Composite key for cached delegated tokens. Token cache lookups
hit on (subject, audience, scopes, mode) so different audiences
or scope sets for the same subject mint independent tokens.
One minted outbound credential, produced by a TokenDelegate
handler and cached for re-use until expiry. The token field is
serde-skipped under the same invariant as RawInboundToken.token.
One inbound credential, captured at the wire layer and stashed
here by an identity-resolver plugin. Validation happens elsewhere
— this struct just carries the bytes and a few hints.
Whether a delegated outbound token represents the user’s identity
or the gateway’s own identity to the downstream service. Affects
scope-narrowing rules and audit-log attribution.