From 37cba03e364448d507278df206b1656e49b5971e Mon Sep 17 00:00:00 2001
From: yeya24 <benye@amazon.com>
Date: Tue, 12 Aug 2025 14:03:03 -0700
Subject: [PATCH 1/3] downgrade gRPC server to v1.71.2

Signed-off-by: yeya24 <benye@amazon.com>
---
 go.mod                                        |    6 +-
 go.sum                                        | 1259 ++++++++++++++++-
 pkg/util/grpcutil/health_check.go             |   13 -
 .../github.com/go-jose/go-jose/v4/.gitignore  |    2 -
 .../go-jose/go-jose/v4/.golangci.yml          |   53 -
 .../github.com/go-jose/go-jose/v4/.travis.yml |   33 -
 .../go-jose/go-jose/v4/CHANGELOG.md           |   96 --
 .../go-jose/go-jose/v4/CONTRIBUTING.md        |    9 -
 vendor/github.com/go-jose/go-jose/v4/LICENSE  |  202 ---
 .../github.com/go-jose/go-jose/v4/README.md   |  106 --
 .../github.com/go-jose/go-jose/v4/SECURITY.md |   13 -
 .../go-jose/go-jose/v4/asymmetric.go          |  595 --------
 .../go-jose/go-jose/v4/cipher/cbc_hmac.go     |  196 ---
 .../go-jose/go-jose/v4/cipher/concat_kdf.go   |   75 -
 .../go-jose/go-jose/v4/cipher/ecdh_es.go      |   86 --
 .../go-jose/go-jose/v4/cipher/key_wrap.go     |  109 --
 .../github.com/go-jose/go-jose/v4/crypter.go  |  599 --------
 vendor/github.com/go-jose/go-jose/v4/doc.go   |   25 -
 .../github.com/go-jose/go-jose/v4/encoding.go |  228 ---
 .../go-jose/go-jose/v4/json/LICENSE           |   27 -
 .../go-jose/go-jose/v4/json/README.md         |   13 -
 .../go-jose/go-jose/v4/json/decode.go         | 1216 ----------------
 .../go-jose/go-jose/v4/json/encode.go         | 1197 ----------------
 .../go-jose/go-jose/v4/json/indent.go         |  141 --
 .../go-jose/go-jose/v4/json/scanner.go        |  623 --------
 .../go-jose/go-jose/v4/json/stream.go         |  484 -------
 .../go-jose/go-jose/v4/json/tags.go           |   44 -
 vendor/github.com/go-jose/go-jose/v4/jwe.go   |  382 -----
 vendor/github.com/go-jose/go-jose/v4/jwk.go   |  823 -----------
 vendor/github.com/go-jose/go-jose/v4/jws.go   |  422 ------
 .../github.com/go-jose/go-jose/v4/opaque.go   |  147 --
 .../github.com/go-jose/go-jose/v4/shared.go   |  531 -------
 .../github.com/go-jose/go-jose/v4/signing.go  |  505 -------
 .../go-jose/go-jose/v4/symmetric.go           |  517 -------
 vendor/github.com/spiffe/go-spiffe/v2/LICENSE |  201 ---
 .../go-spiffe/v2/bundle/jwtbundle/bundle.go   |  200 ---
 .../go-spiffe/v2/bundle/jwtbundle/doc.go      |   43 -
 .../go-spiffe/v2/bundle/jwtbundle/set.go      |  105 --
 .../go-spiffe/v2/bundle/jwtbundle/source.go   |   12 -
 .../v2/bundle/spiffebundle/bundle.go          |  485 -------
 .../go-spiffe/v2/bundle/spiffebundle/doc.go   |   59 -
 .../go-spiffe/v2/bundle/spiffebundle/set.go   |  135 --
 .../v2/bundle/spiffebundle/source.go          |   10 -
 .../go-spiffe/v2/bundle/x509bundle/bundle.go  |  202 ---
 .../go-spiffe/v2/bundle/x509bundle/doc.go     |   42 -
 .../go-spiffe/v2/bundle/x509bundle/set.go     |  105 --
 .../go-spiffe/v2/bundle/x509bundle/source.go  |   12 -
 .../go-spiffe/v2/internal/cryptoutil/keys.go  |   34 -
 .../go-spiffe/v2/internal/jwtutil/util.go     |   34 -
 .../go-spiffe/v2/internal/pemutil/pem.go      |  123 --
 .../go-spiffe/v2/internal/x509util/util.go    |   53 -
 .../v2/spiffeid/charset_backcompat_allow.go   |   42 -
 .../v2/spiffeid/charset_backcompat_deny.go    |   12 -
 .../spiffe/go-spiffe/v2/spiffeid/errors.go    |   15 -
 .../spiffe/go-spiffe/v2/spiffeid/id.go        |  258 ----
 .../spiffe/go-spiffe/v2/spiffeid/match.go     |   47 -
 .../spiffe/go-spiffe/v2/spiffeid/path.go      |  107 --
 .../spiffe/go-spiffe/v2/spiffeid/require.go   |  103 --
 .../go-spiffe/v2/spiffeid/trustdomain.go      |  127 --
 vendor/github.com/zeebo/errs/.gitignore       |    1 -
 vendor/github.com/zeebo/errs/AUTHORS          |    5 -
 vendor/github.com/zeebo/errs/LICENSE          |   21 -
 vendor/github.com/zeebo/errs/README.md        |  235 ---
 vendor/github.com/zeebo/errs/errs.go          |  298 ----
 vendor/github.com/zeebo/errs/group.go         |   85 --
 vendor/github.com/zeebo/errs/is_go1.20.go     |    8 -
 vendor/github.com/zeebo/errs/is_go_other.go   |   17 -
 vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go   |   77 -
 vendor/google.golang.org/grpc/CONTRIBUTING.md |  129 +-
 vendor/google.golang.org/grpc/README.md       |    1 -
 .../grpc/balancer/base/balancer.go            |   12 +-
 .../endpointsharding/endpointsharding.go      |   20 +-
 .../grpclb/grpc_lb_v1/load_balancer.pb.go     |  152 +-
 .../balancer/grpclb/grpclb_remote_balancer.go |    5 +-
 .../balancer/leastrequest/leastrequest.go     |   34 +-
 .../pickfirst/pickfirstleaf/pickfirstleaf.go  |   43 +-
 .../grpc/balancer/ringhash/picker.go          |  124 --
 .../grpc/balancer/rls/balancer.go             |    1 +
 .../grpc/balancer/rls/config.go               |   28 +-
 .../balancer/weightedroundrobin/balancer.go   |   42 +-
 .../weightedroundrobin/weightedroundrobin.go  |   85 ++
 .../balancer/weightedtarget/weightedtarget.go |    1 +
 .../grpc_binarylog_v1/binarylog.pb.go         |  191 ++-
 .../channelz/grpc_channelz_v1/channelz.pb.go  |  753 ++++++----
 vendor/google.golang.org/grpc/clientconn.go   |   28 +-
 .../grpc/credentials/alts/alts.go             |   10 +-
 .../credentials/alts/internal/conn/common.go  |   16 +-
 .../credentials/alts/internal/conn/record.go  |   72 +-
 .../alts/internal/handshaker/handshaker.go    |    8 +-
 .../internal/handshaker/service/service.go    |   15 +-
 .../internal/proto/grpc_gcp/altscontext.pb.go |   63 +-
 .../internal/proto/grpc_gcp/handshaker.pb.go  |  412 +++---
 .../grpc_gcp/transport_security_common.pb.go  |  165 +--
 .../grpc/credentials/credentials.go           |   34 +-
 .../grpc/credentials/insecure/insecure.go     |    8 +-
 .../google.golang.org/grpc/credentials/tls.go |   16 -
 .../tls/certprovider/pemfile/builder.go       |   20 +-
 .../tls/certprovider/pemfile/watcher.go       |   59 +-
 .../credentials/tls/certprovider/provider.go  |    6 -
 vendor/google.golang.org/grpc/dialoptions.go  |    2 +-
 .../grpc/health/grpc_health_v1/health.pb.go   |  173 +--
 .../health/grpc_health_v1/health_grpc.pb.go   |   64 +-
 .../grpc/internal/balancer/weight/weight.go   |   66 -
 .../internal/balancergroup/balancergroup.go   |  121 +-
 .../grpc/internal/credentials/credentials.go  |   14 +
 .../internal/credentials/spiffe/spiffe.go     |  107 --
 .../credentials/xds/handshake_info.go         |   66 +-
 .../grpc/internal/envconfig/envconfig.go      |   26 +-
 .../grpc/internal/envconfig/xds.go            |    5 -
 .../grpc/internal/grpcsync/event.go           |   19 +-
 .../grpc/internal/internal.go                 |   20 -
 .../grpc/internal/metadata/metadata.go        |   26 +-
 .../internal/proto/grpc_lookup_v1/rls.pb.go   |   87 +-
 .../proto/grpc_lookup_v1/rls_config.pb.go     |  170 ++-
 .../delegatingresolver/delegatingresolver.go  |   49 +-
 .../grpc/internal/ringhash/ringhash.go        |   58 -
 .../grpc/internal/status/status.go            |    8 -
 .../grpc/internal/transport/client_stream.go  |    2 +-
 .../grpc/internal/transport/http2_client.go   |   30 +-
 .../grpc/internal/transport/http2_server.go   |   28 +-
 .../grpc/internal/transport/http_util.go      |    7 +-
 .../grpc/internal/transport/server_stream.go  |    6 +-
 .../grpc/internal/transport/transport.go      |    5 -
 .../grpc/internal/xds/bootstrap/bootstrap.go  |    2 +-
 .../internal/xds/bootstrap/tlscreds/bundle.go |   70 +-
 .../grpc/resolver/manual/manual.go            |   34 +-
 vendor/google.golang.org/grpc/resolver/map.go |   81 +-
 .../grpc/resolver/ringhash/attr.go            |   60 -
 vendor/google.golang.org/grpc/rpc_util.go     |   31 -
 .../google.golang.org/grpc/stats/handlers.go  |    9 -
 .../stats/opentelemetry/client_metrics.go     |  138 +-
 .../stats/opentelemetry/client_tracing.go     |   96 +-
 .../grpc/stats/opentelemetry/opentelemetry.go |   43 +-
 .../stats/opentelemetry/server_metrics.go     |   52 +-
 .../stats/opentelemetry/server_tracing.go     |   42 +-
 .../grpc/stats/opentelemetry/trace.go         |   24 +-
 vendor/google.golang.org/grpc/stats/stats.go  |   35 +-
 vendor/google.golang.org/grpc/stream.go       |   55 +-
 .../grpc/test/bufconn/bufconn.go              |    1 +
 vendor/google.golang.org/grpc/version.go      |    2 +-
 .../balancer/cdsbalancer/cdsbalancer.go       |  107 +-
 .../balancer/cdsbalancer/cluster_watcher.go   |   14 +-
 .../internal/balancer/clusterimpl/picker.go   |    6 +-
 .../balancer/clustermanager/clustermanager.go |    1 +
 .../clusterresolver/clusterresolver.go        |    7 +-
 .../balancer/clusterresolver/configbuilder.go |   19 +-
 .../clusterresolver/resource_resolver.go      |    8 +-
 .../clusterresolver/resource_resolver_eds.go  |   36 +-
 .../balancer/outlierdetection/balancer.go     |   24 +-
 .../internal/balancer/priority/balancer.go    |    4 +-
 .../internal}/balancer/ringhash/config.go     |   29 +-
 .../internal}/balancer/ringhash/logging.go    |    0
 .../xds/internal/balancer/ringhash/picker.go  |   65 +
 .../internal}/balancer/ringhash/ring.go       |   31 +-
 .../internal}/balancer/ringhash/ringhash.go   |  113 +-
 .../xds/internal/balancer/ringhash/util.go    |   40 +
 .../internal/balancer/wrrlocality/balancer.go |    6 +-
 .../grpc/xds/internal/internal.go             |   19 +-
 .../xds/internal/resolver/serviceconfig.go    |   62 +-
 .../xds/internal/resolver/watch_service.go    |   20 +-
 .../xds/internal/resolver/xds_resolver.go     |  109 +-
 .../xds/internal/server/listener_wrapper.go   |  120 +-
 .../grpc/xds/internal/server/rds_handler.go   |   51 +-
 .../grpc/xds/internal/xdsclient/authority.go  |   44 +-
 .../grpc/xds/internal/xdsclient/channel.go    |    4 +-
 .../grpc/xds/internal/xdsclient/clientimpl.go |   11 -
 .../internal/xdsclient/clientimpl_watchers.go |   14 +-
 .../xdsclient/transport/ads/ads_stream.go     |    2 +-
 .../xdsclient/transport/lrs/lrs_stream.go     |    6 +-
 .../xdslbregistry/converter/converter.go      |    5 +-
 .../xdsclient/xdslbregistry/xdslbregistry.go  |    2 +
 .../xdsresource/cluster_resource_type.go      |   45 +-
 .../xdsresource/endpoints_resource_type.go    |   45 +-
 .../internal/xdsclient/xdsresource/errors.go  |   19 +-
 .../xdsclient/xdsresource/filter_chain.go     |   19 +-
 .../xdsresource/listener_resource_type.go     |   46 +-
 .../internal/xdsclient/xdsresource/matcher.go |   11 +-
 .../xdsclient/xdsresource/resource_type.go    |   49 +-
 .../xdsresource/route_config_resource_type.go |   46 +-
 .../xdsclient/xdsresource/type_eds.go         |    1 -
 .../xdsclient/xdsresource/unmarshal_eds.go    |   22 +-
 .../xdsclient/xdsresource/unmarshal_lds.go    |    2 +-
 vendor/google.golang.org/grpc/xds/server.go   |   15 +-
 vendor/modules.txt                            |   30 +-
 184 files changed, 3792 insertions(+), 16114 deletions(-)
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/.gitignore
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/.golangci.yml
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/.travis.yml
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/LICENSE
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/README.md
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/SECURITY.md
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/asymmetric.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/crypter.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/doc.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/encoding.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/json/LICENSE
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/json/README.md
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/json/decode.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/json/encode.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/json/indent.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/json/scanner.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/json/stream.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/json/tags.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/jwe.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/jwk.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/jws.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/opaque.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/shared.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/signing.go
 delete mode 100644 vendor/github.com/go-jose/go-jose/v4/symmetric.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/LICENSE
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/doc.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/set.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/source.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/doc.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/source.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/bundle.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/doc.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/set.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/source.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/internal/cryptoutil/keys.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/internal/jwtutil/util.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/internal/pemutil/pem.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/internal/x509util/util.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/spiffeid/charset_backcompat_allow.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/spiffeid/charset_backcompat_deny.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/spiffeid/errors.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/spiffeid/id.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/spiffeid/match.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/spiffeid/path.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/spiffeid/require.go
 delete mode 100644 vendor/github.com/spiffe/go-spiffe/v2/spiffeid/trustdomain.go
 delete mode 100644 vendor/github.com/zeebo/errs/.gitignore
 delete mode 100644 vendor/github.com/zeebo/errs/AUTHORS
 delete mode 100644 vendor/github.com/zeebo/errs/LICENSE
 delete mode 100644 vendor/github.com/zeebo/errs/README.md
 delete mode 100644 vendor/github.com/zeebo/errs/errs.go
 delete mode 100644 vendor/github.com/zeebo/errs/group.go
 delete mode 100644 vendor/github.com/zeebo/errs/is_go1.20.go
 delete mode 100644 vendor/github.com/zeebo/errs/is_go_other.go
 delete mode 100644 vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
 delete mode 100644 vendor/google.golang.org/grpc/balancer/ringhash/picker.go
 create mode 100644 vendor/google.golang.org/grpc/balancer/weightedroundrobin/weightedroundrobin.go
 delete mode 100644 vendor/google.golang.org/grpc/internal/balancer/weight/weight.go
 delete mode 100644 vendor/google.golang.org/grpc/internal/credentials/spiffe/spiffe.go
 delete mode 100644 vendor/google.golang.org/grpc/internal/ringhash/ringhash.go
 delete mode 100644 vendor/google.golang.org/grpc/resolver/ringhash/attr.go
 rename vendor/google.golang.org/grpc/{ => xds/internal}/balancer/ringhash/config.go (67%)
 rename vendor/google.golang.org/grpc/{ => xds/internal}/balancer/ringhash/logging.go (100%)
 create mode 100644 vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/picker.go
 rename vendor/google.golang.org/grpc/{ => xds/internal}/balancer/ringhash/ring.go (88%)
 rename vendor/google.golang.org/grpc/{ => xds/internal}/balancer/ringhash/ringhash.go (78%)
 create mode 100644 vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/util.go

