(#126) v0.69.0

(#126) Minimal API to register users and organizations

.github/workflows/lint.yaml

@@ -46,3 +46,4 @@ jobs:
         uses: golangci/golangci-lint-action@v4
         with:
           version: latest
+          skip-pkg-cache: true

Makefile

@@ -4,7 +4,7 @@ PROJ=holos
 ORG_PATH=github.com/holos-run
 REPO_PATH=$(ORG_PATH)/$(PROJ)
 
-VERSION := $(shell cat pkg/version/embedded/major pkg/version/embedded/minor pkg/version/embedded/patch | xargs printf "%s.%s.%s")
+VERSION := $(shell cat version/embedded/major version/embedded/minor version/embedded/patch | xargs printf "%s.%s.%s")
 BIN_NAME := holos
 
 DOCKER_REPO=quay.io/openinfrastructure/holos
@@ -19,7 +19,7 @@ GIT_COMMIT=$(shell git rev-parse HEAD)
 GIT_TREE_STATE=$(shell test -n "`git status --porcelain`" && echo "dirty" || echo "clean")
 BUILD_DATE=$(shell date -Iseconds)
 
-LD_FLAGS="-w -X ${ORG_PATH}/${PROJ}/pkg/version.GitCommit=${GIT_COMMIT} -X ${ORG_PATH}/${PROJ}/pkg/version.GitTreeState=${GIT_TREE_STATE} -X ${ORG_PATH}/${PROJ}/pkg/version.BuildDate=${BUILD_DATE}"
+LD_FLAGS="-w -X ${ORG_PATH}/${PROJ}/version.GitCommit=${GIT_COMMIT} -X ${ORG_PATH}/${PROJ}/version.GitTreeState=${GIT_TREE_STATE} -X ${ORG_PATH}/${PROJ}/version.BuildDate=${BUILD_DATE}"
 
 .PHONY: default
 default: test
@@ -68,7 +68,7 @@ generate: ## Generate code.
 	go generate ./...
 
 .PHONY: build
-build: generate ## Build holos executable.
+build: generate frontend ## Build holos executable.
 	@echo "building ${BIN_NAME} ${VERSION}"
 	@echo "GOPATH=${GOPATH}"
 	go build -trimpath -o bin/$(BIN_NAME) -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)
@@ -126,8 +126,8 @@ frontend-deps: ## Setup npm and vite
 
 .PHONY: frontend
 frontend: buf
+	cd internal/frontend/holos && rm -rf dist
 	mkdir -p internal/frontend/holos/dist
-	cd internal/frontend/holos/dist && rm -rf app
 	cd internal/frontend/holos && ng build
 	touch internal/frontend/frontend.go
 

Tiltfile

@@ -99,6 +99,7 @@ docker_build_with_restart(
         '--listen-port={}'.format(listen_port),
         '--oidc-issuer=https://login.ois.run',
         '--oidc-audience=262096764402729854@holos_platform',
+        '--log-level=debug',
         '--metrics-port={}'.format(metrics_port),
     ],
     dockerfile='./hack/tilt/Dockerfile',
@@ -190,7 +191,7 @@ k8s_resource(
     ],
     resource_deps=[compile_id],
     links=[
-        link('https://{}.holos.dev.k2.ois.run/app/'.format(developer), "Holos Web UI")
+        link('https://{}.app.dev.k2.holos.run/ui/'.format(developer), "Holos Web UI")
     ],
 )
 
@@ -200,11 +201,6 @@ k8s_resource(
     new_name=auth_id,
     objects=[
       '{}:virtualservice'.format(holos_server),
-      '{}-allow-groups:authorizationpolicy'.format(holos_server),
-      '{}-allow-nothing:authorizationpolicy'.format(holos_server),
-      '{}-allow-well-known-paths:authorizationpolicy'.format(holos_server),
-      '{}-auth:authorizationpolicy'.format(holos_server),
-      '{}:requestauthentication'.format(holos_server),
     ],
 )
 

api/v1alpha1/helm.go

@@ -8,9 +8,9 @@ import (
 	"strings"
 
 	"github.com/holos-run/holos"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/util"
 )
 
 // A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.

api/v1alpha1/kustomize.go

@@ -4,9 +4,9 @@ import (
 	"context"
 
 	"github.com/holos-run/holos"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/util"
 )
 
 const KustomizeBuildKind = "KustomizeBuild"

api/v1alpha1/result.go

@@ -7,9 +7,9 @@ import (
 	"path/filepath"
 	"slices"
 
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/util"
 )
 
 // Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.

cmd/holos/main.go

@@ -1,8 +1,9 @@
 package main
 
 import (
-	"github.com/holos-run/holos/pkg/cli"
 	"os"
+
+	"github.com/holos-run/holos/internal/cli"
 )
 
 func main() {

cmd/holos/main_test.go

@@ -1,10 +1,11 @@
 package main
 
 import (
-	"github.com/holos-run/holos/pkg/cli"
-	"github.com/rogpeppe/go-internal/testscript"
 	"os"
 	"testing"
+
+	"github.com/holos-run/holos/internal/cli"
+	"github.com/rogpeppe/go-internal/testscript"
 )
 
 func TestMain(m *testing.M) {

docs/examples/authpolicy.cue

@@ -2,7 +2,10 @@ package holos
 
 import ap "security.istio.io/authorizationpolicy/v1"
 
-// #AuthPolicyRules represents AuthorizationPolicy rules for hosts that need specialized treatment.  Entries in this struct are exclused from the blank ingressauth AuthorizationPolicy governing the ingressgateway and included in a spcialized policy
+// #AuthPolicyRules represents AuthorizationPolicy rules for hosts that need
+// specialized treatment.  Entries in this struct are excluded from
+// AuthorizationPolicy/authproxy-custom in the istio-ingress namespace.  Entries
+// are added to their own AuthorizationPolicy.
 #AuthPolicyRules: {
 	// AuthProxySpec represents the identity provider configuration
 	AuthProxySpec: #AuthProxySpec & #Platform.authproxy
@@ -14,6 +17,9 @@ import ap "security.istio.io/authorizationpolicy/v1"
 			name: Name
 			// slug is the resource name prefix
 			slug: string
+			// NoAuthorizationPolicy disables an AuthorizationPolicy for the host
+			NoAuthorizationPolicy: true | *false
+
 			// Refer to https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule
 			spec: ap.#AuthorizationPolicySpec & {
 				action: "CUSTOM"
@@ -25,11 +31,13 @@ import ap "security.istio.io/authorizationpolicy/v1"
 
 	objects: #APIObjects & {
 		for Host in hosts {
-			apiObjects: {
-				AuthorizationPolicy: "\(Host.slug)-custom": {
-					metadata: namespace: "istio-ingress"
-					metadata: name:      "\(Host.slug)-custom"
-					spec: Host.spec
+			if Host.NoAuthorizationPolicy == false {
+				apiObjects: {
+					AuthorizationPolicy: "\(Host.slug)-custom": {
+						metadata: namespace: "istio-ingress"
+						metadata: name:      "\(Host.slug)-custom"
+						spec: Host.spec
+					}
 				}
 			}
 		}

docs/examples/cue.mod/usr/k8s.io/api/apps/v1/types.cue

@@ -4,3 +4,8 @@ package v1
 	apiVersion: "apps/v1"
 	kind:       "Deployment"
 }
+
+#StatefulSet: {
+	apiVersion: "apps/v1"
+	kind:       "StatefulSet"
+}

docs/examples/helpers.cue

@@ -20,6 +20,7 @@ import "encoding/yaml"
 		ConfigMap?: [Name=_]: #ConfigMap & {metadata: name: Name}
 
 		Deployment?: [_]:            #Deployment
+		StatefulSet?: [_]:           #StatefulSet
 		RequestAuthentication?: [_]: #RequestAuthentication
 		AuthorizationPolicy?: [_]:   #AuthorizationPolicy
 	}

docs/examples/platforms/holos-saas/clusters/provisioner/choria/broker/broker.cue

@@ -0,0 +1,45 @@
+package holos
+
+let Namespace = "jeff-holos"
+let Broker = "choria-broker"
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-platform-issuer": _
+
+		metadata: name: "\(Namespace)-\(Broker)"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let SelectorLabels = {
+	"app.kubernetes.io/instance": Broker
+	"app.kubernetes.io/name":     Broker
+}
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		Certificate: "\(Broker)-tls": #Certificate & {
+			metadata: {
+				name:      "\(Broker)-tls"
+				namespace: Namespace
+				labels:    SelectorLabels
+			}
+			spec: {
+				commonName: "\(Broker).\(Namespace).svc.cluster.local"
+				dnsNames: [
+					Broker,
+					"\(Broker).\(Namespace).svc",
+					"\(Broker).\(Namespace).svc.cluster.local",
+					"*.\(Broker)",
+					"*.\(Broker).\(Namespace).svc",
+					"*.\(Broker).\(Namespace).svc.cluster.local",
+				]
+				issuerRef: kind: "ClusterIssuer"
+				issuerRef: name: "platform-issuer"
+				secretName: metadata.name
+				usages: ["signing", "key encipherment", "server auth", "client auth"]
+			}
+		}
+	}
+}

docs/examples/platforms/holos-saas/clusters/provisioner/choria/provisioner/provsioner.cue

@@ -0,0 +1,45 @@
+package holos
+
+let Namespace = "jeff-holos"
+let Provisioner = "choria-provisioner"
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-platform-issuer": _
+
+		metadata: name: "\(Namespace)-\(Provisioner)"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let SelectorLabels = {
+	"app.kubernetes.io/instance": Provisioner
+	"app.kubernetes.io/name":     Provisioner
+}
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		Certificate: "\(Provisioner)-tls": #Certificate & {
+			metadata: {
+				name:      "\(Provisioner)-tls"
+				namespace: Namespace
+				labels:    SelectorLabels
+			}
+			spec: {
+				commonName: "\(Provisioner).\(Namespace).svc.cluster.local"
+				dnsNames: [
+					Provisioner,
+					"\(Provisioner).\(Namespace).svc",
+					"\(Provisioner).\(Namespace).svc.cluster.local",
+					"*.\(Provisioner)",
+					"*.\(Provisioner).\(Namespace).svc",
+					"*.\(Provisioner).\(Namespace).svc.cluster.local",
+				]
+				issuerRef: kind: "ClusterIssuer"
+				issuerRef: name: "platform-issuer"
+				secretName: metadata.name
+				usages: ["signing", "key encipherment", "server auth", "client auth"]
+			}
+		}
+	}
+}

docs/examples/platforms/holos-saas/clusters/workload/choria/broker/broker.cue

@@ -0,0 +1,177 @@
+package holos
+
+let Namespace = "jeff-holos"
+let Broker = "choria-broker"
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-secrets-stores": _
+
+		metadata: name: "\(Namespace)-\(Broker)"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let SelectorLabels = {
+	"app.kubernetes.io/part-of": "choria"
+	"app.kubernetes.io/name":    Broker
+}
+
+let Metadata = {
+	name:      Broker
+	namespace: Namespace
+	labels:    SelectorLabels
+}
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		ExternalSecret: "\(Broker)-tls": #ExternalSecret & {
+			metadata: name:      "\(Broker)-tls"
+			metadata: namespace: Namespace
+		}
+		ExternalSecret: "\(Broker)": #ExternalSecret & {
+			metadata: name:      Broker
+			metadata: namespace: Namespace
+		}
+		StatefulSet: "\(Broker)": {
+			metadata: Metadata
+			spec: {
+				selector: matchLabels: SelectorLabels
+				serviceName: Broker
+				template: metadata: labels: SelectorLabels
+				template: spec: {
+					containers: [
+						{
+							name: Broker
+							command: ["choria", "broker", "run", "--config", "/etc/choria/broker.conf"]
+							image:           "registry.choria.io/choria/choria:0.28.0"
+							imagePullPolicy: "IfNotPresent"
+							ports: [
+								{
+									containerPort: 4222
+									name:          "tcp-nats"
+									protocol:      "TCP"
+								},
+								{
+									containerPort: 4333
+									name:          "https-wss"
+									protocol:      "TCP"
+								},
+								{
+									containerPort: 5222
+									name:          "tcp-cluster"
+									protocol:      "TCP"
+								},
+								{
+									containerPort: 8222
+									name:          "http-stats"
+									protocol:      "TCP"
+								},
+							]
+							livenessProbe: httpGet: {
+								path: "/healthz"
+								port: "http-stats"
+							}
+							readinessProbe: livenessProbe
+							resources: {}
+							securityContext: {}
+							volumeMounts: [
+								{
+									mountPath: "/etc/choria"
+									name:      Broker
+								},
+								{
+									mountPath: "/etc/choria-tls"
+									name:      "\(Broker)-tls"
+								},
+							]
+						},
+					]
+					securityContext: {}
+					serviceAccountName: Broker
+					volumes: [
+						{
+							name: Broker
+							secret: secretName: Broker
+						},
+						{
+							name: "\(Broker)-tls"
+							secret: secretName: "\(Broker)-tls"
+						},
+					]
+				}
+			}
+		}
+		ServiceAccount: "\(Broker)": #ServiceAccount & {
+			metadata: Metadata
+		}
+		Service: "\(Broker)": #Service & {
+			metadata: Metadata
+			spec: {
+				type:      "ClusterIP"
+				clusterIP: "None"
+				selector:  SelectorLabels
+				ports: [
+					{
+						name:        "tcp-nats"
+						appProtocol: "tcp"
+						port:        4222
+						protocol:    "TCP"
+						targetPort:  "tcp-nats"
+					},
+					{
+						name:        "tcp-cluster"
+						appProtocol: "tcp"
+						port:        5222
+						protocol:    "TCP"
+						targetPort:  "tcp-cluster"
+					},
+					{
+						name:        "https-wss"
+						appProtocol: "https"
+						port:        443
+						protocol:    "TCP"
+						targetPort:  "https-wss"
+					},
+				]
+			}
+		}
+		DestinationRule: "\(Broker)-wss": #DestinationRule & {
+			_decriptions: "Configures Istio to connect to Choria using a cert issued by the Platform Issuer"
+			metadata:     Metadata
+			spec: host: "\(Broker).\(Namespace).svc.cluster.local"
+			spec: trafficPolicy: tls: {
+				credentialName: "istio-ingress-mtls-cert"
+				mode:           "MUTUAL"
+				// subjectAltNames is important, otherwise istio will fail to verify the
+				// choria broker upstream server.  make sure this matches a value
+				// present in the choria broker's cert.
+				//
+				//  kubectl get secret choria-broker-tls -o json | jq --exit-status
+				//  '.data | map_values(@base64d)' | jq .\"tls.crt\" -r | openssl x509
+				//  -text -noout -in -
+				subjectAltNames: [spec.host]
+			}
+		}
+		VirtualService: "\(Broker)-wss": #VirtualService & {
+			metadata: name:      "\(Broker)-wss"
+			metadata: namespace: Namespace
+			spec: {
+				gateways: ["istio-ingress/default"]
+				hosts: ["jeff.provision.dev.\(#ClusterName).holos.run"]
+				http: [
+					{
+						route: [
+							{
+								destination: {
+									host: "\(Broker).\(Namespace).svc.cluster.local"
+									port: "number": 443
+								}
+							},
+						]
+					},
+				]
+			}
+		}
+	}
+}

docs/examples/platforms/holos-saas/clusters/workload/choria/provisioner/Dockerfile

@@ -0,0 +1,18 @@
+FROM registry.choria.io/choria/provisioner:latest
+
+RUN curl -Lo nsc.zip https://github.com/nats-io/nsc/releases/download/v2.8.6/nsc-linux-amd64.zip &&\
+  unzip nsc.zip && \
+  mv nsc /usr/local/bin/nsc && \
+  chmod 755 /usr/local/bin/nsc && \
+  rm -f nsc.zip
+
+# TODO: Add jwt executable
+# TODO: Add helper executable
+
+USER choria
+ENV USER=choria
+
+ENTRYPOINT ["/usr/sbin/choria-provisioner"]
+
+# These two files are expected to be in the provisioner secret.
+CMD ["--config=/etc/provisioner/provisioner.yaml", "--choria-config=/etc/provisioner/choria.cfg"]

docs/examples/platforms/holos-saas/clusters/workload/choria/provisioner/provisioner.cue

@@ -0,0 +1,82 @@
+package holos
+
+let Namespace = "jeff-holos"
+let Provisioner = "choria-provisioner"
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-secrets-stores": _
+
+		metadata: name: "\(Namespace)-\(Provisioner)"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let SelectorLabels = {
+	"app.kubernetes.io/instance": Provisioner
+	"app.kubernetes.io/name":     Provisioner
+}
+
+let Metadata = {
+	name:      Provisioner
+	namespace: Namespace
+	labels:    SelectorLabels
+}
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		ExternalSecret: "\(Provisioner)-tls": #ExternalSecret & {
+			metadata: name:      "\(Provisioner)-tls"
+			metadata: namespace: Namespace
+		}
+		ExternalSecret: "\(Provisioner)": #ExternalSecret & {
+			metadata: name:      Provisioner
+			metadata: namespace: Namespace
+		}
+		ServiceAccount: "\(Provisioner)": #ServiceAccount & {
+			metadata: Metadata
+		}
+		Deployment: "\(Provisioner)": {
+			metadata: Metadata
+			spec: {
+				selector: matchLabels: SelectorLabels
+				template: metadata: labels: SelectorLabels
+				template: spec: {
+					containers: [
+						{
+							name: Provisioner
+							command: ["bash", "/etc/provisioner/entrypoint"]
+							// skopeo inspect docker://registry.choria.io/choria/provisioner | jq .RepoTags
+							image:           "registry.choria.io/choria/provisioner:0.15.1"
+							imagePullPolicy: "IfNotPresent"
+							resources: {}
+							securityContext: {}
+							volumeMounts: [
+								{
+									mountPath: "/etc/provisioner"
+									name:      Provisioner
+								},
+								{
+									mountPath: "/etc/provisioner-tls"
+									name:      "\(Provisioner)-tls"
+								},
+							]
+						},
+					]
+					securityContext: {}
+					serviceAccountName: Provisioner
+					volumes: [
+						{
+							name: Provisioner
+							secret: secretName: name
+						},
+						{
+							name: "\(Provisioner)-tls"
+							secret: secretName: name
+						},
+					]
+				}
+			}
+		}
+	}
+}

docs/examples/platforms/holos-saas/clusters/workload/choria/readme.md

@@ -0,0 +1,8 @@
+# Machine Room Provisioner
+
+This sub-tree contains Holos Components to manage a [Choria Provisioner][1]
+system for the use case of provisioning `holos controller` instances.  These
+instances are implementations of Machine Room which are in turn implementations
+of Choria Server, hence why we use Choria Provisioner.
+
+[1]: https://choria-io.github.io/provisioner/

