(createHaTableSQL)
if err != nil {
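Review bot: `table` and `constraint` in the first hunk, and `haTable` and `haTableConstraint` in the second, are formatted into the CREATE TABLE statements with `%v` and no identifier quoting. If a caller ever passes names taken from configuration, a name containing a quote, space or semicolon changes the statement that `client.Exec` runs. Quoting the identifiers the way `dbutil.QuoteIdentifier` is used in the PostgreSQL plugin section of this commit would close that; whether that helper is importable from this package is not visible here. Both `fmt.Sprintf` calls start outside their hunks.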
+2 -1
@@ -388,7 +388,8 @@ func TestRaft_Backend_ThreeNode(t *testing.T) {
func testRaft_assertFastTxnTrackerCleanup(t testing.TB, raft *RaftBackend) {
t.Helper()
if assert.Equal(t, raft.fsm.fastTxnTracker.lowestActiveIndex(), uint64(math.MaxUint64), "the test assumes that no transaction is in flight") {
assert.Len(t, raft.fsm.fastTxnTracker.indexModifiedMap,
assert.Len(
t, raft.fsm.fastTxnTracker.indexModifiedMap,
2,
"two entries are expected: the one that was the latest when we applied the final operation and the final operation itself",
// Why? we can not evict the currently active as a new transaction might be started concurrently to our apply
+2 -1
@@ -242,7 +242,8 @@ func (b *RaftBackend) newTransaction(ctx context.Context, writable bool) (*RaftT
if b.transactionLeakCounter.Add(1) == 1 { // "Add" returns the new value, for the first leak we want to print an error
log = b.logger.Error
}
log("transaction was leaked",
log(
"transaction was leaked",
// we include some details about the transaction, to make it easier to find the leak
"start_index", startIndex,
"updated_keys", slices.Collect(maps.Keys(updates)),
+8 -4
@@ -19,7 +19,8 @@ import (
)
func getCassandra(t *testing.T, protocolVersion interface{}) (*Cassandra, func()) {
host, cleanup := cassandra.PrepareTestContainer(t,
host, cleanup := cassandra.PrepareTestContainer(
t,
cassandra.Version("3.11"),
cassandra.CopyFromTo(insecureFileMounts),
)
@@ -141,7 +142,8 @@ func TestCreateUser(t *testing.T) {
for name, test := range tests {
t.Run(name, func(t *testing.T) {
host, cleanup := cassandra.PrepareTestContainer(t,
host, cleanup := cassandra.PrepareTestContainer(
t,
cassandra.Version("3.11"),
cassandra.CopyFromTo(insecureFileMounts),
)
@@ -256,7 +258,8 @@ func assertCreds(t testing.TB, address string, port int, username, password stri
bo.MaxInterval = bo.InitialInterval
bo.RandomizationFactor = 0.0
if _, err := backoff.Retry(t.Context(), op,
if _, err := backoff.Retry(
t.Context(), op,
backoff.WithBackOff(bo),
backoff.WithMaxElapsedTime(timeout),
); err != nil {
@@ -296,7 +299,8 @@ func assertNoCreds(t testing.TB, address string, port int, username, password st
bo.MaxInterval = bo.InitialInterval
bo.RandomizationFactor = 0.0
if _, err := backoff.Retry(t.Context(), op,
if _, err := backoff.Retry(
t.Context(), op,
backoff.WithBackOff(bo),
backoff.WithMaxElapsedTime(timeout),
); err != nil {
@@ -44,7 +44,8 @@ func TestSelfSignedCA(t *testing.T) {
EnableHostVerification: true,
}
host, cleanup := cassandra.PrepareTestContainer(t,
host, cleanup := cassandra.PrepareTestContainer(
t,
cassandra.CopyFromTo(copyFromTo),
cassandra.SslOpts(sslOpts),
)
+14 -7
@@ -442,26 +442,31 @@ func (p *PostgreSQL) defaultDeleteUser(ctx context.Context, username string) err
revocationStmts = append(revocationStmts, fmt.Sprintf(
`REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s;`,
dbutil.QuoteIdentifier(schema),
dbutil.QuoteIdentifier(username)))
dbutil.QuoteIdentifier(username),
))
revocationStmts = append(revocationStmts, fmt.Sprintf(
`REVOKE USAGE ON SCHEMA %s FROM %s;`,
dbutil.QuoteIdentifier(schema),
dbutil.QuoteIdentifier(username)))
dbutil.QuoteIdentifier(username),
))
}
// for good measure, revoke all privileges and usage on schema public
revocationStmts = append(revocationStmts, fmt.Sprintf(
`REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM %s;`,
dbutil.QuoteIdentifier(username)))
dbutil.QuoteIdentifier(username),
))
revocationStmts = append(revocationStmts, fmt.Sprintf(
"REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public FROM %s;",
dbutil.QuoteIdentifier(username)))
dbutil.QuoteIdentifier(username),
))
revocationStmts = append(revocationStmts, fmt.Sprintf(
"REVOKE USAGE ON SCHEMA public FROM %s;",
dbutil.QuoteIdentifier(username)))
dbutil.QuoteIdentifier(username),
))
// get the current database name so we can issue a REVOKE CONNECT for
// this username
@@ -474,7 +479,8 @@ func (p *PostgreSQL) defaultDeleteUser(ctx context.Context, username string) err
revocationStmts = append(revocationStmts, fmt.Sprintf(
`REVOKE CONNECT ON DATABASE %s FROM %s;`,
dbutil.QuoteIdentifier(dbname.String),
dbutil.QuoteIdentifier(username)))
dbutil.QuoteIdentifier(username),
))
}
// again, here, we do not stop on error, as we want to remove as
@@ -496,7 +502,8 @@ func (p *PostgreSQL) defaultDeleteUser(ctx context.Context, username string) err
// Drop this user
stmt, err = db.PrepareContext(ctx, fmt.Sprintf(
`DROP ROLE IF EXISTS %s;`, dbutil.QuoteIdentifier(username)))
`DROP ROLE IF EXISTS %s;`, dbutil.QuoteIdentifier(username),
))
if err != nil {
return err
}
+2 -1
@@ -67,7 +67,8 @@ func hashPassword(rawPassword, salt []byte, iter, keyLen int) string {
storedKey := getSHA256Sum(clientKey)
serverKey := getHMACSum(digestKey, serverRawKey)
return fmt.Sprintf("SCRAM-SHA-256$%d:%s$%s:%s",
return fmt.Sprintf(
"SCRAM-SHA-256$%d:%s$%s:%s",
iter,
string(encodeB64(salt)),
string(encodeB64(storedKey)),
+2 -1
@@ -71,7 +71,8 @@ func (c *ValkeyDB) NewUser(ctx context.Context, req dbplugin.NewUserRequest) (db
username, err := credsutil.GenerateUsername(
credsutil.DisplayName(req.UsernameConfig.DisplayName, maxKeyLength),
credsutil.RoleName(req.UsernameConfig.RoleName, maxKeyLength))
credsutil.RoleName(req.UsernameConfig.RoleName, maxKeyLength),
)
if err != nil {
return dbplugin.NewUserResponse{}, fmt.Errorf("failed to generate username: %w", err)
}
+2 -1
@@ -53,7 +53,8 @@ func prepareValkeyTestContainer(t *testing.T) (string, int) {
p, err := network.ParsePort("6379")
require.NoError(t, err)
_ = pool.RunT(t,
_ = pool.RunT(
t,
"docker.io/valkey/valkey",
dockertest.WithTag(redver),
dockertest.WithPortBindings(
+2 -1
@@ -52,7 +52,8 @@ func TestDatabaseErrorSanitizerMiddleware(t *testing.T) {
},
"multiple secrets": {
inputErr: errors.New("here is my password: iofsd9473tg"),
secretsFunc: secretFunc(t,
secretsFunc: secretFunc(
t,
"iofsd9473tg", "<redacted>",
"password", "<this was the word password>",
),
+8 -4
@@ -31,8 +31,10 @@ func checkValidEmail(value ref.Val) ref.Val {
// checkValidEmailFunction adds the check_valid_email function.
func CheckValidEmailFunction() cel.EnvOption {
return cel.Function("check_valid_email",
cel.Overload("check_valid_email_string",
return cel.Function(
"check_valid_email",
cel.Overload(
"check_valid_email_string",
[]*cel.Type{cel.StringType}, // Takes a string input
cel.BoolType, // Returns a boolean
cel.UnaryBinding(checkValidEmail),
@@ -123,7 +125,8 @@ func decodeJSON(value ref.Val) ref.Val {
// EncodeJSONFunction adds the encode_json function.
func EncodeJSONFunction() cel.EnvOption {
return cel.Function("encode_json",
return cel.Function(
"encode_json",
cel.Overload(
"encode_json_dyn",
[]*cel.Type{cel.DynType},
@@ -135,7 +138,8 @@ func EncodeJSONFunction() cel.EnvOption {
// DecodeJSONFunction adds the decode_json function.
func DecodeJSONFunction() cel.EnvOption {
return cel.Function("decode_json",
return cel.Function(
"decode_json",
cel.Overload(
"decode_json_string",
[]*cel.Type{cel.StringType},
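Review bot: The doc comment above `CheckValidEmailFunction` in the first hunk begins with `checkValidEmailFunction`, which does not match the exported name, so it breaks the Go doc-comment convention and doc linters will flag it. It should read `// CheckValidEmailFunction adds the check_valid_email function.`, matching the comments on `EncodeJSONFunction` and `DecodeJSONFunction` in the same file.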
+4 -2
@@ -121,7 +121,8 @@ func (e *EvalConfig) ToEnv() (*cel.Env, error) {
conditionalFunction, err := decls.NewFunction(operators.Conditional,
decls.FunctionDocs(
`The ternary operator tests a boolean predicate and returns the left-hand side `+
`(truthy) expression if true, or the right-hand side (falsy) expression if false`),
`(truthy) expression if true, or the right-hand side (falsy) expression if false`,
),
decls.Overload(overloads.Conditional,
[]*types.Type{types.BoolType, paramA, paramB}, // This signature is different
types.DynType, // This return type is different
@@ -129,7 +130,8 @@ func (e *EvalConfig) ToEnv() (*cel.Env, error) {
decls.OverloadExamples(
`'hello'.contains('lo') ? 'hi' : false // 'hi'`,
`'hello'.contains('lo') ? 'hi' : 'bye' // 'hi'`,
`32 % 3 == 0 ? 'divisible' : -1 // -1`)),
`32 % 3 == 0 ? 'divisible' : -1 // -1`,
)),
decls.SingletonFunctionBinding(func(args ...ref.Val) ref.Val {
return types.NoSuchOverloadErr()
}))
+4 -2
@@ -420,7 +420,8 @@ func (c *Client) GetRevocationStatus(ctx context.Context, subject, issuer *x509.
defer wg.Done()
}
ocspRes, _, ocspS, err := c.retryOCSP(
ctx, ocspClient, retryablehttp.NewRequest, u, headers, ocspReq, issuer)
ctx, ocspClient, retryablehttp.NewRequest, u, headers, ocspReq, issuer,
)
ocspResponses[i] = ocspRes
if err != nil {
allErrors[i] = err
@@ -617,7 +618,8 @@ func (c *Client) canEarlyExitForOCSP(results []*ocspStatus, chainSize int, conf
}
if len(msg.String()) > 0 {
c.Logger().Warn(
"OCSP is set to fail-open, and could not retrieve OCSP based revocation checking but proceeding.", "detail", msg.String())
"OCSP is set to fail-open, and could not retrieve OCSP based revocation checking but proceeding.", "detail", msg.String(),
)
}
return nil
}
+4 -2
@@ -437,7 +437,8 @@ func TestOCSPRetry(t *testing.T) {
t.Context(),
client, fakeRequestFunc,
dummyOCSPHost,
make(map[string]string), []byte{0}, certs[len(certs)-1])
make(map[string]string), []byte{0}, certs[len(certs)-1],
)
if err == nil {
fmt.Printf("should fail: %v, %v, %v\n", res, b, st)
}
@@ -452,7 +453,8 @@ func TestOCSPRetry(t *testing.T) {
t.Context(),
client, fakeRequestFunc,
dummyOCSPHost,
make(map[string]string), []byte{0}, certs[len(certs)-1])
make(map[string]string), []byte{0}, certs[len(certs)-1],
)
if err == nil {
fmt.Printf("should fail: %v, %v, %v\n", res, b, st)
}
+4 -2
@@ -67,7 +67,8 @@ type PluginRunner struct {
// returns a configured plugin.Client with TLS Configured and a wrapping token set
// on PluginUnwrapTokenEnv for plugin process consumption.
func (r *PluginRunner) Run(ctx context.Context, wrapper RunnerUtil, pluginSets map[int]plugin.PluginSet, hs plugin.HandshakeConfig, env []string, logger log.Logger) (*plugin.Client, error) {
return r.RunConfig(ctx,
return r.RunConfig(
ctx,
Runner(wrapper),
PluginSets(pluginSets),
HandshakeConfig(hs),
@@ -81,7 +82,8 @@ func (r *PluginRunner) Run(ctx context.Context, wrapper RunnerUtil, pluginSets m
// in metadata mode. The PluginMetadataModeEnv is passed in as part of the Cmd to
// plugin.Client, and consumed by the plugin process on api.VaultPluginTLSProvider.
func (r *PluginRunner) RunMetadataMode(ctx context.Context, wrapper RunnerUtil, pluginSets map[int]plugin.PluginSet, hs plugin.HandshakeConfig, env []string, logger log.Logger) (*plugin.Client, error) {
return r.RunConfig(ctx,
return r.RunConfig(
ctx,
Runner(wrapper),
PluginSets(pluginSets),
HandshakeConfig(hs),
+4 -2
@@ -225,7 +225,8 @@ func Run(tt TestT, c Case) {
tt.Error(fmt.Sprintf(
"WARNING: Revoking the following secret failed. It may\n"+
"still exist. Please verify:\n\n%#v",
s))
s,
))
}
}
}()
@@ -299,7 +300,8 @@ func checkShouldRun(tt TestT) {
if api.ReadBaoVariable(TestEnvVar) == "" {
tt.Skip(fmt.Sprintf(
"Acceptance tests skipped unless env '%s' set",
TestEnvVar))
TestEnvVar,
))
return
}
+2 -1
@@ -230,7 +230,8 @@ func (b *FileBackend) PutInternal(ctx context.Context, entry *physical.Entry) er
f, err := os.OpenFile(
tempPath,
os.O_CREATE|os.O_TRUNC|os.O_WRONLY,
0o600)
0o600,
)
if err != nil {
if f != nil {
f.Close()
+4 -2
@@ -48,7 +48,8 @@ func TestFileBackend_Base64URLEncoding(t *testing.T) {
f, err := os.OpenFile(
rawFullPath,
os.O_CREATE|os.O_TRUNC|os.O_WRONLY,
0o600)
0o600,
)
if err != nil {
t.Fatal(err)
}
@@ -150,7 +151,8 @@ func TestFileBackend_Base64URLEncoding(t *testing.T) {
f, err = os.OpenFile(
rawFullPath,
os.O_CREATE|os.O_TRUNC|os.O_WRONLY,
0o600)
0o600,
)
if err != nil {
t.Fatal(err)
}
+1 -1
@@ -156,7 +156,7 @@ func (c *CORSConfig) IsValidOrigin(origin string) bool {
return false
}
if len(c.AllowedOrigins) == 1 && (c.AllowedOrigins)[0] == "*" {
if len(c.AllowedOrigins) == 1 && c.AllowedOrigins[0] == "*" {
return true
}
+2 -1
@@ -296,7 +296,8 @@ func TestDynamicSystemView_GeneratePasswordFromPolicy_failed(t *testing.T) {
func TestDynamicSystemView_GeneratePasswordFromPolicy_namespaces(t *testing.T) {
core, _, token := TestCoreUnsealed(t)
TestCoreCreateNamespaces(t, core,
TestCoreCreateNamespaces(
t, core,
&namespace.Namespace{Path: "foo/"},
&namespace.Namespace{Path: "foo/bar/"},
)