diff --git a/go.mod b/go.mod
index b4adb6e2987..29db2e6124e 100644
--- a/go.mod
+++ b/go.mod
@@ -150,7 +150,6 @@ require (
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/go-chi/chi/v5 v5.0.7 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -240,7 +239,6 @@ require (
 	github.com/shurcooL/vfsgen v0.0.0-20230704071429-0000e147ea92 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/soheilhy/cmux v0.1.5 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tinylib/msgp v1.3.0 // indirect
 	github.com/trivago/tgo v1.0.7 // indirect
@@ -249,7 +247,6 @@ require (
 	github.com/weaveworks/promrus v1.2.0 // indirect
 	github.com/xhit/go-str2duration/v2 v2.1.0 // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect
-	github.com/zeebo/errs v1.4.0 // indirect
 	go.mongodb.org/mongo-driver v1.17.4 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
@@ -326,3 +323,6 @@ replace github.com/google/gnostic => github.com/googleapis/gnostic v0.6.9
 // Same replace used by thanos: (may be removed in the future)
 // https://github.com/thanos-io/thanos/blob/fdeea3917591fc363a329cbe23af37c6fff0b5f0/go.mod#L265
 replace gopkg.in/alecthomas/kingpin.v2 => github.com/alecthomas/kingpin v1.3.8-0.20210301060133-17f40c25f497
+
+// Wait for fix for https://github.com/grpc/grpc-go/pull/8504.
+replace google.golang.org/grpc => google.golang.org/grpc v1.71.2
diff --git a/go.sum b/go.sum
index b18f8637c01..360c76bbb8a 100644
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,9 @@
+cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg=
+cel.dev/expr v0.16.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg=
+cel.dev/expr v0.19.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
+cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
 cel.dev/expr v0.23.1 h1:K4KOtPCJQjVggkARsjG9RWXP6O4R73aHeJMa/dmCQQg=
 cel.dev/expr v0.23.1/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
@@ -30,52 +33,753 @@ cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+Y
 cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
 cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
 cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
+cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U=
 cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
+cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
+cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
+cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA=
+cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM=
+cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I=
+cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
+cloud.google.com/go v0.110.2/go.mod h1:k04UEeEtb6ZBRTv3dZz4CeJC3jKGxyhl0sAiVVquxiw=
+cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
+cloud.google.com/go v0.110.6/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
 cloud.google.com/go v0.120.0 h1:wc6bgG9DHyKqF5/vQvX1CiZrtHnxJjBlKUyF9nP6meA=
 cloud.google.com/go v0.120.0/go.mod h1:/beW32s8/pGRuj4IILWQNd4uuebeT4dkOhKmkfit64Q=
+cloud.google.com/go/accessapproval v1.4.0/go.mod h1:zybIuC3KpDOvotz59lFe5qxRZx6C75OtwbisN56xYB4=
+cloud.google.com/go/accessapproval v1.5.0/go.mod h1:HFy3tuiGvMdcd/u+Cu5b9NkO1pEICJ46IR82PoUdplw=
+cloud.google.com/go/accessapproval v1.6.0/go.mod h1:R0EiYnwV5fsRFiKZkPHr6mwyk2wxUJ30nL4j2pcFY2E=
+cloud.google.com/go/accessapproval v1.7.1/go.mod h1:JYczztsHRMK7NTXb6Xw+dwbs/WnOJxbo/2mTI+Kgg68=
+cloud.google.com/go/accesscontextmanager v1.3.0/go.mod h1:TgCBehyr5gNMz7ZaH9xubp+CE8dkrszb4oK9CWyvD4o=
+cloud.google.com/go/accesscontextmanager v1.4.0/go.mod h1:/Kjh7BBu/Gh83sv+K60vN9QE5NJcd80sU33vIe2IFPE=
+cloud.google.com/go/accesscontextmanager v1.6.0/go.mod h1:8XCvZWfYw3K/ji0iVnp+6pu7huxoQTLmxAbVjbloTtM=
+cloud.google.com/go/accesscontextmanager v1.7.0/go.mod h1:CEGLewx8dwa33aDAZQujl7Dx+uYhS0eay198wB/VumQ=
+cloud.google.com/go/accesscontextmanager v1.8.0/go.mod h1:uI+AI/r1oyWK99NN8cQ3UK76AMelMzgZCvJfsi2c+ps=
+cloud.google.com/go/accesscontextmanager v1.8.1/go.mod h1:JFJHfvuaTC+++1iL1coPiG1eu5D24db2wXCDWDjIrxo=
+cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw=
+cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY=
+cloud.google.com/go/aiplatform v1.27.0/go.mod h1:Bvxqtl40l0WImSb04d0hXFU7gDOiq9jQmorivIiWcKg=
+cloud.google.com/go/aiplatform v1.35.0/go.mod h1:7MFT/vCaOyZT/4IIFfxH4ErVg/4ku6lKv3w0+tFTgXQ=
+cloud.google.com/go/aiplatform v1.36.1/go.mod h1:WTm12vJRPARNvJ+v6P52RDHCNe4AhvjcIZ/9/RRHy/k=
+cloud.google.com/go/aiplatform v1.37.0/go.mod h1:IU2Cv29Lv9oCn/9LkFiiuKfwrRTq+QQMbW+hPCxJGZw=
+cloud.google.com/go/aiplatform v1.45.0/go.mod h1:Iu2Q7sC7QGhXUeOhAj/oCK9a+ULz1O4AotZiqjQ8MYA=
+cloud.google.com/go/aiplatform v1.48.0/go.mod h1:Iu2Q7sC7QGhXUeOhAj/oCK9a+ULz1O4AotZiqjQ8MYA=
+cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI=
+cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4=
+cloud.google.com/go/analytics v0.17.0/go.mod h1:WXFa3WSym4IZ+JiKmavYdJwGG/CvpqiqczmL59bTD9M=
+cloud.google.com/go/analytics v0.18.0/go.mod h1:ZkeHGQlcIPkw0R/GW+boWHhCOR43xz9RN/jn7WcqfIE=
+cloud.google.com/go/analytics v0.19.0/go.mod h1:k8liqf5/HCnOUkbawNtrWWc+UAzyDlW89doe8TtoDsE=
+cloud.google.com/go/analytics v0.21.2/go.mod h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo=
+cloud.google.com/go/analytics v0.21.3/go.mod h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo=
+cloud.google.com/go/apigateway v1.3.0/go.mod h1:89Z8Bhpmxu6AmUxuVRg/ECRGReEdiP3vQtk4Z1J9rJk=
+cloud.google.com/go/apigateway v1.4.0/go.mod h1:pHVY9MKGaH9PQ3pJ4YLzoj6U5FUDeDFBllIz7WmzJoc=
+cloud.google.com/go/apigateway v1.5.0/go.mod h1:GpnZR3Q4rR7LVu5951qfXPJCHquZt02jf7xQx7kpqN8=
+cloud.google.com/go/apigateway v1.6.1/go.mod h1:ufAS3wpbRjqfZrzpvLC2oh0MFlpRJm2E/ts25yyqmXA=
+cloud.google.com/go/apigeeconnect v1.3.0/go.mod h1:G/AwXFAKo0gIXkPTVfZDd2qA1TxBXJ3MgMRBQkIi9jc=
+cloud.google.com/go/apigeeconnect v1.4.0/go.mod h1:kV4NwOKqjvt2JYR0AoIWo2QGfoRtn/pkS3QlHp0Ni04=
+cloud.google.com/go/apigeeconnect v1.5.0/go.mod h1:KFaCqvBRU6idyhSNyn3vlHXc8VMDJdRmwDF6JyFRqZ8=
+cloud.google.com/go/apigeeconnect v1.6.1/go.mod h1:C4awq7x0JpLtrlQCr8AzVIzAaYgngRqWf9S5Uhg+wWs=
+cloud.google.com/go/apigeeregistry v0.4.0/go.mod h1:EUG4PGcsZvxOXAdyEghIdXwAEi/4MEaoqLMLDMIwKXY=
+cloud.google.com/go/apigeeregistry v0.5.0/go.mod h1:YR5+s0BVNZfVOUkMa5pAR2xGd0A473vA5M7j247o1wM=
+cloud.google.com/go/apigeeregistry v0.6.0/go.mod h1:BFNzW7yQVLZ3yj0TKcwzb8n25CFBri51GVGOEUcgQsc=
+cloud.google.com/go/apigeeregistry v0.7.1/go.mod h1:1XgyjZye4Mqtw7T9TsY4NW10U7BojBvG4RMD+vRDrIw=
+cloud.google.com/go/apikeys v0.4.0/go.mod h1:XATS/yqZbaBK0HOssf+ALHp8jAlNHUgyfprvNcBIszU=
+cloud.google.com/go/apikeys v0.5.0/go.mod h1:5aQfwY4D+ewMMWScd3hm2en3hCj+BROlyrt3ytS7KLI=
+cloud.google.com/go/apikeys v0.6.0/go.mod h1:kbpXu5upyiAlGkKrJgQl8A0rKNNJ7dQ377pdroRSSi8=
+cloud.google.com/go/appengine v1.4.0/go.mod h1:CS2NhuBuDXM9f+qscZ6V86m1MIIqPj3WC/UoEuR1Sno=
+cloud.google.com/go/appengine v1.5.0/go.mod h1:TfasSozdkFI0zeoxW3PTBLiNqRmzraodCWatWI9Dmak=
+cloud.google.com/go/appengine v1.6.0/go.mod h1:hg6i0J/BD2cKmDJbaFSYHFyZkgBEfQrDg/X0V5fJn84=
+cloud.google.com/go/appengine v1.7.0/go.mod h1:eZqpbHFCqRGa2aCdope7eC0SWLV1j0neb/QnMJVWx6A=
+cloud.google.com/go/appengine v1.7.1/go.mod h1:IHLToyb/3fKutRysUlFO0BPt5j7RiQ45nrzEJmKTo6E=
+cloud.google.com/go/appengine v1.8.1/go.mod h1:6NJXGLVhZCN9aQ/AEDvmfzKEfoYBlfB80/BHiKVputY=
+cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4=
+cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0=
+cloud.google.com/go/area120 v0.7.0/go.mod h1:a3+8EUD1SX5RUcCs3MY5YasiO1z6yLiNLRiFrykbynY=
+cloud.google.com/go/area120 v0.7.1/go.mod h1:j84i4E1RboTWjKtZVWXPqvK5VHQFJRF2c1Nm69pWm9k=
+cloud.google.com/go/area120 v0.8.1/go.mod h1:BVfZpGpB7KFVNxPiQBuHkX6Ed0rS51xIgmGyjrAfzsg=
+cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ=
+cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk=
+cloud.google.com/go/artifactregistry v1.8.0/go.mod h1:w3GQXkJX8hiKN0v+at4b0qotwijQbYUqF2GWkZzAhC0=
+cloud.google.com/go/artifactregistry v1.9.0/go.mod h1:2K2RqvA2CYvAeARHRkLDhMDJ3OXy26h3XW+3/Jh2uYc=
+cloud.google.com/go/artifactregistry v1.11.1/go.mod h1:lLYghw+Itq9SONbCa1YWBoWs1nOucMH0pwXN1rOBZFI=
+cloud.google.com/go/artifactregistry v1.11.2/go.mod h1:nLZns771ZGAwVLzTX/7Al6R9ehma4WUEhZGWV6CeQNQ=
+cloud.google.com/go/artifactregistry v1.12.0/go.mod h1:o6P3MIvtzTOnmvGagO9v/rOjjA0HmhJ+/6KAXrmYDCI=
+cloud.google.com/go/artifactregistry v1.13.0/go.mod h1:uy/LNfoOIivepGhooAUpL1i30Hgee3Cu0l4VTWHUC08=
+cloud.google.com/go/artifactregistry v1.14.1/go.mod h1:nxVdG19jTaSTu7yA7+VbWL346r3rIdkZ142BSQqhn5E=
+cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o=
+cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s=
+cloud.google.com/go/asset v1.8.0/go.mod h1:mUNGKhiqIdbr8X7KNayoYvyc4HbbFO9URsjbytpUaW0=
+cloud.google.com/go/asset v1.9.0/go.mod h1:83MOE6jEJBMqFKadM9NLRcs80Gdw76qGuHn8m3h8oHQ=
+cloud.google.com/go/asset v1.10.0/go.mod h1:pLz7uokL80qKhzKr4xXGvBQXnzHn5evJAEAtZiIb0wY=
+cloud.google.com/go/asset v1.11.1/go.mod h1:fSwLhbRvC9p9CXQHJ3BgFeQNM4c9x10lqlrdEUYXlJo=
+cloud.google.com/go/asset v1.12.0/go.mod h1:h9/sFOa4eDIyKmH6QMpm4eUK3pDojWnUhTgJlk762Hg=
+cloud.google.com/go/asset v1.13.0/go.mod h1:WQAMyYek/b7NBpYq/K4KJWcRqzoalEsxz/t/dTk4THw=
+cloud.google.com/go/asset v1.14.1/go.mod h1:4bEJ3dnHCqWCDbWJ/6Vn7GVI9LerSi7Rfdi03hd+WTQ=
+cloud.google.com/go/assuredworkloads v1.5.0/go.mod h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY=
+cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw=
+cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI=
+cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo=
+cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0=
+cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E=
+cloud.google.com/go/assuredworkloads v1.11.1/go.mod h1:+F04I52Pgn5nmPG36CWFtxmav6+7Q+c5QyJoL18Lry0=
 cloud.google.com/go/auth v0.16.2 h1:QvBAGFPLrDeoiNjyfVunhQ10HKNYuOwZ5noee0M5df4=
 cloud.google.com/go/auth v0.16.2/go.mod h1:sRBas2Y1fB1vZTdurouM0AzuYQBMZinrUYL8EufhtEA=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
+cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0=
+cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8=
+cloud.google.com/go/automl v1.7.0/go.mod h1:RL9MYCCsJEOmt0Wf3z9uzG0a7adTT1fe+aObgSpkCt8=
+cloud.google.com/go/automl v1.8.0/go.mod h1:xWx7G/aPEe/NP+qzYXktoBSDfjO+vnKMGgsApGJJquM=
+cloud.google.com/go/automl v1.12.0/go.mod h1:tWDcHDp86aMIuHmyvjuKeeHEGq76lD7ZqfGLN6B0NuU=
+cloud.google.com/go/automl v1.13.1/go.mod h1:1aowgAHWYZU27MybSCFiukPO7xnyawv7pt3zK4bheQE=
+cloud.google.com/go/baremetalsolution v0.3.0/go.mod h1:XOrocE+pvK1xFfleEnShBlNAXf+j5blPPxrhjKgnIFc=
+cloud.google.com/go/baremetalsolution v0.4.0/go.mod h1:BymplhAadOO/eBa7KewQ0Ppg4A4Wplbn+PsFKRLo0uI=
+cloud.google.com/go/baremetalsolution v0.5.0/go.mod h1:dXGxEkmR9BMwxhzBhV0AioD0ULBmuLZI8CdwalUxuss=
+cloud.google.com/go/baremetalsolution v1.1.1/go.mod h1:D1AV6xwOksJMV4OSlWHtWuFNZZYujJknMAP4Qa27QIA=
+cloud.google.com/go/batch v0.3.0/go.mod h1:TR18ZoAekj1GuirsUsR1ZTKN3FC/4UDnScjT8NXImFE=
+cloud.google.com/go/batch v0.4.0/go.mod h1:WZkHnP43R/QCGQsZ+0JyG4i79ranE2u8xvjq/9+STPE=
+cloud.google.com/go/batch v0.7.0/go.mod h1:vLZN95s6teRUqRQ4s3RLDsH8PvboqBK+rn1oevL159g=
+cloud.google.com/go/batch v1.3.1/go.mod h1:VguXeQKXIYaeeIYbuozUmBR13AfL4SJP7IltNPS+A4A=
+cloud.google.com/go/beyondcorp v0.2.0/go.mod h1:TB7Bd+EEtcw9PCPQhCJtJGjk/7TC6ckmnSFS+xwTfm4=
+cloud.google.com/go/beyondcorp v0.3.0/go.mod h1:E5U5lcrcXMsCuoDNyGrpyTm/hn7ne941Jz2vmksAxW8=
+cloud.google.com/go/beyondcorp v0.4.0/go.mod h1:3ApA0mbhHx6YImmuubf5pyW8srKnCEPON32/5hj+RmM=
+cloud.google.com/go/beyondcorp v0.5.0/go.mod h1:uFqj9X+dSfrheVp7ssLTaRHd2EHqSL4QZmH4e8WXGGU=
+cloud.google.com/go/beyondcorp v0.6.1/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4=
+cloud.google.com/go/beyondcorp v1.0.0/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA=
+cloud.google.com/go/bigquery v1.43.0/go.mod h1:ZMQcXHsl+xmU1z36G2jNGZmKp9zNY5BUua5wDgmNCfw=
+cloud.google.com/go/bigquery v1.44.0/go.mod h1:0Y33VqXTEsbamHJvJHdFmtqHvMIY28aK1+dFsvaChGc=
+cloud.google.com/go/bigquery v1.47.0/go.mod h1:sA9XOgy0A8vQK9+MWhEQTY6Tix87M/ZurWFIxmF9I/E=
+cloud.google.com/go/bigquery v1.48.0/go.mod h1:QAwSz+ipNgfL5jxiaK7weyOhzdoAy1zFm0Nf1fysJac=
+cloud.google.com/go/bigquery v1.49.0/go.mod h1:Sv8hMmTFFYBlt/ftw2uN6dFdQPzBlREY9yBh7Oy7/4Q=
+cloud.google.com/go/bigquery v1.50.0/go.mod h1:YrleYEh2pSEbgTBZYMJ5SuSr0ML3ypjRB1zgf7pvQLU=
+cloud.google.com/go/bigquery v1.52.0/go.mod h1:3b/iXjRQGU4nKa87cXeg6/gogLjO8C6PmuM8i5Bi/u4=
+cloud.google.com/go/bigquery v1.53.0/go.mod h1:3b/iXjRQGU4nKa87cXeg6/gogLjO8C6PmuM8i5Bi/u4=
+cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY=
+cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s=
+cloud.google.com/go/billing v1.6.0/go.mod h1:WoXzguj+BeHXPbKfNWkqVtDdzORazmCjraY+vrxcyvI=
+cloud.google.com/go/billing v1.7.0/go.mod h1:q457N3Hbj9lYwwRbnlD7vUpyjq6u5U1RAOArInEiD5Y=
+cloud.google.com/go/billing v1.12.0/go.mod h1:yKrZio/eu+okO/2McZEbch17O5CB5NpZhhXG6Z766ss=
+cloud.google.com/go/billing v1.13.0/go.mod h1:7kB2W9Xf98hP9Sr12KfECgfGclsH3CQR0R08tnRlRbc=
+cloud.google.com/go/billing v1.16.0/go.mod h1:y8vx09JSSJG02k5QxbycNRrN7FGZB6F3CAcgum7jvGA=
+cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM=
+cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI=
+cloud.google.com/go/binaryauthorization v1.3.0/go.mod h1:lRZbKgjDIIQvzYQS1p99A7/U1JqvqeZg0wiI5tp6tg0=
+cloud.google.com/go/binaryauthorization v1.4.0/go.mod h1:tsSPQrBd77VLplV70GUhBf/Zm3FsKmgSqgm4UmiDItk=
+cloud.google.com/go/binaryauthorization v1.5.0/go.mod h1:OSe4OU1nN/VswXKRBmciKpo9LulY41gch5c68htf3/Q=
+cloud.google.com/go/binaryauthorization v1.6.1/go.mod h1:TKt4pa8xhowwffiBmbrbcxijJRZED4zrqnwZ1lKH51U=
+cloud.google.com/go/certificatemanager v1.3.0/go.mod h1:n6twGDvcUBFu9uBgt4eYvvf3sQ6My8jADcOVwHmzadg=
+cloud.google.com/go/certificatemanager v1.4.0/go.mod h1:vowpercVFyqs8ABSmrdV+GiFf2H/ch3KyudYQEMM590=
+cloud.google.com/go/certificatemanager v1.6.0/go.mod h1:3Hh64rCKjRAX8dXgRAyOcY5vQ/fE1sh8o+Mdd6KPgY8=
+cloud.google.com/go/certificatemanager v1.7.1/go.mod h1:iW8J3nG6SaRYImIa+wXQ0g8IgoofDFRp5UMzaNk1UqI=
+cloud.google.com/go/channel v1.8.0/go.mod h1:W5SwCXDJsq/rg3tn3oG0LOxpAo6IMxNa09ngphpSlnk=
+cloud.google.com/go/channel v1.9.0/go.mod h1:jcu05W0my9Vx4mt3/rEHpfxc9eKi9XwsdDL8yBMbKUk=
+cloud.google.com/go/channel v1.11.0/go.mod h1:IdtI0uWGqhEeatSB62VOoJ8FSUhJ9/+iGkJVqp74CGE=
+cloud.google.com/go/channel v1.12.0/go.mod h1:VkxCGKASi4Cq7TbXxlaBezonAYpp1GCnKMY6tnMQnLU=
+cloud.google.com/go/channel v1.16.0/go.mod h1:eN/q1PFSl5gyu0dYdmxNXscY/4Fi7ABmeHCJNf/oHmc=
+cloud.google.com/go/cloudbuild v1.3.0/go.mod h1:WequR4ULxlqvMsjDEEEFnOG5ZSRSgWOywXYDb1vPE6U=
+cloud.google.com/go/cloudbuild v1.4.0/go.mod h1:5Qwa40LHiOXmz3386FrjrYM93rM/hdRr7b53sySrTqA=
+cloud.google.com/go/cloudbuild v1.6.0/go.mod h1:UIbc/w9QCbH12xX+ezUsgblrWv+Cv4Tw83GiSMHOn9M=
+cloud.google.com/go/cloudbuild v1.7.0/go.mod h1:zb5tWh2XI6lR9zQmsm1VRA+7OCuve5d8S+zJUul8KTg=
+cloud.google.com/go/cloudbuild v1.9.0/go.mod h1:qK1d7s4QlO0VwfYn5YuClDGg2hfmLZEb4wQGAbIgL1s=
+cloud.google.com/go/cloudbuild v1.10.1/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU=
+cloud.google.com/go/cloudbuild v1.13.0/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU=
+cloud.google.com/go/clouddms v1.3.0/go.mod h1:oK6XsCDdW4Ib3jCCBugx+gVjevp2TMXFtgxvPSee3OM=
+cloud.google.com/go/clouddms v1.4.0/go.mod h1:Eh7sUGCC+aKry14O1NRljhjyrr0NFC0G2cjwX0cByRk=
+cloud.google.com/go/clouddms v1.5.0/go.mod h1:QSxQnhikCLUw13iAbffF2CZxAER3xDGNHjsTAkQJcQA=
+cloud.google.com/go/clouddms v1.6.1/go.mod h1:Ygo1vL52Ov4TBZQquhz5fiw2CQ58gvu+PlS6PVXCpZI=
+cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY=
+cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI=
+cloud.google.com/go/cloudtasks v1.7.0/go.mod h1:ImsfdYWwlWNJbdgPIIGJWC+gemEGTBK/SunNQQNCAb4=
+cloud.google.com/go/cloudtasks v1.8.0/go.mod h1:gQXUIwCSOI4yPVK7DgTVFiiP0ZW/eQkydWzwVMdHxrI=
+cloud.google.com/go/cloudtasks v1.9.0/go.mod h1:w+EyLsVkLWHcOaqNEyvcKAsWp9p29dL6uL9Nst1cI7Y=
+cloud.google.com/go/cloudtasks v1.10.0/go.mod h1:NDSoTLkZ3+vExFEWu2UJV1arUyzVDAiZtdWcsUyNwBs=
+cloud.google.com/go/cloudtasks v1.11.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM=
+cloud.google.com/go/cloudtasks v1.12.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM=
 cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow=
 cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM=
 cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M=
 cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s=
 cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
+cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
+cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU=
+cloud.google.com/go/compute v1.12.0/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU=
+cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU=
+cloud.google.com/go/compute v1.13.0/go.mod h1:5aPTS0cUNMIc1CE546K+Th6weJUNQErARyZtRXDJ8GE=
+cloud.google.com/go/compute v1.14.0/go.mod h1:YfLtxrj9sU4Yxv+sXzZkyPjEyPBZfXHUvjxega5vAdo=
+cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs=
+cloud.google.com/go/compute v1.19.0/go.mod h1:rikpw2y+UMidAe9tISo04EHNOIf42RLYF/q8Bs93scU=
+cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI=
+cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
+cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
+cloud.google.com/go/compute/metadata v0.1.0/go.mod h1:Z1VN+bulIf6bt4P/C37K4DyZYZEXYonfTBHHFPO/4UU=
+cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM=
+cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k=
+cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
 cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
 cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
+cloud.google.com/go/contactcenterinsights v1.3.0/go.mod h1:Eu2oemoePuEFc/xKFPjbTuPSj0fYJcPls9TFlPNnHHY=
+cloud.google.com/go/contactcenterinsights v1.4.0/go.mod h1:L2YzkGbPsv+vMQMCADxJoT9YiTTnSEd6fEvCeHTYVck=
+cloud.google.com/go/contactcenterinsights v1.6.0/go.mod h1:IIDlT6CLcDoyv79kDv8iWxMSTZhLxSCofVV5W6YFM/w=
+cloud.google.com/go/contactcenterinsights v1.9.1/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM=
+cloud.google.com/go/contactcenterinsights v1.10.0/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM=
+cloud.google.com/go/container v1.6.0/go.mod h1:Xazp7GjJSeUYo688S+6J5V+n/t+G5sKBTFkKNudGRxg=
+cloud.google.com/go/container v1.7.0/go.mod h1:Dp5AHtmothHGX3DwwIHPgq45Y8KmNsgN3amoYfxVkLo=
+cloud.google.com/go/container v1.13.1/go.mod h1:6wgbMPeQRw9rSnKBCAJXnds3Pzj03C4JHamr8asWKy4=
+cloud.google.com/go/container v1.14.0/go.mod h1:3AoJMPhHfLDxLvrlVWaK57IXzaPnLaZq63WX59aQBfM=
+cloud.google.com/go/container v1.15.0/go.mod h1:ft+9S0WGjAyjDggg5S06DXj+fHJICWg8L7isCQe9pQA=
+cloud.google.com/go/container v1.22.1/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4=
+cloud.google.com/go/container v1.24.0/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4=
+cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I=
+cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4=
+cloud.google.com/go/containeranalysis v0.7.0/go.mod h1:9aUL+/vZ55P2CXfuZjS4UjQ9AgXoSw8Ts6lemfmxBxI=
+cloud.google.com/go/containeranalysis v0.9.0/go.mod h1:orbOANbwk5Ejoom+s+DUCTTJ7IBdBQJDcSylAx/on9s=
+cloud.google.com/go/containeranalysis v0.10.1/go.mod h1:Ya2jiILITMY68ZLPaogjmOMNkwsDrWBSTyBubGXO7j0=
+cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0=
+cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs=
+cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc=
+cloud.google.com/go/datacatalog v1.7.0/go.mod h1:9mEl4AuDYWw81UGc41HonIHH7/sn52H0/tc8f8ZbZIE=
+cloud.google.com/go/datacatalog v1.8.0/go.mod h1:KYuoVOv9BM8EYz/4eMFxrr4DUKhGIOXxZoKYF5wdISM=
+cloud.google.com/go/datacatalog v1.8.1/go.mod h1:RJ58z4rMp3gvETA465Vg+ag8BGgBdnRPEMMSTr5Uv+M=
+cloud.google.com/go/datacatalog v1.12.0/go.mod h1:CWae8rFkfp6LzLumKOnmVh4+Zle4A3NXLzVJ1d1mRm0=
+cloud.google.com/go/datacatalog v1.13.0/go.mod h1:E4Rj9a5ZtAxcQJlEBTLgMTphfP11/lNaAshpoBgemX8=
+cloud.google.com/go/datacatalog v1.14.0/go.mod h1:h0PrGtlihoutNMp/uvwhawLQ9+c63Kz65UFqh49Yo+E=
+cloud.google.com/go/datacatalog v1.14.1/go.mod h1:d2CevwTG4yedZilwe+v3E3ZBDRMobQfSG/a6cCCN5R4=
+cloud.google.com/go/datacatalog v1.16.0/go.mod h1:d2CevwTG4yedZilwe+v3E3ZBDRMobQfSG/a6cCCN5R4=
+cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM=
+cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ=
+cloud.google.com/go/dataflow v0.8.0/go.mod h1:Rcf5YgTKPtQyYz8bLYhFoIV/vP39eL7fWNcSOyFfLJE=
+cloud.google.com/go/dataflow v0.9.1/go.mod h1:Wp7s32QjYuQDWqJPFFlnBKhkAtiFpMTdg00qGbnIHVw=
+cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo=
+cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE=
+cloud.google.com/go/dataform v0.5.0/go.mod h1:GFUYRe8IBa2hcomWplodVmUx/iTL0FrsauObOM3Ipr0=
+cloud.google.com/go/dataform v0.6.0/go.mod h1:QPflImQy33e29VuapFdf19oPbE4aYTJxr31OAPV+ulA=
+cloud.google.com/go/dataform v0.7.0/go.mod h1:7NulqnVozfHvWUBpMDfKMUESr+85aJsC/2O0o3jWPDE=
+cloud.google.com/go/dataform v0.8.1/go.mod h1:3BhPSiw8xmppbgzeBbmDvmSWlwouuJkXsXsb8UBih9M=
+cloud.google.com/go/datafusion v1.4.0/go.mod h1:1Zb6VN+W6ALo85cXnM1IKiPw+yQMKMhB9TsTSRDo/38=
+cloud.google.com/go/datafusion v1.5.0/go.mod h1:Kz+l1FGHB0J+4XF2fud96WMmRiq/wj8N9u007vyXZ2w=
+cloud.google.com/go/datafusion v1.6.0/go.mod h1:WBsMF8F1RhSXvVM8rCV3AeyWVxcC2xY6vith3iw3S+8=
+cloud.google.com/go/datafusion v1.7.1/go.mod h1:KpoTBbFmoToDExJUso/fcCiguGDk7MEzOWXUsJo0wsI=
+cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I=
+cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ=
+cloud.google.com/go/datalabeling v0.7.0/go.mod h1:WPQb1y08RJbmpM3ww0CSUAGweL0SxByuW2E+FU+wXcM=
+cloud.google.com/go/datalabeling v0.8.1/go.mod h1:XS62LBSVPbYR54GfYQsPXZjTW8UxCK2fkDciSrpRFdY=
+cloud.google.com/go/dataplex v1.3.0/go.mod h1:hQuRtDg+fCiFgC8j0zV222HvzFQdRd+SVX8gdmFcZzA=
+cloud.google.com/go/dataplex v1.4.0/go.mod h1:X51GfLXEMVJ6UN47ESVqvlsRplbLhcsAt0kZCCKsU0A=
+cloud.google.com/go/dataplex v1.5.2/go.mod h1:cVMgQHsmfRoI5KFYq4JtIBEUbYwc3c7tXmIDhRmNNVQ=
+cloud.google.com/go/dataplex v1.6.0/go.mod h1:bMsomC/aEJOSpHXdFKFGQ1b0TDPIeL28nJObeO1ppRs=
+cloud.google.com/go/dataplex v1.8.1/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE=
+cloud.google.com/go/dataplex v1.9.0/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE=
+cloud.google.com/go/dataproc v1.7.0/go.mod h1:CKAlMjII9H90RXaMpSxQ8EU6dQx6iAYNPcYPOkSbi8s=
+cloud.google.com/go/dataproc v1.8.0/go.mod h1:5OW+zNAH0pMpw14JVrPONsxMQYMBqJuzORhIBfBn9uI=
+cloud.google.com/go/dataproc v1.12.0/go.mod h1:zrF3aX0uV3ikkMz6z4uBbIKyhRITnxvr4i3IjKsKrw4=
+cloud.google.com/go/dataproc/v2 v2.0.1/go.mod h1:7Ez3KRHdFGcfY7GcevBbvozX+zyWGcwLJvvAMwCaoZ4=
+cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo=
+cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA=
+cloud.google.com/go/dataqna v0.7.0/go.mod h1:Lx9OcIIeqCrw1a6KdO3/5KMP1wAmTc0slZWwP12Qq3c=
+cloud.google.com/go/dataqna v0.8.1/go.mod h1:zxZM0Bl6liMePWsHA8RMGAfmTG34vJMapbHAxQ5+WA8=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
+cloud.google.com/go/datastore v1.10.0/go.mod h1:PC5UzAmDEkAmkfaknstTYbNpgE49HAgW2J1gcgUfmdM=
+cloud.google.com/go/datastore v1.11.0/go.mod h1:TvGxBIHCS50u8jzG+AW/ppf87v1of8nwzFNgEZU1D3c=
+cloud.google.com/go/datastore v1.12.0/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70=
+cloud.google.com/go/datastore v1.12.1/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70=
+cloud.google.com/go/datastore v1.13.0/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70=
+cloud.google.com/go/datastream v1.2.0/go.mod h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo=
+cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ=
+cloud.google.com/go/datastream v1.4.0/go.mod h1:h9dpzScPhDTs5noEMQVWP8Wx8AFBRyS0s8KWPx/9r0g=
+cloud.google.com/go/datastream v1.5.0/go.mod h1:6TZMMNPwjUqZHBKPQ1wwXpb0d5VDVPl2/XoS5yi88q4=
+cloud.google.com/go/datastream v1.6.0/go.mod h1:6LQSuswqLa7S4rPAOZFVjHIG3wJIjZcZrw8JDEDJuIs=
+cloud.google.com/go/datastream v1.7.0/go.mod h1:uxVRMm2elUSPuh65IbZpzJNMbuzkcvu5CjMqVIUHrww=
+cloud.google.com/go/datastream v1.9.1/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q=
+cloud.google.com/go/datastream v1.10.0/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q=
+cloud.google.com/go/deploy v1.4.0/go.mod h1:5Xghikd4VrmMLNaF6FiRFDlHb59VM59YoDQnOUdsH/c=
+cloud.google.com/go/deploy v1.5.0/go.mod h1:ffgdD0B89tToyW/U/D2eL0jN2+IEV/3EMuXHA0l4r+s=
+cloud.google.com/go/deploy v1.6.0/go.mod h1:f9PTHehG/DjCom3QH0cntOVRm93uGBDt2vKzAPwpXQI=
+cloud.google.com/go/deploy v1.8.0/go.mod h1:z3myEJnA/2wnB4sgjqdMfgxCA0EqC3RBTNcVPs93mtQ=
+cloud.google.com/go/deploy v1.11.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g=
+cloud.google.com/go/deploy v1.13.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g=
+cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4=
+cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0=
+cloud.google.com/go/dialogflow v1.17.0/go.mod h1:YNP09C/kXA1aZdBgC/VtXX74G/TKn7XVCcVumTflA+8=
+cloud.google.com/go/dialogflow v1.18.0/go.mod h1:trO7Zu5YdyEuR+BhSNOqJezyFQ3aUzz0njv7sMx/iek=
+cloud.google.com/go/dialogflow v1.19.0/go.mod h1:JVmlG1TwykZDtxtTXujec4tQ+D8SBFMoosgy+6Gn0s0=
+cloud.google.com/go/dialogflow v1.29.0/go.mod h1:b+2bzMe+k1s9V+F2jbJwpHPzrnIyHihAdRFMtn2WXuM=
+cloud.google.com/go/dialogflow v1.31.0/go.mod h1:cuoUccuL1Z+HADhyIA7dci3N5zUssgpBJmCzI6fNRB4=
+cloud.google.com/go/dialogflow v1.32.0/go.mod h1:jG9TRJl8CKrDhMEcvfcfFkkpp8ZhgPz3sBGmAUYJ2qE=
+cloud.google.com/go/dialogflow v1.38.0/go.mod h1:L7jnH+JL2mtmdChzAIcXQHXMvQkE3U4hTaNltEuxXn4=
+cloud.google.com/go/dialogflow v1.40.0/go.mod h1:L7jnH+JL2mtmdChzAIcXQHXMvQkE3U4hTaNltEuxXn4=
+cloud.google.com/go/dlp v1.6.0/go.mod h1:9eyB2xIhpU0sVwUixfBubDoRwP+GjeUoxxeueZmqvmM=
+cloud.google.com/go/dlp v1.7.0/go.mod h1:68ak9vCiMBjbasxeVD17hVPxDEck+ExiHavX8kiHG+Q=
+cloud.google.com/go/dlp v1.9.0/go.mod h1:qdgmqgTyReTz5/YNSSuueR8pl7hO0o9bQ39ZhtgkWp4=
+cloud.google.com/go/dlp v1.10.1/go.mod h1:IM8BWz1iJd8njcNcG0+Kyd9OPnqnRNkDV8j42VT5KOI=
+cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU=
+cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU=
+cloud.google.com/go/documentai v1.9.0/go.mod h1:FS5485S8R00U10GhgBC0aNGrJxBP8ZVpEeJ7PQDZd6k=
+cloud.google.com/go/documentai v1.10.0/go.mod h1:vod47hKQIPeCfN2QS/jULIvQTugbmdc0ZvxxfQY1bg4=
+cloud.google.com/go/documentai v1.16.0/go.mod h1:o0o0DLTEZ+YnJZ+J4wNfTxmDVyrkzFvttBXXtYRMHkM=
+cloud.google.com/go/documentai v1.18.0/go.mod h1:F6CK6iUH8J81FehpskRmhLq/3VlwQvb7TvwOceQ2tbs=
+cloud.google.com/go/documentai v1.20.0/go.mod h1:yJkInoMcK0qNAEdRnqY/D5asy73tnPe88I1YTZT+a8E=
+cloud.google.com/go/documentai v1.22.0/go.mod h1:yJkInoMcK0qNAEdRnqY/D5asy73tnPe88I1YTZT+a8E=
+cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y=
+cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg=
+cloud.google.com/go/domains v0.8.0/go.mod h1:M9i3MMDzGFXsydri9/vW+EWz9sWb4I6WyHqdlAk0idE=
+cloud.google.com/go/domains v0.9.1/go.mod h1:aOp1c0MbejQQ2Pjf1iJvnVyT+z6R6s8pX66KaCSDYfE=
+cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk=
+cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w=
+cloud.google.com/go/edgecontainer v0.3.0/go.mod h1:FLDpP4nykgwwIfcLt6zInhprzw0lEi2P1fjO6Ie0qbc=
+cloud.google.com/go/edgecontainer v1.0.0/go.mod h1:cttArqZpBB2q58W/upSG++ooo6EsblxDIolxa3jSjbY=
+cloud.google.com/go/edgecontainer v1.1.1/go.mod h1:O5bYcS//7MELQZs3+7mabRqoWQhXCzenBu0R8bz2rwk=
+cloud.google.com/go/errorreporting v0.3.0/go.mod h1:xsP2yaAp+OAW4OIm60An2bbLpqIhKXdWR/tawvl7QzU=
+cloud.google.com/go/essentialcontacts v1.3.0/go.mod h1:r+OnHa5jfj90qIfZDO/VztSFqbQan7HV75p8sA+mdGI=
+cloud.google.com/go/essentialcontacts v1.4.0/go.mod h1:8tRldvHYsmnBCHdFpvU+GL75oWiBKl80BiqlFh9tp+8=
+cloud.google.com/go/essentialcontacts v1.5.0/go.mod h1:ay29Z4zODTuwliK7SnX8E86aUF2CTzdNtvv42niCX0M=
+cloud.google.com/go/essentialcontacts v1.6.2/go.mod h1:T2tB6tX+TRak7i88Fb2N9Ok3PvY3UNbUsMag9/BARh4=
+cloud.google.com/go/eventarc v1.7.0/go.mod h1:6ctpF3zTnaQCxUjHUdcfgcA1A2T309+omHZth7gDfmc=
+cloud.google.com/go/eventarc v1.8.0/go.mod h1:imbzxkyAU4ubfsaKYdQg04WS1NvncblHEup4kvF+4gw=
+cloud.google.com/go/eventarc v1.10.0/go.mod h1:u3R35tmZ9HvswGRBnF48IlYgYeBcPUCjkr4BTdem2Kw=
+cloud.google.com/go/eventarc v1.11.0/go.mod h1:PyUjsUKPWoRBCHeOxZd/lbOOjahV41icXyUY5kSTvVY=
+cloud.google.com/go/eventarc v1.12.1/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI=
+cloud.google.com/go/eventarc v1.13.0/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI=
+cloud.google.com/go/filestore v1.3.0/go.mod h1:+qbvHGvXU1HaKX2nD0WEPo92TP/8AQuCVEBXNY9z0+w=
+cloud.google.com/go/filestore v1.4.0/go.mod h1:PaG5oDfo9r224f8OYXURtAsY+Fbyq/bLYoINEK8XQAI=
+cloud.google.com/go/filestore v1.5.0/go.mod h1:FqBXDWBp4YLHqRnVGveOkHDf8svj9r5+mUDLupOWEDs=
+cloud.google.com/go/filestore v1.6.0/go.mod h1:di5unNuss/qfZTw2U9nhFqo8/ZDSc466dre85Kydllg=
+cloud.google.com/go/filestore v1.7.1/go.mod h1:y10jsorq40JJnjR/lQ8AfFbbcGlw3g+Dp8oN7i7FjV4=
 cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY=
+cloud.google.com/go/firestore v1.9.0/go.mod h1:HMkjKHNTtRyZNiMzu7YAsLr9K3X2udY2AMwDaMEQiiE=
+cloud.google.com/go/firestore v1.11.0/go.mod h1:b38dKhgzlmNNGTNZZwe7ZRFEuRab1Hay3/DBsIGKKy4=
+cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk=
+cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg=
+cloud.google.com/go/functions v1.8.0/go.mod h1:RTZ4/HsQjIqIYP9a9YPbU+QFoQsAlYgrwOXJWHn1POY=
+cloud.google.com/go/functions v1.9.0/go.mod h1:Y+Dz8yGguzO3PpIjhLTbnqV1CWmgQ5UwtlpzoyquQ08=
+cloud.google.com/go/functions v1.10.0/go.mod h1:0D3hEOe3DbEvCXtYOZHQZmD+SzYsi1YbI7dGvHfldXw=
+cloud.google.com/go/functions v1.12.0/go.mod h1:AXWGrF3e2C/5ehvwYo/GH6O5s09tOPksiKhz+hH8WkA=
+cloud.google.com/go/functions v1.13.0/go.mod h1:EU4O007sQm6Ef/PwRsI8N2umygGqPBS/IZQKBQBcJ3c=
+cloud.google.com/go/functions v1.15.1/go.mod h1:P5yNWUTkyU+LvW/S9O6V+V423VZooALQlqoXdoPz5AE=
+cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM=
+cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA=
+cloud.google.com/go/gaming v1.7.0/go.mod h1:LrB8U7MHdGgFG851iHAfqUdLcKBdQ55hzXy9xBJz0+w=
+cloud.google.com/go/gaming v1.8.0/go.mod h1:xAqjS8b7jAVW0KFYeRUxngo9My3f33kFmua++Pi+ggM=
+cloud.google.com/go/gaming v1.9.0/go.mod h1:Fc7kEmCObylSWLO334NcO+O9QMDyz+TKC4v1D7X+Bc0=
+cloud.google.com/go/gaming v1.10.1/go.mod h1:XQQvtfP8Rb9Rxnxm5wFVpAp9zCQkJi2bLIb7iHGwB3s=
+cloud.google.com/go/gkebackup v0.2.0/go.mod h1:XKvv/4LfG829/B8B7xRkk8zRrOEbKtEam6yNfuQNH60=
+cloud.google.com/go/gkebackup v0.3.0/go.mod h1:n/E671i1aOQvUxT541aTkCwExO/bTer2HDlj4TsBRAo=
+cloud.google.com/go/gkebackup v0.4.0/go.mod h1:byAyBGUwYGEEww7xsbnUTBHIYcOPy/PgUWUtOeRm9Vg=
+cloud.google.com/go/gkebackup v1.3.0/go.mod h1:vUDOu++N0U5qs4IhG1pcOnD1Mac79xWy6GoBFlWCWBU=
+cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o=
+cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A=
+cloud.google.com/go/gkeconnect v0.7.0/go.mod h1:SNfmVqPkaEi3bF/B3CNZOAYPYdg7sU+obZ+QTky2Myw=
+cloud.google.com/go/gkeconnect v0.8.1/go.mod h1:KWiK1g9sDLZqhxB2xEuPV8V9NYzrqTUmQR9shJHpOZw=
+cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0=
+cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0=
+cloud.google.com/go/gkehub v0.11.0/go.mod h1:JOWHlmN+GHyIbuWQPl47/C2RFhnFKH38jH9Ascu3n0E=
+cloud.google.com/go/gkehub v0.12.0/go.mod h1:djiIwwzTTBrF5NaXCGv3mf7klpEMcST17VBTVVDcuaw=
+cloud.google.com/go/gkehub v0.14.1/go.mod h1:VEXKIJZ2avzrbd7u+zeMtW00Y8ddk/4V9511C9CQGTY=
+cloud.google.com/go/gkemulticloud v0.3.0/go.mod h1:7orzy7O0S+5kq95e4Hpn7RysVA7dPs8W/GgfUtsPbrA=
+cloud.google.com/go/gkemulticloud v0.4.0/go.mod h1:E9gxVBnseLWCk24ch+P9+B2CoDFJZTyIgLKSalC7tuI=
+cloud.google.com/go/gkemulticloud v0.5.0/go.mod h1:W0JDkiyi3Tqh0TJr//y19wyb1yf8llHVto2Htf2Ja3Y=
+cloud.google.com/go/gkemulticloud v0.6.1/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw=
+cloud.google.com/go/gkemulticloud v1.0.0/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw=
+cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc=
+cloud.google.com/go/grafeas v0.3.0/go.mod h1:P7hgN24EyONOTMyeJH6DxG4zD7fwiYa5Q6GUgyFSOU8=
+cloud.google.com/go/gsuiteaddons v1.3.0/go.mod h1:EUNK/J1lZEZO8yPtykKxLXI6JSVN2rg9bN8SXOa0bgM=
+cloud.google.com/go/gsuiteaddons v1.4.0/go.mod h1:rZK5I8hht7u7HxFQcFei0+AtfS9uSushomRlg+3ua1o=
+cloud.google.com/go/gsuiteaddons v1.5.0/go.mod h1:TFCClYLd64Eaa12sFVmUyG62tk4mdIsI7pAnSXRkcFo=
+cloud.google.com/go/gsuiteaddons v1.6.1/go.mod h1:CodrdOqRZcLp5WOwejHWYBjZvfY0kOphkAKpF/3qdZY=
+cloud.google.com/go/iam v0.1.0/go.mod h1:vcUNEa0pEm0qRVpmWepWaFMIAI8/hjB9mO8rNCJtF6c=
+cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
+cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc=
+cloud.google.com/go/iam v0.6.0/go.mod h1:+1AH33ueBne5MzYccyMHtEKqLE4/kJOibtffMHDMFMc=
+cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg=
+cloud.google.com/go/iam v0.8.0/go.mod h1:lga0/y3iH6CX7sYqypWJ33hf7kkfXJag67naqGESjkE=
+cloud.google.com/go/iam v0.11.0/go.mod h1:9PiLDanza5D+oWFZiH1uG+RnRCfEGKoyl6yo4cgWZGY=
+cloud.google.com/go/iam v0.12.0/go.mod h1:knyHGviacl11zrtZUoDuYpDgLjvr28sLQaG0YB2GYAY=
+cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
+cloud.google.com/go/iam v1.0.1/go.mod h1:yR3tmSL8BcZB4bxByRv2jkSIahVmCtfKZwLYGBalRE8=
+cloud.google.com/go/iam v1.1.0/go.mod h1:nxdHjaKfCr7fNYx/HJMM8LgiMugmveWlkatear5gVyk=
+cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU=
 cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8=
 cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE=
+cloud.google.com/go/iap v1.4.0/go.mod h1:RGFwRJdihTINIe4wZ2iCP0zF/qu18ZwyKxrhMhygBEc=
+cloud.google.com/go/iap v1.5.0/go.mod h1:UH/CGgKd4KyohZL5Pt0jSKE4m3FR51qg6FKQ/z/Ix9A=
+cloud.google.com/go/iap v1.6.0/go.mod h1:NSuvI9C/j7UdjGjIde7t7HBz+QTwBcapPE07+sSRcLk=
+cloud.google.com/go/iap v1.7.0/go.mod h1:beqQx56T9O1G1yNPph+spKpNibDlYIiIixiqsQXxLIo=
+cloud.google.com/go/iap v1.7.1/go.mod h1:WapEwPc7ZxGt2jFGB/C/bm+hP0Y6NXzOYGjpPnmMS74=
+cloud.google.com/go/iap v1.8.1/go.mod h1:sJCbeqg3mvWLqjZNsI6dfAtbbV1DL2Rl7e1mTyXYREQ=
+cloud.google.com/go/ids v1.1.0/go.mod h1:WIuwCaYVOzHIj2OhN9HAwvW+DBdmUAdcWlFxRl+KubM=
+cloud.google.com/go/ids v1.2.0/go.mod h1:5WXvp4n25S0rA/mQWAg1YEEBBq6/s+7ml1RDCW1IrcY=
+cloud.google.com/go/ids v1.3.0/go.mod h1:JBdTYwANikFKaDP6LtW5JAi4gubs57SVNQjemdt6xV4=
+cloud.google.com/go/ids v1.4.1/go.mod h1:np41ed8YMU8zOgv53MMMoCntLTn2lF+SUzlM+O3u/jw=
+cloud.google.com/go/iot v1.3.0/go.mod h1:r7RGh2B61+B8oz0AGE+J72AhA0G7tdXItODWsaA2oLs=
+cloud.google.com/go/iot v1.4.0/go.mod h1:dIDxPOn0UvNDUMD8Ger7FIaTuvMkj+aGk94RPP0iV+g=
+cloud.google.com/go/iot v1.5.0/go.mod h1:mpz5259PDl3XJthEmh9+ap0affn/MqNSP4My77Qql9o=
+cloud.google.com/go/iot v1.6.0/go.mod h1:IqdAsmE2cTYYNO1Fvjfzo9po179rAtJeVGUvkLN3rLE=
+cloud.google.com/go/iot v1.7.1/go.mod h1:46Mgw7ev1k9KqK1ao0ayW9h0lI+3hxeanz+L1zmbbbk=
+cloud.google.com/go/kms v1.4.0/go.mod h1:fajBHndQ+6ubNw6Ss2sSd+SWvjL26RNo/dr7uxsnnOA=
+cloud.google.com/go/kms v1.5.0/go.mod h1:QJS2YY0eJGBg3mnDfuaCyLauWwBJiHRboYxJ++1xJNg=
+cloud.google.com/go/kms v1.6.0/go.mod h1:Jjy850yySiasBUDi6KFUwUv2n1+o7QZFyuUJg6OgjA0=
+cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4jMAg=
+cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w=
+cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24=
+cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI=
+cloud.google.com/go/kms v1.11.0/go.mod h1:hwdiYC0xjnWsKQQCQQmIQnS9asjYVSK6jtXm+zFqXLM=
+cloud.google.com/go/kms v1.12.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
+cloud.google.com/go/kms v1.15.0/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM=
+cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic=
+cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI=
+cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE=
+cloud.google.com/go/language v1.8.0/go.mod h1:qYPVHf7SPoNNiCL2Dr0FfEFNil1qi3pQEyygwpgVKB8=
+cloud.google.com/go/language v1.9.0/go.mod h1:Ns15WooPM5Ad/5no/0n81yUetis74g3zrbeJBE+ptUY=
+cloud.google.com/go/language v1.10.1/go.mod h1:CPp94nsdVNiQEt1CNjF5WkTcisLiHPyIbMhvR8H2AW0=
+cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8=
+cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08=
+cloud.google.com/go/lifesciences v0.8.0/go.mod h1:lFxiEOMqII6XggGbOnKiyZ7IBwoIqA84ClvoezaA/bo=
+cloud.google.com/go/lifesciences v0.9.1/go.mod h1:hACAOd1fFbCGLr/+weUKRAJas82Y4vrL3O5326N//Wc=
+cloud.google.com/go/logging v1.6.1/go.mod h1:5ZO0mHHbvm8gEmeEUHrmDlTDSu5imF6MUP9OfilNXBw=
+cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M=
 cloud.google.com/go/logging v1.13.0 h1:7j0HgAp0B94o1YRDqiqm26w4q1rDMH7XNRU34lJXHYc=
 cloud.google.com/go/logging v1.13.0/go.mod h1:36CoKh6KA/M0PbhPKMq6/qety2DCAErbhXT62TuXALA=
+cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE=
+cloud.google.com/go/longrunning v0.3.0/go.mod h1:qth9Y41RRSUE69rDcOn6DdK3HfQfsUI0YSmW3iIlLJc=
+cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo=
+cloud.google.com/go/longrunning v0.4.2/go.mod h1:OHrnaYyLUV6oqwh0xiS7e5sLQhP1m0QU9R+WhGDMgIQ=
+cloud.google.com/go/longrunning v0.5.0/go.mod h1:0JNuqRShmscVAhIACGtskSAWtqtOoPkwP0YF1oVEchc=
+cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc=
 cloud.google.com/go/longrunning v0.6.7 h1:IGtfDWHhQCgCjwQjV9iiLnUta9LBCo8R9QmAFsS/PrE=
 cloud.google.com/go/longrunning v0.6.7/go.mod h1:EAFV3IZAKmM56TyiE6VAP3VoTzhZzySwI/YI1s/nRsY=
+cloud.google.com/go/managedidentities v1.3.0/go.mod h1:UzlW3cBOiPrzucO5qWkNkh0w33KFtBJU281hacNvsdE=
+cloud.google.com/go/managedidentities v1.4.0/go.mod h1:NWSBYbEMgqmbZsLIyKvxrYbtqOsxY1ZrGM+9RgDqInM=
+cloud.google.com/go/managedidentities v1.5.0/go.mod h1:+dWcZ0JlUmpuxpIDfyP5pP5y0bLdRwOS4Lp7gMni/LA=
+cloud.google.com/go/managedidentities v1.6.1/go.mod h1:h/irGhTN2SkZ64F43tfGPMbHnypMbu4RB3yl8YcuEak=
+cloud.google.com/go/maps v0.1.0/go.mod h1:BQM97WGyfw9FWEmQMpZ5T6cpovXXSd1cGmFma94eubI=
+cloud.google.com/go/maps v0.6.0/go.mod h1:o6DAMMfb+aINHz/p/jbcY+mYeXBoZoxTfdSQ8VAJaCw=
+cloud.google.com/go/maps v0.7.0/go.mod h1:3GnvVl3cqeSvgMcpRlQidXsPYuDGQ8naBis7MVzpXsY=
+cloud.google.com/go/maps v1.3.0/go.mod h1:6mWTUv+WhnOwAgjVsSW2QPPECmW+s3PcRyOa9vgG/5s=
+cloud.google.com/go/maps v1.4.0/go.mod h1:6mWTUv+WhnOwAgjVsSW2QPPECmW+s3PcRyOa9vgG/5s=
+cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4=
+cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w=
+cloud.google.com/go/mediatranslation v0.7.0/go.mod h1:LCnB/gZr90ONOIQLgSXagp8XUW1ODs2UmUMvcgMfI2I=
+cloud.google.com/go/mediatranslation v0.8.1/go.mod h1:L/7hBdEYbYHQJhX2sldtTO5SZZ1C1vkapubj0T2aGig=
+cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE=
+cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM=
+cloud.google.com/go/memcache v1.6.0/go.mod h1:XS5xB0eQZdHtTuTF9Hf8eJkKtR3pVRCcvJwtm68T3rA=
+cloud.google.com/go/memcache v1.7.0/go.mod h1:ywMKfjWhNtkQTxrWxCkCFkoPjLHPW6A7WOTVI8xy3LY=
+cloud.google.com/go/memcache v1.9.0/go.mod h1:8oEyzXCu+zo9RzlEaEjHl4KkgjlNDaXbCQeQWlzNFJM=
+cloud.google.com/go/memcache v1.10.1/go.mod h1:47YRQIarv4I3QS5+hoETgKO40InqzLP6kpNLvyXuyaA=
+cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY=
+cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s=
+cloud.google.com/go/metastore v1.7.0/go.mod h1:s45D0B4IlsINu87/AsWiEVYbLaIMeUSoxlKKDqBGFS8=
+cloud.google.com/go/metastore v1.8.0/go.mod h1:zHiMc4ZUpBiM7twCIFQmJ9JMEkDSyZS9U12uf7wHqSI=
+cloud.google.com/go/metastore v1.10.0/go.mod h1:fPEnH3g4JJAk+gMRnrAnoqyv2lpUCqJPWOodSaf45Eo=
+cloud.google.com/go/metastore v1.11.1/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA=
+cloud.google.com/go/metastore v1.12.0/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA=
+cloud.google.com/go/monitoring v1.7.0/go.mod h1:HpYse6kkGo//7p6sT0wsIC6IBDET0RhIsnmlA53dvEk=
+cloud.google.com/go/monitoring v1.8.0/go.mod h1:E7PtoMJ1kQXWxPjB6mv2fhC5/15jInuulFdYYtlcvT4=
+cloud.google.com/go/monitoring v1.12.0/go.mod h1:yx8Jj2fZNEkL/GYZyTLS4ZtZEZN8WtDEiEqG4kLK50w=
+cloud.google.com/go/monitoring v1.13.0/go.mod h1:k2yMBAB1H9JT/QETjNkgdCGD9bPF712XiLTVr+cBrpw=
+cloud.google.com/go/monitoring v1.15.1/go.mod h1:lADlSAlFdbqQuwwpaImhsJXu1QSdd3ojypXrFSMr2rM=
 cloud.google.com/go/monitoring v1.24.2 h1:5OTsoJ1dXYIiMiuL+sYscLc9BumrL3CarVLL7dd7lHM=
 cloud.google.com/go/monitoring v1.24.2/go.mod h1:x7yzPWcgDRnPEv3sI+jJGBkwl5qINf+6qY4eq0I9B4U=
+cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA=
+cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o=
+cloud.google.com/go/networkconnectivity v1.6.0/go.mod h1:OJOoEXW+0LAxHh89nXd64uGG+FbQoeH8DtxCHVOMlaM=
+cloud.google.com/go/networkconnectivity v1.7.0/go.mod h1:RMuSbkdbPwNMQjB5HBWD5MpTBnNm39iAVpC3TmsExt8=
+cloud.google.com/go/networkconnectivity v1.10.0/go.mod h1:UP4O4sWXJG13AqrTdQCD9TnLGEbtNRqjuaaA7bNjF5E=
+cloud.google.com/go/networkconnectivity v1.11.0/go.mod h1:iWmDD4QF16VCDLXUqvyspJjIEtBR/4zq5hwnY2X3scM=
+cloud.google.com/go/networkconnectivity v1.12.1/go.mod h1:PelxSWYM7Sh9/guf8CFhi6vIqf19Ir/sbfZRUwXh92E=
+cloud.google.com/go/networkmanagement v1.4.0/go.mod h1:Q9mdLLRn60AsOrPc8rs8iNV6OHXaGcDdsIQe1ohekq8=
+cloud.google.com/go/networkmanagement v1.5.0/go.mod h1:ZnOeZ/evzUdUsnvRt792H0uYEnHQEMaz+REhhzJRcf4=
+cloud.google.com/go/networkmanagement v1.6.0/go.mod h1:5pKPqyXjB/sgtvB5xqOemumoQNB7y95Q7S+4rjSOPYY=
+cloud.google.com/go/networkmanagement v1.8.0/go.mod h1:Ho/BUGmtyEqrttTgWEe7m+8vDdK74ibQc+Be0q7Fof0=
+cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ=
+cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU=
+cloud.google.com/go/networksecurity v0.7.0/go.mod h1:mAnzoxx/8TBSyXEeESMy9OOYwo1v+gZ5eMRnsT5bC8k=
+cloud.google.com/go/networksecurity v0.8.0/go.mod h1:B78DkqsxFG5zRSVuwYFRZ9Xz8IcQ5iECsNrPn74hKHU=
+cloud.google.com/go/networksecurity v0.9.1/go.mod h1:MCMdxOKQ30wsBI1eI659f9kEp4wuuAueoC9AJKSPWZQ=
+cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY=
+cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34=
+cloud.google.com/go/notebooks v1.4.0/go.mod h1:4QPMngcwmgb6uw7Po99B2xv5ufVoIQ7nOGDyL4P8AgA=
+cloud.google.com/go/notebooks v1.5.0/go.mod h1:q8mwhnP9aR8Hpfnrc5iN5IBhrXUy8S2vuYs+kBJ/gu0=
+cloud.google.com/go/notebooks v1.7.0/go.mod h1:PVlaDGfJgj1fl1S3dUwhFMXFgfYGhYQt2164xOMONmE=
+cloud.google.com/go/notebooks v1.8.0/go.mod h1:Lq6dYKOYOWUCTvw5t2q1gp1lAp0zxAxRycayS0iJcqQ=
+cloud.google.com/go/notebooks v1.9.1/go.mod h1:zqG9/gk05JrzgBt4ghLzEepPHNwE5jgPcHZRKhlC1A8=
+cloud.google.com/go/optimization v1.1.0/go.mod h1:5po+wfvX5AQlPznyVEZjGJTMr4+CAkJf2XSTQOOl9l4=
+cloud.google.com/go/optimization v1.2.0/go.mod h1:Lr7SOHdRDENsh+WXVmQhQTrzdu9ybg0NecjHidBq6xs=
+cloud.google.com/go/optimization v1.3.1/go.mod h1:IvUSefKiwd1a5p0RgHDbWCIbDFgKuEdB+fPPuP0IDLI=
+cloud.google.com/go/optimization v1.4.1/go.mod h1:j64vZQP7h9bO49m2rVaTVoNM0vEBEN5eKPUPbZyXOrk=
+cloud.google.com/go/orchestration v1.3.0/go.mod h1:Sj5tq/JpWiB//X/q3Ngwdl5K7B7Y0KZ7bfv0wL6fqVA=
+cloud.google.com/go/orchestration v1.4.0/go.mod h1:6W5NLFWs2TlniBphAViZEVhrXRSMgUGDfW7vrWKvsBk=
+cloud.google.com/go/orchestration v1.6.0/go.mod h1:M62Bevp7pkxStDfFfTuCOaXgaaqRAga1yKyoMtEoWPQ=
+cloud.google.com/go/orchestration v1.8.1/go.mod h1:4sluRF3wgbYVRqz7zJ1/EUNc90TTprliq9477fGobD8=
+cloud.google.com/go/orgpolicy v1.4.0/go.mod h1:xrSLIV4RePWmP9P3tBl8S93lTmlAxjm06NSm2UTmKvE=
+cloud.google.com/go/orgpolicy v1.5.0/go.mod h1:hZEc5q3wzwXJaKrsx5+Ewg0u1LxJ51nNFlext7Tanwc=
+cloud.google.com/go/orgpolicy v1.10.0/go.mod h1:w1fo8b7rRqlXlIJbVhOMPrwVljyuW5mqssvBtU18ONc=
+cloud.google.com/go/orgpolicy v1.11.0/go.mod h1:2RK748+FtVvnfuynxBzdnyu7sygtoZa1za/0ZfpOs1M=
+cloud.google.com/go/orgpolicy v1.11.1/go.mod h1:8+E3jQcpZJQliP+zaFfayC2Pg5bmhuLK755wKhIIUCE=
+cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs=
+cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg=
+cloud.google.com/go/osconfig v1.9.0/go.mod h1:Yx+IeIZJ3bdWmzbQU4fxNl8xsZ4amB+dygAwFPlvnNo=
+cloud.google.com/go/osconfig v1.10.0/go.mod h1:uMhCzqC5I8zfD9zDEAfvgVhDS8oIjySWh+l4WK6GnWw=
+cloud.google.com/go/osconfig v1.11.0/go.mod h1:aDICxrur2ogRd9zY5ytBLV89KEgT2MKB2L/n6x1ooPw=
+cloud.google.com/go/osconfig v1.12.0/go.mod h1:8f/PaYzoS3JMVfdfTubkowZYGmAhUCjjwnjqWI7NVBc=
+cloud.google.com/go/osconfig v1.12.1/go.mod h1:4CjBxND0gswz2gfYRCUoUzCm9zCABp91EeTtWXyz0tE=
+cloud.google.com/go/oslogin v1.4.0/go.mod h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E=
+cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU=
+cloud.google.com/go/oslogin v1.6.0/go.mod h1:zOJ1O3+dTU8WPlGEkFSh7qeHPPSoxrcMbbK1Nm2iX70=
+cloud.google.com/go/oslogin v1.7.0/go.mod h1:e04SN0xO1UNJ1M5GP0vzVBFicIe4O53FOfcixIqTyXo=
+cloud.google.com/go/oslogin v1.9.0/go.mod h1:HNavntnH8nzrn8JCTT5fj18FuJLFJc4NaZJtBnQtKFs=
+cloud.google.com/go/oslogin v1.10.1/go.mod h1:x692z7yAue5nE7CsSnoG0aaMbNoRJRXO4sn73R+ZqAs=
+cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0=
+cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA=
+cloud.google.com/go/phishingprotection v0.7.0/go.mod h1:8qJI4QKHoda/sb/7/YmMQ2omRLSLYSu9bU0EKCNI+Lk=
+cloud.google.com/go/phishingprotection v0.8.1/go.mod h1:AxonW7GovcA8qdEk13NfHq9hNx5KPtfxXNeUxTDxB6I=
+cloud.google.com/go/policytroubleshooter v1.3.0/go.mod h1:qy0+VwANja+kKrjlQuOzmlvscn4RNsAc0e15GGqfMxg=
+cloud.google.com/go/policytroubleshooter v1.4.0/go.mod h1:DZT4BcRw3QoO8ota9xw/LKtPa8lKeCByYeKTIf/vxdE=
+cloud.google.com/go/policytroubleshooter v1.5.0/go.mod h1:Rz1WfV+1oIpPdN2VvvuboLVRsB1Hclg3CKQ53j9l8vw=
+cloud.google.com/go/policytroubleshooter v1.6.0/go.mod h1:zYqaPTsmfvpjm5ULxAyD/lINQxJ0DDsnWOP/GZ7xzBc=
+cloud.google.com/go/policytroubleshooter v1.7.1/go.mod h1:0NaT5v3Ag1M7U5r0GfDCpUFkWd9YqpubBWsQlhanRv0=
+cloud.google.com/go/policytroubleshooter v1.8.0/go.mod h1:tmn5Ir5EToWe384EuboTcVQT7nTag2+DuH3uHmKd1HU=
+cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0=
+cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI=
+cloud.google.com/go/privatecatalog v0.7.0/go.mod h1:2s5ssIFO69F5csTXcwBP7NPFTZvps26xGzvQ2PQaBYg=
+cloud.google.com/go/privatecatalog v0.8.0/go.mod h1:nQ6pfaegeDAq/Q5lrfCQzQLhubPiZhSaNhIgfJlnIXs=
+cloud.google.com/go/privatecatalog v0.9.1/go.mod h1:0XlDXW2unJXdf9zFz968Hp35gl/bhF4twwpXZAW50JA=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
 cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
+cloud.google.com/go/pubsub v1.26.0/go.mod h1:QgBH3U/jdJy/ftjPhTkyXNj543Tin1pRYcdcPRnFIRI=
+cloud.google.com/go/pubsub v1.27.1/go.mod h1:hQN39ymbV9geqBnfQq6Xf63yNhUAhv9CZhzp5O6qsW0=
+cloud.google.com/go/pubsub v1.28.0/go.mod h1:vuXFpwaVoIPQMGXqRyUQigu/AX1S3IWugR9xznmcXX8=
+cloud.google.com/go/pubsub v1.30.0/go.mod h1:qWi1OPS0B+b5L+Sg6Gmc9zD1Y+HaM0MdUr7LsupY1P4=
+cloud.google.com/go/pubsub v1.32.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc=
+cloud.google.com/go/pubsub v1.33.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc=
+cloud.google.com/go/pubsublite v1.5.0/go.mod h1:xapqNQ1CuLfGi23Yda/9l4bBCKz/wC3KIJ5gKcxveZg=
+cloud.google.com/go/pubsublite v1.6.0/go.mod h1:1eFCS0U11xlOuMFV/0iBqw3zP12kddMeCbj/F3FSj9k=
+cloud.google.com/go/pubsublite v1.7.0/go.mod h1:8hVMwRXfDfvGm3fahVbtDbiLePT3gpoiJYJY+vxWxVM=
+cloud.google.com/go/pubsublite v1.8.1/go.mod h1:fOLdU4f5xldK4RGJrBMm+J7zMWNj/k4PxwEZXy39QS0=
+cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4=
+cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o=
+cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk=
+cloud.google.com/go/recaptchaenterprise/v2 v2.3.0/go.mod h1:O9LwGCjrhGHBQET5CA7dd5NwwNQUErSgEDit1DLNTdo=
+cloud.google.com/go/recaptchaenterprise/v2 v2.4.0/go.mod h1:Am3LHfOuBstrLrNCBrlI5sbwx9LBg3te2N6hGvHn2mE=
+cloud.google.com/go/recaptchaenterprise/v2 v2.5.0/go.mod h1:O8LzcHXN3rz0j+LBC91jrwI3R+1ZSZEWrfL7XHgNo9U=
+cloud.google.com/go/recaptchaenterprise/v2 v2.6.0/go.mod h1:RPauz9jeLtB3JVzg6nCbe12qNoaa8pXc4d/YukAmcnA=
+cloud.google.com/go/recaptchaenterprise/v2 v2.7.0/go.mod h1:19wVj/fs5RtYtynAPJdDTb69oW0vNHYDBTbB4NvMD9c=
+cloud.google.com/go/recaptchaenterprise/v2 v2.7.2/go.mod h1:kR0KjsJS7Jt1YSyWFkseQ756D45kaYNTlDPPaRAvDBU=
+cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg=
+cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4=
+cloud.google.com/go/recommendationengine v0.7.0/go.mod h1:1reUcE3GIu6MeBz/h5xZJqNLuuVjNg1lmWMPyjatzac=
+cloud.google.com/go/recommendationengine v0.8.1/go.mod h1:MrZihWwtFYWDzE6Hz5nKcNz3gLizXVIDI/o3G1DLcrE=
+cloud.google.com/go/recommender v1.5.0/go.mod h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg=
+cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c=
+cloud.google.com/go/recommender v1.7.0/go.mod h1:XLHs/W+T8olwlGOgfQenXBTbIseGclClff6lhFVe9Bs=
+cloud.google.com/go/recommender v1.8.0/go.mod h1:PkjXrTT05BFKwxaUxQmtIlrtj0kph108r02ZZQ5FE70=
+cloud.google.com/go/recommender v1.9.0/go.mod h1:PnSsnZY7q+VL1uax2JWkt/UegHssxjUVVCrX52CuEmQ=
+cloud.google.com/go/recommender v1.10.1/go.mod h1:XFvrE4Suqn5Cq0Lf+mCP6oBHD/yRMA8XxP5sb7Q7gpA=
+cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y=
+cloud.google.com/go/redis v1.8.0/go.mod h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A=
+cloud.google.com/go/redis v1.9.0/go.mod h1:HMYQuajvb2D0LvMgZmLDZW8V5aOC/WxstZHiy4g8OiA=
+cloud.google.com/go/redis v1.10.0/go.mod h1:ThJf3mMBQtW18JzGgh41/Wld6vnDDc/F/F35UolRZPM=
+cloud.google.com/go/redis v1.11.0/go.mod h1:/X6eicana+BWcUda5PpwZC48o37SiFVTFSs0fWAJ7uQ=
+cloud.google.com/go/redis v1.13.1/go.mod h1:VP7DGLpE91M6bcsDdMuyCm2hIpB6Vp2hI090Mfd1tcg=
+cloud.google.com/go/resourcemanager v1.3.0/go.mod h1:bAtrTjZQFJkiWTPDb1WBjzvc6/kifjj4QBYuKCCoqKA=
+cloud.google.com/go/resourcemanager v1.4.0/go.mod h1:MwxuzkumyTX7/a3n37gmsT3py7LIXwrShilPh3P1tR0=
+cloud.google.com/go/resourcemanager v1.5.0/go.mod h1:eQoXNAiAvCf5PXxWxXjhKQoTMaUSNrEfg+6qdf/wots=
+cloud.google.com/go/resourcemanager v1.6.0/go.mod h1:YcpXGRs8fDzcUl1Xw8uOVmI8JEadvhRIkoXXUNVYcVo=
+cloud.google.com/go/resourcemanager v1.7.0/go.mod h1:HlD3m6+bwhzj9XCouqmeiGuni95NTrExfhoSrkC/3EI=
+cloud.google.com/go/resourcemanager v1.9.1/go.mod h1:dVCuosgrh1tINZ/RwBufr8lULmWGOkPS8gL5gqyjdT8=
+cloud.google.com/go/resourcesettings v1.3.0/go.mod h1:lzew8VfESA5DQ8gdlHwMrqZs1S9V87v3oCnKCWoOuQU=
+cloud.google.com/go/resourcesettings v1.4.0/go.mod h1:ldiH9IJpcrlC3VSuCGvjR5of/ezRrOxFtpJoJo5SmXg=
+cloud.google.com/go/resourcesettings v1.5.0/go.mod h1:+xJF7QSG6undsQDfsCJyqWXyBwUoJLhetkRMDRnIoXA=
+cloud.google.com/go/resourcesettings v1.6.1/go.mod h1:M7mk9PIZrC5Fgsu1kZJci6mpgN8o0IUzVx3eJU3y4Jw=
+cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4=
+cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY=
+cloud.google.com/go/retail v1.10.0/go.mod h1:2gDk9HsL4HMS4oZwz6daui2/jmKvqShXKQuB2RZ+cCc=
+cloud.google.com/go/retail v1.11.0/go.mod h1:MBLk1NaWPmh6iVFSz9MeKG/Psyd7TAgm6y/9L2B4x9Y=
+cloud.google.com/go/retail v1.12.0/go.mod h1:UMkelN/0Z8XvKymXFbD4EhFJlYKRx1FGhQkVPU5kF14=
+cloud.google.com/go/retail v1.14.1/go.mod h1:y3Wv3Vr2k54dLNIrCzenyKG8g8dhvhncT2NcNjb/6gE=
+cloud.google.com/go/run v0.2.0/go.mod h1:CNtKsTA1sDcnqqIFR3Pb5Tq0usWxJJvsWOCPldRU3Do=
+cloud.google.com/go/run v0.3.0/go.mod h1:TuyY1+taHxTjrD0ZFk2iAR+xyOXEA0ztb7U3UNA0zBo=
+cloud.google.com/go/run v0.8.0/go.mod h1:VniEnuBwqjigv0A7ONfQUaEItaiCRVujlMqerPPiktM=
+cloud.google.com/go/run v0.9.0/go.mod h1:Wwu+/vvg8Y+JUApMwEDfVfhetv30hCG4ZwDR/IXl2Qg=
+cloud.google.com/go/run v1.2.0/go.mod h1:36V1IlDzQ0XxbQjUx6IYbw8H3TJnWvhii963WW3B/bo=
+cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s=
+cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI=
+cloud.google.com/go/scheduler v1.6.0/go.mod h1:SgeKVM7MIwPn3BqtcBntpLyrIJftQISRrYB5ZtT+KOk=
+cloud.google.com/go/scheduler v1.7.0/go.mod h1:jyCiBqWW956uBjjPMMuX09n3x37mtyPJegEWKxRsn44=
+cloud.google.com/go/scheduler v1.8.0/go.mod h1:TCET+Y5Gp1YgHT8py4nlg2Sew8nUHMqcpousDgXJVQc=
+cloud.google.com/go/scheduler v1.9.0/go.mod h1:yexg5t+KSmqu+njTIh3b7oYPheFtBWGcbVUYF1GGMIc=
+cloud.google.com/go/scheduler v1.10.1/go.mod h1:R63Ldltd47Bs4gnhQkmNDse5w8gBRrhObZ54PxgR2Oo=
+cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA=
+cloud.google.com/go/secretmanager v1.8.0/go.mod h1:hnVgi/bN5MYHd3Gt0SPuTPPp5ENina1/LxM+2W9U9J4=
+cloud.google.com/go/secretmanager v1.9.0/go.mod h1:b71qH2l1yHmWQHt9LC80akm86mX8AL6X1MA01dW8ht4=
+cloud.google.com/go/secretmanager v1.10.0/go.mod h1:MfnrdvKMPNra9aZtQFvBcvRU54hbPD8/HayQdlUgJpU=
+cloud.google.com/go/secretmanager v1.11.1/go.mod h1:znq9JlXgTNdBeQk9TBW/FnR/W4uChEKGeqQWAJ8SXFw=
+cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4=
+cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0=
+cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU=
+cloud.google.com/go/security v1.9.0/go.mod h1:6Ta1bO8LXI89nZnmnsZGp9lVoVWXqsVbIq/t9dzI+2Q=
+cloud.google.com/go/security v1.10.0/go.mod h1:QtOMZByJVlibUT2h9afNDWRZ1G96gVywH8T5GUSb9IA=
+cloud.google.com/go/security v1.12.0/go.mod h1:rV6EhrpbNHrrxqlvW0BWAIawFWq3X90SduMJdFwtLB8=
+cloud.google.com/go/security v1.13.0/go.mod h1:Q1Nvxl1PAgmeW0y3HTt54JYIvUdtcpYKVfIB8AOMZ+0=
+cloud.google.com/go/security v1.15.1/go.mod h1:MvTnnbsWnehoizHi09zoiZob0iCHVcL4AUBj76h9fXA=
+cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU=
+cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc=
+cloud.google.com/go/securitycenter v1.15.0/go.mod h1:PeKJ0t8MoFmmXLXWm41JidyzI3PJjd8sXWaVqg43WWk=
+cloud.google.com/go/securitycenter v1.16.0/go.mod h1:Q9GMaLQFUD+5ZTabrbujNWLtSLZIZF7SAR0wWECrjdk=
+cloud.google.com/go/securitycenter v1.18.1/go.mod h1:0/25gAzCM/9OL9vVx4ChPeM/+DlfGQJDwBy/UC8AKK0=
+cloud.google.com/go/securitycenter v1.19.0/go.mod h1:LVLmSg8ZkkyaNy4u7HCIshAngSQ8EcIRREP3xBnyfag=
+cloud.google.com/go/securitycenter v1.23.0/go.mod h1:8pwQ4n+Y9WCWM278R8W3nF65QtY172h4S8aXyI9/hsQ=
+cloud.google.com/go/servicecontrol v1.4.0/go.mod h1:o0hUSJ1TXJAmi/7fLJAedOovnujSEvjKCAFNXPQ1RaU=
+cloud.google.com/go/servicecontrol v1.5.0/go.mod h1:qM0CnXHhyqKVuiZnGKrIurvVImCs8gmqWsDoqe9sU1s=
+cloud.google.com/go/servicecontrol v1.10.0/go.mod h1:pQvyvSRh7YzUF2efw7H87V92mxU8FnFDawMClGCNuAA=
+cloud.google.com/go/servicecontrol v1.11.0/go.mod h1:kFmTzYzTUIuZs0ycVqRHNaNhgR+UMUpw9n02l/pY+mc=
+cloud.google.com/go/servicecontrol v1.11.1/go.mod h1:aSnNNlwEFBY+PWGQ2DoM0JJ/QUXqV5/ZD9DOLB7SnUk=
+cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs=
+cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg=
+cloud.google.com/go/servicedirectory v1.6.0/go.mod h1:pUlbnWsLH9c13yGkxCmfumWEPjsRs1RlmJ4pqiNjVL4=
+cloud.google.com/go/servicedirectory v1.7.0/go.mod h1:5p/U5oyvgYGYejufvxhgwjL8UVXjkuw7q5XcG10wx1U=
+cloud.google.com/go/servicedirectory v1.8.0/go.mod h1:srXodfhY1GFIPvltunswqXpVxFPpZjf8nkKQT7XcXaY=
+cloud.google.com/go/servicedirectory v1.9.0/go.mod h1:29je5JjiygNYlmsGz8k6o+OZ8vd4f//bQLtvzkPPT/s=
+cloud.google.com/go/servicedirectory v1.10.1/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ=
+cloud.google.com/go/servicedirectory v1.11.0/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ=
+cloud.google.com/go/servicemanagement v1.4.0/go.mod h1:d8t8MDbezI7Z2R1O/wu8oTggo3BI2GKYbdG4y/SJTco=
+cloud.google.com/go/servicemanagement v1.5.0/go.mod h1:XGaCRe57kfqu4+lRxaFEAuqmjzF0r+gWHjWqKqBvKFo=
+cloud.google.com/go/servicemanagement v1.6.0/go.mod h1:aWns7EeeCOtGEX4OvZUWCCJONRZeFKiptqKf1D0l/Jc=
+cloud.google.com/go/servicemanagement v1.8.0/go.mod h1:MSS2TDlIEQD/fzsSGfCdJItQveu9NXnUniTrq/L8LK4=
+cloud.google.com/go/serviceusage v1.3.0/go.mod h1:Hya1cozXM4SeSKTAgGXgj97GlqUvF5JaoXacR1JTP/E=
+cloud.google.com/go/serviceusage v1.4.0/go.mod h1:SB4yxXSaYVuUBYUml6qklyONXNLt83U0Rb+CXyhjEeU=
+cloud.google.com/go/serviceusage v1.5.0/go.mod h1:w8U1JvqUqwJNPEOTQjrMHkw3IaIFLoLsPLvsE3xueec=
+cloud.google.com/go/serviceusage v1.6.0/go.mod h1:R5wwQcbOWsyuOfbP9tGdAnCAc6B9DRwPG1xtWMDeuPA=
+cloud.google.com/go/shell v1.3.0/go.mod h1:VZ9HmRjZBsjLGXusm7K5Q5lzzByZmJHf1d0IWHEN5X4=
+cloud.google.com/go/shell v1.4.0/go.mod h1:HDxPzZf3GkDdhExzD/gs8Grqk+dmYcEjGShZgYa9URw=
+cloud.google.com/go/shell v1.6.0/go.mod h1:oHO8QACS90luWgxP3N9iZVuEiSF84zNyLytb+qE2f9A=
+cloud.google.com/go/shell v1.7.1/go.mod h1:u1RaM+huXFaTojTbW4g9P5emOrrmLE69KrxqQahKn4g=
+cloud.google.com/go/spanner v1.41.0/go.mod h1:MLYDBJR/dY4Wt7ZaMIQ7rXOTLjYrmxLE/5ve9vFfWos=
+cloud.google.com/go/spanner v1.44.0/go.mod h1:G8XIgYdOK+Fbcpbs7p2fiprDw4CaZX63whnSMLVBxjk=
+cloud.google.com/go/spanner v1.45.0/go.mod h1:FIws5LowYz8YAE1J8fOS7DJup8ff7xJeetWEo5REA2M=
+cloud.google.com/go/spanner v1.47.0/go.mod h1:IXsJwVW2j4UKs0eYDqodab6HgGuA1bViSqW4uH9lfUI=
+cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM=
+cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ=
+cloud.google.com/go/speech v1.8.0/go.mod h1:9bYIl1/tjsAnMgKGHKmBZzXKEkGgtU+MpdDPTE9f7y0=
+cloud.google.com/go/speech v1.9.0/go.mod h1:xQ0jTcmnRFFM2RfX/U+rk6FQNUF6DQlydUSyoooSpco=
+cloud.google.com/go/speech v1.14.1/go.mod h1:gEosVRPJ9waG7zqqnsHpYTOoAS4KouMRLDFMekpJ0J0=
+cloud.google.com/go/speech v1.15.0/go.mod h1:y6oH7GhqCaZANH7+Oe0BhgIogsNInLlz542tg3VqeYI=
+cloud.google.com/go/speech v1.17.1/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo=
+cloud.google.com/go/speech v1.19.0/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
+cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
+cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc=
+cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
+cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
+cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
+cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E=
 cloud.google.com/go/storage v1.50.0 h1:3TbVkzTooBvnZsk7WaAQfOsNrdoM8QHusXA1cpk6QJs=
 cloud.google.com/go/storage v1.50.0/go.mod h1:l7XeiD//vx5lfqE3RavfmU9yvk5Pp0Zhcv482poyafY=
+cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w=
+cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I=
+cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4=
+cloud.google.com/go/storagetransfer v1.8.0/go.mod h1:JpegsHHU1eXg7lMHkvf+KE5XDJ7EQu0GwNJbbVGanEw=
+cloud.google.com/go/storagetransfer v1.10.0/go.mod h1:DM4sTlSmGiNczmV6iZyceIh2dbs+7z2Ayg6YAiQlYfA=
+cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw=
+cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g=
+cloud.google.com/go/talent v1.3.0/go.mod h1:CmcxwJ/PKfRgd1pBjQgU6W3YBwiewmUzQYH5HHmSCmM=
+cloud.google.com/go/talent v1.4.0/go.mod h1:ezFtAgVuRf8jRsvyE6EwmbTK5LKciD4KVnHuDEFmOOA=
+cloud.google.com/go/talent v1.5.0/go.mod h1:G+ODMj9bsasAEJkQSzO2uHQWXHHXUomArjWQQYkqK6c=
+cloud.google.com/go/talent v1.6.2/go.mod h1:CbGvmKCG61mkdjcqTcLOkb2ZN1SrQI8MDyma2l7VD24=
+cloud.google.com/go/texttospeech v1.4.0/go.mod h1:FX8HQHA6sEpJ7rCMSfXuzBcysDAuWusNNNvN9FELDd8=
+cloud.google.com/go/texttospeech v1.5.0/go.mod h1:oKPLhR4n4ZdQqWKURdwxMy0uiTS1xU161C8W57Wkea4=
+cloud.google.com/go/texttospeech v1.6.0/go.mod h1:YmwmFT8pj1aBblQOI3TfKmwibnsfvhIBzPXcW4EBovc=
+cloud.google.com/go/texttospeech v1.7.1/go.mod h1:m7QfG5IXxeneGqTapXNxv2ItxP/FS0hCZBwXYqucgSk=
+cloud.google.com/go/tpu v1.3.0/go.mod h1:aJIManG0o20tfDQlRIej44FcwGGl/cD0oiRyMKG19IQ=
+cloud.google.com/go/tpu v1.4.0/go.mod h1:mjZaX8p0VBgllCzF6wcU2ovUXN9TONFLd7iz227X2Xg=
+cloud.google.com/go/tpu v1.5.0/go.mod h1:8zVo1rYDFuW2l4yZVY0R0fb/v44xLh3llq7RuV61fPM=
+cloud.google.com/go/tpu v1.6.1/go.mod h1:sOdcHVIgDEEOKuqUoi6Fq53MKHJAtOwtz0GuKsWSH3E=
+cloud.google.com/go/trace v1.3.0/go.mod h1:FFUE83d9Ca57C+K8rDl/Ih8LwOzWIV1krKgxg6N0G28=
+cloud.google.com/go/trace v1.4.0/go.mod h1:UG0v8UBqzusp+z63o7FK74SdFE+AXpCLdFb1rshXG+Y=
+cloud.google.com/go/trace v1.8.0/go.mod h1:zH7vcsbAhklH8hWFig58HvxcxyQbaIqMarMg9hn5ECA=
+cloud.google.com/go/trace v1.9.0/go.mod h1:lOQqpE5IaWY0Ixg7/r2SjixMuc6lfTFeO4QGM4dQWOk=
+cloud.google.com/go/trace v1.10.1/go.mod h1:gbtL94KE5AJLH3y+WVpfWILmqgc6dXcqgNXdOPAQTYk=
 cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4=
 cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI=
+cloud.google.com/go/translate v1.3.0/go.mod h1:gzMUwRjvOqj5i69y/LYLd8RrNQk+hOmIXTi9+nb3Djs=
+cloud.google.com/go/translate v1.4.0/go.mod h1:06Dn/ppvLD6WvA5Rhdp029IX2Mi3Mn7fpMRLPvXT5Wg=
+cloud.google.com/go/translate v1.5.0/go.mod h1:29YDSYveqqpA1CQFD7NQuP49xymq17RXNaUDdc0mNu0=
+cloud.google.com/go/translate v1.6.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos=
+cloud.google.com/go/translate v1.7.0/go.mod h1:lMGRudH1pu7I3n3PETiOB2507gf3HnfLV8qlkHZEyos=
+cloud.google.com/go/translate v1.8.1/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs=
+cloud.google.com/go/translate v1.8.2/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs=
+cloud.google.com/go/video v1.8.0/go.mod h1:sTzKFc0bUSByE8Yoh8X0mn8bMymItVGPfTuUBUyRgxk=
+cloud.google.com/go/video v1.9.0/go.mod h1:0RhNKFRF5v92f8dQt0yhaHrEuH95m068JYOvLZYnJSw=
+cloud.google.com/go/video v1.12.0/go.mod h1:MLQew95eTuaNDEGriQdcYn0dTwf9oWiA4uYebxM5kdg=
+cloud.google.com/go/video v1.13.0/go.mod h1:ulzkYlYgCp15N2AokzKjy7MQ9ejuynOJdf1tR5lGthk=
+cloud.google.com/go/video v1.14.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ=
+cloud.google.com/go/video v1.15.0/go.mod h1:SkgaXwT+lIIAKqWAJfktHT/RbgjSuY6DobxEp0C5yTQ=
+cloud.google.com/go/video v1.17.1/go.mod h1:9qmqPqw/Ib2tLqaeHgtakU+l5TcJxCJbhFXM7UJjVzU=
+cloud.google.com/go/video v1.19.0/go.mod h1:9qmqPqw/Ib2tLqaeHgtakU+l5TcJxCJbhFXM7UJjVzU=
+cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU=
+cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4=
+cloud.google.com/go/videointelligence v1.8.0/go.mod h1:dIcCn4gVDdS7yte/w+koiXn5dWVplOZkE+xwG9FgK+M=
+cloud.google.com/go/videointelligence v1.9.0/go.mod h1:29lVRMPDYHikk3v8EdPSaL8Ku+eMzDljjuvRs105XoU=
+cloud.google.com/go/videointelligence v1.10.0/go.mod h1:LHZngX1liVtUhZvi2uNS0VQuOzNi2TkY1OakiuoUOjU=
+cloud.google.com/go/videointelligence v1.11.1/go.mod h1:76xn/8InyQHarjTWsBR058SmlPCwQjgcvoW0aZykOvo=
+cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0=
+cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo=
+cloud.google.com/go/vision/v2 v2.3.0/go.mod h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo=
+cloud.google.com/go/vision/v2 v2.4.0/go.mod h1:VtI579ll9RpVTrdKdkMzckdnwMyX2JILb+MhPqRbPsY=
+cloud.google.com/go/vision/v2 v2.5.0/go.mod h1:MmaezXOOE+IWa+cS7OhRRLK2cNv1ZL98zhqFFZaaH2E=
+cloud.google.com/go/vision/v2 v2.6.0/go.mod h1:158Hes0MvOS9Z/bDMSFpjwsUrZ5fPrdwuyyvKSGAGMY=
+cloud.google.com/go/vision/v2 v2.7.0/go.mod h1:H89VysHy21avemp6xcf9b9JvZHVehWbET0uT/bcuY/0=
+cloud.google.com/go/vision/v2 v2.7.2/go.mod h1:jKa8oSYBWhYiXarHPvP4USxYANYUEdEsQrloLjrSwJU=
+cloud.google.com/go/vmmigration v1.2.0/go.mod h1:IRf0o7myyWFSmVR1ItrBSFLFD/rJkfDCUTO4vLlJvsE=
+cloud.google.com/go/vmmigration v1.3.0/go.mod h1:oGJ6ZgGPQOFdjHuocGcLqX4lc98YQ7Ygq8YQwHh9A7g=
+cloud.google.com/go/vmmigration v1.5.0/go.mod h1:E4YQ8q7/4W9gobHjQg4JJSgXXSgY21nA5r8swQV+Xxc=
+cloud.google.com/go/vmmigration v1.6.0/go.mod h1:bopQ/g4z+8qXzichC7GW1w2MjbErL54rk3/C843CjfY=
+cloud.google.com/go/vmmigration v1.7.1/go.mod h1:WD+5z7a/IpZ5bKK//YmT9E047AD+rjycCAvyMxGJbro=
+cloud.google.com/go/vmwareengine v0.1.0/go.mod h1:RsdNEf/8UDvKllXhMz5J40XxDrNJNN4sagiox+OI208=
+cloud.google.com/go/vmwareengine v0.2.2/go.mod h1:sKdctNJxb3KLZkE/6Oui94iw/xs9PRNC2wnNLXsHvH8=
+cloud.google.com/go/vmwareengine v0.3.0/go.mod h1:wvoyMvNWdIzxMYSpH/R7y2h5h3WFkx6d+1TIsP39WGY=
+cloud.google.com/go/vmwareengine v0.4.1/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0=
+cloud.google.com/go/vmwareengine v1.0.0/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0=
+cloud.google.com/go/vpcaccess v1.4.0/go.mod h1:aQHVbTWDYUR1EbTApSVvMq1EnT57ppDmQzZ3imqIk4w=
+cloud.google.com/go/vpcaccess v1.5.0/go.mod h1:drmg4HLk9NkZpGfCmZ3Tz0Bwnm2+DKqViEpeEpOq0m8=
+cloud.google.com/go/vpcaccess v1.6.0/go.mod h1:wX2ILaNhe7TlVa4vC5xce1bCnqE3AeH27RV31lnmZes=
+cloud.google.com/go/vpcaccess v1.7.1/go.mod h1:FogoD46/ZU+JUBX9D606X21EnxiszYi2tArQwLY4SXs=
+cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE=
+cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg=
+cloud.google.com/go/webrisk v1.6.0/go.mod h1:65sW9V9rOosnc9ZY7A7jsy1zoHS5W9IAXv6dGqhMQMc=
+cloud.google.com/go/webrisk v1.7.0/go.mod h1:mVMHgEYH0r337nmt1JyLthzMr6YxwN1aAIEc2fTcq7A=
+cloud.google.com/go/webrisk v1.8.0/go.mod h1:oJPDuamzHXgUc+b8SiHRcVInZQuybnvEW72PqTc7sSg=
+cloud.google.com/go/webrisk v1.9.1/go.mod h1:4GCmXKcOa2BZcZPn6DCEvE7HypmEJcJkr4mtM+sqYPc=
+cloud.google.com/go/websecurityscanner v1.3.0/go.mod h1:uImdKm2wyeXQevQJXeh8Uun/Ym1VqworNDlBXQevGMo=
+cloud.google.com/go/websecurityscanner v1.4.0/go.mod h1:ebit/Fp0a+FWu5j4JOmJEV8S8CzdTkAS77oDsiSqYWQ=
+cloud.google.com/go/websecurityscanner v1.5.0/go.mod h1:Y6xdCPy81yi0SQnDY1xdNTNpfY1oAgXUlcfN3B3eSng=
+cloud.google.com/go/websecurityscanner v1.6.1/go.mod h1:Njgaw3rttgRHXzwCB8kgCYqv5/rGpFCsBOvPbYgszpg=
+cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0=
+cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M=
+cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M=
+cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA=
+cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
+cloud.google.com/go/workflows v1.11.1/go.mod h1:Z+t10G1wF7h8LgdY/EmRcQY8ptBD/nvofaL6FqlET6g=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=
+git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1 h1:Wc1ml6QlJs2BHQ/9Bqu1jiyggbsSjramq2oUmp5WeIo=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4=
@@ -104,6 +808,7 @@ github.com/Code-Hex/go-generics-cache v1.5.1 h1:6vhZGc5M7Y/YD8cIUcY8kcuQLB4cHR7U
 github.com/Code-Hex/go-generics-cache v1.5.1/go.mod h1:qxcC9kRVrct9rHeiYpFWSoW1vxyillCVzX13KZG8dl4=
 github.com/DATA-DOG/go-sqlmock v1.4.1/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0/go.mod h1:obipzmGjfSjam60XLwGfqUkJsfiheAl+TUjG+4yzyPM=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 h1:ErKg/3iS1AKcTkf3yixlZ54f9U1rljCkQyEXWUnIUxc=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0/go.mod h1:yAZHSGnqScoU556rBOVkwLze6WP5N+U11RHuWaGVxwY=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.50.0 h1:5IT7xOdq17MtcdtL/vtl6mGfzhaq4m4vpollPRmlsBQ=
@@ -114,13 +819,17 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapp
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.52.0/go.mod h1:gdIm9TxRk5soClCwuB0FtdXsbqtw0aqPwBEurK9tPkw=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
+github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
 github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM=
 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/VictoriaMetrics/fastcache v1.12.2 h1:N0y9ASrJ0F6h0QaC3o6uJb3NIZ9VKLjCM7NQbSmF7WI=
 github.com/VictoriaMetrics/fastcache v1.12.2/go.mod h1:AmC+Nzz1+3G2eCPapF6UcsnkThDcMsQicp4xDukwJYI=
+github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm/4RlzPXRlREEwqTHAN3T56Bv2ITsFT3gY=
+github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk=
+github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
+github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
 github.com/alecthomas/kingpin v1.3.8-0.20210301060133-17f40c25f497/go.mod h1:b6br6/pDFSfMkBgC96TbpOji05q5pa+v5rIlS0Y6XtI=
 github.com/alecthomas/kingpin/v2 v2.4.0 h1:f48lwail6p8zpO1bC4TxtqACaGqHYA22qkHjHpqDjYY=
 github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
@@ -137,9 +846,14 @@ github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible h1:8psS8a+wKfiLt1iVDX79F
 github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156 h1:eMwmnE/GDgah4HI848JfFxHt+iPb26b4zyfspmqY0/8=
 github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156/go.mod h1:Cb/ax3seSYIx7SuZdm2G2xzfwmv3TPSk2ucNfQESPXM=
+github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/andybalholm/brotli v1.1.1 h1:PR2pgnyFznKEugtsUo0xLdDop5SKXd5Qf5ysW+7XdTA=
 github.com/andybalholm/brotli v1.1.1/go.mod h1:05ib4cKhjx3OQYUY22hTVd34Bc8upXjOLL2rKwwZBoA=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0Ih0vcRo/gZ1M0=
+github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI=
+github.com/apache/arrow/go/v12 v12.0.0/go.mod h1:d+tV/eHZZ7Dz7RPrFKtPK02tpr+c9/PEd/zm8mDS9Vg=
+github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc=
@@ -191,6 +905,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bluele/gcache v0.0.2 h1:WcbfdXICg7G/DGBh1PFfcirkWOQV+v077yF1pSy3DGw=
 github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0=
+github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradfitz/gomemcache v0.0.0-20250403215159-8d39553ac7cf h1:TqhNAT4zKbTdLa62d2HDBFdvgSbIGB3eJE8HqhgiL9I=
 github.com/bradfitz/gomemcache v0.0.0-20250403215159-8d39553ac7cf/go.mod h1:r5xuitiExdLAJ09PR7vBVENGvp4ZuTBeWTGtxuX3K+c=
 github.com/caio/go-tdigest v3.1.0+incompatible h1:uoVMJ3Q5lXmVLCCqaMGHLBWnbGoN6Lpu7OAUPR60cds=
@@ -200,7 +916,8 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY
 github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
 github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -218,16 +935,17 @@ github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6D
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/clbanning/mxj v1.8.4 h1:HuhwZtbyvyOw+3Z1AowPkU87JkJUSv751ELWaiTpj8I=
 github.com/clbanning/mxj v1.8.4/go.mod h1:BVjHeAH+rl9rs6f+QIpeRl0tfu10SXn1pUSa5PVGJng=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
-github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20230310173818-32f1caf87195/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
+github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
+github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls=
 github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/coder/quartz v0.1.2 h1:PVhc9sJimTdKd3VbygXtS4826EOCpB1fXoRlLnCrE+s=
@@ -271,6 +989,7 @@ github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
@@ -288,22 +1007,23 @@ github.com/emersion/go-smtp v0.21.3 h1:7uVwagE8iPYE48WhNsng3RRpCUpFvNl39JGNSIyGV
 github.com/emersion/go-smtp v0.21.3/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
-github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
+github.com/envoyproxy/go-control-plane v0.10.3/go.mod h1:fJJn/j26vwOu972OllsvAgJJM//w9BV6Fxbg2LuVd34=
+github.com/envoyproxy/go-control-plane v0.11.0/go.mod h1:VnHyVMpzcLvCFt9yUz1UnCwHLhwx1WguiVDV7pTG/tI=
 github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
 github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA=
+github.com/envoyproxy/go-control-plane/envoy v1.32.2/go.mod h1:eR2SOX2IedqlPvmiKjUH7Wu//S602JKI7HPC/L3SRq8=
+github.com/envoyproxy/go-control-plane/envoy v1.32.3/go.mod h1:c955gQjaXHsMxMjHjEZ7nwIzMJYxXpN+sJIGufsSbg4=
 github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
 github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo=
+github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w=
+github.com/envoyproxy/protoc-gen-validate v0.10.0/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
+github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
+github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4=
 github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
 github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
 github.com/facette/natsort v0.0.0-20181210072756-2cd4dd1e2dcb h1:IT4JYU7k4ikYg1SCxNI1/Tieq/NFvh6dzLdgi7eu0tM=
@@ -318,6 +1038,8 @@ github.com/felixge/fgprof v0.9.5 h1:8+vR6yu2vvSKn08urWyEuxx75NWPEvybbkBirEpsbVY=
 github.com/felixge/fgprof v0.9.5/go.mod h1:yKl+ERSa++RYOs32d8K6WEXCB4uXdLls4ZaZPpayhMM=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
+github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
@@ -329,24 +1051,30 @@ github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXE
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8=
 github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
+github.com/go-fonts/latin-modern v0.2.0/go.mod h1:rQVLdDMK+mK1xscDwsqM5J8U2jrRa3T0ecnM9pNujks=
+github.com/go-fonts/liberation v0.1.1/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
+github.com/go-fonts/liberation v0.2.0/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2HYqyqAO9z7GY=
+github.com/go-fonts/stix v0.1.0/go.mod h1:w/c1f0ldAUlJmLBvlbkvVXLAD+tAMqobIIQpmnUIzUY=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
-github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
-github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=
 github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
+github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
+github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4=
 github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -376,6 +1104,8 @@ github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZ
 github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
 github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
+github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
+github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
 github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
@@ -394,6 +1124,7 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
+github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.9.5/go.mod h1:U/jl18uSupI5rdI2jmuCswEA2htH9eXfferR3KfscvA=
@@ -414,14 +1145,17 @@ github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeD
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-migrate/migrate/v4 v4.18.1 h1:JML/k+t4tpHCpQTCAD62Nu43NUFzHY4CV3uAuvHGC+Y=
 github.com/golang-migrate/migrate/v4 v4.18.1/go.mod h1:HAX6m3sQgcdO81tdjn5exv20+3Kb13cmGli1hrD6hks=
+github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
+github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
+github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
@@ -447,6 +1181,7 @@ github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
@@ -457,6 +1192,7 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
 github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
 github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -474,6 +1210,7 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
@@ -484,6 +1221,7 @@ github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXi
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
+github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=
 github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@@ -505,11 +1243,20 @@ github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0Z
 github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18=
 github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM=
+github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
+github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
 github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
 github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
+github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
+github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
+github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4=
 github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
@@ -519,8 +1266,16 @@ github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0
 github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
 github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
 github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
+github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo=
+github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY=
+github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
+github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
+github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
+github.com/googleapis/gax-go/v2 v2.10.0/go.mod h1:4UOEnMCrxsSqQ940WnTiD6qJ63le2ev3xfyagutxiPw=
+github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI=
 github.com/googleapis/gax-go/v2 v2.14.2 h1:eBLnkZ9635krYIPD+ag1USrOAI0Nr0QYF3+/3GqO0k0=
 github.com/googleapis/gax-go/v2 v2.14.2/go.mod h1:ON64QhlJkhVtSqp4v1uaK92VyZ2gmvDQsweuyLV+8+w=
+github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gophercloud/gophercloud/v2 v2.7.0 h1:o0m4kgVcPgHlcXiWAjoVxGd8QCmvM5VU+YM71pFbn0E=
 github.com/gophercloud/gophercloud/v2 v2.7.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk=
@@ -538,6 +1293,9 @@ github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 h1:sGm2vDRFUrQJO/Veii4h4z
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2/go.mod h1:wd1YpapPLivG6nQgbf7ZkG1hhSOXDhhn4MLTknx2aAc=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/hashicorp/consul/api v1.12.0/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0=
@@ -606,6 +1364,8 @@ github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUq
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
 github.com/huaweicloud/huaweicloud-sdk-go-obs v3.25.4+incompatible h1:yNjwdvn9fwuN6Ouxr0xHM0cVu03YMUWUyFmu2van/Yc=
 github.com/huaweicloud/huaweicloud-sdk-go-obs v3.25.4+incompatible/go.mod h1:l7VUhRbTKCzdOacdT4oWCwATKyvZqUOlOqr0Ous3k4s=
+github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
+github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
@@ -632,13 +1392,19 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
+github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
+github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
 github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/knadh/koanf/maps v0.1.2 h1:RBfmAW5CnZT+PJ1CVc1QSJKf4Xu9kxfQgYVQSu8hpbo=
@@ -655,6 +1421,7 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -678,6 +1445,11 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/linode/linodego v1.52.2 h1:N9ozU27To1LMSrDd8WvJZ5STSz1eGYdyLnxhAR/dIZg=
 github.com/linode/linodego v1.52.2/go.mod h1:bI949fZaVchjWyKIA08hNyvAcV6BAS+PM2op3p7PAWA=
+github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
+github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
+github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
+github.com/lyft/protoc-gen-star/v2 v2.0.3/go.mod h1:amey7yeodaJhXSbf/TlLvWiqQfLOSpEk//mLlc+axEk=
+github.com/lyft/protoc-gen-star/v2 v2.0.4-0.20230330145011-496ad1ac90a4/go.mod h1:amey7yeodaJhXSbf/TlLvWiqQfLOSpEk//mLlc+axEk=
 github.com/magiconair/properties v1.8.6/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -699,8 +1471,12 @@ github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcME
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
@@ -714,6 +1490,8 @@ github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKju
 github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/miekg/dns v1.1.66 h1:FeZXOS3VCVsKnEAd+wBkjMC3D2K+ww66Cq3VnCINuJE=
 github.com/miekg/dns v1.1.66/go.mod h1:jGFzBsSNbJw6z1HYut1RKBKHA9PBdxeHrZG8J+gC2WE=
+github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
+github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
 github.com/minio/crc64nvme v1.0.1 h1:DHQPrYPdqK7jQG/Ls5CTBZWeex/2FMS3G5XGkycuFrY=
 github.com/minio/crc64nvme v1.0.1/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
@@ -806,14 +1584,20 @@ github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas=
 github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c h1:dAMKvw0MlJT1GshSTtih8C2gDs04w8dReiOGXrGLNoY=
 github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
+github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
+github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
+github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
+github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
 github.com/pierrec/lz4/v4 v4.1.22/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
@@ -842,6 +1626,9 @@ github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
+github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
@@ -873,15 +1660,22 @@ github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhi
 github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/redis/rueidis v1.0.61 h1:AkbCMeTyjFSQraGaNYncg3unMCTYGr6Y8WOqGhDOQu4=
 github.com/redis/rueidis v1.0.61/go.mod h1:Lkhr2QTgcoYBhxARU7kJRO8SyVlgUuEkcJO1Y8MCluA=
+github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
 github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
+github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sagikazarmark/crypt v0.6.0/go.mod h1:U8+INwJo3nBv1m6A/8OBXAq7Jnpspk5AxSgDyEQcea8=
 github.com/scaleway/scaleway-sdk-go v1.0.0-beta.33 h1:KhF0WejiUTDbL5X55nXowP7zNopwpowa6qaMAWyIE+0=
@@ -907,8 +1701,11 @@ github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/sony/gobreaker v1.0.0 h1:feX5fGGXSl3dYd4aHZItw+FpHLvvoaqkawKjVNiFMNQ=
 github.com/sony/gobreaker v1.0.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
+github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/afero v1.8.2/go.mod h1:CtAatgMJh6bJEIs48Ay/FOnkljP3WeGUG0MC1RfAqwo=
+github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
+github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
@@ -916,8 +1713,6 @@ github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw=
-github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
-github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stackitcloud/stackit-sdk-go/core v0.17.2 h1:jPyn+i8rkp2hM80+hOg0B/1EVRbMt778Tr5RWyK1m2E=
 github.com/stackitcloud/stackit-sdk-go/core v0.17.2/go.mod h1:8KIw3czdNJ9sdil9QQimxjR6vHjeINFrRv0iZ67wfn0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -937,6 +1732,7 @@ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1F
 github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
@@ -980,10 +1776,12 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
 github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
-github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
-github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
+github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
 go.etcd.io/etcd/api/v3 v3.5.17 h1:cQB8eb8bxwuxOilBpMJAEo8fAONyrdXTHUNcMd8yT1w=
 go.etcd.io/etcd/api/v3 v3.5.17/go.mod h1:d1hvkRuXkts6PmaYk2Vrgqbv7H4ADfAKhyJqHNLJCB4=
@@ -1045,6 +1843,7 @@ go.opentelemetry.io/collector/semconv v0.128.0 h1:MzYOz7Vgb3Kf5D7b49pqqgeUhEmOCu
 go.opentelemetry.io/collector/semconv v0.128.0/go.mod h1:OPXer4l43X23cnjLXIZnRj/qQOjSuq4TgBLI76P9hns=
 go.opentelemetry.io/contrib/bridges/otelzap v0.11.0 h1:u2E32P7j1a/gRgZDWhIXC+Shd4rLg70mnE7QLI/Ssnw=
 go.opentelemetry.io/contrib/bridges/otelzap v0.11.0/go.mod h1:pJPCLM8gzX4ASqLlyAXjHBEYxgbOQJ/9bidWxD6PEPQ=
+go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
 go.opentelemetry.io/contrib/detectors/gcp v1.35.0 h1:bGvFt68+KTiAKFlacHW6AhA56GF2rS0bdD3aJYEnmzA=
 go.opentelemetry.io/contrib/detectors/gcp v1.35.0/go.mod h1:qGWP8/+ILwMRIUf9uIVLloR1uo5ZYAslM4O6OqUi1DA=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
@@ -1063,6 +1862,8 @@ go.opentelemetry.io/contrib/propagators/jaeger v1.36.0 h1:SoCgXYF4ISDtNyfLUzsGDa
 go.opentelemetry.io/contrib/propagators/jaeger v1.36.0/go.mod h1:VHu48l0YTRKSObdPQ+Sb8xMZvdnJlN7yhHuHoPgNqHM=
 go.opentelemetry.io/contrib/propagators/ot v1.36.0 h1:UBoZjbx483GslNKYK2YpfvePTJV4BHGeFd8+b7dexiM=
 go.opentelemetry.io/contrib/propagators/ot v1.36.0/go.mod h1:adDDRry19/n9WoA7mSCMjoVJcmzK/bZYzX9SR+g2+W4=
+go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
+go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
 go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
 go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
 go.opentelemetry.io/otel/bridge/opentracing v1.36.0 h1:GWGmcYhMCu6+K/Yz5KWSETU/esd/mkVGx+77uKtLjpk=
@@ -1077,15 +1878,24 @@ go.opentelemetry.io/otel/log v0.12.2 h1:yob9JVHn2ZY24byZeaXpTVoPS6l+UrrxmxmPKohX
 go.opentelemetry.io/otel/log v0.12.2/go.mod h1:ShIItIxSYxufUMt+1H5a2wbckGli3/iCfuEbVZi/98E=
 go.opentelemetry.io/otel/log/logtest v0.0.0-20250526142609-aa5bd0e64989 h1:4JF7oY9CcHrPGfBLijDcXZyCzGckVEyOjuat5ktmQRg=
 go.opentelemetry.io/otel/log/logtest v0.0.0-20250526142609-aa5bd0e64989/go.mod h1:NToOxLDCS1tXDSB2dIj44H9xGPOpKr0csIN+gnuihv4=
+go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
 go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
 go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
 go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
 go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
 go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
 go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
 go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
 go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
+go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
+go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os=
 go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
@@ -1112,29 +1922,60 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191002040644-a1355ae1e2c3/go.mod h1:NOZ3BPKG0ec/BKJQgnvsSFpcKLM5xXVWnvZS97DWHgE=
 golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
 golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
 golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476 h1:bsqhLWFR6G6xiQcb+JoGqdKdRU6WzPWmK8E0jxTjzo4=
 golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
+golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/image v0.0.0-20190910094157-69e4b8554b2a/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.0.0-20200119044424-58c23975cae1/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.0.0-20200430140353-33d19683fad8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.0.0-20200618115811-c13761719519/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.0.0-20201208152932-35266b937fa6/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.0.0-20210216034530-4410531fe030/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.0.0-20210607152325-775e3b0c77b9/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
+golang.org/x/image v0.0.0-20210628002857-a66eb6448b8d/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
+golang.org/x/image v0.0.0-20211028202545-6944b10bf410/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
+golang.org/x/image v0.0.0-20220302094943-723b81ca9867/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -1157,10 +1998,20 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
 golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1200,6 +2051,8 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
@@ -1207,6 +2060,30 @@ golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20221012135044-0b7e1fb9d458/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
 golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1229,9 +2106,19 @@ golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
+golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
+golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
+golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
+golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
+golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
+golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
+golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
+golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
+golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
+golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
+golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1243,10 +2130,20 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220513210516-0976fa681c29/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1294,6 +2191,7 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210304124612-50617c2ba197/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1309,10 +2207,12 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1326,14 +2226,55 @@ golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
+golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
+golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
 golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1345,15 +2286,32 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
 golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
@@ -1367,6 +2325,7 @@ golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190927191325-030b2cf1153e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1397,6 +2356,7 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
 golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.0.0-20201124115921-2c860bdd6e78/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
@@ -1408,6 +2368,15 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
+golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
 golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1416,8 +2385,18 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo=
+gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
+gonum.org/v1/gonum v0.9.3/go.mod h1:TZumC3NeyVQskjXqmyWt4S3bINhy7B4eYwW69EbyX+0=
+gonum.org/v1/gonum v0.11.0/go.mod h1:fSG4YDCxxUZQJ7rKsQrj0gMOg00Il0Z96/qMA4bVQhA=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
+gonum.org/v1/plot v0.0.0-20190515093506-e2840ee46a6b/go.mod h1:Wt8AAjI+ypCyYX3nZBvf6cAIx93T+c/OS2HFAYskSZc=
+gonum.org/v1/plot v0.9.0/go.mod h1:3Pcqqmp6RHvJI72kgb8fThyUnav364FOsdDo2aGW5lY=
+gonum.org/v1/plot v0.10.1/go.mod h1:VZW5OlhkL1mysU9vaqNHnsy86inf6Ot+jB3r+BczCEo=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1455,11 +2434,35 @@ google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/S
 google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
 google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
 google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
+google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
+google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
 google.golang.org/api v0.81.0/go.mod h1:FA6Mb/bZxj706H2j+j2d6mHEEaHBmbbWnkfvmorOCko=
+google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
+google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g=
+google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
+google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
+google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI=
+google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
+google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
+google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s=
+google.golang.org/api v0.99.0/go.mod h1:1YOf74vkVndF7pG6hIHuINsM7eWwpVTAfNMNiL91A08=
+google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70=
+google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo=
+google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0=
+google.golang.org/api v0.106.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
+google.golang.org/api v0.107.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
+google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
+google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI=
+google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0=
+google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
+google.golang.org/api v0.118.0/go.mod h1:76TtD3vkgmZ66zZzp72bUUklpmQmKlhh6sYtIjYK+5E=
+google.golang.org/api v0.122.0/go.mod h1:gcitW0lvnyWjSp9nKxAbdHKIZ6vF4aajGueeslZOyms=
+google.golang.org/api v0.124.0/go.mod h1:xu2HQurE5gi/3t1aFCvhPD781p0a3p11sdunTJ2BlP4=
+google.golang.org/api v0.125.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw=
+google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw=
 google.golang.org/api v0.239.0 h1:2hZKUnFZEy81eugPs4e2XzIJ5SOwQg0G82bpXD65Puo=
 google.golang.org/api v0.239.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
@@ -1467,7 +2470,6 @@ google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180518175338-11a468237815/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -1509,6 +2511,7 @@ google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
@@ -1539,52 +2542,114 @@ google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2
 google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
 google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
 google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
+google.golang.org/genproto v0.0.0-20220329172620-7be39ac1afc7/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
+google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
+google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
+google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
+google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE=
+google.golang.org/genproto v0.0.0-20220801145646-83ce21fca29f/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc=
+google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
+google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
+google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
+google.golang.org/genproto v0.0.0-20220829144015-23454907ede3/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
+google.golang.org/genproto v0.0.0-20220829175752-36a9c930ecbf/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
+google.golang.org/genproto v0.0.0-20220913154956-18f8339a66a5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
+google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
+google.golang.org/genproto v0.0.0-20220915135415-7fd63a7952de/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
+google.golang.org/genproto v0.0.0-20220916172020-2692e8806bfa/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
+google.golang.org/genproto v0.0.0-20220919141832-68c03719ef51/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo=
+google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw=
+google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
+google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI=
+google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U=
+google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
+google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM=
+google.golang.org/genproto v0.0.0-20221024153911-1573dae28c9c/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
+google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
+google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo=
+google.golang.org/genproto v0.0.0-20221109142239-94d6d90a7d66/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
+google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
+google.golang.org/genproto v0.0.0-20221117204609-8f9c96812029/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
+google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
+google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
+google.golang.org/genproto v0.0.0-20221201204527-e3fa12d562f3/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
+google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd/go.mod h1:cTsE614GARnxrLsqKREzmNYJACSWWpAWdNMwnD7c2BE=
+google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230112194545-e10362b5ecf9/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230113154510-dbe35b8444a5/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230123190316-2c411cf9d197/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230124163310-31e0e69b6fc2/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230127162408-596548ed4efa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230216225411-c8e22ba71e44/go.mod h1:8B0gmkoRebU8ukX6HP+4wrVQUY1+6PkQ44BSyIlflHA=
+google.golang.org/genproto v0.0.0-20230222225845-10f96fb3dbec/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw=
+google.golang.org/genproto v0.0.0-20230223222841-637eb2293923/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw=
+google.golang.org/genproto v0.0.0-20230303212802-e74f57abe488/go.mod h1:TvhZT5f700eVlTNwND1xoEZQeWTB2RY/65kplwl/bFA=
+google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
+google.golang.org/genproto v0.0.0-20230320184635-7606e756e683/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
+google.golang.org/genproto v0.0.0-20230323212658-478b75c54725/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
+google.golang.org/genproto v0.0.0-20230330154414-c0448cd141ea/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
+google.golang.org/genproto v0.0.0-20230331144136-dcfb400f0633/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
+google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
+google.golang.org/genproto v0.0.0-20230525234025-438c736192d0/go.mod h1:9ExIQyXL5hZrHzQceCwuSYwZZ5QZBazOcprJ5rgs3lY=
+google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk=
+google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64=
+google.golang.org/genproto v0.0.0-20230629202037-9506855d4529/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64=
+google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
+google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:0ggbjUrZYpy1q+ANUS30SEoGZ53cdfwtbuG7Ptgy108=
+google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5/go.mod h1:oH/ZOT02u4kWEp7oYBGYFFkCdKS/uYR9Z7+0/xuuFp8=
 google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 h1:1tXaIXCracvtsRxSBsYDiSBN0cuJvM7QYW+MrpIRY78=
 google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:49MsLSx0oWMOZqcpB3uL8ZOkAh1+TndpJ8ONoCBWiZk=
+google.golang.org/genproto/googleapis/api v0.0.0-20230525234020-1aefcd67740a/go.mod h1:ts19tUU+Z0ZShN1y3aPyq2+O3d5FUNNgT6FtOzmrNn8=
+google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
+google.golang.org/genproto/googleapis/api v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
+google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
+google.golang.org/genproto/googleapis/api v0.0.0-20230629202037-9506855d4529/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
+google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk=
+google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142/go.mod h1:d6be+8HhtEtucleCbxpPW9PA9XwISACu8nvpPqF0BVo=
+google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a/go.mod h1:jehYqy3+AhJU9ve55aNOaSml7wUXjF9x6z2LcCfpAhY=
+google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422/go.mod h1:b6h1vNKhxaSoEI+5jc3PJUCustfli/mRab7295pY7rw=
 google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
 google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
+google.golang.org/genproto/googleapis/bytestream v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:ylj+BE99M198VPbBh6A8d9n3w8fChvyLK3wwBOjXBFA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234015-3fc162c6f38a/go.mod h1:xURIpW9ES5+/GZhnV6beoEtxQrnkRGIfP5VQG2tCBLc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:8mL13HKkDa+IuJ8yruA3ci0q+0vsUz4m//+ottjwS5o=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230731190214-cbb8c96f2d6d/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230803162519-f966b187b2e5/go.mod h1:zBEcrKX2ZOcEkHWxBPAIvYUWOKKMIhYcmNiUIu2ji3I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240730163845-b1a4ccb954bf/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250102185135-69823020774d/go.mod h1:3ENsm/5D1mzDyhpzeRi1NR784I0BcofWBoSc5QqqMK4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:+2Yz8+CLJbIfL9z73EW45avw8Lmge3xVElCP9zEKi50=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.12.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
-google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
-google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
+google.golang.org/grpc v1.71.2 h1:KnzCueW4s+8ojAPZ+NnyZAELjsIMJGteKjKejieEC7M=
+google.golang.org/grpc v1.71.2/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -1600,6 +2665,17 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1643,6 +2719,7 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
 k8s.io/api v0.33.1 h1:tA6Cf3bHnLIrUK4IqEgb2v++/GYUtqiu9sRVk3iBXyw=
 k8s.io/api v0.33.1/go.mod h1:87esjTn9DRSRTD4fWMXamiXxJhpOIREjWOSjsW1kEHw=
 k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4=
@@ -1655,7 +2732,59 @@ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUy
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
+lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
+modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
+modernc.org/cc/v3 v3.36.2/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
+modernc.org/cc/v3 v3.36.3/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
+modernc.org/cc/v3 v3.37.0/go.mod h1:vtL+3mdHx/wcj3iEGz84rQa8vEqR6XM84v5Lcvfph20=
+modernc.org/cc/v3 v3.40.0/go.mod h1:/bTg4dnWkSXowUO6ssQKnOV0yMVxDYNIsIrzqTFDGH0=
+modernc.org/ccgo/v3 v3.0.0-20220428102840-41399a37e894/go.mod h1:eI31LL8EwEBKPpNpA4bU1/i+sKOwOrQy8D87zWUcRZc=
+modernc.org/ccgo/v3 v3.0.0-20220430103911-bc99d88307be/go.mod h1:bwdAnOoaIt8Ax9YdWGjxWsdkPcZyRPHqrOvJxaKAKGw=
+modernc.org/ccgo/v3 v3.0.0-20220904174949-82d86e1b6d56/go.mod h1:YSXjPL62P2AMSxBphRHPn7IkzhVHqkvOnRKAKh+W6ZI=
+modernc.org/ccgo/v3 v3.16.4/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
+modernc.org/ccgo/v3 v3.16.6/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
+modernc.org/ccgo/v3 v3.16.8/go.mod h1:zNjwkizS+fIFDrDjIAgBSCLkWbJuHF+ar3QRn+Z9aws=
+modernc.org/ccgo/v3 v3.16.9/go.mod h1:zNMzC9A9xeNUepy6KuZBbugn3c0Mc9TeiJO4lgvkJDo=
+modernc.org/ccgo/v3 v3.16.13-0.20221017192402-261537637ce8/go.mod h1:fUB3Vn0nVPReA+7IG7yZDfjv1TMWjhQP8gCxrFAtL5g=
+modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY=
+modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ=
+modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM=
+modernc.org/libc v0.0.0-20220428101251-2d5f3daf273b/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
+modernc.org/libc v1.16.0/go.mod h1:N4LD6DBE9cf+Dzf9buBlzVJndKr/iJHG97vGLHYnb5A=
+modernc.org/libc v1.16.1/go.mod h1:JjJE0eu4yeK7tab2n4S1w8tlWd9MxXLRzheaRnAKymU=
+modernc.org/libc v1.16.17/go.mod h1:hYIV5VZczAmGZAnG15Vdngn5HSF5cSkbvfz2B7GRuVU=
+modernc.org/libc v1.16.19/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
+modernc.org/libc v1.17.0/go.mod h1:XsgLldpP4aWlPlsjqKRdHPqCxCjISdHfM/yeWC5GyW0=
+modernc.org/libc v1.17.1/go.mod h1:FZ23b+8LjxZs7XtFMbSzL/EhPxNbfZbErxEHc7cbD9s=
+modernc.org/libc v1.17.4/go.mod h1:WNg2ZH56rDEwdropAJeZPQkXmDwh+JCA1s/htl6r2fA=
+modernc.org/libc v1.18.0/go.mod h1:vj6zehR5bfc98ipowQOM2nIDUZnVew/wNC/2tOGS+q0=
+modernc.org/libc v1.20.3/go.mod h1:ZRfIaEkgrYgZDl6pa4W39HgN5G/yDW+NRmNKZBDFrk0=
+modernc.org/libc v1.21.4/go.mod h1:przBsL5RDOZajTVslkugzLBj1evTue36jEomFQOoYuI=
+modernc.org/libc v1.22.2/go.mod h1:uvQavJ1pZ0hIoC/jfqNoMLURIMhKzINIWypNM17puug=
+modernc.org/mathutil v1.2.2/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
+modernc.org/mathutil v1.4.1/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
+modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
+modernc.org/memory v1.1.1/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
+modernc.org/memory v1.2.0/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
+modernc.org/memory v1.2.1/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
+modernc.org/memory v1.3.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
+modernc.org/memory v1.4.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
+modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
+modernc.org/opt v0.1.1/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/sqlite v1.18.1/go.mod h1:6ho+Gow7oX5V+OiOQ6Tr4xeqbx13UZ6t+Fw9IRUG4d4=
+modernc.org/sqlite v1.18.2/go.mod h1:kvrTLEWgxUcHa2GfHBQtanR1H9ht3hTJNtKpzH9k1u0=
+modernc.org/strutil v1.1.1/go.mod h1:DE+MQQ/hjKBZS2zNInV5hhcipt5rLPWkmpbGeW5mmdw=
+modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
+modernc.org/tcl v1.13.1/go.mod h1:XOLfOwzhkljL4itZkK6T72ckMgvj0BDsnKNdZVUOecw=
+modernc.org/tcl v1.13.2/go.mod h1:7CLiGIPo1M8Rv1Mitpv5akc2+8fxUd2y2UzC/MfMzy0=
+modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
+modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
+modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
diff --git a/pkg/util/grpcutil/health_check.go b/pkg/util/grpcutil/health_check.go
index e6883447fb6..b37ee5dd854 100644
--- a/pkg/util/grpcutil/health_check.go
+++ b/pkg/util/grpcutil/health_check.go
@@ -32,19 +32,6 @@ func (h *HealthCheck) Check(_ context.Context, _ *grpc_health_v1.HealthCheckRequ
 	return &grpc_health_v1.HealthCheckResponse{Status: grpc_health_v1.HealthCheckResponse_SERVING}, nil
 }
 