docs/examples/platforms/holos-saas/clusters/workload/nats/envs/nats.cue

@@ -0,0 +1,62 @@
+package holos
+
+// for Project in _Projects {
+// 	spec: components: resources: (#ProjectTemplate & {project: Project}).workload.resources
+// }
+
+let Namespace = "jeff-holos"
+
+#Kustomization: spec: targetNamespace: Namespace
+
+spec: components: HelmChartList: [
+	#HelmChart & {
+		metadata: name: "jeff-holos-nats"
+		namespace: Namespace
+		_dependsOn: "prod-secrets-stores": _
+		chart: {
+			name:       "nats"
+			version:    "1.1.10"
+			repository: NatsRepository
+		}
+		_values: #NatsValues & {
+			config: {
+				// https://github.com/nats-io/k8s/tree/main/helm/charts/nats#operator-mode-with-nats-resolver
+				resolver: enabled: true
+				resolver: merge: {
+					type:     "full"
+					interval: "2m"
+					timeout:  "1.9s"
+				}
+				merge: {
+					operator:       "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJUSElBTDM2NUtOS0lVVVJDMzNLNFJGQkJVRlFBSTRLS0NQTDJGVDZYVjdNQVhWU1dFNElRIiwiaWF0IjoxNzEzMjIxMzE1LCJpc3MiOiJPREtQM0RZTzc3T1NBRU5IU0FFR0s3WUNFTFBYT1FFWUI3RVFSTVBLWlBNQUxINE5BRUVLSjZDRyIsIm5hbWUiOiJIb2xvcyIsInN1YiI6Ik9ES1AzRFlPNzdPU0FFTkhTQUVHSzdZQ0VMUFhPUUVZQjdFUVJNUEtaUE1BTEg0TkFFRUtKNkNHIiwibmF0cyI6eyJ0eXBlIjoib3BlcmF0b3IiLCJ2ZXJzaW9uIjoyfX0.dQURTb-zIQMc-OYd9328oY887AEnvog6gOXY1-VCsDG3L89nq5x_ks4ME7dJ4Pn-Pvm2eyBi1Jx6ubgkthHgCQ"
+					system_account: "ADIQCYK4K3OKTPODGCLI4PDQ6XBO52MISBPTAIDESEJMLZCMNULDKCCY"
+					resolver_preload: {
+						// NOTEL: Make sure you do not include the trailing , in the SYS_ACCOUNT_JWT
+						"ADIQCYK4K3OKTPODGCLI4PDQ6XBO52MISBPTAIDESEJMLZCMNULDKCCY": "eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiI2SEVMNlhKSUdWUElMNFBURVI1MkUzTkFITjZLWkVUUUdFTlFVS0JWRzNUWlNLRzVLT09RIiwiaWF0IjoxNzEzMjIxMzE1LCJpc3MiOiJPREtQM0RZTzc3T1NBRU5IU0FFR0s3WUNFTFBYT1FFWUI3RVFSTVBLWlBNQUxINE5BRUVLSjZDRyIsIm5hbWUiOiJTWVMiLCJzdWIiOiJBRElRQ1lLNEszT0tUUE9ER0NMSTRQRFE2WEJPNTJNSVNCUFRBSURFU0VKTUxaQ01OVUxES0NDWSIsIm5hdHMiOnsibGltaXRzIjp7InN1YnMiOi0xLCJkYXRhIjotMSwicGF5bG9hZCI6LTEsImltcG9ydHMiOi0xLCJleHBvcnRzIjotMSwid2lsZGNhcmRzIjp0cnVlLCJjb25uIjotMSwibGVhZiI6LTF9LCJkZWZhdWx0X3Blcm1pc3Npb25zIjp7InB1YiI6e30sInN1YiI6e319LCJhdXRob3JpemF0aW9uIjp7fSwidHlwZSI6ImFjY291bnQiLCJ2ZXJzaW9uIjoyfX0.TiGIk8XON394D9SBEowGHY_nTeOyHiM-ihyw6HZs8AngOnYPFXH9OVjsaAf8Poa2k_V84VtH7yVNgNdjBgduDA"
+					}
+				}
+				cluster: enabled:   true
+				jetstream: enabled: true
+				websocket: enabled: true
+				monitor: enabled:   true
+			}
+			promExporter: enabled: true
+			promExporter: podMonitor: enabled: true
+		}
+	},
+	#HelmChart & {
+		metadata: name: "jeff-holos-nack"
+		namespace: Namespace
+		_dependsOn: "jeff-holos-nats": _
+		chart: {
+			name:       "nack"
+			version:    "0.25.2"
+			repository: NatsRepository
+		}
+	},
+]
+
+let NatsRepository = {
+	name: "nats"
+	url:  "https://nats-io.github.io/k8s/helm/charts/"
+}

docs/examples/platforms/holos-saas/clusters/workload/nats/envs/nats.values.cue

@@ -0,0 +1,722 @@
+package holos
+
+#NatsValues: {
+	//###############################################################################
+	// Global options
+	//###############################################################################
+	global: {
+		image: {
+			// global image pull policy to use for all container images in the chart
+			// can be overridden by individual image pullPolicy
+			pullPolicy: null
+			// global list of secret names to use as image pull secrets for all pod specs in the chart
+			// secrets must exist in the same namespace
+			// https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+			pullSecretNames: []
+			// global registry to use for all container images in the chart
+			// can be overridden by individual image registry
+			registry: null
+		}
+
+		// global labels will be applied to all resources deployed by the chart
+		labels: {}
+	}
+
+	//###############################################################################
+	// Common options
+	//###############################################################################
+	// override name of the chart
+	nameOverride: null
+	// override full name of the chart+release
+	fullnameOverride: null
+	// override the namespace that resources are installed into
+	namespaceOverride: null
+
+	// reference a common CA Certificate or Bundle in all nats config `tls` blocks and nats-box contexts
+	// note: `tls.verify` still must be set in the appropriate nats config `tls` blocks to require mTLS
+	tlsCA: {
+		enabled: false
+		// set configMapName in order to mount an existing configMap to dir
+		configMapName: null
+		// set secretName in order to mount an existing secretName to dir
+		secretName: null
+		// directory to mount the configMap or secret to
+		dir: "/etc/nats-ca-cert"
+		// key in the configMap or secret that contains the CA Certificate or Bundle
+		key: "ca.crt"
+	}
+
+	//###############################################################################
+	// NATS Stateful Set and associated resources
+	//###############################################################################
+	//###########################################################
+	// NATS config
+	//###########################################################
+	config: {
+		cluster: {
+			enabled: true | *false
+			port:    6222
+			// must be 2 or higher when jetstream is enabled
+			replicas: 3
+
+			// apply to generated route URLs that connect to other pods in the StatefulSet
+			routeURLs: {
+				// if both user and password are set, they will be added to route URLs
+				// and the cluster authorization block
+				user:     null
+				password: null
+				// set to true to use FQDN in route URLs
+				useFQDN:          false
+				k8sClusterDomain: "cluster.local"
+			}
+
+			tls: {
+				enabled: true | *false
+				// set secretName in order to mount an existing secret to dir
+				secretName: null
+				dir:        "/etc/nats-certs/cluster"
+				cert:       "tls.crt"
+				key:        "tls.key"
+				// merge or patch the tls config
+				// https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
+				merge: {}
+				patch: []
+			}
+
+			// merge or patch the cluster config
+			// https://docs.nats.io/running-a-nats-service/configuration/clustering/cluster_config
+			merge: {}
+			patch: []
+		}
+
+		jetstream: {
+			enabled: true | *false
+
+			fileStore: {
+				enabled: true
+				dir:     "/data"
+
+				//###########################################################
+				// stateful set -> volume claim templates -> jetstream pvc
+				//###########################################################
+				pvc: {
+					enabled:          true
+					size:             "10Gi"
+					storageClassName: null
+
+					// merge or patch the jetstream pvc
+					// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core
+					merge: {}
+					patch: []
+					// defaults to "{{ include "nats.fullname" $ }}-js"
+					name: null
+				}
+
+				// defaults to the PVC size
+				maxSize: null
+			}
+
+			memoryStore: {
+				enabled: false
+				// ensure that container has a sufficient memory limit greater than maxSize
+				maxSize: "1Gi"
+			}
+
+			// merge or patch the jetstream config
+			// https://docs.nats.io/running-a-nats-service/configuration#jetstream
+			merge: {}
+			patch: []
+		}
+
+		nats: {
+			port: 4222
+			tls: {
+				enabled: false
+				// set secretName in order to mount an existing secret to dir
+				secretName: null
+				dir:        "/etc/nats-certs/nats"
+				cert:       "tls.crt"
+				key:        "tls.key"
+				// merge or patch the tls config
+				// https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
+				merge: {}
+				patch: []
+			}
+		}
+
+		leafnodes: {
+			enabled: false
+			port:    7422
+			tls: {
+				enabled: false
+				// set secretName in order to mount an existing secret to dir
+				secretName: null
+				dir:        "/etc/nats-certs/leafnodes"
+				cert:       "tls.crt"
+				key:        "tls.key"
+				// merge or patch the tls config
+				// https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
+				merge: {}
+				patch: []
+			}
+
+			// merge or patch the leafnodes config
+			// https://docs.nats.io/running-a-nats-service/configuration/leafnodes/leafnode_conf
+			merge: {}
+			patch: []
+		}
+
+		websocket: {
+			enabled: true | *false
+			port:    8080
+			tls: {
+				enabled: false
+				// set secretName in order to mount an existing secret to dir
+				secretName: null
+				dir:        "/etc/nats-certs/websocket"
+				cert:       "tls.crt"
+				key:        "tls.key"
+				// merge or patch the tls config
+				// https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
+				merge: {}
+				patch: []
+			}
+
+			//###########################################################
+			// ingress
+			//###########################################################
+			// service must be enabled also
+			ingress: {
+				enabled: false
+				// must contain at least 1 host otherwise ingress will not be created
+				hosts: []
+				path:     "/"
+				pathType: "Exact"
+				// sets to the ingress class name
+				className: null
+				// set to an existing secret name to enable TLS on the ingress; applies to all hosts
+				tlsSecretName: null
+
+				// merge or patch the ingress
+				// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#ingress-v1-networking-k8s-io
+				merge: {}
+				patch: []
+				// defaults to "{{ include "nats.fullname" $ }}-ws"
+				name: null
+			}
+
+			// merge or patch the websocket config
+			// https://docs.nats.io/running-a-nats-service/configuration/websocket/websocket_conf
+			merge: {}
+			patch: []
+		}
+
+		mqtt: {
+			enabled: false
+			port:    1883
+			tls: {
+				enabled: false
+				// set secretName in order to mount an existing secret to dir
+				secretName: null
+				dir:        "/etc/nats-certs/mqtt"
+				cert:       "tls.crt"
+				key:        "tls.key"
+				// merge or patch the tls config
+				// https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
+				merge: {}
+				patch: []
+			}
+
+			// merge or patch the mqtt config
+			// https://docs.nats.io/running-a-nats-service/configuration/mqtt/mqtt_config
+			merge: {}
+			patch: []
+		}
+
+		gateway: {
+			enabled: false
+			port:    7222
+			tls: {
+				enabled: false
+				// set secretName in order to mount an existing secret to dir
+				secretName: null
+				dir:        "/etc/nats-certs/gateway"
+				cert:       "tls.crt"
+				key:        "tls.key"
+				// merge or patch the tls config
+				// https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
+				merge: {}
+				patch: []
+			}
+
+			// merge or patch the gateway config
+			// https://docs.nats.io/running-a-nats-service/configuration/gateways/gateway#gateway-configuration-block
+			merge: {}
+			patch: []
+		}
+
+		monitor: {
+			enabled: true
+			port:    8222
+			tls: {
+				// config.nats.tls must be enabled also
+				// when enabled, monitoring port will use HTTPS with the options from config.nats.tls
+				enabled: false
+			}
+		}
+
+		profiling: {
+			enabled: false
+			port:    65432
+		}
+
+		resolver: {
+			enabled: true | *false
+			dir:     "/data/resolver"
+
+			//###########################################################
+			// stateful set -> volume claim templates -> resolver pvc
+			//###########################################################
+			pvc: {
+				enabled:          true
+				size:             "1Gi"
+				storageClassName: null
+
+				// merge or patch the pvc
+				// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core
+				merge: {}
+				patch: []
+				// defaults to "{{ include "nats.fullname" $ }}-resolver"
+				name: null
+			}
+
+			// merge or patch the resolver
+			// https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt/resolver
+			merge: {
+				type?:     string
+				interval?: string
+				timeout?:  string
+			}
+			patch: []
+		}
+
+		// adds a prefix to the server name, which defaults to the pod name
+		// helpful for ensuring server name is unique in a super cluster
+		serverNamePrefix: ""
+
+		// merge or patch the nats config
+		// https://docs.nats.io/running-a-nats-service/configuration
+		// following special rules apply
+		//  1. strings that start with << and end with >> will be unquoted
+		//     use this for variables and numbers with units
+		//  2. keys ending in $include will be switched to include directives
+		//     keys are sorted alphabetically, use prefix before $includes to control includes ordering
+		//     paths should be relative to /etc/nats-config/nats.conf
+		// example:
+		//
+		//   merge:
+		//     $include: ./my-config.conf
+		//     zzz$include: ./my-config-last.conf
+		//     server_name: nats
+		//     authorization:
+		//       token: << $TOKEN >>
+		//     jetstream:
+		//       max_memory_store: << 1GB >>
+		//
+		// will yield the config:
+		// {
+		//   include ./my-config.conf;
+		//   "authorization": {
+		//     "token": $TOKEN
+		//   },
+		//   "jetstream": {
+		//     "max_memory_store": 1GB
+		//   },
+		//   "server_name": "nats",
+		//   include ./my-config-last.conf;
+		// }
+		merge: {
+			operator?:       string
+			system_account?: string
+			resolver_preload?: [string]: string
+		}
+		patch: []
+	}
+
+	//###########################################################
+	// stateful set -> pod template -> nats container
+	//###########################################################
+	container: {
+		image: {
+			repository: "nats"
+			tag:        "2.10.12-alpine"
+			pullPolicy: null
+			registry:   null
+		}
+
+		// container port options
+		// must be enabled in the config section also
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#containerport-v1-core
+		ports: {
+			nats: {}
+			leafnodes: {}
+			websocket: {}
+			mqtt: {}
+			cluster: {}
+			gateway: {}
+			monitor: {}
+			profiling: {}
+		}
+
+		// map with key as env var name, value can be string or map
+		// example:
+		//
+		//   env:
+		//     GOMEMLIMIT: 7GiB
+		//     TOKEN:
+		//       valueFrom:
+		//         secretKeyRef:
+		//           name: nats-auth
+		//           key: token
+		env: {}
+
+		// merge or patch the container
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
+		merge: {}
+		patch: []
+	}
+
+	//###########################################################
+	// stateful set -> pod template -> reloader container
+	//###########################################################
+	reloader: {
+		enabled: true
+		image: {
+			repository: "natsio/nats-server-config-reloader"
+			tag:        "0.14.1"
+			pullPolicy: null
+			registry:   null
+		}
+
+		// env var map, see nats.env for an example
+		env: {}
+
+		// all nats container volume mounts with the following prefixes
+		// will be mounted into the reloader container
+		natsVolumeMountPrefixes: ["/etc/"]
+
+		// merge or patch the container
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
+		merge: {}
+		patch: []
+	}
+
+	//###########################################################
+	// stateful set -> pod template -> prom-exporter container
+	//###########################################################
+	// config.monitor must be enabled
+	promExporter: {
+		enabled: true | *false
+		image: {
+			repository: "natsio/prometheus-nats-exporter"
+			tag:        "0.14.0"
+			pullPolicy: null
+			registry:   null
+		}
+
+		port: 7777
+		// env var map, see nats.env for an example
+		env: {}
+
+		// merge or patch the container
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
+		merge: {}
+		patch: []
+
+		//###########################################################
+		// prometheus pod monitor
+		//###########################################################
+		podMonitor: {
+			enabled: true | *false
+
+			// merge or patch the pod monitor
+			// https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor
+			merge: {}
+			patch: []
+			// defaults to "{{ include "nats.fullname" $ }}"
+			name: null
+		}
+	}
+
+	//###########################################################
+	// service
+	//###########################################################
+	service: {
+		enabled: true
+
+		// service port options
+		// additional boolean field enable to control whether port is exposed in the service
+		// must be enabled in the config section also
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceport-v1-core
+		ports: {
+			nats: enabled:      true
+			leafnodes: enabled: true
+			websocket: enabled: true
+			mqtt: enabled:      true
+			cluster: enabled:   false
+			gateway: enabled:   false
+			monitor: enabled:   false
+			profiling: enabled: false
+		}
+
+		// merge or patch the service
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core
+		merge: {}
+		patch: []
+		// defaults to "{{ include "nats.fullname" $ }}"
+		name: null
+	}
+
+	//###########################################################
+	// other nats extension points
+	//###########################################################
+	// stateful set
+	statefulSet: {
+		// merge or patch the stateful set
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps
+		merge: {}
+		patch: []
+		// defaults to "{{ include "nats.fullname" $ }}"
+		name: null
+	}
+
+	// stateful set -> pod template
+	podTemplate: {
+		// adds a hash of the ConfigMap as a pod annotation
+		// this will cause the StatefulSet to roll when the ConfigMap is updated
+		configChecksumAnnotation: true
+
+		// map of topologyKey: topologySpreadConstraint
+		// labelSelector will be added to match StatefulSet pods
+		//
+		// topologySpreadConstraints:
+		//   kubernetes.io/hostname:
+		//     maxSkew: 1
+		//
+		topologySpreadConstraints: {}
+
+		// merge or patch the pod template
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core
+		merge: {}
+		patch: []
+	}
+
+	// headless service
+	headlessService: {
+		// merge or patch the headless service
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core
+		merge: {}
+		patch: []
+		// defaults to "{{ include "nats.fullname" $ }}-headless"
+		name: null
+	}
+
+	// config map
+	configMap: {
+		// merge or patch the config map
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core
+		merge: {}
+		patch: []
+		// defaults to "{{ include "nats.fullname" $ }}-config"
+		name: null
+	}
+
+	// pod disruption budget
+	podDisruptionBudget: {
+		enabled: true
+		// merge or patch the pod disruption budget
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#poddisruptionbudget-v1-policy
+		merge: {}
+		patch: []
+		// defaults to "{{ include "nats.fullname" $ }}"
+		name: null
+	}
+
+	// service account
+	serviceAccount: {
+		enabled: false
+		// merge or patch the service account
+		// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core
+		merge: {}
+		patch: []
+		// defaults to "{{ include "nats.fullname" $ }}"
+		name: null
+	}
+
+	//###########################################################
+	// natsBox
+	//
+	// NATS Box Deployment and associated resources
+	//###########################################################
+	natsBox: {
+		enabled: true
+
+		//###########################################################
+		// NATS contexts
+		//###########################################################
+		contexts: {
+			default: {
+				creds: {
+					// set contents in order to create a secret with the creds file contents
+					contents: null
+					// set secretName in order to mount an existing secret to dir
+					secretName: null
+					// defaults to /etc/nats-creds/<context-name>
+					dir: null
+					key: "nats.creds"
+				}
+				nkey: {
+					// set contents in order to create a secret with the nkey file contents
+					contents: null
+					// set secretName in order to mount an existing secret to dir
+					secretName: null
+					// defaults to /etc/nats-nkeys/<context-name>
+					dir: null
+					key: "nats.nk"
+				}
+				// used to connect with client certificates
+				tls: {
+					// set secretName in order to mount an existing secret to dir
+					secretName: null
+					// defaults to /etc/nats-certs/<context-name>
+					dir:  null
+					cert: "tls.crt"
+					key:  "tls.key"
+				}
+
+				// merge or patch the context
+				// https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts
+				merge: {}
+				patch: []
+			}
+		}
+
+		// name of context to select by default
+		defaultContextName: "default"
+
+		//###########################################################
+		// deployment -> pod template -> nats-box container
+		//###########################################################
+		container: {
+			image: {
+				repository: "natsio/nats-box"
+				tag:        "0.14.2"
+				pullPolicy: null
+				registry:   null
+			}
+
+			// env var map, see nats.env for an example
+			env: {}
+
+			// merge or patch the container
+			// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
+			merge: {}
+			patch: []
+		}
+
+		//###########################################################
+		// other nats-box extension points
+		//###########################################################
+		// deployment
+		deployment: {
+			// merge or patch the deployment
+			// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#deployment-v1-apps
+			merge: {}
+			patch: []
+			// defaults to "{{ include "nats.fullname" $ }}-box"
+			name: null
+		}
+
+		// deployment -> pod template
+		podTemplate: {
+			// merge or patch the pod template
+			// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core
+			merge: {}
+			patch: []
+		}
+
+		// contexts secret
+		contextsSecret: {
+			// merge or patch the context secret
+			// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core
+			merge: {}
+			patch: []
+			// defaults to "{{ include "nats.fullname" $ }}-box-contexts"
+			name: null
+		}
+
+		// contents secret
+		contentsSecret: {
+			// merge or patch the contents secret
+			// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secret-v1-core
+			merge: {}
+			patch: []
+			// defaults to "{{ include "nats.fullname" $ }}-box-contents"
+			name: null
+		}
+
+		// service account
+		serviceAccount: {
+			enabled: false
+			// merge or patch the service account
+			// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceaccount-v1-core
+			merge: {}
+			patch: []
+			// defaults to "{{ include "nats.fullname" $ }}-box"
+			name: null
+		}
+	}
+
+	//###############################################################################
+	// Extra user-defined resources
+	//###############################################################################
+	//
+	// add arbitrary user-generated resources
+	// example:
+	//
+	// config:
+	//   websocket:
+	//     enabled: true
+	// extraResources:
+	// - apiVersion: networking.istio.io/v1beta1
+	//   kind: VirtualService
+	//   metadata:
+	//     name:
+	//       $tplYaml: >
+	//         {{ include "nats.fullname" $ | quote }}
+	//     labels:
+	//       $tplYaml: |
+	//         {{ include "nats.labels" $ }}
+	//   spec:
+	//     hosts:
+	//     - demo.nats.io
+	//     gateways:
+	//     - my-gateway
+	//     http:
+	//     - name: default
+	//       match:
+	//       - name: root
+	//         uri:
+	//           exact: /
+	//       route:
+	//       - destination:
+	//           host:
+	//             $tplYaml: >
+	//               {{ .Values.service.name | quote }}
+	//           port:
+	//             number:
+	//               $tplYaml: >
+	//                 {{ .Values.config.websocket.port }}
+	//
+	extraResources: []
+}

docs/examples/platforms/holos-saas/clusters/workload/nats/scripts/initialize-auth

