[1.83.4]
Update vault to 2.0.3
Full Changelog
auth/radius: Added case_insensitive_names toggle to prevent username collisions and enable case-insensitive user handling.
core/acl: Fix LIST ACL bypass where a trailing-slash request could skip a more-specific deny rule.
core: Use constant-time comparison for recovery tokens.
core/acl: LIST requests with a trailing slash now correctly respect more-specific deny policies. Previously, a deny on path "kv/*" { deny } could be bypassed for LIST kv/private/ if a broader allow path "kv/*" also existed. Policies relying on the previous (incorrect) behavior may now be denied.
core: Vault will now redirect non-canonicalized paths (containing /./, /../, or //) to a cleaned path instead of rejecting these requests.
AI Agent Support (Beta/Enterprise): Adds beta support for first-class AI agents. Adds an Agent Registry to register agents, and adds support for using Vault as an OAuth resource server for registered agent entities. When configured, allows OAuth 2.0 JWTs to be used to directly authorize requests to Vault, without needing a Vault token.
core/rotationMgr: Fix storage routing for local mounts in namespaces to prevent metadata replication and ensure GDPR compliance.
secrets/pki: Fix PKI certificate issuance not_after time to respect max TTL.
secrets/transit: Add managed key support to Transit rewrap endpoint.
storage/raft: Reject performance_multiplier values less than or equal to zero.
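The redirect-instead-of-reject behaviour from the core path-canonicalization entry above, sketched as an added example (not Vault's own code): an HTTP middleware that cleans /./, /../ and // and sends the client to the canonical path, so downstream policy checks only see canonical paths. The function names, the 307 status code and the sample request paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// canonicalPath returns the cleaned path and whether p was already canonical.
func canonicalPath(p string) (string, bool) {
	clean := path.Clean("/" + p) // collapses "//" and "/./", resolves "/../"
	if strings.HasSuffix(p, "/") && clean != "/" {
		clean += "/" // a trailing slash is significant for LIST requests
	}
	return clean, clean == p
}

// redirectNonCanonical (hypothetical name) redirects instead of rejecting.
func redirectNonCanonical(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		clean, ok := canonicalPath(r.URL.Path)
		if !ok {
			target := url.URL{Path: clean, RawQuery: r.URL.RawQuery}
			// 307 is an assumption: it preserves method and body on the retry.
			http.Redirect(w, r, target.String(), http.StatusTemporaryRedirect)
			return
		}
		next.ServeHTTP(w, r) // handlers below only ever see canonical paths
	})
}

// probe sends one constructed request through the middleware.
func probe(method, target string) (int, string) {
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	rec := httptest.NewRecorder()
	redirectNonCanonical(backend).ServeHTTP(rec, httptest.NewRequest(method, target, nil))
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	samples := []string{"/v1/kv//private/", "/v1/kv/../sys/health", "/v1/kv/private/"} // constructed
	for _, t := range samples {
		code, loc := probe("LIST", t)
		fmt.Printf("%-24s -> %d %s\n", t, code, loc)
	}
}
```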