-func (h *HealthCheck) List(ctx context.Context, request *grpc_health_v1.HealthListRequest) (*grpc_health_v1.HealthListResponse, error) {
-	checkResp, err := h.Check(ctx, nil)
-	if err != nil {
-		return &grpc_health_v1.HealthListResponse{}, err
-	}
-
-	return &grpc_health_v1.HealthListResponse{
-		Statuses: map[string]*grpc_health_v1.HealthCheckResponse{
-			"server": checkResp,
-		},
-	}, nil
-}
-
 // Watch implements the grpc healthcheck.
 func (h *HealthCheck) Watch(_ *grpc_health_v1.HealthCheckRequest, _ grpc_health_v1.Health_WatchServer) error {
 	return status.Error(codes.Unimplemented, "Watching is not supported")
diff --git a/vendor/github.com/go-jose/go-jose/v4/.gitignore b/vendor/github.com/go-jose/go-jose/v4/.gitignore
deleted file mode 100644
index eb29ebaefd8..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-jose-util/jose-util
-jose-util.t.err
\ No newline at end of file
diff --git a/vendor/github.com/go-jose/go-jose/v4/.golangci.yml b/vendor/github.com/go-jose/go-jose/v4/.golangci.yml
deleted file mode 100644
index 2a577a8f95b..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/.golangci.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-# https://github.com/golangci/golangci-lint
-
-run:
-  skip-files:
-    - doc_test.go
-  modules-download-mode: readonly
-
-linters:
-  enable-all: true
-  disable:
-    - gochecknoglobals
-    - goconst
-    - lll
-    - maligned
-    - nakedret
-    - scopelint
-    - unparam
-    - funlen # added in 1.18 (requires go-jose changes before it can be enabled)
-
-linters-settings:
-  gocyclo:
-    min-complexity: 35
-
-issues:
-  exclude-rules:
-    - text: "don't use ALL_CAPS in Go names"
-      linters:
-        - golint
-    - text: "hardcoded credentials"
-      linters:
-        - gosec
-    - text: "weak cryptographic primitive"
-      linters:
-        - gosec
-    - path: json/
-      linters:
-        - dupl
-        - errcheck
-        - gocritic
-        - gocyclo
-        - golint
-        - govet
-        - ineffassign
-        - staticcheck
-        - structcheck
-        - stylecheck
-        - unused
-    - path: _test\.go
-      linters:
-        - scopelint
-    - path: jwk.go
-      linters:
-        - gocyclo
diff --git a/vendor/github.com/go-jose/go-jose/v4/.travis.yml b/vendor/github.com/go-jose/go-jose/v4/.travis.yml
deleted file mode 100644
index 48de631b003..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/.travis.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-language: go
-
-matrix:
-  fast_finish: true
-  allow_failures:
-    - go: tip
-
-go:
-  - "1.13.x"
-  - "1.14.x"
-  - tip
-
-before_script:
-  - export PATH=$HOME/.local/bin:$PATH
-
-before_install:
-  - go get -u github.com/mattn/goveralls github.com/wadey/gocovmerge
-  - curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.18.0
-  - pip install cram --user
-
-script:
-  - go test -v -covermode=count -coverprofile=profile.cov .
-  - go test -v -covermode=count -coverprofile=cryptosigner/profile.cov ./cryptosigner
-  - go test -v -covermode=count -coverprofile=cipher/profile.cov ./cipher
-  - go test -v -covermode=count -coverprofile=jwt/profile.cov ./jwt
-  - go test -v ./json  # no coverage for forked encoding/json package
-  - golangci-lint run
-  - cd jose-util && go build && PATH=$PWD:$PATH cram -v jose-util.t # cram tests jose-util
-  - cd ..
-
-after_success:
-  - gocovmerge *.cov */*.cov > merged.coverprofile
-  - goveralls -coverprofile merged.coverprofile -service=travis-ci
diff --git a/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
deleted file mode 100644
index 6f717dbd86e..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
+++ /dev/null
@@ -1,96 +0,0 @@
-# v4.0.4
-
-## Fixed
-
- - Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
-   breaking change. See #136 / #137.
-
-# v4.0.3
-
-## Changed
-
- - Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
- - Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
- - Dependency updates
-
-# v4.0.2
-
-## Changed
-
- - Improved documentation of Verify() to note that JSONWebKeySet is a supported
-   argument type (#104)
- - Defined exported error values for missing x5c header and unsupported elliptic
-   curves error cases (#117)
-
-# v4.0.1
-
-## Fixed
-
- - An attacker could send a JWE containing compressed data that used large
-   amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
-   Those functions now return an error if the decompressed data would exceed
-   250kB or 10x the compressed size (whichever is larger). Thanks to
-   Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
-   for reporting.
-
-# v4.0.0
-
-This release makes some breaking changes in order to more thoroughly
-address the vulnerabilities discussed in [Three New Attacks Against JSON Web
-Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
-token".
-
-## Changed
-
- - Limit JWT encryption types (exclude password or public key types) (#78)
- - Enforce minimum length for HMAC keys (#85)
- - jwt: match any audience in a list, rather than requiring all audiences (#81)
- - jwt: accept only Compact Serialization (#75)
- - jws: Add expected algorithms for signatures (#74)
- - Require specifying expected algorithms for ParseEncrypted,
-   ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
-   jwt.ParseSignedAndEncrypted (#69, #74)
-   - Usually there is a small, known set of appropriate algorithms for a program
-     to use and it's a mistake to allow unexpected algorithms. For instance the
-     "billion hash attack" relies in part on programs accepting the PBES2
-     encryption algorithm and doing the necessary work even if they weren't
-     specifically configured to allow PBES2.
- - Revert "Strip padding off base64 strings" (#82)
-  - The specs require base64url encoding without padding.
- - Minimum supported Go version is now 1.21
-
-## Added
-
- - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
-   - These allow parsing a specific serialization, as opposed to ParseSigned and
-     ParseEncrypted, which try to automatically detect which serialization was
-     provided. It's common to require a specific serialization for a specific
-     protocol - for instance JWT requires Compact serialization.
-
-[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
-
-# v3.0.2
-
-## Fixed
-
- - DecryptMulti: handle decompression error (#19)
-
-## Changed
-
- - jwe/CompactSerialize: improve performance (#67)
- - Increase the default number of PBKDF2 iterations to 600k (#48)
- - Return the proper algorithm for ECDSA keys (#45)
-
-## Added
-
- - Add Thumbprint support for opaque signers (#38)
-
-# v3.0.1
-
-## Fixed
-
- - Security issue: an attacker specifying a large "p2c" value can cause
-   JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
-   amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
-   disclosure and to Tom Tervoort for originally publishing the category of attack.
-   https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
diff --git a/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md b/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
deleted file mode 100644
index 4b4805add65..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Contributing
-
-If you would like to contribute code to go-jose you can do so through GitHub by
-forking the repository and sending a pull request.
-
-When submitting code, please make every effort to follow existing conventions
-and style in order to keep the code as readable as possible. Please also make
-sure all tests pass by running `go test`, and format your code with `go fmt`.
-We also recommend using `golint` and `errcheck`.
diff --git a/vendor/github.com/go-jose/go-jose/v4/LICENSE b/vendor/github.com/go-jose/go-jose/v4/LICENSE
deleted file mode 100644
index d6456956733..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
diff --git a/vendor/github.com/go-jose/go-jose/v4/README.md b/vendor/github.com/go-jose/go-jose/v4/README.md
deleted file mode 100644
index 02b5749546b..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/README.md
+++ /dev/null
@@ -1,106 +0,0 @@
-# Go JOSE
-
-[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
-[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
-[![license](https://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
-[![test](https://img.shields.io/github/checks-status/go-jose/go-jose/v4)](https://github.com/go-jose/go-jose/actions)
-
-Package jose aims to provide an implementation of the Javascript Object Signing
-and Encryption set of standards. This includes support for JSON Web Encryption,
-JSON Web Signature, and JSON Web Token standards.
-
-## Overview
-
-The implementation follows the
-[JSON Web Encryption](https://dx.doi.org/10.17487/RFC7516) (RFC 7516),
-[JSON Web Signature](https://dx.doi.org/10.17487/RFC7515) (RFC 7515), and
-[JSON Web Token](https://dx.doi.org/10.17487/RFC7519) (RFC 7519) specifications.
-Tables of supported algorithms are shown below. The library supports both
-the compact and JWS/JWE JSON Serialization formats, and has optional support for
-multiple recipients. It also comes with a small command-line utility
-([`jose-util`](https://pkg.go.dev/github.com/go-jose/go-jose/jose-util))
-for dealing with JOSE messages in a shell.
-
-**Note**: We use a forked version of the `encoding/json` package from the Go
-standard library which uses case-sensitive matching for member names (instead
-of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html)).
-This is to avoid differences in interpretation of messages between go-jose and
-libraries in other languages.
-
-### Versions
-
-[Version 4](https://github.com/go-jose/go-jose)
-([branch](https://github.com/go-jose/go-jose/tree/main),
-[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
-
-    import "github.com/go-jose/go-jose/v4"
-
-The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
-are still useable but not actively developed anymore.
-
-Version 3, in this repo, is still receiving security fixes but not functionality
-updates.
-
-### Supported algorithms
-
-See below for a table of supported algorithms. Algorithm identifiers match
-the names in the [JSON Web Algorithms](https://dx.doi.org/10.17487/RFC7518)
-standard where possible. The Godoc reference has a list of constants.
-
- Key encryption             | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSA-PKCS#1v1.5             | RSA1_5
- RSA-OAEP                   | RSA-OAEP, RSA-OAEP-256
- AES key wrap               | A128KW, A192KW, A256KW
- AES-GCM key wrap           | A128GCMKW, A192GCMKW, A256GCMKW
- ECDH-ES + AES key wrap     | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
- ECDH-ES (direct)           | ECDH-ES<sup>1</sup>
- Direct encryption          | dir<sup>1</sup>
-
-<sup>1. Not supported in multi-recipient mode</sup>
-
- Signing / MAC              | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSASSA-PKCS#1v1.5          | RS256, RS384, RS512
- RSASSA-PSS                 | PS256, PS384, PS512
- HMAC                       | HS256, HS384, HS512
- ECDSA                      | ES256, ES384, ES512
- Ed25519                    | EdDSA<sup>2</sup>
-
-<sup>2. Only available in version 2 of the package</sup>
-
- Content encryption         | Algorithm identifier(s)
- :------------------------- | :------------------------------
- AES-CBC+HMAC               | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
- AES-GCM                    | A128GCM, A192GCM, A256GCM
-
- Compression                | Algorithm identifiers(s)
- :------------------------- | -------------------------------
- DEFLATE (RFC 1951)         | DEF
-
-### Supported key types
-
-See below for a table of supported key types. These are understood by the
-library, and can be passed to corresponding functions such as `NewEncrypter` or
-`NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which
-allows attaching a key id.
-
- Algorithm(s)               | Corresponding types
- :------------------------- | -------------------------------
- RSA                        | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey)
- ECDH, ECDSA                | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey)
- EdDSA<sup>1</sup>          | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey)
- AES, HMAC                  | []byte
-
-<sup>1. Only available in version 2 or later of the package</sup>
-
-## Examples
-
-[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
-[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
-
-Examples can be found in the Godoc
-reference for this package. The
-[`jose-util`](https://github.com/go-jose/go-jose/tree/main/jose-util)
-subdirectory also contains a small command-line utility which might be useful
-as an example as well.
diff --git a/vendor/github.com/go-jose/go-jose/v4/SECURITY.md b/vendor/github.com/go-jose/go-jose/v4/SECURITY.md
deleted file mode 100644
index 2f18a75a822..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/SECURITY.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Security Policy
-This document explains how to contact the Let's Encrypt security team to report security vulnerabilities.
-
-## Supported Versions
-| Version | Supported |
-| ------- | ----------|
-| >= v3   | &check; |
-| v2      | &cross; |
-| v1      | &cross; |
-
-## Reporting a vulnerability
-
-Please see [https://letsencrypt.org/contact/#security](https://letsencrypt.org/contact/#security) for the email address to report a vulnerability. Ensure that the subject line for your report contains the word `vulnerability` and is descriptive. Your email should be acknowledged within 24 hours. If you do not receive a response within 24 hours, please follow-up again with another email.
diff --git a/vendor/github.com/go-jose/go-jose/v4/asymmetric.go b/vendor/github.com/go-jose/go-jose/v4/asymmetric.go
deleted file mode 100644
index f8d5774ef56..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/asymmetric.go
+++ /dev/null
@@ -1,595 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"crypto"
-	"crypto/aes"
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/sha256"
-	"errors"
-	"fmt"
-	"math/big"
-
-	josecipher "github.com/go-jose/go-jose/v4/cipher"
-	"github.com/go-jose/go-jose/v4/json"
-)
-
-// A generic RSA-based encrypter/verifier
-type rsaEncrypterVerifier struct {
-	publicKey *rsa.PublicKey
-}
-
-// A generic RSA-based decrypter/signer
-type rsaDecrypterSigner struct {
-	privateKey *rsa.PrivateKey
-}
-
-// A generic EC-based encrypter/verifier
-type ecEncrypterVerifier struct {
-	publicKey *ecdsa.PublicKey
-}
-
-type edEncrypterVerifier struct {
-	publicKey ed25519.PublicKey
-}
-
-// A key generator for ECDH-ES
-type ecKeyGenerator struct {
-	size      int
-	algID     string
-	publicKey *ecdsa.PublicKey
-}
-
-// A generic EC-based decrypter/signer
-type ecDecrypterSigner struct {
-	privateKey *ecdsa.PrivateKey
-}
-
-type edDecrypterSigner struct {
-	privateKey ed25519.PrivateKey
-}
-
-// newRSARecipient creates recipientKeyInfo based on the given key.
-func newRSARecipient(keyAlg KeyAlgorithm, publicKey *rsa.PublicKey) (recipientKeyInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch keyAlg {
-	case RSA1_5, RSA_OAEP, RSA_OAEP_256:
-	default:
-		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if publicKey == nil {
-		return recipientKeyInfo{}, errors.New("invalid public key")
-	}
-
-	return recipientKeyInfo{
-		keyAlg: keyAlg,
-		keyEncrypter: &rsaEncrypterVerifier{
-			publicKey: publicKey,
-		},
-	}, nil
-}
-
-// newRSASigner creates a recipientSigInfo based on the given key.
-func newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipientSigInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch sigAlg {
-	case RS256, RS384, RS512, PS256, PS384, PS512:
-	default:
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if privateKey == nil {
-		return recipientSigInfo{}, errors.New("invalid private key")
-	}
-
-	return recipientSigInfo{
-		sigAlg: sigAlg,
-		publicKey: staticPublicKey(&JSONWebKey{
-			Key: privateKey.Public(),
-		}),
-		signer: &rsaDecrypterSigner{
-			privateKey: privateKey,
-		},
-	}, nil
-}
-
-func newEd25519Signer(sigAlg SignatureAlgorithm, privateKey ed25519.PrivateKey) (recipientSigInfo, error) {
-	if sigAlg != EdDSA {
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if privateKey == nil {
-		return recipientSigInfo{}, errors.New("invalid private key")
-	}
-	return recipientSigInfo{
-		sigAlg: sigAlg,
-		publicKey: staticPublicKey(&JSONWebKey{
-			Key: privateKey.Public(),
-		}),
-		signer: &edDecrypterSigner{
-			privateKey: privateKey,
-		},
-	}, nil
-}
-
-// newECDHRecipient creates recipientKeyInfo based on the given key.
-func newECDHRecipient(keyAlg KeyAlgorithm, publicKey *ecdsa.PublicKey) (recipientKeyInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch keyAlg {
-	case ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
-	default:
-		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if publicKey == nil || !publicKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
-		return recipientKeyInfo{}, errors.New("invalid public key")
-	}
-
-	return recipientKeyInfo{
-		keyAlg: keyAlg,
-		keyEncrypter: &ecEncrypterVerifier{
-			publicKey: publicKey,
-		},
-	}, nil
-}
-
-// newECDSASigner creates a recipientSigInfo based on the given key.
-func newECDSASigner(sigAlg SignatureAlgorithm, privateKey *ecdsa.PrivateKey) (recipientSigInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch sigAlg {
-	case ES256, ES384, ES512:
-	default:
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	if privateKey == nil {
-		return recipientSigInfo{}, errors.New("invalid private key")
-	}
-
-	return recipientSigInfo{
-		sigAlg: sigAlg,
-		publicKey: staticPublicKey(&JSONWebKey{
-			Key: privateKey.Public(),
-		}),
-		signer: &ecDecrypterSigner{
-			privateKey: privateKey,
-		},
-	}, nil
-}
-
-// Encrypt the given payload and update the object.
-func (ctx rsaEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
-	encryptedKey, err := ctx.encrypt(cek, alg)
-	if err != nil {
-		return recipientInfo{}, err
-	}
-
-	return recipientInfo{
-		encryptedKey: encryptedKey,
-		header:       &rawHeader{},
-	}, nil
-}
-
-// Encrypt the given payload. Based on the key encryption algorithm,
-// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
-func (ctx rsaEncrypterVerifier) encrypt(cek []byte, alg KeyAlgorithm) ([]byte, error) {
-	switch alg {
-	case RSA1_5:
-		return rsa.EncryptPKCS1v15(RandReader, ctx.publicKey, cek)
-	case RSA_OAEP:
-		return rsa.EncryptOAEP(sha1.New(), RandReader, ctx.publicKey, cek, []byte{})
-	case RSA_OAEP_256:
-		return rsa.EncryptOAEP(sha256.New(), RandReader, ctx.publicKey, cek, []byte{})
-	}
-
-	return nil, ErrUnsupportedAlgorithm
-}
-
-// Decrypt the given payload and return the content encryption key.
-func (ctx rsaDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
-	return ctx.decrypt(recipient.encryptedKey, headers.getAlgorithm(), generator)
-}
-
-// Decrypt the given payload. Based on the key encryption algorithm,
-// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
-func (ctx rsaDecrypterSigner) decrypt(jek []byte, alg KeyAlgorithm, generator keyGenerator) ([]byte, error) {
-	// Note: The random reader on decrypt operations is only used for blinding,
-	// so stubbing is meanlingless (hence the direct use of rand.Reader).
-	switch alg {
-	case RSA1_5:
-		defer func() {
-			// DecryptPKCS1v15SessionKey sometimes panics on an invalid payload
-			// because of an index out of bounds error, which we want to ignore.
-			// This has been fixed in Go 1.3.1 (released 2014/08/13), the recover()
-			// only exists for preventing crashes with unpatched versions.
-			// See: https://groups.google.com/forum/#!topic/golang-dev/7ihX6Y6kx9k
-			// See: https://code.google.com/p/go/source/detail?r=58ee390ff31602edb66af41ed10901ec95904d33
-			_ = recover()
-		}()
-
-		// Perform some input validation.
-		keyBytes := ctx.privateKey.PublicKey.N.BitLen() / 8
-		if keyBytes != len(jek) {
-			// Input size is incorrect, the encrypted payload should always match
-			// the size of the public modulus (e.g. using a 2048 bit key will
-			// produce 256 bytes of output). Reject this since it's invalid input.
-			return nil, ErrCryptoFailure
-		}
-
-		cek, _, err := generator.genKey()
-		if err != nil {
-			return nil, ErrCryptoFailure
-		}
-
-		// When decrypting an RSA-PKCS1v1.5 payload, we must take precautions to
-		// prevent chosen-ciphertext attacks as described in RFC 3218, "Preventing
-		// the Million Message Attack on Cryptographic Message Syntax". We are
-		// therefore deliberately ignoring errors here.
-		_ = rsa.DecryptPKCS1v15SessionKey(rand.Reader, ctx.privateKey, jek, cek)
-
-		return cek, nil
-	case RSA_OAEP:
-		// Use rand.Reader for RSA blinding
-		return rsa.DecryptOAEP(sha1.New(), rand.Reader, ctx.privateKey, jek, []byte{})
-	case RSA_OAEP_256:
-		// Use rand.Reader for RSA blinding
-		return rsa.DecryptOAEP(sha256.New(), rand.Reader, ctx.privateKey, jek, []byte{})
-	}
-
-	return nil, ErrUnsupportedAlgorithm
-}
-
-// Sign the given payload
-func (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	var hash crypto.Hash
-
-	switch alg {
-	case RS256, PS256:
-		hash = crypto.SHA256
-	case RS384, PS384:
-		hash = crypto.SHA384
-	case RS512, PS512:
-		hash = crypto.SHA512
-	default:
-		return Signature{}, ErrUnsupportedAlgorithm
-	}
-
-	hasher := hash.New()
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hasher.Write(payload)
-	hashed := hasher.Sum(nil)
-
-	var out []byte
-	var err error
-
-	switch alg {
-	case RS256, RS384, RS512:
-		// TODO(https://github.com/go-jose/go-jose/issues/40): As of go1.20, the
-		// random parameter is legacy and ignored, and it can be nil.
-		// https://cs.opensource.google/go/go/+/refs/tags/go1.20:src/crypto/rsa/pkcs1v15.go;l=263;bpv=0;bpt=1
-		out, err = rsa.SignPKCS1v15(RandReader, ctx.privateKey, hash, hashed)
-	case PS256, PS384, PS512:
-		out, err = rsa.SignPSS(RandReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{
-			SaltLength: rsa.PSSSaltLengthEqualsHash,
-		})
-	}
-
-	if err != nil {
-		return Signature{}, err
-	}
-
-	return Signature{
-		Signature: out,
-		protected: &rawHeader{},
-	}, nil
-}
-
-// Verify the given payload
-func (ctx rsaEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
-	var hash crypto.Hash
-
-	switch alg {
-	case RS256, PS256:
-		hash = crypto.SHA256
-	case RS384, PS384:
-		hash = crypto.SHA384
-	case RS512, PS512:
-		hash = crypto.SHA512
-	default:
-		return ErrUnsupportedAlgorithm
-	}
-
-	hasher := hash.New()
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hasher.Write(payload)
-	hashed := hasher.Sum(nil)
-
-	switch alg {
-	case RS256, RS384, RS512:
-		return rsa.VerifyPKCS1v15(ctx.publicKey, hash, hashed, signature)
-	case PS256, PS384, PS512:
-		return rsa.VerifyPSS(ctx.publicKey, hash, hashed, signature, nil)
-	}
-
-	return ErrUnsupportedAlgorithm
-}
-
-// Encrypt the given payload and update the object.
-func (ctx ecEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
-	switch alg {
-	case ECDH_ES:
-		// ECDH-ES mode doesn't wrap a key, the shared secret is used directly as the key.
-		return recipientInfo{
-			header: &rawHeader{},
-		}, nil
-	case ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
-	default:
-		return recipientInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	generator := ecKeyGenerator{
-		algID:     string(alg),
-		publicKey: ctx.publicKey,
-	}
-
-	switch alg {
-	case ECDH_ES_A128KW:
-		generator.size = 16
-	case ECDH_ES_A192KW:
-		generator.size = 24
-	case ECDH_ES_A256KW:
-		generator.size = 32
-	}
-
-	kek, header, err := generator.genKey()
-	if err != nil {
-		return recipientInfo{}, err
-	}
-
-	block, err := aes.NewCipher(kek)
-	if err != nil {
-		return recipientInfo{}, err
-	}
-
-	jek, err := josecipher.KeyWrap(block, cek)
-	if err != nil {
-		return recipientInfo{}, err
-	}
-
-	return recipientInfo{
-		encryptedKey: jek,
-		header:       &header,
-	}, nil
-}
-
-// Get key size for EC key generator
-func (ctx ecKeyGenerator) keySize() int {
-	return ctx.size
-}
-
-// Get a content encryption key for ECDH-ES
-func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) {
-	priv, err := ecdsa.GenerateKey(ctx.publicKey.Curve, RandReader)
-	if err != nil {
-		return nil, rawHeader{}, err
-	}
-
-	out := josecipher.DeriveECDHES(ctx.algID, []byte{}, []byte{}, priv, ctx.publicKey, ctx.size)
-
-	b, err := json.Marshal(&JSONWebKey{
-		Key: &priv.PublicKey,
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-
-	headers := rawHeader{
-		headerEPK: makeRawMessage(b),
-	}
-
-	return out, headers, nil
-}
-
-// Decrypt the given payload and return the content encryption key.
-func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
-	epk, err := headers.getEPK()
-	if err != nil {
-		return nil, errors.New("go-jose/go-jose: invalid epk header")
-	}
-	if epk == nil {
-		return nil, errors.New("go-jose/go-jose: missing epk header")
-	}
-
-	publicKey, ok := epk.Key.(*ecdsa.PublicKey)
-	if publicKey == nil || !ok {
-		return nil, errors.New("go-jose/go-jose: invalid epk header")
-	}
-
-	if !ctx.privateKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
-		return nil, errors.New("go-jose/go-jose: invalid public key in epk header")
-	}
-
-	apuData, err := headers.getAPU()
-	if err != nil {
-		return nil, errors.New("go-jose/go-jose: invalid apu header")
-	}
-	apvData, err := headers.getAPV()
-	if err != nil {
-		return nil, errors.New("go-jose/go-jose: invalid apv header")
-	}
-
-	deriveKey := func(algID string, size int) []byte {
-		return josecipher.DeriveECDHES(algID, apuData.bytes(), apvData.bytes(), ctx.privateKey, publicKey, size)
-	}
-
-	var keySize int
-
-	algorithm := headers.getAlgorithm()
-	switch algorithm {
-	case ECDH_ES:
-		// ECDH-ES uses direct key agreement, no key unwrapping necessary.
-		return deriveKey(string(headers.getEncryption()), generator.keySize()), nil
-	case ECDH_ES_A128KW:
-		keySize = 16
-	case ECDH_ES_A192KW:
-		keySize = 24
-	case ECDH_ES_A256KW:
-		keySize = 32
-	default:
-		return nil, ErrUnsupportedAlgorithm
-	}
-
-	key := deriveKey(string(algorithm), keySize)
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	return josecipher.KeyUnwrap(block, recipient.encryptedKey)
-}
-
-func (ctx edDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	if alg != EdDSA {
-		return Signature{}, ErrUnsupportedAlgorithm
-	}
-
-	sig, err := ctx.privateKey.Sign(RandReader, payload, crypto.Hash(0))
-	if err != nil {
-		return Signature{}, err
-	}
-
-	return Signature{
-		Signature: sig,
-		protected: &rawHeader{},
-	}, nil
-}
-
-func (ctx edEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
-	if alg != EdDSA {
-		return ErrUnsupportedAlgorithm
-	}
-	ok := ed25519.Verify(ctx.publicKey, payload, signature)
-	if !ok {
-		return errors.New("go-jose/go-jose: ed25519 signature failed to verify")
-	}
-	return nil
-}
-
-// Sign the given payload
-func (ctx ecDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	var expectedBitSize int
-	var hash crypto.Hash
-
-	switch alg {
-	case ES256:
-		expectedBitSize = 256
-		hash = crypto.SHA256
-	case ES384:
-		expectedBitSize = 384
-		hash = crypto.SHA384
-	case ES512:
-		expectedBitSize = 521
-		hash = crypto.SHA512
-	}
-
-	curveBits := ctx.privateKey.Curve.Params().BitSize
-	if expectedBitSize != curveBits {
-		return Signature{}, fmt.Errorf("go-jose/go-jose: expected %d bit key, got %d bits instead", expectedBitSize, curveBits)
-	}
-
-	hasher := hash.New()
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hasher.Write(payload)
-	hashed := hasher.Sum(nil)
-
-	r, s, err := ecdsa.Sign(RandReader, ctx.privateKey, hashed)
-	if err != nil {
-		return Signature{}, err
-	}
-
-	keyBytes := curveBits / 8
-	if curveBits%8 > 0 {
-		keyBytes++
-	}
-
-	// We serialize the outputs (r and s) into big-endian byte arrays and pad
-	// them with zeros on the left to make sure the sizes work out. Both arrays
-	// must be keyBytes long, and the output must be 2*keyBytes long.
-	rBytes := r.Bytes()
-	rBytesPadded := make([]byte, keyBytes)
-	copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
-
-	sBytes := s.Bytes()
-	sBytesPadded := make([]byte, keyBytes)
-	copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
-
-	out := append(rBytesPadded, sBytesPadded...)
-
-	return Signature{
-		Signature: out,
-		protected: &rawHeader{},
-	}, nil
-}
-
-// Verify the given payload
-func (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
-	var keySize int
-	var hash crypto.Hash
-
-	switch alg {
-	case ES256:
-		keySize = 32
-		hash = crypto.SHA256
-	case ES384:
-		keySize = 48
-		hash = crypto.SHA384
-	case ES512:
-		keySize = 66
-		hash = crypto.SHA512
-	default:
-		return ErrUnsupportedAlgorithm
-	}
-
-	if len(signature) != 2*keySize {
-		return fmt.Errorf("go-jose/go-jose: invalid signature size, have %d bytes, wanted %d", len(signature), 2*keySize)
-	}
-
-	hasher := hash.New()
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hasher.Write(payload)
-	hashed := hasher.Sum(nil)
-
-	r := big.NewInt(0).SetBytes(signature[:keySize])
-	s := big.NewInt(0).SetBytes(signature[keySize:])
-
-	match := ecdsa.Verify(ctx.publicKey, hashed, r, s)
-	if !match {
-		return errors.New("go-jose/go-jose: ecdsa signature failed to verify")
-	}
-
-	return nil
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go b/vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go
deleted file mode 100644
index af029cec0ba..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go
+++ /dev/null
@@ -1,196 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
-	"bytes"
-	"crypto/cipher"
-	"crypto/hmac"
-	"crypto/sha256"
-	"crypto/sha512"
-	"crypto/subtle"
-	"encoding/binary"
-	"errors"
-	"hash"
-)
-
-const (
-	nonceBytes = 16
-)
-
-// NewCBCHMAC instantiates a new AEAD based on CBC+HMAC.
-func NewCBCHMAC(key []byte, newBlockCipher func([]byte) (cipher.Block, error)) (cipher.AEAD, error) {
-	keySize := len(key) / 2
-	integrityKey := key[:keySize]
-	encryptionKey := key[keySize:]
-
-	blockCipher, err := newBlockCipher(encryptionKey)
-	if err != nil {
-		return nil, err
-	}
-
-	var hash func() hash.Hash
-	switch keySize {
-	case 16:
-		hash = sha256.New
-	case 24:
-		hash = sha512.New384
-	case 32:
-		hash = sha512.New
-	}
-
-	return &cbcAEAD{
-		hash:         hash,
-		blockCipher:  blockCipher,
-		authtagBytes: keySize,
-		integrityKey: integrityKey,
-	}, nil
-}
-
-// An AEAD based on CBC+HMAC
-type cbcAEAD struct {
-	hash         func() hash.Hash
-	authtagBytes int
-	integrityKey []byte
-	blockCipher  cipher.Block
-}
-
-func (ctx *cbcAEAD) NonceSize() int {
-	return nonceBytes
-}
-
-func (ctx *cbcAEAD) Overhead() int {
-	// Maximum overhead is block size (for padding) plus auth tag length, where
-	// the length of the auth tag is equivalent to the key size.
-	return ctx.blockCipher.BlockSize() + ctx.authtagBytes
-}
-
-// Seal encrypts and authenticates the plaintext.
-func (ctx *cbcAEAD) Seal(dst, nonce, plaintext, data []byte) []byte {
-	// Output buffer -- must take care not to mangle plaintext input.
-	ciphertext := make([]byte, uint64(len(plaintext))+uint64(ctx.Overhead()))[:len(plaintext)]
-	copy(ciphertext, plaintext)
-	ciphertext = padBuffer(ciphertext, ctx.blockCipher.BlockSize())
-
-	cbc := cipher.NewCBCEncrypter(ctx.blockCipher, nonce)
-
-	cbc.CryptBlocks(ciphertext, ciphertext)
-	authtag := ctx.computeAuthTag(data, nonce, ciphertext)
-
-	ret, out := resize(dst, uint64(len(dst))+uint64(len(ciphertext))+uint64(len(authtag)))
-	copy(out, ciphertext)
-	copy(out[len(ciphertext):], authtag)
-
-	return ret
-}
-
-// Open decrypts and authenticates the ciphertext.
-func (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
-	if len(ciphertext) < ctx.authtagBytes {
-		return nil, errors.New("go-jose/go-jose: invalid ciphertext (too short)")
-	}
-
-	offset := len(ciphertext) - ctx.authtagBytes
-	expectedTag := ctx.computeAuthTag(data, nonce, ciphertext[:offset])
-	match := subtle.ConstantTimeCompare(expectedTag, ciphertext[offset:])
-	if match != 1 {
-		return nil, errors.New("go-jose/go-jose: invalid ciphertext (auth tag mismatch)")
-	}
-
-	cbc := cipher.NewCBCDecrypter(ctx.blockCipher, nonce)
-
-	// Make copy of ciphertext buffer, don't want to modify in place
-	buffer := append([]byte{}, ciphertext[:offset]...)
-
-	if len(buffer)%ctx.blockCipher.BlockSize() > 0 {
-		return nil, errors.New("go-jose/go-jose: invalid ciphertext (invalid length)")
-	}
-
-	cbc.CryptBlocks(buffer, buffer)
-
-	// Remove padding
-	plaintext, err := unpadBuffer(buffer, ctx.blockCipher.BlockSize())
-	if err != nil {
-		return nil, err
-	}
-
-	ret, out := resize(dst, uint64(len(dst))+uint64(len(plaintext)))
-	copy(out, plaintext)
-
-	return ret, nil
-}
-
-// Compute an authentication tag
-func (ctx *cbcAEAD) computeAuthTag(aad, nonce, ciphertext []byte) []byte {
-	buffer := make([]byte, uint64(len(aad))+uint64(len(nonce))+uint64(len(ciphertext))+8)
-	n := 0
-	n += copy(buffer, aad)
-	n += copy(buffer[n:], nonce)
-	n += copy(buffer[n:], ciphertext)
-	binary.BigEndian.PutUint64(buffer[n:], uint64(len(aad))*8)
-
-	// According to documentation, Write() on hash.Hash never fails.
-	hmac := hmac.New(ctx.hash, ctx.integrityKey)
-	_, _ = hmac.Write(buffer)
-
-	return hmac.Sum(nil)[:ctx.authtagBytes]
-}
-
-// resize ensures that the given slice has a capacity of at least n bytes.
-// If the capacity of the slice is less than n, a new slice is allocated
-// and the existing data will be copied.
-func resize(in []byte, n uint64) (head, tail []byte) {
-	if uint64(cap(in)) >= n {
-		head = in[:n]
-	} else {
-		head = make([]byte, n)
-		copy(head, in)
-	}
-
-	tail = head[len(in):]
-	return
-}
-
-// Apply padding
-func padBuffer(buffer []byte, blockSize int) []byte {
-	missing := blockSize - (len(buffer) % blockSize)
-	ret, out := resize(buffer, uint64(len(buffer))+uint64(missing))
-	padding := bytes.Repeat([]byte{byte(missing)}, missing)
-	copy(out, padding)
-	return ret
-}
-
-// Remove padding
-func unpadBuffer(buffer []byte, blockSize int) ([]byte, error) {
-	if len(buffer)%blockSize != 0 {
-		return nil, errors.New("go-jose/go-jose: invalid padding")
-	}
-
-	last := buffer[len(buffer)-1]
-	count := int(last)
-
-	if count == 0 || count > blockSize || count > len(buffer) {
-		return nil, errors.New("go-jose/go-jose: invalid padding")
-	}
-
-	padding := bytes.Repeat([]byte{last}, count)
-	if !bytes.HasSuffix(buffer, padding) {
-		return nil, errors.New("go-jose/go-jose: invalid padding")
-	}
-
-	return buffer[:len(buffer)-count], nil
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go b/vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go
deleted file mode 100644
index f62c3bdba5d..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go
+++ /dev/null
@@ -1,75 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
-	"crypto"
-	"encoding/binary"
-	"hash"
-	"io"
-)
-
-type concatKDF struct {
-	z, info []byte
-	i       uint32
-	cache   []byte
-	hasher  hash.Hash
-}
-
-// NewConcatKDF builds a KDF reader based on the given inputs.
-func NewConcatKDF(hash crypto.Hash, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo []byte) io.Reader {
-	buffer := make([]byte, uint64(len(algID))+uint64(len(ptyUInfo))+uint64(len(ptyVInfo))+uint64(len(supPubInfo))+uint64(len(supPrivInfo)))
-	n := 0
-	n += copy(buffer, algID)
-	n += copy(buffer[n:], ptyUInfo)
-	n += copy(buffer[n:], ptyVInfo)
-	n += copy(buffer[n:], supPubInfo)
-	copy(buffer[n:], supPrivInfo)
-
-	hasher := hash.New()
-
-	return &concatKDF{
-		z:      z,
-		info:   buffer,
-		hasher: hasher,
-		cache:  []byte{},
-		i:      1,
-	}
-}
-
-func (ctx *concatKDF) Read(out []byte) (int, error) {
-	copied := copy(out, ctx.cache)
-	ctx.cache = ctx.cache[copied:]
-
-	for copied < len(out) {
-		ctx.hasher.Reset()
-
-		// Write on a hash.Hash never fails
-		_ = binary.Write(ctx.hasher, binary.BigEndian, ctx.i)
-		_, _ = ctx.hasher.Write(ctx.z)
-		_, _ = ctx.hasher.Write(ctx.info)
-
-		hash := ctx.hasher.Sum(nil)
-		chunkCopied := copy(out[copied:], hash)
-		copied += chunkCopied
-		ctx.cache = hash[chunkCopied:]
-
-		ctx.i++
-	}
-
-	return copied, nil
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go b/vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go
deleted file mode 100644
index 093c646740b..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go
+++ /dev/null
@@ -1,86 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"encoding/binary"
-)
-
-// DeriveECDHES derives a shared encryption key using ECDH/ConcatKDF as described in JWE/JWA.
-// It is an error to call this function with a private/public key that are not on the same
-// curve. Callers must ensure that the keys are valid before calling this function. Output
-// size may be at most 1<<16 bytes (64 KiB).
-func DeriveECDHES(alg string, apuData, apvData []byte, priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, size int) []byte {
-	if size > 1<<16 {
-		panic("ECDH-ES output size too large, must be less than or equal to 1<<16")
-	}
-
-	// algId, partyUInfo, partyVInfo inputs must be prefixed with the length
-	algID := lengthPrefixed([]byte(alg))
-	ptyUInfo := lengthPrefixed(apuData)
-	ptyVInfo := lengthPrefixed(apvData)
-
-	// suppPubInfo is the encoded length of the output size in bits
-	supPubInfo := make([]byte, 4)
-	binary.BigEndian.PutUint32(supPubInfo, uint32(size)*8)
-
-	if !priv.PublicKey.Curve.IsOnCurve(pub.X, pub.Y) {
-		panic("public key not on same curve as private key")
-	}
-
-	z, _ := priv.Curve.ScalarMult(pub.X, pub.Y, priv.D.Bytes())
-	zBytes := z.Bytes()
-
-	// Note that calling z.Bytes() on a big.Int may strip leading zero bytes from
-	// the returned byte array. This can lead to a problem where zBytes will be
-	// shorter than expected which breaks the key derivation. Therefore we must pad
-	// to the full length of the expected coordinate here before calling the KDF.
-	octSize := dSize(priv.Curve)
-	if len(zBytes) != octSize {
-		zBytes = append(bytes.Repeat([]byte{0}, octSize-len(zBytes)), zBytes...)
-	}
-
-	reader := NewConcatKDF(crypto.SHA256, zBytes, algID, ptyUInfo, ptyVInfo, supPubInfo, []byte{})
-	key := make([]byte, size)
-
-	// Read on the KDF will never fail
-	_, _ = reader.Read(key)
-
-	return key
-}
-
-// dSize returns the size in octets for a coordinate on a elliptic curve.
-func dSize(curve elliptic.Curve) int {
-	order := curve.Params().P
-	bitLen := order.BitLen()
-	size := bitLen / 8
-	if bitLen%8 != 0 {
-		size++
-	}
-	return size
-}
-
-func lengthPrefixed(data []byte) []byte {
-	out := make([]byte, len(data)+4)
-	binary.BigEndian.PutUint32(out, uint32(len(data)))
-	copy(out[4:], data)
-	return out
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go b/vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go
deleted file mode 100644
index b9effbca8a4..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go
+++ /dev/null
@@ -1,109 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
-	"crypto/cipher"
-	"crypto/subtle"
-	"encoding/binary"
-	"errors"
-)
-
-var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}
-
-// KeyWrap implements NIST key wrapping; it wraps a content encryption key (cek) with the given block cipher.
-func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
-	if len(cek)%8 != 0 {
-		return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
-	}
-
-	n := len(cek) / 8
-	r := make([][]byte, n)
-
-	for i := range r {
-		r[i] = make([]byte, 8)
-		copy(r[i], cek[i*8:])
-	}
-
-	buffer := make([]byte, 16)
-	tBytes := make([]byte, 8)
-	copy(buffer, defaultIV)
-
-	for t := 0; t < 6*n; t++ {
-		copy(buffer[8:], r[t%n])
-
-		block.Encrypt(buffer, buffer)
-
-		binary.BigEndian.PutUint64(tBytes, uint64(t+1))
-
-		for i := 0; i < 8; i++ {
-			buffer[i] ^= tBytes[i]
-		}
-		copy(r[t%n], buffer[8:])
-	}
-
-	out := make([]byte, (n+1)*8)
-	copy(out, buffer[:8])
-	for i := range r {
-		copy(out[(i+1)*8:], r[i])
-	}
-
-	return out, nil
-}
-
-// KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
-func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
-	if len(ciphertext)%8 != 0 {
-		return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
-	}
-
-	n := (len(ciphertext) / 8) - 1
-	r := make([][]byte, n)
-
-	for i := range r {
-		r[i] = make([]byte, 8)
-		copy(r[i], ciphertext[(i+1)*8:])
-	}
-
-	buffer := make([]byte, 16)
-	tBytes := make([]byte, 8)
-	copy(buffer[:8], ciphertext[:8])
-
-	for t := 6*n - 1; t >= 0; t-- {
-		binary.BigEndian.PutUint64(tBytes, uint64(t+1))
-
-		for i := 0; i < 8; i++ {
-			buffer[i] ^= tBytes[i]
-		}
-		copy(buffer[8:], r[t%n])
-
-		block.Decrypt(buffer, buffer)
-
-		copy(r[t%n], buffer[8:])
-	}
-
-	if subtle.ConstantTimeCompare(buffer[:8], defaultIV) == 0 {
-		return nil, errors.New("go-jose/go-jose: failed to unwrap key")
-	}
-
-	out := make([]byte, n*8)
-	for i := range r {
-		copy(out[i*8:], r[i])
-	}
-
-	return out, nil
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/crypter.go b/vendor/github.com/go-jose/go-jose/v4/crypter.go
deleted file mode 100644
index d81b03b4474..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/crypter.go
+++ /dev/null
@@ -1,599 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"errors"
-	"fmt"
-
-	"github.com/go-jose/go-jose/v4/json"
-)
-
-// Encrypter represents an encrypter which produces an encrypted JWE object.
-type Encrypter interface {
-	Encrypt(plaintext []byte) (*JSONWebEncryption, error)
-	EncryptWithAuthData(plaintext []byte, aad []byte) (*JSONWebEncryption, error)
-	Options() EncrypterOptions
-}
-
-// A generic content cipher
-type contentCipher interface {
-	keySize() int
-	encrypt(cek []byte, aad, plaintext []byte) (*aeadParts, error)
-	decrypt(cek []byte, aad []byte, parts *aeadParts) ([]byte, error)
-}
-
-// A key generator (for generating/getting a CEK)
-type keyGenerator interface {
-	keySize() int
-	genKey() ([]byte, rawHeader, error)
-}
-
-// A generic key encrypter
-type keyEncrypter interface {
-	encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) // Encrypt a key
-}
-
-// A generic key decrypter
-type keyDecrypter interface {
-	decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) // Decrypt a key
-}
-
-// A generic encrypter based on the given key encrypter and content cipher.
-type genericEncrypter struct {
-	contentAlg     ContentEncryption
-	compressionAlg CompressionAlgorithm
-	cipher         contentCipher
-	recipients     []recipientKeyInfo
-	keyGenerator   keyGenerator
-	extraHeaders   map[HeaderKey]interface{}
-}
-
-type recipientKeyInfo struct {
-	keyID        string
-	keyAlg       KeyAlgorithm
-	keyEncrypter keyEncrypter
-}
-
-// EncrypterOptions represents options that can be set on new encrypters.
-type EncrypterOptions struct {
-	Compression CompressionAlgorithm
-
-	// Optional map of name/value pairs to be inserted into the protected
-	// header of a JWS object. Some specifications which make use of
-	// JWS require additional values here.
-	//
-	// Values will be serialized by [json.Marshal] and must be valid inputs to
-	// that function.
-	//
-	// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal
-	ExtraHeaders map[HeaderKey]interface{}
-}
-
-// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
-// if necessary, and returns the updated EncrypterOptions.
-//
-// The v parameter will be serialized by [json.Marshal] and must be a valid
-// input to that function.
-//
-// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal
-func (eo *EncrypterOptions) WithHeader(k HeaderKey, v interface{}) *EncrypterOptions {
-	if eo.ExtraHeaders == nil {
-		eo.ExtraHeaders = map[HeaderKey]interface{}{}
-	}
-	eo.ExtraHeaders[k] = v
-	return eo
-}
-
-// WithContentType adds a content type ("cty") header and returns the updated
-// EncrypterOptions.
-func (eo *EncrypterOptions) WithContentType(contentType ContentType) *EncrypterOptions {
-	return eo.WithHeader(HeaderContentType, contentType)
-}
-
-// WithType adds a type ("typ") header and returns the updated EncrypterOptions.
-func (eo *EncrypterOptions) WithType(typ ContentType) *EncrypterOptions {
-	return eo.WithHeader(HeaderType, typ)
-}
-
-// Recipient represents an algorithm/key to encrypt messages to.
-//
-// PBES2Count and PBES2Salt correspond with the  "p2c" and "p2s" headers used
-// on the password-based encryption algorithms PBES2-HS256+A128KW,
-// PBES2-HS384+A192KW, and PBES2-HS512+A256KW. If they are not provided a safe
-// default of 100000 will be used for the count and a 128-bit random salt will
-// be generated.
-type Recipient struct {
-	Algorithm KeyAlgorithm
-	// Key must have one of these types:
-	//  - ed25519.PublicKey
-	//  - *ecdsa.PublicKey
-	//  - *rsa.PublicKey
-	//  - *JSONWebKey
-	//  - JSONWebKey
-	//  - []byte (a symmetric key)
-	//  - Any type that satisfies the OpaqueKeyEncrypter interface
-	//
-	// The type of Key must match the value of Algorithm.
-	Key        interface{}
-	KeyID      string
-	PBES2Count int
-	PBES2Salt  []byte
-}
-
-// NewEncrypter creates an appropriate encrypter based on the key type
-func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) (Encrypter, error) {
-	encrypter := &genericEncrypter{
-		contentAlg: enc,
-		recipients: []recipientKeyInfo{},
-		cipher:     getContentCipher(enc),
-	}
-	if opts != nil {
-		encrypter.compressionAlg = opts.Compression
-		encrypter.extraHeaders = opts.ExtraHeaders
-	}
-
-	if encrypter.cipher == nil {
-		return nil, ErrUnsupportedAlgorithm
-	}
-
-	var keyID string
-	var rawKey interface{}
-	switch encryptionKey := rcpt.Key.(type) {
-	case JSONWebKey:
-		keyID, rawKey = encryptionKey.KeyID, encryptionKey.Key
-	case *JSONWebKey:
-		keyID, rawKey = encryptionKey.KeyID, encryptionKey.Key
-	case OpaqueKeyEncrypter:
-		keyID, rawKey = encryptionKey.KeyID(), encryptionKey
-	default:
-		rawKey = encryptionKey
-	}
-
-	switch rcpt.Algorithm {
-	case DIRECT:
-		// Direct encryption mode must be treated differently
-		keyBytes, ok := rawKey.([]byte)
-		if !ok {
-			return nil, ErrUnsupportedKeyType
-		}
-		if encrypter.cipher.keySize() != len(keyBytes) {
-			return nil, ErrInvalidKeySize
-		}
-		encrypter.keyGenerator = staticKeyGenerator{
-			key: keyBytes,
-		}
-		recipientInfo, _ := newSymmetricRecipient(rcpt.Algorithm, keyBytes)
-		recipientInfo.keyID = keyID
-		if rcpt.KeyID != "" {
-			recipientInfo.keyID = rcpt.KeyID
-		}
-		encrypter.recipients = []recipientKeyInfo{recipientInfo}
-		return encrypter, nil
-	case ECDH_ES:
-		// ECDH-ES (w/o key wrapping) is similar to DIRECT mode
-		keyDSA, ok := rawKey.(*ecdsa.PublicKey)
-		if !ok {
-			return nil, ErrUnsupportedKeyType
-		}
-		encrypter.keyGenerator = ecKeyGenerator{
-			size:      encrypter.cipher.keySize(),
-			algID:     string(enc),
-			publicKey: keyDSA,
-		}
-		recipientInfo, _ := newECDHRecipient(rcpt.Algorithm, keyDSA)
-		recipientInfo.keyID = keyID
-		if rcpt.KeyID != "" {
-			recipientInfo.keyID = rcpt.KeyID
-		}
-		encrypter.recipients = []recipientKeyInfo{recipientInfo}
-		return encrypter, nil
-	default:
-		// Can just add a standard recipient
-		encrypter.keyGenerator = randomKeyGenerator{
-			size: encrypter.cipher.keySize(),
-		}
-		err := encrypter.addRecipient(rcpt)
-		return encrypter, err
-	}
-}
-
-// NewMultiEncrypter creates a multi-encrypter based on the given parameters
-func NewMultiEncrypter(enc ContentEncryption, rcpts []Recipient, opts *EncrypterOptions) (Encrypter, error) {
-	cipher := getContentCipher(enc)
-
-	if cipher == nil {
-		return nil, ErrUnsupportedAlgorithm
-	}
-	if len(rcpts) == 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: recipients is nil or empty")
-	}
-
-	encrypter := &genericEncrypter{
-		contentAlg: enc,
-		recipients: []recipientKeyInfo{},
-		cipher:     cipher,
-		keyGenerator: randomKeyGenerator{
-			size: cipher.keySize(),
-		},
-	}
-
-	if opts != nil {
-		encrypter.compressionAlg = opts.Compression
-		encrypter.extraHeaders = opts.ExtraHeaders
-	}
-
-	for _, recipient := range rcpts {
-		err := encrypter.addRecipient(recipient)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return encrypter, nil
-}
-
-func (ctx *genericEncrypter) addRecipient(recipient Recipient) (err error) {
-	var recipientInfo recipientKeyInfo
-
-	switch recipient.Algorithm {
-	case DIRECT, ECDH_ES:
-		return fmt.Errorf("go-jose/go-jose: key algorithm '%s' not supported in multi-recipient mode", recipient.Algorithm)
-	}
-
-	recipientInfo, err = makeJWERecipient(recipient.Algorithm, recipient.Key)
-	if recipient.KeyID != "" {
-		recipientInfo.keyID = recipient.KeyID
-	}
-
-	switch recipient.Algorithm {
-	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
-		if sr, ok := recipientInfo.keyEncrypter.(*symmetricKeyCipher); ok {
-			sr.p2c = recipient.PBES2Count
-			sr.p2s = recipient.PBES2Salt
-		}
-	}
-
-	if err == nil {
-		ctx.recipients = append(ctx.recipients, recipientInfo)
-	}
-	return err
-}
-
-func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKeyInfo, error) {
-	switch encryptionKey := encryptionKey.(type) {
-	case *rsa.PublicKey:
-		return newRSARecipient(alg, encryptionKey)
-	case *ecdsa.PublicKey:
-		return newECDHRecipient(alg, encryptionKey)
-	case []byte:
-		return newSymmetricRecipient(alg, encryptionKey)
-	case string:
-		return newSymmetricRecipient(alg, []byte(encryptionKey))
-	case *JSONWebKey:
-		recipient, err := makeJWERecipient(alg, encryptionKey.Key)
-		recipient.keyID = encryptionKey.KeyID
-		return recipient, err
-	case OpaqueKeyEncrypter:
-		return newOpaqueKeyEncrypter(alg, encryptionKey)
-	}
-	return recipientKeyInfo{}, ErrUnsupportedKeyType
-}
-
-// newDecrypter creates an appropriate decrypter based on the key type
-func newDecrypter(decryptionKey interface{}) (keyDecrypter, error) {
-	switch decryptionKey := decryptionKey.(type) {
-	case *rsa.PrivateKey:
-		return &rsaDecrypterSigner{
-			privateKey: decryptionKey,
-		}, nil
-	case *ecdsa.PrivateKey:
-		return &ecDecrypterSigner{
-			privateKey: decryptionKey,
-		}, nil
-	case []byte:
-		return &symmetricKeyCipher{
-			key: decryptionKey,
-		}, nil
-	case string:
-		return &symmetricKeyCipher{
-			key: []byte(decryptionKey),
-		}, nil
-	case JSONWebKey:
-		return newDecrypter(decryptionKey.Key)
-	case *JSONWebKey:
-		return newDecrypter(decryptionKey.Key)
-	case OpaqueKeyDecrypter:
-		return &opaqueKeyDecrypter{decrypter: decryptionKey}, nil
-	default:
-		return nil, ErrUnsupportedKeyType
-	}
-}
-
-// Implementation of encrypt method producing a JWE object.
-func (ctx *genericEncrypter) Encrypt(plaintext []byte) (*JSONWebEncryption, error) {
-	return ctx.EncryptWithAuthData(plaintext, nil)
-}
-
-// Implementation of encrypt method producing a JWE object.
-func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JSONWebEncryption, error) {
-	obj := &JSONWebEncryption{}
-	obj.aad = aad
-
-	obj.protected = &rawHeader{}
-	err := obj.protected.set(headerEncryption, ctx.contentAlg)
-	if err != nil {
-		return nil, err
-	}
-
-	obj.recipients = make([]recipientInfo, len(ctx.recipients))
-
-	if len(ctx.recipients) == 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: no recipients to encrypt to")
-	}
-
-	cek, headers, err := ctx.keyGenerator.genKey()
-	if err != nil {
-		return nil, err
-	}
-
-	obj.protected.merge(&headers)
-
-	for i, info := range ctx.recipients {
-		recipient, err := info.keyEncrypter.encryptKey(cek, info.keyAlg)
-		if err != nil {
-			return nil, err
-		}
-
-		err = recipient.header.set(headerAlgorithm, info.keyAlg)
-		if err != nil {
-			return nil, err
-		}
-
-		if info.keyID != "" {
-			err = recipient.header.set(headerKeyID, info.keyID)
-			if err != nil {
-				return nil, err
-			}
-		}
-		obj.recipients[i] = recipient
-	}
-
-	if len(ctx.recipients) == 1 {
-		// Move per-recipient headers into main protected header if there's
-		// only a single recipient.
-		obj.protected.merge(obj.recipients[0].header)
-		obj.recipients[0].header = nil
-	}
-
-	if ctx.compressionAlg != NONE {
-		plaintext, err = compress(ctx.compressionAlg, plaintext)
-		if err != nil {
-			return nil, err
-		}
-
-		err = obj.protected.set(headerCompression, ctx.compressionAlg)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	for k, v := range ctx.extraHeaders {
-		b, err := json.Marshal(v)
-		if err != nil {
-			return nil, err
-		}
-		(*obj.protected)[k] = makeRawMessage(b)
-	}
-
-	authData := obj.computeAuthData()
-	parts, err := ctx.cipher.encrypt(cek, authData, plaintext)
-	if err != nil {
-		return nil, err
-	}
-
-	obj.iv = parts.iv
-	obj.ciphertext = parts.ciphertext
-	obj.tag = parts.tag
-
-	return obj, nil
-}
-
-func (ctx *genericEncrypter) Options() EncrypterOptions {
-	return EncrypterOptions{
-		Compression:  ctx.compressionAlg,
-		ExtraHeaders: ctx.extraHeaders,
-	}
-}
-
-// Decrypt and validate the object and return the plaintext. This
-// function does not support multi-recipient. If you desire multi-recipient
-// decryption use DecryptMulti instead.
-//
-// The decryptionKey argument must contain a private or symmetric key
-// and must have one of these types:
-//   - *ecdsa.PrivateKey
-//   - *rsa.PrivateKey
-//   - *JSONWebKey
-//   - JSONWebKey
-//   - *JSONWebKeySet
-//   - JSONWebKeySet
-//   - []byte (a symmetric key)
-//   - string (a symmetric key)
-//   - Any type that satisfies the OpaqueKeyDecrypter interface.
-//
-// Note that ed25519 is only available for signatures, not encryption, so is
-// not an option here.
-//
-// Automatically decompresses plaintext, but returns an error if the decompressed
-// data would be >250kB or >10x the size of the compressed data, whichever is larger.
-func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
-	headers := obj.mergedHeaders(nil)
-
-	if len(obj.recipients) > 1 {
-		return nil, errors.New("go-jose/go-jose: too many recipients in payload; expecting only one")
-	}
-
-	critical, err := headers.getCritical()
-	if err != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
-	}
-
-	if len(critical) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
-	}
-
-	key, err := tryJWKS(decryptionKey, obj.Header)
-	if err != nil {
-		return nil, err
-	}
-	decrypter, err := newDecrypter(key)
-	if err != nil {
-		return nil, err
-	}
-
-	cipher := getContentCipher(headers.getEncryption())
-	if cipher == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(headers.getEncryption()))
-	}
-
-	generator := randomKeyGenerator{
-		size: cipher.keySize(),
-	}
-
-	parts := &aeadParts{
-		iv:         obj.iv,
-		ciphertext: obj.ciphertext,
-		tag:        obj.tag,
-	}
-
-	authData := obj.computeAuthData()
-
-	var plaintext []byte
-	recipient := obj.recipients[0]
-	recipientHeaders := obj.mergedHeaders(&recipient)
-
-	cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
-	if err == nil {
-		// Found a valid CEK -- let's try to decrypt.
-		plaintext, err = cipher.decrypt(cek, authData, parts)
-	}
-
-	if plaintext == nil {
-		return nil, ErrCryptoFailure
-	}
-
-	// The "zip" header parameter may only be present in the protected header.
-	if comp := obj.protected.getCompression(); comp != "" {
-		plaintext, err = decompress(comp, plaintext)
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: failed to decompress plaintext: %v", err)
-		}
-	}
-
-	return plaintext, nil
-}
-
-// DecryptMulti decrypts and validates the object and returns the plaintexts,
-// with support for multiple recipients. It returns the index of the recipient
-// for which the decryption was successful, the merged headers for that recipient,
-// and the plaintext.
-//
-// The decryptionKey argument must have one of the types allowed for the
-// decryptionKey argument of Decrypt().
-//
-// Automatically decompresses plaintext, but returns an error if the decompressed
-// data would be >250kB or >3x the size of the compressed data, whichever is larger.
-func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
-	globalHeaders := obj.mergedHeaders(nil)
-
-	critical, err := globalHeaders.getCritical()
-	if err != nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
-	}
-
-	if len(critical) > 0 {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
-	}
-
-	key, err := tryJWKS(decryptionKey, obj.Header)
-	if err != nil {
-		return -1, Header{}, nil, err
-	}
-	decrypter, err := newDecrypter(key)
-	if err != nil {
-		return -1, Header{}, nil, err
-	}
-
-	encryption := globalHeaders.getEncryption()
-	cipher := getContentCipher(encryption)
-	if cipher == nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(encryption))
-	}
-
-	generator := randomKeyGenerator{
-		size: cipher.keySize(),
-	}
-
-	parts := &aeadParts{
-		iv:         obj.iv,
-		ciphertext: obj.ciphertext,
-		tag:        obj.tag,
-	}
-
-	authData := obj.computeAuthData()
-
-	index := -1
-	var plaintext []byte
-	var headers rawHeader
-
-	for i, recipient := range obj.recipients {
-		recipientHeaders := obj.mergedHeaders(&recipient)
-
-		cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
-		if err == nil {
-			// Found a valid CEK -- let's try to decrypt.
-			plaintext, err = cipher.decrypt(cek, authData, parts)
-			if err == nil {
-				index = i
-				headers = recipientHeaders
-				break
-			}
-		}
-	}
-
-	if plaintext == nil {
-		return -1, Header{}, nil, ErrCryptoFailure
-	}
-
-	// The "zip" header parameter may only be present in the protected header.
-	if comp := obj.protected.getCompression(); comp != "" {
-		plaintext, err = decompress(comp, plaintext)
-		if err != nil {
-			return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: failed to decompress plaintext: %v", err)
-		}
-	}
-
-	sanitized, err := headers.sanitized()
-	if err != nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: failed to sanitize header: %v", err)
-	}
-
-	return index, sanitized, plaintext, err
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/doc.go b/vendor/github.com/go-jose/go-jose/v4/doc.go
deleted file mode 100644
index 0ad40ca085f..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/doc.go
+++ /dev/null
@@ -1,25 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
-Package jose aims to provide an implementation of the Javascript Object Signing
-and Encryption set of standards. It implements encryption and signing based on
-the JSON Web Encryption and JSON Web Signature standards, with optional JSON Web
-Token support available in a sub-package. The library supports both the compact
-and JWS/JWE JSON Serialization formats, and has optional support for multiple
-recipients.
-*/
-package jose
diff --git a/vendor/github.com/go-jose/go-jose/v4/encoding.go b/vendor/github.com/go-jose/go-jose/v4/encoding.go
deleted file mode 100644
index 4f6e0d4a5cf..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/encoding.go
+++ /dev/null
@@ -1,228 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"compress/flate"
-	"encoding/base64"
-	"encoding/binary"
-	"fmt"
-	"io"
-	"math/big"
-	"strings"
-	"unicode"
-
-	"github.com/go-jose/go-jose/v4/json"
-)
-
-// Helper function to serialize known-good objects.
-// Precondition: value is not a nil pointer.
-func mustSerializeJSON(value interface{}) []byte {
-	out, err := json.Marshal(value)
-	if err != nil {
-		panic(err)
-	}
-	// We never want to serialize the top-level value "null," since it's not a
-	// valid JOSE message. But if a caller passes in a nil pointer to this method,
-	// MarshalJSON will happily serialize it as the top-level value "null". If
-	// that value is then embedded in another operation, for instance by being
-	// base64-encoded and fed as input to a signing algorithm
-	// (https://github.com/go-jose/go-jose/issues/22), the result will be
-	// incorrect. Because this method is intended for known-good objects, and a nil
-	// pointer is not a known-good object, we are free to panic in this case.
-	// Note: It's not possible to directly check whether the data pointed at by an
-	// interface is a nil pointer, so we do this hacky workaround.
-	// https://groups.google.com/forum/#!topic/golang-nuts/wnH302gBa4I
-	if string(out) == "null" {
-		panic("Tried to serialize a nil pointer.")
-	}
-	return out
-}
-
-// Strip all newlines and whitespace
-func stripWhitespace(data string) string {
-	buf := strings.Builder{}
-	buf.Grow(len(data))
-	for _, r := range data {
-		if !unicode.IsSpace(r) {
-			buf.WriteRune(r)
-		}
-	}
-	return buf.String()
-}
-
-// Perform compression based on algorithm
-func compress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
-	switch algorithm {
-	case DEFLATE:
-		return deflate(input)
-	default:
-		return nil, ErrUnsupportedAlgorithm
-	}
-}
-
-// Perform decompression based on algorithm
-func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
-	switch algorithm {
-	case DEFLATE:
-		return inflate(input)
-	default:
-		return nil, ErrUnsupportedAlgorithm
-	}
-}
-
-// deflate compresses the input.
-func deflate(input []byte) ([]byte, error) {
-	output := new(bytes.Buffer)
-
-	// Writing to byte buffer, err is always nil
-	writer, _ := flate.NewWriter(output, 1)
-	_, _ = io.Copy(writer, bytes.NewBuffer(input))
-
-	err := writer.Close()
-	return output.Bytes(), err
-}
-
-// inflate decompresses the input.
-//
-// Errors if the decompressed data would be >250kB or >10x the size of the
-// compressed data, whichever is larger.
-func inflate(input []byte) ([]byte, error) {
-	output := new(bytes.Buffer)
-	reader := flate.NewReader(bytes.NewBuffer(input))
-
-	maxCompressedSize := max(250_000, 10*int64(len(input)))
-
-	limit := maxCompressedSize + 1
-	n, err := io.CopyN(output, reader, limit)
-	if err != nil && err != io.EOF {
-		return nil, err
-	}
-	if n == limit {
-		return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
-	}
-
-	err = reader.Close()
-	return output.Bytes(), err
-}
-
-// byteBuffer represents a slice of bytes that can be serialized to url-safe base64.
-type byteBuffer struct {
-	data []byte
-}
-
-func newBuffer(data []byte) *byteBuffer {
-	if data == nil {
-		return nil
-	}
-	return &byteBuffer{
-		data: data,
-	}
-}
-
-func newFixedSizeBuffer(data []byte, length int) *byteBuffer {
-	if len(data) > length {
-		panic("go-jose/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)")
-	}
-	pad := make([]byte, length-len(data))
-	return newBuffer(append(pad, data...))
-}
-
-func newBufferFromInt(num uint64) *byteBuffer {
-	data := make([]byte, 8)
-	binary.BigEndian.PutUint64(data, num)
-	return newBuffer(bytes.TrimLeft(data, "\x00"))
-}
-
-func (b *byteBuffer) MarshalJSON() ([]byte, error) {
-	return json.Marshal(b.base64())
-}
-
-func (b *byteBuffer) UnmarshalJSON(data []byte) error {
-	var encoded string
-	err := json.Unmarshal(data, &encoded)
-	if err != nil {
-		return err
-	}
-
-	if encoded == "" {
-		return nil
-	}
-
-	decoded, err := base64.RawURLEncoding.DecodeString(encoded)
-	if err != nil {
-		return err
-	}
-
-	*b = *newBuffer(decoded)
-
-	return nil
-}
-
-func (b *byteBuffer) base64() string {
-	return base64.RawURLEncoding.EncodeToString(b.data)
-}
-
-func (b *byteBuffer) bytes() []byte {
-	// Handling nil here allows us to transparently handle nil slices when serializing.
-	if b == nil {
-		return nil
-	}
-	return b.data
-}
-
-func (b byteBuffer) bigInt() *big.Int {
-	return new(big.Int).SetBytes(b.data)
-}
-
-func (b byteBuffer) toInt() int {
-	return int(b.bigInt().Int64())
-}
-
-func base64EncodeLen(sl []byte) int {
-	return base64.RawURLEncoding.EncodedLen(len(sl))
-}
-
-func base64JoinWithDots(inputs ...[]byte) string {
-	if len(inputs) == 0 {
-		return ""
-	}
-
-	// Count of dots.
-	totalCount := len(inputs) - 1
-
-	for _, input := range inputs {
-		totalCount += base64EncodeLen(input)
-	}
-
-	out := make([]byte, totalCount)
-	startEncode := 0
-	for i, input := range inputs {
-		base64.RawURLEncoding.Encode(out[startEncode:], input)
-
-		if i == len(inputs)-1 {
-			continue
-		}
-
-		startEncode += base64EncodeLen(input)
-		out[startEncode] = '.'
-		startEncode++
-	}
-
-	return string(out)
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/json/LICENSE b/vendor/github.com/go-jose/go-jose/v4/json/LICENSE
deleted file mode 100644
index 74487567632..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/json/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-Copyright (c) 2012 The Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/go-jose/go-jose/v4/json/README.md b/vendor/github.com/go-jose/go-jose/v4/json/README.md
deleted file mode 100644
index 86de5e5581f..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/json/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Safe JSON
-
-This repository contains a fork of the `encoding/json` package from Go 1.6.
-
-The following changes were made:
-
-* Object deserialization uses case-sensitive member name matching instead of
-  [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html).
-  This is to avoid differences in the interpretation of JOSE messages between
-  go-jose and libraries written in other languages.
-* When deserializing a JSON object, we check for duplicate keys and reject the
-  input whenever we detect a duplicate. Rather than trying to work with malformed
-  data, we prefer to reject it right away.
diff --git a/vendor/github.com/go-jose/go-jose/v4/json/decode.go b/vendor/github.com/go-jose/go-jose/v4/json/decode.go
deleted file mode 100644
index 50634dd8478..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/json/decode.go
+++ /dev/null
@@ -1,1216 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Represents JSON data structure using native Go types: booleans, floats,
-// strings, arrays, and maps.
-
-package json
-
-import (
-	"bytes"
-	"encoding"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"math"
-	"reflect"
-	"runtime"
-	"strconv"
-	"unicode"
-	"unicode/utf16"
-	"unicode/utf8"
-)
-
-// Unmarshal parses the JSON-encoded data and stores the result
-// in the value pointed to by v.
-//
-// Unmarshal uses the inverse of the encodings that
-// Marshal uses, allocating maps, slices, and pointers as necessary,
-// with the following additional rules:
-//
-// To unmarshal JSON into a pointer, Unmarshal first handles the case of
-// the JSON being the JSON literal null.  In that case, Unmarshal sets
-// the pointer to nil.  Otherwise, Unmarshal unmarshals the JSON into
-// the value pointed at by the pointer.  If the pointer is nil, Unmarshal
-// allocates a new value for it to point to.
-//
-// To unmarshal JSON into a struct, Unmarshal matches incoming object
-// keys to the keys used by Marshal (either the struct field name or its tag),
-// preferring an exact match but also accepting a case-insensitive match.
-// Unmarshal will only set exported fields of the struct.
-//
-// To unmarshal JSON into an interface value,
-// Unmarshal stores one of these in the interface value:
-//
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	string, for JSON strings
-//	[]interface{}, for JSON arrays
-//	map[string]interface{}, for JSON objects
-//	nil for JSON null
-//
-// To unmarshal a JSON array into a slice, Unmarshal resets the slice length
-// to zero and then appends each element to the slice.
-// As a special case, to unmarshal an empty JSON array into a slice,
-// Unmarshal replaces the slice with a new empty slice.
-//
-// To unmarshal a JSON array into a Go array, Unmarshal decodes
-// JSON array elements into corresponding Go array elements.
-// If the Go array is smaller than the JSON array,
-// the additional JSON array elements are discarded.
-// If the JSON array is smaller than the Go array,
-// the additional Go array elements are set to zero values.
-//
-// To unmarshal a JSON object into a string-keyed map, Unmarshal first
-// establishes a map to use, If the map is nil, Unmarshal allocates a new map.
-// Otherwise Unmarshal reuses the existing map, keeping existing entries.
-// Unmarshal then stores key-value pairs from the JSON object into the map.
-//
-// If a JSON value is not appropriate for a given target type,
-// or if a JSON number overflows the target type, Unmarshal
-// skips that field and completes the unmarshaling as best it can.
-// If no more serious errors are encountered, Unmarshal returns
-// an UnmarshalTypeError describing the earliest such error.
-//
-// The JSON null value unmarshals into an interface, map, pointer, or slice
-// by setting that Go value to nil. Because null is often used in JSON to mean
-// “not present,” unmarshaling a JSON null into any other Go type has no effect
-// on the value and produces no error.
-//
-// When unmarshaling quoted strings, invalid UTF-8 or
-// invalid UTF-16 surrogate pairs are not treated as an error.
-// Instead, they are replaced by the Unicode replacement
-// character U+FFFD.
-func Unmarshal(data []byte, v interface{}) error {
-	// Check for well-formedness.
-	// Avoids filling out half a data structure
-	// before discovering a JSON syntax error.
-	var d decodeState
-	err := checkValid(data, &d.scan)
-	if err != nil {
-		return err
-	}
-
-	d.init(data)
-	return d.unmarshal(v)
-}
-
-// Unmarshaler is the interface implemented by objects
-// that can unmarshal a JSON description of themselves.
-// The input can be assumed to be a valid encoding of
-// a JSON value. UnmarshalJSON must copy the JSON data
-// if it wishes to retain the data after returning.
-type Unmarshaler interface {
-	UnmarshalJSON([]byte) error
-}
-
-// An UnmarshalTypeError describes a JSON value that was
-// not appropriate for a value of a specific Go type.
-type UnmarshalTypeError struct {
-	Value  string       // description of JSON value - "bool", "array", "number -5"
-	Type   reflect.Type // type of Go value it could not be assigned to
-	Offset int64        // error occurred after reading Offset bytes
-}
-
-func (e *UnmarshalTypeError) Error() string {
-	return "json: cannot unmarshal " + e.Value + " into Go value of type " + e.Type.String()