@@ -0,0 +1,81 @@
+#! /bin/bash
+#
+# This script initializes authorization for a nats cluster.  The process is:
+#
+# Locally:
+# 1. Generate the nats operator jwt.
+# 2. Generate a SYS account jwt issued by the operator.
+# 3. Store both into vault
+#
+# When nats is deployed an ExternalSecret populates auth.conf which is included
+# into nats.conf.  This approach allows helm values to be used for most things
+# except for secrets.
+#
+# Clean up by removing the nsc directory.
+
+set -euo pipefail
+
+tmpdir="$(mktemp -d)"
+finish() {
+  [[ -d "$tmpdir" ]] && rm -rf "$tmpdir"
+}
+trap finish EXIT
+
+PARENT="$(cd "$(dirname $0)" && pwd)"
+: "${OPERATOR_NAME:="Holos"}"
+
+: "${OIX_NAMESPACE:=$(kubectl config view --minify --flatten -ojsonpath='{.contexts[0].context.namespace}')}"
+nsc="${HOME}/.bin/nsc"
+
+ROOT="${PARENT}/${OIX_NAMESPACE}/nsc"
+export NKEYS_PATH="${ROOT}/nkeys"
+export NSC_HOME="${ROOT}/accounts"
+
+mkdir -p "$NKEYS_PATH"
+mkdir -p "$NSC_HOME"
+
+# Install nsc if not already installed
+if ! [[ -x $nsc ]]; then
+  platform="$(kubectl version --output=json | jq .clientVersion.platform -r)"
+  platform="${platform//\//-}"
+  curl -fSLo "${tmpdir}/nsc.zip" "https://github.com/nats-io/nsc/releases/download/v2.8.6/nsc-${platform}.zip"
+  (cd "${tmpdir}" && unzip nsc.zip)
+  sudo install -o 0 -g 0 -m 0755 "${tmpdir}/nsc" $nsc
+fi
+
+echo "export NKEYS_PATH='${NKEYS_PATH}'" > "${ROOT}/nsc.env"
+echo "export NSC_HOME='${NSC_HOME}'" >> "${ROOT}/nsc.env"
+# use kubectl port-forward nats-headless 4222
+echo "export NATS_URL='nats://localhost:4222'" >> "${ROOT}/nsc.env"
+echo "export NATS_CREDS='${ROOT}/nkeys/creds/${OPERATOR_NAME}/SYS/sys.creds'" >> "${ROOT}/nsc.env"
+
+echo "export NATS_CA='${ROOT}/ca.crt'" >> "${ROOT}/nsc.env"
+echo "export NATS_CERT='${ROOT}/tls.crt'" >> "${ROOT}/nsc.env"
+echo "export NATS_KEY='${ROOT}/tls.key'" >> "${ROOT}/nsc.env"
+
+$nsc --data-dir="${ROOT}/stores" list operators
+
+# Create operator
+$nsc add operator --name "${OPERATOR_NAME}"
+# Create system account
+$nsc add account --name SYS
+$nsc add user    --name sys
+# Create account for STAN purposes.
+$nsc add account --name STAN
+$nsc add user    --name stan
+
+# Generate an auth config compatible with the StatefulSet mounting the
+# nats-jwt-pvc PersistentVolumeClaim at path /data/accounts
+$nsc generate config --sys-account SYS --nats-resolver \
+  | sed "s,dir.*jwt',dir: '/data/accounts'" \
+  > "${ROOT}/auth.conf"
+
+# Store the auth config in vault.
+# vault kv put kv/${OIX_CLUSTER_NAME}/kube-namespace/holos-dev/nats-auth-config "auth.conf=@${tmpdir}/auth.conf"
+# Store the SYS creds in vault for use by the nack controller.
+# vault kv put kv/${OIX_CLUSTER_NAME}/kube-namespace/holos-dev/nats-sys-creds "sys.creds=@${OIX_CLUSTER_NAME}/nsc/nkeys/creds/${OPERATOR_NAME}/SYS/sys.creds"
+
+echo "After deploying the nats component, use the get-cert command to fetch the client cert."
+
+echo "Use kubectl port-forward svc/nats-headless 4222" >&2
+echo "source ${ROOT}/nsc.env to make it all work." >&2

docs/examples/platforms/reference/clusters/foundation/cloud/argocd/argocd.cue

@@ -71,14 +71,15 @@ let IstioInject = [{op: "add", path: "/spec/template/metadata/labels/sidecar.ist
 	}
 }
 
-// Probably shouldn't use the authproxy struct and should instead define an identity provider struct.
-let AuthProxySpec = #AuthProxySpec & #Platform.authproxy
+let OAuthClient = #Platform.oauthClients.argocd.spec
 
 let OIDCConfig = {
-	name:     "Holos Platform"
-	issuer:   AuthProxySpec.issuer
-	clientID: #Platform.argocd.clientID
-	requestedIDTokenClaims: groups: essential: true
-	requestedScopes: ["openid", "profile", "email", "groups", "urn:zitadel:iam:org:domain:primary:\(AuthProxySpec.orgDomain)"]
+	name:            "Holos Platform"
+	issuer:          OAuthClient.issuer
+	clientID:        OAuthClient.clientID
+	requestedScopes: OAuthClient.scopesList
+	// Set redirect uri to https://argocd.example.com/pkce/verify
 	enablePKCEAuthentication: true
+
+	requestedIDTokenClaims: groups: essential: true
 }

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/gateway/gateway.cue

@@ -21,12 +21,12 @@ spec: components: KubernetesObjectsList: [
 // GatewayServers represents all hosts for all VirtualServices in the cluster attached to Gateway/default
 // NOTE: This is a critical structure because the default Gateway should be used in most cases.
 let GatewayServers = {
+	// Critical Feature: Map all Project hosts to the default Gateway.
 	for Project in _Projects {
-		for server in (#ProjectTemplate & {project: Project}).ClusterGatewayServers {
-			(server.port.name): server
-		}
+		(#ProjectTemplate & {project: Project}).ClusterDefaultGatewayServers
 	}
 
+	// TODO: Refactor to use FQDN as key
 	for k, svc in #OptionalServices {
 		if svc.enabled && list.Contains(svc.clusterNames, #ClusterName) {
 			for server in svc.servers {
@@ -35,6 +35,7 @@ let GatewayServers = {
 		}
 	}
 
+	// TODO: Remove?  Why aren't these part of the platform project?
 	if #PlatformServers[#ClusterName] != _|_ {
 		for server in #PlatformServers[#ClusterName] {
 			(server.port.name): server
@@ -52,6 +53,11 @@ let OBJECTS = #APIObjects & {
 			spec: servers: [for x in GatewayServers {x}]
 		}
 
+		// Manage an ExternalSecret for each server defined in the default Gateway to sync the cert.
+		for Server in Gateway.default.spec.servers {
+			ExternalSecret: "\(Server.tls.credentialName)": metadata: namespace: "istio-ingress"
+		}
+
 		for k, svc in #OptionalServices {
 			if svc.enabled && list.Contains(svc.clusterNames, #ClusterName) {
 				for k, s in svc.servers {

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/ingress/ingress.cue

@@ -8,7 +8,7 @@ let ComponentName = "\(#InstancePrefix)-ingress"
 
 spec: components: HelmChartList: [
 	#HelmChart & {
-		_dependsOn: "prod-secrets-namespaces":       _
+		_dependsOn: "prod-secrets-stores":           _
 		_dependsOn: "\(#InstancePrefix)-istio-base": _
 		_dependsOn: "\(#InstancePrefix)-istiod":     _
 
@@ -76,6 +76,10 @@ let RedirectMetaName = {
 
 let OBJECTS = #APIObjects & {
 	apiObjects: {
+		ExternalSecret: "istio-ingress-mtls-cert": #ExternalSecret & {
+			metadata: name:      "istio-ingress-mtls-cert"
+			metadata: namespace: #TargetNamespace
+		}
 		Gateway: {
 			"\(RedirectMetaName.name)": #Gateway & {
 				metadata: RedirectMetaName

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/mesh.cue

@@ -18,6 +18,10 @@ _IngressAuthProxy: {
 	Domains: (#Platform.org.domain):                    _
 	Domains: "\(#ClusterName).\(#Platform.org.domain)": _
 
+	// TODO: This should be generated from ProjectHosts
+	Domains: "holos.run":                 _
+	Domains: "\(#ClusterName).holos.run": _
+
 	let Metadata = {
 		name:      string
 		namespace: Namespace
@@ -271,11 +275,14 @@ _IngressAuthProxy: {
 					rules: [
 						{
 							to: [{
+								// Refer to https://istio.io/latest/docs/ops/best-practices/security/#writing-host-match-policies
 								operation: notHosts: [
 									// Never send requests for the login service through the authorizer, would block login.
 									AuthProxySpec.issuerHost,
+									"\(AuthProxySpec.issuerHost):*",
 									// Exclude hosts with specialized rules from the catch-all.
 									for x in _AuthPolicyRules.hosts {x.name},
+									for x in _AuthPolicyRules.hosts {"\(x.name):*"},
 								]
 							}]
 							when: [
@@ -298,7 +305,7 @@ _IngressAuthProxy: {
 _AuthPolicyRules: #AuthPolicyRules & {
 	hosts: {
 		let Vault = "vault.core.ois.run"
-		(Vault): {
+		"\(Vault)": {
 			slug: "vault"
 			// Rules for when to route requests through the auth proxy
 			spec: rules: [
@@ -321,3 +328,20 @@ _AuthPolicyRules: #AuthPolicyRules & {
 		}
 	}
 }
+
+// Exclude project hosts from the auth proxy if configured to do so.  The
+// intended effect is to exclude the host from the blanket `authproxy-custom`
+// AuthorizationPolicy rule _without_ adding a specialized AuthorizationPolicy
+// for the same host.  This has the effect of completely excluding the host from
+// authorization policy.
+for Project in _Projects {
+	let ProjectHosts = (#ProjectHosts & {project: Project}).Hosts
+
+	for FQDN, Host in ProjectHosts {
+		if Host.NoAuthorizationPolicy {
+			if Host.clusters[#ClusterName] != _|_ {
+				_AuthPolicyRules: hosts: "\(Host.fqdn)": NoAuthorizationPolicy: true
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/foundation/cloud/obs/obs.cue

@@ -4,7 +4,7 @@ package holos
 
 let Namespace = "prod-platform"
 
-// FYI: kube-prometheus-stack is a large umbrella chart what brings in other large charts like
+// FYI: kube-prometheus-stack is a large umbrella chart that brings in other large charts like
 // [grafana](https://github.com/grafana/helm-charts/tree/main/charts/grafana).
 // This may make affect maintainability.  Consider breaking the integration down into
 // constituent charts represented as holos component instances.
@@ -77,7 +77,7 @@ spec: components: HelmChartList: [
 						token_url:           OIDC.token_endpoint
 						api_url:             OIDC.userinfo_endpoint
 						use_pkce:            true
-						name_attribute_path: name
+						name_attribute_path: "name"
 						// TODO: Lift the admin, editor, and viewer group names up to the plaform config struct.
 						role_attribute_path: "contains(groups[*], 'prod-cluster-admin') && 'Admin' || contains(groups[*], 'prod-cluster-editor') && 'Editor' || 'Viewer'"
 					}

docs/examples/platforms/reference/clusters/holos/nats/envs/nats.cue

@@ -1,37 +0,0 @@
-package holos
-
-// for Project in _Projects {
-// 	spec: components: resources: (#ProjectTemplate & {project: Project}).workload.resources
-// }
-
-let Namespace = "jeff-holos"
-
-#Kustomization: spec: targetNamespace: Namespace
-
-spec: components: HelmChartList: [
-	#HelmChart & {
-		metadata: name: "jeff-holos-nats"
-		namespace: Namespace
-		_dependsOn: "prod-secrets-stores": _
-		chart: {
-			name:       "nats"
-			version:    "1.1.10"
-			repository: NatsRepository
-		}
-	},
-	#HelmChart & {
-		metadata: name: "jeff-holos-nack"
-		namespace: Namespace
-		_dependsOn: "jeff-holos-nats": _
-		chart: {
-			name:       "nack"
-			version:    "0.25.2"
-			repository: NatsRepository
-		}
-	},
-]
-
-let NatsRepository = {
-	name: "nats"
-	url:  "https://nats-io.github.io/k8s/helm/charts/"
-}

docs/examples/platforms/reference/clusters/platform-projects.cue

@@ -4,15 +4,23 @@ package holos
 
 let ZitadelProjectID = 257713952794870157
 
+let AllClusters = {
+	// platform level services typically run in the core cluster pair.
+	core1: _
+	core2: _
+	// for development, probably wouldn't run these services in the workload clusters.
+	k1: _
+	k2: _
+	k3: _
+	k4: _
+	k5: _
+}
+
 _Projects: #Projects & {
 	// The platform project is required and where platform services reside.  ArgoCD, Grafana, Prometheus, etc...
 	platform: {
 		resourceId: ZitadelProjectID
-		// platform level services typically run in the core cluster pair.
-		clusters: core1: _
-		clusters: core2: _
-		// for development, probably wouldn't run these services in the workload clusters.
-		clusters: k2: _
+		clusters:   AllClusters
 		// Services hosted in the platform project
 		hosts: argocd:     _
 		hosts: grafana:    _
@@ -21,8 +29,9 @@ _Projects: #Projects & {
 
 	holos: {
 		resourceId: ZitadelProjectID
-		clusters: k1: _
-		clusters: k2: _
+		domain:     "holos.run"
+		clusters:   AllClusters
+
 		environments: {
 			prod: stage: "prod"
 			dev: stage:  "dev"
@@ -30,6 +39,13 @@ _Projects: #Projects & {
 			gary: stage: dev.stage
 			nate: stage: dev.stage
 		}
+
+		// app is the holos web app and grpc api.
+		hosts: app: _
+		// provision is the choria broker provisioning system.
+		hosts: provision: NoAuthorizationPolicy: true
+		// nats is the nats service holos controller machine room agents connect after provisioning.
+		hosts: nats: NoAuthorizationPolicy: true
 	}
 
 	iam: {

docs/examples/platforms/reference/clusters/provisioner/mesh/istio/ingress/ingress.cue

@@ -0,0 +1,40 @@
+package holos
+
+// Certificate used by the ingress to connect to services using a platform
+// issued certificate but which are not using istio sidecar injection.
+// Examples are keycloak, vault, nats, choria, etc...
+
+let Namespace = "istio-ingress"
+let CertName = "istio-ingress-mtls-cert"
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-platform-issuer": _
+
+		metadata: name: CertName
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		Certificate: "\(CertName)": #Certificate & {
+			metadata: {
+				name:      CertName
+				namespace: Namespace
+			}
+			spec: {
+				secretName: metadata.name
+				issuerRef: kind: "ClusterIssuer"
+				issuerRef: name: "platform-issuer"
+				commonName: "istio-ingress"
+				dnsNames: [
+					"istio-ingress",
+					"istio-ingress.\(Namespace)",
+					"istio-ingress.\(Namespace).svc",
+					"istio-ingress.\(Namespace).svc.cluster.local",
+				]
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/provisioner/platform-issuer/platform-issuer.cue

@@ -0,0 +1,53 @@
+package holos
+
+// Refer to https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
+
+let Namespace = "cert-manager"
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "prod-platform-issuer"
+
+		_dependsOn: "prod-mesh-certmanager": _
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let SelfSigned = "platform-selfsigned"
+let PlatformIssuer = "platform-issuer"
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		ClusterIssuer: {
+			"\(SelfSigned)": #ClusterIssuer & {
+				metadata: name: SelfSigned
+				spec: selfSigned: {}
+			}
+		}
+		Certificate: {
+			"\(PlatformIssuer)": #Certificate & {
+				metadata: name:      PlatformIssuer
+				metadata: namespace: Namespace
+				spec: {
+					duration:   "999999h"
+					isCA:       true
+					commonName: PlatformIssuer
+					secretName: PlatformIssuer
+					privateKey: algorithm: "ECDSA"
+					privateKey: size:      256
+					issuerRef: {
+						name:  SelfSigned
+						kind:  "ClusterIssuer"
+						group: "cert-manager.io"
+					}
+				}
+			}
+		}
+		ClusterIssuer: {
+			"\(PlatformIssuer)": #ClusterIssuer & {
+				metadata: name: PlatformIssuer
+				spec: ca: secretName: PlatformIssuer
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/provisioner/platform-issuer/readme.md

