v1.4.1 - classic bearer path now calls Key Vault
Option 4 (Classic MSI bearer) now also calls Key Vault with the plain bearer token (Authorization: Bearer, no binding cert): 200 = secret read with a bearer (the exposure, shown red), 401 = the vault enforces token binding and rejects it, 403 = RBAC. Token is still printed in full for cross-VM replay.