-}
-
-// An UnmarshalFieldError describes a JSON object key that
-// led to an unexported (and therefore unwritable) struct field.
-// (No longer used; kept for compatibility.)
-type UnmarshalFieldError struct {
-	Key   string
-	Type  reflect.Type
-	Field reflect.StructField
-}
-
-func (e *UnmarshalFieldError) Error() string {
-	return "json: cannot unmarshal object key " + strconv.Quote(e.Key) + " into unexported field " + e.Field.Name + " of type " + e.Type.String()
-}
-
-// An InvalidUnmarshalError describes an invalid argument passed to Unmarshal.
-// (The argument to Unmarshal must be a non-nil pointer.)
-type InvalidUnmarshalError struct {
-	Type reflect.Type
-}
-
-func (e *InvalidUnmarshalError) Error() string {
-	if e.Type == nil {
-		return "json: Unmarshal(nil)"
-	}
-
-	if e.Type.Kind() != reflect.Ptr {
-		return "json: Unmarshal(non-pointer " + e.Type.String() + ")"
-	}
-	return "json: Unmarshal(nil " + e.Type.String() + ")"
-}
-
-func (d *decodeState) unmarshal(v interface{}) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			if _, ok := r.(runtime.Error); ok {
-				panic(r)
-			}
-			err = r.(error)
-		}
-	}()
-
-	rv := reflect.ValueOf(v)
-	if rv.Kind() != reflect.Ptr || rv.IsNil() {
-		return &InvalidUnmarshalError{reflect.TypeOf(v)}
-	}
-
-	d.scan.reset()
-	// We decode rv not rv.Elem because the Unmarshaler interface
-	// test must be applied at the top level of the value.
-	d.value(rv)
-	return d.savedError
-}
-
-// A Number represents a JSON number literal.
-type Number string
-
-// String returns the literal text of the number.
-func (n Number) String() string { return string(n) }
-
-// Float64 returns the number as a float64.
-func (n Number) Float64() (float64, error) {
-	return strconv.ParseFloat(string(n), 64)
-}
-
-// Int64 returns the number as an int64.
-func (n Number) Int64() (int64, error) {
-	return strconv.ParseInt(string(n), 10, 64)
-}
-
-// isValidNumber reports whether s is a valid JSON number literal.
-func isValidNumber(s string) bool {
-	// This function implements the JSON numbers grammar.
-	// See https://tools.ietf.org/html/rfc7159#section-6
-	// and http://json.org/number.gif
-
-	if s == "" {
-		return false
-	}
-
-	// Optional -
-	if s[0] == '-' {
-		s = s[1:]
-		if s == "" {
-			return false
-		}
-	}
-
-	// Digits
-	switch {
-	default:
-		return false
-
-	case s[0] == '0':
-		s = s[1:]
-
-	case '1' <= s[0] && s[0] <= '9':
-		s = s[1:]
-		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
-			s = s[1:]
-		}
-	}
-
-	// . followed by 1 or more digits.
-	if len(s) >= 2 && s[0] == '.' && '0' <= s[1] && s[1] <= '9' {
-		s = s[2:]
-		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
-			s = s[1:]
-		}
-	}
-
-	// e or E followed by an optional - or + and
-	// 1 or more digits.
-	if len(s) >= 2 && (s[0] == 'e' || s[0] == 'E') {
-		s = s[1:]
-		if s[0] == '+' || s[0] == '-' {
-			s = s[1:]
-			if s == "" {
-				return false
-			}
-		}
-		for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
-			s = s[1:]
-		}
-	}
-
-	// Make sure we are at the end.
-	return s == ""
-}
-
-type NumberUnmarshalType int
-
-const (
-	// unmarshal a JSON number into an interface{} as a float64
-	UnmarshalFloat NumberUnmarshalType = iota
-	// unmarshal a JSON number into an interface{} as a `json.Number`
-	UnmarshalJSONNumber
-	// unmarshal a JSON number into an interface{} as a int64
-	// if value is an integer otherwise float64
-	UnmarshalIntOrFloat
-)
-
-// decodeState represents the state while decoding a JSON value.
-type decodeState struct {
-	data       []byte
-	off        int // read offset in data
-	scan       scanner
-	nextscan   scanner // for calls to nextValue
-	savedError error
-	numberType NumberUnmarshalType
-}
-
-// errPhase is used for errors that should not happen unless
-// there is a bug in the JSON decoder or something is editing
-// the data slice while the decoder executes.
-var errPhase = errors.New("JSON decoder out of sync - data changing underfoot?")
-
-func (d *decodeState) init(data []byte) *decodeState {
-	d.data = data
-	d.off = 0
-	d.savedError = nil
-	return d
-}
-
-// error aborts the decoding by panicking with err.
-func (d *decodeState) error(err error) {
-	panic(err)
-}
-
-// saveError saves the first err it is called with,
-// for reporting at the end of the unmarshal.
-func (d *decodeState) saveError(err error) {
-	if d.savedError == nil {
-		d.savedError = err
-	}
-}
-
-// next cuts off and returns the next full JSON value in d.data[d.off:].
-// The next value is known to be an object or array, not a literal.
-func (d *decodeState) next() []byte {
-	c := d.data[d.off]
-	item, rest, err := nextValue(d.data[d.off:], &d.nextscan)
-	if err != nil {
-		d.error(err)
-	}
-	d.off = len(d.data) - len(rest)
-
-	// Our scanner has seen the opening brace/bracket
-	// and thinks we're still in the middle of the object.
-	// invent a closing brace/bracket to get it out.
-	if c == '{' {
-		d.scan.step(&d.scan, '}')
-	} else {
-		d.scan.step(&d.scan, ']')
-	}
-
-	return item
-}
-
-// scanWhile processes bytes in d.data[d.off:] until it
-// receives a scan code not equal to op.
-// It updates d.off and returns the new scan code.
-func (d *decodeState) scanWhile(op int) int {
-	var newOp int
-	for {
-		if d.off >= len(d.data) {
-			newOp = d.scan.eof()
-			d.off = len(d.data) + 1 // mark processed EOF with len+1
-		} else {
-			c := d.data[d.off]
-			d.off++
-			newOp = d.scan.step(&d.scan, c)
-		}
-		if newOp != op {
-			break
-		}
-	}
-	return newOp
-}
-
-// value decodes a JSON value from d.data[d.off:] into the value.
-// it updates d.off to point past the decoded value.
-func (d *decodeState) value(v reflect.Value) {
-	if !v.IsValid() {
-		_, rest, err := nextValue(d.data[d.off:], &d.nextscan)
-		if err != nil {
-			d.error(err)
-		}
-		d.off = len(d.data) - len(rest)
-
-		// d.scan thinks we're still at the beginning of the item.
-		// Feed in an empty string - the shortest, simplest value -
-		// so that it knows we got to the end of the value.
-		if d.scan.redo {
-			// rewind.
-			d.scan.redo = false
-			d.scan.step = stateBeginValue
-		}
-		d.scan.step(&d.scan, '"')
-		d.scan.step(&d.scan, '"')
-
-		n := len(d.scan.parseState)
-		if n > 0 && d.scan.parseState[n-1] == parseObjectKey {
-			// d.scan thinks we just read an object key; finish the object
-			d.scan.step(&d.scan, ':')
-			d.scan.step(&d.scan, '"')
-			d.scan.step(&d.scan, '"')
-			d.scan.step(&d.scan, '}')
-		}
-
-		return
-	}
-
-	switch op := d.scanWhile(scanSkipSpace); op {
-	default:
-		d.error(errPhase)
-
-	case scanBeginArray:
-		d.array(v)
-
-	case scanBeginObject:
-		d.object(v)
-
-	case scanBeginLiteral:
-		d.literal(v)
-	}
-}
-
-type unquotedValue struct{}
-
-// valueQuoted is like value but decodes a
-// quoted string literal or literal null into an interface value.
-// If it finds anything other than a quoted string literal or null,
-// valueQuoted returns unquotedValue{}.
-func (d *decodeState) valueQuoted() interface{} {
-	switch op := d.scanWhile(scanSkipSpace); op {
-	default:
-		d.error(errPhase)
-
-	case scanBeginArray:
-		d.array(reflect.Value{})
-
-	case scanBeginObject:
-		d.object(reflect.Value{})
-
-	case scanBeginLiteral:
-		switch v := d.literalInterface().(type) {
-		case nil, string:
-			return v
-		}
-	}
-	return unquotedValue{}
-}
-
-// indirect walks down v allocating pointers as needed,
-// until it gets to a non-pointer.
-// if it encounters an Unmarshaler, indirect stops and returns that.
-// if decodingNull is true, indirect stops at the last pointer so it can be set to nil.
-func (d *decodeState) indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnmarshaler, reflect.Value) {
-	// If v is a named type and is addressable,
-	// start with its address, so that if the type has pointer methods,
-	// we find them.
-	if v.Kind() != reflect.Ptr && v.Type().Name() != "" && v.CanAddr() {
-		v = v.Addr()
-	}
-	for {
-		// Load value from interface, but only if the result will be
-		// usefully addressable.
-		if v.Kind() == reflect.Interface && !v.IsNil() {
-			e := v.Elem()
-			if e.Kind() == reflect.Ptr && !e.IsNil() && (!decodingNull || e.Elem().Kind() == reflect.Ptr) {
-				v = e
-				continue
-			}
-		}
-
-		if v.Kind() != reflect.Ptr {
-			break
-		}
-
-		if v.Elem().Kind() != reflect.Ptr && decodingNull && v.CanSet() {
-			break
-		}
-		if v.IsNil() {
-			v.Set(reflect.New(v.Type().Elem()))
-		}
-		if v.Type().NumMethod() > 0 {
-			if u, ok := v.Interface().(Unmarshaler); ok {
-				return u, nil, reflect.Value{}
-			}
-			if u, ok := v.Interface().(encoding.TextUnmarshaler); ok {
-				return nil, u, reflect.Value{}
-			}
-		}
-		v = v.Elem()
-	}
-	return nil, nil, v
-}
-
-// array consumes an array from d.data[d.off-1:], decoding into the value v.
-// the first byte of the array ('[') has been read already.
-func (d *decodeState) array(v reflect.Value) {
-	// Check for unmarshaler.
-	u, ut, pv := d.indirect(v, false)
-	if u != nil {
-		d.off--
-		err := u.UnmarshalJSON(d.next())
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
-		d.off--
-		d.next()
-		return
-	}
-
-	v = pv
-
-	// Check type of target.
-	switch v.Kind() {
-	case reflect.Interface:
-		if v.NumMethod() == 0 {
-			// Decoding into nil interface?  Switch to non-reflect code.
-			v.Set(reflect.ValueOf(d.arrayInterface()))
-			return
-		}
-		// Otherwise it's invalid.
-		fallthrough
-	default:
-		d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
-		d.off--
-		d.next()
-		return
-	case reflect.Array:
-	case reflect.Slice:
-		break
-	}
-
-	i := 0
-	for {
-		// Look ahead for ] - can only happen on first iteration.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-
-		// Back up so d.value can have the byte we just read.
-		d.off--
-		d.scan.undo(op)
-
-		// Get element of array, growing if necessary.
-		if v.Kind() == reflect.Slice {
-			// Grow slice if necessary
-			if i >= v.Cap() {
-				newcap := v.Cap() + v.Cap()/2
-				if newcap < 4 {
-					newcap = 4
-				}
-				newv := reflect.MakeSlice(v.Type(), v.Len(), newcap)
-				reflect.Copy(newv, v)
-				v.Set(newv)
-			}
-			if i >= v.Len() {
-				v.SetLen(i + 1)
-			}
-		}
-
-		if i < v.Len() {
-			// Decode into element.
-			d.value(v.Index(i))
-		} else {
-			// Ran out of fixed array: skip.
-			d.value(reflect.Value{})
-		}
-		i++
-
-		// Next token must be , or ].
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-		if op != scanArrayValue {
-			d.error(errPhase)
-		}
-	}
-
-	if i < v.Len() {
-		if v.Kind() == reflect.Array {
-			// Array.  Zero the rest.
-			z := reflect.Zero(v.Type().Elem())
-			for ; i < v.Len(); i++ {
-				v.Index(i).Set(z)
-			}
-		} else {
-			v.SetLen(i)
-		}
-	}
-	if i == 0 && v.Kind() == reflect.Slice {
-		v.Set(reflect.MakeSlice(v.Type(), 0, 0))
-	}
-}
-
-var nullLiteral = []byte("null")
-
-// object consumes an object from d.data[d.off-1:], decoding into the value v.
-// the first byte ('{') of the object has been read already.
-func (d *decodeState) object(v reflect.Value) {
-	// Check for unmarshaler.
-	u, ut, pv := d.indirect(v, false)
-	if u != nil {
-		d.off--
-		err := u.UnmarshalJSON(d.next())
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-		d.off--
-		d.next() // skip over { } in input
-		return
-	}
-	v = pv
-
-	// Decoding into nil interface?  Switch to non-reflect code.
-	if v.Kind() == reflect.Interface && v.NumMethod() == 0 {
-		v.Set(reflect.ValueOf(d.objectInterface()))
-		return
-	}
-
-	// Check type of target: struct or map[string]T
-	switch v.Kind() {
-	case reflect.Map:
-		// map must have string kind
-		t := v.Type()
-		if t.Key().Kind() != reflect.String {
-			d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-			d.off--
-			d.next() // skip over { } in input
-			return
-		}
-		if v.IsNil() {
-			v.Set(reflect.MakeMap(t))
-		}
-	case reflect.Struct:
-
-	default:
-		d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
-		d.off--
-		d.next() // skip over { } in input
-		return
-	}
-
-	var mapElem reflect.Value
-	keys := map[string]bool{}
-
-	for {
-		// Read opening " of string key or closing }.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			// closing } - can only happen on first iteration.
-			break
-		}
-		if op != scanBeginLiteral {
-			d.error(errPhase)
-		}
-
-		// Read key.
-		start := d.off - 1
-		op = d.scanWhile(scanContinue)
-		item := d.data[start : d.off-1]
-		key, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-
-		// Check for duplicate keys.
-		_, ok = keys[key]
-		if !ok {
-			keys[key] = true
-		} else {
-			d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
-		}
-
-		// Figure out field corresponding to key.
-		var subv reflect.Value
-		destring := false // whether the value is wrapped in a string to be decoded first
-
-		if v.Kind() == reflect.Map {
-			elemType := v.Type().Elem()
-			if !mapElem.IsValid() {
-				mapElem = reflect.New(elemType).Elem()
-			} else {
-				mapElem.Set(reflect.Zero(elemType))
-			}
-			subv = mapElem
-		} else {
-			var f *field
-			fields := cachedTypeFields(v.Type())
-			for i := range fields {
-				ff := &fields[i]
-				if bytes.Equal(ff.nameBytes, []byte(key)) {
-					f = ff
-					break
-				}
-			}
-			if f != nil {
-				subv = v
-				destring = f.quoted
-				for _, i := range f.index {
-					if subv.Kind() == reflect.Ptr {
-						if subv.IsNil() {
-							subv.Set(reflect.New(subv.Type().Elem()))
-						}
-						subv = subv.Elem()
-					}
-					subv = subv.Field(i)
-				}
-			}
-		}
-
-		// Read : before value.
-		if op == scanSkipSpace {
-			op = d.scanWhile(scanSkipSpace)
-		}
-		if op != scanObjectKey {
-			d.error(errPhase)
-		}
-
-		// Read value.
-		if destring {
-			switch qv := d.valueQuoted().(type) {
-			case nil:
-				d.literalStore(nullLiteral, subv, false)
-			case string:
-				d.literalStore([]byte(qv), subv, true)
-			default:
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal unquoted value into %v", subv.Type()))
-			}
-		} else {
-			d.value(subv)
-		}
-
-		// Write value back to map;
-		// if using struct, subv points into struct already.
-		if v.Kind() == reflect.Map {
-			kv := reflect.ValueOf(key).Convert(v.Type().Key())
-			v.SetMapIndex(kv, subv)
-		}
-
-		// Next token must be , or }.
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			break
-		}
-		if op != scanObjectValue {
-			d.error(errPhase)
-		}
-	}
-}
-
-// literal consumes a literal from d.data[d.off-1:], decoding into the value v.
-// The first byte of the literal has been read already
-// (that's how the caller knows it's a literal).
-func (d *decodeState) literal(v reflect.Value) {
-	// All bytes inside literal return scanContinue op code.
-	start := d.off - 1
-	op := d.scanWhile(scanContinue)
-
-	// Scan read one byte too far; back up.
-	d.off--
-	d.scan.undo(op)
-
-	d.literalStore(d.data[start:d.off], v, false)
-}
-
-// convertNumber converts the number literal s to a float64, int64 or a Number
-// depending on d.numberDecodeType.
-func (d *decodeState) convertNumber(s string) (interface{}, error) {
-	switch d.numberType {
-
-	case UnmarshalJSONNumber:
-		return Number(s), nil
-	case UnmarshalIntOrFloat:
-		v, err := strconv.ParseInt(s, 10, 64)
-		if err == nil {
-			return v, nil
-		}
-
-		// tries to parse integer number in scientific notation
-		f, err := strconv.ParseFloat(s, 64)
-		if err != nil {
-			return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
-		}
-
-		// if it has no decimal value use int64
-		if fi, fd := math.Modf(f); fd == 0.0 {
-			return int64(fi), nil
-		}
-		return f, nil
-	default:
-		f, err := strconv.ParseFloat(s, 64)
-		if err != nil {
-			return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
-		}
-		return f, nil
-	}
-
-}
-
-var numberType = reflect.TypeOf(Number(""))
-
-// literalStore decodes a literal stored in item into v.
-//
-// fromQuoted indicates whether this literal came from unwrapping a
-// string from the ",string" struct tag option. this is used only to
-// produce more helpful error messages.
-func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) {
-	// Check for unmarshaler.
-	if len(item) == 0 {
-		//Empty string given
-		d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-		return
-	}
-	wantptr := item[0] == 'n' // null
-	u, ut, pv := d.indirect(v, wantptr)
-	if u != nil {
-		err := u.UnmarshalJSON(item)
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-	if ut != nil {
-		if item[0] != '"' {
-			if fromQuoted {
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-			}
-			return
-		}
-		s, ok := unquoteBytes(item)
-		if !ok {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		err := ut.UnmarshalText(s)
-		if err != nil {
-			d.error(err)
-		}
-		return
-	}
-
-	v = pv
-
-	switch c := item[0]; c {
-	case 'n': // null
-		switch v.Kind() {
-		case reflect.Interface, reflect.Ptr, reflect.Map, reflect.Slice:
-			v.Set(reflect.Zero(v.Type()))
-			// otherwise, ignore null for primitives/string
-		}
-	case 't', 'f': // true, false
-		value := c == 't'
-		switch v.Kind() {
-		default:
-			if fromQuoted {
-				d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
-			}
-		case reflect.Bool:
-			v.SetBool(value)
-		case reflect.Interface:
-			if v.NumMethod() == 0 {
-				v.Set(reflect.ValueOf(value))
-			} else {
-				d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
-			}
-		}
-
-	case '"': // string
-		s, ok := unquoteBytes(item)
-		if !ok {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		switch v.Kind() {
-		default:
-			d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-		case reflect.Slice:
-			if v.Type().Elem().Kind() != reflect.Uint8 {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-				break
-			}
-			b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
-			n, err := base64.StdEncoding.Decode(b, s)
-			if err != nil {
-				d.saveError(err)
-				break
-			}
-			v.SetBytes(b[:n])
-		case reflect.String:
-			v.SetString(string(s))
-		case reflect.Interface:
-			if v.NumMethod() == 0 {
-				v.Set(reflect.ValueOf(string(s)))
-			} else {
-				d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
-			}
-		}
-
-	default: // number
-		if c != '-' && (c < '0' || c > '9') {
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(errPhase)
-			}
-		}
-		s := string(item)
-		switch v.Kind() {
-		default:
-			if v.Kind() == reflect.String && v.Type() == numberType {
-				v.SetString(s)
-				if !isValidNumber(s) {
-					d.error(fmt.Errorf("json: invalid number literal, trying to unmarshal %q into Number", item))
-				}
-				break
-			}
-			if fromQuoted {
-				d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
-			} else {
-				d.error(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
-			}
-		case reflect.Interface:
-			n, err := d.convertNumber(s)
-			if err != nil {
-				d.saveError(err)
-				break
-			}
-			if v.NumMethod() != 0 {
-				d.saveError(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
-				break
-			}
-			v.Set(reflect.ValueOf(n))
-
-		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-			n, err := strconv.ParseInt(s, 10, 64)
-			if err != nil || v.OverflowInt(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetInt(n)
-
-		case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-			n, err := strconv.ParseUint(s, 10, 64)
-			if err != nil || v.OverflowUint(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetUint(n)
-
-		case reflect.Float32, reflect.Float64:
-			n, err := strconv.ParseFloat(s, v.Type().Bits())
-			if err != nil || v.OverflowFloat(n) {
-				d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
-				break
-			}
-			v.SetFloat(n)
-		}
-	}
-}
-
-// The xxxInterface routines build up a value to be stored
-// in an empty interface.  They are not strictly necessary,
-// but they avoid the weight of reflection in this common case.
-
-// valueInterface is like value but returns interface{}
-func (d *decodeState) valueInterface() interface{} {
-	switch d.scanWhile(scanSkipSpace) {
-	default:
-		d.error(errPhase)
-		panic("unreachable")
-	case scanBeginArray:
-		return d.arrayInterface()
-	case scanBeginObject:
-		return d.objectInterface()
-	case scanBeginLiteral:
-		return d.literalInterface()
-	}
-}
-
-// arrayInterface is like array but returns []interface{}.
-func (d *decodeState) arrayInterface() []interface{} {
-	var v = make([]interface{}, 0)
-	for {
-		// Look ahead for ] - can only happen on first iteration.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-
-		// Back up so d.value can have the byte we just read.
-		d.off--
-		d.scan.undo(op)
-
-		v = append(v, d.valueInterface())
-
-		// Next token must be , or ].
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndArray {
-			break
-		}
-		if op != scanArrayValue {
-			d.error(errPhase)
-		}
-	}
-	return v
-}
-
-// objectInterface is like object but returns map[string]interface{}.
-func (d *decodeState) objectInterface() map[string]interface{} {
-	m := make(map[string]interface{})
-	keys := map[string]bool{}
-
-	for {
-		// Read opening " of string key or closing }.
-		op := d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			// closing } - can only happen on first iteration.
-			break
-		}
-		if op != scanBeginLiteral {
-			d.error(errPhase)
-		}
-
-		// Read string key.
-		start := d.off - 1
-		op = d.scanWhile(scanContinue)
-		item := d.data[start : d.off-1]
-		key, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-
-		// Check for duplicate keys.
-		_, ok = keys[key]
-		if !ok {
-			keys[key] = true
-		} else {
-			d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
-		}
-
-		// Read : before value.
-		if op == scanSkipSpace {
-			op = d.scanWhile(scanSkipSpace)
-		}
-		if op != scanObjectKey {
-			d.error(errPhase)
-		}
-
-		// Read value.
-		m[key] = d.valueInterface()
-
-		// Next token must be , or }.
-		op = d.scanWhile(scanSkipSpace)
-		if op == scanEndObject {
-			break
-		}
-		if op != scanObjectValue {
-			d.error(errPhase)
-		}
-	}
-	return m
-}
-
-// literalInterface is like literal but returns an interface value.
-func (d *decodeState) literalInterface() interface{} {
-	// All bytes inside literal return scanContinue op code.
-	start := d.off - 1
-	op := d.scanWhile(scanContinue)
-
-	// Scan read one byte too far; back up.
-	d.off--
-	d.scan.undo(op)
-	item := d.data[start:d.off]
-
-	switch c := item[0]; c {
-	case 'n': // null
-		return nil
-
-	case 't', 'f': // true, false
-		return c == 't'
-
-	case '"': // string
-		s, ok := unquote(item)
-		if !ok {
-			d.error(errPhase)
-		}
-		return s
-
-	default: // number
-		if c != '-' && (c < '0' || c > '9') {
-			d.error(errPhase)
-		}
-		n, err := d.convertNumber(string(item))
-		if err != nil {
-			d.saveError(err)
-		}
-		return n
-	}
-}
-
-// getu4 decodes \uXXXX from the beginning of s, returning the hex value,
-// or it returns -1.
-func getu4(s []byte) rune {
-	if len(s) < 6 || s[0] != '\\' || s[1] != 'u' {
-		return -1
-	}
-	r, err := strconv.ParseUint(string(s[2:6]), 16, 64)
-	if err != nil {
-		return -1
-	}
-	return rune(r)
-}
-
-// unquote converts a quoted JSON string literal s into an actual string t.
-// The rules are different than for Go, so cannot use strconv.Unquote.
-func unquote(s []byte) (t string, ok bool) {
-	s, ok = unquoteBytes(s)
-	t = string(s)
-	return
-}
-
-func unquoteBytes(s []byte) (t []byte, ok bool) {
-	if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
-		return
-	}
-	s = s[1 : len(s)-1]
-
-	// Check for unusual characters. If there are none,
-	// then no unquoting is needed, so return a slice of the
-	// original bytes.
-	r := 0
-	for r < len(s) {
-		c := s[r]
-		if c == '\\' || c == '"' || c < ' ' {
-			break
-		}
-		if c < utf8.RuneSelf {
-			r++
-			continue
-		}
-		rr, size := utf8.DecodeRune(s[r:])
-		if rr == utf8.RuneError && size == 1 {
-			break
-		}
-		r += size
-	}
-	if r == len(s) {
-		return s, true
-	}
-
-	b := make([]byte, len(s)+2*utf8.UTFMax)
-	w := copy(b, s[0:r])
-	for r < len(s) {
-		// Out of room?  Can only happen if s is full of
-		// malformed UTF-8 and we're replacing each
-		// byte with RuneError.
-		if w >= len(b)-2*utf8.UTFMax {
-			nb := make([]byte, (len(b)+utf8.UTFMax)*2)
-			copy(nb, b[0:w])
-			b = nb
-		}
-		switch c := s[r]; {
-		case c == '\\':
-			r++
-			if r >= len(s) {
-				return
-			}
-			switch s[r] {
-			default:
-				return
-			case '"', '\\', '/', '\'':
-				b[w] = s[r]
-				r++
-				w++
-			case 'b':
-				b[w] = '\b'
-				r++
-				w++
-			case 'f':
-				b[w] = '\f'
-				r++
-				w++
-			case 'n':
-				b[w] = '\n'
-				r++
-				w++
-			case 'r':
-				b[w] = '\r'
-				r++
-				w++
-			case 't':
-				b[w] = '\t'
-				r++
-				w++
-			case 'u':
-				r--
-				rr := getu4(s[r:])
-				if rr < 0 {
-					return
-				}
-				r += 6
-				if utf16.IsSurrogate(rr) {
-					rr1 := getu4(s[r:])
-					if dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {
-						// A valid pair; consume.
-						r += 6
-						w += utf8.EncodeRune(b[w:], dec)
-						break
-					}
-					// Invalid surrogate; fall back to replacement rune.
-					rr = unicode.ReplacementChar
-				}
-				w += utf8.EncodeRune(b[w:], rr)
-			}
-
-		// Quote, control characters are invalid.
-		case c == '"', c < ' ':
-			return
-
-		// ASCII
-		case c < utf8.RuneSelf:
-			b[w] = c
-			r++
-			w++
-
-		// Coerce to well-formed UTF-8.
-		default:
-			rr, size := utf8.DecodeRune(s[r:])
-			r += size
-			w += utf8.EncodeRune(b[w:], rr)
-		}
-	}
-	return b[0:w], true
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/json/encode.go b/vendor/github.com/go-jose/go-jose/v4/json/encode.go
deleted file mode 100644
index 98de68ce1e9..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/json/encode.go
+++ /dev/null
@@ -1,1197 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package json implements encoding and decoding of JSON objects as defined in
-// RFC 4627. The mapping between JSON objects and Go values is described
-// in the documentation for the Marshal and Unmarshal functions.
-//
-// See "JSON and Go" for an introduction to this package:
-// https://golang.org/doc/articles/json_and_go.html
-package json
-
-import (
-	"bytes"
-	"encoding"
-	"encoding/base64"
-	"fmt"
-	"math"
-	"reflect"
-	"runtime"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-	"unicode"
-	"unicode/utf8"
-)
-
-// Marshal returns the JSON encoding of v.
-//
-// Marshal traverses the value v recursively.
-// If an encountered value implements the Marshaler interface
-// and is not a nil pointer, Marshal calls its MarshalJSON method
-// to produce JSON. If no MarshalJSON method is present but the
-// value implements encoding.TextMarshaler instead, Marshal calls
-// its MarshalText method.
-// The nil pointer exception is not strictly necessary
-// but mimics a similar, necessary exception in the behavior of
-// UnmarshalJSON.
-//
-// Otherwise, Marshal uses the following type-dependent default encodings:
-//
-// Boolean values encode as JSON booleans.
-//
-// Floating point, integer, and Number values encode as JSON numbers.
-//
-// String values encode as JSON strings coerced to valid UTF-8,
-// replacing invalid bytes with the Unicode replacement rune.
-// The angle brackets "<" and ">" are escaped to "\u003c" and "\u003e"
-// to keep some browsers from misinterpreting JSON output as HTML.
-// Ampersand "&" is also escaped to "\u0026" for the same reason.
-//
-// Array and slice values encode as JSON arrays, except that
-// []byte encodes as a base64-encoded string, and a nil slice
-// encodes as the null JSON object.
-//
-// Struct values encode as JSON objects. Each exported struct field
-// becomes a member of the object unless
-//   - the field's tag is "-", or
-//   - the field is empty and its tag specifies the "omitempty" option.
-//
-// The empty values are false, 0, any
-// nil pointer or interface value, and any array, slice, map, or string of
-// length zero. The object's default key string is the struct field name
-// but can be specified in the struct field's tag value. The "json" key in
-// the struct field's tag value is the key name, followed by an optional comma
-// and options. Examples:
-//
-//	// Field is ignored by this package.
-//	Field int `json:"-"`
-//
-//	// Field appears in JSON as key "myName".
-//	Field int `json:"myName"`
-//
-//	// Field appears in JSON as key "myName" and
-//	// the field is omitted from the object if its value is empty,
-//	// as defined above.
-//	Field int `json:"myName,omitempty"`
-//
-//	// Field appears in JSON as key "Field" (the default), but
-//	// the field is skipped if empty.
-//	// Note the leading comma.
-//	Field int `json:",omitempty"`
-//
-// The "string" option signals that a field is stored as JSON inside a
-// JSON-encoded string. It applies only to fields of string, floating point,
-// integer, or boolean types. This extra level of encoding is sometimes used
-// when communicating with JavaScript programs:
-//
-//	Int64String int64 `json:",string"`
-//
-// The key name will be used if it's a non-empty string consisting of
-// only Unicode letters, digits, dollar signs, percent signs, hyphens,
-// underscores and slashes.
-//
-// Anonymous struct fields are usually marshaled as if their inner exported fields
-// were fields in the outer struct, subject to the usual Go visibility rules amended
-// as described in the next paragraph.
-// An anonymous struct field with a name given in its JSON tag is treated as
-// having that name, rather than being anonymous.
-// An anonymous struct field of interface type is treated the same as having
-// that type as its name, rather than being anonymous.
-//
-// The Go visibility rules for struct fields are amended for JSON when
-// deciding which field to marshal or unmarshal. If there are
-// multiple fields at the same level, and that level is the least
-// nested (and would therefore be the nesting level selected by the
-// usual Go rules), the following extra rules apply:
-//
-// 1) Of those fields, if any are JSON-tagged, only tagged fields are considered,
-// even if there are multiple untagged fields that would otherwise conflict.
-// 2) If there is exactly one field (tagged or not according to the first rule), that is selected.
-// 3) Otherwise there are multiple fields, and all are ignored; no error occurs.
-//
-// Handling of anonymous struct fields is new in Go 1.1.
-// Prior to Go 1.1, anonymous struct fields were ignored. To force ignoring of
-// an anonymous struct field in both current and earlier versions, give the field
-// a JSON tag of "-".
-//
-// Map values encode as JSON objects.
-// The map's key type must be string; the map keys are used as JSON object
-// keys, subject to the UTF-8 coercion described for string values above.
-//
-// Pointer values encode as the value pointed to.
-// A nil pointer encodes as the null JSON object.
-//
-// Interface values encode as the value contained in the interface.
-// A nil interface value encodes as the null JSON object.
-//
-// Channel, complex, and function values cannot be encoded in JSON.
-// Attempting to encode such a value causes Marshal to return
-// an UnsupportedTypeError.
-//
-// JSON cannot represent cyclic data structures and Marshal does not
-// handle them.  Passing cyclic structures to Marshal will result in
-// an infinite recursion.
-func Marshal(v interface{}) ([]byte, error) {
-	e := &encodeState{}
-	err := e.marshal(v)
-	if err != nil {
-		return nil, err
-	}
-	return e.Bytes(), nil
-}
-
-// MarshalIndent is like Marshal but applies Indent to format the output.
-func MarshalIndent(v interface{}, prefix, indent string) ([]byte, error) {
-	b, err := Marshal(v)
-	if err != nil {
-		return nil, err
-	}
-	var buf bytes.Buffer
-	err = Indent(&buf, b, prefix, indent)
-	if err != nil {
-		return nil, err
-	}
-	return buf.Bytes(), nil
-}
-
-// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029
-// characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029
-// so that the JSON will be safe to embed inside HTML <script> tags.
-// For historical reasons, web browsers don't honor standard HTML
-// escaping within <script> tags, so an alternative JSON encoding must
-// be used.
-func HTMLEscape(dst *bytes.Buffer, src []byte) {
-	// The characters can only appear in string literals,
-	// so just scan the string one byte at a time.
-	start := 0
-	for i, c := range src {
-		if c == '<' || c == '>' || c == '&' {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u00`)
-			dst.WriteByte(hex[c>>4])
-			dst.WriteByte(hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u202`)
-			dst.WriteByte(hex[src[i+2]&0xF])
-			start = i + 3
-		}
-	}
-	if start < len(src) {
-		dst.Write(src[start:])
-	}
-}
-
-// Marshaler is the interface implemented by objects that
-// can marshal themselves into valid JSON.
-type Marshaler interface {
-	MarshalJSON() ([]byte, error)
-}
-
-// An UnsupportedTypeError is returned by Marshal when attempting
-// to encode an unsupported value type.
-type UnsupportedTypeError struct {
-	Type reflect.Type
-}
-
-func (e *UnsupportedTypeError) Error() string {
-	return "json: unsupported type: " + e.Type.String()
-}
-
-type UnsupportedValueError struct {
-	Value reflect.Value
-	Str   string
-}
-
-func (e *UnsupportedValueError) Error() string {
-	return "json: unsupported value: " + e.Str
-}
-
-// Before Go 1.2, an InvalidUTF8Error was returned by Marshal when
-// attempting to encode a string value with invalid UTF-8 sequences.
-// As of Go 1.2, Marshal instead coerces the string to valid UTF-8 by
-// replacing invalid bytes with the Unicode replacement rune U+FFFD.
-// This error is no longer generated but is kept for backwards compatibility
-// with programs that might mention it.
-type InvalidUTF8Error struct {
-	S string // the whole string value that caused the error
-}
-
-func (e *InvalidUTF8Error) Error() string {
-	return "json: invalid UTF-8 in string: " + strconv.Quote(e.S)
-}
-
-type MarshalerError struct {
-	Type reflect.Type
-	Err  error
-}
-
-func (e *MarshalerError) Error() string {
-	return "json: error calling MarshalJSON for type " + e.Type.String() + ": " + e.Err.Error()
-}
-
-var hex = "0123456789abcdef"
-
-// An encodeState encodes JSON into a bytes.Buffer.
-type encodeState struct {
-	bytes.Buffer // accumulated output
-	scratch      [64]byte
-}
-
-var encodeStatePool sync.Pool
-
-func newEncodeState() *encodeState {
-	if v := encodeStatePool.Get(); v != nil {
-		e := v.(*encodeState)
-		e.Reset()
-		return e
-	}
-	return new(encodeState)
-}
-
-func (e *encodeState) marshal(v interface{}) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			if _, ok := r.(runtime.Error); ok {
-				panic(r)
-			}
-			if s, ok := r.(string); ok {
-				panic(s)
-			}
-			err = r.(error)
-		}
-	}()
-	e.reflectValue(reflect.ValueOf(v))
-	return nil
-}
-
-func (e *encodeState) error(err error) {
-	panic(err)
-}
-
-func isEmptyValue(v reflect.Value) bool {
-	switch v.Kind() {
-	case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
-		return v.Len() == 0
-	case reflect.Bool:
-		return !v.Bool()
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		return v.Int() == 0
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		return v.Uint() == 0
-	case reflect.Float32, reflect.Float64:
-		return v.Float() == 0
-	case reflect.Interface, reflect.Ptr:
-		return v.IsNil()
-	}
-	return false
-}
-
-func (e *encodeState) reflectValue(v reflect.Value) {
-	valueEncoder(v)(e, v, false)
-}
-
-type encoderFunc func(e *encodeState, v reflect.Value, quoted bool)
-
-var encoderCache struct {
-	sync.RWMutex
-	m map[reflect.Type]encoderFunc
-}
-
-func valueEncoder(v reflect.Value) encoderFunc {
-	if !v.IsValid() {
-		return invalidValueEncoder
-	}
-	return typeEncoder(v.Type())
-}
-
-func typeEncoder(t reflect.Type) encoderFunc {
-	encoderCache.RLock()
-	f := encoderCache.m[t]
-	encoderCache.RUnlock()
-	if f != nil {
-		return f
-	}
-
-	// To deal with recursive types, populate the map with an
-	// indirect func before we build it. This type waits on the
-	// real func (f) to be ready and then calls it.  This indirect
-	// func is only used for recursive types.
-	encoderCache.Lock()
-	if encoderCache.m == nil {
-		encoderCache.m = make(map[reflect.Type]encoderFunc)
-	}
-	var wg sync.WaitGroup
-	wg.Add(1)
-	encoderCache.m[t] = func(e *encodeState, v reflect.Value, quoted bool) {
-		wg.Wait()
-		f(e, v, quoted)
-	}
-	encoderCache.Unlock()
-
-	// Compute fields without lock.
-	// Might duplicate effort but won't hold other computations back.
-	f = newTypeEncoder(t, true)
-	wg.Done()
-	encoderCache.Lock()
-	encoderCache.m[t] = f
-	encoderCache.Unlock()
-	return f
-}
-
-var (
-	marshalerType     = reflect.TypeOf(new(Marshaler)).Elem()
-	textMarshalerType = reflect.TypeOf(new(encoding.TextMarshaler)).Elem()
-)
-
-// newTypeEncoder constructs an encoderFunc for a type.
-// The returned encoder only checks CanAddr when allowAddr is true.
-func newTypeEncoder(t reflect.Type, allowAddr bool) encoderFunc {
-	if t.Implements(marshalerType) {
-		return marshalerEncoder
-	}
-	if t.Kind() != reflect.Ptr && allowAddr {
-		if reflect.PtrTo(t).Implements(marshalerType) {
-			return newCondAddrEncoder(addrMarshalerEncoder, newTypeEncoder(t, false))
-		}
-	}
-
-	if t.Implements(textMarshalerType) {
-		return textMarshalerEncoder
-	}
-	if t.Kind() != reflect.Ptr && allowAddr {
-		if reflect.PtrTo(t).Implements(textMarshalerType) {
-			return newCondAddrEncoder(addrTextMarshalerEncoder, newTypeEncoder(t, false))
-		}
-	}
-
-	switch t.Kind() {
-	case reflect.Bool:
-		return boolEncoder
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		return intEncoder
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
-		return uintEncoder
-	case reflect.Float32:
-		return float32Encoder
-	case reflect.Float64:
-		return float64Encoder
-	case reflect.String:
-		return stringEncoder
-	case reflect.Interface:
-		return interfaceEncoder
-	case reflect.Struct:
-		return newStructEncoder(t)
-	case reflect.Map:
-		return newMapEncoder(t)
-	case reflect.Slice:
-		return newSliceEncoder(t)
-	case reflect.Array:
-		return newArrayEncoder(t)
-	case reflect.Ptr:
-		return newPtrEncoder(t)
-	default:
-		return unsupportedTypeEncoder
-	}
-}
-
-func invalidValueEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	e.WriteString("null")
-}
-
-func marshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Kind() == reflect.Ptr && v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := v.Interface().(Marshaler)
-	b, err := m.MarshalJSON()
-	if err == nil {
-		// copy JSON into buffer, checking validity.
-		err = compact(&e.Buffer, b, true)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func addrMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	va := v.Addr()
-	if va.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := va.Interface().(Marshaler)
-	b, err := m.MarshalJSON()
-	if err == nil {
-		// copy JSON into buffer, checking validity.
-		err = compact(&e.Buffer, b, true)
-	}
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-}
-
-func textMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Kind() == reflect.Ptr && v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := v.Interface().(encoding.TextMarshaler)
-	b, err := m.MarshalText()
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-	e.stringBytes(b)
-}
-
-func addrTextMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	va := v.Addr()
-	if va.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	m := va.Interface().(encoding.TextMarshaler)
-	b, err := m.MarshalText()
-	if err != nil {
-		e.error(&MarshalerError{v.Type(), err})
-	}
-	e.stringBytes(b)
-}
-
-func boolEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if quoted {
-		e.WriteByte('"')
-	}
-	if v.Bool() {
-		e.WriteString("true")
-	} else {
-		e.WriteString("false")
-	}
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-func intEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	b := strconv.AppendInt(e.scratch[:0], v.Int(), 10)
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-func uintEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	b := strconv.AppendUint(e.scratch[:0], v.Uint(), 10)
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-type floatEncoder int // number of bits
-
-func (bits floatEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	f := v.Float()
-	if math.IsInf(f, 0) || math.IsNaN(f) {
-		e.error(&UnsupportedValueError{v, strconv.FormatFloat(f, 'g', -1, int(bits))})
-	}
-	b := strconv.AppendFloat(e.scratch[:0], f, 'g', -1, int(bits))
-	if quoted {
-		e.WriteByte('"')
-	}
-	e.Write(b)
-	if quoted {
-		e.WriteByte('"')
-	}
-}
-
-var (
-	float32Encoder = (floatEncoder(32)).encode
-	float64Encoder = (floatEncoder(64)).encode
-)
-
-func stringEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.Type() == numberType {
-		numStr := v.String()
-		// In Go1.5 the empty string encodes to "0", while this is not a valid number literal
-		// we keep compatibility so check validity after this.
-		if numStr == "" {
-			numStr = "0" // Number's zero-val
-		}
-		if !isValidNumber(numStr) {
-			e.error(fmt.Errorf("json: invalid number literal %q", numStr))
-		}
-		e.WriteString(numStr)
-		return
-	}
-	if quoted {
-		sb, err := Marshal(v.String())
-		if err != nil {
-			e.error(err)
-		}
-		e.string(string(sb))
-	} else {
-		e.string(v.String())
-	}
-}
-
-func interfaceEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	e.reflectValue(v.Elem())
-}
-
-func unsupportedTypeEncoder(e *encodeState, v reflect.Value, quoted bool) {
-	e.error(&UnsupportedTypeError{v.Type()})
-}
-
-type structEncoder struct {
-	fields    []field
-	fieldEncs []encoderFunc
-}
-
-func (se *structEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	e.WriteByte('{')
-	first := true
-	for i, f := range se.fields {
-		fv := fieldByIndex(v, f.index)
-		if !fv.IsValid() || f.omitEmpty && isEmptyValue(fv) {
-			continue
-		}
-		if first {
-			first = false
-		} else {
-			e.WriteByte(',')
-		}
-		e.string(f.name)
-		e.WriteByte(':')
-		se.fieldEncs[i](e, fv, f.quoted)
-	}
-	e.WriteByte('}')
-}
-
-func newStructEncoder(t reflect.Type) encoderFunc {
-	fields := cachedTypeFields(t)
-	se := &structEncoder{
-		fields:    fields,
-		fieldEncs: make([]encoderFunc, len(fields)),
-	}
-	for i, f := range fields {
-		se.fieldEncs[i] = typeEncoder(typeByIndex(t, f.index))
-	}
-	return se.encode
-}
-
-type mapEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (me *mapEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	e.WriteByte('{')
-	var sv stringValues = v.MapKeys()
-	sort.Sort(sv)
-	for i, k := range sv {
-		if i > 0 {
-			e.WriteByte(',')
-		}
-		e.string(k.String())
-		e.WriteByte(':')
-		me.elemEnc(e, v.MapIndex(k), false)
-	}
-	e.WriteByte('}')
-}
-
-func newMapEncoder(t reflect.Type) encoderFunc {
-	if t.Key().Kind() != reflect.String {
-		return unsupportedTypeEncoder
-	}
-	me := &mapEncoder{typeEncoder(t.Elem())}
-	return me.encode
-}
-
-func encodeByteSlice(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	s := v.Bytes()
-	e.WriteByte('"')
-	if len(s) < 1024 {
-		// for small buffers, using Encode directly is much faster.
-		dst := make([]byte, base64.StdEncoding.EncodedLen(len(s)))
-		base64.StdEncoding.Encode(dst, s)
-		e.Write(dst)
-	} else {
-		// for large buffers, avoid unnecessary extra temporary
-		// buffer space.
-		enc := base64.NewEncoder(base64.StdEncoding, e)
-		_, _ = enc.Write(s)
-		enc.Close()
-	}
-	e.WriteByte('"')
-}
-
-// sliceEncoder just wraps an arrayEncoder, checking to make sure the value isn't nil.
-type sliceEncoder struct {
-	arrayEnc encoderFunc
-}
-
-func (se *sliceEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	se.arrayEnc(e, v, false)
-}
-
-func newSliceEncoder(t reflect.Type) encoderFunc {
-	// Byte slices get special treatment; arrays don't.
-	if t.Elem().Kind() == reflect.Uint8 {
-		return encodeByteSlice
-	}
-	enc := &sliceEncoder{newArrayEncoder(t)}
-	return enc.encode
-}
-
-type arrayEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (ae *arrayEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
-	e.WriteByte('[')
-	n := v.Len()
-	for i := 0; i < n; i++ {
-		if i > 0 {
-			e.WriteByte(',')
-		}
-		ae.elemEnc(e, v.Index(i), false)
-	}
-	e.WriteByte(']')
-}
-
-func newArrayEncoder(t reflect.Type) encoderFunc {
-	enc := &arrayEncoder{typeEncoder(t.Elem())}
-	return enc.encode
-}
-
-type ptrEncoder struct {
-	elemEnc encoderFunc
-}
-
-func (pe *ptrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	if v.IsNil() {
-		e.WriteString("null")
-		return
-	}
-	pe.elemEnc(e, v.Elem(), quoted)
-}
-
-func newPtrEncoder(t reflect.Type) encoderFunc {
-	enc := &ptrEncoder{typeEncoder(t.Elem())}
-	return enc.encode
-}
-
-type condAddrEncoder struct {
-	canAddrEnc, elseEnc encoderFunc
-}
-
-func (ce *condAddrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
-	if v.CanAddr() {
-		ce.canAddrEnc(e, v, quoted)
-	} else {
-		ce.elseEnc(e, v, quoted)
-	}
-}
-
-// newCondAddrEncoder returns an encoder that checks whether its value
-// CanAddr and delegates to canAddrEnc if so, else to elseEnc.
-func newCondAddrEncoder(canAddrEnc, elseEnc encoderFunc) encoderFunc {
-	enc := &condAddrEncoder{canAddrEnc: canAddrEnc, elseEnc: elseEnc}
-	return enc.encode
-}
-
-func isValidTag(s string) bool {
-	if s == "" {
-		return false
-	}
-	for _, c := range s {
-		switch {
-		case strings.ContainsRune("!#$%&()*+-./:<=>?@[]^_{|}~ ", c):
-			// Backslash and quote chars are reserved, but
-			// otherwise any punctuation chars are allowed
-			// in a tag name.
-		default:
-			if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
-				return false
-			}
-		}
-	}
-	return true
-}
-
-func fieldByIndex(v reflect.Value, index []int) reflect.Value {
-	for _, i := range index {
-		if v.Kind() == reflect.Ptr {
-			if v.IsNil() {
-				return reflect.Value{}
-			}
-			v = v.Elem()
-		}
-		v = v.Field(i)
-	}
-	return v
-}
-
-func typeByIndex(t reflect.Type, index []int) reflect.Type {
-	for _, i := range index {
-		if t.Kind() == reflect.Ptr {
-			t = t.Elem()
-		}
-		t = t.Field(i).Type
-	}
-	return t
-}
-
-// stringValues is a slice of reflect.Value holding *reflect.StringValue.
-// It implements the methods to sort by string.
-type stringValues []reflect.Value
-
-func (sv stringValues) Len() int           { return len(sv) }
-func (sv stringValues) Swap(i, j int)      { sv[i], sv[j] = sv[j], sv[i] }
-func (sv stringValues) Less(i, j int) bool { return sv.get(i) < sv.get(j) }
-func (sv stringValues) get(i int) string   { return sv[i].String() }
-
-// NOTE: keep in sync with stringBytes below.
-func (e *encodeState) string(s string) int {
-	len0 := e.Len()
-	e.WriteByte('"')
-	start := 0
-	for i := 0; i < len(s); {
-		if b := s[i]; b < utf8.RuneSelf {
-			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
-				i++
-				continue
-			}
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			switch b {
-			case '\\', '"':
-				e.WriteByte('\\')
-				e.WriteByte(b)
-			case '\n':
-				e.WriteByte('\\')
-				e.WriteByte('n')
-			case '\r':
-				e.WriteByte('\\')
-				e.WriteByte('r')
-			case '\t':
-				e.WriteByte('\\')
-				e.WriteByte('t')
-			default:
-				// This encodes bytes < 0x20 except for \n and \r,
-				// as well as <, > and &. The latter are escaped because they
-				// can lead to security holes when user-controlled strings
-				// are rendered into JSON and served to some browsers.
-				e.WriteString(`\u00`)
-				e.WriteByte(hex[b>>4])
-				e.WriteByte(hex[b&0xF])
-			}
-			i++
-			start = i
-			continue
-		}
-		c, size := utf8.DecodeRuneInString(s[i:])
-		if c == utf8.RuneError && size == 1 {
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			e.WriteString(`\ufffd`)
-			i += size
-			start = i
-			continue
-		}
-		// U+2028 is LINE SEPARATOR.
-		// U+2029 is PARAGRAPH SEPARATOR.
-		// They are both technically valid characters in JSON strings,
-		// but don't work in JSONP, which has to be evaluated as JavaScript,
-		// and can lead to security holes there. It is valid JSON to
-		// escape them, so we do so unconditionally.
-		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
-		if c == '\u2028' || c == '\u2029' {
-			if start < i {
-				e.WriteString(s[start:i])
-			}
-			e.WriteString(`\u202`)
-			e.WriteByte(hex[c&0xF])
-			i += size
-			start = i
-			continue
-		}
-		i += size
-	}
-	if start < len(s) {
-		e.WriteString(s[start:])
-	}
-	e.WriteByte('"')
-	return e.Len() - len0
-}
-
-// NOTE: keep in sync with string above.
-func (e *encodeState) stringBytes(s []byte) int {
-	len0 := e.Len()
-	e.WriteByte('"')
-	start := 0
-	for i := 0; i < len(s); {
-		if b := s[i]; b < utf8.RuneSelf {
-			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
-				i++
-				continue
-			}
-			if start < i {
-				e.Write(s[start:i])
-			}
-			switch b {
-			case '\\', '"':
-				e.WriteByte('\\')
-				e.WriteByte(b)
-			case '\n':
-				e.WriteByte('\\')
-				e.WriteByte('n')
-			case '\r':
-				e.WriteByte('\\')
-				e.WriteByte('r')
-			case '\t':
-				e.WriteByte('\\')
-				e.WriteByte('t')
-			default:
-				// This encodes bytes < 0x20 except for \n and \r,
-				// as well as <, >, and &. The latter are escaped because they
-				// can lead to security holes when user-controlled strings
-				// are rendered into JSON and served to some browsers.
-				e.WriteString(`\u00`)
-				e.WriteByte(hex[b>>4])
-				e.WriteByte(hex[b&0xF])
-			}
-			i++
-			start = i
-			continue
-		}
-		c, size := utf8.DecodeRune(s[i:])
-		if c == utf8.RuneError && size == 1 {
-			if start < i {
-				e.Write(s[start:i])
-			}
-			e.WriteString(`\ufffd`)
-			i += size
-			start = i
-			continue
-		}
-		// U+2028 is LINE SEPARATOR.
-		// U+2029 is PARAGRAPH SEPARATOR.
-		// They are both technically valid characters in JSON strings,
-		// but don't work in JSONP, which has to be evaluated as JavaScript,
-		// and can lead to security holes there. It is valid JSON to
-		// escape them, so we do so unconditionally.
-		// See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
-		if c == '\u2028' || c == '\u2029' {
-			if start < i {
-				e.Write(s[start:i])
-			}
-			e.WriteString(`\u202`)
-			e.WriteByte(hex[c&0xF])
-			i += size
-			start = i
-			continue
-		}
-		i += size
-	}
-	if start < len(s) {
-		e.Write(s[start:])
-	}
-	e.WriteByte('"')
-	return e.Len() - len0
-}
-
-// A field represents a single field found in a struct.
-type field struct {
-	name      string
-	nameBytes []byte // []byte(name)
-
-	tag       bool
-	index     []int
-	typ       reflect.Type
-	omitEmpty bool
-	quoted    bool
-}
-
-func fillField(f field) field {
-	f.nameBytes = []byte(f.name)
-	return f
-}
-
-// byName sorts field by name, breaking ties with depth,
-// then breaking ties with "name came from json tag", then
-// breaking ties with index sequence.
-type byName []field
-
-func (x byName) Len() int { return len(x) }
-
-func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byName) Less(i, j int) bool {
-	if x[i].name != x[j].name {
-		return x[i].name < x[j].name
-	}
-	if len(x[i].index) != len(x[j].index) {
-		return len(x[i].index) < len(x[j].index)
-	}
-	if x[i].tag != x[j].tag {
-		return x[i].tag
-	}
-	return byIndex(x).Less(i, j)
-}
-
-// byIndex sorts field by index sequence.
-type byIndex []field
-
-func (x byIndex) Len() int { return len(x) }
-
-func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byIndex) Less(i, j int) bool {
-	for k, xik := range x[i].index {
-		if k >= len(x[j].index) {
-			return false
-		}
-		if xik != x[j].index[k] {
-			return xik < x[j].index[k]
-		}
-	}
-	return len(x[i].index) < len(x[j].index)
-}
-
-// typeFields returns a list of fields that JSON should recognize for the given type.
-// The algorithm is breadth-first search over the set of structs to include - the top struct
-// and then any reachable anonymous structs.
-func typeFields(t reflect.Type) []field {
-	// Anonymous fields to explore at the current level and the next.
-	current := []field{}
-	next := []field{{typ: t}}
-
-	// Count of queued names for current level and the next.
-	count := map[reflect.Type]int{}
-	nextCount := map[reflect.Type]int{}
-
-	// Types already visited at an earlier level.
-	visited := map[reflect.Type]bool{}
-
-	// Fields found.
-	var fields []field
-
-	for len(next) > 0 {
-		current, next = next, current[:0]
-		count, nextCount = nextCount, map[reflect.Type]int{}
-
-		for _, f := range current {
-			if visited[f.typ] {
-				continue
-			}
-			visited[f.typ] = true
-
-			// Scan f.typ for fields to include.
-			for i := 0; i < f.typ.NumField(); i++ {
-				sf := f.typ.Field(i)
-				if sf.PkgPath != "" && !sf.Anonymous { // unexported
-					continue
-				}
-				tag := sf.Tag.Get("json")
-				if tag == "-" {
-					continue
-				}
-				name, opts := parseTag(tag)
-				if !isValidTag(name) {
-					name = ""
-				}
-				index := make([]int, len(f.index)+1)
-				copy(index, f.index)
-				index[len(f.index)] = i
-
-				ft := sf.Type
-				if ft.Name() == "" && ft.Kind() == reflect.Ptr {
-					// Follow pointer.
-					ft = ft.Elem()
-				}
-
-				// Only strings, floats, integers, and booleans can be quoted.
-				quoted := false
-				if opts.Contains("string") {
-					switch ft.Kind() {
-					case reflect.Bool,
-						reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
-						reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
-						reflect.Float32, reflect.Float64,
-						reflect.String:
-						quoted = true
-					}
-				}
-
-				// Record found field and index sequence.
-				if name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct {
-					tagged := name != ""
-					if name == "" {
-						name = sf.Name
-					}
-					fields = append(fields, fillField(field{
-						name:      name,
-						tag:       tagged,
-						index:     index,
-						typ:       ft,
-						omitEmpty: opts.Contains("omitempty"),
-						quoted:    quoted,
-					}))
-					if count[f.typ] > 1 {
-						// If there were multiple instances, add a second,
-						// so that the annihilation code will see a duplicate.
-						// It only cares about the distinction between 1 or 2,
-						// so don't bother generating any more copies.
-						fields = append(fields, fields[len(fields)-1])
-					}
-					continue
-				}
-
-				// Record new anonymous struct to explore in next round.
-				nextCount[ft]++
-				if nextCount[ft] == 1 {
-					next = append(next, fillField(field{name: ft.Name(), index: index, typ: ft}))
-				}
-			}
-		}
-	}
-
-	sort.Sort(byName(fields))
-
-	// Delete all fields that are hidden by the Go rules for embedded fields,
-	// except that fields with JSON tags are promoted.
-
-	// The fields are sorted in primary order of name, secondary order
-	// of field index length. Loop over names; for each name, delete
-	// hidden fields by choosing the one dominant field that survives.
-	out := fields[:0]
-	for advance, i := 0, 0; i < len(fields); i += advance {
-		// One iteration per name.
-		// Find the sequence of fields with the name of this first field.
-		fi := fields[i]
-		name := fi.name
-		for advance = 1; i+advance < len(fields); advance++ {
-			fj := fields[i+advance]
-			if fj.name != name {
-				break
-			}
-		}
-		if advance == 1 { // Only one field with this name
-			out = append(out, fi)
-			continue
-		}
-		dominant, ok := dominantField(fields[i : i+advance])
-		if ok {
-			out = append(out, dominant)
-		}
-	}
-
-	fields = out
-	sort.Sort(byIndex(fields))
-
-	return fields
-}
-
-// dominantField looks through the fields, all of which are known to
-// have the same name, to find the single field that dominates the
-// others using Go's embedding rules, modified by the presence of
-// JSON tags. If there are multiple top-level fields, the boolean
-// will be false: This condition is an error in Go and we skip all
-// the fields.
-func dominantField(fields []field) (field, bool) {
-	// The fields are sorted in increasing index-length order. The winner
-	// must therefore be one with the shortest index length. Drop all
-	// longer entries, which is easy: just truncate the slice.
-	length := len(fields[0].index)
-	tagged := -1 // Index of first tagged field.
-	for i, f := range fields {
-		if len(f.index) > length {
-			fields = fields[:i]
-			break
-		}
-		if f.tag {
-			if tagged >= 0 {
-				// Multiple tagged fields at the same level: conflict.
-				// Return no field.
-				return field{}, false
-			}
-			tagged = i
-		}
-	}
-	if tagged >= 0 {
-		return fields[tagged], true
-	}
-	// All remaining fields have the same length. If there's more than one,
-	// we have a conflict (two fields named "X" at the same level) and we
-	// return no field.
-	if len(fields) > 1 {
-		return field{}, false
-	}
-	return fields[0], true
-}
-
-var fieldCache struct {
-	sync.RWMutex
-	m map[reflect.Type][]field
-}
-
-// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.
-func cachedTypeFields(t reflect.Type) []field {
-	fieldCache.RLock()
-	f := fieldCache.m[t]
-	fieldCache.RUnlock()
-	if f != nil {
-		return f
-	}
-
-	// Compute fields without lock.
-	// Might duplicate effort but won't hold other computations back.
-	f = typeFields(t)
-	if f == nil {
-		f = []field{}
-	}
-
-	fieldCache.Lock()
-	if fieldCache.m == nil {
-		fieldCache.m = map[reflect.Type][]field{}
-	}
-	fieldCache.m[t] = f
-	fieldCache.Unlock()
-	return f
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/json/indent.go b/vendor/github.com/go-jose/go-jose/v4/json/indent.go
deleted file mode 100644
index 7cd9f4db184..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/json/indent.go
+++ /dev/null
@@ -1,141 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import "bytes"
-
-// Compact appends to dst the JSON-encoded src with
-// insignificant space characters elided.
-func Compact(dst *bytes.Buffer, src []byte) error {
-	return compact(dst, src, false)
-}
-
-func compact(dst *bytes.Buffer, src []byte, escape bool) error {
-	origLen := dst.Len()
-	var scan scanner
-	scan.reset()
-	start := 0
-	for i, c := range src {
-		if escape && (c == '<' || c == '>' || c == '&') {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u00`)
-			dst.WriteByte(hex[c>>4])
-			dst.WriteByte(hex[c&0xF])
-			start = i + 1
-		}
-		// Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
-		if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			dst.WriteString(`\u202`)
-			dst.WriteByte(hex[src[i+2]&0xF])
-			start = i + 3
-		}
-		v := scan.step(&scan, c)
-		if v >= scanSkipSpace {
-			if v == scanError {
-				break
-			}
-			if start < i {
-				dst.Write(src[start:i])
-			}
-			start = i + 1
-		}
-	}
-	if scan.eof() == scanError {
-		dst.Truncate(origLen)
-		return scan.err
-	}
-	if start < len(src) {
-		dst.Write(src[start:])
-	}
-	return nil
-}
-
-func newline(dst *bytes.Buffer, prefix, indent string, depth int) {
-	dst.WriteByte('\n')
-	dst.WriteString(prefix)
-	for i := 0; i < depth; i++ {
-		dst.WriteString(indent)
-	}
-}
-
-// Indent appends to dst an indented form of the JSON-encoded src.
-// Each element in a JSON object or array begins on a new,
-// indented line beginning with prefix followed by one or more
-// copies of indent according to the indentation nesting.
-// The data appended to dst does not begin with the prefix nor
-// any indentation, to make it easier to embed inside other formatted JSON data.
-// Although leading space characters (space, tab, carriage return, newline)
-// at the beginning of src are dropped, trailing space characters
-// at the end of src are preserved and copied to dst.
-// For example, if src has no trailing spaces, neither will dst;
-// if src ends in a trailing newline, so will dst.
-func Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
-	origLen := dst.Len()
-	var scan scanner
-	scan.reset()
-	needIndent := false
-	depth := 0
-	for _, c := range src {
-		scan.bytes++
-		v := scan.step(&scan, c)
-		if v == scanSkipSpace {
-			continue
-		}
-		if v == scanError {
-			break
-		}
-		if needIndent && v != scanEndObject && v != scanEndArray {
-			needIndent = false
-			depth++
-			newline(dst, prefix, indent, depth)
-		}
-
-		// Emit semantically uninteresting bytes
-		// (in particular, punctuation in strings) unmodified.
-		if v == scanContinue {
-			dst.WriteByte(c)
-			continue
-		}
-
-		// Add spacing around real punctuation.
-		switch c {
-		case '{', '[':
-			// delay indent so that empty object and array are formatted as {} and [].
-			needIndent = true
-			dst.WriteByte(c)
-
-		case ',':
-			dst.WriteByte(c)
-			newline(dst, prefix, indent, depth)
-
-		case ':':
-			dst.WriteByte(c)
-			dst.WriteByte(' ')
-
-		case '}', ']':
-			if needIndent {
-				// suppress indent in empty object/array
-				needIndent = false
-			} else {
-				depth--
-				newline(dst, prefix, indent, depth)
-			}
-			dst.WriteByte(c)
-
-		default:
-			dst.WriteByte(c)
-		}
-	}
-	if scan.eof() == scanError {
-		dst.Truncate(origLen)
-		return scan.err
-	}
-	return nil
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/json/scanner.go b/vendor/github.com/go-jose/go-jose/v4/json/scanner.go
deleted file mode 100644
index ee6622e8cf8..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/json/scanner.go
+++ /dev/null
@@ -1,623 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-// JSON value parser state machine.
-// Just about at the limit of what is reasonable to write by hand.
-// Some parts are a bit tedious, but overall it nicely factors out the
-// otherwise common code from the multiple scanning functions
-// in this package (Compact, Indent, checkValid, nextValue, etc).
-//
-// This file starts with two simple examples using the scanner
-// before diving into the scanner itself.
-
-import "strconv"
-
-// checkValid verifies that data is valid JSON-encoded data.
-// scan is passed in for use by checkValid to avoid an allocation.
-func checkValid(data []byte, scan *scanner) error {
-	scan.reset()
-	for _, c := range data {
-		scan.bytes++
-		if scan.step(scan, c) == scanError {
-			return scan.err
-		}
-	}
-	if scan.eof() == scanError {
-		return scan.err
-	}
-	return nil
-}
-
-// nextValue splits data after the next whole JSON value,
-// returning that value and the bytes that follow it as separate slices.
-// scan is passed in for use by nextValue to avoid an allocation.
-func nextValue(data []byte, scan *scanner) (value, rest []byte, err error) {
-	scan.reset()
-	for i, c := range data {
-		v := scan.step(scan, c)
-		if v >= scanEndObject {
-			switch v {
-			// probe the scanner with a space to determine whether we will
-			// get scanEnd on the next character. Otherwise, if the next character
-			// is not a space, scanEndTop allocates a needless error.
-			case scanEndObject, scanEndArray:
-				if scan.step(scan, ' ') == scanEnd {
-					return data[:i+1], data[i+1:], nil
-				}
-			case scanError:
-				return nil, nil, scan.err
-			case scanEnd:
-				return data[:i], data[i:], nil
-			}
-		}
-	}
-	if scan.eof() == scanError {
-		return nil, nil, scan.err
-	}
-	return data, nil, nil
-}
-
-// A SyntaxError is a description of a JSON syntax error.
-type SyntaxError struct {
-	msg    string // description of error
-	Offset int64  // error occurred after reading Offset bytes
-}
-
-func (e *SyntaxError) Error() string { return e.msg }
-
-// A scanner is a JSON scanning state machine.
-// Callers call scan.reset() and then pass bytes in one at a time
-// by calling scan.step(&scan, c) for each byte.
-// The return value, referred to as an opcode, tells the
-// caller about significant parsing events like beginning
-// and ending literals, objects, and arrays, so that the
-// caller can follow along if it wishes.
-// The return value scanEnd indicates that a single top-level
-// JSON value has been completed, *before* the byte that
-// just got passed in.  (The indication must be delayed in order
-// to recognize the end of numbers: is 123 a whole value or
-// the beginning of 12345e+6?).
-type scanner struct {
-	// The step is a func to be called to execute the next transition.
-	// Also tried using an integer constant and a single func
-	// with a switch, but using the func directly was 10% faster
-	// on a 64-bit Mac Mini, and it's nicer to read.
-	step func(*scanner, byte) int
-
-	// Reached end of top-level value.
-	endTop bool
-
-	// Stack of what we're in the middle of - array values, object keys, object values.
-	parseState []int
-
-	// Error that happened, if any.
-	err error
-
-	// 1-byte redo (see undo method)
-	redo      bool
-	redoCode  int
-	redoState func(*scanner, byte) int
-
-	// total bytes consumed, updated by decoder.Decode
-	bytes int64
-}
-
-// These values are returned by the state transition functions
-// assigned to scanner.state and the method scanner.eof.
-// They give details about the current state of the scan that
-// callers might be interested to know about.
-// It is okay to ignore the return value of any particular
-// call to scanner.state: if one call returns scanError,
-// every subsequent call will return scanError too.
-const (
-	// Continue.
-	scanContinue     = iota // uninteresting byte
-	scanBeginLiteral        // end implied by next result != scanContinue
-	scanBeginObject         // begin object
-	scanObjectKey           // just finished object key (string)
-	scanObjectValue         // just finished non-last object value
-	scanEndObject           // end object (implies scanObjectValue if possible)
-	scanBeginArray          // begin array
-	scanArrayValue          // just finished array value
-	scanEndArray            // end array (implies scanArrayValue if possible)
-	scanSkipSpace           // space byte; can skip; known to be last "continue" result
-
-	// Stop.
-	scanEnd   // top-level value ended *before* this byte; known to be first "stop" result
-	scanError // hit an error, scanner.err.
-)
-
-// These values are stored in the parseState stack.
-// They give the current state of a composite value
-// being scanned.  If the parser is inside a nested value
-// the parseState describes the nested state, outermost at entry 0.
-const (
-	parseObjectKey   = iota // parsing object key (before colon)
-	parseObjectValue        // parsing object value (after colon)
-	parseArrayValue         // parsing array value
-)
-
-// reset prepares the scanner for use.
-// It must be called before calling s.step.
-func (s *scanner) reset() {
-	s.step = stateBeginValue
-	s.parseState = s.parseState[0:0]
-	s.err = nil
-	s.redo = false
-	s.endTop = false
-}
-
-// eof tells the scanner that the end of input has been reached.
-// It returns a scan status just as s.step does.
-func (s *scanner) eof() int {
-	if s.err != nil {
-		return scanError
-	}
-	if s.endTop {
-		return scanEnd
-	}
-	s.step(s, ' ')
-	if s.endTop {
-		return scanEnd
-	}
-	if s.err == nil {
-		s.err = &SyntaxError{"unexpected end of JSON input", s.bytes}
-	}
-	return scanError
-}
-
-// pushParseState pushes a new parse state p onto the parse stack.
-func (s *scanner) pushParseState(p int) {
-	s.parseState = append(s.parseState, p)
-}
-
-// popParseState pops a parse state (already obtained) off the stack
-// and updates s.step accordingly.
-func (s *scanner) popParseState() {
-	n := len(s.parseState) - 1
-	s.parseState = s.parseState[0:n]
-	s.redo = false
-	if n == 0 {
-		s.step = stateEndTop
-		s.endTop = true
-	} else {
-		s.step = stateEndValue
-	}
-}
-
-func isSpace(c byte) bool {
-	return c == ' ' || c == '\t' || c == '\r' || c == '\n'
-}
-
-// stateBeginValueOrEmpty is the state after reading `[`.
-func stateBeginValueOrEmpty(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == ']' {
-		return stateEndValue(s, c)
-	}
-	return stateBeginValue(s, c)
-}
-
-// stateBeginValue is the state at the beginning of the input.
-func stateBeginValue(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	switch c {
-	case '{':
-		s.step = stateBeginStringOrEmpty
-		s.pushParseState(parseObjectKey)
-		return scanBeginObject
-	case '[':
-		s.step = stateBeginValueOrEmpty
-		s.pushParseState(parseArrayValue)
-		return scanBeginArray
-	case '"':
-		s.step = stateInString
-		return scanBeginLiteral
-	case '-':
-		s.step = stateNeg
-		return scanBeginLiteral
-	case '0': // beginning of 0.123
-		s.step = state0
-		return scanBeginLiteral
-	case 't': // beginning of true
-		s.step = stateT
-		return scanBeginLiteral
-	case 'f': // beginning of false
-		s.step = stateF
-		return scanBeginLiteral
-	case 'n': // beginning of null
-		s.step = stateN
-		return scanBeginLiteral
-	}
-	if '1' <= c && c <= '9' { // beginning of 1234.5
-		s.step = state1
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of value")
-}
-
-// stateBeginStringOrEmpty is the state after reading `{`.
-func stateBeginStringOrEmpty(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '}' {
-		n := len(s.parseState)
-		s.parseState[n-1] = parseObjectValue
-		return stateEndValue(s, c)
-	}
-	return stateBeginString(s, c)
-}
-
-// stateBeginString is the state after reading `{"key": value,`.
-func stateBeginString(s *scanner, c byte) int {
-	if c <= ' ' && isSpace(c) {
-		return scanSkipSpace
-	}
-	if c == '"' {
-		s.step = stateInString
-		return scanBeginLiteral
-	}
-	return s.error(c, "looking for beginning of object key string")
-}
-
-// stateEndValue is the state after completing a value,
-// such as after reading `{}` or `true` or `["x"`.
-func stateEndValue(s *scanner, c byte) int {
-	n := len(s.parseState)
-	if n == 0 {
-		// Completed top-level before the current byte.
-		s.step = stateEndTop
-		s.endTop = true
-		return stateEndTop(s, c)
-	}
-	if c <= ' ' && isSpace(c) {
-		s.step = stateEndValue
-		return scanSkipSpace
-	}
-	ps := s.parseState[n-1]
-	switch ps {
-	case parseObjectKey:
-		if c == ':' {
-			s.parseState[n-1] = parseObjectValue
-			s.step = stateBeginValue