@@ -0,0 +1,5 @@
+# Platform Issuer
+
+The platform issuer is a self signed root certificate authority which acts as a private pki for the platform.  Used to issue certificates for use internally within the platform in a way that supports multi-cluster communication.
+
+Refer to [Bootstrapping CA Issuers](https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers)

docs/examples/platforms/reference/clusters/provisioner/projects/projects.cue

@@ -1,5 +1,11 @@
 package holos
 
 for Project in _Projects {
-	spec: components: resources: (#ProjectTemplate & {project: Project}).provisioner.resources
+
+	// Debugging variable to enable inspecting the project host data:
+	// cue eval --out json -t cluster=provisioner ./platforms/reference/clusters/provisioner/projects/... -e _ProjectHosts.holos  > hosts.json
+	let ProjectData = (#ProjectTemplate & {project: Project})
+	_ProjectHosts: "\(Project.name)": ProjectData.ProjectHosts
+
+	spec: components: resources: ProjectData.provisioner.resources
 }

docs/examples/platforms/reference/platform-project-schema.cue

@@ -0,0 +1,25 @@
+package holos
+
+// Platform level definition of a project.
+#Project: {
+	name: string
+
+	// All projects have at least a prod and dev environment and stage.
+
+	// Omit the prod stage segment from hostnames.  foo.holos.run not foo.prod.holos.run
+	stages: prod: stageSegments: []
+	environments: prod: stage: "prod"
+	// Omit the prod env segment from hostnames.  foo.holos.run not prod.foo.holos.run
+	environments: prod: envSegments: []
+
+	stages: dev: _
+	environments: dev: stage: "dev"
+	// Omit the dev env segment from hostnames.  foo.dev.holos.run not dev.foo.dev.holos.run
+	environments: dev: envSegments: []
+
+	// environments share the stage segments of their stage.
+	environments: [_]: {
+		stage:         string
+		stageSegments: stages[stage].stageSegments
+	}
+}

docs/examples/platforms/reference/project_constraints.cue

@@ -1 +0,0 @@
-package holos

docs/examples/project-hosts.cue

@@ -0,0 +1,143 @@
+package holos
+
+import "strings"
+
+// #ProjectHosts represents all of the hosts associated with the project
+// organized for use in Certificates, Gateways, VirtualServices.
+#ProjectHosts: {
+	project: #Project
+
+	// Hosts map key fqdn to host to reduce into structs organized by stage,
+	// canonical name, etc...  The flat nature and long list of properties is
+	// intended to make it straight forward to derive another struct for Gateways,
+	// VirtualServices, Certificates, AuthProxy cookie domains, etc...
+	Hosts: {
+		for Env in project.environments {
+			for Host in project.hosts {
+				// Global hostname, e.g. app.holos.run
+				let CertInfo = (#MakeCertInfo & {
+					host:       Host
+					env:        Env
+					domain:     project.domain
+					clusterMap: project.clusters
+				}).CertInfo
+
+				"\(CertInfo.fqdn)": CertInfo
+
+				// Cluster hostname, e.g. app.east1.holos.run, app.west1.holos.run
+				for Cluster in project.clusters {
+					let CertInfo = (#MakeCertInfo & {
+						host:       Host
+						env:        Env
+						domain:     project.domain
+						cluster:    Cluster.name
+						clusterMap: project.clusters
+					}).CertInfo
+
+					"\(CertInfo.fqdn)": CertInfo
+				}
+			}
+		}
+	}
+}
+
+// #MakeCertInfo provides dns info for a certificate
+// Refer to: https://github.com/holos-run/holos/issues/66#issuecomment-2027562626
+#MakeCertInfo: {
+	host:       #Host
+	env:        #Environment
+	domain:     string
+	cluster:    string
+	clusterMap: #ClusterMap
+
+	let Stage = #StageInfo & {name: env.stage, project: env.project}
+	let Env = env
+
+	// DNS segments from left to right.
+	let EnvSegments = env.envSegments
+
+	WildcardSegments: [...string]
+	if len(env.envSegments) > 0 {
+		WildcardSegments: ["*"]
+	}
+
+	let HostSegments = [host.name]
+
+	let StageSegments = env.stageSegments
+
+	ClusterSegments: [...string]
+	if cluster != _|_ {
+		ClusterSegments: [cluster]
+	}
+
+	let DomainSegments = [domain]
+
+	// Assemble the segments
+
+	let FQDN = EnvSegments + HostSegments + StageSegments + ClusterSegments + DomainSegments
+	let WILDCARD = WildcardSegments + HostSegments + StageSegments + ClusterSegments + DomainSegments
+	let CANONICAL = HostSegments + StageSegments + DomainSegments
+
+	CertInfo: #CertInfo & {
+		fqdn:      strings.Join(FQDN, ".")
+		wildcard:  strings.Join(WILDCARD, ".")
+		canonical: strings.Join(CANONICAL, ".")
+
+		project: name: Env.project
+		stage: #StageOrEnvRef & {
+			name:      Stage.name
+			slug:      Stage.slug
+			namespace: Stage.namespace
+		}
+		env: #StageOrEnvRef & {
+			name:      Env.name
+			slug:      Env.slug
+			namespace: Env.namespace
+		}
+
+		if cluster != _|_ {
+			// Host is valid on a single cluster.
+			clusters: "\(cluster)": _
+		}
+
+		if cluster == _|_ {
+			// Host is valid on all project clusters.
+			clusters: clusterMap
+		}
+
+		NoAuthorizationPolicy: host.NoAuthorizationPolicy
+	}
+}
+
+// #CertInfo defines the attributes associated with a fully qualfied domain name
+#CertInfo: {
+	// fqdn is the fully qualified domain name, never a wildcard.
+	fqdn: string
+	// canonical is the canonical name this name may be an alternate name for.
+	canonical: string
+	// wildcard may replace the left most segment fqdn with a wildcard to consolidate cert dnsNames.  If not a wildcad, must be fqdn
+	wildcard: string
+
+	// Project, stage and env attributes for mapping and collecting.
+	project: name: string
+
+	stage: #StageOrEnvRef
+	env:   #StageOrEnvRef
+
+	// clusters represents the cluster names the fqdn is valid on.
+	clusters: #ClusterMap
+	// hosts are always valid on the provisioner cluster
+	clusters: provisioner: _
+
+	// NoAuthorizationPolicy excludes the host from the auth proxy integrated with
+	// the default ingress Gateway.
+	NoAuthorizationPolicy: true | *false
+}
+
+#ClusterMap: [Name=string]: #Cluster & {name: Name}
+
+#StageOrEnvRef: {
+	name:      string
+	slug:      string
+	namespace: string
+}

docs/examples/project-template-provisioner-certs.cue

@@ -0,0 +1,45 @@
+package holos
+
+#ProjectTemplate: {
+	project:        _
+	GatewayServers: _
+
+	// Sort GatewayServers by the tls credentialName to issue wildcards
+	let GatewayCerts = {
+		for FQDN, Server in GatewayServers {
+			let CertInfo = Server._CertInfo
+
+			// Sort into stage for the holos components, e.g. prod-iam-certs, dev-iam-certs
+			"\(CertInfo.stage.slug)": {
+				"\(Server.tls.credentialName)": #Certificate & {
+
+					// Store the dnsNames in a struct so they can be collected into a list
+					_dnsNames: "\(CertInfo.wildcard)": CertInfo.wildcard
+
+					metadata: name:      CertInfo.canonical & Server.tls.credentialName
+					metadata: namespace: "istio-ingress"
+					spec: {
+						commonName: CertInfo.canonical
+						secretName: CertInfo.canonical & Server.tls.credentialName
+						dnsNames: [for x in _dnsNames {x}]
+						issuerRef: {
+							kind: "ClusterIssuer"
+							name: "letsencrypt"
+						}
+					}
+				}
+			}
+		}
+	}
+
+	// Resources to be managed on the provisioner cluster.
+	provisioner: resources: {
+		for stage in project.stages {
+			"\(stage.slug)-certs": #KubernetesObjects & {
+				apiObjectMap: (#APIObjects & {
+					apiObjects: Certificate: GatewayCerts[stage.slug]
+				}).apiObjectMap
+			}
+		}
+	}
+}

docs/examples/project-template.cue

@@ -1,87 +1,77 @@
 package holos
 
-import "encoding/yaml"
+import (
+	h "github.com/holos-run/holos/api/v1alpha1"
+	"encoding/yaml"
+	"strings"
+)
 
-// Platform level definition of a project.
-#Project: {
-	name: string
+// let SourceLoc = "project-template.cue"
 
-	// All projects have at least a prod environment and stage.
-	stages: prod: stageSegments: []
-	environments: prod: stage: "prod"
-	environments: prod: envSegments: []
-	stages: dev: _
-	environments: dev: stage: "dev"
-	environments: dev: envSegments: []
-	// Ensure at least the project name is a short hostname.  Additional may be added.
-	hosts: (name): _
+#ProjectTemplate: {
+	project: #Project
 
-	// environments share the stage segments of their stage.
-	environments: [_]: {
-		stage:         string
-		stageSegments: stages[stage].stageSegments
+	// workload cluster resources
+	workload: resources: [Name=_]: h.#KubernetesObjects & {
+		metadata: name: Name
+	}
+
+	// provisioner cluster resources
+	provisioner: resources: [Name=_]: h.#KubernetesObjects & {
+		metadata: name: Name
 	}
 }
 
+// Reference Platform Project Template
 #ProjectTemplate: {
 	project: #Project
 	let Project = project
 
-	// GatewayServers maps Gateway spec.servers #GatewayServer values indexed by stage then name.
-	let GatewayServers = {
-		// Initialize all stages, even if they have no environments.
-		for stage in project.stages {
-			(stage.name): {}
-		}
+	// ProjectHosts represents all of the hosts associated with a project indexed
+	// by FQDN with #CertInfo values.  Slice and dice this struct as needed to
+	// work with hosts in the platform.
+	ProjectHosts: (#ProjectHosts & {project: Project}).Hosts
 
-		// For each stage, construct entries for the Gateway spec.servers.hosts field.
-		for env in project.environments {
-			(env.stage): {
-				let Env = env
-				let Stage = project.stages[env.stage]
-				for host in (#EnvHosts & {project: Project, env: Env}).hosts {
-					(host.name): #GatewayServer & {
-						hosts: [
-							"\(env.namespace)/\(host.name)",
-							// Allow the authproxy VirtualService to match the project.authProxyPrefix path.
-							"\(Stage.namespace)/\(host.name)",
-						]
-						port: host.port
-						tls: credentialName: host.name
-						tls: mode:           "SIMPLE"
+	// GatewayServers maps Gateway spec.servers #GatewayServer values indexed by stage then name.
+	GatewayServers: {
+		for FQDN, Host in ProjectHosts {
+			// If the host is valid on the cluster being rendered
+			if Host.clusters[#ClusterName] != _|_ {
+				"\(FQDN)": #GatewayServer & {
+					_CertInfo: Host
+					hosts: [
+						"\(Host.env.namespace)/\(FQDN)",
+						// Allow the authproxy VirtualService to match the project.authProxyPrefix path.
+						"\(Host.stage.namespace)/\(FQDN)",
+					]
+					port: {
+						// NOTE: port names in servers must be unique: duplicate name https
+						name:     "https-" + strings.Replace(FQDN, ".", "-", -1)
+						number:   443
+						protocol: "HTTPS"
 					}
+					tls: credentialName: Host.canonical
+					tls: mode:           "SIMPLE"
 				}
 			}
 		}
 	}
 
-	// ClusterGatewayServers provides a struct of Gateway servers for the current cluster.
+	// ClusterDefaultGatewayServers provides a struct of Gateway servers for the current cluster.
 	// This is intended for Gateway/default to add all servers to the default gateway.
-	ClusterGatewayServers: {
+	ClusterDefaultGatewayServers: {
 		if project.clusters[#ClusterName] != _|_ {
-			for Stage in project.stages {
-				for server in GatewayServers[Stage.name] {
-					(server.port.name): server
-				}
-			}
+			GatewayServers
 		}
 	}
 
 	workload: resources: {
-		// Provide resources only if the project is managed on --cluster-name
+		// Provide resources only if the project is managed on the cluster specified
+		// by --cluster-name
 		if project.clusters[#ClusterName] != _|_ {
 			for stage in project.stages {
 				let Stage = stage
 
-				// Istio Gateway
-				"\(stage.slug)-gateway": #KubernetesObjects & {
-					apiObjectMap: (#APIObjects & {
-						for host in GatewayServers[stage.name] {
-							apiObjects: ExternalSecret: (host.tls.credentialName): metadata: namespace: "istio-ingress"
-						}
-					}).apiObjectMap
-				}
-
 				// Manage auth-proxy in each stage
 				if project.features.authproxy.enabled {
 					"\(stage.slug)-authproxy": #KubernetesObjects & {
@@ -114,90 +104,6 @@ import "encoding/yaml"
 			}
 		}
 	}
-
-	provisioner: resources: {
-		for stage in project.stages {
-			"\(stage.slug)-certs": #KubernetesObjects & {
-				apiObjectMap: (#APIObjects & {
-					for host in GatewayServers[stage.name] {
-						let CN = host.tls.credentialName
-						apiObjects: Certificate: (CN): #Certificate & {
-							metadata: name:      CN
-							metadata: namespace: "istio-ingress"
-							spec: {
-								commonName: CN
-								dnsNames: [CN]
-								secretName: CN
-								issuerRef: {
-									kind: "ClusterIssuer"
-									name: "letsencrypt"
-								}
-							}
-						}
-					}
-				}).apiObjectMap
-			}
-		}
-	}
-}
-
-let HTTPBIN = {
-	name:    string | *"httpbin"
-	project: #Project
-	env:     #Environment
-	let Name = name
-	let Stage = project.stages[env.stage]
-
-	let Metadata = {
-		name:      Name
-		namespace: env.namespace
-		labels: app: name
-	}
-	let Labels = {
-		"app.kubernetes.io/name":       Name
-		"app.kubernetes.io/instance":   env.slug
-		"app.kubernetes.io/part-of":    env.project
-		"security.holos.run/authproxy": Stage.extAuthzProviderName
-	}
-
-	apiObjects: {
-		Deployment: (Name): #Deployment & {
-			metadata: Metadata
-
-			spec: selector: matchLabels: Metadata.labels
-			spec: template: {
-				metadata: labels: Metadata.labels & #IstioSidecar & Labels
-				spec: securityContext: seccompProfile: type: "RuntimeDefault"
-				spec: containers: [{
-					name:  Name
-					image: "quay.io/holos/mccutchen/go-httpbin"
-					ports: [{containerPort: 8080}]
-					securityContext: {
-						seccompProfile: type: "RuntimeDefault"
-						allowPrivilegeEscalation: false
-						runAsNonRoot:             true
-						runAsUser:                8192
-						runAsGroup:               8192
-						capabilities: drop: ["ALL"]
-					}}]
-			}
-		}
-		Service: (Name): #Service & {
-			metadata: Metadata
-			spec: selector: Metadata.labels
-			spec: ports: [
-				{port: 80, targetPort: 8080, protocol: "TCP", name: "http"},
-			]
-		}
-		VirtualService: (Name): #VirtualService & {
-			metadata: Metadata
-			let Project = project
-			let Env = env
-			spec: hosts: [for host in (#EnvHosts & {project: Project, env: Env}).hosts {host.name}]
-			spec: gateways: ["istio-ingress/default"]
-			spec: http: [{route: [{destination: host: Name}]}]
-		}
-	}
 }
 
 // AUTHPROXY configures one oauth2-proxy deployment for each host in each stage of a project.  Multiple deployments per stage are used to narrow down the cookie domain.
@@ -462,6 +368,65 @@ let AUTHPROXY = {
 	}
 }
 
+let HTTPBIN = {
+	name:    string | *"httpbin"
+	project: #Project
+	env:     #Environment
+	let Name = name
+	let Stage = project.stages[env.stage]
+
+	let Metadata = {
+		name:      Name
+		namespace: env.namespace
+		labels: app: name
+	}
+	let Labels = {
+		"app.kubernetes.io/name":       Name
+		"app.kubernetes.io/instance":   env.slug
+		"app.kubernetes.io/part-of":    env.project
+		"security.holos.run/authproxy": Stage.extAuthzProviderName
+	}
+
+	apiObjects: {
+		Deployment: (Name): #Deployment & {
+			metadata: Metadata
+
+			spec: selector: matchLabels: Metadata.labels
+			spec: template: {
+				metadata: labels: Metadata.labels & #IstioSidecar & Labels
+				spec: securityContext: seccompProfile: type: "RuntimeDefault"
+				spec: containers: [{
+					name:  Name
+					image: "quay.io/holos/mccutchen/go-httpbin"
+					ports: [{containerPort: 8080}]
+					securityContext: {
+						seccompProfile: type: "RuntimeDefault"
+						allowPrivilegeEscalation: false
+						runAsNonRoot:             true
+						runAsUser:                8192
+						runAsGroup:               8192
+						capabilities: drop: ["ALL"]
+					}}]
+			}
+		}
+		Service: (Name): #Service & {
+			metadata: Metadata
+			spec: selector: Metadata.labels
+			spec: ports: [
+				{port: 80, targetPort: 8080, protocol: "TCP", name: "http"},
+			]
+		}
+		VirtualService: (Name): #VirtualService & {
+			metadata: Metadata
+			let Project = project
+			let Env = env
+			spec: hosts: [for host in (#EnvHosts & {project: Project, env: Env}).hosts {host.name}]
+			spec: gateways: ["istio-ingress/default"]
+			spec: http: [{route: [{destination: host: Name}]}]
+		}
+	}
+}
+
 // AUTHPOLICY configures the baseline AuthorizationPolicy and RequestAuthentication policy for each stage of each project.
 let AUTHPOLICY = {
 	project: #Project

docs/examples/project_types.cue

@@ -1,12 +1,12 @@
 package holos
 
-import h "github.com/holos-run/holos/api/v1alpha1"
-
 import "strings"
 
 // #Projects is a map of all the projects in the platform.
 #Projects: [Name=_]: #Project & {name: Name}
 
+_Projects: #Projects
+
 // The platform project is required and where platform services reside.  ArgoCD, Grafana, Prometheus, etc...
 #Projects: platform: _
 
@@ -59,7 +59,7 @@ import "strings"
 		}
 	}
 
-	// features is YAGNI maybe? 
+	// Thes are useful to enable / disable.
 	features: [Name=string]: #Feature & {name: Name}
 	features: authproxy: _
 	features: httpbin:   _
@@ -68,8 +68,13 @@ import "strings"
 // #Cluster defines a cluster
 #Cluster: name: string
 
-// #Host defines a short hostname
-#Host: name: string
+#Host: {
+	// #Host defines a short hostname
+	name: string
+	// NoAuthorizationPolicy excludes the host from the auth proxy integrated with
+	// the default ingress Gateway.
+	NoAuthorizationPolicy: true | *false
+}
 
 #Environment: {
 	// name uniquely identifies the environment within the scope of the project.
@@ -91,15 +96,25 @@ import "strings"
 		name:     string
 		cluster?: string
 		clusterSegments: [...string]
+		wildcard: true | *false
 		if cluster != _|_ {
 			clusterSegments: [cluster]
 		}
-		let SEGMENTS = envSegments + [name] + stageSegments + clusterSegments + [#Platform.org.domain]
+		_EnvSegments: [...string]
+		if wildcard {
+			if len(envSegments) > 0 {
+				_EnvSegments: ["*"]
+			}
+		}
+		if !wildcard {
+			_EnvSegments: envSegments
+		}
+		let SEGMENTS = _EnvSegments + [name] + stageSegments + clusterSegments + [_Projects[project].domain]
 		let NAMESEGMENTS = ["https"] + SEGMENTS
 		host: {
 			name: strings.Join(SEGMENTS, ".")
 			port: {
-				name:     strings.Replace(strings.Join(NAMESEGMENTS, "-"), ".", "-", -1)
+				name:     strings.Replace(strings.Replace(strings.Join(NAMESEGMENTS, "-"), ".", "-", -1), "*", "wildcard", -1)
 				number:   443
 				protocol: "HTTPS"
 			}
@@ -107,17 +122,26 @@ import "strings"
 	}
 }
 
-#Stage: {
+#StageInfo: {
 	name:    string
 	project: string
 	slug:    "\(name)-\(project)"
 	// namespace is the system namespace for the project stage
 	namespace: "\(name)-\(project)-system"
+}
+
+#Stage: {
+	#StageInfo
+	name:      string
+	project:   string
+	namespace: string
+	slug:      string
+
 	// Manage a system namespace for each stage
 	namespaces: [Name=_]: name: Name
-	namespaces: (namespace): _
+	namespaces: "\(namespace)": _
 	// stageSegments are the stage portion of the dns segments
-	stageSegments: [...string] | *[name]
+	stageSegments: [] | *[name]
 	// authProxyClientID is the ClientID registered with the oidc issuer.
 	authProxyClientID: string
 	// extAuthzProviderName is the provider name in the mesh config
@@ -130,20 +154,6 @@ import "strings"
 	enabled:     true | *false
 }
 
-#ProjectTemplate: {
-	project: #Project
-
-	// workload cluster resources
-	workload: resources: [Name=_]: h.#KubernetesObjects & {
-		metadata: name: Name
-	}
-
-	// provisioner cluster resources
-	provisioner: resources: [Name=_]: h.#KubernetesObjects & {
-		metadata: name: Name
-	}
-}
-
 // #EnvHosts provides hostnames given a project and environment.
 // Refer to https://github.com/holos-run/holos/issues/66#issuecomment-2027562626
 #EnvHosts: {
@@ -166,7 +176,7 @@ import "strings"
 }
 
 // #StageDomains provides hostnames given a project and stage.  Primarily for the
-// auth proxy.
+// auth proxy cookie domains.
 // Refer to https://github.com/holos-run/holos/issues/66#issuecomment-2027562626
 #StageDomains: {
 	// names are the leading prefix names to create hostnames for.