-			return scanObjectKey
-		}
-		return s.error(c, "after object key")
-	case parseObjectValue:
-		if c == ',' {
-			s.parseState[n-1] = parseObjectKey
-			s.step = stateBeginString
-			return scanObjectValue
-		}
-		if c == '}' {
-			s.popParseState()
-			return scanEndObject
-		}
-		return s.error(c, "after object key:value pair")
-	case parseArrayValue:
-		if c == ',' {
-			s.step = stateBeginValue
-			return scanArrayValue
-		}
-		if c == ']' {
-			s.popParseState()
-			return scanEndArray
-		}
-		return s.error(c, "after array element")
-	}
-	return s.error(c, "")
-}
-
-// stateEndTop is the state after finishing the top-level value,
-// such as after reading `{}` or `[1,2,3]`.
-// Only space characters should be seen now.
-func stateEndTop(s *scanner, c byte) int {
-	if c != ' ' && c != '\t' && c != '\r' && c != '\n' {
-		// Complain about non-space byte on next call.
-		s.error(c, "after top-level value")
-	}
-	return scanEnd
-}
-
-// stateInString is the state after reading `"`.
-func stateInString(s *scanner, c byte) int {
-	if c == '"' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	if c == '\\' {
-		s.step = stateInStringEsc
-		return scanContinue
-	}
-	if c < 0x20 {
-		return s.error(c, "in string literal")
-	}
-	return scanContinue
-}
-
-// stateInStringEsc is the state after reading `"\` during a quoted string.
-func stateInStringEsc(s *scanner, c byte) int {
-	switch c {
-	case 'b', 'f', 'n', 'r', 't', '\\', '/', '"':
-		s.step = stateInString
-		return scanContinue
-	case 'u':
-		s.step = stateInStringEscU
-		return scanContinue
-	}
-	return s.error(c, "in string escape code")
-}
-
-// stateInStringEscU is the state after reading `"\u` during a quoted string.
-func stateInStringEscU(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU1
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU1 is the state after reading `"\u1` during a quoted string.
-func stateInStringEscU1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU12
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU12 is the state after reading `"\u12` during a quoted string.
-func stateInStringEscU12(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInStringEscU123
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU123 is the state after reading `"\u123` during a quoted string.
-func stateInStringEscU123(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
-		s.step = stateInString
-		return scanContinue
-	}
-	// numbers
-	return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateNeg is the state after reading `-` during a number.
-func stateNeg(s *scanner, c byte) int {
-	if c == '0' {
-		s.step = state0
-		return scanContinue
-	}
-	if '1' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return s.error(c, "in numeric literal")
-}
-
-// state1 is the state after reading a non-zero integer during a number,
-// such as after reading `1` or `100` but not `0`.
-func state1(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = state1
-		return scanContinue
-	}
-	return state0(s, c)
-}
-
-// state0 is the state after reading `0` during a number.
-func state0(s *scanner, c byte) int {
-	if c == '.' {
-		s.step = stateDot
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateDot is the state after reading the integer and decimal point in a number,
-// such as after reading `1.`.
-func stateDot(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateDot0
-		return scanContinue
-	}
-	return s.error(c, "after decimal point in numeric literal")
-}
-
-// stateDot0 is the state after reading the integer, decimal point, and subsequent
-// digits of a number, such as after reading `3.14`.
-func stateDot0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	if c == 'e' || c == 'E' {
-		s.step = stateE
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateE is the state after reading the mantissa and e in a number,
-// such as after reading `314e` or `0.314e`.
-func stateE(s *scanner, c byte) int {
-	if c == '+' || c == '-' {
-		s.step = stateESign
-		return scanContinue
-	}
-	return stateESign(s, c)
-}
-
-// stateESign is the state after reading the mantissa, e, and sign in a number,
-// such as after reading `314e-` or `0.314e+`.
-func stateESign(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		s.step = stateE0
-		return scanContinue
-	}
-	return s.error(c, "in exponent of numeric literal")
-}
-
-// stateE0 is the state after reading the mantissa, e, optional sign,
-// and at least one digit of the exponent in a number,
-// such as after reading `314e-2` or `0.314e+1` or `3.14e0`.
-func stateE0(s *scanner, c byte) int {
-	if '0' <= c && c <= '9' {
-		return scanContinue
-	}
-	return stateEndValue(s, c)
-}
-
-// stateT is the state after reading `t`.
-func stateT(s *scanner, c byte) int {
-	if c == 'r' {
-		s.step = stateTr
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'r')")
-}
-
-// stateTr is the state after reading `tr`.
-func stateTr(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateTru
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'u')")
-}
-
-// stateTru is the state after reading `tru`.
-func stateTru(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal true (expecting 'e')")
-}
-
-// stateF is the state after reading `f`.
-func stateF(s *scanner, c byte) int {
-	if c == 'a' {
-		s.step = stateFa
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'a')")
-}
-
-// stateFa is the state after reading `fa`.
-func stateFa(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateFal
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'l')")
-}
-
-// stateFal is the state after reading `fal`.
-func stateFal(s *scanner, c byte) int {
-	if c == 's' {
-		s.step = stateFals
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 's')")
-}
-
-// stateFals is the state after reading `fals`.
-func stateFals(s *scanner, c byte) int {
-	if c == 'e' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal false (expecting 'e')")
-}
-
-// stateN is the state after reading `n`.
-func stateN(s *scanner, c byte) int {
-	if c == 'u' {
-		s.step = stateNu
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'u')")
-}
-
-// stateNu is the state after reading `nu`.
-func stateNu(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateNul
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateNul is the state after reading `nul`.
-func stateNul(s *scanner, c byte) int {
-	if c == 'l' {
-		s.step = stateEndValue
-		return scanContinue
-	}
-	return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateError is the state after reaching a syntax error,
-// such as after reading `[1}` or `5.1.2`.
-func stateError(s *scanner, c byte) int {
-	return scanError
-}
-
-// error records an error and switches to the error state.
-func (s *scanner) error(c byte, context string) int {
-	s.step = stateError
-	s.err = &SyntaxError{"invalid character " + quoteChar(c) + " " + context, s.bytes}
-	return scanError
-}
-
-// quoteChar formats c as a quoted character literal
-func quoteChar(c byte) string {
-	// special cases - different from quoted strings
-	if c == '\'' {
-		return `'\''`
-	}
-	if c == '"' {
-		return `'"'`
-	}
-
-	// use quoted string with different quotation marks
-	s := strconv.Quote(string(c))
-	return "'" + s[1:len(s)-1] + "'"
-}
-
-// undo causes the scanner to return scanCode from the next state transition.
-// This gives callers a simple 1-byte undo mechanism.
-func (s *scanner) undo(scanCode int) {
-	if s.redo {
-		panic("json: invalid use of scanner")
-	}
-	s.redoCode = scanCode
-	s.redoState = s.step
-	s.step = stateRedo
-	s.redo = true
-}
-
-// stateRedo helps implement the scanner's 1-byte undo.
-func stateRedo(s *scanner, c byte) int {
-	s.redo = false
-	s.step = s.redoState
-	return s.redoCode
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/json/stream.go b/vendor/github.com/go-jose/go-jose/v4/json/stream.go
deleted file mode 100644
index f03b171e6a4..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/json/stream.go
+++ /dev/null
@@ -1,484 +0,0 @@
-// Copyright 2010 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"bytes"
-	"errors"
-	"io"
-)
-
-// A Decoder reads and decodes JSON objects from an input stream.
-type Decoder struct {
-	r     io.Reader
-	buf   []byte
-	d     decodeState
-	scanp int // start of unread data in buf
-	scan  scanner
-	err   error
-
-	tokenState int
-	tokenStack []int
-}
-
-// NewDecoder returns a new decoder that reads from r.
-//
-// The decoder introduces its own buffering and may
-// read data from r beyond the JSON values requested.
-func NewDecoder(r io.Reader) *Decoder {
-	return &Decoder{r: r}
-}
-
-// Deprecated: Use `SetNumberType` instead
-// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
-// Number instead of as a float64.
-func (dec *Decoder) UseNumber() { dec.d.numberType = UnmarshalJSONNumber }
-
-// SetNumberType causes the Decoder to unmarshal a number into an interface{} as a
-// Number, float64 or int64 depending on `t` enum value.
-func (dec *Decoder) SetNumberType(t NumberUnmarshalType) { dec.d.numberType = t }
-
-// Decode reads the next JSON-encoded value from its
-// input and stores it in the value pointed to by v.
-//
-// See the documentation for Unmarshal for details about
-// the conversion of JSON into a Go value.
-func (dec *Decoder) Decode(v interface{}) error {
-	if dec.err != nil {
-		return dec.err
-	}
-
-	if err := dec.tokenPrepareForDecode(); err != nil {
-		return err
-	}
-
-	if !dec.tokenValueAllowed() {
-		return &SyntaxError{msg: "not at beginning of value"}
-	}
-
-	// Read whole value into buffer.
-	n, err := dec.readValue()
-	if err != nil {
-		return err
-	}
-	dec.d.init(dec.buf[dec.scanp : dec.scanp+n])
-	dec.scanp += n
-
-	// Don't save err from unmarshal into dec.err:
-	// the connection is still usable since we read a complete JSON
-	// object from it before the error happened.
-	err = dec.d.unmarshal(v)
-
-	// fixup token streaming state
-	dec.tokenValueEnd()
-
-	return err
-}
-
-// Buffered returns a reader of the data remaining in the Decoder's
-// buffer. The reader is valid until the next call to Decode.
-func (dec *Decoder) Buffered() io.Reader {
-	return bytes.NewReader(dec.buf[dec.scanp:])
-}
-
-// readValue reads a JSON value into dec.buf.
-// It returns the length of the encoding.
-func (dec *Decoder) readValue() (int, error) {
-	dec.scan.reset()
-
-	scanp := dec.scanp
-	var err error
-Input:
-	for {
-		// Look in the buffer for a new value.
-		for i, c := range dec.buf[scanp:] {
-			dec.scan.bytes++
-			v := dec.scan.step(&dec.scan, c)
-			if v == scanEnd {
-				scanp += i
-				break Input
-			}
-			// scanEnd is delayed one byte.
-			// We might block trying to get that byte from src,
-			// so instead invent a space byte.
-			if (v == scanEndObject || v == scanEndArray) && dec.scan.step(&dec.scan, ' ') == scanEnd {
-				scanp += i + 1
-				break Input
-			}
-			if v == scanError {
-				dec.err = dec.scan.err
-				return 0, dec.scan.err
-			}
-		}
-		scanp = len(dec.buf)
-
-		// Did the last read have an error?
-		// Delayed until now to allow buffer scan.
-		if err != nil {
-			if err == io.EOF {
-				if dec.scan.step(&dec.scan, ' ') == scanEnd {
-					break Input
-				}
-				if nonSpace(dec.buf) {
-					err = io.ErrUnexpectedEOF
-				}
-			}
-			dec.err = err
-			return 0, err
-		}
-
-		n := scanp - dec.scanp
-		err = dec.refill()
-		scanp = dec.scanp + n
-	}
-	return scanp - dec.scanp, nil
-}
-
-func (dec *Decoder) refill() error {
-	// Make room to read more into the buffer.
-	// First slide down data already consumed.
-	if dec.scanp > 0 {
-		n := copy(dec.buf, dec.buf[dec.scanp:])
-		dec.buf = dec.buf[:n]
-		dec.scanp = 0
-	}
-
-	// Grow buffer if not large enough.
-	const minRead = 512
-	if cap(dec.buf)-len(dec.buf) < minRead {
-		newBuf := make([]byte, len(dec.buf), 2*cap(dec.buf)+minRead)
-		copy(newBuf, dec.buf)
-		dec.buf = newBuf
-	}
-
-	// Read.  Delay error for next iteration (after scan).
-	n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
-	dec.buf = dec.buf[0 : len(dec.buf)+n]
-
-	return err
-}
-
-func nonSpace(b []byte) bool {
-	for _, c := range b {
-		if !isSpace(c) {
-			return true
-		}
-	}
-	return false
-}
-
-// An Encoder writes JSON objects to an output stream.
-type Encoder struct {
-	w   io.Writer
-	err error
-}
-
-// NewEncoder returns a new encoder that writes to w.
-func NewEncoder(w io.Writer) *Encoder {
-	return &Encoder{w: w}
-}
-
-// Encode writes the JSON encoding of v to the stream,
-// followed by a newline character.
-//
-// See the documentation for Marshal for details about the
-// conversion of Go values to JSON.
-func (enc *Encoder) Encode(v interface{}) error {
-	if enc.err != nil {
-		return enc.err
-	}
-	e := newEncodeState()
-	err := e.marshal(v)
-	if err != nil {
-		return err
-	}
-
-	// Terminate each value with a newline.
-	// This makes the output look a little nicer
-	// when debugging, and some kind of space
-	// is required if the encoded value was a number,
-	// so that the reader knows there aren't more
-	// digits coming.
-	e.WriteByte('\n')
-
-	if _, err = enc.w.Write(e.Bytes()); err != nil {
-		enc.err = err
-	}
-	encodeStatePool.Put(e)
-	return err
-}
-
-// RawMessage is a raw encoded JSON object.
-// It implements Marshaler and Unmarshaler and can
-// be used to delay JSON decoding or precompute a JSON encoding.
-type RawMessage []byte
-
-// MarshalJSON returns *m as the JSON encoding of m.
-func (m *RawMessage) MarshalJSON() ([]byte, error) {
-	return *m, nil
-}
-
-// UnmarshalJSON sets *m to a copy of data.
-func (m *RawMessage) UnmarshalJSON(data []byte) error {
-	if m == nil {
-		return errors.New("json.RawMessage: UnmarshalJSON on nil pointer")
-	}
-	*m = append((*m)[0:0], data...)
-	return nil
-}
-
-var _ Marshaler = (*RawMessage)(nil)
-var _ Unmarshaler = (*RawMessage)(nil)
-
-// A Token holds a value of one of these types:
-//
-//	Delim, for the four JSON delimiters [ ] { }
-//	bool, for JSON booleans
-//	float64, for JSON numbers
-//	Number, for JSON numbers
-//	string, for JSON string literals
-//	nil, for JSON null
-type Token interface{}
-
-const (
-	tokenTopValue = iota
-	tokenArrayStart
-	tokenArrayValue
-	tokenArrayComma
-	tokenObjectStart
-	tokenObjectKey
-	tokenObjectColon
-	tokenObjectValue
-	tokenObjectComma
-)
-
-// advance tokenstate from a separator state to a value state
-func (dec *Decoder) tokenPrepareForDecode() error {
-	// Note: Not calling peek before switch, to avoid
-	// putting peek into the standard Decode path.
-	// peek is only called when using the Token API.
-	switch dec.tokenState {
-	case tokenArrayComma:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ',' {
-			return &SyntaxError{"expected comma after array element", 0}
-		}
-		dec.scanp++
-		dec.tokenState = tokenArrayValue
-	case tokenObjectColon:
-		c, err := dec.peek()
-		if err != nil {
-			return err
-		}
-		if c != ':' {
-			return &SyntaxError{"expected colon after object key", 0}
-		}
-		dec.scanp++
-		dec.tokenState = tokenObjectValue
-	}
-	return nil
-}
-
-func (dec *Decoder) tokenValueAllowed() bool {
-	switch dec.tokenState {
-	case tokenTopValue, tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		return true
-	}
-	return false
-}
-
-func (dec *Decoder) tokenValueEnd() {
-	switch dec.tokenState {
-	case tokenArrayStart, tokenArrayValue:
-		dec.tokenState = tokenArrayComma
-	case tokenObjectValue:
-		dec.tokenState = tokenObjectComma
-	}
-}
-
-// A Delim is a JSON array or object delimiter, one of [ ] { or }.
-type Delim rune
-
-func (d Delim) String() string {
-	return string(d)
-}
-
-// Token returns the next JSON token in the input stream.
-// At the end of the input stream, Token returns nil, io.EOF.
-//
-// Token guarantees that the delimiters [ ] { } it returns are
-// properly nested and matched: if Token encounters an unexpected
-// delimiter in the input, it will return an error.
-//
-// The input stream consists of basic JSON values—bool, string,
-// number, and null—along with delimiters [ ] { } of type Delim
-// to mark the start and end of arrays and objects.
-// Commas and colons are elided.
-func (dec *Decoder) Token() (Token, error) {
-	for {
-		c, err := dec.peek()
-		if err != nil {
-			return nil, err
-		}
-		switch c {
-		case '[':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenArrayStart
-			return Delim('['), nil
-
-		case ']':
-			if dec.tokenState != tokenArrayStart && dec.tokenState != tokenArrayComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim(']'), nil
-
-		case '{':
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenStack = append(dec.tokenStack, dec.tokenState)
-			dec.tokenState = tokenObjectStart
-			return Delim('{'), nil
-
-		case '}':
-			if dec.tokenState != tokenObjectStart && dec.tokenState != tokenObjectComma {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
-			dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
-			dec.tokenValueEnd()
-			return Delim('}'), nil
-
-		case ':':
-			if dec.tokenState != tokenObjectColon {
-				return dec.tokenError(c)
-			}
-			dec.scanp++
-			dec.tokenState = tokenObjectValue
-			continue
-
-		case ',':
-			if dec.tokenState == tokenArrayComma {
-				dec.scanp++
-				dec.tokenState = tokenArrayValue
-				continue
-			}
-			if dec.tokenState == tokenObjectComma {
-				dec.scanp++
-				dec.tokenState = tokenObjectKey
-				continue
-			}
-			return dec.tokenError(c)
-
-		case '"':
-			if dec.tokenState == tokenObjectStart || dec.tokenState == tokenObjectKey {
-				var x string
-				old := dec.tokenState
-				dec.tokenState = tokenTopValue
-				err := dec.Decode(&x)
-				dec.tokenState = old
-				if err != nil {
-					clearOffset(err)
-					return nil, err
-				}
-				dec.tokenState = tokenObjectColon
-				return x, nil
-			}
-			fallthrough
-
-		default:
-			if !dec.tokenValueAllowed() {
-				return dec.tokenError(c)
-			}
-			var x interface{}
-			if err := dec.Decode(&x); err != nil {
-				clearOffset(err)
-				return nil, err
-			}
-			return x, nil
-		}
-	}
-}
-
-func clearOffset(err error) {
-	if s, ok := err.(*SyntaxError); ok {
-		s.Offset = 0
-	}
-}
-
-func (dec *Decoder) tokenError(c byte) (Token, error) {
-	var context string
-	switch dec.tokenState {
-	case tokenTopValue:
-		context = " looking for beginning of value"
-	case tokenArrayStart, tokenArrayValue, tokenObjectValue:
-		context = " looking for beginning of value"
-	case tokenArrayComma:
-		context = " after array element"
-	case tokenObjectKey:
-		context = " looking for beginning of object key string"
-	case tokenObjectColon:
-		context = " after object key"
-	case tokenObjectComma:
-		context = " after object key:value pair"
-	}
-	return nil, &SyntaxError{"invalid character " + quoteChar(c) + " " + context, 0}
-}
-
-// More reports whether there is another element in the
-// current array or object being parsed.
-func (dec *Decoder) More() bool {
-	c, err := dec.peek()
-	return err == nil && c != ']' && c != '}'
-}
-
-func (dec *Decoder) peek() (byte, error) {
-	var err error
-	for {
-		for i := dec.scanp; i < len(dec.buf); i++ {
-			c := dec.buf[i]
-			if isSpace(c) {
-				continue
-			}
-			dec.scanp = i
-			return c, nil
-		}
-		// buffer has been scanned, now report any error
-		if err != nil {
-			return 0, err
-		}
-		err = dec.refill()
-	}
-}
-
-/*
-TODO
-
-// EncodeToken writes the given JSON token to the stream.
-// It returns an error if the delimiters [ ] { } are not properly used.
-//
-// EncodeToken does not call Flush, because usually it is part of
-// a larger operation such as Encode, and those will call Flush when finished.
-// Callers that create an Encoder and then invoke EncodeToken directly,
-// without using Encode, need to call Flush when finished to ensure that
-// the JSON is written to the underlying writer.
-func (e *Encoder) EncodeToken(t Token) error  {
-	...
-}
-
-*/
diff --git a/vendor/github.com/go-jose/go-jose/v4/json/tags.go b/vendor/github.com/go-jose/go-jose/v4/json/tags.go
deleted file mode 100644
index c38fd5102f6..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/json/tags.go
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
-	"strings"
-)
-
-// tagOptions is the string following a comma in a struct field's "json"
-// tag, or the empty string. It does not include the leading comma.
-type tagOptions string
-
-// parseTag splits a struct field's json tag into its name and
-// comma-separated options.
-func parseTag(tag string) (string, tagOptions) {
-	if idx := strings.Index(tag, ","); idx != -1 {
-		return tag[:idx], tagOptions(tag[idx+1:])
-	}
-	return tag, tagOptions("")
-}
-
-// Contains reports whether a comma-separated list of options
-// contains a particular substr flag. substr must be surrounded by a
-// string boundary or commas.
-func (o tagOptions) Contains(optionName string) bool {
-	if len(o) == 0 {
-		return false
-	}
-	s := string(o)
-	for s != "" {
-		var next string
-		i := strings.Index(s, ",")
-		if i >= 0 {
-			s, next = s[:i], s[i+1:]
-		}
-		if s == optionName {
-			return true
-		}
-		s = next
-	}
-	return false
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
deleted file mode 100644
index 9f1322dccc9..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
+++ /dev/null
@@ -1,382 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/go-jose/go-jose/v4/json"
-)
-
-// rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
-type rawJSONWebEncryption struct {
-	Protected    *byteBuffer        `json:"protected,omitempty"`
-	Unprotected  *rawHeader         `json:"unprotected,omitempty"`
-	Header       *rawHeader         `json:"header,omitempty"`
-	Recipients   []rawRecipientInfo `json:"recipients,omitempty"`
-	Aad          *byteBuffer        `json:"aad,omitempty"`
-	EncryptedKey *byteBuffer        `json:"encrypted_key,omitempty"`
-	Iv           *byteBuffer        `json:"iv,omitempty"`
-	Ciphertext   *byteBuffer        `json:"ciphertext,omitempty"`
-	Tag          *byteBuffer        `json:"tag,omitempty"`
-}
-
-// rawRecipientInfo represents a raw JWE Per-Recipient header JSON object. Used for parsing/serializing.
-type rawRecipientInfo struct {
-	Header       *rawHeader `json:"header,omitempty"`
-	EncryptedKey string     `json:"encrypted_key,omitempty"`
-}
-
-// JSONWebEncryption represents an encrypted JWE object after parsing.
-type JSONWebEncryption struct {
-	Header                   Header
-	protected, unprotected   *rawHeader
-	recipients               []recipientInfo
-	aad, iv, ciphertext, tag []byte
-	original                 *rawJSONWebEncryption
-}
-
-// recipientInfo represents a raw JWE Per-Recipient header JSON object after parsing.
-type recipientInfo struct {
-	header       *rawHeader
-	encryptedKey []byte
-}
-
-// GetAuthData retrieves the (optional) authenticated data attached to the object.
-func (obj JSONWebEncryption) GetAuthData() []byte {
-	if obj.aad != nil {
-		out := make([]byte, len(obj.aad))
-		copy(out, obj.aad)
-		return out
-	}
-
-	return nil
-}
-
-// Get the merged header values
-func (obj JSONWebEncryption) mergedHeaders(recipient *recipientInfo) rawHeader {
-	out := rawHeader{}
-	out.merge(obj.protected)
-	out.merge(obj.unprotected)
-
-	if recipient != nil {
-		out.merge(recipient.header)
-	}
-
-	return out
-}
-
-// Get the additional authenticated data from a JWE object.
-func (obj JSONWebEncryption) computeAuthData() []byte {
-	var protected string
-
-	switch {
-	case obj.original != nil && obj.original.Protected != nil:
-		protected = obj.original.Protected.base64()
-	case obj.protected != nil:
-		protected = base64.RawURLEncoding.EncodeToString(mustSerializeJSON((obj.protected)))
-	default:
-		protected = ""
-	}
-
-	output := []byte(protected)
-	if obj.aad != nil {
-		output = append(output, '.')
-		output = append(output, []byte(base64.RawURLEncoding.EncodeToString(obj.aad))...)
-	}
-
-	return output
-}
-
-func containsKeyAlgorithm(haystack []KeyAlgorithm, needle KeyAlgorithm) bool {
-	for _, algorithm := range haystack {
-		if algorithm == needle {
-			return true
-		}
-	}
-	return false
-}
-
-func containsContentEncryption(haystack []ContentEncryption, needle ContentEncryption) bool {
-	for _, algorithm := range haystack {
-		if algorithm == needle {
-			return true
-		}
-	}
-	return false
-}
-
-// ParseEncrypted parses an encrypted message in JWE Compact or JWE JSON Serialization.
-//
-// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
-// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
-//
-// The keyAlgorithms and contentEncryption parameters are used to validate the "alg" and "enc"
-// header parameters respectively. They must be nonempty, and each "alg" or "enc" header in
-// parsed data must contain a value that is present in the corresponding parameter. That
-// includes the protected and unprotected headers as well as all recipients. To accept
-// multiple algorithms, pass a slice of all the algorithms you want to accept.
-func ParseEncrypted(input string,
-	keyEncryptionAlgorithms []KeyAlgorithm,
-	contentEncryption []ContentEncryption,
-) (*JSONWebEncryption, error) {
-	input = stripWhitespace(input)
-	if strings.HasPrefix(input, "{") {
-		return ParseEncryptedJSON(input, keyEncryptionAlgorithms, contentEncryption)
-	}
-
-	return ParseEncryptedCompact(input, keyEncryptionAlgorithms, contentEncryption)
-}
-
-// ParseEncryptedJSON parses a message in JWE JSON Serialization.
-//
-// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
-func ParseEncryptedJSON(
-	input string,
-	keyEncryptionAlgorithms []KeyAlgorithm,
-	contentEncryption []ContentEncryption,
-) (*JSONWebEncryption, error) {
-	var parsed rawJSONWebEncryption
-	err := json.Unmarshal([]byte(input), &parsed)
-	if err != nil {
-		return nil, err
-	}
-
-	return parsed.sanitized(keyEncryptionAlgorithms, contentEncryption)
-}
-
-// sanitized produces a cleaned-up JWE object from the raw JSON.
-func (parsed *rawJSONWebEncryption) sanitized(
-	keyEncryptionAlgorithms []KeyAlgorithm,
-	contentEncryption []ContentEncryption,
-) (*JSONWebEncryption, error) {
-	if len(keyEncryptionAlgorithms) == 0 {
-		return nil, errors.New("go-jose/go-jose: no key algorithms provided")
-	}
-	if len(contentEncryption) == 0 {
-		return nil, errors.New("go-jose/go-jose: no content encryption algorithms provided")
-	}
-
-	obj := &JSONWebEncryption{
-		original:    parsed,
-		unprotected: parsed.Unprotected,
-	}
-
-	// Check that there is not a nonce in the unprotected headers
-	if parsed.Unprotected != nil {
-		if nonce := parsed.Unprotected.getNonce(); nonce != "" {
-			return nil, ErrUnprotectedNonce
-		}
-	}
-	if parsed.Header != nil {
-		if nonce := parsed.Header.getNonce(); nonce != "" {
-			return nil, ErrUnprotectedNonce
-		}
-	}
-
-	if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
-		err := json.Unmarshal(parsed.Protected.bytes(), &obj.protected)
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
-		}
-	}
-
-	// Note: this must be called _after_ we parse the protected header,
-	// otherwise fields from the protected header will not get picked up.
-	var err error
-	mergedHeaders := obj.mergedHeaders(nil)
-	obj.Header, err = mergedHeaders.sanitized()
-	if err != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: cannot sanitize merged headers: %v (%v)", err, mergedHeaders)
-	}
-
-	if len(parsed.Recipients) == 0 {
-		obj.recipients = []recipientInfo{
-			{
-				header:       parsed.Header,
-				encryptedKey: parsed.EncryptedKey.bytes(),
-			},
-		}
-	} else {
-		obj.recipients = make([]recipientInfo, len(parsed.Recipients))
-		for r := range parsed.Recipients {
-			encryptedKey, err := base64.RawURLEncoding.DecodeString(parsed.Recipients[r].EncryptedKey)
-			if err != nil {
-				return nil, err
-			}
-
-			// Check that there is not a nonce in the unprotected header
-			if parsed.Recipients[r].Header != nil && parsed.Recipients[r].Header.getNonce() != "" {
-				return nil, ErrUnprotectedNonce
-			}
-
-			obj.recipients[r].header = parsed.Recipients[r].Header
-			obj.recipients[r].encryptedKey = encryptedKey
-		}
-	}
-
-	for i, recipient := range obj.recipients {
-		headers := obj.mergedHeaders(&recipient)
-		if headers.getAlgorithm() == "" {
-			return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "alg"`, i)
-		}
-		if headers.getEncryption() == "" {
-			return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "enc"`, i)
-		}
-		err := validateAlgEnc(headers, keyEncryptionAlgorithms, contentEncryption)
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: recipient %d: %s", i, err)
-		}
-
-	}
-
-	if obj.protected != nil {
-		err := validateAlgEnc(*obj.protected, keyEncryptionAlgorithms, contentEncryption)
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: protected header: %s", err)
-		}
-	}
-	if obj.unprotected != nil {
-		err := validateAlgEnc(*obj.unprotected, keyEncryptionAlgorithms, contentEncryption)
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: unprotected header: %s", err)
-		}
-	}
-
-	obj.iv = parsed.Iv.bytes()
-	obj.ciphertext = parsed.Ciphertext.bytes()
-	obj.tag = parsed.Tag.bytes()
-	obj.aad = parsed.Aad.bytes()
-
-	return obj, nil
-}
-
-func validateAlgEnc(headers rawHeader, keyAlgorithms []KeyAlgorithm, contentEncryption []ContentEncryption) error {
-	alg := headers.getAlgorithm()
-	enc := headers.getEncryption()
-	if alg != "" && !containsKeyAlgorithm(keyAlgorithms, alg) {
-		return fmt.Errorf("unexpected key algorithm %q; expected %q", alg, keyAlgorithms)
-	}
-	if alg != "" && !containsContentEncryption(contentEncryption, enc) {
-		return fmt.Errorf("unexpected content encryption algorithm %q; expected %q", enc, contentEncryption)
-	}
-	return nil
-}
-
-// ParseEncryptedCompact parses a message in JWE Compact Serialization.
-//
-// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
-func ParseEncryptedCompact(
-	input string,
-	keyAlgorithms []KeyAlgorithm,
-	contentEncryption []ContentEncryption,
-) (*JSONWebEncryption, error) {
-	// Five parts is four separators
-	if strings.Count(input, ".") != 4 {
-		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
-	}
-	parts := strings.SplitN(input, ".", 5)
-
-	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
-	if err != nil {
-		return nil, err
-	}
-
-	encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1])
-	if err != nil {
-		return nil, err
-	}
-
-	iv, err := base64.RawURLEncoding.DecodeString(parts[2])
-	if err != nil {
-		return nil, err
-	}
-
-	ciphertext, err := base64.RawURLEncoding.DecodeString(parts[3])
-	if err != nil {
-		return nil, err
-	}
-
-	tag, err := base64.RawURLEncoding.DecodeString(parts[4])
-	if err != nil {
-		return nil, err
-	}
-
-	raw := &rawJSONWebEncryption{
-		Protected:    newBuffer(rawProtected),
-		EncryptedKey: newBuffer(encryptedKey),
-		Iv:           newBuffer(iv),
-		Ciphertext:   newBuffer(ciphertext),
-		Tag:          newBuffer(tag),
-	}
-
-	return raw.sanitized(keyAlgorithms, contentEncryption)
-}
-
-// CompactSerialize serializes an object using the compact serialization format.
-func (obj JSONWebEncryption) CompactSerialize() (string, error) {
-	if len(obj.recipients) != 1 || obj.unprotected != nil ||
-		obj.protected == nil || obj.recipients[0].header != nil {
-		return "", ErrNotSupported
-	}
-
-	serializedProtected := mustSerializeJSON(obj.protected)
-
-	return base64JoinWithDots(
-		serializedProtected,
-		obj.recipients[0].encryptedKey,
-		obj.iv,
-		obj.ciphertext,
-		obj.tag,
-	), nil
-}
-
-// FullSerialize serializes an object using the full JSON serialization format.
-func (obj JSONWebEncryption) FullSerialize() string {
-	raw := rawJSONWebEncryption{
-		Unprotected:  obj.unprotected,
-		Iv:           newBuffer(obj.iv),
-		Ciphertext:   newBuffer(obj.ciphertext),
-		EncryptedKey: newBuffer(obj.recipients[0].encryptedKey),
-		Tag:          newBuffer(obj.tag),
-		Aad:          newBuffer(obj.aad),
-		Recipients:   []rawRecipientInfo{},
-	}
-
-	if len(obj.recipients) > 1 {
-		for _, recipient := range obj.recipients {
-			info := rawRecipientInfo{
-				Header:       recipient.header,
-				EncryptedKey: base64.RawURLEncoding.EncodeToString(recipient.encryptedKey),
-			}
-			raw.Recipients = append(raw.Recipients, info)
-		}
-	} else {
-		// Use flattened serialization
-		raw.Header = obj.recipients[0].header
-		raw.EncryptedKey = newBuffer(obj.recipients[0].encryptedKey)
-	}
-
-	if obj.protected != nil {
-		raw.Protected = newBuffer(mustSerializeJSON(obj.protected))
-	}
-
-	return string(mustSerializeJSON(raw))
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/jwk.go b/vendor/github.com/go-jose/go-jose/v4/jwk.go
deleted file mode 100644
index 9e57e93ba2e..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/jwk.go
+++ /dev/null
@@ -1,823 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/elliptic"
-	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"math/big"
-	"net/url"
-	"reflect"
-	"strings"
-
-	"github.com/go-jose/go-jose/v4/json"
-)
-
-// rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
-type rawJSONWebKey struct {
-	Use string      `json:"use,omitempty"`
-	Kty string      `json:"kty,omitempty"`
-	Kid string      `json:"kid,omitempty"`
-	Crv string      `json:"crv,omitempty"`
-	Alg string      `json:"alg,omitempty"`
-	K   *byteBuffer `json:"k,omitempty"`
-	X   *byteBuffer `json:"x,omitempty"`
-	Y   *byteBuffer `json:"y,omitempty"`
-	N   *byteBuffer `json:"n,omitempty"`
-	E   *byteBuffer `json:"e,omitempty"`
-	// -- Following fields are only used for private keys --
-	// RSA uses D, P and Q, while ECDSA uses only D. Fields Dp, Dq, and Qi are
-	// completely optional. Therefore for RSA/ECDSA, D != nil is a contract that
-	// we have a private key whereas D == nil means we have only a public key.
-	D  *byteBuffer `json:"d,omitempty"`
-	P  *byteBuffer `json:"p,omitempty"`
-	Q  *byteBuffer `json:"q,omitempty"`
-	Dp *byteBuffer `json:"dp,omitempty"`
-	Dq *byteBuffer `json:"dq,omitempty"`
-	Qi *byteBuffer `json:"qi,omitempty"`
-	// Certificates
-	X5c       []string `json:"x5c,omitempty"`
-	X5u       string   `json:"x5u,omitempty"`
-	X5tSHA1   string   `json:"x5t,omitempty"`
-	X5tSHA256 string   `json:"x5t#S256,omitempty"`
-}
-
-// JSONWebKey represents a public or private key in JWK format. It can be
-// marshaled into JSON and unmarshaled from JSON.
-type JSONWebKey struct {
-	// Key is the Go in-memory representation of this key. It must have one
-	// of these types:
-	//  - ed25519.PublicKey
-	//  - ed25519.PrivateKey
-	//  - *ecdsa.PublicKey
-	//  - *ecdsa.PrivateKey
-	//  - *rsa.PublicKey
-	//  - *rsa.PrivateKey
-	//  - []byte (a symmetric key)
-	//
-	// When marshaling this JSONWebKey into JSON, the "kty" header parameter
-	// will be automatically set based on the type of this field.
-	Key interface{}
-	// Key identifier, parsed from `kid` header.
-	KeyID string
-	// Key algorithm, parsed from `alg` header.
-	Algorithm string
-	// Key use, parsed from `use` header.
-	Use string
-
-	// X.509 certificate chain, parsed from `x5c` header.
-	Certificates []*x509.Certificate
-	// X.509 certificate URL, parsed from `x5u` header.
-	CertificatesURL *url.URL
-	// X.509 certificate thumbprint (SHA-1), parsed from `x5t` header.
-	CertificateThumbprintSHA1 []byte
-	// X.509 certificate thumbprint (SHA-256), parsed from `x5t#S256` header.
-	CertificateThumbprintSHA256 []byte
-}
-
-// MarshalJSON serializes the given key to its JSON representation.
-func (k JSONWebKey) MarshalJSON() ([]byte, error) {
-	var raw *rawJSONWebKey
-	var err error
-
-	switch key := k.Key.(type) {
-	case ed25519.PublicKey:
-		raw = fromEdPublicKey(key)
-	case *ecdsa.PublicKey:
-		raw, err = fromEcPublicKey(key)
-	case *rsa.PublicKey:
-		raw = fromRsaPublicKey(key)
-	case ed25519.PrivateKey:
-		raw, err = fromEdPrivateKey(key)
-	case *ecdsa.PrivateKey:
-		raw, err = fromEcPrivateKey(key)
-	case *rsa.PrivateKey:
-		raw, err = fromRsaPrivateKey(key)
-	case []byte:
-		raw, err = fromSymmetricKey(key)
-	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	raw.Kid = k.KeyID
-	raw.Alg = k.Algorithm
-	raw.Use = k.Use
-
-	for _, cert := range k.Certificates {
-		raw.X5c = append(raw.X5c, base64.StdEncoding.EncodeToString(cert.Raw))
-	}
-
-	x5tSHA1Len := len(k.CertificateThumbprintSHA1)
-	x5tSHA256Len := len(k.CertificateThumbprintSHA256)
-	if x5tSHA1Len > 0 {
-		if x5tSHA1Len != sha1.Size {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-1 thumbprint (must be %d bytes, not %d)", sha1.Size, x5tSHA1Len)
-		}
-		raw.X5tSHA1 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA1)
-	}
-	if x5tSHA256Len > 0 {
-		if x5tSHA256Len != sha256.Size {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-256 thumbprint (must be %d bytes, not %d)", sha256.Size, x5tSHA256Len)
-		}
-		raw.X5tSHA256 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA256)
-	}
-
-	// If cert chain is attached (as opposed to being behind a URL), check the
-	// keys thumbprints to make sure they match what is expected. This is to
-	// ensure we don't accidentally produce a JWK with semantically inconsistent
-	// data in the headers.
-	if len(k.Certificates) > 0 {
-		expectedSHA1 := sha1.Sum(k.Certificates[0].Raw)
-		expectedSHA256 := sha256.Sum256(k.Certificates[0].Raw)
-
-		if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(k.CertificateThumbprintSHA1, expectedSHA1[:]) {
-			return nil, errors.New("go-jose/go-jose: invalid SHA-1 thumbprint, does not match cert chain")
-		}
-		if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(k.CertificateThumbprintSHA256, expectedSHA256[:]) {
-			return nil, errors.New("go-jose/go-jose: invalid or SHA-256 thumbprint, does not match cert chain")
-		}
-	}
-
-	if k.CertificatesURL != nil {
-		raw.X5u = k.CertificatesURL.String()
-	}
-
-	return json.Marshal(raw)
-}
-
-// UnmarshalJSON reads a key from its JSON representation.
-func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
-	var raw rawJSONWebKey
-	err = json.Unmarshal(data, &raw)
-	if err != nil {
-		return err
-	}
-
-	certs, err := parseCertificateChain(raw.X5c)
-	if err != nil {
-		return fmt.Errorf("go-jose/go-jose: failed to unmarshal x5c field: %s", err)
-	}
-
-	var key interface{}
-	var certPub interface{}
-	var keyPub interface{}
-
-	if len(certs) > 0 {
-		// We need to check that leaf public key matches the key embedded in this
-		// JWK, as required by the standard (see RFC 7517, Section 4.7). Otherwise
-		// the JWK parsed could be semantically invalid. Technically, should also
-		// check key usage fields and other extensions on the cert here, but the
-		// standard doesn't exactly explain how they're supposed to map from the
-		// JWK representation to the X.509 extensions.
-		certPub = certs[0].PublicKey
-	}
-
-	switch raw.Kty {
-	case "EC":
-		if raw.D != nil {
-			key, err = raw.ecPrivateKey()
-			if err == nil {
-				keyPub = key.(*ecdsa.PrivateKey).Public()
-			}
-		} else {
-			key, err = raw.ecPublicKey()
-			keyPub = key
-		}
-	case "RSA":
-		if raw.D != nil {
-			key, err = raw.rsaPrivateKey()
-			if err == nil {
-				keyPub = key.(*rsa.PrivateKey).Public()
-			}
-		} else {
-			key, err = raw.rsaPublicKey()
-			keyPub = key
-		}
-	case "oct":
-		if certPub != nil {
-			return errors.New("go-jose/go-jose: invalid JWK, found 'oct' (symmetric) key with cert chain")
-		}
-		key, err = raw.symmetricKey()
-	case "OKP":
-		if raw.Crv == "Ed25519" && raw.X != nil {
-			if raw.D != nil {
-				key, err = raw.edPrivateKey()
-				if err == nil {
-					keyPub = key.(ed25519.PrivateKey).Public()
-				}
-			} else {
-				key, err = raw.edPublicKey()
-				keyPub = key
-			}
-		} else {
-			return fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
-		}
-	default:
-		return fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
-	}
-
-	if err != nil {
-		return
-	}
-
-	if certPub != nil && keyPub != nil {
-		if !reflect.DeepEqual(certPub, keyPub) {
-			return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields do not match")
-		}
-	}
-
-	*k = JSONWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use, Certificates: certs}
-
-	if raw.X5u != "" {
-		k.CertificatesURL, err = url.Parse(raw.X5u)
-		if err != nil {
-			return fmt.Errorf("go-jose/go-jose: invalid JWK, x5u header is invalid URL: %w", err)
-		}
-	}
-
-	// x5t parameters are base64url-encoded SHA thumbprints
-	// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
-	x5tSHA1bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA1)
-	if err != nil {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
-	}
-
-	// RFC 7517, Section 4.8 is ambiguous as to whether the digest output should be byte or hex,
-	// for this reason, after base64 decoding, if the size is sha1.Size it's likely that the value is a byte encoded
-	// checksum so we skip this. Otherwise if the checksum was hex encoded we expect a 40 byte sized array so we'll
-	// try to hex decode it. When Marshalling this value we'll always use a base64 encoded version of byte format checksum.
-	if len(x5tSHA1bytes) == 2*sha1.Size {
-		hx, err := hex.DecodeString(string(x5tSHA1bytes))
-		if err != nil {
-			return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t: %v", err)
-
-		}
-		x5tSHA1bytes = hx
-	}
-
-	k.CertificateThumbprintSHA1 = x5tSHA1bytes
-
-	x5tSHA256bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA256)
-	if err != nil {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
-	}
-
-	if len(x5tSHA256bytes) == 2*sha256.Size {
-		hx256, err := hex.DecodeString(string(x5tSHA256bytes))
-		if err != nil {
-			return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t#S256: %v", err)
-		}
-		x5tSHA256bytes = hx256
-	}
-
-	k.CertificateThumbprintSHA256 = x5tSHA256bytes
-
-	x5tSHA1Len := len(k.CertificateThumbprintSHA1)
-	x5tSHA256Len := len(k.CertificateThumbprintSHA256)
-	if x5tSHA1Len > 0 && x5tSHA1Len != sha1.Size {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t header is of incorrect size")
-	}
-	if x5tSHA256Len > 0 && x5tSHA256Len != sha256.Size {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header is of incorrect size")
-	}
-
-	// If certificate chain *and* thumbprints are set, verify correctness.
-	if len(k.Certificates) > 0 {
-		leaf := k.Certificates[0]
-		sha1sum := sha1.Sum(leaf.Raw)
-		sha256sum := sha256.Sum256(leaf.Raw)
-
-		if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(sha1sum[:], k.CertificateThumbprintSHA1) {
-			return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t value")
-		}
-
-		if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(sha256sum[:], k.CertificateThumbprintSHA256) {
-			return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t#S256 value")
-		}
-	}
-
-	return
-}
-
-// JSONWebKeySet represents a JWK Set object.
-type JSONWebKeySet struct {
-	Keys []JSONWebKey `json:"keys"`
-}
-
-// Key convenience method returns keys by key ID. Specification states
-// that a JWK Set "SHOULD" use distinct key IDs, but allows for some
-// cases where they are not distinct. Hence method returns a slice
-// of JSONWebKeys.
-func (s *JSONWebKeySet) Key(kid string) []JSONWebKey {
-	var keys []JSONWebKey
-	for _, key := range s.Keys {
-		if key.KeyID == kid {
-			keys = append(keys, key)
-		}
-	}
-
-	return keys
-}
-
-const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}`
-const ecThumbprintTemplate = `{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`
-const edThumbprintTemplate = `{"crv":"%s","kty":"OKP","x":"%s"}`
-
-func ecThumbprintInput(curve elliptic.Curve, x, y *big.Int) (string, error) {
-	coordLength := curveSize(curve)
-	crv, err := curveName(curve)
-	if err != nil {
-		return "", err
-	}
-
-	if len(x.Bytes()) > coordLength || len(y.Bytes()) > coordLength {
-		return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
-	}
-
-	return fmt.Sprintf(ecThumbprintTemplate, crv,
-		newFixedSizeBuffer(x.Bytes(), coordLength).base64(),
-		newFixedSizeBuffer(y.Bytes(), coordLength).base64()), nil
-}
-
-func rsaThumbprintInput(n *big.Int, e int) (string, error) {
-	return fmt.Sprintf(rsaThumbprintTemplate,
-		newBufferFromInt(uint64(e)).base64(),
-		newBuffer(n.Bytes()).base64()), nil
-}
-
-func edThumbprintInput(ed ed25519.PublicKey) (string, error) {
-	crv := "Ed25519"
-	if len(ed) > 32 {
-		return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
-	}
-	return fmt.Sprintf(edThumbprintTemplate, crv,
-		newFixedSizeBuffer(ed, 32).base64()), nil
-}
-
-// Thumbprint computes the JWK Thumbprint of a key using the
-// indicated hash algorithm.
-func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) {
-	var input string
-	var err error
-	switch key := k.Key.(type) {
-	case ed25519.PublicKey:
-		input, err = edThumbprintInput(key)
-	case *ecdsa.PublicKey:
-		input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
-	case *ecdsa.PrivateKey:
-		input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
-	case *rsa.PublicKey:
-		input, err = rsaThumbprintInput(key.N, key.E)
-	case *rsa.PrivateKey:
-		input, err = rsaThumbprintInput(key.N, key.E)
-	case ed25519.PrivateKey:
-		input, err = edThumbprintInput(ed25519.PublicKey(key[32:]))
-	case OpaqueSigner:
-		return key.Public().Thumbprint(hash)
-	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	h := hash.New()
-	_, _ = h.Write([]byte(input))
-	return h.Sum(nil), nil
-}
-
-// IsPublic returns true if the JWK represents a public key (not symmetric, not private).
-func (k *JSONWebKey) IsPublic() bool {
-	switch k.Key.(type) {
-	case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
-		return true
-	default:
-		return false
-	}
-}
-
-// Public creates JSONWebKey with corresponding public key if JWK represents asymmetric private key.
-func (k *JSONWebKey) Public() JSONWebKey {
-	if k.IsPublic() {
-		return *k
-	}
-	ret := *k
-	switch key := k.Key.(type) {
-	case *ecdsa.PrivateKey:
-		ret.Key = key.Public()
-	case *rsa.PrivateKey:
-		ret.Key = key.Public()
-	case ed25519.PrivateKey:
-		ret.Key = key.Public()
-	default:
-		return JSONWebKey{} // returning invalid key
-	}
-	return ret
-}
-
-// Valid checks that the key contains the expected parameters.
-func (k *JSONWebKey) Valid() bool {
-	if k.Key == nil {
-		return false
-	}
-	switch key := k.Key.(type) {
-	case *ecdsa.PublicKey:
-		if key.Curve == nil || key.X == nil || key.Y == nil {
-			return false
-		}
-	case *ecdsa.PrivateKey:
-		if key.Curve == nil || key.X == nil || key.Y == nil || key.D == nil {
-			return false
-		}
-	case *rsa.PublicKey:
-		if key.N == nil || key.E == 0 {
-			return false
-		}
-	case *rsa.PrivateKey:
-		if key.N == nil || key.E == 0 || key.D == nil || len(key.Primes) < 2 {
-			return false
-		}
-	case ed25519.PublicKey:
-		if len(key) != 32 {
-			return false
-		}
-	case ed25519.PrivateKey:
-		if len(key) != 64 {
-			return false
-		}
-	default:
-		return false
-	}
-	return true
-}
-
-func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) {
-	if key.N == nil || key.E == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid RSA key, missing n/e values")
-	}
-
-	return &rsa.PublicKey{
-		N: key.N.bigInt(),
-		E: key.E.toInt(),
-	}, nil
-}
-
-func fromEdPublicKey(pub ed25519.PublicKey) *rawJSONWebKey {
-	return &rawJSONWebKey{
-		Kty: "OKP",
-		Crv: "Ed25519",
-		X:   newBuffer(pub),
-	}
-}
-
-func fromRsaPublicKey(pub *rsa.PublicKey) *rawJSONWebKey {
-	return &rawJSONWebKey{
-		Kty: "RSA",
-		N:   newBuffer(pub.N.Bytes()),
-		E:   newBufferFromInt(uint64(pub.E)),
-	}
-}
-
-func (key rawJSONWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
-	var curve elliptic.Curve
-	switch key.Crv {
-	case "P-256":
-		curve = elliptic.P256()
-	case "P-384":
-		curve = elliptic.P384()
-	case "P-521":
-		curve = elliptic.P521()
-	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
-	}
-
-	if key.X == nil || key.Y == nil {
-		return nil, errors.New("go-jose/go-jose: invalid EC key, missing x/y values")
-	}
-
-	// The length of this octet string MUST be the full size of a coordinate for
-	// the curve specified in the "crv" parameter.
-	// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
-	if curveSize(curve) != len(key.X.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for x")
-	}
-
-	if curveSize(curve) != len(key.Y.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for y")
-	}
-
-	x := key.X.bigInt()
-	y := key.Y.bigInt()
-
-	if !curve.IsOnCurve(x, y) {
-		return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
-	}
-
-	return &ecdsa.PublicKey{
-		Curve: curve,
-		X:     x,
-		Y:     y,
-	}, nil
-}
-
-func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
-	if pub == nil || pub.X == nil || pub.Y == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (nil, or X/Y missing)")
-	}
-
-	name, err := curveName(pub.Curve)
-	if err != nil {
-		return nil, err
-	}
-
-	size := curveSize(pub.Curve)
-
-	xBytes := pub.X.Bytes()
-	yBytes := pub.Y.Bytes()
-
-	if len(xBytes) > size || len(yBytes) > size {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (X/Y too large)")
-	}
-
-	key := &rawJSONWebKey{
-		Kty: "EC",
-		Crv: name,
-		X:   newFixedSizeBuffer(xBytes, size),
-		Y:   newFixedSizeBuffer(yBytes, size),
-	}
-
-	return key, nil
-}
-
-func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
-	var missing []string
-	switch {
-	case key.D == nil:
-		missing = append(missing, "D")
-	case key.X == nil:
-		missing = append(missing, "X")
-	}
-
-	if len(missing) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", "))
-	}
-
-	privateKey := make([]byte, ed25519.PrivateKeySize)
-	copy(privateKey[0:32], key.D.bytes())
-	copy(privateKey[32:], key.X.bytes())
-	rv := ed25519.PrivateKey(privateKey)
-	return rv, nil
-}
-
-func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
-	if key.X == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid Ed key, missing x value")
-	}
-	publicKey := make([]byte, ed25519.PublicKeySize)
-	copy(publicKey[0:32], key.X.bytes())
-	rv := ed25519.PublicKey(publicKey)
-	return rv, nil
-}
-
-func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
-	var missing []string
-	switch {
-	case key.N == nil:
-		missing = append(missing, "N")
-	case key.E == nil:
-		missing = append(missing, "E")
-	case key.D == nil:
-		missing = append(missing, "D")
-	case key.P == nil:
-		missing = append(missing, "P")
-	case key.Q == nil:
-		missing = append(missing, "Q")
-	}
-
-	if len(missing) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
-	}
-
-	rv := &rsa.PrivateKey{
-		PublicKey: rsa.PublicKey{
-			N: key.N.bigInt(),
-			E: key.E.toInt(),
-		},
-		D: key.D.bigInt(),
-		Primes: []*big.Int{
-			key.P.bigInt(),
-			key.Q.bigInt(),
-		},
-	}
-
-	if key.Dp != nil {
-		rv.Precomputed.Dp = key.Dp.bigInt()
-	}
-	if key.Dq != nil {
-		rv.Precomputed.Dq = key.Dq.bigInt()
-	}
-	if key.Qi != nil {
-		rv.Precomputed.Qinv = key.Qi.bigInt()
-	}
-
-	err := rv.Validate()
-	return rv, err
-}
-
-func fromEdPrivateKey(ed ed25519.PrivateKey) (*rawJSONWebKey, error) {
-	raw := fromEdPublicKey(ed25519.PublicKey(ed[32:]))
-
-	raw.D = newBuffer(ed[0:32])
-	return raw, nil
-}
-
-func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJSONWebKey, error) {
-	if len(rsa.Primes) != 2 {
-		return nil, ErrUnsupportedKeyType
-	}
-
-	raw := fromRsaPublicKey(&rsa.PublicKey)
-
-	raw.D = newBuffer(rsa.D.Bytes())
-	raw.P = newBuffer(rsa.Primes[0].Bytes())
-	raw.Q = newBuffer(rsa.Primes[1].Bytes())
-
-	if rsa.Precomputed.Dp != nil {
-		raw.Dp = newBuffer(rsa.Precomputed.Dp.Bytes())
-	}
-	if rsa.Precomputed.Dq != nil {
-		raw.Dq = newBuffer(rsa.Precomputed.Dq.Bytes())
-	}
-	if rsa.Precomputed.Qinv != nil {
-		raw.Qi = newBuffer(rsa.Precomputed.Qinv.Bytes())
-	}
-
-	return raw, nil
-}
-
-func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
-	var curve elliptic.Curve
-	switch key.Crv {
-	case "P-256":
-		curve = elliptic.P256()
-	case "P-384":
-		curve = elliptic.P384()
-	case "P-521":
-		curve = elliptic.P521()
-	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
-	}
-
-	if key.X == nil || key.Y == nil || key.D == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values")
-	}
-
-	// The length of this octet string MUST be the full size of a coordinate for
-	// the curve specified in the "crv" parameter.
-	// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
-	if curveSize(curve) != len(key.X.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for x")
-	}
-
-	if curveSize(curve) != len(key.Y.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for y")
-	}
-
-	// https://tools.ietf.org/html/rfc7518#section-6.2.2.1
-	if dSize(curve) != len(key.D.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for d")
-	}
-
-	x := key.X.bigInt()
-	y := key.Y.bigInt()
-
-	if !curve.IsOnCurve(x, y) {
-		return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
-	}
-
-	return &ecdsa.PrivateKey{
-		PublicKey: ecdsa.PublicKey{
-			Curve: curve,
-			X:     x,
-			Y:     y,
-		},
-		D: key.D.bigInt(),
-	}, nil
-}
-
-func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJSONWebKey, error) {
-	raw, err := fromEcPublicKey(&ec.PublicKey)
-	if err != nil {
-		return nil, err
-	}
-
-	if ec.D == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key")
-	}
-
-	raw.D = newFixedSizeBuffer(ec.D.Bytes(), dSize(ec.PublicKey.Curve))
-
-	return raw, nil
-}
-
-// dSize returns the size in octets for the "d" member of an elliptic curve
-// private key.
-// The length of this octet string MUST be ceiling(log-base-2(n)/8)
-// octets (where n is the order of the curve).
-// https://tools.ietf.org/html/rfc7518#section-6.2.2.1
-func dSize(curve elliptic.Curve) int {
-	order := curve.Params().P
-	bitLen := order.BitLen()
-	size := bitLen / 8
-	if bitLen%8 != 0 {
-		size++
-	}
-	return size
-}
-
-func fromSymmetricKey(key []byte) (*rawJSONWebKey, error) {
-	return &rawJSONWebKey{
-		Kty: "oct",
-		K:   newBuffer(key),
-	}, nil
-}
-
-func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
-	if key.K == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid OCT (symmetric) key, missing k value")
-	}
-	return key.K.bytes(), nil
-}
-
-var (
-	// ErrJWKSKidNotFound is returned when a JWKS does not contain a JWK with a
-	// key ID which matches one in the provided tokens headers.
-	ErrJWKSKidNotFound = errors.New("go-jose/go-jose: JWK with matching kid not found in JWK Set")
-)
-
-func tryJWKS(key interface{}, headers ...Header) (interface{}, error) {
-	var jwks JSONWebKeySet
-
-	switch jwksType := key.(type) {
-	case *JSONWebKeySet:
-		jwks = *jwksType
-	case JSONWebKeySet:
-		jwks = jwksType
-	default:
-		// If the specified key is not a JWKS, return as is.
-		return key, nil
-	}
-
-	// Determine the KID to search for from the headers.
-	var kid string
-	for _, header := range headers {
-		if header.KeyID != "" {
-			kid = header.KeyID
-			break
-		}
-	}
-
-	// If no KID is specified in the headers, reject.
-	if kid == "" {
-		return nil, ErrJWKSKidNotFound
-	}
-
-	// Find the JWK with the matching KID. If no JWK with the specified KID is
-	// found, reject.
-	keys := jwks.Key(kid)
-	if len(keys) == 0 {
-		return nil, ErrJWKSKidNotFound
-	}
-
-	return keys[0].Key, nil
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
deleted file mode 100644
index d09d8ba5078..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
+++ /dev/null
@@ -1,422 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/go-jose/go-jose/v4/json"
-)
-
-// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
-type rawJSONWebSignature struct {
-	Payload    *byteBuffer        `json:"payload,omitempty"`
-	Signatures []rawSignatureInfo `json:"signatures,omitempty"`
-	Protected  *byteBuffer        `json:"protected,omitempty"`
-	Header     *rawHeader         `json:"header,omitempty"`
-	Signature  *byteBuffer        `json:"signature,omitempty"`
-}
-
-// rawSignatureInfo represents a single JWS signature over the JWS payload and protected header.
-type rawSignatureInfo struct {
-	Protected *byteBuffer `json:"protected,omitempty"`
-	Header    *rawHeader  `json:"header,omitempty"`
-	Signature *byteBuffer `json:"signature,omitempty"`
-}
-
-// JSONWebSignature represents a signed JWS object after parsing.
-type JSONWebSignature struct {
-	payload []byte
-	// Signatures attached to this object (may be more than one for multi-sig).
-	// Be careful about accessing these directly, prefer to use Verify() or
-	// VerifyMulti() to ensure that the data you're getting is verified.
-	Signatures []Signature
-}
-
-// Signature represents a single signature over the JWS payload and protected header.
-type Signature struct {
-	// Merged header fields. Contains both protected and unprotected header
-	// values. Prefer using Protected and Unprotected fields instead of this.
-	// Values in this header may or may not have been signed and in general
-	// should not be trusted.
-	Header Header
-
-	// Protected header. Values in this header were signed and
-	// will be verified as part of the signature verification process.
-	Protected Header
-
-	// Unprotected header. Values in this header were not signed
-	// and in general should not be trusted.
-	Unprotected Header
-
-	// The actual signature value
-	Signature []byte
-
-	protected *rawHeader
-	header    *rawHeader
-	original  *rawSignatureInfo
-}
-
-// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization.
-//
-// https://datatracker.ietf.org/doc/html/rfc7515#section-7
-func ParseSigned(
-	signature string,
-	signatureAlgorithms []SignatureAlgorithm,
-) (*JSONWebSignature, error) {
-	signature = stripWhitespace(signature)
-	if strings.HasPrefix(signature, "{") {
-		return ParseSignedJSON(signature, signatureAlgorithms)
-	}
-
-	return parseSignedCompact(signature, nil, signatureAlgorithms)
-}
-
-// ParseSignedCompact parses a message in JWS Compact Serialization.
-//
-// https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
-func ParseSignedCompact(
-	signature string,
-	signatureAlgorithms []SignatureAlgorithm,
-) (*JSONWebSignature, error) {
-	return parseSignedCompact(signature, nil, signatureAlgorithms)
-}
-
-// ParseDetached parses a signed message in compact serialization format with detached payload.
-func ParseDetached(
-	signature string,
-	payload []byte,
-	signatureAlgorithms []SignatureAlgorithm,
-) (*JSONWebSignature, error) {
-	if payload == nil {
-		return nil, errors.New("go-jose/go-jose: nil payload")
-	}
-	return parseSignedCompact(stripWhitespace(signature), payload, signatureAlgorithms)
-}
-
-// Get a header value
-func (sig Signature) mergedHeaders() rawHeader {
-	out := rawHeader{}
-	out.merge(sig.protected)
-	out.merge(sig.header)
-	return out
-}
-
-// Compute data to be signed
-func (obj JSONWebSignature) computeAuthData(payload []byte, signature *Signature) ([]byte, error) {
-	var authData bytes.Buffer
-
-	protectedHeader := new(rawHeader)
-
-	if signature.original != nil && signature.original.Protected != nil {
-		if err := json.Unmarshal(signature.original.Protected.bytes(), protectedHeader); err != nil {
-			return nil, err
-		}
-		authData.WriteString(signature.original.Protected.base64())
-	} else if signature.protected != nil {
-		protectedHeader = signature.protected
-		authData.WriteString(base64.RawURLEncoding.EncodeToString(mustSerializeJSON(protectedHeader)))
-	}
-
-	needsBase64 := true
-
-	if protectedHeader != nil {
-		var err error
-		if needsBase64, err = protectedHeader.getB64(); err != nil {
-			needsBase64 = true
-		}
-	}
-
-	authData.WriteByte('.')
-
-	if needsBase64 {
-		authData.WriteString(base64.RawURLEncoding.EncodeToString(payload))
-	} else {
-		authData.Write(payload)
-	}
-
-	return authData.Bytes(), nil
-}
-
-// ParseSignedJSON parses a message in JWS JSON Serialization.
-//
-// https://datatracker.ietf.org/doc/html/rfc7515#section-7.2
-func ParseSignedJSON(
-	input string,
-	signatureAlgorithms []SignatureAlgorithm,
-) (*JSONWebSignature, error) {
-	var parsed rawJSONWebSignature
-	err := json.Unmarshal([]byte(input), &parsed)
-	if err != nil {
-		return nil, err
-	}
-
-	return parsed.sanitized(signatureAlgorithms)
-}
-
-func containsSignatureAlgorithm(haystack []SignatureAlgorithm, needle SignatureAlgorithm) bool {
-	for _, algorithm := range haystack {
-		if algorithm == needle {
-			return true
-		}
-	}
-	return false
-}
-
-// sanitized produces a cleaned-up JWS object from the raw JSON.
-func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
-	if len(signatureAlgorithms) == 0 {
-		return nil, errors.New("go-jose/go-jose: no signature algorithms specified")
-	}
-	if parsed.Payload == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message")
-	}
-
-	obj := &JSONWebSignature{
-		payload:    parsed.Payload.bytes(),
-		Signatures: make([]Signature, len(parsed.Signatures)),
-	}
-
-	if len(parsed.Signatures) == 0 {
-		// No signatures array, must be flattened serialization
-		signature := Signature{}
-		if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
-			signature.protected = &rawHeader{}
-			err := json.Unmarshal(parsed.Protected.bytes(), signature.protected)
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		// Check that there is not a nonce in the unprotected header
-		if parsed.Header != nil && parsed.Header.getNonce() != "" {
-			return nil, ErrUnprotectedNonce
-		}
-
-		signature.header = parsed.Header
-		signature.Signature = parsed.Signature.bytes()
-		// Make a fake "original" rawSignatureInfo to store the unprocessed
-		// Protected header. This is necessary because the Protected header can
-		// contain arbitrary fields not registered as part of the spec. See
-		// https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-4
-		// If we unmarshal Protected into a rawHeader with its explicit list of fields,
-		// we cannot marshal losslessly. So we have to keep around the original bytes.
-		// This is used in computeAuthData, which will first attempt to use
-		// the original bytes of a protected header, and fall back on marshaling the
-		// header struct only if those bytes are not available.
-		signature.original = &rawSignatureInfo{
-			Protected: parsed.Protected,
-			Header:    parsed.Header,
-			Signature: parsed.Signature,
-		}
-
-		var err error
-		signature.Header, err = signature.mergedHeaders().sanitized()
-		if err != nil {
-			return nil, err
-		}
-
-		alg := SignatureAlgorithm(signature.Header.Algorithm)
-		if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
-			return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
-				alg, signatureAlgorithms)
-		}
-
-		if signature.header != nil {
-			signature.Unprotected, err = signature.header.sanitized()
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		if signature.protected != nil {
-			signature.Protected, err = signature.protected.sanitized()
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
-		jwk := signature.Header.JSONWebKey
-		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
-			return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
-		}
-
-		obj.Signatures = append(obj.Signatures, signature)
-	}
-
-	for i, sig := range parsed.Signatures {
-		if sig.Protected != nil && len(sig.Protected.bytes()) > 0 {
-			obj.Signatures[i].protected = &rawHeader{}
-			err := json.Unmarshal(sig.Protected.bytes(), obj.Signatures[i].protected)
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		// Check that there is not a nonce in the unprotected header
-		if sig.Header != nil && sig.Header.getNonce() != "" {
-			return nil, ErrUnprotectedNonce
-		}
-
-		var err error
-		obj.Signatures[i].Header, err = obj.Signatures[i].mergedHeaders().sanitized()
-		if err != nil {
-			return nil, err
-		}
-
-		alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
-		if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
-			return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
-				alg, signatureAlgorithms)
-		}
-
-		if obj.Signatures[i].header != nil {
-			obj.Signatures[i].Unprotected, err = obj.Signatures[i].header.sanitized()
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		if obj.Signatures[i].protected != nil {
-			obj.Signatures[i].Protected, err = obj.Signatures[i].protected.sanitized()
-			if err != nil {
-				return nil, err
-			}
-		}
-
-		obj.Signatures[i].Signature = sig.Signature.bytes()
-
-		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
-		jwk := obj.Signatures[i].Header.JSONWebKey
-		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
-			return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
-		}
-
-		// Copy value of sig
-		original := sig
-
-		obj.Signatures[i].header = sig.Header
-		obj.Signatures[i].original = &original
-	}
-
-	return obj, nil
-}
-
-// parseSignedCompact parses a message in compact format.
-func parseSignedCompact(
-	input string,
-	payload []byte,
-	signatureAlgorithms []SignatureAlgorithm,
-) (*JSONWebSignature, error) {
-	// Three parts is two separators
-	if strings.Count(input, ".") != 2 {
-		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
-	}
-	parts := strings.SplitN(input, ".", 3)
-
-	if parts[1] != "" && payload != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
-	}
-
-	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
-	if err != nil {
-		return nil, err
-	}
-
-	if payload == nil {
-		payload, err = base64.RawURLEncoding.DecodeString(parts[1])
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	signature, err := base64.RawURLEncoding.DecodeString(parts[2])
-	if err != nil {
-		return nil, err
-	}
-
-	raw := &rawJSONWebSignature{
-		Payload:   newBuffer(payload),
-		Protected: newBuffer(rawProtected),
-		Signature: newBuffer(signature),
-	}
-	return raw.sanitized(signatureAlgorithms)
-}
-
-func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) {
-	if len(obj.Signatures) != 1 || obj.Signatures[0].header != nil || obj.Signatures[0].protected == nil {
-		return "", ErrNotSupported
-	}
-
-	serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
-
-	var payload []byte
-	if !detached {
-		payload = obj.payload
-	}
-
-	return base64JoinWithDots(
-		serializedProtected,
-		payload,
-		obj.Signatures[0].Signature,
-	), nil
-}
-
-// CompactSerialize serializes an object using the compact serialization format.
-func (obj JSONWebSignature) CompactSerialize() (string, error) {
-	return obj.compactSerialize(false)
-}
-
-// DetachedCompactSerialize serializes an object using the compact serialization format with detached payload.
-func (obj JSONWebSignature) DetachedCompactSerialize() (string, error) {
-	return obj.compactSerialize(true)
-}
-
-// FullSerialize serializes an object using the full JSON serialization format.
-func (obj JSONWebSignature) FullSerialize() string {
-	raw := rawJSONWebSignature{
-		Payload: newBuffer(obj.payload),
-	}
-
-	if len(obj.Signatures) == 1 {
-		if obj.Signatures[0].protected != nil {
-			serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
-			raw.Protected = newBuffer(serializedProtected)
-		}
-		raw.Header = obj.Signatures[0].header
-		raw.Signature = newBuffer(obj.Signatures[0].Signature)
-	} else {
-		raw.Signatures = make([]rawSignatureInfo, len(obj.Signatures))
-		for i, signature := range obj.Signatures {
-			raw.Signatures[i] = rawSignatureInfo{
-				Header:    signature.header,
-				Signature: newBuffer(signature.Signature),
-			}
-
-			if signature.protected != nil {
-				raw.Signatures[i].Protected = newBuffer(mustSerializeJSON(signature.protected))
-			}
-		}
-	}
-
-	return string(mustSerializeJSON(raw))
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/opaque.go b/vendor/github.com/go-jose/go-jose/v4/opaque.go
deleted file mode 100644
index 429427232e8..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/opaque.go
+++ /dev/null
@@ -1,147 +0,0 @@
-/*-
- * Copyright 2018 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-// OpaqueSigner is an interface that supports signing payloads with opaque
-// private key(s). Private key operations performed by implementers may, for
-// example, occur in a hardware module. An OpaqueSigner may rotate signing keys
-// transparently to the user of this interface.
-type OpaqueSigner interface {
-	// Public returns the public key of the current signing key.
-	Public() *JSONWebKey
-	// Algs returns a list of supported signing algorithms.
-	Algs() []SignatureAlgorithm
-	// SignPayload signs a payload with the current signing key using the given
-	// algorithm.
-	SignPayload(payload []byte, alg SignatureAlgorithm) ([]byte, error)
-}
-
-type opaqueSigner struct {
-	signer OpaqueSigner
-}
-
-func newOpaqueSigner(alg SignatureAlgorithm, signer OpaqueSigner) (recipientSigInfo, error) {
-	var algSupported bool
-	for _, salg := range signer.Algs() {
-		if alg == salg {
-			algSupported = true
-			break
-		}
-	}
-	if !algSupported {
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	return recipientSigInfo{
-		sigAlg:    alg,
-		publicKey: signer.Public,
-		signer: &opaqueSigner{
-			signer: signer,
-		},
-	}, nil
-}
-
-func (o *opaqueSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	out, err := o.signer.SignPayload(payload, alg)
-	if err != nil {
-		return Signature{}, err
-	}
-
-	return Signature{
-		Signature: out,
-		protected: &rawHeader{},
-	}, nil
-}
-
-// OpaqueVerifier is an interface that supports verifying payloads with opaque
-// public key(s). An OpaqueSigner may rotate signing keys transparently to the
-// user of this interface.
-type OpaqueVerifier interface {
-	VerifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error
-}
-
-type opaqueVerifier struct {
-	verifier OpaqueVerifier
-}
-
-func (o *opaqueVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
-	return o.verifier.VerifyPayload(payload, signature, alg)
-}
-
-// OpaqueKeyEncrypter is an interface that supports encrypting keys with an opaque key.
-//
-// Note: this cannot currently be implemented outside this package because of its
-// unexported method.
-type OpaqueKeyEncrypter interface {
-	// KeyID returns the kid
-	KeyID() string