docs/examples/schema.cue

@@ -15,6 +15,7 @@ import (
 	crt "cert-manager.io/certificate/v1"
 	gw "networking.istio.io/gateway/v1beta1"
 	vs "networking.istio.io/virtualservice/v1beta1"
+	dr "networking.istio.io/destinationrule/v1beta1"
 	ra "security.istio.io/requestauthentication/v1"
 	ap "security.istio.io/authorizationpolicy/v1"
 	pg "postgres-operator.crunchydata.com/postgrescluster/v1beta1"
@@ -77,7 +78,9 @@ _apiVersion: "holos.run/v1alpha1"
 #Job:                   #NamespaceObject & batchv1.#Job
 #CronJob:               #NamespaceObject & batchv1.#CronJob
 #Deployment:            #NamespaceObject & appsv1.#Deployment
+#StatefulSet:           #NamespaceObject & appsv1.#StatefulSet
 #VirtualService:        #NamespaceObject & vs.#VirtualService
+#DestinationRule:       #NamespaceObject & dr.#DestinationRule
 #RequestAuthentication: #NamespaceObject & ra.#RequestAuthentication
 #AuthorizationPolicy:   #NamespaceObject & ap.#AuthorizationPolicy
 #Certificate:           #NamespaceObject & crt.#Certificate

go.mod

@@ -9,15 +9,16 @@ require (
 	cuelang.org/go v0.8.0
 	entgo.io/ent v0.13.1
 	github.com/bufbuild/buf v1.30.1
+	github.com/choria-io/machine-room v0.0.0-20240417064836-c604da2f005e
 	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/fullstorydev/grpcurl v1.9.1
 	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/gofrs/uuid v4.4.0+incompatible
-	github.com/google/uuid v1.6.0
+	github.com/int128/kubelogin v1.28.0
 	github.com/jackc/pgx/v5 v5.5.5
 	github.com/lmittmann/tint v1.0.4
 	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-runewidth v0.0.9
+	github.com/mattn/go-runewidth v0.0.15
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/prometheus/client_golang v1.19.0
 	github.com/rogpeppe/go-internal v1.12.0
@@ -25,8 +26,8 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	golang.org/x/net v0.22.0
-	golang.org/x/tools v0.19.0
+	golang.org/x/net v0.24.0
+	golang.org/x/tools v0.20.0
 	google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002
 	honnef.co/go/tools v0.4.7
 	k8s.io/api v0.29.2
@@ -41,27 +42,45 @@ require (
 	ariga.io/atlas v0.19.1-0.20240203083654-5948b60a8e43 // indirect
 	cloud.google.com/go/compute v1.23.3 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	connectrpc.com/grpcreflect v1.2.0 // indirect
 	connectrpc.com/otelconnect v0.7.0 // indirect
 	cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e // indirect
+	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
+	github.com/Freman/eventloghook v0.0.0-20191003051739-e4d803b6b48b // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver v1.5.0 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/achanda/go-sysctl v0.0.0-20160222034550-6be7678c45d2 // indirect
 	github.com/agext/levenshtein v1.2.1 // indirect
+	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bufbuild/protocompile v0.10.0 // indirect
 	github.com/bufbuild/protovalidate-go v0.6.0 // indirect
 	github.com/bufbuild/protoyaml-go v0.1.8 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cheekybits/genny v1.0.0 // indirect
+	github.com/choria-io/fisk v0.6.2 // indirect
+	github.com/choria-io/go-choria v0.28.1-0.20240416190746-b3bf9c7d5a45 // indirect
+	github.com/choria-io/go-updater v0.1.0 // indirect
+	github.com/choria-io/stream-replicator v0.8.3-0.20230503130504-86152f798aec // indirect
+	github.com/choria-io/tokens v0.0.4-0.20240316144214-a929d9325d48 // indirect
+	github.com/cloudevents/sdk-go/v2 v2.15.2 // indirect
 	github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe // indirect
 	github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect
 	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/cli v26.0.0+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
@@ -75,29 +94,54 @@ require (
 	github.com/envoyproxy/go-control-plane v0.12.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
+	github.com/expr-lang/expr v1.16.4 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/fgprof v0.9.4 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-chi/chi/v5 v5.0.12 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-openapi/inflect v0.19.0 // indirect
 	github.com/go-openapi/jsonpointer v0.20.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/uuid/v5 v5.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/cel-go v0.20.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-containerregistry v0.19.1 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20240327155427-868f304927ed // indirect
+	github.com/google/pprof v0.0.0-20240416155748-26353dc0451f // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/google/wire v0.5.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/goss-org/GOnetstat v0.0.0-20230101144325-22be0bd9e64d // indirect
+	github.com/goss-org/go-ps v0.0.0-20230609005227-7b318e6a56e5 // indirect
+	github.com/goss-org/goss v0.4.6 // indirect
+	github.com/gosuri/uilive v0.0.4 // indirect
+	github.com/gosuri/uiprogress v0.0.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 // indirect
+	github.com/guptarohit/asciigraph v0.7.1 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
+	github.com/hashicorp/logutils v1.0.0 // indirect
+	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/int128/listener v1.1.0 // indirect
+	github.com/int128/oauth2cli v1.14.0 // indirect
+	github.com/int128/oauth2dev v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
 	github.com/jackc/puddle/v2 v2.2.1 // indirect
@@ -105,37 +149,81 @@ require (
 	github.com/jhump/protoreflect v1.16.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/klauspost/compress v1.17.8 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/lib/pq v1.10.9 // indirect
+	github.com/looplab/fsm v1.0.1 // indirect
+	github.com/lufia/plan9stats v0.0.0-20240408141607-282e7b5d6b74 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/miekg/dns v1.1.58 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/minio/highwayhash v1.0.2 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/sys/mountinfo v0.7.1 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/nats-io/jsm.go v0.1.1 // indirect
+	github.com/nats-io/jwt/v2 v2.5.5 // indirect
+	github.com/nats-io/nats-server/v2 v2.10.14 // indirect
+	github.com/nats-io/nats.go v1.34.1 // indirect
+	github.com/nats-io/nkeys v0.4.7 // indirect
+	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
-	github.com/onsi/ginkgo/v2 v2.15.0 // indirect
-	github.com/onsi/gomega v1.31.1 // indirect
+	github.com/oleiade/reflections v1.0.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.17.1 // indirect
+	github.com/onsi/gomega v1.32.0 // indirect
+	github.com/open-policy-agent/opa v0.63.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/profile v1.7.0 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.48.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.52.3 // indirect
+	github.com/prometheus/procfs v0.13.0 // indirect
 	github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/robfig/cron v1.2.0 // indirect
 	github.com/rs/cors v1.10.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/samber/lo v1.39.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
+	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/shirou/gopsutil/v3 v3.24.3 // indirect
+	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/tidwall/gjson v1.17.1 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.13 // indirect
+	github.com/tklauser/numcpus v0.7.0 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xlab/tablewriter v0.0.0-20160610135559-80b567a11ad5 // indirect
+	github.com/yashtewari/glob-intersection v0.2.0 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	github.com/zclconf/go-cty v1.8.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/otel v1.25.0 // indirect
@@ -143,18 +231,17 @@ require (
 	go.opentelemetry.io/otel/metric v1.25.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.25.0 // indirect
 	go.opentelemetry.io/otel/trace v1.25.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
 	golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a // indirect
-	golang.org/x/mod v0.16.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/oauth2 v0.18.0 // indirect
-	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/term v0.19.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect

go.sum

@@ -3,12 +3,45 @@ ariga.io/atlas v0.19.1-0.20240203083654-5948b60a8e43/go.mod h1:uj3pm+hUTVN/X5yfd
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.33.0-20240401165935-b983156c5e99.1 h1:2IGhRovxlsOIQgx2ekZWo4wTPAYpck41+18ICxs37is=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.33.0-20240401165935-b983156c5e99.1/go.mod h1:Tgn5bgL220vkFOI0KPStlcClPeOJzAv4uT+V8JXGUnw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
+cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
+cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
+cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
+cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
+cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
+cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
+cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
+cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
+cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
+cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk=
 cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
+cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
+cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
+cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
+cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
+cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 connectrpc.com/connect v1.16.0 h1:rdtfQjZ0OyFkWPTegBNcH7cwquGAN1WzyJy80oFNibg=
 connectrpc.com/connect v1.16.0/go.mod h1:XpZAduBQUySsb4/KO5JffORVkDI4B6/EYPi7N8xpNZw=
+connectrpc.com/grpcreflect v1.2.0 h1:Q6og1S7HinmtbEuBvARLNwYmTbhEGRpHDhqrPNlmK+U=
+connectrpc.com/grpcreflect v1.2.0/go.mod h1:nwSOKmE8nU5u/CidgHtPYk1PFI3U9ignz7iDMxOYkSY=
 connectrpc.com/otelconnect v0.7.0 h1:ZH55ZZtcJOTKWWLy3qmL4Pam4RzRWBJFOqTPyAqCXkY=
 connectrpc.com/otelconnect v0.7.0/go.mod h1:Bt2ivBymHZHqxvo4HkJ0EwHuUzQN6k2l0oH+mp/8nwc=
 connectrpc.com/validate v0.1.0 h1:r55jirxMK7HO/xZwVHj3w2XkVFarsUM77ZDy367NtH4=
@@ -17,25 +50,54 @@ cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e h1:GwCVItFUPxw
 cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e/go.mod h1:ApHceQLLwcOkCEXM1+DyCXTHEJhNGDpJ2kmV6axsx24=
 cuelang.org/go v0.8.0 h1:fO1XPe/SUGtc7dhnGnTPbpIDoQm/XxhDtoSF7jzO01c=
 cuelang.org/go v0.8.0/go.mod h1:CoDbYolfMms4BhWUlhD+t5ORnihR7wvjcfgyO9lL5FI=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 entgo.io/ent v0.13.1 h1:uD8QwN1h6SNphdCCzmkMN3feSUzNnVvV/WIkHKMbzOE=
 entgo.io/ent v0.13.1/go.mod h1:qCEmo+biw3ccBn9OyL4ZK5dfpwg++l1Gxwac5B1206A=
+github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ=
+github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
-github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
 github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
+github.com/Freman/eventloghook v0.0.0-20191003051739-e4d803b6b48b h1:IltY1fRcdIshI/c8KOdmaO8P4lBwDXHJYPymMisvvDs=
+github.com/Freman/eventloghook v0.0.0-20191003051739-e4d803b6b48b/go.mod h1:VGwG8f2pQ8SAFjTSH3PEDmLdlvi0XTd7a4C4AZn+pVw=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
+github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
+github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
+github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
+github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
+github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
+github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
+github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
+github.com/achanda/go-sysctl v0.0.0-20160222034550-6be7678c45d2 h1:NYoPVh1XuUB5VBWLXRKoqzQhl4bajIxh+XuURbJ0uwc=
+github.com/achanda/go-sysctl v0.0.0-20160222034550-6be7678c45d2/go.mod h1:DCNKSpXhum14Y258jSbRmJvcesbzEdBPincz7yJUx3k=
 github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8=
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
+github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
+github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
+github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
+github.com/brutella/hc v1.2.5 h1:P1tHqJtrGngob6Lv5E7RVGlLcdo54X/03Gseo5+soVw=
+github.com/brutella/hc v1.2.5/go.mod h1:kluioDmG4z8OweN0boeTf08696sH8odlhPDdq3gwuZw=
 github.com/bufbuild/buf v1.30.1 h1:QFtanwsXodoGFAwzXFXGXpzBkb7N2u8ZDyA3jWB4Pbs=
 github.com/bufbuild/buf v1.30.1/go.mod h1:7W8DJnj76wQa55EA3z2CmDxS0/nsHh8FqtE00dyDAdA=
 github.com/bufbuild/protocompile v0.10.0 h1:+jW/wnLMLxaCEG8AX9lD0bQ5v9h1RUiMKOBOT5ll9dM=
@@ -44,13 +106,31 @@ github.com/bufbuild/protovalidate-go v0.6.0 h1:Jgs1kFuZ2LHvvdj8SpCLA1W/+pXS8QSM3
 github.com/bufbuild/protovalidate-go v0.6.0/go.mod h1:1LamgoYHZ2NdIQH0XGczGTc6Z8YrTHjcJVmiBaar4t4=
 github.com/bufbuild/protoyaml-go v0.1.8 h1:X9QDLfl9uEllh4gsXUGqPanZYCOKzd92uniRtW2OnAQ=
 github.com/bufbuild/protoyaml-go v0.1.8/go.mod h1:R8vE2+l49bSiIExP4VJpxOXleHE+FDzZ6HVxr3cYunw=
+github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
+github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cheekybits/genny v1.0.0 h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=
+github.com/cheekybits/genny v1.0.0/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wXkRAgjxjQ=
+github.com/choria-io/fisk v0.6.2 h1:Vfvpcv8SD53FHW5cT4u7LStpz/wThwRPQHU7mzv1kMI=
+github.com/choria-io/fisk v0.6.2/go.mod h1:PajiUZTAotE5zO18eU6UexuPLLv565WOma4dB0ObxRM=
+github.com/choria-io/go-choria v0.28.1-0.20240416190746-b3bf9c7d5a45 h1:B76eu8PMXr3mAhQl8y7NSsb1/4KCKX4bEDTsKWh7/CQ=
+github.com/choria-io/go-choria v0.28.1-0.20240416190746-b3bf9c7d5a45/go.mod h1:XLEKGqo1Xmvj69DrSdI0neDGveWJDDQTeHdZgf1zxsI=
+github.com/choria-io/go-updater v0.1.0 h1:+Pt2ifsDh478T/ldA8fnDwavvH3RTQNn1mkrabVZ5eg=
+github.com/choria-io/go-updater v0.1.0/go.mod h1:8qj3lwYUC6c0zqsvaKP4pNu8GMHbIr5WGrd5YUWByWw=
+github.com/choria-io/machine-room v0.0.0-20240417064836-c604da2f005e h1:Kt9CeGRjW/mKQTams+aCUvIAucw3VzEZbKFJvM3pFeE=
+github.com/choria-io/machine-room v0.0.0-20240417064836-c604da2f005e/go.mod h1:3zCpMS5R2/xOd6Wsep2o0vvAy0eJnfU/ngEptEuJArs=
+github.com/choria-io/stream-replicator v0.8.3-0.20230503130504-86152f798aec h1:jGTkaDf2kDAlho4Oi6r2x51kzjXpxqhECFTHzTZ/a3w=
+github.com/choria-io/stream-replicator v0.8.3-0.20230503130504-86152f798aec/go.mod h1:QVvT5tjYSYmvqx585herBk0aK13DS1j/wJVDDWuLFww=
+github.com/choria-io/tokens v0.0.4-0.20240316144214-a929d9325d48 h1:KyL4w+dxAOfqi4Wds6Fh0632sxBw0YvRqL9fqMziGBI=
+github.com/choria-io/tokens v0.0.4-0.20240316144214-a929d9325d48/go.mod h1:dEyJo/309e8n141nzx1u82QuXVt6mt42V1Jn9CkJJPs=
 github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
 github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs=
 github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww=
@@ -61,6 +141,9 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cloudevents/sdk-go/v2 v2.15.2 h1:54+I5xQEnI73RBhWHxbI1XJcqOFOVJN85vb41+8mHUc=
+github.com/cloudevents/sdk-go/v2 v2.15.2/go.mod h1:lL7kSWAE/V8VI4Wh0jbL2v/jvqsm6tjmaQBSvxcv4uE=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe h1:QQ3GSy+MqSHxm/d8nCtnAiZdYFd45cYZPs8vOOIYKfk=
 github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
@@ -78,11 +161,20 @@ github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg=
+github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw=
+github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8=
+github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA=
+github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
+github.com/dgryski/trifles v0.0.0-20220729183022-231ecf6ed548 h1:acdRTG6Vp8kMaN3lVkI49O/BuHjg+GH5i/MJjYZV+BM=
+github.com/dgryski/trifles v0.0.0-20220729183022-231ecf6ed548/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/cli v26.0.0+incompatible h1:90BKrx1a1HKYpSnnBFR6AgDq/FqkHxwlUyzJVPxD30I=
@@ -104,6 +196,8 @@ github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr
 github.com/emicklei/proto v1.10.0 h1:pDGyFRVV5RvV+nkBK9iy3q67FBy9Xa7vwrOTE+g5aGw=
 github.com/emicklei/proto v1.10.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI=
 github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
@@ -111,15 +205,32 @@ github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU
 github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
 github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
 github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/expr-lang/expr v1.16.4 h1:1Mq5RHw5T5jxXMUvyb+eT546mJREm1yFyNHkybYQ81c=
+github.com/expr-lang/expr v1.16.4/go.mod h1:uCkhfG+x7fcZ5A5sXHKuQ07jGZRl6J0FCAaf2k4PtVQ=
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/felixge/fgprof v0.9.4 h1:ocDNwMFlnA0NU0zSB3I52xkO4sFXk80VK9lXjLClu88=
 github.com/felixge/fgprof v0.9.4/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
+github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
+github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
+github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fullstorydev/grpcurl v1.9.1 h1:YxX1aCcCc4SDBQfj9uoWcTLe8t4NWrZe1y+mk83BQgo=
 github.com/fullstorydev/grpcurl v1.9.1/go.mod h1:i8gKLIC6s93WdU3LSmkE5vtsCxyRmihUj5FK1cNW5EM=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
 github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
+github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
@@ -130,6 +241,9 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-openapi/inflect v0.19.0 h1:9jCH9scKIbHeV9m12SmPilScz6krDxKRasNNSNPXu/4=
 github.com/go-openapi/inflect v0.19.0/go.mod h1:lHpZVlpIQqLyKwJ4N+YSc9hchQy/i12fJykb83CRBH4=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
@@ -146,6 +260,8 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEe
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
@@ -157,23 +273,63 @@ github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
 github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/glog v1.2.0 h1:uCdmnmatrKCgMBlM4rMuJZWOkPDqdbZPnrMXDY4gI68=
+github.com/golang/glog v1.2.0/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
+github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84=
 github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg=
+github.com/google/flatbuffers v23.3.3+incompatible h1:5PJI/WbJkaMTvpGxsHVKG/LurN/KnWXNyGpwSCDgen0=
+github.com/google/flatbuffers v23.3.3+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -182,24 +338,76 @@ github.com/google/go-containerregistry v0.19.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDIt
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/pprof v0.0.0-20240327155427-868f304927ed h1:n8QtJTrwsv3P7dNxPaMeNkMcxvUpqocsHLr8iDLGlQI=
-github.com/google/pprof v0.0.0-20240327155427-868f304927ed/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
+github.com/google/pprof v0.0.0-20240416155748-26353dc0451f h1:WpZiq8iqvGjJ3m3wzAVKL6+0vz7VkE79iSy9GII00II=
+github.com/google/pprof v0.0.0-20240416155748-26353dc0451f/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
+github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/wire v0.5.0 h1:I7ELFeVBr3yfPIcc8+MWvrjk+3VjbcSzoXm3JVa+jD8=
+github.com/google/wire v0.5.0/go.mod h1:ngWDr9Qvq3yZA10YrxfyGELY/AFWGVpy9c1LTRi1EoU=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/goss-org/GOnetstat v0.0.0-20230101144325-22be0bd9e64d h1:50mlZKtg8BUvBtFs0ioVpSgMMwcKaJefg/2pZ+lQf98=
+github.com/goss-org/GOnetstat v0.0.0-20230101144325-22be0bd9e64d/go.mod h1:MBdRlloGIbpQVDuH5Gxg3hjqwZBCZsmFqbYPaeR6r0M=
+github.com/goss-org/go-ps v0.0.0-20230609005227-7b318e6a56e5 h1:NW0Jo4leMIrQxNOyOkBu4yBnygI37m0Ey0EUUgvzr+8=
+github.com/goss-org/go-ps v0.0.0-20230609005227-7b318e6a56e5/go.mod h1:FYj70SLmogHdTTDGnIVaaK0iczROlsxmoMCwfAUuIE8=
+github.com/goss-org/goss v0.4.6 h1:WPFGMjlgTBeZqfr4LaGIQCgKf+hX5h0pbNOK3ZuipEA=
+github.com/goss-org/goss v0.4.6/go.mod h1:VfZhk3KLI6fk4jk5kbrto7iuJMh62wyYp2CLiXZZDXc=
+github.com/gosuri/uilive v0.0.4 h1:hUEBpQDj8D8jXgtCdBu7sWsy5sbW/5GhuO8KBwJ2jyY=
+github.com/gosuri/uilive v0.0.4/go.mod h1:V/epo5LjjlDE5RJUcqx8dbw+zc93y5Ya3yg8tfZ74VI=
+github.com/gosuri/uiprogress v0.0.1 h1:0kpv/XY/qTmFWl/SkaJykZXrBBzwwadmW8fRb7RJSxw=
+github.com/gosuri/uiprogress v0.0.1/go.mod h1:C1RTYn4Sc7iEyf6j8ft5dyoZ4212h8G1ol9QQluh5+0=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
+github.com/guptarohit/asciigraph v0.7.1 h1:K+JWbRc04XEfv8BSZgNuvhCmpbvX4+9NYd/UxXVnAuk=
+github.com/guptarohit/asciigraph v0.7.1/go.mod h1:dYl5wwK4gNsnFf9Zp+l06rFiDZ5YtXM6x7SRWZ3KGag=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl/v2 v2.13.0 h1:0Apadu1w6M11dyGFxWnmhhcMjkbAiKCv7G1r/2QgCNc=
 github.com/hashicorp/hcl/v2 v2.13.0/go.mod h1:e4z5nxYlWNPdDSNYX+ph14EvWYMFm3eP0zIUqPc2jr0=
+github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI65Y=
+github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
+github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
+github.com/hinshun/vt10x v0.0.0-20220301184237-5011da428d02 h1:AgcIVYPa6XJnU3phs104wLj8l5GEththEw6+F79YsIY=
+github.com/hinshun/vt10x v0.0.0-20220301184237-5011da428d02/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
+github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU=
+github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
+github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/int128/kubelogin v1.28.0 h1:T1xQ/dw2aIX/Bvv3KtSk8m8u483acr/5lidVRLBgIQ4=
+github.com/int128/kubelogin v1.28.0/go.mod h1:UM4ShH939mXO1Cd0ns13mYQsUctyLbfHFHq8a6NXMG0=
+github.com/int128/listener v1.1.0 h1:2Jb41DWLpkQ3I9bIdBzO8H/tNwMvyl/OBZWtCV5Pjuw=
+github.com/int128/listener v1.1.0/go.mod h1:68WkmTN8PQtLzc9DucIaagAKeGVyMnyyKIkW4Xn47UA=
+github.com/int128/oauth2cli v1.14.0 h1:r63NoO10ybUXIXUQxih8WOmt5HQpJubdTmhWh22B9VE=
+github.com/int128/oauth2cli v1.14.0/go.mod h1:LIoVAzgAsS2tDDBc8yopkcgY5oZR0+MJAeECkCwtxhA=
+github.com/int128/oauth2dev v1.0.0 h1:emMhky6ssFEiyujCGcTpuUkeBg121IvcFey54CxW844=
+github.com/int128/oauth2dev v1.0.0/go.mod h1:lLIeCHF2MzH+sQ35/2IgA+Lbti/K2ONjrwO3n3FKSAM=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
@@ -216,10 +424,14 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg=
-github.com/klauspost/compress v1.17.7/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
+github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -237,20 +449,50 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lmittmann/tint v1.0.4 h1:LeYihpJ9hyGvE0w+K2okPTGUdVLfng1+nDNVR4vWISc=
 github.com/lmittmann/tint v1.0.4/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE=
+github.com/looplab/fsm v1.0.1 h1:OEW0ORrIx095N/6lgoGkFkotqH6s7vaFPsgjLAaF5QU=
+github.com/looplab/fsm v1.0.1/go.mod h1:PmD3fFvQEIsjMEfvZdrCDZ6y8VwKTwWNjlpEr6IKPO4=
+github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
+github.com/lufia/plan9stats v0.0.0-20240408141607-282e7b5d6b74 h1:1KuuSOy4ZNgW0KA2oYIngXVFhQcXxhLqCVK7cBcldkk=
+github.com/lufia/plan9stats v0.0.0-20240408141607-282e7b5d6b74/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
+github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
+github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
+github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
+github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
+github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
+github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
+github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
+github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
+github.com/minio/highwayhash v1.0.2/go.mod h1:BQskDq+xkJ12lmlUUi7U0M5Swg3EWR+dLTk+kldvVxY=
+github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
+github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
+github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -262,52 +504,101 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/nats-io/jsm.go v0.1.1 h1:6vjllz276SdC+3Fb3XI71p9B6toxkCruuB1K6unQEr0=
+github.com/nats-io/jsm.go v0.1.1/go.mod h1:cFz5wR1pW0zLFotntS4HA7V8Wm+sf8zpF+iQJHbsS6M=
+github.com/nats-io/jwt/v2 v2.5.5 h1:ROfXb50elFq5c9+1ztaUbdlrArNFl2+fQWP6B8HGEq4=
+github.com/nats-io/jwt/v2 v2.5.5/go.mod h1:ZdWS1nZa6WMZfFwwgpEaqBV8EPGVgOTDHN/wTbz0Y5A=
+github.com/nats-io/nats-server/v2 v2.10.14 h1:98gPJFOAO2vLdM0gogh8GAiHghwErrSLhugIqzRC+tk=
+github.com/nats-io/nats-server/v2 v2.10.14/go.mod h1:a0TwOVBJZz6Hwv7JH2E4ONdpyFk9do0C18TEwxnHdRk=
+github.com/nats-io/nats.go v1.34.1 h1:syWey5xaNHZgicYBemv0nohUPPmaLteiBEUT6Q5+F/4=
+github.com/nats-io/nats.go v1.34.1/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8=
+github.com/nats-io/nkeys v0.4.7 h1:RwNJbbIdYCoClSDNY7QVKZlyb/wfT6ugvFCiKy6vDvI=
+github.com/nats-io/nkeys v0.4.7/go.mod h1:kqXRgRDPlGy7nGaEDMuYzmiJCIAAWDK0IMBtDmGD0nc=
+github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
+github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0HHQM=
+github.com/oleiade/reflections v1.0.1/go.mod h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
-github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
-github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
-github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
+github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8=
+github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
+github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
+github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
+github.com/open-policy-agent/opa v0.63.0 h1:ztNNste1v8kH0/vJMJNquE45lRvqwrM5mY9Ctr9xIXw=
+github.com/open-policy-agent/opa v0.63.0/go.mod h1:9VQPqEfoB2N//AToTxzZ1pVTVPUoF2Mhd64szzjWPpU=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
+github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
+github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
+github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
 github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
-github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
-github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
-github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.52.3 h1:5f8uj6ZwHSscOGNdIQg6OiZv/ybiK2CO2q2drVZAQSA=
+github.com/prometheus/common v0.52.3/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
+github.com/prometheus/procfs v0.13.0 h1:GqzLlQyfsPbaEHaQkO7tbDlriv/4o5Hudv6OXHGKX7o=
+github.com/prometheus/procfs v0.13.0/go.mod h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43ZKY6tow0Y1g=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 h1:sadMIsgmHpEOGbUs6VtHBXRR1OHevnj7hLx9ZcdNGW4=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
+github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
+github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
+github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/cors v1.10.1 h1:L0uuZVXIKlI1SShY2nhFfo44TYvDPQ1w4oFkUJNfhyo=
 github.com/rs/cors v1.10.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
-github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
+github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
+github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
+github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/sethvargo/go-retry v0.2.4 h1:T+jHEQy/zKJf5s95UkguisicE0zuF9y7+/vgz08Ocec=
 github.com/sethvargo/go-retry v0.2.4/go.mod h1:1afjQuvh7s4gflMObvjLPaWgluLLyhA1wmVZ6KLpICw=
+github.com/shirou/gopsutil/v3 v3.24.3 h1:eoUGJSmdfLzJ3mxIhmOAhgKEKgQkeOwKpz1NbhVnuPE=
+github.com/shirou/gopsutil/v3 v3.24.3/go.mod h1:JpND7O217xa72ewWz9zN2eIIkPWsDN/3pl0H8Qt0uwg=
+github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
+github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
+github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
+github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
+github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
+github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -317,28 +608,74 @@ github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8w
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
+github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
+github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U=
+github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
+github.com/tklauser/go-sysconf v0.3.13 h1:GBUpcahXSpR2xN01jhkNAbTLRk2Yzgggk8IM08lq3r4=
+github.com/tklauser/go-sysconf v0.3.13/go.mod h1:zwleP4Q4OehZHGn4CYZDipCgg9usW5IJePewFCGVEa0=
+github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
+github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr4=
+github.com/tklauser/numcpus v0.7.0/go.mod h1:bb6dMVcj8A42tSE7i32fsIUCbQNllK5iDguyOZRUzAY=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
 github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xlab/tablewriter v0.0.0-20160610135559-80b567a11ad5 h1:gmD7q6cCJfBbcuobWQe/KzLsd9Cd3amS1Mq5f3uU1qo=
+github.com/xlab/tablewriter v0.0.0-20160610135559-80b567a11ad5/go.mod h1:fVwOndYN3s5IaGlMucfgxwMhqwcaJtlGejBU6zX6Yxw=
+github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
+github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 github.com/zclconf/go-cty v1.8.0 h1:s4AvqaeQzJIu3ndv4gVIhplVD0krU+bgrcLSVUnaWuA=
 github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
 go.opentelemetry.io/otel v1.25.0 h1:gldB5FfhRl7OJQbUHt/8s0a7cE8fbsPAtdpRaApKy4k=
 go.opentelemetry.io/otel v1.25.0/go.mod h1:Wa2ds5NOXEMkCmUou1WA7ZBfLTHWIsp034OVD7AO+Vg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.25.0 h1:dT33yIHtmsqpixFsSQPwNeY5drM9wTcoL8h0FWF4oGM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.25.0/go.mod h1:h95q0LBGh7hlAC08X2DhSeyIG02YQ0UyioTCVAqRPmc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 h1:Xw8U6u2f8DK2XAkGRFV7BBLENgnTGX9i4rQRxJf+/vs=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0/go.mod h1:6KW1Fm6R/s6Z3PGXwSJN2K4eT6wQB3vXX6CVnYX9NmM=
 go.opentelemetry.io/otel/metric v1.25.0 h1:LUKbS7ArpFL/I2jJHdJcqMGxkRdxpPHE0VU/D4NuEwA=
@@ -360,124 +697,322 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 h1:aAcj0Da7eBAtrTp03QXWvm88pSyOt+UgdZw2BFZ+lEw=
-golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
+golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
 golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a h1:Jw5wfR+h9mnIYH+OtGT2im5wV1YGGDora5vTv/aa5bE=
 golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
+golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
-golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
+golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
 golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190130150945-aca44879d564/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
-golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
+golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190422233926-fe54fb35175b/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
-golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
+golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY=
+golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
+google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
+google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
+google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto/googleapis/api v0.0.0-20240325203815-454cdb8f5daa h1:Jt1XW5PaLXF1/ePZrznsh/aAUvI7Adfc3LY1dAKlzRs=
 google.golang.org/genproto/googleapis/api v0.0.0-20240325203815-454cdb8f5daa/go.mod h1:K4kfzHtI0kqWA79gecJarFtDn/Mls+GxQcg3Zox91Ac=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa h1:RBgMaUMP+6soRkik4VoN8ojR2nex2TqZwjSSogic+eo=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
+google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
 google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
@@ -487,18 +1022,26 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
-gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.4.7 h1:9MDAWxMoSnB6QoSqiVr7P5mtkT9pOc1kSxchzPCnqJs=
 honnef.co/go/tools v0.4.7/go.mod h1:+rnGS1THNh8zMwnd2oVOTL9QF6vmfyG6ZXBULae2uc0=
 k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
@@ -531,6 +1074,9 @@ modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
 modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

hack/choria/gen-machine-signer

@@ -0,0 +1,22 @@
+#! /bin/bash
+#
+# build github.com/choria-io/go-choria with go build -trimpath -o choria -ldflags "-w" ./
+# Refer to https://github.com/ripienaar/choria-compose/blob/main/setup.sh#L41
+# Refer to https://github.com/holos-run/holos-infra/blob/v0.60.4/experiments/components/holos-saas/initialize/setup
+# choria jwt keys machine-signer.seed machine-signer.public
+
+set -euo pipefail
+
+PARENT="$(cd "$(dirname "$0")" && pwd)"
+
+tmpdir="$(mktemp -d)"
+finish() {
+  [[ -d "$tmpdir" ]] && rm -rf "$tmpdir"
+}
+trap finish EXIT
+cd "$tmpdir"
+
+mkdir machine-signer
+cd machine-signer
+choria jwt keys machine-signer.seed machine-signer.public
+holos create secret machine-signer --from-file .

hack/choria/initialize/.gitignore

@@ -0,0 +1,5 @@
+/issuer/
+/provisioner/
+/broker/
+/customers/
+/agents/

hack/choria/initialize/README.md

@@ -0,0 +1,20 @@
+Initialize machine room provisioning credentials
+
+When you want the holos controller to provision while operating in the current
+working directory, run:
+
+ 1. `init-choria-provisioner-creds` to populate secrets in the Holos
+    Provisioner Cluster (not to be confused with the Choria Provisioner).
+ 2. `make-provisioning-jwt` to issue a `provisioning.jwt` file for `holos
+    controller` to use.
+ 3. `holos controller --config=agent.cfg` to read `provisioning.jwt` and write
+    the provisioned config file and credentials to the current directory.
+
+Expect the controller to provision.
+
+Setup Notes:
+
+The holos server flag `--provisioner-seed` must match the issuer.seed value.
+To get the correct value to configure for holos server:
+
+    holos get secret choria-issuer --print-key=issuer.seed --namespace $NAMESPACE

hack/choria/initialize/init-choria-provisioner-creds

@@ -0,0 +1,64 @@
+#! /bin/bash
+#
+
+export BROKER_PASSWORD="$(LC_ALL=C tr -dc "[:alpha:]" </dev/random | tr '[:upper:]' '[:lower:]' | head -c 32)"
+export PROVISIONER_TOKEN="$(LC_ALL=C tr -dc "[:alpha:]" </dev/random | tr '[:upper:]' '[:lower:]' | head -c 32)"
+
+set -xeuo pipefail
+
+# Make sure gomplate is available
+gomplate --version
+
+PARENT="$(cd $(dirname "$0") && pwd)"
+TOPLEVEL="$(cd "${PARENT}" && git rev-parse --show-toplevel)"
+: "${NAMESPACE:=jeff-holos}"
+export NAMESPACE
+
+tmpdir="$(mktemp -d)"
+finish() {
+  [[ -d "$tmpdir" ]] && rm -rf "$tmpdir"
+}
+trap finish EXIT
+cd "$tmpdir"
+
+# Generate Secrets
+
+# Create organization issuer
+mkdir issuer
+choria jwt keys "./issuer/issuer.seed" "./issuer/issuer.public"
+ISSUER="$(<issuer/issuer.public)"
+export ISSUER
+
+# Provisioner token used for ???
+mkdir provisioner
+echo -n "${PROVISIONER_TOKEN}" > ./provisioner/token
+
+# Provisioner signer
+choria jwt keys ./provisioner/signer.seed ./provisioner/signer.public
+choria jwt client ./provisioner/signer.jwt provisioner_signer ./issuer/issuer.seed \
+  --public-key "$(<provisioner/signer.public)" --server-provisioner --validity $((100*365))d --issuer
+
+# Provisioner Secret
+mkdir -p provisioner/secret
+gomplate --input-dir "${PARENT}/templates/provisioner" --output-dir ./provisioner/secret/
+cp ./provisioner/signer.seed ./provisioner/secret/signer.seed
+cp ./provisioner/signer.jwt ./provisioner/secret/signer.jwt
+
+# Provisioner Broker
+mkdir broker
+choria jwt keys ./broker/broker.seed ./broker/broker.public
+choria jwt server ./broker/broker.jwt broker.holos.local "$(<broker/broker.public)" ./issuer/issuer.seed \
+  --org choria \
+  --collectives choria \
+  --subjects 'choria.node_metadata.>'
+gomplate --input-dir "${PARENT}/templates/broker/" --output-dir ./broker/
+echo -n "${BROKER_PASSWORD}" > ./broker/password
+
+mkdir agents
+choria jwt keys ./agents/signer.seed ./agents/signer.public
+
+# Now save the secrets
+holos create secret --append-hash=false --namespace $NAMESPACE choria-issuer --from-file=issuer
+holos create secret --append-hash=false --namespace $NAMESPACE choria-broker --from-file=broker
+holos create secret --append-hash=false --namespace $NAMESPACE choria-provisioner --from-file=provisioner/secret
+holos create secret --append-hash=false --namespace $NAMESPACE choria-agents --from-file=agents

hack/choria/initialize/make-provisioning-jwt

@@ -0,0 +1,50 @@
+#! /bin/bash
+#
+# Make a provisioner.jwt and put it in the current directory.
+#
+# Use the provisioner.jwt with `holos controller --config=controller.cfg` which
+# will read the jwt from the same directory as the config file.
+#
+# Refer to Arri's
+# [setup.sh](https://github.com/ripienaar/machine-room-mvp/blob/main/example/setup/setup.sh#L41)
+# And our own nites at https://github.com/holos-run/holos/issues/142
+
+PARENT="$(cd $(dirname "$0") && pwd)"
+OUTDIR="$(pwd)"
+
+: "${NAMESPACE:=jeff-holos}"
+
+tmpdir="$(mktemp -d)"
+finish() {
+  [[ -d "$tmpdir" ]] && rm -rvf "$tmpdir"
+}
+trap finish EXIT
+cd "$tmpdir"
+
+set -xeuo pipefail
+
+# e.g. jeff.provision.dev.k2.holos.run
+#
+kubectl -n $NAMESPACE get virtualservice choria-broker-wss -o json > vs.json
+jq --exit-status -r '.spec.hosts[0]' vs.json > host
+
+# Get the issuer.seed
+holos -n $NAMESPACE get secret choria-issuer --to-file issuer.seed
+
+# Get the provisioner token to embed in the provisioning.jwt file.
+holos -n $NAMESPACE get secret choria-provisioner --to-file token
+
+# The --token flag value must be the same value set in the token field of provisioner.yaml
+# Refer to https://github.com/ripienaar/machine-room-mvp/blob/main/example/setup/setup.sh#L41
+# Refer to https://github.com/ripienaar/machine-room-mvp/blob/main/example/setup/templates/provisioner/provisioner.yaml#L6
+choria jwt prov provisioning.jwt "issuer.seed" \
+  --token "$(<token)" \
+  --urls wss://$(<host):443 \
+  --default \
+  --protocol-v2 \
+  --insecure \
+  --update \
+  --validity 30d \
+  --extensions '{}'
+
+cp provisioning.jwt "${OUTDIR}/"

hack/choria/initialize/reset-choria-config

@@ -0,0 +1,23 @@
+#! /bin/bash
+#
+# This script resets the choria config for a Namespace
+
+PARENT="$(cd $(dirname "$0") && pwd)"
+: "${NAMESPACE:=jeff-holos}"
+export NAMESPACE
+
+set -xeuo pipefail
+
+KUBECONFIG=$HOME/.holos/kubeconfig.provisioner kubectl delete secret -n jeff-holos choria-agents choria-broker choria-provisioner choria-issuer
+
+"${PARENT}/init-choria-provisioner-creds"
+
+stamp="$(date)"
+
+kubectl -n $NAMESPACE annotate externalsecret choria-broker secret.holos.run/refresh="$stamp" --overwrite
+kubectl -n $NAMESPACE annotate externalsecret choria-provisioner secret.holos.run/refresh="$stamp" --overwrite
+
+kubectl -n $NAMESPACE wait --for='jsonpath={.status.conditions[?(@.type=="Ready")].status}=True' externalsecret choria-provisioner choria-broker
+
+kubectl -n $NAMESPACE rollout restart statefulset choria-broker
+kubectl -n $NAMESPACE rollout restart deployment choria-provisioner