-	// Algs returns a list of supported key encryption algorithms.
-	Algs() []KeyAlgorithm
-	// encryptKey encrypts the CEK using the given algorithm.
-	encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error)
-}
-
-type opaqueKeyEncrypter struct {
-	encrypter OpaqueKeyEncrypter
-}
-
-func newOpaqueKeyEncrypter(alg KeyAlgorithm, encrypter OpaqueKeyEncrypter) (recipientKeyInfo, error) {
-	var algSupported bool
-	for _, salg := range encrypter.Algs() {
-		if alg == salg {
-			algSupported = true
-			break
-		}
-	}
-	if !algSupported {
-		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	return recipientKeyInfo{
-		keyID:  encrypter.KeyID(),
-		keyAlg: alg,
-		keyEncrypter: &opaqueKeyEncrypter{
-			encrypter: encrypter,
-		},
-	}, nil
-}
-
-func (oke *opaqueKeyEncrypter) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
-	return oke.encrypter.encryptKey(cek, alg)
-}
-
-// OpaqueKeyDecrypter is an interface that supports decrypting keys with an opaque key.
-type OpaqueKeyDecrypter interface {
-	DecryptKey(encryptedKey []byte, header Header) ([]byte, error)
-}
-
-type opaqueKeyDecrypter struct {
-	decrypter OpaqueKeyDecrypter
-}
-
-func (okd *opaqueKeyDecrypter) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
-	mergedHeaders := rawHeader{}
-	mergedHeaders.merge(&headers)
-	mergedHeaders.merge(recipient.header)
-
-	header, err := mergedHeaders.sanitized()
-	if err != nil {
-		return nil, err
-	}
-
-	return okd.decrypter.DecryptKey(recipient.encryptedKey, header)
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/shared.go b/vendor/github.com/go-jose/go-jose/v4/shared.go
deleted file mode 100644
index 1ec33961265..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/shared.go
+++ /dev/null
@@ -1,531 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"crypto/elliptic"
-	"crypto/x509"
-	"encoding/base64"
-	"errors"
-	"fmt"
-
-	"github.com/go-jose/go-jose/v4/json"
-)
-
-// KeyAlgorithm represents a key management algorithm.
-type KeyAlgorithm string
-
-// SignatureAlgorithm represents a signature (or MAC) algorithm.
-type SignatureAlgorithm string
-
-// ContentEncryption represents a content encryption algorithm.
-type ContentEncryption string
-
-// CompressionAlgorithm represents an algorithm used for plaintext compression.
-type CompressionAlgorithm string
-
-// ContentType represents type of the contained data.
-type ContentType string
-
-var (
-	// ErrCryptoFailure represents an error in cryptographic primitive. This
-	// occurs when, for example, a message had an invalid authentication tag or
-	// could not be decrypted.
-	ErrCryptoFailure = errors.New("go-jose/go-jose: error in cryptographic primitive")
-
-	// ErrUnsupportedAlgorithm indicates that a selected algorithm is not
-	// supported. This occurs when trying to instantiate an encrypter for an
-	// algorithm that is not yet implemented.
-	ErrUnsupportedAlgorithm = errors.New("go-jose/go-jose: unknown/unsupported algorithm")
-
-	// ErrUnsupportedKeyType indicates that the given key type/format is not
-	// supported. This occurs when trying to instantiate an encrypter and passing
-	// it a key of an unrecognized type or with unsupported parameters, such as
-	// an RSA private key with more than two primes.
-	ErrUnsupportedKeyType = errors.New("go-jose/go-jose: unsupported key type/format")
-
-	// ErrInvalidKeySize indicates that the given key is not the correct size
-	// for the selected algorithm. This can occur, for example, when trying to
-	// encrypt with AES-256 but passing only a 128-bit key as input.
-	ErrInvalidKeySize = errors.New("go-jose/go-jose: invalid key size for algorithm")
-
-	// ErrNotSupported serialization of object is not supported. This occurs when
-	// trying to compact-serialize an object which can't be represented in
-	// compact form.
-	ErrNotSupported = errors.New("go-jose/go-jose: compact serialization not supported for object")
-
-	// ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a
-	// nonce header parameter was included in an unprotected header object.
-	ErrUnprotectedNonce = errors.New("go-jose/go-jose: Nonce parameter included in unprotected header")
-
-	// ErrMissingX5cHeader indicates that the JWT header is missing x5c headers.
-	ErrMissingX5cHeader = errors.New("go-jose/go-jose: no x5c header present in message")
-
-	// ErrUnsupportedEllipticCurve indicates unsupported or unknown elliptic curve has been found.
-	ErrUnsupportedEllipticCurve = errors.New("go-jose/go-jose: unsupported/unknown elliptic curve")
-)
-
-// Key management algorithms
-const (
-	ED25519            = KeyAlgorithm("ED25519")
-	RSA1_5             = KeyAlgorithm("RSA1_5")             // RSA-PKCS1v1.5
-	RSA_OAEP           = KeyAlgorithm("RSA-OAEP")           // RSA-OAEP-SHA1
-	RSA_OAEP_256       = KeyAlgorithm("RSA-OAEP-256")       // RSA-OAEP-SHA256
-	A128KW             = KeyAlgorithm("A128KW")             // AES key wrap (128)
-	A192KW             = KeyAlgorithm("A192KW")             // AES key wrap (192)
-	A256KW             = KeyAlgorithm("A256KW")             // AES key wrap (256)
-	DIRECT             = KeyAlgorithm("dir")                // Direct encryption
-	ECDH_ES            = KeyAlgorithm("ECDH-ES")            // ECDH-ES
-	ECDH_ES_A128KW     = KeyAlgorithm("ECDH-ES+A128KW")     // ECDH-ES + AES key wrap (128)
-	ECDH_ES_A192KW     = KeyAlgorithm("ECDH-ES+A192KW")     // ECDH-ES + AES key wrap (192)
-	ECDH_ES_A256KW     = KeyAlgorithm("ECDH-ES+A256KW")     // ECDH-ES + AES key wrap (256)
-	A128GCMKW          = KeyAlgorithm("A128GCMKW")          // AES-GCM key wrap (128)
-	A192GCMKW          = KeyAlgorithm("A192GCMKW")          // AES-GCM key wrap (192)
-	A256GCMKW          = KeyAlgorithm("A256GCMKW")          // AES-GCM key wrap (256)
-	PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128)
-	PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192)
-	PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256)
-)
-
-// Signature algorithms
-const (
-	EdDSA = SignatureAlgorithm("EdDSA")
-	HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256
-	HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384
-	HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512
-	RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256
-	RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384
-	RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512
-	ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256
-	ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384
-	ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512
-	PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256
-	PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384
-	PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512
-)
-
-// Content encryption algorithms
-const (
-	A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128)
-	A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192)
-	A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256)
-	A128GCM       = ContentEncryption("A128GCM")       // AES-GCM (128)
-	A192GCM       = ContentEncryption("A192GCM")       // AES-GCM (192)
-	A256GCM       = ContentEncryption("A256GCM")       // AES-GCM (256)
-)
-
-// Compression algorithms
-const (
-	NONE    = CompressionAlgorithm("")    // No compression
-	DEFLATE = CompressionAlgorithm("DEF") // DEFLATE (RFC 1951)
-)
-
-// A key in the protected header of a JWS object. Use of the Header...
-// constants is preferred to enhance type safety.
-type HeaderKey string
-
-const (
-	HeaderType        = "typ" // string
-	HeaderContentType = "cty" // string
-
-	// These are set by go-jose and shouldn't need to be set by consumers of the
-	// library.
-	headerAlgorithm   = "alg"  // string
-	headerEncryption  = "enc"  // ContentEncryption
-	headerCompression = "zip"  // CompressionAlgorithm
-	headerCritical    = "crit" // []string
-
-	headerAPU = "apu" // *byteBuffer
-	headerAPV = "apv" // *byteBuffer
-	headerEPK = "epk" // *JSONWebKey
-	headerIV  = "iv"  // *byteBuffer
-	headerTag = "tag" // *byteBuffer
-	headerX5c = "x5c" // []*x509.Certificate
-
-	headerJWK   = "jwk"   // *JSONWebKey
-	headerKeyID = "kid"   // string
-	headerNonce = "nonce" // string
-	headerB64   = "b64"   // bool
-
-	headerP2C = "p2c" // *byteBuffer (int)
-	headerP2S = "p2s" // *byteBuffer ([]byte)
-
-)
-
-// supportedCritical is the set of supported extensions that are understood and processed.
-var supportedCritical = map[string]bool{
-	headerB64: true,
-}
-
-// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing).
-//
-// The decoding of the constituent items is deferred because we want to marshal
-// some members into particular structs rather than generic maps, but at the
-// same time we need to receive any extra fields unhandled by this library to
-// pass through to consuming code in case it wants to examine them.
-type rawHeader map[HeaderKey]*json.RawMessage
-
-// Header represents the read-only JOSE header for JWE/JWS objects.
-type Header struct {
-	KeyID      string
-	JSONWebKey *JSONWebKey
-	Algorithm  string
-	Nonce      string
-
-	// Unverified certificate chain parsed from x5c header.
-	certificates []*x509.Certificate
-
-	// At parse time, each header parameter with a name other than "kid",
-	// "jwk", "alg", "nonce", or "x5c"  will have its value passed to
-	// [json.Unmarshal] to unmarshal it into an interface value.
-	// The resulting value will be stored in this map, with the header
-	// parameter name as the key.
-	//
-	// [json.Unmarshal]: https://pkg.go.dev/encoding/json#Unmarshal
-	ExtraHeaders map[HeaderKey]interface{}
-}
-
-// Certificates verifies & returns the certificate chain present
-// in the x5c header field of a message, if one was present. Returns
-// an error if there was no x5c header present or the chain could
-// not be validated with the given verify options.
-func (h Header) Certificates(opts x509.VerifyOptions) ([][]*x509.Certificate, error) {
-	if len(h.certificates) == 0 {
-		return nil, ErrMissingX5cHeader
-	}
-
-	leaf := h.certificates[0]
-	if opts.Intermediates == nil {
-		opts.Intermediates = x509.NewCertPool()
-		for _, intermediate := range h.certificates[1:] {
-			opts.Intermediates.AddCert(intermediate)
-		}
-	}
-
-	return leaf.Verify(opts)
-}
-
-func (parsed rawHeader) set(k HeaderKey, v interface{}) error {
-	b, err := json.Marshal(v)
-	if err != nil {
-		return err
-	}
-
-	parsed[k] = makeRawMessage(b)
-	return nil
-}
-
-// getString gets a string from the raw JSON, defaulting to "".
-func (parsed rawHeader) getString(k HeaderKey) string {
-	v, ok := parsed[k]
-	if !ok || v == nil {
-		return ""
-	}
-	var s string
-	err := json.Unmarshal(*v, &s)
-	if err != nil {
-		return ""
-	}
-	return s
-}
-
-// getByteBuffer gets a byte buffer from the raw JSON. Returns (nil, nil) if
-// not specified.
-func (parsed rawHeader) getByteBuffer(k HeaderKey) (*byteBuffer, error) {
-	v := parsed[k]
-	if v == nil {
-		return nil, nil
-	}
-	var bb *byteBuffer
-	err := json.Unmarshal(*v, &bb)
-	if err != nil {
-		return nil, err
-	}
-	return bb, nil
-}
-
-// getAlgorithm extracts parsed "alg" from the raw JSON as a KeyAlgorithm.
-func (parsed rawHeader) getAlgorithm() KeyAlgorithm {
-	return KeyAlgorithm(parsed.getString(headerAlgorithm))
-}
-
-// getSignatureAlgorithm extracts parsed "alg" from the raw JSON as a SignatureAlgorithm.
-func (parsed rawHeader) getSignatureAlgorithm() SignatureAlgorithm {
-	return SignatureAlgorithm(parsed.getString(headerAlgorithm))
-}
-
-// getEncryption extracts parsed "enc" from the raw JSON.
-func (parsed rawHeader) getEncryption() ContentEncryption {
-	return ContentEncryption(parsed.getString(headerEncryption))
-}
-
-// getCompression extracts parsed "zip" from the raw JSON.
-func (parsed rawHeader) getCompression() CompressionAlgorithm {
-	return CompressionAlgorithm(parsed.getString(headerCompression))
-}
-
-func (parsed rawHeader) getNonce() string {
-	return parsed.getString(headerNonce)
-}
-
-// getEPK extracts parsed "epk" from the raw JSON.
-func (parsed rawHeader) getEPK() (*JSONWebKey, error) {
-	v := parsed[headerEPK]
-	if v == nil {
-		return nil, nil
-	}
-	var epk *JSONWebKey
-	err := json.Unmarshal(*v, &epk)
-	if err != nil {
-		return nil, err
-	}
-	return epk, nil
-}
-
-// getAPU extracts parsed "apu" from the raw JSON.
-func (parsed rawHeader) getAPU() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerAPU)
-}
-
-// getAPV extracts parsed "apv" from the raw JSON.
-func (parsed rawHeader) getAPV() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerAPV)
-}
-
-// getIV extracts parsed "iv" from the raw JSON.
-func (parsed rawHeader) getIV() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerIV)
-}
-
-// getTag extracts parsed "tag" from the raw JSON.
-func (parsed rawHeader) getTag() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerTag)
-}
-
-// getJWK extracts parsed "jwk" from the raw JSON.
-func (parsed rawHeader) getJWK() (*JSONWebKey, error) {
-	v := parsed[headerJWK]
-	if v == nil {
-		return nil, nil
-	}
-	var jwk *JSONWebKey
-	err := json.Unmarshal(*v, &jwk)
-	if err != nil {
-		return nil, err
-	}
-	return jwk, nil
-}
-
-// getCritical extracts parsed "crit" from the raw JSON. If omitted, it
-// returns an empty slice.
-func (parsed rawHeader) getCritical() ([]string, error) {
-	v := parsed[headerCritical]
-	if v == nil {
-		return nil, nil
-	}
-
-	var q []string
-	err := json.Unmarshal(*v, &q)
-	if err != nil {
-		return nil, err
-	}
-	return q, nil
-}
-
-// getS2C extracts parsed "p2c" from the raw JSON.
-func (parsed rawHeader) getP2C() (int, error) {
-	v := parsed[headerP2C]
-	if v == nil {
-		return 0, nil
-	}
-
-	var p2c int
-	err := json.Unmarshal(*v, &p2c)
-	if err != nil {
-		return 0, err
-	}
-	return p2c, nil
-}
-
-// getS2S extracts parsed "p2s" from the raw JSON.
-func (parsed rawHeader) getP2S() (*byteBuffer, error) {
-	return parsed.getByteBuffer(headerP2S)
-}
-
-// getB64 extracts parsed "b64" from the raw JSON, defaulting to true.
-func (parsed rawHeader) getB64() (bool, error) {
-	v := parsed[headerB64]
-	if v == nil {
-		return true, nil
-	}
-
-	var b64 bool
-	err := json.Unmarshal(*v, &b64)
-	if err != nil {
-		return true, err
-	}
-	return b64, nil
-}
-
-// sanitized produces a cleaned-up header object from the raw JSON.
-func (parsed rawHeader) sanitized() (h Header, err error) {
-	for k, v := range parsed {
-		if v == nil {
-			continue
-		}
-		switch k {
-		case headerJWK:
-			var jwk *JSONWebKey
-			err = json.Unmarshal(*v, &jwk)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal JWK: %v: %#v", err, string(*v))
-				return
-			}
-			h.JSONWebKey = jwk
-		case headerKeyID:
-			var s string
-			err = json.Unmarshal(*v, &s)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal key ID: %v: %#v", err, string(*v))
-				return
-			}
-			h.KeyID = s
-		case headerAlgorithm:
-			var s string
-			err = json.Unmarshal(*v, &s)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal algorithm: %v: %#v", err, string(*v))
-				return
-			}
-			h.Algorithm = s
-		case headerNonce:
-			var s string
-			err = json.Unmarshal(*v, &s)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal nonce: %v: %#v", err, string(*v))
-				return
-			}
-			h.Nonce = s
-		case headerX5c:
-			c := []string{}
-			err = json.Unmarshal(*v, &c)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal x5c header: %v: %#v", err, string(*v))
-				return
-			}
-			h.certificates, err = parseCertificateChain(c)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal x5c header: %v: %#v", err, string(*v))
-				return
-			}
-		default:
-			if h.ExtraHeaders == nil {
-				h.ExtraHeaders = map[HeaderKey]interface{}{}
-			}
-			var v2 interface{}
-			err = json.Unmarshal(*v, &v2)
-			if err != nil {
-				err = fmt.Errorf("failed to unmarshal value: %v: %#v", err, string(*v))
-				return
-			}
-			h.ExtraHeaders[k] = v2
-		}
-	}
-	return
-}
-
-func parseCertificateChain(chain []string) ([]*x509.Certificate, error) {
-	out := make([]*x509.Certificate, len(chain))
-	for i, cert := range chain {
-		raw, err := base64.StdEncoding.DecodeString(cert)
-		if err != nil {
-			return nil, err
-		}
-		out[i], err = x509.ParseCertificate(raw)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return out, nil
-}
-
-func (parsed rawHeader) isSet(k HeaderKey) bool {
-	dvr := parsed[k]
-	if dvr == nil {
-		return false
-	}
-
-	var dv interface{}
-	err := json.Unmarshal(*dvr, &dv)
-	if err != nil {
-		return true
-	}
-
-	if dvStr, ok := dv.(string); ok {
-		return dvStr != ""
-	}
-
-	return true
-}
-
-// Merge headers from src into dst, giving precedence to headers from l.
-func (parsed rawHeader) merge(src *rawHeader) {
-	if src == nil {
-		return
-	}
-
-	for k, v := range *src {
-		if parsed.isSet(k) {
-			continue
-		}
-
-		parsed[k] = v
-	}
-}
-
-// Get JOSE name of curve
-func curveName(crv elliptic.Curve) (string, error) {
-	switch crv {
-	case elliptic.P256():
-		return "P-256", nil
-	case elliptic.P384():
-		return "P-384", nil
-	case elliptic.P521():
-		return "P-521", nil
-	default:
-		return "", ErrUnsupportedEllipticCurve
-	}
-}
-
-// Get size of curve in bytes
-func curveSize(crv elliptic.Curve) int {
-	bits := crv.Params().BitSize
-
-	div := bits / 8
-	mod := bits % 8
-
-	if mod == 0 {
-		return div
-	}
-
-	return div + 1
-}
-
-func makeRawMessage(b []byte) *json.RawMessage {
-	rm := json.RawMessage(b)
-	return &rm
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/signing.go b/vendor/github.com/go-jose/go-jose/v4/signing.go
deleted file mode 100644
index 3dec0112b6f..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/signing.go
+++ /dev/null
@@ -1,505 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/rsa"
-	"encoding/base64"
-	"errors"
-	"fmt"
-
-	"github.com/go-jose/go-jose/v4/json"
-)
-
-// NonceSource represents a source of random nonces to go into JWS objects
-type NonceSource interface {
-	Nonce() (string, error)
-}
-
-// Signer represents a signer which takes a payload and produces a signed JWS object.
-type Signer interface {
-	Sign(payload []byte) (*JSONWebSignature, error)
-	Options() SignerOptions
-}
-
-// SigningKey represents an algorithm/key used to sign a message.
-//
-// Key must have one of these types:
-//   - ed25519.PrivateKey
-//   - *ecdsa.PrivateKey
-//   - *rsa.PrivateKey
-//   - *JSONWebKey
-//   - JSONWebKey
-//   - []byte (an HMAC key)
-//   - Any type that satisfies the OpaqueSigner interface
-//
-// If the key is an HMAC key, it must have at least as many bytes as the relevant hash output:
-//   - HS256: 32 bytes
-//   - HS384: 48 bytes
-//   - HS512: 64 bytes
-type SigningKey struct {
-	Algorithm SignatureAlgorithm
-	Key       interface{}
-}
-
-// SignerOptions represents options that can be set when creating signers.
-type SignerOptions struct {
-	NonceSource NonceSource
-	EmbedJWK    bool
-
-	// Optional map of additional keys to be inserted into the protected header
-	// of a JWS object. Some specifications which make use of JWS like to insert
-	// additional values here.
-	//
-	// Values will be serialized by [json.Marshal] and must be valid inputs to
-	// that function.
-	//
-	// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal
-	ExtraHeaders map[HeaderKey]interface{}
-}
-
-// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
-// if necessary, and returns the updated SignerOptions.
-//
-// The v argument will be serialized by [json.Marshal] and must be a valid
-// input to that function.
-//
-// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal
-func (so *SignerOptions) WithHeader(k HeaderKey, v interface{}) *SignerOptions {
-	if so.ExtraHeaders == nil {
-		so.ExtraHeaders = map[HeaderKey]interface{}{}
-	}
-	so.ExtraHeaders[k] = v
-	return so
-}
-
-// WithContentType adds a content type ("cty") header and returns the updated
-// SignerOptions.
-func (so *SignerOptions) WithContentType(contentType ContentType) *SignerOptions {
-	return so.WithHeader(HeaderContentType, contentType)
-}
-
-// WithType adds a type ("typ") header and returns the updated SignerOptions.
-func (so *SignerOptions) WithType(typ ContentType) *SignerOptions {
-	return so.WithHeader(HeaderType, typ)
-}
-
-// WithCritical adds the given names to the critical ("crit") header and returns
-// the updated SignerOptions.
-func (so *SignerOptions) WithCritical(names ...string) *SignerOptions {
-	if so.ExtraHeaders[headerCritical] == nil {
-		so.WithHeader(headerCritical, make([]string, 0, len(names)))
-	}
-	crit := so.ExtraHeaders[headerCritical].([]string)
-	so.ExtraHeaders[headerCritical] = append(crit, names...)
-	return so
-}
-
-// WithBase64 adds a base64url-encode payload ("b64") header and returns the updated
-// SignerOptions. When the "b64" value is "false", the payload is not base64 encoded.
-func (so *SignerOptions) WithBase64(b64 bool) *SignerOptions {
-	if !b64 {
-		so.WithHeader(headerB64, b64)
-		so.WithCritical(headerB64)
-	}
-	return so
-}
-
-type payloadSigner interface {
-	signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error)
-}
-
-type payloadVerifier interface {
-	verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error
-}
-
-type genericSigner struct {
-	recipients   []recipientSigInfo
-	nonceSource  NonceSource
-	embedJWK     bool
-	extraHeaders map[HeaderKey]interface{}
-}
-
-type recipientSigInfo struct {
-	sigAlg    SignatureAlgorithm
-	publicKey func() *JSONWebKey
-	signer    payloadSigner
-}
-
-func staticPublicKey(jwk *JSONWebKey) func() *JSONWebKey {
-	return func() *JSONWebKey {
-		return jwk
-	}
-}
-
-// NewSigner creates an appropriate signer based on the key type
-func NewSigner(sig SigningKey, opts *SignerOptions) (Signer, error) {
-	return NewMultiSigner([]SigningKey{sig}, opts)
-}
-
-// NewMultiSigner creates a signer for multiple recipients
-func NewMultiSigner(sigs []SigningKey, opts *SignerOptions) (Signer, error) {
-	signer := &genericSigner{recipients: []recipientSigInfo{}}
-
-	if opts != nil {
-		signer.nonceSource = opts.NonceSource
-		signer.embedJWK = opts.EmbedJWK
-		signer.extraHeaders = opts.ExtraHeaders
-	}
-
-	for _, sig := range sigs {
-		err := signer.addRecipient(sig.Algorithm, sig.Key)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return signer, nil
-}
-
-// newVerifier creates a verifier based on the key type
-func newVerifier(verificationKey interface{}) (payloadVerifier, error) {
-	switch verificationKey := verificationKey.(type) {
-	case ed25519.PublicKey:
-		return &edEncrypterVerifier{
-			publicKey: verificationKey,
-		}, nil
-	case *rsa.PublicKey:
-		return &rsaEncrypterVerifier{
-			publicKey: verificationKey,
-		}, nil
-	case *ecdsa.PublicKey:
-		return &ecEncrypterVerifier{
-			publicKey: verificationKey,
-		}, nil
-	case []byte:
-		return &symmetricMac{
-			key: verificationKey,
-		}, nil
-	case JSONWebKey:
-		return newVerifier(verificationKey.Key)
-	case *JSONWebKey:
-		return newVerifier(verificationKey.Key)
-	case OpaqueVerifier:
-		return &opaqueVerifier{verifier: verificationKey}, nil
-	default:
-		return nil, ErrUnsupportedKeyType
-	}
-}
-
-func (ctx *genericSigner) addRecipient(alg SignatureAlgorithm, signingKey interface{}) error {
-	recipient, err := makeJWSRecipient(alg, signingKey)
-	if err != nil {
-		return err
-	}
-
-	ctx.recipients = append(ctx.recipients, recipient)
-	return nil
-}
-
-func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) {
-	switch signingKey := signingKey.(type) {
-	case ed25519.PrivateKey:
-		return newEd25519Signer(alg, signingKey)
-	case *rsa.PrivateKey:
-		return newRSASigner(alg, signingKey)
-	case *ecdsa.PrivateKey:
-		return newECDSASigner(alg, signingKey)
-	case []byte:
-		return newSymmetricSigner(alg, signingKey)
-	case JSONWebKey:
-		return newJWKSigner(alg, signingKey)
-	case *JSONWebKey:
-		return newJWKSigner(alg, *signingKey)
-	case OpaqueSigner:
-		return newOpaqueSigner(alg, signingKey)
-	default:
-		return recipientSigInfo{}, ErrUnsupportedKeyType
-	}
-}
-
-func newJWKSigner(alg SignatureAlgorithm, signingKey JSONWebKey) (recipientSigInfo, error) {
-	recipient, err := makeJWSRecipient(alg, signingKey.Key)
-	if err != nil {
-		return recipientSigInfo{}, err
-	}
-	if recipient.publicKey != nil && recipient.publicKey() != nil {
-		// recipient.publicKey is a JWK synthesized for embedding when recipientSigInfo
-		// was created for the inner key (such as a RSA or ECDSA public key). It contains
-		// the pub key for embedding, but doesn't have extra params like key id.
-		publicKey := signingKey
-		publicKey.Key = recipient.publicKey().Key
-		recipient.publicKey = staticPublicKey(&publicKey)
-
-		// This should be impossible, but let's check anyway.
-		if !recipient.publicKey().IsPublic() {
-			return recipientSigInfo{}, errors.New("go-jose/go-jose: public key was unexpectedly not public")
-		}
-	}
-	return recipient, nil
-}
-
-func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) {
-	obj := &JSONWebSignature{}
-	obj.payload = payload
-	obj.Signatures = make([]Signature, len(ctx.recipients))
-
-	for i, recipient := range ctx.recipients {
-		protected := map[HeaderKey]interface{}{
-			headerAlgorithm: string(recipient.sigAlg),
-		}
-
-		if recipient.publicKey != nil && recipient.publicKey() != nil {
-			// We want to embed the JWK or set the kid header, but not both. Having a protected
-			// header that contains an embedded JWK while also simultaneously containing the kid
-			// header is confusing, and at least in ACME the two are considered to be mutually
-			// exclusive. The fact that both can exist at the same time is a somewhat unfortunate
-			// result of the JOSE spec. We've decided that this library will only include one or
-			// the other to avoid this confusion.
-			//
-			// See https://github.com/go-jose/go-jose/issues/157 for more context.
-			if ctx.embedJWK {
-				protected[headerJWK] = recipient.publicKey()
-			} else {
-				keyID := recipient.publicKey().KeyID
-				if keyID != "" {
-					protected[headerKeyID] = keyID
-				}
-			}
-		}
-
-		if ctx.nonceSource != nil {
-			nonce, err := ctx.nonceSource.Nonce()
-			if err != nil {
-				return nil, fmt.Errorf("go-jose/go-jose: Error generating nonce: %v", err)
-			}
-			protected[headerNonce] = nonce
-		}
-
-		for k, v := range ctx.extraHeaders {
-			protected[k] = v
-		}
-
-		serializedProtected := mustSerializeJSON(protected)
-		needsBase64 := true
-
-		if b64, ok := protected[headerB64]; ok {
-			if needsBase64, ok = b64.(bool); !ok {
-				return nil, errors.New("go-jose/go-jose: Invalid b64 header parameter")
-			}
-		}
-
-		var input bytes.Buffer
-
-		input.WriteString(base64.RawURLEncoding.EncodeToString(serializedProtected))
-		input.WriteByte('.')
-
-		if needsBase64 {
-			input.WriteString(base64.RawURLEncoding.EncodeToString(payload))
-		} else {
-			input.Write(payload)
-		}
-
-		signatureInfo, err := recipient.signer.signPayload(input.Bytes(), recipient.sigAlg)
-		if err != nil {
-			return nil, err
-		}
-
-		signatureInfo.protected = &rawHeader{}
-		for k, v := range protected {
-			b, err := json.Marshal(v)
-			if err != nil {
-				return nil, fmt.Errorf("go-jose/go-jose: Error marshalling item %#v: %v", k, err)
-			}
-			(*signatureInfo.protected)[k] = makeRawMessage(b)
-		}
-		obj.Signatures[i] = signatureInfo
-	}
-
-	return obj, nil
-}
-
-func (ctx *genericSigner) Options() SignerOptions {
-	return SignerOptions{
-		NonceSource:  ctx.nonceSource,
-		EmbedJWK:     ctx.embedJWK,
-		ExtraHeaders: ctx.extraHeaders,
-	}
-}
-
-// Verify validates the signature on the object and returns the payload.
-// This function does not support multi-signature. If you desire multi-signature
-// verification use VerifyMulti instead.
-//
-// Be careful when verifying signatures based on embedded JWKs inside the
-// payload header. You cannot assume that the key received in a payload is
-// trusted.
-//
-// The verificationKey argument must have one of these types:
-//   - ed25519.PublicKey
-//   - *ecdsa.PublicKey
-//   - *rsa.PublicKey
-//   - *JSONWebKey
-//   - JSONWebKey
-//   - *JSONWebKeySet
-//   - JSONWebKeySet
-//   - []byte (an HMAC key)
-//   - Any type that implements the OpaqueVerifier interface.
-//
-// If the key is an HMAC key, it must have at least as many bytes as the relevant hash output:
-//   - HS256: 32 bytes
-//   - HS384: 48 bytes
-//   - HS512: 64 bytes
-func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) {
-	err := obj.DetachedVerify(obj.payload, verificationKey)
-	if err != nil {
-		return nil, err
-	}
-	return obj.payload, nil
-}
-
-// UnsafePayloadWithoutVerification returns the payload without
-// verifying it. The content returned from this function cannot be
-// trusted.
-func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
-	return obj.payload
-}
-
-// DetachedVerify validates a detached signature on the given payload. In
-// most cases, you will probably want to use Verify instead. DetachedVerify
-// is only useful if you have a payload and signature that are separated from
-// each other.
-//
-// The verificationKey argument must have one of the types allowed for the
-// verificationKey argument of JSONWebSignature.Verify().
-func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error {
-	key, err := tryJWKS(verificationKey, obj.headers()...)
-	if err != nil {
-		return err
-	}
-	verifier, err := newVerifier(key)
-	if err != nil {
-		return err
-	}
-
-	if len(obj.Signatures) > 1 {
-		return errors.New("go-jose/go-jose: too many signatures in payload; expecting only one")
-	}
-
-	signature := obj.Signatures[0]
-	headers := signature.mergedHeaders()
-	critical, err := headers.getCritical()
-	if err != nil {
-		return err
-	}
-
-	for _, name := range critical {
-		if !supportedCritical[name] {
-			return ErrCryptoFailure
-		}
-	}
-
-	input, err := obj.computeAuthData(payload, &signature)
-	if err != nil {
-		return ErrCryptoFailure
-	}
-
-	alg := headers.getSignatureAlgorithm()
-	err = verifier.verifyPayload(input, signature.Signature, alg)
-	if err == nil {
-		return nil
-	}
-
-	return ErrCryptoFailure
-}
-
-// VerifyMulti validates (one of the multiple) signatures on the object and
-// returns the index of the signature that was verified, along with the signature
-// object and the payload. We return the signature and index to guarantee that
-// callers are getting the verified value.
-//
-// The verificationKey argument must have one of the types allowed for the
-// verificationKey argument of JSONWebSignature.Verify().
-func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) {
-	idx, sig, err := obj.DetachedVerifyMulti(obj.payload, verificationKey)
-	if err != nil {
-		return -1, Signature{}, nil, err
-	}
-	return idx, sig, obj.payload, nil
-}
-
-// DetachedVerifyMulti validates a detached signature on the given payload with
-// a signature/object that has potentially multiple signers. This returns the index
-// of the signature that was verified, along with the signature object. We return
-// the signature and index to guarantee that callers are getting the verified value.
-//
-// In most cases, you will probably want to use Verify or VerifyMulti instead.
-// DetachedVerifyMulti is only useful if you have a payload and signature that are
-// separated from each other, and the signature can have multiple signers at the
-// same time.
-//
-// The verificationKey argument must have one of the types allowed for the
-// verificationKey argument of JSONWebSignature.Verify().
-func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error) {
-	key, err := tryJWKS(verificationKey, obj.headers()...)
-	if err != nil {
-		return -1, Signature{}, err
-	}
-	verifier, err := newVerifier(key)
-	if err != nil {
-		return -1, Signature{}, err
-	}
-
-outer:
-	for i, signature := range obj.Signatures {
-		headers := signature.mergedHeaders()
-		critical, err := headers.getCritical()
-		if err != nil {
-			continue
-		}
-
-		for _, name := range critical {
-			if !supportedCritical[name] {
-				continue outer
-			}
-		}
-
-		input, err := obj.computeAuthData(payload, &signature)
-		if err != nil {
-			continue
-		}
-
-		alg := headers.getSignatureAlgorithm()
-		err = verifier.verifyPayload(input, signature.Signature, alg)
-		if err == nil {
-			return i, signature, nil
-		}
-	}
-
-	return -1, Signature{}, ErrCryptoFailure
-}
-
-func (obj JSONWebSignature) headers() []Header {
-	headers := make([]Header, len(obj.Signatures))
-	for i, sig := range obj.Signatures {
-		headers[i] = sig.Header
-	}
-	return headers
-}
diff --git a/vendor/github.com/go-jose/go-jose/v4/symmetric.go b/vendor/github.com/go-jose/go-jose/v4/symmetric.go
deleted file mode 100644
index a69103b084e..00000000000
--- a/vendor/github.com/go-jose/go-jose/v4/symmetric.go
+++ /dev/null
@@ -1,517 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
-	"bytes"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/hmac"
-	"crypto/rand"
-	"crypto/sha256"
-	"crypto/sha512"
-	"crypto/subtle"
-	"errors"
-	"fmt"
-	"hash"
-	"io"
-
-	"golang.org/x/crypto/pbkdf2"
-
-	josecipher "github.com/go-jose/go-jose/v4/cipher"
-)
-
-// RandReader is a cryptographically secure random number generator (stubbed out in tests).
-var RandReader = rand.Reader
-
-const (
-	// RFC7518 recommends a minimum of 1,000 iterations:
-	// 	- https://tools.ietf.org/html/rfc7518#section-4.8.1.2
-	//
-	// NIST recommends a minimum of 10,000:
-	// 	- https://pages.nist.gov/800-63-3/sp800-63b.html
-	//
-	// 1Password increased in 2023 from 100,000 to 650,000:
-	//  - https://support.1password.com/pbkdf2/
-	//
-	// OWASP recommended 600,000 in Dec 2022:
-	//	- https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
-	defaultP2C = 600000
-	// Default salt size: 128 bits
-	defaultP2SSize = 16
-)
-
-// Dummy key cipher for shared symmetric key mode
-type symmetricKeyCipher struct {
-	key []byte // Pre-shared content-encryption key
-	p2c int    // PBES2 Count
-	p2s []byte // PBES2 Salt Input
-}
-
-// Signer/verifier for MAC modes
-type symmetricMac struct {
-	key []byte
-}
-
-// Input/output from an AEAD operation
-type aeadParts struct {
-	iv, ciphertext, tag []byte
-}
-
-// A content cipher based on an AEAD construction
-type aeadContentCipher struct {
-	keyBytes     int
-	authtagBytes int
-	getAead      func(key []byte) (cipher.AEAD, error)
-}
-
-// Random key generator
-type randomKeyGenerator struct {
-	size int
-}
-
-// Static key generator
-type staticKeyGenerator struct {
-	key []byte
-}
-
-// Create a new content cipher based on AES-GCM
-func newAESGCM(keySize int) contentCipher {
-	return &aeadContentCipher{
-		keyBytes:     keySize,
-		authtagBytes: 16,
-		getAead: func(key []byte) (cipher.AEAD, error) {
-			aes, err := aes.NewCipher(key)
-			if err != nil {
-				return nil, err
-			}
-
-			return cipher.NewGCM(aes)
-		},
-	}
-}
-
-// Create a new content cipher based on AES-CBC+HMAC
-func newAESCBC(keySize int) contentCipher {
-	return &aeadContentCipher{
-		keyBytes:     keySize * 2,
-		authtagBytes: keySize,
-		getAead: func(key []byte) (cipher.AEAD, error) {
-			return josecipher.NewCBCHMAC(key, aes.NewCipher)
-		},
-	}
-}
-
-// Get an AEAD cipher object for the given content encryption algorithm
-func getContentCipher(alg ContentEncryption) contentCipher {
-	switch alg {
-	case A128GCM:
-		return newAESGCM(16)
-	case A192GCM:
-		return newAESGCM(24)
-	case A256GCM:
-		return newAESGCM(32)
-	case A128CBC_HS256:
-		return newAESCBC(16)
-	case A192CBC_HS384:
-		return newAESCBC(24)
-	case A256CBC_HS512:
-		return newAESCBC(32)
-	default:
-		return nil
-	}
-}
-
-// getPbkdf2Params returns the key length and hash function used in
-// pbkdf2.Key.
-func getPbkdf2Params(alg KeyAlgorithm) (int, func() hash.Hash) {
-	switch alg {
-	case PBES2_HS256_A128KW:
-		return 16, sha256.New
-	case PBES2_HS384_A192KW:
-		return 24, sha512.New384
-	case PBES2_HS512_A256KW:
-		return 32, sha512.New
-	default:
-		panic("invalid algorithm")
-	}
-}
-
-// getRandomSalt generates a new salt of the given size.
-func getRandomSalt(size int) ([]byte, error) {
-	salt := make([]byte, size)
-	_, err := io.ReadFull(RandReader, salt)
-	if err != nil {
-		return nil, err
-	}
-
-	return salt, nil
-}
-
-// newSymmetricRecipient creates a JWE encrypter based on AES-GCM key wrap.
-func newSymmetricRecipient(keyAlg KeyAlgorithm, key []byte) (recipientKeyInfo, error) {
-	switch keyAlg {
-	case DIRECT, A128GCMKW, A192GCMKW, A256GCMKW, A128KW, A192KW, A256KW:
-	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
-	default:
-		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	return recipientKeyInfo{
-		keyAlg: keyAlg,
-		keyEncrypter: &symmetricKeyCipher{
-			key: key,
-		},
-	}, nil
-}
-
-// newSymmetricSigner creates a recipientSigInfo based on the given key.
-func newSymmetricSigner(sigAlg SignatureAlgorithm, key []byte) (recipientSigInfo, error) {
-	// Verify that key management algorithm is supported by this encrypter
-	switch sigAlg {
-	case HS256, HS384, HS512:
-	default:
-		return recipientSigInfo{}, ErrUnsupportedAlgorithm
-	}
-
-	return recipientSigInfo{
-		sigAlg: sigAlg,
-		signer: &symmetricMac{
-			key: key,
-		},
-	}, nil
-}
-
-// Generate a random key for the given content cipher
-func (ctx randomKeyGenerator) genKey() ([]byte, rawHeader, error) {
-	key := make([]byte, ctx.size)
-	_, err := io.ReadFull(RandReader, key)
-	if err != nil {
-		return nil, rawHeader{}, err
-	}
-
-	return key, rawHeader{}, nil
-}
-
-// Key size for random generator
-func (ctx randomKeyGenerator) keySize() int {
-	return ctx.size
-}
-
-// Generate a static key (for direct mode)
-func (ctx staticKeyGenerator) genKey() ([]byte, rawHeader, error) {
-	cek := make([]byte, len(ctx.key))
-	copy(cek, ctx.key)
-	return cek, rawHeader{}, nil
-}
-
-// Key size for static generator
-func (ctx staticKeyGenerator) keySize() int {
-	return len(ctx.key)
-}
-
-// Get key size for this cipher
-func (ctx aeadContentCipher) keySize() int {
-	return ctx.keyBytes
-}
-
-// Encrypt some data
-func (ctx aeadContentCipher) encrypt(key, aad, pt []byte) (*aeadParts, error) {
-	// Get a new AEAD instance
-	aead, err := ctx.getAead(key)
-	if err != nil {
-		return nil, err
-	}
-
-	// Initialize a new nonce
-	iv := make([]byte, aead.NonceSize())
-	_, err = io.ReadFull(RandReader, iv)
-	if err != nil {
-		return nil, err
-	}
-
-	ciphertextAndTag := aead.Seal(nil, iv, pt, aad)
-	offset := len(ciphertextAndTag) - ctx.authtagBytes
-
-	return &aeadParts{
-		iv:         iv,
-		ciphertext: ciphertextAndTag[:offset],
-		tag:        ciphertextAndTag[offset:],
-	}, nil
-}
-
-// Decrypt some data
-func (ctx aeadContentCipher) decrypt(key, aad []byte, parts *aeadParts) ([]byte, error) {
-	aead, err := ctx.getAead(key)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(parts.iv) != aead.NonceSize() || len(parts.tag) < ctx.authtagBytes {
-		return nil, ErrCryptoFailure
-	}
-
-	return aead.Open(nil, parts.iv, append(parts.ciphertext, parts.tag...), aad)
-}
-
-// Encrypt the content encryption key.
-func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
-	switch alg {
-	case DIRECT:
-		return recipientInfo{
-			header: &rawHeader{},
-		}, nil
-	case A128GCMKW, A192GCMKW, A256GCMKW:
-		aead := newAESGCM(len(ctx.key))
-
-		parts, err := aead.encrypt(ctx.key, []byte{}, cek)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		header := &rawHeader{}
-
-		if err = header.set(headerIV, newBuffer(parts.iv)); err != nil {
-			return recipientInfo{}, err
-		}
-
-		if err = header.set(headerTag, newBuffer(parts.tag)); err != nil {
-			return recipientInfo{}, err
-		}
-
-		return recipientInfo{
-			header:       header,
-			encryptedKey: parts.ciphertext,
-		}, nil
-	case A128KW, A192KW, A256KW:
-		block, err := aes.NewCipher(ctx.key)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		jek, err := josecipher.KeyWrap(block, cek)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		return recipientInfo{
-			encryptedKey: jek,
-			header:       &rawHeader{},
-		}, nil
-	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
-		if len(ctx.p2s) == 0 {
-			salt, err := getRandomSalt(defaultP2SSize)
-			if err != nil {
-				return recipientInfo{}, err
-			}
-			ctx.p2s = salt
-		}
-
-		if ctx.p2c <= 0 {
-			ctx.p2c = defaultP2C
-		}
-
-		// salt is UTF8(Alg) || 0x00 || Salt Input
-		salt := bytes.Join([][]byte{[]byte(alg), ctx.p2s}, []byte{0x00})
-
-		// derive key
-		keyLen, h := getPbkdf2Params(alg)
-		key := pbkdf2.Key(ctx.key, salt, ctx.p2c, keyLen, h)
-
-		// use AES cipher with derived key
-		block, err := aes.NewCipher(key)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		jek, err := josecipher.KeyWrap(block, cek)
-		if err != nil {
-			return recipientInfo{}, err
-		}
-
-		header := &rawHeader{}
-
-		if err = header.set(headerP2C, ctx.p2c); err != nil {
-			return recipientInfo{}, err
-		}
-
-		if err = header.set(headerP2S, newBuffer(ctx.p2s)); err != nil {
-			return recipientInfo{}, err
-		}
-
-		return recipientInfo{
-			encryptedKey: jek,
-			header:       header,
-		}, nil
-	}
-
-	return recipientInfo{}, ErrUnsupportedAlgorithm
-}
-
-// Decrypt the content encryption key.
-func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
-	switch headers.getAlgorithm() {
-	case DIRECT:
-		cek := make([]byte, len(ctx.key))
-		copy(cek, ctx.key)
-		return cek, nil
-	case A128GCMKW, A192GCMKW, A256GCMKW:
-		aead := newAESGCM(len(ctx.key))
-
-		iv, err := headers.getIV()
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid IV: %v", err)
-		}
-		tag, err := headers.getTag()
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid tag: %v", err)
-		}
-
-		parts := &aeadParts{
-			iv:         iv.bytes(),
-			ciphertext: recipient.encryptedKey,
-			tag:        tag.bytes(),
-		}
-
-		cek, err := aead.decrypt(ctx.key, []byte{}, parts)
-		if err != nil {
-			return nil, err
-		}
-
-		return cek, nil
-	case A128KW, A192KW, A256KW:
-		block, err := aes.NewCipher(ctx.key)
-		if err != nil {
-			return nil, err
-		}
-
-		cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
-		if err != nil {
-			return nil, err
-		}
-		return cek, nil
-	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
-		p2s, err := headers.getP2S()
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: %v", err)
-		}
-		if p2s == nil || len(p2s.data) == 0 {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: must be present")
-		}
-
-		p2c, err := headers.getP2C()
-		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: %v", err)
-		}
-		if p2c <= 0 {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: must be a positive integer")
-		}
-		if p2c > 1000000 {
-			// An unauthenticated attacker can set a high P2C value. Set an upper limit to avoid
-			// DoS attacks.
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: too high")
-		}
-
-		// salt is UTF8(Alg) || 0x00 || Salt Input
-		alg := headers.getAlgorithm()
-		salt := bytes.Join([][]byte{[]byte(alg), p2s.bytes()}, []byte{0x00})
-
-		// derive key
-		keyLen, h := getPbkdf2Params(alg)
-		key := pbkdf2.Key(ctx.key, salt, p2c, keyLen, h)
-
-		// use AES cipher with derived key
-		block, err := aes.NewCipher(key)
-		if err != nil {
-			return nil, err
-		}
-
-		cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
-		if err != nil {
-			return nil, err
-		}
-		return cek, nil
-	}
-
-	return nil, ErrUnsupportedAlgorithm
-}
-
-// Sign the given payload
-func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
-	mac, err := ctx.hmac(payload, alg)
-	if err != nil {
-		return Signature{}, err
-	}
-
-	return Signature{
-		Signature: mac,
-		protected: &rawHeader{},
-	}, nil
-}
-
-// Verify the given payload
-func (ctx symmetricMac) verifyPayload(payload []byte, mac []byte, alg SignatureAlgorithm) error {
-	expected, err := ctx.hmac(payload, alg)
-	if err != nil {
-		return errors.New("go-jose/go-jose: failed to compute hmac")
-	}
-
-	if len(mac) != len(expected) {
-		return errors.New("go-jose/go-jose: invalid hmac")
-	}
-
-	match := subtle.ConstantTimeCompare(mac, expected)
-	if match != 1 {
-		return errors.New("go-jose/go-jose: invalid hmac")
-	}
-
-	return nil
-}
-
-// Compute the HMAC based on the given alg value
-func (ctx symmetricMac) hmac(payload []byte, alg SignatureAlgorithm) ([]byte, error) {
-	var hash func() hash.Hash
-
-	// https://datatracker.ietf.org/doc/html/rfc7518#section-3.2
-	// A key of the same size as the hash output (for instance, 256 bits for
-	// "HS256") or larger MUST be used
-	switch alg {
-	case HS256:
-		if len(ctx.key)*8 < 256 {
-			return nil, ErrInvalidKeySize
-		}
-		hash = sha256.New
-	case HS384:
-		if len(ctx.key)*8 < 384 {
-			return nil, ErrInvalidKeySize
-		}
-		hash = sha512.New384
-	case HS512:
-		if len(ctx.key)*8 < 512 {
-			return nil, ErrInvalidKeySize
-		}
-		hash = sha512.New
-	default:
-		return nil, ErrUnsupportedAlgorithm
-	}
-
-	hmac := hmac.New(hash, ctx.key)
-
-	// According to documentation, Write() on hash never fails
-	_, _ = hmac.Write(payload)
-	return hmac.Sum(nil), nil
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/LICENSE b/vendor/github.com/spiffe/go-spiffe/v2/LICENSE
deleted file mode 100644
index 261eeb9e9f8..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/LICENSE
+++ /dev/null
@@ -1,201 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go
deleted file mode 100644
index ebd3cacd47b..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/bundle.go
+++ /dev/null
@@ -1,200 +0,0 @@
-package jwtbundle
-
-import (
-	"crypto"
-	"encoding/json"
-	"errors"
-	"io"
-	"os"
-	"sync"
-
-	"github.com/go-jose/go-jose/v4"
-	"github.com/spiffe/go-spiffe/v2/internal/jwtutil"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/zeebo/errs"
-)
-
-var jwtbundleErr = errs.Class("jwtbundle")
-
-// Bundle is a collection of trusted JWT authorities for a trust domain.
-type Bundle struct {
-	trustDomain spiffeid.TrustDomain
-
-	mtx            sync.RWMutex
-	jwtAuthorities map[string]crypto.PublicKey
-}
-
-// New creates a new bundle.
-func New(trustDomain spiffeid.TrustDomain) *Bundle {
-	return &Bundle{
-		trustDomain:    trustDomain,
-		jwtAuthorities: make(map[string]crypto.PublicKey),
-	}
-}
-
-// FromJWTAuthorities creates a new bundle from JWT authorities
-func FromJWTAuthorities(trustDomain spiffeid.TrustDomain, jwtAuthorities map[string]crypto.PublicKey) *Bundle {
-	return &Bundle{
-		trustDomain:    trustDomain,
-		jwtAuthorities: jwtutil.CopyJWTAuthorities(jwtAuthorities),
-	}
-}
-
-// Load loads a bundle from a file on disk. The file must contain a standard RFC 7517 JWKS document.
-func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) {
-	bundleBytes, err := os.ReadFile(path)
-	if err != nil {
-		return nil, jwtbundleErr.New("unable to read JWT bundle: %w", err)
-	}
-
-	return Parse(trustDomain, bundleBytes)
-}
-
-// Read decodes a bundle from a reader. The contents must contain a standard RFC 7517 JWKS document.
-func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) {
-	b, err := io.ReadAll(r)
-	if err != nil {
-		return nil, jwtbundleErr.New("unable to read: %v", err)
-	}
-
-	return Parse(trustDomain, b)
-}
-
-// Parse parses a bundle from bytes. The data must be a standard RFC 7517 JWKS document.
-func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error) {
-	jwks := new(jose.JSONWebKeySet)
-	if err := json.Unmarshal(bundleBytes, jwks); err != nil {
-		return nil, jwtbundleErr.New("unable to parse JWKS: %v", err)
-	}
-
-	bundle := New(trustDomain)
-	for i, key := range jwks.Keys {
-		if err := bundle.AddJWTAuthority(key.KeyID, key.Key); err != nil {
-			return nil, jwtbundleErr.New("error adding authority %d of JWKS: %v", i, errors.Unwrap(err))
-		}
-	}
-
-	return bundle, nil
-}
-
-// TrustDomain returns the trust domain that the bundle belongs to.
-func (b *Bundle) TrustDomain() spiffeid.TrustDomain {
-	return b.trustDomain
-}
-
-// JWTAuthorities returns the JWT authorities in the bundle, keyed by key ID.
-func (b *Bundle) JWTAuthorities() map[string]crypto.PublicKey {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	return jwtutil.CopyJWTAuthorities(b.jwtAuthorities)
-}
-
-// FindJWTAuthority finds the JWT authority with the given key ID from the bundle. If the authority
-// is found, it is returned and the boolean is true. Otherwise, the returned
-// value is nil and the boolean is false.
-func (b *Bundle) FindJWTAuthority(keyID string) (crypto.PublicKey, bool) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	if jwtAuthority, ok := b.jwtAuthorities[keyID]; ok {
-		return jwtAuthority, true
-	}
-	return nil, false
-}
-
-// HasJWTAuthority returns true if the bundle has a JWT authority with the given key ID.
-func (b *Bundle) HasJWTAuthority(keyID string) bool {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	_, ok := b.jwtAuthorities[keyID]
-	return ok
-}
-
-// AddJWTAuthority adds a JWT authority to the bundle. If a JWT authority already exists
-// under the given key ID, it is replaced. A key ID must be specified.
-func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error {
-	if keyID == "" {
-		return jwtbundleErr.New("keyID cannot be empty")
-	}
-
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.jwtAuthorities[keyID] = jwtAuthority
-	return nil
-}
-
-// RemoveJWTAuthority removes the JWT authority identified by the key ID from the bundle.
-func (b *Bundle) RemoveJWTAuthority(keyID string) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	delete(b.jwtAuthorities, keyID)
-}
-
-// SetJWTAuthorities sets the JWT authorities in the bundle.
-func (b *Bundle) SetJWTAuthorities(jwtAuthorities map[string]crypto.PublicKey) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.jwtAuthorities = jwtutil.CopyJWTAuthorities(jwtAuthorities)
-}
-
-// Empty returns true if the bundle has no JWT authorities.
-func (b *Bundle) Empty() bool {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	return len(b.jwtAuthorities) == 0
-}
-
-// Marshal marshals the JWT bundle into a standard RFC 7517 JWKS document. The
-// JWKS does not contain any SPIFFE-specific parameters.
-func (b *Bundle) Marshal() ([]byte, error) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	jwks := jose.JSONWebKeySet{}
-	for keyID, jwtAuthority := range b.jwtAuthorities {
-		jwks.Keys = append(jwks.Keys, jose.JSONWebKey{
-			Key:   jwtAuthority,
-			KeyID: keyID,
-		})
-	}
-
-	return json.Marshal(jwks)
-}
-
-// Clone clones the bundle.
-func (b *Bundle) Clone() *Bundle {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	return FromJWTAuthorities(b.trustDomain, b.jwtAuthorities)
-}
-
-// Equal compares the bundle for equality against the given bundle.
-func (b *Bundle) Equal(other *Bundle) bool {
-	if b == nil || other == nil {
-		return b == other
-	}
-
-	return b.trustDomain == other.trustDomain &&
-		jwtutil.JWTAuthoritiesEqual(b.jwtAuthorities, other.jwtAuthorities)
-}
-
-// GetJWTBundleForTrustDomain returns the JWT bundle for the given trust
-// domain. It implements the Source interface. An error will be returned if
-// the trust domain does not match that of the bundle.
-func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	if b.trustDomain != trustDomain {
-		return nil, jwtbundleErr.New("no JWT bundle for trust domain %q", trustDomain)
-	}
-
-	return b, nil
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/doc.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/doc.go
deleted file mode 100644
index 394878e1b2a..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/doc.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Package jwtbundle provides JWT bundle related functionality.
-//
-// A bundle represents a collection of JWT authorities, i.e., those that
-// are used to authenticate SPIFFE JWT-SVIDs.
-//
-// You can create a new bundle for a specific trust domain:
-//
-//	td := spiffeid.RequireTrustDomainFromString("example.org")
-//	bundle := jwtbundle.New(td)
-//
-// Or you can load it from disk:
-//
-//	td := spiffeid.RequireTrustDomainFromString("example.org")
-//	bundle := jwtbundle.Load(td, "bundle.jwks")
-//
-// The bundle can be initialized with JWT authorities:
-//
-//	td := spiffeid.RequireTrustDomainFromString("example.org")
-//	var jwtAuthorities map[string]crypto.PublicKey = ...
-//	bundle := jwtbundle.FromJWTAuthorities(td, jwtAuthorities)
-//
-// In addition, you can add JWT authorities to the bundle:
-//
-//	var keyID string = ...
-//	var publicKey crypto.PublicKey = ...
-//	bundle.AddJWTAuthority(keyID, publicKey)
-//
-// Bundles can be organized into a set, keyed by trust domain:
-//
-//	set := jwtbundle.NewSet()
-//	set.Add(bundle)
-//
-// A Source is source of JWT bundles for a trust domain. Both the Bundle
-// and Set types implement Source:
-//
-//	// Initialize the source from a bundle or set
-//	var source jwtbundle.Source = bundle
-//	// ... or ...
-//	var source jwtbundle.Source = set
-//
-//	// Use the source to query for bundles by trust domain
-//	bundle, err := source.GetJWTBundleForTrustDomain(td)
-package jwtbundle
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/set.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/set.go
deleted file mode 100644
index 048dd0d8a8a..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/set.go
+++ /dev/null
@@ -1,105 +0,0 @@
-package jwtbundle
-
-import (
-	"sort"
-	"sync"
-
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
-)
-
-// Set is a set of bundles, keyed by trust domain.
-type Set struct {
-	mtx     sync.RWMutex
-	bundles map[spiffeid.TrustDomain]*Bundle
-}
-
-// NewSet creates a new set initialized with the given bundles.
-func NewSet(bundles ...*Bundle) *Set {
-	bundlesMap := make(map[spiffeid.TrustDomain]*Bundle)
-
-	for _, b := range bundles {
-		if b != nil {
-			bundlesMap[b.trustDomain] = b
-		}
-	}
-
-	return &Set{
-		bundles: bundlesMap,
-	}
-}
-
-// Add adds a new bundle into the set. If a bundle already exists for the
-// trust domain, the existing bundle is replaced.
-func (s *Set) Add(bundle *Bundle) {
-	s.mtx.Lock()
-	defer s.mtx.Unlock()
-
-	if bundle != nil {
-		s.bundles[bundle.trustDomain] = bundle
-	}
-}
-
-// Remove removes the bundle for the given trust domain.
-func (s *Set) Remove(trustDomain spiffeid.TrustDomain) {
-	s.mtx.Lock()
-	defer s.mtx.Unlock()
-
-	delete(s.bundles, trustDomain)
-}
-
-// Has returns true if there is a bundle for the given trust domain.
-func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	_, ok := s.bundles[trustDomain]
-	return ok
-}
-
-// Get returns a bundle for the given trust domain. If the bundle is in the set
-// it is returned and the boolean is true. Otherwise, the returned value is
-// nil and the boolean is false.
-func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool) {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	bundle, ok := s.bundles[trustDomain]
-	return bundle, ok
-}
-
-// Bundles returns the bundles in the set sorted by trust domain.
-func (s *Set) Bundles() []*Bundle {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	out := make([]*Bundle, 0, len(s.bundles))
-	for _, bundle := range s.bundles {
-		out = append(out, bundle)
-	}
-	sort.Slice(out, func(a, b int) bool {
-		return out[a].TrustDomain().Compare(out[b].TrustDomain()) < 0
-	})
-	return out
-}
-
-// Len returns the number of bundles in the set.
-func (s *Set) Len() int {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	return len(s.bundles)
-}
-
-// GetJWTBundleForTrustDomain returns the JWT bundle for the given trust
-// domain. It implements the Source interface.
-func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	bundle, ok := s.bundles[trustDomain]
-	if !ok {
-		return nil, jwtbundleErr.New("no JWT bundle for trust domain %q", trustDomain)
-	}
-
-	return bundle, nil
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/source.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/source.go
deleted file mode 100644
index 224cd9f93ef..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/jwtbundle/source.go
+++ /dev/null
@@ -1,12 +0,0 @@
-package jwtbundle
-
-import (
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
-)
-
-// Source represents a source of JWT bundles keyed by trust domain.
-type Source interface {
-	// GetJWTBundleForTrustDomain returns the JWT bundle for the given trust
-	// domain.
-	GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go
deleted file mode 100644
index 13b103e24cc..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go
+++ /dev/null
@@ -1,485 +0,0 @@
-package spiffebundle
-
-import (
-	"crypto"
-	"crypto/x509"
-	"encoding/json"
-	"errors"
-	"io"
-	"os"
-	"sync"
-	"time"
-
-	"github.com/go-jose/go-jose/v4"
-	"github.com/spiffe/go-spiffe/v2/bundle/jwtbundle"
-	"github.com/spiffe/go-spiffe/v2/bundle/x509bundle"
-	"github.com/spiffe/go-spiffe/v2/internal/jwtutil"
-	"github.com/spiffe/go-spiffe/v2/internal/x509util"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/zeebo/errs"
-)
-
-const (
-	x509SVIDUse = "x509-svid"
-	jwtSVIDUse  = "jwt-svid"
-)
-
-var spiffebundleErr = errs.Class("spiffebundle")
-
-type bundleDoc struct {
-	jose.JSONWebKeySet
-	SequenceNumber *uint64 `json:"spiffe_sequence,omitempty"`
-	RefreshHint    *int64  `json:"spiffe_refresh_hint,omitempty"`
-}
-
-// Bundle is a collection of trusted public key material for a trust domain,
-// conforming to the SPIFFE Bundle Format as part of the SPIFFE Trust Domain
-// and Bundle specification:
-// https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md
-type Bundle struct {
-	trustDomain spiffeid.TrustDomain
-
-	mtx             sync.RWMutex
-	refreshHint     *time.Duration
-	sequenceNumber  *uint64
-	jwtAuthorities  map[string]crypto.PublicKey
-	x509Authorities []*x509.Certificate
-}
-
-// New creates a new bundle.
-func New(trustDomain spiffeid.TrustDomain) *Bundle {
-	return &Bundle{
-		trustDomain:    trustDomain,
-		jwtAuthorities: make(map[string]crypto.PublicKey),
-	}
-}
-
-// Load loads a bundle from a file on disk. The file must contain a JWKS
-// document following the SPIFFE Trust Domain and Bundle specification.
-func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) {
-	bundleBytes, err := os.ReadFile(path)
-	if err != nil {
-		return nil, spiffebundleErr.New("unable to read SPIFFE bundle: %w", err)
-	}
-
-	return Parse(trustDomain, bundleBytes)
-}
-
-// Read decodes a bundle from a reader. The contents must contain a JWKS
-// document following the SPIFFE Trust Domain and Bundle specification.
-func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) {
-	b, err := io.ReadAll(r)
-	if err != nil {
-		return nil, spiffebundleErr.New("unable to read: %v", err)
-	}
-
-	return Parse(trustDomain, b)
-}
-
-// Parse parses a bundle from bytes. The data must be a JWKS document following
-// the SPIFFE Trust Domain and Bundle specification.
-func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error) {
-	jwks := &bundleDoc{}
-	if err := json.Unmarshal(bundleBytes, jwks); err != nil {
-		return nil, spiffebundleErr.New("unable to parse JWKS: %v", err)
-	}
-
-	bundle := New(trustDomain)
-	if jwks.RefreshHint != nil {
-		bundle.SetRefreshHint(time.Second * time.Duration(*jwks.RefreshHint))
-	}
-	if jwks.SequenceNumber != nil {
-		bundle.SetSequenceNumber(*jwks.SequenceNumber)
-	}
-
-	if jwks.Keys == nil {
-		// The parameter keys MUST be present.
-		// https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#413-keys
-		return nil, spiffebundleErr.New("no authorities found")
-	}
-	for i, key := range jwks.Keys {
-		switch key.Use {
-		// Two SVID types are supported: x509-svid and jwt-svid.
-		case x509SVIDUse:
-			if len(key.Certificates) != 1 {
-				return nil, spiffebundleErr.New("expected a single certificate in %s entry %d; got %d", x509SVIDUse, i, len(key.Certificates))
-			}
-			bundle.AddX509Authority(key.Certificates[0])
-		case jwtSVIDUse:
-			if err := bundle.AddJWTAuthority(key.KeyID, key.Key); err != nil {
-				return nil, spiffebundleErr.New("error adding authority %d of JWKS: %v", i, errors.Unwrap(err))
-			}
-		}
-	}
-
-	return bundle, nil
-}
-
-// FromX509Bundle creates a bundle from an X.509 bundle.
-// The function panics in case of a nil X.509 bundle.
-func FromX509Bundle(x509Bundle *x509bundle.Bundle) *Bundle {
-	bundle := New(x509Bundle.TrustDomain())
-	bundle.x509Authorities = x509Bundle.X509Authorities()
-	return bundle
-}
-
-// FromJWTBundle creates a bundle from a JWT bundle.
-// The function panics in case of a nil JWT bundle.
-func FromJWTBundle(jwtBundle *jwtbundle.Bundle) *Bundle {
-	bundle := New(jwtBundle.TrustDomain())
-	bundle.jwtAuthorities = jwtBundle.JWTAuthorities()
-	return bundle
-}
-
-// FromX509Authorities creates a bundle from X.509 certificates.
-func FromX509Authorities(trustDomain spiffeid.TrustDomain, x509Authorities []*x509.Certificate) *Bundle {
-	bundle := New(trustDomain)
-	bundle.x509Authorities = x509util.CopyX509Authorities(x509Authorities)
-	return bundle
-}
-
-// FromJWTAuthorities creates a new bundle from JWT authorities.
-func FromJWTAuthorities(trustDomain spiffeid.TrustDomain, jwtAuthorities map[string]crypto.PublicKey) *Bundle {
-	bundle := New(trustDomain)
-	bundle.jwtAuthorities = jwtutil.CopyJWTAuthorities(jwtAuthorities)
-	return bundle
-}
-
-// TrustDomain returns the trust domain that the bundle belongs to.
-func (b *Bundle) TrustDomain() spiffeid.TrustDomain {
-	return b.trustDomain
-}
-
-// X509Authorities returns the X.509 authorities in the bundle.
-func (b *Bundle) X509Authorities() []*x509.Certificate {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	return x509util.CopyX509Authorities(b.x509Authorities)
-}
-
-// AddX509Authority adds an X.509 authority to the bundle. If the authority already
-// exists in the bundle, the contents of the bundle will remain unchanged.
-func (b *Bundle) AddX509Authority(x509Authority *x509.Certificate) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	for _, r := range b.x509Authorities {
-		if r.Equal(x509Authority) {
-			return
-		}
-	}
-
-	b.x509Authorities = append(b.x509Authorities, x509Authority)
-}
-
-// RemoveX509Authority removes an X.509 authority from the bundle.
-func (b *Bundle) RemoveX509Authority(x509Authority *x509.Certificate) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	for i, r := range b.x509Authorities {
-		if r.Equal(x509Authority) {
-			b.x509Authorities = append(b.x509Authorities[:i], b.x509Authorities[i+1:]...)
-			return
-		}
-	}
-}
-
-// HasX509Authority checks if the given X.509 authority exists in the bundle.
-func (b *Bundle) HasX509Authority(x509Authority *x509.Certificate) bool {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	for _, r := range b.x509Authorities {
-		if r.Equal(x509Authority) {
-			return true
-		}
-	}
-	return false
-}
-
-// SetX509Authorities sets the X.509 authorities in the bundle.
-func (b *Bundle) SetX509Authorities(authorities []*x509.Certificate) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.x509Authorities = x509util.CopyX509Authorities(authorities)
-}
-
-// JWTAuthorities returns the JWT authorities in the bundle, keyed by key ID.
-func (b *Bundle) JWTAuthorities() map[string]crypto.PublicKey {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	return jwtutil.CopyJWTAuthorities(b.jwtAuthorities)
-}
-
-// FindJWTAuthority finds the JWT authority with the given key ID from the bundle. If the authority
-// is found, it is returned and the boolean is true. Otherwise, the returned
-// value is nil and the boolean is false.
-func (b *Bundle) FindJWTAuthority(keyID string) (crypto.PublicKey, bool) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	jwtAuthority, ok := b.jwtAuthorities[keyID]
-	return jwtAuthority, ok
-}
-
-// HasJWTAuthority returns true if the bundle has a JWT authority with the given key ID.
-func (b *Bundle) HasJWTAuthority(keyID string) bool {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	_, ok := b.jwtAuthorities[keyID]
-	return ok
-}
-
-// AddJWTAuthority adds a JWT authority to the bundle. If a JWT authority already exists
-// under the given key ID, it is replaced. A key ID must be specified.
-func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error {
-	if keyID == "" {
-		return spiffebundleErr.New("keyID cannot be empty")
-	}
-
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.jwtAuthorities[keyID] = jwtAuthority
-	return nil
-}
-
-// RemoveJWTAuthority removes the JWT authority identified by the key ID from the bundle.
-func (b *Bundle) RemoveJWTAuthority(keyID string) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	delete(b.jwtAuthorities, keyID)
-}
-
-// SetJWTAuthorities sets the JWT authorities in the bundle.
-func (b *Bundle) SetJWTAuthorities(jwtAuthorities map[string]crypto.PublicKey) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.jwtAuthorities = jwtutil.CopyJWTAuthorities(jwtAuthorities)
-}
-
-// Empty returns true if the bundle has no X.509 and JWT authorities.
-func (b *Bundle) Empty() bool {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	return len(b.x509Authorities) == 0 && len(b.jwtAuthorities) == 0
-}
-
-// RefreshHint returns the refresh hint. If the refresh hint is set in
-// the bundle, it is returned and the boolean is true. Otherwise, the returned
-// value is zero and the boolean is false.
-func (b *Bundle) RefreshHint() (refreshHint time.Duration, ok bool) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	if b.refreshHint != nil {
-		return *b.refreshHint, true
-	}
-	return 0, false
-}
-
-// SetRefreshHint sets the refresh hint. The refresh hint value will be
-// truncated to time.Second.
-func (b *Bundle) SetRefreshHint(refreshHint time.Duration) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.refreshHint = &refreshHint
-}
-
-// ClearRefreshHint clears the refresh hint.
-func (b *Bundle) ClearRefreshHint() {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.refreshHint = nil
-}
-
-// SequenceNumber returns the sequence number. If the sequence number is set in
-// the bundle, it is returned and the boolean is true. Otherwise, the returned
-// value is zero and the boolean is false.
-func (b *Bundle) SequenceNumber() (uint64, bool) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	if b.sequenceNumber != nil {
-		return *b.sequenceNumber, true
-	}
-	return 0, false
-}
-
-// SetSequenceNumber sets the sequence number.
-func (b *Bundle) SetSequenceNumber(sequenceNumber uint64) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.sequenceNumber = &sequenceNumber
-}
-
-// ClearSequenceNumber clears the sequence number.
-func (b *Bundle) ClearSequenceNumber() {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.sequenceNumber = nil
-}
-
-// Marshal marshals the bundle according to the SPIFFE Trust Domain and Bundle
-// specification. The trust domain is not marshaled as part of the bundle and
-// must be conveyed separately. See the specification for details.
-func (b *Bundle) Marshal() ([]byte, error) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	jwks := bundleDoc{}
-	if b.refreshHint != nil {
-		tr := int64((*b.refreshHint + (time.Second - 1)) / time.Second)
-		jwks.RefreshHint = &tr
-	}
-	jwks.SequenceNumber = b.sequenceNumber
-	for _, x509Authority := range b.x509Authorities {
-		jwks.Keys = append(jwks.Keys, jose.JSONWebKey{
-			Key:          x509Authority.PublicKey,
-			Certificates: []*x509.Certificate{x509Authority},
-			Use:          x509SVIDUse,
-		})
-	}
-
-	for keyID, jwtAuthority := range b.jwtAuthorities {
-		jwks.Keys = append(jwks.Keys, jose.JSONWebKey{
-			Key:   jwtAuthority,
-			KeyID: keyID,
-			Use:   jwtSVIDUse,
-		})
-	}
-
-	return json.Marshal(jwks)
-}
-
-// Clone clones the bundle.
-func (b *Bundle) Clone() *Bundle {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	return &Bundle{
-		trustDomain:     b.trustDomain,
-		refreshHint:     copyRefreshHint(b.refreshHint),
-		sequenceNumber:  copySequenceNumber(b.sequenceNumber),
-		x509Authorities: x509util.CopyX509Authorities(b.x509Authorities),
-		jwtAuthorities:  jwtutil.CopyJWTAuthorities(b.jwtAuthorities),
-	}
-}
-
-// X509Bundle returns an X.509 bundle containing the X.509 authorities in the SPIFFE
-// bundle.
-func (b *Bundle) X509Bundle() *x509bundle.Bundle {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	// FromX509Authorities makes a copy, so we can pass our internal slice directly.
-	return x509bundle.FromX509Authorities(b.trustDomain, b.x509Authorities)
-}
-
-// JWTBundle returns a JWT bundle containing the JWT authorities in the SPIFFE bundle.
-func (b *Bundle) JWTBundle() *jwtbundle.Bundle {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	// FromJWTBundle makes a copy, so we can pass our internal slice directly.
-	return jwtbundle.FromJWTAuthorities(b.trustDomain, b.jwtAuthorities)
-}
-
-// GetBundleForTrustDomain returns the SPIFFE bundle for the given trust
-// domain. It implements the Source interface. An error will be returned if the
-// trust domain does not match that of the bundle.
-func (b *Bundle) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	if b.trustDomain != trustDomain {
-		return nil, spiffebundleErr.New("no SPIFFE bundle for trust domain %q", trustDomain)
-	}
-
-	return b, nil
-}
-
-// GetX509BundleForTrustDomain returns the X.509 bundle for the given trust
-// domain. It implements the x509bundle.Source interface. An error will be
-// returned if the trust domain does not match that of the bundle.
-func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*x509bundle.Bundle, error) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	if b.trustDomain != trustDomain {
-		return nil, spiffebundleErr.New("no X.509 bundle for trust domain %q", trustDomain)
-	}
-
-	return b.X509Bundle(), nil
-}
-
-// GetJWTBundleForTrustDomain returns the JWT bundle of the given trust domain.
-// It implements the jwtbundle.Source interface. An error will be returned if