hack/choria/initialize/templates/broker/broker.conf

@@ -0,0 +1,23 @@
+loglevel = info
+plugin.choria.stats_address = 0.0.0.0
+plugin.choria.stats_port = 8222
+plugin.choria.broker_network = true
+plugin.choria.network.client_port = 4222
+plugin.choria.network.peer_port = 5222
+plugin.choria.network.system.user = system
+plugin.choria.network.system.password = system
+plugin.choria.network.peers = nats://choria-broker-0.choria-broker:5222,nats://choria-broker-1.choria-broker:5222,nats://choria-broker-2.choria-broker:5222
+plugin.choria.use_srv = false
+plugin.choria.network.websocket_port = 4333
+
+plugin.security.provider = choria
+# NOTE: plugin.security.choria.ca must not be set or provisioning will fail
+# with a unhandled choria_provisioning purpose token error
+plugin.security.choria.certificate = /etc/choria-tls/tls.crt
+plugin.security.choria.key = /etc/choria-tls/tls.key
+plugin.security.choria.token_file = /etc/choria/broker.jwt
+plugin.security.choria.seed_file = /etc/choria/broker.seed
+plugin.choria.network.provisioning.client_password = {{ .Env.BROKER_PASSWORD }}
+
+plugin.security.issuer.names = choria
+plugin.security.issuer.choria.public = {{ .Env.ISSUER }}

hack/choria/initialize/templates/provisioner/ISSUER

@@ -0,0 +1 @@
+{{ .Env.ISSUER -}}

hack/choria/initialize/templates/provisioner/choria.cfg

@@ -0,0 +1,7 @@
+plugin.security.provider = choria
+plugin.security.choria.token_file = /etc/provisioner/signer.jwt
+plugin.security.choria.seed_file = /etc/provisioner/signer.seed
+
+identity = provisioner_signer
+
+plugin.choria.middleware_hosts = choria-broker-0.choria-broker:4222,choria-broker-1.choria-broker:4222,choria-broker-2.choria-broker:4222

hack/choria/initialize/templates/provisioner/entrypoint

@@ -0,0 +1,9 @@
+#! /bin/bash
+#
+
+set -xeuo pipefail
+
+mkdir -p /home/choria/bin
+install -m 0755 /etc/provisioner/helper.rb /home/choria/bin/helper.rb
+
+exec /usr/sbin/choria-provisioner --config=/etc/provisioner/provisioner.yaml --choria-config=/etc/provisioner/choria.cfg

hack/choria/initialize/templates/provisioner/helper.rb

@@ -0,0 +1,134 @@
+#!/usr/bin/ruby
+
+require "json"
+require "yaml"
+require "base64"
+require "net/http"
+require "openssl"
+
+def parse_input
+  input = STDIN.read
+
+  begin
+    File.open("/tmp/request.json", "w") {|f| f.write(input)}
+  rescue Exception
+  end
+
+  request = JSON.parse(input)
+  request["inventory"] = JSON.parse(request["inventory"])
+
+  request
+end
+
+def validate!(request, reply)
+  if request["identity"] && request["identity"].length == 0
+    reply["msg"] = "No identity received in request"
+    reply["defer"] = true
+    return false
+  end
+
+  unless request["ed25519_pubkey"]
+    reply["msg"] = "No ed15519 public key received"
+    reply["defer"] = true
+    return false
+  end
+
+  unless request["ed25519_pubkey"]
+    reply["msg"] = "No ed15519 directory received"
+    reply["defer"] = true
+    return false
+  end
+
+  if request["ed25519_pubkey"]["directory"].length == 0
+    reply["msg"] = "No ed15519 directory received"
+    reply["defer"] = true
+    return false
+  end
+
+  true
+end
+
+def publish_reply(reply)
+  begin
+    File.open("/tmp/reply.json", "w") {|f| f.write(reply.to_json)}
+  rescue Exception
+  end
+
+  puts reply.to_json
+end
+
+def publish_reply!(reply)
+  publish_reply(reply)
+  exit
+end
+
+def set_config!(request, reply)
+  # stub data the helper will fetch from the saas
+  customers = {
+        "one" => {
+            :brokers => "nats://managed.example.net:9222", # whoever is the leader for this site
+            :site => "customer_one",
+            :source => {
+                :host => "nats://cust_one:s3cret@saas-nats.choria.local",
+            }
+        }
+    }
+
+
+  customer = request["jwt"]["extensions"]["customer"]
+  brokers = customers[customer][:brokers]
+  source = customers[customer][:source]
+
+  reply["configuration"].merge!(
+    "identity" => request["identity"],
+    "loglevel" => "warn",
+    "plugin.choria.server.provision" => "false",
+    "plugin.choria.middleware_hosts" => brokers,
+    "plugin.security.issuer.names" => "choria",
+    "plugin.security.issuer.choria.public" => "{{ .Env.ISSUER }}",
+    "plugin.security.provider" => "choria",
+    "plugin.security.choria.token_file" => File.join(request["ed25519_pubkey"]["directory"], "server.jwt"),
+    "plugin.security.choria.seed_file" => File.join(request["ed25519_pubkey"]["directory"], "server.seed"),
+    "machine_room.role" => "leader",
+    "machine_room.site" => customers[customer][:site],
+    "machine_room.source.host" => source[:host],
+  )
+
+  reply["server_claims"].merge!(
+    "exp" => 5*60*60*24*365,
+    "pub_subjects" => [">"],
+    "permissions" => {
+      "streams" => true,
+      "submission" => true,
+      "service_host" => true,
+    }
+  )
+end
+
+reply = {
+  "defer" => false,
+  "msg" => "",
+  "certificate" => "",
+  "ca" => "",
+  "configuration" => {},
+  "server_claims" => {}
+}
+
+begin
+  request = parse_input
+
+  reply["msg"] = "Validating"
+  unless validate!(request, reply)
+    publish_reply!(reply)
+  end
+
+  set_config!(request, reply)
+
+  reply["msg"] = "Done"
+  publish_reply!(reply)
+rescue SystemExit
+rescue Exception
+  reply["msg"] = "Unexpected failure during provisioning: %s: %s" % [$!.class, $!.to_s]
+  reply["defer"] = true
+  publish_reply!(reply)
+end

hack/choria/initialize/templates/provisioner/provisioner.yaml

@@ -0,0 +1,17 @@
+workers: 4
+interval: 1m
+logfile: /dev/stdout
+loglevel: info
+# The entrypoint script installs this helper script.
+helper: /home/choria/bin/helper.rb
+token: "{{ .Env.PROVISIONER_TOKEN }}"
+choria_insecure: false
+site: holos
+broker_provisioning_password: "{{ .Env.BROKER_PASSWORD }}"
+jwt_verify_cert: "{{ .Env.ISSUER }}"
+jwt_signing_key: /etc/provisioner/signer.seed
+jwt_signing_token: /etc/provisioner/signer.jwt
+
+features:
+  jwt: true
+  ed25519: true

hack/choria/initialize/templates/provisioner/token

@@ -0,0 +1 @@
+{{ .Env.PROVISIONER_TOKEN -}}

hack/tilt/k8s.yaml

@@ -101,7 +101,7 @@ spec:
   gateways:
     - istio-ingress/default
   hosts:
-    - '{developer}.holos.dev.k2.ois.run'
+    - '{developer}.app.dev.k2.holos.run'
   http:
     - route:
         - destination:
@@ -120,117 +120,6 @@ metadata:
 imagePullSecrets:
   - name: kube-system-ecr-image-pull-creds
 ---
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-  name: '{name}-allow-groups'
-  namespace: '{namespace}'
-spec:
-  action: ALLOW
-  rules:
-    - when:
-        - key: request.auth.claims[groups]
-          values:
-            - holos-developer
-            - holos-developer@openinfrastructure.co
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: '{name}-allow-nothing'
-  namespace: '{namespace}'
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-spec:
-  action: ALLOW
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: '{name}-allow-well-known-paths'
-  namespace: '{namespace}'
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-spec:
-  action: ALLOW
-  rules:
-    - to:
-        - operation:
-            paths:
-              - /healthz
-              - /metrics
-              - /callbacks/github
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: '{name}-auth'
-  namespace: '{namespace}'
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-spec:
-  action: CUSTOM
-  provider:
-    name: dev-holos-sso
-  rules:
-    - to:
-        - operation:
-            notPaths:
-              - /healthz
-              - /metrics
-              - /callbacks/github
-      when:
-        - key: request.headers[Authorization]
-          notValues:
-            - Bearer *
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
-apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: '{name}'
-  namespace: '{namespace}'
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-spec:
-  jwtRules:
-    - audiences:
-        - https://sso.dev.holos.run
-      forwardOriginalToken: true
-      fromHeaders:
-        - name: x-auth-request-access-token
-      issuer: https://idex.core.ois.run
-      jwksUri: https://idex.core.ois.run/keys
-    - audiences:
-        - holos-cli
-      forwardOriginalToken: true
-      fromHeaders:
-        - name: authorization
-          prefix: 'Bearer '
-      issuer: https://idex.core.ois.run
-      jwksUri: https://idex.core.ois.run/keys
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
 apiVersion: postgres-operator.crunchydata.com/v1beta1
 kind: PGAdmin
 metadata:
@@ -266,19 +155,9 @@ spec:
       databases:
         - holos
       options: 'SUPERUSER'
-    - name: kratos
-      databases:
-        - kratos
-      options: 'SUPERUSER'
-    - name: hydra
-      databases:
-        - hydra
-      options: 'SUPERUSER'
     - name: '{developer}'
       databases:
         - holos
-        - kratos
-        - hydra
         - '{developer}'
       options: 'SUPERUSER'
   # https://access.crunchydata.com/documentation/postgres-operator/latest/architecture/user-management

internal/cli/build/build.go

@@ -4,10 +4,10 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/internal/builder"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/internal/builder"
 	"github.com/spf13/cobra"
 )
 

internal/cli/command/cmd.go

@@ -3,8 +3,8 @@ package command
 import (
 	"fmt"
 
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/version"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/version"
 	"github.com/spf13/cobra"
 )
 
@@ -26,5 +26,6 @@ func New(name string) *cobra.Command {
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
+	cmd.Flags().SortFlags = false
 	return cmd
 }

internal/cli/controller/controller.go

@@ -0,0 +1,50 @@
+// Package controller integrates Choria Machine Room into Holos for cluster management.
+package controller
+
+import (
+	"context"
+	"fmt"
+
+	mr "github.com/choria-io/machine-room"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/version"
+	"github.com/spf13/cobra"
+)
+
+var (
+	// SigningKey is the public key from choria jwt keys machine-signer.seed machine-signer.public, refer to gen-machine-signer.
+	SigningKey = "2a136e3875f4375968ae8e8d400ba24864d3ed7c4109675f357d32cc3ca1d5a7"
+)
+
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("controller")
+	cmd.Args = cobra.ArbitraryArgs
+	cmd.DisableFlagParsing = true
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		if SigningKey == "" {
+			return errors.Wrap(fmt.Errorf("could not run: controller.SigningKey not set from build variables"))
+		}
+
+		ctx := c.Context()
+		if ctx == nil {
+			ctx = context.Background()
+		}
+
+		app, err := mr.New(mr.Options{
+			Name:              "controller",
+			Contact:           "jeff@openinfrastructure.co",
+			Version:           version.Version,
+			Help:              "Holos Controller",
+			MachineSigningKey: SigningKey,
+			Args:              args,
+		})
+		if err != nil {
+			return errors.Wrap(fmt.Errorf("could not make machine room app: %w", err))
+		}
+
+		return app.Run(ctx)
+	}
+	return cmd
+}

internal/cli/create/create.go

@@ -1,9 +1,9 @@
 package create
 
 import (
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/cli/secret"
-	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/cli/secret"
+	"github.com/holos-run/holos/internal/holos"
 	"github.com/spf13/cobra"
 )
 

internal/cli/get/get.go

@@ -1,9 +1,9 @@
 package get
 
 import (
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/cli/secret"
-	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/cli/secret"
+	"github.com/holos-run/holos/internal/holos"
 	"github.com/spf13/cobra"
 )
 

internal/cli/kv/get.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 	"sort"
 
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/cli/secret"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/cli/secret"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/util"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

internal/cli/kv/kv.go

@@ -1,9 +1,9 @@
 package kv
 
 import (
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"

internal/cli/kv/list.go

@@ -1,10 +1,10 @@
 package kv
 
 import (
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/cli/secret"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/cli/secret"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

internal/cli/kv/put.go

@@ -11,11 +11,11 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/cli/secret"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/cli/secret"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/logger"
 	"github.com/spf13/cobra"
 	"golang.org/x/tools/txtar"
 	v1 "k8s.io/api/core/v1"

internal/cli/login/login.go

@@ -0,0 +1,48 @@
+package login
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log/slog"
+
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/token"
+	"github.com/spf13/cobra"
+)
+
+// New returns a new login command.
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("login")
+	cmd.Short = "log in by caching credentials"
+	var printClaims bool
+
+	config := token.NewConfig()
+	cmd.Flags().AddGoFlagSet(config.FlagSet())
+
+	fs := &flag.FlagSet{}
+	fs.BoolVar(&printClaims, "print-claims", false, "print id token claims")
+	cmd.Flags().AddGoFlagSet(fs)
+
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		ctx := c.Context()
+		if ctx == nil {
+			ctx = context.Background()
+		}
+		token, err := token.Get(ctx, cfg.Logger(), config)
+		if err != nil {
+			slog.Error("could not get token", "err", err)
+			return fmt.Errorf("could not get token: %w", err)
+		}
+
+		claims := token.Claims()
+		slog.Info("logged in as "+claims.Email, "name", claims.Name, "exp", token.Expiry, "email", claims.Email)
+		if printClaims {
+			fmt.Fprintln(cmd.OutOrStdout(), token.Pretty)
+		}
+		return nil
+	}
+
+	return cmd
+}

internal/cli/logout/logout.go

@@ -0,0 +1,25 @@
+package logout
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/token"
+	"github.com/spf13/cobra"
+)
+
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("logout")
+	cmd.Short = "log out by deleting cached credentials"
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		if err := os.RemoveAll(token.CacheDir); err != nil {
+			return errors.Wrap(fmt.Errorf("could not logout: %w", err))
+		}
+		cfg.Logger().Info("logged out: removed " + token.CacheDir)
+		return nil
+	}
+	return cmd
+}

internal/cli/main.go

@@ -6,8 +6,8 @@ import (
 	"log/slog"
 
 	cue "cuelang.org/go/cue/errors"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
 )
 
 // MakeMain makes a main function for the cli or tests.

internal/cli/preflight/gh.go

@@ -5,9 +5,9 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/util"
 )
 
 type ghAuthStatusResponse string

internal/cli/preflight/preflight.go

@@ -5,9 +5,9 @@ import (
 
 	"github.com/spf13/cobra"
 
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/logger"
 )
 
 // Config holds configuration parameters for preflight checks.

internal/cli/render/render.go

@@ -3,11 +3,11 @@ package render
 import (
 	"fmt"
 
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/internal/builder"
-	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/internal/builder"
+	"github.com/holos-run/holos/internal/logger"
 	"github.com/spf13/cobra"
 )
 
@@ -18,7 +18,7 @@ func makeRenderRunFunc(cfg *holos.Config) command.RunFunc {
 		}
 
 		ctx := cmd.Context()
-		log := logger.FromContext(ctx)
+		log := logger.FromContext(ctx).With("cluster", cfg.ClusterName())
 		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
 		results, err := build.Run(cmd.Context())
 		if err != nil {

internal/cli/root.go

@@ -7,16 +7,20 @@ import (
 
 	"github.com/holos-run/holos/internal/server"
 
-	"github.com/holos-run/holos/pkg/cli/build"
-	"github.com/holos-run/holos/pkg/cli/create"
-	"github.com/holos-run/holos/pkg/cli/get"
-	"github.com/holos-run/holos/pkg/cli/kv"
-	"github.com/holos-run/holos/pkg/cli/preflight"
-	"github.com/holos-run/holos/pkg/cli/render"
-	"github.com/holos-run/holos/pkg/cli/txtar"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/version"
+	"github.com/holos-run/holos/internal/cli/build"
+	"github.com/holos-run/holos/internal/cli/controller"
+	"github.com/holos-run/holos/internal/cli/create"
+	"github.com/holos-run/holos/internal/cli/get"
+	"github.com/holos-run/holos/internal/cli/kv"
+	"github.com/holos-run/holos/internal/cli/login"
+	"github.com/holos-run/holos/internal/cli/logout"
+	"github.com/holos-run/holos/internal/cli/preflight"
+	"github.com/holos-run/holos/internal/cli/render"
+	"github.com/holos-run/holos/internal/cli/token"
+	"github.com/holos-run/holos/internal/cli/txtar"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/version"
 )
 
 // New returns a new root *cobra.Command for command line execution.
@@ -56,6 +60,9 @@ func New(cfg *holos.Config) *cobra.Command {
 	rootCmd.AddCommand(get.New(cfg))
 	rootCmd.AddCommand(create.New(cfg))
 	rootCmd.AddCommand(preflight.New(cfg))
+	rootCmd.AddCommand(login.New(cfg))
+	rootCmd.AddCommand(logout.New(cfg))
+	rootCmd.AddCommand(token.New(cfg))
 
 	// Maybe not needed?
 	rootCmd.AddCommand(txtar.New(cfg))
@@ -66,5 +73,8 @@ func New(cfg *holos.Config) *cobra.Command {
 	// Server
 	rootCmd.AddCommand(server.New(cfg))
 
+	// Controller
+	rootCmd.AddCommand(controller.New(cfg))
+
 	return rootCmd
 }

internal/cli/root_test.go

@@ -2,12 +2,13 @@ package cli
 
 import (
 	"bytes"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/version"
-	"github.com/spf13/cobra"
 	"strings"
 	"testing"
+
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/version"
+	"github.com/spf13/cobra"
 )
 
 func newCommand() (*cobra.Command, *bytes.Buffer) {

internal/cli/secret/create.go

@@ -9,10 +9,10 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/logger"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

internal/cli/secret/get.go

@@ -8,11 +8,11 @@ import (
 	"path/filepath"
 	"sort"
 
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/util"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

internal/cli/secret/secret.go

@@ -1,7 +1,7 @@
 package secret
 
 import (
-	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/internal/holos"
 	"github.com/spf13/pflag"
 )
 

internal/cli/secret/secret_test.go

@@ -1,15 +1,16 @@
 package secret_test
 
 import (
-	"github.com/holos-run/holos/pkg/cli"
-	"github.com/holos-run/holos/pkg/holos"
+	"testing"
+	"time"
+
+	"github.com/holos-run/holos/internal/cli"
+	"github.com/holos-run/holos/internal/holos"
 	"github.com/rogpeppe/go-internal/testscript"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
-	"testing"
-	"time"
 )
 
 const clientsetKey = "clientset"

internal/cli/token/token.go

@@ -0,0 +1,44 @@
+package token
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log/slog"
+
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/token"
+	"github.com/spf13/cobra"
+)
+
+// New returns a new login command.
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("token")
+	cmd.Short = "write id token to stdout"
+	cmd.Long = "Useful with curl / grpcurl -H $(holos token)"
+
+	config := token.NewConfig()
+	cmd.Flags().AddGoFlagSet(config.FlagSet())
+
+	fs := &flag.FlagSet{}
+	cmd.Flags().AddGoFlagSet(fs)
+
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		ctx := c.Context()
+		if ctx == nil {
+			ctx = context.Background()
+		}
+		token, err := token.Get(ctx, cfg.Logger(), config)
+		if err != nil {
+			slog.Error("could not get token", "err", err)
+			return fmt.Errorf("could not get token: %w", err)
+		}
+
+		fmt.Fprintf(cmd.OutOrStdout(), token.Bearer)
+
+		return nil
+	}
+
+	return cmd
+}

internal/cli/txtar/txtar.go

@@ -8,10 +8,10 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/holos-run/holos/pkg/cli/command"
-	"github.com/holos-run/holos/pkg/errors"
-	"github.com/holos-run/holos/pkg/holos"
-	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/util"
 	"github.com/spf13/cobra"
 	"golang.org/x/tools/txtar"
 )

internal/ent/client.go

@@ -16,8 +16,8 @@ import (
 	"entgo.io/ent/dialect"
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/holos-run/holos/internal/ent/organization"
 	"github.com/holos-run/holos/internal/ent/user"
-	"github.com/holos-run/holos/internal/ent/useridentity"
 )
 
 // Client is the client that holds all ent builders.
@@ -25,10 +25,10 @@ type Client struct {
 	config
 	// Schema is the client for creating, migrating and dropping schema.
 	Schema *migrate.Schema
+	// Organization is the client for interacting with the Organization builders.
+	Organization *OrganizationClient
 	// User is the client for interacting with the User builders.
 	User *UserClient
-	// UserIdentity is the client for interacting with the UserIdentity builders.
-	UserIdentity *UserIdentityClient
 }
 