-// the trust domain does not match that of the bundle.
-func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*jwtbundle.Bundle, error) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	if b.trustDomain != trustDomain {
-		return nil, spiffebundleErr.New("no JWT bundle for trust domain %q", trustDomain)
-	}
-
-	return b.JWTBundle(), nil
-}
-
-// Equal compares the bundle for equality against the given bundle.
-func (b *Bundle) Equal(other *Bundle) bool {
-	if b == nil || other == nil {
-		return b == other
-	}
-
-	return b.trustDomain == other.trustDomain &&
-		refreshHintEqual(b.refreshHint, other.refreshHint) &&
-		sequenceNumberEqual(b.sequenceNumber, other.sequenceNumber) &&
-		jwtutil.JWTAuthoritiesEqual(b.jwtAuthorities, other.jwtAuthorities) &&
-		x509util.CertsEqual(b.x509Authorities, other.x509Authorities)
-}
-
-func refreshHintEqual(a, b *time.Duration) bool {
-	if a == nil || b == nil {
-		return a == b
-	}
-
-	return *a == *b
-}
-
-func sequenceNumberEqual(a, b *uint64) bool {
-	if a == nil || b == nil {
-		return a == b
-	}
-
-	return *a == *b
-}
-
-func copyRefreshHint(refreshHint *time.Duration) *time.Duration {
-	if refreshHint == nil {
-		return nil
-	}
-	copied := *refreshHint
-	return &copied
-}
-
-func copySequenceNumber(sequenceNumber *uint64) *uint64 {
-	if sequenceNumber == nil {
-		return nil
-	}
-	copied := *sequenceNumber
-	return &copied
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/doc.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/doc.go
deleted file mode 100644
index db9dcde31f0..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/doc.go
+++ /dev/null
@@ -1,59 +0,0 @@
-// Package spiffebundle provides SPIFFE bundle related functionality.
-//
-// A bundle represents a SPIFFE bundle, a collection authorities for
-// authenticating SVIDs.
-//
-// You can create a new bundle for a specific trust domain:
-//
-//	td := spiffeid.RequireTrustDomainFromString("example.org")
-//	bundle := spiffebundle.New(td)
-//
-// Or you can load it from disk:
-//
-//	td := spiffeid.RequireTrustDomainFromString("example.org")
-//	bundle := spiffebundle.Load(td, "bundle.json")
-//
-// The bundle can be initialized with X.509 or JWT authorities:
-//
-//	td := spiffeid.RequireTrustDomainFromString("example.org")
-//
-//	var x509Authorities []*x509.Certificate = ...
-//	bundle := spiffebundle.FromX509Authorities(td, x509Authorities)
-//	// ... or ...
-//	var jwtAuthorities map[string]crypto.PublicKey = ...
-//	bundle := spiffebundle.FromJWTAuthorities(td, jwtAuthorities)
-//
-// In addition, you can add authorities to the bundle:
-//
-//	var x509CA *x509.Certificate = ...
-//	bundle.AddX509Authority(x509CA)
-//	var keyID string = ...
-//	var publicKey crypto.PublicKey = ...
-//	bundle.AddJWTAuthority(keyID, publicKey)
-//
-// Bundles can be organized into a set, keyed by trust domain:
-//
-//	set := spiffebundle.NewSet()
-//	set.Add(bundle)
-//
-// A Source is source of bundles for a trust domain. Both the
-// Bundle and Set types implement Source:
-//
-//	// Initialize the source from a bundle or set
-//	var source spiffebundle.Source = bundle
-//	// ... or ...
-//	var source spiffebundle.Source = set
-//
-//	// Use the source to query for X.509 bundles by trust domain
-//	bundle, err := source.GetBundleForTrustDomain(td)
-//
-// Additionally the Bundle and Set types also implement the x509bundle.Source and jwtbundle.Source interfaces:
-//
-//	// As an x509bundle.Source...
-//	var source x509bundle.Source = bundle // or set
-//	x509Bundle, err := source.GetX509BundleForTrustDomain(td)
-//
-//	// As a jwtbundle.Source...
-//	var source jwtbundle.Source = bundle // or set
-//	jwtBundle, err := source.GetJWTBundleForTrustDomain(td)
-package spiffebundle
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go
deleted file mode 100644
index 2738135c04a..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go
+++ /dev/null
@@ -1,135 +0,0 @@
-package spiffebundle
-
-import (
-	"sort"
-	"sync"
-
-	"github.com/spiffe/go-spiffe/v2/bundle/jwtbundle"
-	"github.com/spiffe/go-spiffe/v2/bundle/x509bundle"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
-)
-
-// Set is a set of bundles, keyed by trust domain.
-type Set struct {
-	mtx     sync.RWMutex
-	bundles map[spiffeid.TrustDomain]*Bundle
-}
-
-// NewSet creates a new set initialized with the given bundles.
-func NewSet(bundles ...*Bundle) *Set {
-	bundlesMap := make(map[spiffeid.TrustDomain]*Bundle)
-
-	for _, b := range bundles {
-		if b != nil {
-			bundlesMap[b.trustDomain] = b
-		}
-	}
-
-	return &Set{
-		bundles: bundlesMap,
-	}
-}
-
-// Add adds a new bundle into the set. If a bundle already exists for the
-// trust domain, the existing bundle is replaced.
-func (s *Set) Add(bundle *Bundle) {
-	s.mtx.Lock()
-	defer s.mtx.Unlock()
-
-	if bundle != nil {
-		s.bundles[bundle.trustDomain] = bundle
-	}
-}
-
-// Remove removes the bundle for the given trust domain.
-func (s *Set) Remove(trustDomain spiffeid.TrustDomain) {
-	s.mtx.Lock()
-	defer s.mtx.Unlock()
-
-	delete(s.bundles, trustDomain)
-}
-
-// Has returns true if there is a bundle for the given trust domain.
-func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	_, ok := s.bundles[trustDomain]
-	return ok
-}
-
-// Get returns a bundle for the given trust domain. If the bundle is in the set
-// it is returned and the boolean is true. Otherwise, the returned value is
-// nil and the boolean is false.
-func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool) {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	bundle, ok := s.bundles[trustDomain]
-	return bundle, ok
-}
-
-// Bundles returns the bundles in the set sorted by trust domain.
-func (s *Set) Bundles() []*Bundle {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	out := make([]*Bundle, 0, len(s.bundles))
-	for _, bundle := range s.bundles {
-		out = append(out, bundle)
-	}
-	sort.Slice(out, func(a, b int) bool {
-		return out[a].TrustDomain().Compare(out[b].TrustDomain()) < 0
-	})
-	return out
-}
-
-// Len returns the number of bundles in the set.
-func (s *Set) Len() int {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	return len(s.bundles)
-}
-
-// GetBundleForTrustDomain returns the SPIFFE bundle for the given trust
-// domain. It implements the Source interface.
-func (s *Set) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	bundle, ok := s.bundles[trustDomain]
-	if !ok {
-		return nil, spiffebundleErr.New("no SPIFFE bundle for trust domain %q", trustDomain)
-	}
-
-	return bundle, nil
-}
-
-// GetX509BundleForTrustDomain returns the X.509 bundle for the given trust
-// domain. It implements the x509bundle.Source interface.
-func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*x509bundle.Bundle, error) {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	bundle, ok := s.bundles[trustDomain]
-	if !ok {
-		return nil, spiffebundleErr.New("no X.509 bundle for trust domain %q", trustDomain)
-	}
-
-	return bundle.X509Bundle(), nil
-}
-
-// GetJWTBundleForTrustDomain returns the JWT bundle for the given trust
-// domain. It implements the jwtbundle.Source interface.
-func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*jwtbundle.Bundle, error) {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	bundle, ok := s.bundles[trustDomain]
-	if !ok {
-		return nil, spiffebundleErr.New("no JWT bundle for trust domain %q", trustDomain)
-	}
-
-	return bundle.JWTBundle(), nil
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/source.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/source.go
deleted file mode 100644
index f4d37125b48..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/source.go
+++ /dev/null
@@ -1,10 +0,0 @@
-package spiffebundle
-
-import "github.com/spiffe/go-spiffe/v2/spiffeid"
-
-// Source represents a source of SPIFFE bundles keyed by trust domain.
-type Source interface {
-	// GetBundleForTrustDomain returns the SPIFFE bundle for the given trust
-	// domain.
-	GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/bundle.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/bundle.go
deleted file mode 100644
index a70bb62fd70..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/bundle.go
+++ /dev/null
@@ -1,202 +0,0 @@
-package x509bundle
-
-import (
-	"crypto/x509"
-	"io"
-	"os"
-	"sync"
-
-	"github.com/spiffe/go-spiffe/v2/internal/pemutil"
-	"github.com/spiffe/go-spiffe/v2/internal/x509util"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/zeebo/errs"
-)
-
-var x509bundleErr = errs.Class("x509bundle")
-
-// Bundle is a collection of trusted X.509 authorities for a trust domain.
-type Bundle struct {
-	trustDomain spiffeid.TrustDomain
-
-	mtx             sync.RWMutex
-	x509Authorities []*x509.Certificate
-}
-
-// New creates a new bundle.
-func New(trustDomain spiffeid.TrustDomain) *Bundle {
-	return &Bundle{
-		trustDomain: trustDomain,
-	}
-}
-
-// FromX509Authorities creates a bundle from X.509 certificates.
-func FromX509Authorities(trustDomain spiffeid.TrustDomain, authorities []*x509.Certificate) *Bundle {
-	return &Bundle{
-		trustDomain:     trustDomain,
-		x509Authorities: x509util.CopyX509Authorities(authorities),
-	}
-}
-
-// Load loads a bundle from a file on disk. The file must contain PEM-encoded
-// certificate blocks.
-func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) {
-	fileBytes, err := os.ReadFile(path)
-	if err != nil {
-		return nil, x509bundleErr.New("unable to load X.509 bundle file: %w", err)
-	}
-
-	return Parse(trustDomain, fileBytes)
-}
-
-// Read decodes a bundle from a reader. The contents must be PEM-encoded
-// certificate blocks.
-func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) {
-	b, err := io.ReadAll(r)
-	if err != nil {
-		return nil, x509bundleErr.New("unable to read X.509 bundle: %v", err)
-	}
-
-	return Parse(trustDomain, b)
-}
-
-// Parse parses a bundle from bytes. The data must be PEM-encoded certificate
-// blocks.
-func Parse(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error) {
-	bundle := New(trustDomain)
-	if len(b) == 0 {
-		return bundle, nil
-	}
-
-	certs, err := pemutil.ParseCertificates(b)
-	if err != nil {
-		return nil, x509bundleErr.New("cannot parse certificate: %v", err)
-	}
-	for _, cert := range certs {
-		bundle.AddX509Authority(cert)
-	}
-	return bundle, nil
-}
-
-// ParseRaw parses a bundle from bytes. The certificate must be ASN.1 DER (concatenated
-// with no intermediate padding if there are more than one certificate)
-func ParseRaw(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error) {
-	bundle := New(trustDomain)
-	if len(b) == 0 {
-		return bundle, nil
-	}
-
-	certs, err := x509.ParseCertificates(b)
-	if err != nil {
-		return nil, x509bundleErr.New("cannot parse certificate: %v", err)
-	}
-	for _, cert := range certs {
-		bundle.AddX509Authority(cert)
-	}
-	return bundle, nil
-}
-
-// TrustDomain returns the trust domain that the bundle belongs to.
-func (b *Bundle) TrustDomain() spiffeid.TrustDomain {
-	return b.trustDomain
-}
-
-// X509Authorities returns the X.509 x509Authorities in the bundle.
-func (b *Bundle) X509Authorities() []*x509.Certificate {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-	return x509util.CopyX509Authorities(b.x509Authorities)
-}
-
-// AddX509Authority adds an X.509 authority to the bundle. If the authority already
-// exists in the bundle, the contents of the bundle will remain unchanged.
-func (b *Bundle) AddX509Authority(x509Authority *x509.Certificate) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	for _, r := range b.x509Authorities {
-		if r.Equal(x509Authority) {
-			return
-		}
-	}
-
-	b.x509Authorities = append(b.x509Authorities, x509Authority)
-}
-
-// RemoveX509Authority removes an X.509 authority from the bundle.
-func (b *Bundle) RemoveX509Authority(x509Authority *x509.Certificate) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	for i, r := range b.x509Authorities {
-		if r.Equal(x509Authority) {
-			// remove element from slice
-			b.x509Authorities = append(b.x509Authorities[:i], b.x509Authorities[i+1:]...)
-			return
-		}
-	}
-}
-
-// HasX509Authority checks if the given X.509 authority exists in the bundle.
-func (b *Bundle) HasX509Authority(x509Authority *x509.Certificate) bool {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	for _, r := range b.x509Authorities {
-		if r.Equal(x509Authority) {
-			return true
-		}
-	}
-	return false
-}
-
-// SetX509Authorities sets the X.509 authorities in the bundle.
-func (b *Bundle) SetX509Authorities(x509Authorities []*x509.Certificate) {
-	b.mtx.Lock()
-	defer b.mtx.Unlock()
-
-	b.x509Authorities = x509util.CopyX509Authorities(x509Authorities)
-}
-
-// Empty returns true if the bundle has no X.509 x509Authorities.
-func (b *Bundle) Empty() bool {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	return len(b.x509Authorities) == 0
-}
-
-// Marshal marshals the X.509 bundle into PEM-encoded certificate blocks.
-func (b *Bundle) Marshal() ([]byte, error) {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-	return pemutil.EncodeCertificates(b.x509Authorities), nil
-}
-
-// Equal compares the bundle for equality against the given bundle.
-func (b *Bundle) Equal(other *Bundle) bool {
-	if b == nil || other == nil {
-		return b == other
-	}
-
-	return b.trustDomain == other.trustDomain &&
-		x509util.CertsEqual(b.x509Authorities, other.x509Authorities)
-}
-
-// Clone clones the bundle.
-func (b *Bundle) Clone() *Bundle {
-	b.mtx.RLock()
-	defer b.mtx.RUnlock()
-
-	return FromX509Authorities(b.trustDomain, b.x509Authorities)
-}
-
-// GetX509BundleForTrustDomain returns the X.509 bundle for the given trust
-// domain. It implements the Source interface. An error will be
-// returned if the trust domain does not match that of the bundle.
-func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) {
-	if b.trustDomain != trustDomain {
-		return nil, x509bundleErr.New("no X.509 bundle found for trust domain: %q", trustDomain)
-	}
-
-	return b, nil
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/doc.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/doc.go
deleted file mode 100644
index 889554f822a..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/doc.go
+++ /dev/null
@@ -1,42 +0,0 @@
-// Package x509bundle provides X.509 bundle related functionality.
-//
-// A bundle represents a collection of X.509 authorities, i.e., those that
-// are used to authenticate SPIFFE X509-SVIDs.
-//
-// You can create a new bundle for a specific trust domain:
-//
-//	td := spiffeid.RequireTrustDomainFromString("example.org")
-//	bundle := x509bundle.New(td)
-//
-// Or you can load it from disk:
-//
-//	td := spiffeid.RequireTrustDomainFromString("example.org")
-//	bundle := x509bundle.Load(td, "bundle.pem")
-//
-// The bundle can be initialized with X.509 authorities:
-//
-//	td := spiffeid.RequireTrustDomainFromString("example.org")
-//	var x509Authorities []*x509.Certificate = ...
-//	bundle := x509bundle.FromX509Authorities(td, x509Authorities)
-//
-// In addition, you can add X.509 authorities to the bundle:
-//
-//	var x509CA *x509.Certificate = ...
-//	bundle.AddX509Authority(x509CA)
-//
-// Bundles can be organized into a set, keyed by trust domain:
-//
-//	set := x509bundle.NewSet()
-//	set.Add(bundle)
-//
-// A Source is source of X.509 bundles for a trust domain. Both the Bundle
-// and Set types implement Source:
-//
-//	// Initialize the source from a bundle or set
-//	var source x509bundle.Source = bundle
-//	// ... or ...
-//	var source x509bundle.Source = set
-//
-//	// Use the source to query for bundles by trust domain
-//	bundle, err := source.GetX509BundleForTrustDomain(td)
-package x509bundle
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/set.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/set.go
deleted file mode 100644
index 522e2492656..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/set.go
+++ /dev/null
@@ -1,105 +0,0 @@
-package x509bundle
-
-import (
-	"sort"
-	"sync"
-
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
-)
-
-// Set is a set of bundles, keyed by trust domain.
-type Set struct {
-	mtx     sync.RWMutex
-	bundles map[spiffeid.TrustDomain]*Bundle
-}
-
-// NewSet creates a new set initialized with the given bundles.
-func NewSet(bundles ...*Bundle) *Set {
-	bundlesMap := make(map[spiffeid.TrustDomain]*Bundle)
-
-	for _, b := range bundles {
-		if b != nil {
-			bundlesMap[b.trustDomain] = b
-		}
-	}
-
-	return &Set{
-		bundles: bundlesMap,
-	}
-}
-
-// Add adds a new bundle into the set. If a bundle already exists for the
-// trust domain, the existing bundle is replaced.
-func (s *Set) Add(bundle *Bundle) {
-	s.mtx.Lock()
-	defer s.mtx.Unlock()
-
-	if bundle != nil {
-		s.bundles[bundle.trustDomain] = bundle
-	}
-}
-
-// Remove removes the bundle for the given trust domain.
-func (s *Set) Remove(trustDomain spiffeid.TrustDomain) {
-	s.mtx.Lock()
-	defer s.mtx.Unlock()
-
-	delete(s.bundles, trustDomain)
-}
-
-// Has returns true if there is a bundle for the given trust domain.
-func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	_, ok := s.bundles[trustDomain]
-	return ok
-}
-
-// Get returns a bundle for the given trust domain. If the bundle is in the set
-// it is returned and the boolean is true. Otherwise, the returned value is
-// nil and the boolean is false.
-func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool) {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	bundle, ok := s.bundles[trustDomain]
-	return bundle, ok
-}
-
-// Bundles returns the bundles in the set sorted by trust domain.
-func (s *Set) Bundles() []*Bundle {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	out := make([]*Bundle, 0, len(s.bundles))
-	for _, bundle := range s.bundles {
-		out = append(out, bundle)
-	}
-	sort.Slice(out, func(a, b int) bool {
-		return out[a].TrustDomain().Compare(out[b].TrustDomain()) < 0
-	})
-	return out
-}
-
-// Len returns the number of bundles in the set.
-func (s *Set) Len() int {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	return len(s.bundles)
-}
-
-// GetX509BundleForTrustDomain returns the X.509 bundle for the given trust
-// domain. It implements the Source interface.
-func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) {
-	s.mtx.RLock()
-	defer s.mtx.RUnlock()
-
-	bundle, ok := s.bundles[trustDomain]
-	if !ok {
-		return nil, x509bundleErr.New("no X.509 bundle for trust domain %q", trustDomain)
-	}
-
-	return bundle, nil
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/source.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/source.go
deleted file mode 100644
index 22446357bb1..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/x509bundle/source.go
+++ /dev/null
@@ -1,12 +0,0 @@
-package x509bundle
-
-import (
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
-)
-
-// Source represents a source of X.509 bundles keyed by trust domain.
-type Source interface {
-	// GetX509BundleForTrustDomain returns the X.509 bundle for the given trust
-	// domain.
-	GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/internal/cryptoutil/keys.go b/vendor/github.com/spiffe/go-spiffe/v2/internal/cryptoutil/keys.go
deleted file mode 100644
index 8e4e2102267..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/internal/cryptoutil/keys.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package cryptoutil
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/rsa"
-	"fmt"
-)
-
-func PublicKeyEqual(a, b crypto.PublicKey) (bool, error) {
-	switch a := a.(type) {
-	case *rsa.PublicKey:
-		rsaPublicKey, ok := b.(*rsa.PublicKey)
-		return ok && RSAPublicKeyEqual(a, rsaPublicKey), nil
-	case *ecdsa.PublicKey:
-		ecdsaPublicKey, ok := b.(*ecdsa.PublicKey)
-		return ok && ECDSAPublicKeyEqual(a, ecdsaPublicKey), nil
-	case ed25519.PublicKey:
-		ed25519PublicKey, ok := b.(ed25519.PublicKey)
-		return ok && bytes.Equal(a, ed25519PublicKey), nil
-	default:
-		return false, fmt.Errorf("unsupported public key type %T", a)
-	}
-}
-
-func RSAPublicKeyEqual(a, b *rsa.PublicKey) bool {
-	return a.E == b.E && a.N.Cmp(b.N) == 0
-}
-
-func ECDSAPublicKeyEqual(a, b *ecdsa.PublicKey) bool {
-	return a.Curve == b.Curve && a.X.Cmp(b.X) == 0 && a.Y.Cmp(b.Y) == 0
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/internal/jwtutil/util.go b/vendor/github.com/spiffe/go-spiffe/v2/internal/jwtutil/util.go
deleted file mode 100644
index 86052797898..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/internal/jwtutil/util.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package jwtutil
-
-import (
-	"crypto"
-
-	"github.com/spiffe/go-spiffe/v2/internal/cryptoutil"
-)
-
-// CopyJWTAuthorities copies JWT authorities from a map to a new map.
-func CopyJWTAuthorities(jwtAuthorities map[string]crypto.PublicKey) map[string]crypto.PublicKey {
-	copiedJWTAuthorities := make(map[string]crypto.PublicKey)
-	for key, jwtAuthority := range jwtAuthorities {
-		copiedJWTAuthorities[key] = jwtAuthority
-	}
-	return copiedJWTAuthorities
-}
-
-func JWTAuthoritiesEqual(a, b map[string]crypto.PublicKey) bool {
-	if len(a) != len(b) {
-		return false
-	}
-
-	for k, pka := range a {
-		pkb, ok := b[k]
-		if !ok {
-			return false
-		}
-		if equal, _ := cryptoutil.PublicKeyEqual(pka, pkb); !equal {
-			return false
-		}
-	}
-
-	return true
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/internal/pemutil/pem.go b/vendor/github.com/spiffe/go-spiffe/v2/internal/pemutil/pem.go
deleted file mode 100644
index 26617525a31..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/internal/pemutil/pem.go
+++ /dev/null
@@ -1,123 +0,0 @@
-package pemutil
-
-import (
-	"crypto"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
-	"fmt"
-)
-
-const (
-	certType string = "CERTIFICATE"
-	keyType  string = "PRIVATE KEY"
-)
-
-func ParseCertificates(certsBytes []byte) ([]*x509.Certificate, error) {
-	objects, err := parseBlocks(certsBytes, certType)
-	if err != nil {
-		return nil, err
-	}
-
-	certs := []*x509.Certificate{}
-	for _, object := range objects {
-		cert, ok := object.(*x509.Certificate)
-		if !ok {
-			return nil, fmt.Errorf("expected *x509.Certificate; got %T", object)
-		}
-		certs = append(certs, cert)
-	}
-
-	return certs, nil
-}
-
-func ParsePrivateKey(keyBytes []byte) (crypto.PrivateKey, error) {
-	objects, err := parseBlocks(keyBytes, keyType)
-	if err != nil {
-		return nil, err
-	}
-	if len(objects) == 0 {
-		return nil, nil
-	}
-
-	privateKey, ok := objects[0].(crypto.PrivateKey)
-	if !ok {
-		return nil, fmt.Errorf("expected crypto.PrivateKey; got %T", objects[0])
-	}
-	return privateKey, nil
-}
-
-func EncodePKCS8PrivateKey(privateKey interface{}) ([]byte, error) {
-	keyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
-	if err != nil {
-		return nil, err
-	}
-
-	return pem.EncodeToMemory(&pem.Block{
-		Type:  keyType,
-		Bytes: keyBytes,
-	}), nil
-}
-
-func EncodeCertificates(certificates []*x509.Certificate) []byte {
-	pemBytes := []byte{}
-	for _, cert := range certificates {
-		pemBytes = append(pemBytes, pem.EncodeToMemory(&pem.Block{
-			Type:  certType,
-			Bytes: cert.Raw,
-		})...)
-	}
-	return pemBytes
-}
-
-func parseBlocks(blocksBytes []byte, expectedType string) ([]interface{}, error) {
-	objects := []interface{}{}
-	var foundBlocks = false
-	for {
-		if len(blocksBytes) == 0 {
-			if len(objects) == 0 && !foundBlocks {
-				return nil, errors.New("no PEM blocks found")
-			}
-			return objects, nil
-		}
-		object, rest, foundBlock, err := parseBlock(blocksBytes, expectedType)
-		blocksBytes = rest
-		if foundBlock {
-			foundBlocks = true
-		}
-		switch {
-		case err != nil:
-			return nil, err
-		case object != nil:
-			objects = append(objects, object)
-		}
-	}
-}
-
-func parseBlock(pemBytes []byte, pemType string) (interface{}, []byte, bool, error) {
-	pemBlock, rest := pem.Decode(pemBytes)
-	if pemBlock == nil {
-		return nil, nil, false, nil
-	}
-
-	if pemBlock.Type != pemType {
-		return nil, rest, true, nil
-	}
-
-	var object interface{}
-	var err error
-	switch pemType {
-	case certType:
-		object, err = x509.ParseCertificate(pemBlock.Bytes)
-	case keyType:
-		object, err = x509.ParsePKCS8PrivateKey(pemBlock.Bytes)
-	default:
-		err = fmt.Errorf("PEM type not supported: %q", pemType)
-	}
-
-	if err != nil {
-		return nil, nil, false, err
-	}
-
-	return object, rest, true, nil
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/internal/x509util/util.go b/vendor/github.com/spiffe/go-spiffe/v2/internal/x509util/util.go
deleted file mode 100644
index c45288d0f6c..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/internal/x509util/util.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package x509util
-
-import (
-	"crypto/x509"
-)
-
-// NewCertPool returns a new CertPool with the given X.509 certificates
-func NewCertPool(certs []*x509.Certificate) *x509.CertPool {
-	pool := x509.NewCertPool()
-	for _, cert := range certs {
-		pool.AddCert(cert)
-	}
-	return pool
-}
-
-// CopyX509Authorities copies a slice of X.509 certificates to a new slice.
-func CopyX509Authorities(x509Authorities []*x509.Certificate) []*x509.Certificate {
-	copiedX509Authorities := make([]*x509.Certificate, len(x509Authorities))
-	copy(copiedX509Authorities, x509Authorities)
-
-	return copiedX509Authorities
-}
-
-// CertsEqual returns true if the slices of X.509 certificates are equal.
-func CertsEqual(a, b []*x509.Certificate) bool {
-	if len(a) != len(b) {
-		return false
-	}
-
-	for i, cert := range a {
-		if !cert.Equal(b[i]) {
-			return false
-		}
-	}
-
-	return true
-}
-
-func RawCertsFromCerts(certs []*x509.Certificate) [][]byte {
-	rawCerts := make([][]byte, 0, len(certs))
-	for _, cert := range certs {
-		rawCerts = append(rawCerts, cert.Raw)
-	}
-	return rawCerts
-}
-
-func ConcatRawCertsFromCerts(certs []*x509.Certificate) []byte {
-	var rawCerts []byte
-	for _, cert := range certs {
-		rawCerts = append(rawCerts, cert.Raw...)
-	}
-	return rawCerts
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/charset_backcompat_allow.go b/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/charset_backcompat_allow.go
deleted file mode 100644
index 9bd225dfb62..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/charset_backcompat_allow.go
+++ /dev/null
@@ -1,42 +0,0 @@
-//go:build spiffeid_charset_backcompat
-// +build spiffeid_charset_backcompat
-
-package spiffeid
-
-func isBackcompatTrustDomainChar(c uint8) bool {
-	if isSubDelim(c) {
-		return true
-	}
-	switch c {
-	// unreserved
-	case '~':
-		return true
-	default:
-		return false
-	}
-}
-
-func isBackcompatPathChar(c uint8) bool {
-	if isSubDelim(c) {
-		return true
-	}
-	switch c {
-	// unreserved
-	case '~':
-		return true
-	// gen-delims
-	case ':', '[', ']', '@':
-		return true
-	default:
-		return false
-	}
-}
-
-func isSubDelim(c uint8) bool {
-	switch c {
-	case '!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '=':
-		return true
-	default:
-		return false
-	}
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/charset_backcompat_deny.go b/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/charset_backcompat_deny.go
deleted file mode 100644
index 11447473b92..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/charset_backcompat_deny.go
+++ /dev/null
@@ -1,12 +0,0 @@
-//go:build !spiffeid_charset_backcompat
-// +build !spiffeid_charset_backcompat
-
-package spiffeid
-
-func isBackcompatTrustDomainChar(c uint8) bool {
-	return false
-}
-
-func isBackcompatPathChar(c uint8) bool {
-	return false
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/errors.go b/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/errors.go
deleted file mode 100644
index cc9defee140..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/errors.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package spiffeid
-
-import "errors"
-
-var (
-	errBadTrustDomainChar = errors.New("trust domain characters are limited to lowercase letters, numbers, dots, dashes, and underscores")
-	errBadPathSegmentChar = errors.New("path segment characters are limited to letters, numbers, dots, dashes, and underscores")
-	errDotSegment         = errors.New("path cannot contain dot segments")
-	errNoLeadingSlash     = errors.New("path must have a leading slash")
-	errEmpty              = errors.New("cannot be empty")
-	errEmptySegment       = errors.New("path cannot contain empty segments")
-	errMissingTrustDomain = errors.New("trust domain is missing")
-	errTrailingSlash      = errors.New("path cannot have a trailing slash")
-	errWrongScheme        = errors.New("scheme is missing or invalid")
-)
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/id.go b/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/id.go
deleted file mode 100644
index f4e02eee7f8..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/id.go
+++ /dev/null
@@ -1,258 +0,0 @@
-package spiffeid
-
-import (
-	"errors"
-	"fmt"
-	"net/url"
-	"strings"
-)
-
-const (
-	schemePrefix    = "spiffe://"
-	schemePrefixLen = len(schemePrefix)
-)
-
-// FromPath returns a new SPIFFE ID in the given trust domain and with the
-// given path. The supplied path must be a valid absolute path according to the
-// SPIFFE specification.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func FromPath(td TrustDomain, path string) (ID, error) {
-	if err := ValidatePath(path); err != nil {
-		return ID{}, err
-	}
-	return makeID(td, path)
-}
-
-// FromPathf returns a new SPIFFE ID from the formatted path in the given trust
-// domain. The formatted path must be a valid absolute path according to the
-// SPIFFE specification.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func FromPathf(td TrustDomain, format string, args ...interface{}) (ID, error) {
-	path, err := FormatPath(format, args...)
-	if err != nil {
-		return ID{}, err
-	}
-	return makeID(td, path)
-}
-
-// FromSegments returns a new SPIFFE ID in the given trust domain with joined
-// path segments. The path segments must be valid according to the SPIFFE
-// specification and must not contain path separators.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func FromSegments(td TrustDomain, segments ...string) (ID, error) {
-	path, err := JoinPathSegments(segments...)
-	if err != nil {
-		return ID{}, err
-	}
-	return makeID(td, path)
-}
-
-// FromString parses a SPIFFE ID from a string.
-func FromString(id string) (ID, error) {
-	switch {
-	case id == "":
-		return ID{}, errEmpty
-	case !strings.HasPrefix(id, schemePrefix):
-		return ID{}, errWrongScheme
-	}
-
-	pathidx := schemePrefixLen
-	for ; pathidx < len(id); pathidx++ {
-		c := id[pathidx]
-		if c == '/' {
-			break
-		}
-		if !isValidTrustDomainChar(c) {
-			return ID{}, errBadTrustDomainChar
-		}
-	}
-
-	if pathidx == schemePrefixLen {
-		return ID{}, errMissingTrustDomain
-	}
-
-	if err := ValidatePath(id[pathidx:]); err != nil {
-		return ID{}, err
-	}
-
-	return ID{
-		id:      id,
-		pathidx: pathidx,
-	}, nil
-}
-
-// FromStringf parses a SPIFFE ID from a formatted string.
-func FromStringf(format string, args ...interface{}) (ID, error) {
-	return FromString(fmt.Sprintf(format, args...))
-}
-
-// FromURI parses a SPIFFE ID from a URI.
-func FromURI(uri *url.URL) (ID, error) {
-	return FromString(uri.String())
-}
-
-// ID is a SPIFFE ID
-type ID struct {
-	id string
-
-	// pathidx tracks the index to the beginning of the path inside of id. This
-	// is used when extracting the trust domain or path portions of the id.
-	pathidx int
-}
-
-// TrustDomain returns the trust domain of the SPIFFE ID.
-func (id ID) TrustDomain() TrustDomain {
-	if id.IsZero() {
-		return TrustDomain{}
-	}
-	return TrustDomain{name: id.id[schemePrefixLen:id.pathidx]}
-}
-
-// MemberOf returns true if the SPIFFE ID is a member of the given trust domain.
-func (id ID) MemberOf(td TrustDomain) bool {
-	return id.TrustDomain() == td
-}
-
-// Path returns the path of the SPIFFE ID inside the trust domain.
-func (id ID) Path() string {
-	return id.id[id.pathidx:]
-}
-
-// String returns the string representation of the SPIFFE ID, e.g.,
-// "spiffe://example.org/foo/bar".
-func (id ID) String() string {
-	return id.id
-}
-
-// URL returns a URL for SPIFFE ID.
-func (id ID) URL() *url.URL {
-	if id.IsZero() {
-		return &url.URL{}
-	}
-
-	return &url.URL{
-		Scheme: "spiffe",
-		Host:   id.TrustDomain().String(),
-		Path:   id.Path(),
-	}
-}
-
-// IsZero returns true if the SPIFFE ID is the zero value.
-func (id ID) IsZero() bool {
-	return id.id == ""
-}
-
-// AppendPath returns an ID with the appended path. It will fail if called on a
-// zero value. The path to append must be a valid absolute path according to
-// the SPIFFE specification.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func (id ID) AppendPath(path string) (ID, error) {
-	if id.IsZero() {
-		return ID{}, errors.New("cannot append path on a zero ID value")
-	}
-	if err := ValidatePath(path); err != nil {
-		return ID{}, err
-	}
-	id.id += path
-	return id, nil
-}
-
-// AppendPathf returns an ID with the appended formatted path. It will fail if
-// called on a zero value. The formatted path must be a valid absolute path
-// according to the SPIFFE specification.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func (id ID) AppendPathf(format string, args ...interface{}) (ID, error) {
-	if id.IsZero() {
-		return ID{}, errors.New("cannot append path on a zero ID value")
-	}
-	path, err := FormatPath(format, args...)
-	if err != nil {
-		return ID{}, err
-	}
-	id.id += path
-	return id, nil
-}
-
-// AppendSegments returns an ID with the appended joined path segments.  It
-// will fail if called on a zero value. The path segments must be valid
-// according to the SPIFFE specification and must not contain path separators.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func (id ID) AppendSegments(segments ...string) (ID, error) {
-	if id.IsZero() {
-		return ID{}, errors.New("cannot append path segments on a zero ID value")
-	}
-	path, err := JoinPathSegments(segments...)
-	if err != nil {
-		return ID{}, err
-	}
-	id.id += path
-	return id, nil
-}
-
-// Replace path returns an ID with the given path in the same trust domain. It
-// will fail if called on a zero value. The given path must be a valid absolute
-// path according to the SPIFFE specification.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func (id ID) ReplacePath(path string) (ID, error) {
-	if id.IsZero() {
-		return ID{}, errors.New("cannot replace path on a zero ID value")
-	}
-	return FromPath(id.TrustDomain(), path)
-}
-
-// ReplacePathf returns an ID with the formatted path in the same trust domain.
-// It will fail if called on a zero value. The formatted path must be a valid
-// absolute path according to the SPIFFE specification.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func (id ID) ReplacePathf(format string, args ...interface{}) (ID, error) {
-	if id.IsZero() {
-		return ID{}, errors.New("cannot replace path on a zero ID value")
-	}
-	return FromPathf(id.TrustDomain(), format, args...)
-}
-
-// ReplaceSegments returns an ID with the joined path segments in the same
-// trust domain. It will fail if called on a zero value. The path segments must
-// be valid according to the SPIFFE specification and must not contain path
-// separators.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func (id ID) ReplaceSegments(segments ...string) (ID, error) {
-	if id.IsZero() {
-		return ID{}, errors.New("cannot replace path segments on a zero ID value")
-	}
-	return FromSegments(id.TrustDomain(), segments...)
-}
-
-// MarshalText returns a text representation of the ID. If the ID is the zero
-// value, nil is returned.
-func (id ID) MarshalText() ([]byte, error) {
-	if id.IsZero() {
-		return nil, nil
-	}
-	return []byte(id.String()), nil
-}
-
-// UnmarshalText decodes a text representation of the ID. If the text is empty,
-// the ID is set to the zero value.
-func (id *ID) UnmarshalText(text []byte) error {
-	if len(text) == 0 {
-		*id = ID{}
-		return nil
-	}
-	unmarshaled, err := FromString(string(text))
-	if err != nil {
-		return err
-	}
-	*id = unmarshaled
-	return nil
-}
-
-func makeID(td TrustDomain, path string) (ID, error) {
-	if td.IsZero() {
-		return ID{}, errors.New("trust domain is empty")
-	}
-	return ID{
-		id:      schemePrefix + td.name + path,
-		pathidx: schemePrefixLen + len(td.name),
-	}, nil
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/match.go b/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/match.go
deleted file mode 100644
index ae129738071..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/match.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package spiffeid
-
-import "fmt"
-
-// Matcher is used to match a SPIFFE ID.
-type Matcher func(ID) error
-
-// MatchAny matches any SPIFFE ID.
-func MatchAny() Matcher {
-	return Matcher(func(actual ID) error {
-		return nil
-	})
-}
-
-// MatchID matches a specific SPIFFE ID.
-func MatchID(expected ID) Matcher {
-	return Matcher(func(actual ID) error {
-		if actual != expected {
-			return fmt.Errorf("unexpected ID %q", actual)
-		}
-		return nil
-	})
-}
-
-// MatchOneOf matches any SPIFFE ID in the given list of IDs.
-func MatchOneOf(expected ...ID) Matcher {
-	set := make(map[ID]struct{})
-	for _, id := range expected {
-		set[id] = struct{}{}
-	}
-	return Matcher(func(actual ID) error {
-		if _, ok := set[actual]; !ok {
-			return fmt.Errorf("unexpected ID %q", actual)
-		}
-		return nil
-	})
-}
-
-// MatchMemberOf matches any SPIFFE ID in the given trust domain.
-func MatchMemberOf(expected TrustDomain) Matcher {
-	return Matcher(func(actual ID) error {
-		if !actual.MemberOf(expected) {
-			return fmt.Errorf("unexpected trust domain %q", actual.TrustDomain())
-		}
-		return nil
-	})
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/path.go b/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/path.go
deleted file mode 100644
index d65dc8f0129..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/path.go
+++ /dev/null
@@ -1,107 +0,0 @@
-package spiffeid
-
-import (
-	"fmt"
-	"strings"
-)
-
-// FormatPath builds a path by formatting the given formatting string with
-// the given args (i.e. fmt.Sprintf). The resulting path must be valid or
-// an error is returned.
-func FormatPath(format string, args ...interface{}) (string, error) {
-	path := fmt.Sprintf(format, args...)
-	if err := ValidatePath(path); err != nil {
-		return "", err
-	}
-	return path, nil
-}
-
-// JoinPathSegments joins one or more path segments into a slash separated
-// path. Segments cannot contain slashes. The resulting path must be valid or
-// an error is returned. If no segments are provided, an empty string is
-// returned.
-func JoinPathSegments(segments ...string) (string, error) {
-	var builder strings.Builder
-	for _, segment := range segments {
-		if err := ValidatePathSegment(segment); err != nil {
-			return "", err
-		}
-		builder.WriteByte('/')
-		builder.WriteString(segment)
-	}
-	return builder.String(), nil
-}
-
-// ValidatePath validates that a path string is a conformant path for a SPIFFE
-// ID.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func ValidatePath(path string) error {
-	switch {
-	case path == "":
-		return nil
-	case path[0] != '/':
-		return errNoLeadingSlash
-	}
-
-	segmentStart := 0
-	segmentEnd := 0
-	for ; segmentEnd < len(path); segmentEnd++ {
-		c := path[segmentEnd]
-		if c == '/' {
-			switch path[segmentStart:segmentEnd] {
-			case "/":
-				return errEmptySegment
-			case "/.", "/..":
-				return errDotSegment
-			}
-			segmentStart = segmentEnd
-			continue
-		}
-		if !isValidPathSegmentChar(c) {
-			return errBadPathSegmentChar
-		}
-	}
-
-	switch path[segmentStart:segmentEnd] {
-	case "/":
-		return errTrailingSlash
-	case "/.", "/..":
-		return errDotSegment
-	}
-	return nil
-}
-
-// ValidatePathSegment validates that a string is a conformant segment for
-// inclusion in the path for a SPIFFE ID.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#22-path
-func ValidatePathSegment(segment string) error {
-	switch segment {
-	case "":
-		return errEmptySegment
-	case ".", "..":
-		return errDotSegment
-	}
-	for i := 0; i < len(segment); i++ {
-		if !isValidPathSegmentChar(segment[i]) {
-			return errBadPathSegmentChar
-		}
-	}
-	return nil
-}
-
-func isValidPathSegmentChar(c uint8) bool {
-	switch {
-	case c >= 'a' && c <= 'z':
-		return true
-	case c >= 'A' && c <= 'Z':
-		return true
-	case c >= '0' && c <= '9':
-		return true
-	case c == '-', c == '.', c == '_':
-		return true
-	case isBackcompatPathChar(c):
-		return true
-	default:
-		return false
-	}
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/require.go b/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/require.go
deleted file mode 100644
index 798b54c1bbc..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/require.go
+++ /dev/null
@@ -1,103 +0,0 @@
-package spiffeid
-
-import (
-	"net/url"
-)
-
-// RequireFromPath is similar to FromPath except that instead of returning an
-// error on malformed input, it panics. It should only be used when the input
-// is statically verifiable.
-func RequireFromPath(td TrustDomain, path string) ID {
-	id, err := FromPath(td, path)
-	panicOnErr(err)
-	return id
-}
-
-// RequireFromPathf is similar to FromPathf except that instead of returning an
-// error on malformed input, it panics. It should only be used when the input
-// is statically verifiable.
-func RequireFromPathf(td TrustDomain, format string, args ...interface{}) ID {
-	id, err := FromPathf(td, format, args...)
-	panicOnErr(err)
-	return id
-}
-
-// RequireFromSegments is similar to FromSegments except that instead of
-// returning an error on malformed input, it panics. It should only be used
-// when the input is statically verifiable.
-func RequireFromSegments(td TrustDomain, segments ...string) ID {
-	id, err := FromSegments(td, segments...)
-	panicOnErr(err)
-	return id
-}
-
-// RequireFromString is similar to FromString except that instead of returning
-// an error on malformed input, it panics. It should only be used when the
-// input is statically verifiable.
-func RequireFromString(s string) ID {
-	id, err := FromString(s)
-	panicOnErr(err)
-	return id
-}
-
-// RequireFromStringf is similar to FromStringf except that instead of
-// returning an error on malformed input, it panics. It should only be used
-// when the input is statically verifiable.
-func RequireFromStringf(format string, args ...interface{}) ID {
-	id, err := FromStringf(format, args...)
-	panicOnErr(err)
-	return id
-}
-
-// RequireFromURI is similar to FromURI except that instead of returning an
-// error on malformed input, it panics. It should only be used when the input is
-// statically verifiable.
-func RequireFromURI(uri *url.URL) ID {
-	id, err := FromURI(uri)
-	panicOnErr(err)
-	return id
-}
-
-// RequireTrustDomainFromString is similar to TrustDomainFromString except that
-// instead of returning an error on malformed input, it panics. It should only
-// be used when the input is statically verifiable.
-func RequireTrustDomainFromString(s string) TrustDomain {
-	td, err := TrustDomainFromString(s)
-	panicOnErr(err)
-	return td
-}
-
-// RequireTrustDomainFromURI is similar to TrustDomainFromURI except that
-// instead of returning an error on malformed input, it panics. It should only
-// be used when the input is statically verifiable.
-func RequireTrustDomainFromURI(uri *url.URL) TrustDomain {
-	td, err := TrustDomainFromURI(uri)
-	panicOnErr(err)
-	return td
-}
-
-// RequireFormatPath builds a path by formatting the given formatting string
-// with the given args (i.e. fmt.Sprintf). The resulting path must be valid or
-// the function panics. It should only be used when the input is statically
-// verifiable.
-func RequireFormatPath(format string, args ...interface{}) string {
-	path, err := FormatPath(format, args...)
-	panicOnErr(err)
-	return path
-}
-
-// RequireJoinPathSegments joins one or more path segments into a slash separated
-// path. Segments cannot contain slashes. The resulting path must be valid or
-// the function panics. It should only be used when the input is statically
-// verifiable.
-func RequireJoinPathSegments(segments ...string) string {
-	path, err := JoinPathSegments(segments...)
-	panicOnErr(err)
-	return path
-}
-
-func panicOnErr(err error) {
-	if err != nil {
-		panic(err)
-	}
-}
diff --git a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/trustdomain.go b/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/trustdomain.go
deleted file mode 100644
index 467ed5e6c9b..00000000000
--- a/vendor/github.com/spiffe/go-spiffe/v2/spiffeid/trustdomain.go
+++ /dev/null
@@ -1,127 +0,0 @@
-package spiffeid
-
-import (
-	"net/url"
-	"strings"
-)
-
-// TrustDomain represents the trust domain portion of a SPIFFE ID (e.g.
-// example.org).
-type TrustDomain struct {
-	name string
-}
-
-// TrustDomainFromString returns a new TrustDomain from a string. The string
-// can either be a trust domain name (e.g. example.org), or a valid SPIFFE ID
-// URI (e.g. spiffe://example.org), otherwise an error is returned.
-// See https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md#21-trust-domain.
-func TrustDomainFromString(idOrName string) (TrustDomain, error) {
-	switch {
-	case idOrName == "":
-		return TrustDomain{}, errMissingTrustDomain
-	case strings.Contains(idOrName, ":/"):
-		// The ID looks like it has something like a scheme separator, let's
-		// try to parse as an ID. We use :/ instead of :// since the
-		// diagnostics are better for a bad input like spiffe:/trustdomain.
-		id, err := FromString(idOrName)
-		if err != nil {
-			return TrustDomain{}, err
-		}
-		return id.TrustDomain(), nil
-	default:
-		for i := 0; i < len(idOrName); i++ {
-			if !isValidTrustDomainChar(idOrName[i]) {
-				return TrustDomain{}, errBadTrustDomainChar
-			}
-		}
-		return TrustDomain{name: idOrName}, nil
-	}
-}
-
-// TrustDomainFromURI returns a new TrustDomain from a URI. The URI must be a
-// valid SPIFFE ID (see FromURI) or an error is returned. The trust domain is
-// extracted from the host field.
-func TrustDomainFromURI(uri *url.URL) (TrustDomain, error) {
-	id, err := FromURI(uri)
-	if err != nil {
-		return TrustDomain{}, err
-	}
-
-	return id.TrustDomain(), nil
-}
-
-// Name returns the trust domain name as a string, e.g. example.org.
-func (td TrustDomain) Name() string {
-	return td.name
-}
-
-// String returns the trust domain name as a string, e.g. example.org.
-func (td TrustDomain) String() string {
-	return td.name
-}
-
-// ID returns the SPIFFE ID of the trust domain.
-func (td TrustDomain) ID() ID {
-	if id, err := makeID(td, ""); err == nil {
-		return id
-	}
-	return ID{}
-}
-
-// IDString returns a string representation of the the SPIFFE ID of the trust
-// domain, e.g. "spiffe://example.org".
-func (td TrustDomain) IDString() string {
-	return td.ID().String()
-}
-
-// IsZero returns true if the trust domain is the zero value.
-func (td TrustDomain) IsZero() bool {
-	return td.name == ""
-}
-
-// Compare returns an integer comparing the trust domain to another
-// lexicographically. The result will be 0 if td==other, -1 if td < other, and
-// +1 if td > other.
-func (td TrustDomain) Compare(other TrustDomain) int {
-	return strings.Compare(td.name, other.name)
-}
-
-// MarshalText returns a text representation of the trust domain. If the trust
-// domain is the zero value, nil is returned.
-func (td TrustDomain) MarshalText() ([]byte, error) {
-	if td.IsZero() {
-		return nil, nil
-	}
-	return []byte(td.String()), nil
-}
-
-// UnmarshalText decodes a text representation of the trust domain. If the text
-// is empty, the trust domain is set to the zero value.
-func (td *TrustDomain) UnmarshalText(text []byte) error {
-	if len(text) == 0 {
-		*td = TrustDomain{}
-		return nil
-	}
-
-	unmarshaled, err := TrustDomainFromString(string(text))
-	if err != nil {
-		return err
-	}
-	*td = unmarshaled
-	return nil
-}
-
-func isValidTrustDomainChar(c uint8) bool {
-	switch {
-	case c >= 'a' && c <= 'z':
-		return true
-	case c >= '0' && c <= '9':
-		return true
-	case c == '-', c == '.', c == '_':
-		return true
-	case isBackcompatTrustDomainChar(c):
-		return true
-	default:
-		return false
-	}
-}
diff --git a/vendor/github.com/zeebo/errs/.gitignore b/vendor/github.com/zeebo/errs/.gitignore
deleted file mode 100644
index 722d5e71d93..00000000000
--- a/vendor/github.com/zeebo/errs/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.vscode
diff --git a/vendor/github.com/zeebo/errs/AUTHORS b/vendor/github.com/zeebo/errs/AUTHORS
deleted file mode 100644
index 6246e7403d5..00000000000
--- a/vendor/github.com/zeebo/errs/AUTHORS
+++ /dev/null
@@ -1,5 +0,0 @@
-Egon Elbre <github.com/egonelbre>
-Jeff Wendling <leterip@gmail.com>
-JT Olio <github.com/jtolds>
-Kaloyan Raev <github.com/kaloyan-raev>
-paul cannon <github.com/thepaul>
diff --git a/vendor/github.com/zeebo/errs/LICENSE b/vendor/github.com/zeebo/errs/LICENSE
deleted file mode 100644
index 3ba91930ed2..00000000000
--- a/vendor/github.com/zeebo/errs/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2017 The Authors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff --git a/vendor/github.com/zeebo/errs/README.md b/vendor/github.com/zeebo/errs/README.md
deleted file mode 100644
index 0f72bf7b012..00000000000
--- a/vendor/github.com/zeebo/errs/README.md
+++ /dev/null
@@ -1,235 +0,0 @@
-# errs
-
-[![GoDoc](https://godoc.org/github.com/zeebo/errs?status.svg)](https://godoc.org/github.com/zeebo/errs)
-[![Sourcegraph](https://sourcegraph.com/github.com/zeebo/errs/-/badge.svg)](https://sourcegraph.com/github.com/zeebo/errs?badge)
-[![Go Report Card](https://goreportcard.com/badge/github.com/zeebo/errs)](https://goreportcard.com/report/github.com/zeebo/errs)
-
-errs is a package for making errors friendly and easy.
-
-### Creating Errors
-
-The easiest way to use it, is to use the package level [New][New] function.
-It's much like `fmt.Errorf`, but better. For example:
-
-```go
-func checkThing() error {
-	return errs.New("what's up with %q?", "zeebo")
-}
-```
-
-Why is it better? Errors come with a stack trace that is only printed
-when a `"+"` character is used in the format string. This should retain the
-benefits of being able to diagnose where and why errors happen, without all of
-the noise of printing a stack trace in every situation. For example:
-
-```go
-func doSomeRealWork() {
-	err := checkThing()
-	if err != nil {
-		fmt.Printf("%+v\n", err) // contains stack trace if it's a errs error.
-		fmt.Printf("%v\n", err)  // does not contain a stack trace
-		return
-	}
-}
-```
-
-### Error Classes
-
-You can create a [Class][Class] of errors and check if any error was created by
-that class. The class name is prefixed to all of the errors it creates. For example:
-
-```go
-var Unauthorized = errs.Class("unauthorized")
-
-func checkUser(username, password string) error {
-	if username != "zeebo" {
-		return Unauthorized.New("who is %q?", username)
-	}
-	if password != "hunter2" {
-		return Unauthorized.New("that's not a good password, jerkmo!")
-	}
-	return nil
-}
-
-func handleRequest() {
-	if err := checkUser("zeebo", "hunter3"); Unauthorized.Has(err) {
-		fmt.Println(err)
-	}
-
-	// output:
-	// unauthorized: that's not a good password, jerkmo!
-}
-```
-
-Classes can also [Wrap][ClassWrap] other errors, and errors may be wrapped
-multiple times. For example:
-
-```go
-var (
-	Error        = errs.Class("mypackage")
-	Unauthorized = errs.Class("unauthorized")
-)
-
-func deep3() error {
-	return fmt.Errorf("ouch")
-}
-
-func deep2() error {
-	return Unauthorized.Wrap(deep3())
-}
-
-func deep1() error {
-	return Error.Wrap(deep2())
-}
-
-func deep() {
-	fmt.Println(deep1())
-
-	// output:
-	// mypackage: unauthorized: ouch
-}
-```
-
-In the above example, both `Error.Has(deep1())` and `Unauthorized.Has(deep1())`
-would return `true`, and the stack trace would only be recorded once at the
-`deep2` call.
-
-In addition, when an error has been wrapped, wrapping it again with the same class will
-not do anything. For example:
-
-```go
-func doubleWrap() {
-	fmt.Println(Error.Wrap(Error.New("foo")))
-
-	// output:
-	// mypackage: foo
-}
-```
-
-This is to make it an easier decision if you should wrap or not (you should).
-
-### Utilities
-
-[Classes][Classes] is a helper function to get a slice of classes that an error
-has. The latest wrap is first in the slice. For example:
-
-```go
-func getClasses() {
-	classes := errs.Classes(deep1())
-	fmt.Println(classes[0] == &Error)
-	fmt.Println(classes[1] == &Unauthorized)
-
-	// output:
-	// true
-	// true
-}
-```
-
-Finally, a helper function, [Unwrap][Unwrap] is provided to get the
-wrapped error in cases where you might want to inspect details. For
-example:
-
-```go
-var Error = errs.Class("mypackage")
-
-func getHandle() (*os.File, error) {
-	fh, err := os.Open("neat_things")
-	if err != nil {
-		return nil, Error.Wrap(err)
-	}
-	return fh, nil
-}
-
-func checkForNeatThings() {
-	fh, err := getHandle()
-	if os.IsNotExist(errs.Unwrap(err)) {
-		panic("no neat things?!")
-	}
-	if err != nil {
-		panic("phew, at least there are neat things, even if i can't see them")
-	}
-	fh.Close()
-}
-```
-
-It knows about both the `Unwrap() error` and `Unwrap() []error` methods that are
-often used in the community, and will call them as many times as possible.
-
-### Defer
-
-The package also provides [WrapP][WrapP] versions of [Wrap][Wrap] that are useful
-in defer contexts. For example:
-
-```go
-func checkDefer() (err error) {
-	defer Error.WrapP(&err)
-
-	fh, err := os.Open("secret_stash")
-	if err != nil {
-		return nil, err
-	}
-	return fh.Close()
-}
-```
-
-### Groups
-
-[Groups][Group] allow one to collect a set of errors. For example:
-
-```go
-func tonsOfErrors() error {
-	var group errs.Group
-	for _, work := range someWork {
-		group.Add(maybeErrors(work))
-	}
-	return group.Err()
-}
-```
-
-Some things to note:
-
-- The [Add][GroupAdd] method only adds to the group if the passed in error is non-nil.
-- The [Err][GroupErr] method returns an error only if non-nil errors have been added, and
-  additionally returns just the error if only one error was added. Thus, we always
-  have that if you only call `group.Add(err)`, then `group.Err() == err`.
-
-The returned error will format itself similarly:
-
-```go
-func groupFormat() {
-	var group errs.Group
-	group.Add(errs.New("first"))
-	group.Add(errs.New("second"))
-	err := group.Err()
-
-	fmt.Printf("%v\n", err)
-	fmt.Println()
-	fmt.Printf("%+v\n", err)
-
-	// output:
-	// first; second
-	//
-	// group:
-	// --- first
-	//     ... stack trace
-	// --- second
-	//     ... stack trace
-}
-```
-
-### Contributing
-
-errs is released under an MIT License. If you want to contribute, be sure to
-add yourself to the list in AUTHORS.
-
-[New]: https://godoc.org/github.com/zeebo/errs#New
-[Wrap]: https://godoc.org/github.com/zeebo/errs#Wrap
-[WrapP]: https://godoc.org/github.com/zeebo/errs#WrapP
-[Class]: https://godoc.org/github.com/zeebo/errs#Class
-[ClassNew]: https://godoc.org/github.com/zeebo/errs#Class.New
-[ClassWrap]: https://godoc.org/github.com/zeebo/errs#Class.Wrap
-[Unwrap]: https://godoc.org/github.com/zeebo/errs#Unwrap
-[Classes]: https://godoc.org/github.com/zeebo/errs#Classes
-[Group]: https://godoc.org/github.com/zeebo/errs#Group
-[GroupAdd]: https://godoc.org/github.com/zeebo/errs#Group.Add
-[GroupErr]: https://godoc.org/github.com/zeebo/errs#Group.Err
diff --git a/vendor/github.com/zeebo/errs/errs.go b/vendor/github.com/zeebo/errs/errs.go
deleted file mode 100644
index 9a42e3da87e..00000000000
--- a/vendor/github.com/zeebo/errs/errs.go
+++ /dev/null
@@ -1,298 +0,0 @@
-// Package errs provides a simple error package with stack traces.
-package errs
-
-import (
-	"fmt"
-	"io"
-	"runtime"
-)
-
-// Namer is implemented by all errors returned in this package. It returns a
-// name for the class of error it is, and a boolean indicating if the name is
-// valid.
-type Namer interface{ Name() (string, bool) }
-
-// Causer is implemented by all errors returned in this package. It returns
-// the underlying cause of the error, or nil if there is no underlying cause.
-//
-// Deprecated: check for the 'Unwrap()' interface from the stdlib errors package
-// instead.
-type Causer interface{ Cause() error }
-
-// New returns an error not contained in any class. This is the same as calling
-// fmt.Errorf(...) except it captures a stack trace on creation.
-func New(format string, args ...interface{}) error {
-	return (*Class).create(nil, 3, fmt.Errorf(format, args...))
-}
-
-// Wrap returns an error not contained in any class. It just associates a stack
-// trace with the error. Wrap returns nil if err is nil.
-func Wrap(err error) error {
-	return (*Class).create(nil, 3, err)
-}
-
-// WrapP stores into the error pointer if it contains a non-nil error an error not
-// contained in any class. It just associates a stack trace with the error. WrapP
-// does nothing if the pointer or pointed at error is nil.
-func WrapP(err *error) {
-	if err != nil && *err != nil {
-		*err = (*Class).create(nil, 3, *err)
-	}
-}
-
-// Often, we call Unwrap as much as possible. Since comparing arbitrary
-// interfaces with equality isn't panic safe, we only loop up to 100
-// times to ensure that a poor implementation that causes a cycle does
-// not run forever.
-const maxUnwrap = 100
-
-// Unwrap returns the final, most underlying error, if any, or just the error.
-//
-// Deprecated: Prefer errors.Is() and errors.As().
-func Unwrap(err error) error {
-	for i := 0; err != nil && i < maxUnwrap; i++ {
-		var nerr error
-
-		switch e := err.(type) {
-		case Causer:
-			nerr = e.Cause()
-
-		case interface{ Unwrap() error }:
-			nerr = e.Unwrap()
-
-		case interface{ Ungroup() []error }:
-			// consider the first error to be the "main" error.
-			errs := e.Ungroup()
-			if len(errs) > 0 {
-				nerr = errs[0]
-			}
-		case interface{ Unwrap() []error }:
-			// consider the first error to be the "main" error.
-			errs := e.Unwrap()
-			if len(errs) > 0 {
-				nerr = errs[0]
-			}
-		}
-
-		if nerr == nil {
-			return err
-		}
-		err = nerr
-	}
-
-	return err
-}
-
-// Classes returns all the classes that have wrapped the error.
-func Classes(err error) (classes []*Class) {
-	IsFunc(err, func(err error) bool {
-		if e, ok := err.(*errorT); ok {
-			classes = append(classes, e.class)
-		}
-		return false
-	})
-	return classes
-}
-
-// IsFunc checks if any of the underlying errors matches the func
-func IsFunc(err error, is func(err error) bool) bool {
-	for {
-		if is(err) {
-			return true
-		}
-
-		switch u := err.(type) {
-		case interface{ Unwrap() error }:
-			err = u.Unwrap()
-		case Causer:
-			err = u.Cause()
-
-		case interface{ Ungroup() []error }:
-			for _, err := range u.Ungroup() {
-				if IsFunc(err, is) {
-					return true
-				}
-			}
-			return false
-		case interface{ Unwrap() []error }:
-			for _, err := range u.Unwrap() {
-				if IsFunc(err, is) {
-					return true
-				}
-			}
-			return false
-
-		default:
-			return false
-		}
-	}
-}
-
-//
-// error classes
-//
-
-// Class represents a class of errors. You can construct errors, and check if
-// errors are part of the class.
-type Class string
-
-// Has returns true if the passed in error (or any error wrapped by it) has
-// this class.
-func (c *Class) Has(err error) bool {
-	return IsFunc(err, func(err error) bool {
-		errt, ok := err.(*errorT)
-		return ok && errt.class == c
-	})
-}
-
-// New constructs an error with the format string that will be contained by
-// this class. This is the same as calling Wrap(fmt.Errorf(...)).
-func (c *Class) New(format string, args ...interface{}) error {
-	return c.create(3, fmt.Errorf(format, args...))
-}
-
-// Wrap returns a new error based on the passed in error that is contained in
-// this class. Wrap returns nil if err is nil.
-func (c *Class) Wrap(err error) error {
-	return c.create(3, err)
-}
-
-// WrapP stores into the error pointer if it contains a non-nil error an error contained
-// in this class. WrapP does nothing if the pointer or pointed at error is nil.
-func (c *Class) WrapP(err *error) {
-	if err != nil && *err != nil {
-		*err = c.create(3, *err)
-	}
-}
-
-// Instance creates a class membership object which implements the error
-// interface and allows errors.Is() to check whether given errors are
-// (or contain) an instance of this class.
-//
-// This makes possible a construct like the following:
-//
-//	if errors.Is(err, MyClass.Instance()) {
-//		fmt.Printf("err is an instance of MyClass")
-//	}
-//
-// ..without requiring the Class type to implement the error interface itself,
-// as that would open the door to sundry misunderstandings and misusage.
-func (c *Class) Instance() error {
-	return (*classMembershipChecker)(c)
-}
-
-// create constructs the error, or just adds the class to the error, keeping
-// track of the stack if it needs to construct it.
-func (c *Class) create(depth int, err error) error {
-	if err == nil {
-		return nil
-	}
-
-	var pcs []uintptr
-	if err, ok := err.(*errorT); ok {
-		if c == nil || err.class == c {
-			return err
-		}
-		pcs = err.pcs
-	}
-
-	errt := &errorT{
-		class: c,
-		err:   err,
-		pcs:   pcs,
-	}
-
-	if errt.pcs == nil {
-		errt.pcs = make([]uintptr, 64)
-		n := runtime.Callers(depth, errt.pcs)
-		errt.pcs = errt.pcs[:n:n]
-	}
-
-	return errt
-}
-
-type classMembershipChecker Class
-
-func (cmc *classMembershipChecker) Error() string {
-	panic("classMembershipChecker used as concrete error! don't do that")
-}
-
-//
-// errors
-//
-
-// errorT is the type of errors returned from this package.
-type errorT struct {
-	class *Class
-	err   error
-	pcs   []uintptr
-}
-
-var ( // ensure *errorT implements the helper interfaces.
-	_ Namer  = (*errorT)(nil)
-	_ Causer = (*errorT)(nil)
-	_ error  = (*errorT)(nil)
-)
-
-// Stack returns the pcs for the stack trace associated with the error.
-func (e *errorT) Stack() []uintptr { return e.pcs }
-
-// errorT implements the error interface.
-func (e *errorT) Error() string {
-	return fmt.Sprintf("%v", e)
-}
-
-// Format handles the formatting of the error. Using a "+" on the format string
-// specifier will also write the stack trace.
-func (e *errorT) Format(f fmt.State, c rune) {
-	sep := ""
-	if e.class != nil && *e.class != "" {
-		fmt.Fprintf(f, "%s", string(*e.class))
-		sep = ": "
-	}
-	if text := e.err.Error(); len(text) > 0 {
-		fmt.Fprintf(f, "%s%v", sep, text)
-	}
-	if f.Flag(int('+')) {
-		summarizeStack(f, e.pcs)
-	}
-}
-
-// Cause implements the interface wrapping errors were previously
-// expected to implement to allow getting at underlying causes.
-func (e *errorT) Cause() error {
-	return e.err
-}
-
-// Unwrap returns the immediate underlying error.
-func (e *errorT) Unwrap() error {
-	return e.err
-}
-
-// Name returns the name for the error, which is the first wrapping class.
-func (e *errorT) Name() (string, bool) {
-	if e.class == nil {
-		return "", false
-	}
-	return string(*e.class), true
-}
-
-// Is determines whether an error is an instance of the given error class.
-//
-// Use with (*Class).Instance().
-func (e *errorT) Is(err error) bool {
-	cmc, ok := err.(*classMembershipChecker)
-	return ok && e.class == (*Class)(cmc)
-}
-
-// summarizeStack writes stack line entries to the writer.
-func summarizeStack(w io.Writer, pcs []uintptr) {
-	frames := runtime.CallersFrames(pcs)
-	for {
-		frame, more := frames.Next()
-		if !more {
-			return
-		}
-		fmt.Fprintf(w, "\n\t%s:%d", frame.Function, frame.Line)
-	}
-}
diff --git a/vendor/github.com/zeebo/errs/group.go b/vendor/github.com/zeebo/errs/group.go
deleted file mode 100644
index 22b824aaf86..00000000000
--- a/vendor/github.com/zeebo/errs/group.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package errs
-
-import (
-	"fmt"
-	"io"
-)
-
-// Group is a list of errors.
-type Group []error
-
-// Combine combines multiple non-empty errors into a single error.
-func Combine(errs ...error) error {
-	var group Group
-	group.Add(errs...)
-	return group.Err()
-}
-
-// Add adds non-empty errors to the Group.
-func (group *Group) Add(errs ...error) {
-	for _, err := range errs {
-		if err != nil {
-			*group = append(*group, err)
-		}
-	}
-}
-
-// Err returns an error containing all of the non-nil errors.
-// If there was only one error, it will return it.
-// If there were none, it returns nil.
-func (group Group) Err() error {
-	sanitized := group.sanitize()
-	if len(sanitized) == 0 {
-		return nil
-	}
-	if len(sanitized) == 1 {
-		return sanitized[0]
-	}
-	return combinedError(sanitized)
-}
-
-// sanitize returns group that doesn't contain nil-s
-func (group Group) sanitize() Group {
-	// sanity check for non-nil errors
-	for i, err := range group {
-		if err == nil {
-			sanitized := make(Group, 0, len(group)-1)
-			sanitized = append(sanitized, group[:i]...)
-			sanitized.Add(group[i+1:]...)
-			return sanitized
-		}
-	}
-
-	return group
-}
-
-// combinedError is a list of non-empty errors
-type combinedError []error
-
-// Unwrap returns the first error.
-func (group combinedError) Unwrap() []error { return group }
-
-// Error returns error string delimited by semicolons.
-func (group combinedError) Error() string { return fmt.Sprintf("%v", group) }
-
-// Format handles the formatting of the error. Using a "+" on the format
-// string specifier will cause the errors to be formatted with "+" and
-// delimited by newlines. They are delimited by semicolons otherwise.
-func (group combinedError) Format(f fmt.State, c rune) {
-	delim := "; "
-	if f.Flag(int('+')) {
-		io.WriteString(f, "group:\n--- ")
-		delim = "\n--- "
-	}
-
-	for i, err := range group {
-		if i != 0 {
-			io.WriteString(f, delim)
-		}
-		if formatter, ok := err.(fmt.Formatter); ok {
-			formatter.Format(f, c)
-		} else {
-			fmt.Fprintf(f, "%v", err)
-		}
-	}
-}
diff --git a/vendor/github.com/zeebo/errs/is_go1.20.go b/vendor/github.com/zeebo/errs/is_go1.20.go
deleted file mode 100644
index 6f8799aa482..00000000000
--- a/vendor/github.com/zeebo/errs/is_go1.20.go
+++ /dev/null
@@ -1,8 +0,0 @@
-//go:build go1.20
-
-package errs
-
-import "errors"
-
-// Is checks if any of the underlying errors matches target
-func Is(err, target error) bool { return errors.Is(err, target) }
diff --git a/vendor/github.com/zeebo/errs/is_go_other.go b/vendor/github.com/zeebo/errs/is_go_other.go
deleted file mode 100644
index 92f3b5b61f8..00000000000
--- a/vendor/github.com/zeebo/errs/is_go_other.go
+++ /dev/null
@@ -1,17 +0,0 @@
-//go:build !go1.20
-// +build !go1.20
-
-package errs
-
-// Is checks if any of the underlying errors matches target
-func Is(err, target error) bool {
-	return IsFunc(err, func(err error) bool {
-		if err == target {
-			return true
-		}
-		if x, ok := err.(interface{ Is(error) bool }); ok && x.Is(target) {
-			return true
-		}
-		return false
-	})
-}
diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
deleted file mode 100644
index 28cd99c7f3f..00000000000
--- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
+++ /dev/null
@@ -1,77 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
-2898 / PKCS #5 v2.0.
-
-A key derivation function is useful when encrypting data based on a password
-or any other not-fully-random data. It uses a pseudorandom function to derive
-a secure encryption key based on the password.
-
-While v2.0 of the standard defines only one pseudorandom function to use,
-HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
-Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
-choose, you can pass the `New` functions from the different SHA packages to
-pbkdf2.Key.
-*/
-package pbkdf2
-
-import (
-	"crypto/hmac"
-	"hash"
-)
-
-// Key derives a key from the password, salt and iteration count, returning a
-// []byte of length keylen that can be used as cryptographic key. The key is
-// derived based on the method described as PBKDF2 with the HMAC variant using
-// the supplied hash function.
-//
-// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
-// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
-// doing:
-//
-//	dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
-//
-// Remember to get a good random salt. At least 8 bytes is recommended by the
-// RFC.
-//
-// Using a higher iteration count will increase the cost of an exhaustive
-// search but will also make derivation proportionally slower.
-func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
-	prf := hmac.New(h, password)
-	hashLen := prf.Size()
-	numBlocks := (keyLen + hashLen - 1) / hashLen
-
-	var buf [4]byte
-	dk := make([]byte, 0, numBlocks*hashLen)
-	U := make([]byte, hashLen)
-	for block := 1; block <= numBlocks; block++ {
-		// N.B.: || means concatenation, ^ means XOR
-		// for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
-		// U_1 = PRF(password, salt || uint(i))
-		prf.Reset()
-		prf.Write(salt)
-		buf[0] = byte(block >> 24)
-		buf[1] = byte(block >> 16)
-		buf[2] = byte(block >> 8)
-		buf[3] = byte(block)
-		prf.Write(buf[:4])
-		dk = prf.Sum(dk)
-		T := dk[len(dk)-hashLen:]
-		copy(U, T)
-
-		// U_n = PRF(password, U_(n-1))
-		for n := 2; n <= iter; n++ {
-			prf.Reset()
-			prf.Write(U)
-			U = U[:0]
-			U = prf.Sum(U)
-			for x := range U {
-				T[x] ^= U[x]
-			}
-		}
-	}
-	return dk[:keyLen]
-}
diff --git a/vendor/google.golang.org/grpc/CONTRIBUTING.md b/vendor/google.golang.org/grpc/CONTRIBUTING.md
index 1de0ce66691..d9bfa6e1e7c 100644
--- a/vendor/google.golang.org/grpc/CONTRIBUTING.md
+++ b/vendor/google.golang.org/grpc/CONTRIBUTING.md
@@ -1,102 +1,73 @@
 # How to contribute
 