 // NewClient creates a new client configured with the given options.
@@ -40,8 +40,8 @@ func NewClient(opts ...Option) *Client {
 
 func (c *Client) init() {
 	c.Schema = migrate.NewSchema(c.driver)
+	c.Organization = NewOrganizationClient(c.config)
 	c.User = NewUserClient(c.config)
-	c.UserIdentity = NewUserIdentityClient(c.config)
 }
 
 type (
@@ -134,8 +134,8 @@ func (c *Client) Tx(ctx context.Context) (*Tx, error) {
 	return &Tx{
 		ctx:          ctx,
 		config:       cfg,
+		Organization: NewOrganizationClient(cfg),
 		User:         NewUserClient(cfg),
-		UserIdentity: NewUserIdentityClient(cfg),
 	}, nil
 }
 
@@ -155,15 +155,15 @@ func (c *Client) BeginTx(ctx context.Context, opts *sql.TxOptions) (*Tx, error)
 	return &Tx{
 		ctx:          ctx,
 		config:       cfg,
+		Organization: NewOrganizationClient(cfg),
 		User:         NewUserClient(cfg),
-		UserIdentity: NewUserIdentityClient(cfg),
 	}, nil
 }
 
 // Debug returns a new debug-client. It's used to get verbose logging on specific operations.
 //
 //	client.Debug().
-//		User.
+//		Organization.
 //		Query().
 //		Count(ctx)
 func (c *Client) Debug() *Client {
@@ -185,29 +185,194 @@ func (c *Client) Close() error {
 // Use adds the mutation hooks to all the entity clients.
 // In order to add hooks to a specific client, call: `client.Node.Use(...)`.
 func (c *Client) Use(hooks ...Hook) {
+	c.Organization.Use(hooks...)
 	c.User.Use(hooks...)
-	c.UserIdentity.Use(hooks...)
 }
 
 // Intercept adds the query interceptors to all the entity clients.
 // In order to add interceptors to a specific client, call: `client.Node.Intercept(...)`.
 func (c *Client) Intercept(interceptors ...Interceptor) {
+	c.Organization.Intercept(interceptors...)
 	c.User.Intercept(interceptors...)
-	c.UserIdentity.Intercept(interceptors...)
 }
 
 // Mutate implements the ent.Mutator interface.
 func (c *Client) Mutate(ctx context.Context, m Mutation) (Value, error) {
 	switch m := m.(type) {
+	case *OrganizationMutation:
+		return c.Organization.mutate(ctx, m)
 	case *UserMutation:
 		return c.User.mutate(ctx, m)
-	case *UserIdentityMutation:
-		return c.UserIdentity.mutate(ctx, m)
 	default:
 		return nil, fmt.Errorf("ent: unknown mutation type %T", m)
 	}
 }
 
+// OrganizationClient is a client for the Organization schema.
+type OrganizationClient struct {
+	config
+}
+
+// NewOrganizationClient returns a client for the Organization from the given config.
+func NewOrganizationClient(c config) *OrganizationClient {
+	return &OrganizationClient{config: c}
+}
+
+// Use adds a list of mutation hooks to the hooks stack.
+// A call to `Use(f, g, h)` equals to `organization.Hooks(f(g(h())))`.
+func (c *OrganizationClient) Use(hooks ...Hook) {
+	c.hooks.Organization = append(c.hooks.Organization, hooks...)
+}
+
+// Intercept adds a list of query interceptors to the interceptors stack.
+// A call to `Intercept(f, g, h)` equals to `organization.Intercept(f(g(h())))`.
+func (c *OrganizationClient) Intercept(interceptors ...Interceptor) {
+	c.inters.Organization = append(c.inters.Organization, interceptors...)
+}
+
+// Create returns a builder for creating a Organization entity.
+func (c *OrganizationClient) Create() *OrganizationCreate {
+	mutation := newOrganizationMutation(c.config, OpCreate)
+	return &OrganizationCreate{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// CreateBulk returns a builder for creating a bulk of Organization entities.
+func (c *OrganizationClient) CreateBulk(builders ...*OrganizationCreate) *OrganizationCreateBulk {
+	return &OrganizationCreateBulk{config: c.config, builders: builders}
+}
+
+// MapCreateBulk creates a bulk creation builder from the given slice. For each item in the slice, the function creates
+// a builder and applies setFunc on it.
+func (c *OrganizationClient) MapCreateBulk(slice any, setFunc func(*OrganizationCreate, int)) *OrganizationCreateBulk {
+	rv := reflect.ValueOf(slice)
+	if rv.Kind() != reflect.Slice {
+		return &OrganizationCreateBulk{err: fmt.Errorf("calling to OrganizationClient.MapCreateBulk with wrong type %T, need slice", slice)}
+	}
+	builders := make([]*OrganizationCreate, rv.Len())
+	for i := 0; i < rv.Len(); i++ {
+		builders[i] = c.Create()
+		setFunc(builders[i], i)
+	}
+	return &OrganizationCreateBulk{config: c.config, builders: builders}
+}
+
+// Update returns an update builder for Organization.
+func (c *OrganizationClient) Update() *OrganizationUpdate {
+	mutation := newOrganizationMutation(c.config, OpUpdate)
+	return &OrganizationUpdate{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// UpdateOne returns an update builder for the given entity.
+func (c *OrganizationClient) UpdateOne(o *Organization) *OrganizationUpdateOne {
+	mutation := newOrganizationMutation(c.config, OpUpdateOne, withOrganization(o))
+	return &OrganizationUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// UpdateOneID returns an update builder for the given id.
+func (c *OrganizationClient) UpdateOneID(id uuid.UUID) *OrganizationUpdateOne {
+	mutation := newOrganizationMutation(c.config, OpUpdateOne, withOrganizationID(id))
+	return &OrganizationUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// Delete returns a delete builder for Organization.
+func (c *OrganizationClient) Delete() *OrganizationDelete {
+	mutation := newOrganizationMutation(c.config, OpDelete)
+	return &OrganizationDelete{config: c.config, hooks: c.Hooks(), mutation: mutation}
+}
+
+// DeleteOne returns a builder for deleting the given entity.
+func (c *OrganizationClient) DeleteOne(o *Organization) *OrganizationDeleteOne {
+	return c.DeleteOneID(o.ID)
+}
+
+// DeleteOneID returns a builder for deleting the given entity by its id.
+func (c *OrganizationClient) DeleteOneID(id uuid.UUID) *OrganizationDeleteOne {
+	builder := c.Delete().Where(organization.ID(id))
+	builder.mutation.id = &id
+	builder.mutation.op = OpDeleteOne
+	return &OrganizationDeleteOne{builder}
+}
+
+// Query returns a query builder for Organization.
+func (c *OrganizationClient) Query() *OrganizationQuery {
+	return &OrganizationQuery{
+		config: c.config,
+		ctx:    &QueryContext{Type: TypeOrganization},
+		inters: c.Interceptors(),
+	}
+}
+
+// Get returns a Organization entity by its id.
+func (c *OrganizationClient) Get(ctx context.Context, id uuid.UUID) (*Organization, error) {
+	return c.Query().Where(organization.ID(id)).Only(ctx)
+}
+
+// GetX is like Get, but panics if an error occurs.
+func (c *OrganizationClient) GetX(ctx context.Context, id uuid.UUID) *Organization {
+	obj, err := c.Get(ctx, id)
+	if err != nil {
+		panic(err)
+	}
+	return obj
+}
+
+// QueryCreator queries the creator edge of a Organization.
+func (c *OrganizationClient) QueryCreator(o *Organization) *UserQuery {
+	query := (&UserClient{config: c.config}).Query()
+	query.path = func(context.Context) (fromV *sql.Selector, _ error) {
+		id := o.ID
+		step := sqlgraph.NewStep(
+			sqlgraph.From(organization.Table, organization.FieldID, id),
+			sqlgraph.To(user.Table, user.FieldID),
+			sqlgraph.Edge(sqlgraph.M2O, false, organization.CreatorTable, organization.CreatorColumn),
+		)
+		fromV = sqlgraph.Neighbors(o.driver.Dialect(), step)
+		return fromV, nil
+	}
+	return query
+}
+
+// QueryUsers queries the users edge of a Organization.
+func (c *OrganizationClient) QueryUsers(o *Organization) *UserQuery {
+	query := (&UserClient{config: c.config}).Query()
+	query.path = func(context.Context) (fromV *sql.Selector, _ error) {
+		id := o.ID
+		step := sqlgraph.NewStep(
+			sqlgraph.From(organization.Table, organization.FieldID, id),
+			sqlgraph.To(user.Table, user.FieldID),
+			sqlgraph.Edge(sqlgraph.M2M, false, organization.UsersTable, organization.UsersPrimaryKey...),
+		)
+		fromV = sqlgraph.Neighbors(o.driver.Dialect(), step)
+		return fromV, nil
+	}
+	return query
+}
+
+// Hooks returns the client hooks.
+func (c *OrganizationClient) Hooks() []Hook {
+	return c.hooks.Organization
+}
+
+// Interceptors returns the client interceptors.
+func (c *OrganizationClient) Interceptors() []Interceptor {
+	return c.inters.Organization
+}
+
+func (c *OrganizationClient) mutate(ctx context.Context, m *OrganizationMutation) (Value, error) {
+	switch m.Op() {
+	case OpCreate:
+		return (&OrganizationCreate{config: c.config, hooks: c.Hooks(), mutation: m}).Save(ctx)
+	case OpUpdate:
+		return (&OrganizationUpdate{config: c.config, hooks: c.Hooks(), mutation: m}).Save(ctx)
+	case OpUpdateOne:
+		return (&OrganizationUpdateOne{config: c.config, hooks: c.Hooks(), mutation: m}).Save(ctx)
+	case OpDelete, OpDeleteOne:
+		return (&OrganizationDelete{config: c.config, hooks: c.Hooks(), mutation: m}).Exec(ctx)
+	default:
+		return nil, fmt.Errorf("ent: unknown Organization mutation op: %q", m.Op())
+	}
+}
+
 // UserClient is a client for the User schema.
 type UserClient struct {
 	config
@@ -316,15 +481,15 @@ func (c *UserClient) GetX(ctx context.Context, id uuid.UUID) *User {
 	return obj
 }
 
-// QueryIdentities queries the identities edge of a User.
-func (c *UserClient) QueryIdentities(u *User) *UserIdentityQuery {
-	query := (&UserIdentityClient{config: c.config}).Query()
+// QueryOrganizations queries the organizations edge of a User.
+func (c *UserClient) QueryOrganizations(u *User) *OrganizationQuery {
+	query := (&OrganizationClient{config: c.config}).Query()
 	query.path = func(context.Context) (fromV *sql.Selector, _ error) {
 		id := u.ID
 		step := sqlgraph.NewStep(
 			sqlgraph.From(user.Table, user.FieldID, id),
-			sqlgraph.To(useridentity.Table, useridentity.FieldID),
-			sqlgraph.Edge(sqlgraph.O2M, false, user.IdentitiesTable, user.IdentitiesColumn),
+			sqlgraph.To(organization.Table, organization.FieldID),
+			sqlgraph.Edge(sqlgraph.M2M, true, user.OrganizationsTable, user.OrganizationsPrimaryKey...),
 		)
 		fromV = sqlgraph.Neighbors(u.driver.Dialect(), step)
 		return fromV, nil
@@ -357,161 +522,12 @@ func (c *UserClient) mutate(ctx context.Context, m *UserMutation) (Value, error)
 	}
 }
 
-// UserIdentityClient is a client for the UserIdentity schema.
-type UserIdentityClient struct {
-	config
-}
-
-// NewUserIdentityClient returns a client for the UserIdentity from the given config.
-func NewUserIdentityClient(c config) *UserIdentityClient {
-	return &UserIdentityClient{config: c}
-}
-
-// Use adds a list of mutation hooks to the hooks stack.
-// A call to `Use(f, g, h)` equals to `useridentity.Hooks(f(g(h())))`.
-func (c *UserIdentityClient) Use(hooks ...Hook) {
-	c.hooks.UserIdentity = append(c.hooks.UserIdentity, hooks...)
-}
-
-// Intercept adds a list of query interceptors to the interceptors stack.
-// A call to `Intercept(f, g, h)` equals to `useridentity.Intercept(f(g(h())))`.
-func (c *UserIdentityClient) Intercept(interceptors ...Interceptor) {
-	c.inters.UserIdentity = append(c.inters.UserIdentity, interceptors...)
-}
-
-// Create returns a builder for creating a UserIdentity entity.
-func (c *UserIdentityClient) Create() *UserIdentityCreate {
-	mutation := newUserIdentityMutation(c.config, OpCreate)
-	return &UserIdentityCreate{config: c.config, hooks: c.Hooks(), mutation: mutation}
-}
-
-// CreateBulk returns a builder for creating a bulk of UserIdentity entities.
-func (c *UserIdentityClient) CreateBulk(builders ...*UserIdentityCreate) *UserIdentityCreateBulk {
-	return &UserIdentityCreateBulk{config: c.config, builders: builders}
-}
-
-// MapCreateBulk creates a bulk creation builder from the given slice. For each item in the slice, the function creates
-// a builder and applies setFunc on it.
-func (c *UserIdentityClient) MapCreateBulk(slice any, setFunc func(*UserIdentityCreate, int)) *UserIdentityCreateBulk {
-	rv := reflect.ValueOf(slice)
-	if rv.Kind() != reflect.Slice {
-		return &UserIdentityCreateBulk{err: fmt.Errorf("calling to UserIdentityClient.MapCreateBulk with wrong type %T, need slice", slice)}
-	}
-	builders := make([]*UserIdentityCreate, rv.Len())
-	for i := 0; i < rv.Len(); i++ {
-		builders[i] = c.Create()
-		setFunc(builders[i], i)
-	}
-	return &UserIdentityCreateBulk{config: c.config, builders: builders}
-}
-
-// Update returns an update builder for UserIdentity.
-func (c *UserIdentityClient) Update() *UserIdentityUpdate {
-	mutation := newUserIdentityMutation(c.config, OpUpdate)
-	return &UserIdentityUpdate{config: c.config, hooks: c.Hooks(), mutation: mutation}
-}
-
-// UpdateOne returns an update builder for the given entity.
-func (c *UserIdentityClient) UpdateOne(ui *UserIdentity) *UserIdentityUpdateOne {
-	mutation := newUserIdentityMutation(c.config, OpUpdateOne, withUserIdentity(ui))
-	return &UserIdentityUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
-}
-
-// UpdateOneID returns an update builder for the given id.
-func (c *UserIdentityClient) UpdateOneID(id uuid.UUID) *UserIdentityUpdateOne {
-	mutation := newUserIdentityMutation(c.config, OpUpdateOne, withUserIdentityID(id))
-	return &UserIdentityUpdateOne{config: c.config, hooks: c.Hooks(), mutation: mutation}
-}
-
-// Delete returns a delete builder for UserIdentity.
-func (c *UserIdentityClient) Delete() *UserIdentityDelete {
-	mutation := newUserIdentityMutation(c.config, OpDelete)
-	return &UserIdentityDelete{config: c.config, hooks: c.Hooks(), mutation: mutation}
-}
-
-// DeleteOne returns a builder for deleting the given entity.
-func (c *UserIdentityClient) DeleteOne(ui *UserIdentity) *UserIdentityDeleteOne {
-	return c.DeleteOneID(ui.ID)
-}
-
-// DeleteOneID returns a builder for deleting the given entity by its id.
-func (c *UserIdentityClient) DeleteOneID(id uuid.UUID) *UserIdentityDeleteOne {
-	builder := c.Delete().Where(useridentity.ID(id))
-	builder.mutation.id = &id
-	builder.mutation.op = OpDeleteOne
-	return &UserIdentityDeleteOne{builder}
-}
-
-// Query returns a query builder for UserIdentity.
-func (c *UserIdentityClient) Query() *UserIdentityQuery {
-	return &UserIdentityQuery{
-		config: c.config,
-		ctx:    &QueryContext{Type: TypeUserIdentity},
-		inters: c.Interceptors(),
-	}
-}
-
-// Get returns a UserIdentity entity by its id.
-func (c *UserIdentityClient) Get(ctx context.Context, id uuid.UUID) (*UserIdentity, error) {
-	return c.Query().Where(useridentity.ID(id)).Only(ctx)
-}
-
-// GetX is like Get, but panics if an error occurs.
-func (c *UserIdentityClient) GetX(ctx context.Context, id uuid.UUID) *UserIdentity {
-	obj, err := c.Get(ctx, id)
-	if err != nil {
-		panic(err)
-	}
-	return obj
-}
-
-// QueryUser queries the user edge of a UserIdentity.
-func (c *UserIdentityClient) QueryUser(ui *UserIdentity) *UserQuery {
-	query := (&UserClient{config: c.config}).Query()
-	query.path = func(context.Context) (fromV *sql.Selector, _ error) {
-		id := ui.ID
-		step := sqlgraph.NewStep(
-			sqlgraph.From(useridentity.Table, useridentity.FieldID, id),
-			sqlgraph.To(user.Table, user.FieldID),
-			sqlgraph.Edge(sqlgraph.M2O, true, useridentity.UserTable, useridentity.UserColumn),
-		)
-		fromV = sqlgraph.Neighbors(ui.driver.Dialect(), step)
-		return fromV, nil
-	}
-	return query
-}
-
-// Hooks returns the client hooks.
-func (c *UserIdentityClient) Hooks() []Hook {
-	return c.hooks.UserIdentity
-}
-
-// Interceptors returns the client interceptors.
-func (c *UserIdentityClient) Interceptors() []Interceptor {
-	return c.inters.UserIdentity
-}
-
-func (c *UserIdentityClient) mutate(ctx context.Context, m *UserIdentityMutation) (Value, error) {
-	switch m.Op() {
-	case OpCreate:
-		return (&UserIdentityCreate{config: c.config, hooks: c.Hooks(), mutation: m}).Save(ctx)
-	case OpUpdate:
-		return (&UserIdentityUpdate{config: c.config, hooks: c.Hooks(), mutation: m}).Save(ctx)
-	case OpUpdateOne:
-		return (&UserIdentityUpdateOne{config: c.config, hooks: c.Hooks(), mutation: m}).Save(ctx)
-	case OpDelete, OpDeleteOne:
-		return (&UserIdentityDelete{config: c.config, hooks: c.Hooks(), mutation: m}).Exec(ctx)
-	default:
-		return nil, fmt.Errorf("ent: unknown UserIdentity mutation op: %q", m.Op())
-	}
-}
-
 // hooks and interceptors per client, for fast access.
 type (
 	hooks struct {
-		User, UserIdentity []ent.Hook
+		Organization, User []ent.Hook
 	}
 	inters struct {
-		User, UserIdentity []ent.Interceptor
+		Organization, User []ent.Interceptor
 	}
 )

internal/ent/ent.go

@@ -12,8 +12,8 @@ import (
 	"entgo.io/ent"
 	"entgo.io/ent/dialect/sql"
 	"entgo.io/ent/dialect/sql/sqlgraph"
+	"github.com/holos-run/holos/internal/ent/organization"
 	"github.com/holos-run/holos/internal/ent/user"
-	"github.com/holos-run/holos/internal/ent/useridentity"
 )
 
 // ent aliases to avoid import conflicts in user's code.
@@ -74,8 +74,8 @@ var (
 func checkColumn(table, column string) error {
 	initCheck.Do(func() {
 		columnCheck = sql.NewColumnCheck(map[string]func(string) bool{
+			organization.Table: organization.ValidColumn,
 			user.Table:         user.ValidColumn,
-			useridentity.Table: useridentity.ValidColumn,
 		})
 	})
 	return columnCheck(table, column)

internal/ent/generate.go

@@ -1,3 +1,3 @@
 package ent
 
-//go:generate go run -mod=mod entgo.io/ent/cmd/ent generate --feature sql/upsert ./schema
+//go:generate go run entgo.io/ent/cmd/ent generate --feature sql/upsert ./schema