-We welcome your patches and contributions to gRPC! Please read the gRPC
-organization's [governance
-rules](https://github.com/grpc/grpc-community/blob/master/governance.md) before
-proceeding.
+We definitely welcome your patches and contributions to gRPC! Please read the gRPC
+organization's [governance rules](https://github.com/grpc/grpc-community/blob/master/governance.md)
+and [contribution guidelines](https://github.com/grpc/grpc-community/blob/master/CONTRIBUTING.md) before proceeding.
 
 If you are new to GitHub, please start by reading [Pull Request howto](https://help.github.com/articles/about-pull-requests/)
 
 ## Legal requirements
 
 In order to protect both you and ourselves, you will need to sign the
-[Contributor License
-Agreement](https://identity.linuxfoundation.org/projects/cncf). When you create
-your first PR, a link will be added as a comment that contains the steps needed
-to complete this process.
+[Contributor License Agreement](https://identity.linuxfoundation.org/projects/cncf).
 
-## Getting Started
-
-A great way to start is by searching through our open issues. [Unassigned issues
-labeled as "help
-wanted"](https://github.com/grpc/grpc-go/issues?q=sort%3Aupdated-desc%20is%3Aissue%20is%3Aopen%20label%3A%22Status%3A%20Help%20Wanted%22%20no%3Aassignee)
-are especially nice for first-time contributors, as they should be well-defined
-problems that already have agreed-upon solutions.
+## Guidelines for Pull Requests
+How to get your contributions merged smoothly and quickly.
 
-## Code Style
+- Create **small PRs** that are narrowly focused on **addressing a single
+  concern**. We often times receive PRs that are trying to fix several things at
+  a time, but only one fix is considered acceptable, nothing gets merged and
+  both author's & review's time is wasted. Create more PRs to address different
+  concerns and everyone will be happy.
 
-We follow [Google's published Go style
-guide](https://google.github.io/styleguide/go/). Note that there are three
-primary documents that make up this style guide; please follow them as closely
-as possible. If a reviewer recommends something that contradicts those
-guidelines, there may be valid reasons to do so, but it should be rare.
+- If you are searching for features to work on, issues labeled [Status: Help
+  Wanted](https://github.com/grpc/grpc-go/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3A%22Status%3A+Help+Wanted%22)
+  is a great place to start. These issues are well-documented and usually can be
+  resolved with a single pull request.
 
-## Guidelines for Pull Requests
+- If you are adding a new file, make sure it has the copyright message template
+  at the top as a comment. You can copy over the message from an existing file
+  and update the year.
 
-How to get your contributions merged smoothly and quickly:
+- The grpc package should only depend on standard Go packages and a small number
+  of exceptions. If your contribution introduces new dependencies which are NOT
+  in the [list](https://godoc.org/google.golang.org/grpc?imports), you need a
+  discussion with gRPC-Go authors and consultants.
 
-- Create **small PRs** that are narrowly focused on **addressing a single
-  concern**. We often receive PRs that attempt to fix several things at the same
-  time, and if one part of the PR has a problem, that will hold up the entire
-  PR.
-
-- For **speculative changes**, consider opening an issue and discussing it
-  first. If you are suggesting a behavioral or API change, consider starting
-  with a [gRFC proposal](https://github.com/grpc/proposal). Many new features
-  that are not bug fixes will require cross-language agreement.
-
-- If you want to fix **formatting or style**, consider whether your changes are
-  an obvious improvement or might be considered a personal preference. If a
-  style change is based on preference, it likely will not be accepted. If it
-  corrects widely agreed-upon anti-patterns, then please do create a PR and
-  explain the benefits of the change.
-
-- For correcting **misspellings**, please be aware that we use some terms that
-  are sometimes flagged by spell checkers. As an example, "if an only if" is
-  often written as "iff". Please do not make spelling correction changes unless
-  you are certain they are misspellings.
+- For speculative changes, consider opening an issue and discussing it first. If
+  you are suggesting a behavioral or API change, consider starting with a [gRFC
+  proposal](https://github.com/grpc/proposal).
 
 - Provide a good **PR description** as a record of **what** change is being made
   and **why** it was made. Link to a GitHub issue if it exists.
 
-- Maintain a **clean commit history** and use **meaningful commit messages**.
-  PRs with messy commit histories are difficult to review and won't be merged.
-  Before sending your PR, ensure your changes are based on top of the latest
-  `upstream/master` commits, and avoid rebasing in the middle of a code review.
-  You should **never use `git push -f`** unless absolutely necessary during a
-  review, as it can interfere with GitHub's tracking of comments.
-
-- **All tests need to be passing** before your change can be merged. We
-  recommend you run tests locally before creating your PR to catch breakages
-  early on:
-
-  - `./scripts/vet.sh` to catch vet errors.
-  - `go test -cpu 1,4 -timeout 7m ./...` to run the tests.
-  - `go test -race -cpu 1,4 -timeout 7m ./...` to run tests in race mode.
-
-  Note that we have a multi-module repo, so `go test` commands may need to be
-  run from the root of each module in order to cause all tests to run.
+- If you want to fix formatting or style, consider whether your changes are an
+  obvious improvement or might be considered a personal preference. If a style
+  change is based on preference, it likely will not be accepted. If it corrects
+  widely agreed-upon anti-patterns, then please do create a PR and explain the
+  benefits of the change.
 
-  *Alternatively*, you may find it easier to push your changes to your fork on
-  GitHub, which will trigger a GitHub Actions run that you can use to verify
-  everything is passing.
+- Unless your PR is trivial, you should expect there will be reviewer comments
+  that you'll need to address before merging. We'll mark it as `Status: Requires
+  Reporter Clarification` if we expect you to respond to these comments in a
+  timely manner. If the PR remains inactive for 6 days, it will be marked as
+  `stale` and automatically close 7 days after that if we don't hear back from
+  you.
 
-- If you are adding a new file, make sure it has the **copyright message**
-  template at the top as a comment. You can copy the message from an existing
-  file and update the year.
+- Maintain **clean commit history** and use **meaningful commit messages**. PRs
+  with messy commit history are difficult to review and won't be merged. Use
+  `rebase -i upstream/master` to curate your commit history and/or to bring in
+  latest changes from master (but avoid rebasing in the middle of a code
+  review).
 
-- The grpc package should only depend on standard Go packages and a small number
-  of exceptions. **If your contribution introduces new dependencies**, you will
-  need a discussion with gRPC-Go maintainers. A GitHub action check will run on
-  every PR, and will flag any transitive dependency changes from any public
-  package.
+- Keep your PR up to date with upstream/master (if there are merge conflicts, we
+  can't really merge your change).
 
-- Unless your PR is trivial, you should **expect reviewer comments** that you
-  will need to address before merging. We'll label the PR as `Status: Requires
-  Reporter Clarification` if we expect you to respond to these comments in a
-  timely manner. If the PR remains inactive for 6 days, it will be marked as
-  `stale`, and we will automatically close it after 7 days if we don't hear back
-  from you. Please feel free to ping issues or bugs if you do not get a response
-  within a week.
+- **All tests need to be passing** before your change can be merged. We
+  recommend you **run tests locally** before creating your PR to catch breakages
+  early on.
+  - `./scripts/vet.sh` to catch vet errors
+  - `go test -cpu 1,4 -timeout 7m ./...` to run the tests
+  - `go test -race -cpu 1,4 -timeout 7m ./...` to run tests in race mode
 
-- Exceptions to the rules can be made if there's a compelling reason to do so.
+- Exceptions to the rules can be made if there's a compelling reason for doing so.
diff --git a/vendor/google.golang.org/grpc/README.md b/vendor/google.golang.org/grpc/README.md
index f9a88d597ec..b572707c623 100644
--- a/vendor/google.golang.org/grpc/README.md
+++ b/vendor/google.golang.org/grpc/README.md
@@ -32,7 +32,6 @@ import "google.golang.org/grpc"
 - [Low-level technical docs](Documentation) from this repository
 - [Performance benchmark][]
 - [Examples](examples)
-- [Contribution guidelines](CONTRIBUTING.md)
 
 ## FAQ
 
diff --git a/vendor/google.golang.org/grpc/balancer/base/balancer.go b/vendor/google.golang.org/grpc/balancer/base/balancer.go
index 4d576876d8c..d5ed172ae69 100644
--- a/vendor/google.golang.org/grpc/balancer/base/balancer.go
+++ b/vendor/google.golang.org/grpc/balancer/base/balancer.go
@@ -41,7 +41,7 @@ func (bb *baseBuilder) Build(cc balancer.ClientConn, _ balancer.BuildOptions) ba
 		cc:            cc,
 		pickerBuilder: bb.pickerBuilder,
 
-		subConns: resolver.NewAddressMapV2[balancer.SubConn](),
+		subConns: resolver.NewAddressMap(),
 		scStates: make(map[balancer.SubConn]connectivity.State),
 		csEvltr:  &balancer.ConnectivityStateEvaluator{},
 		config:   bb.config,
@@ -65,7 +65,7 @@ type baseBalancer struct {
 	csEvltr *balancer.ConnectivityStateEvaluator
 	state   connectivity.State
 
-	subConns *resolver.AddressMapV2[balancer.SubConn]
+	subConns *resolver.AddressMap
 	scStates map[balancer.SubConn]connectivity.State
 	picker   balancer.Picker
 	config   Config
@@ -100,7 +100,7 @@ func (b *baseBalancer) UpdateClientConnState(s balancer.ClientConnState) error {
 	// Successful resolution; clear resolver error and ensure we return nil.
 	b.resolverErr = nil
 	// addrsSet is the set converted from addrs, it's used for quick lookup of an address.
-	addrsSet := resolver.NewAddressMapV2[any]()
+	addrsSet := resolver.NewAddressMap()
 	for _, a := range s.ResolverState.Addresses {
 		addrsSet.Set(a, nil)
 		if _, ok := b.subConns.Get(a); !ok {
@@ -122,7 +122,8 @@ func (b *baseBalancer) UpdateClientConnState(s balancer.ClientConnState) error {
 		}
 	}
 	for _, a := range b.subConns.Keys() {
-		sc, _ := b.subConns.Get(a)
+		sci, _ := b.subConns.Get(a)
+		sc := sci.(balancer.SubConn)
 		// a was removed by resolver.
 		if _, ok := addrsSet.Get(a); !ok {
 			sc.Shutdown()
@@ -172,7 +173,8 @@ func (b *baseBalancer) regeneratePicker() {
 
 	// Filter out all ready SCs from full subConn map.
 	for _, addr := range b.subConns.Keys() {
-		sc, _ := b.subConns.Get(addr)
+		sci, _ := b.subConns.Get(addr)
+		sc := sci.(balancer.SubConn)
 		if st, ok := b.scStates[sc]; ok && st == connectivity.Ready {
 			readySCs[sc] = SubConnInfo{Address: addr}
 		}
diff --git a/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go b/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
index cc606f4dae4..421c4fecc99 100644
--- a/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
+++ b/vendor/google.golang.org/grpc/balancer/endpointsharding/endpointsharding.go
@@ -73,7 +73,7 @@ func NewBalancer(cc balancer.ClientConn, opts balancer.BuildOptions, childBuilde
 		esOpts:       esOpts,
 		childBuilder: childBuilder,
 	}
-	es.children.Store(resolver.NewEndpointMap[*balancerWrapper]())
+	es.children.Store(resolver.NewEndpointMap())
 	return es
 }
 
@@ -90,7 +90,7 @@ type endpointSharding struct {
 	// calls into a child. To avoid deadlocks, do not acquire childMu while
 	// holding mu.
 	childMu  sync.Mutex
-	children atomic.Pointer[resolver.EndpointMap[*balancerWrapper]]
+	children atomic.Pointer[resolver.EndpointMap] // endpoint -> *balancerWrapper
 
 	// inhibitChildUpdates is set during UpdateClientConnState/ResolverError
 	// calls (calls to children will each produce an update, only want one
@@ -122,7 +122,7 @@ func (es *endpointSharding) UpdateClientConnState(state balancer.ClientConnState
 	var ret error
 
 	children := es.children.Load()
-	newChildren := resolver.NewEndpointMap[*balancerWrapper]()
+	newChildren := resolver.NewEndpointMap()
 
 	// Update/Create new children.
 	for _, endpoint := range state.ResolverState.Endpoints {
@@ -131,8 +131,9 @@ func (es *endpointSharding) UpdateClientConnState(state balancer.ClientConnState
 			// update.
 			continue
 		}
-		childBalancer, ok := children.Get(endpoint)
-		if ok {
+		var childBalancer *balancerWrapper
+		if val, ok := children.Get(endpoint); ok {
+			childBalancer = val.(*balancerWrapper)
 			// Endpoint attributes may have changed, update the stored endpoint.
 			es.mu.Lock()
 			childBalancer.childState.Endpoint = endpoint
@@ -165,7 +166,7 @@ func (es *endpointSharding) UpdateClientConnState(state balancer.ClientConnState
 	for _, e := range children.Keys() {
 		child, _ := children.Get(e)
 		if _, ok := newChildren.Get(e); !ok {
-			child.closeLocked()
+			child.(*balancerWrapper).closeLocked()
 		}
 	}
 	es.children.Store(newChildren)
@@ -188,7 +189,7 @@ func (es *endpointSharding) ResolverError(err error) {
 	}()
 	children := es.children.Load()
 	for _, child := range children.Values() {
-		child.resolverErrorLocked(err)
+		child.(*balancerWrapper).resolverErrorLocked(err)
 	}
 }
 
@@ -201,7 +202,7 @@ func (es *endpointSharding) Close() {
 	defer es.childMu.Unlock()
 	children := es.children.Load()
 	for _, child := range children.Values() {
-		child.closeLocked()
+		child.(*balancerWrapper).closeLocked()
 	}
 }
 
@@ -221,7 +222,8 @@ func (es *endpointSharding) updateState() {
 	childStates := make([]ChildState, 0, children.Len())
 
 	for _, child := range children.Values() {
-		childState := child.childState
+		bw := child.(*balancerWrapper)
+		childState := bw.childState
 		childStates = append(childStates, childState)
 		childPicker := childState.State.Picker
 		switch childState.State.ConnectivityState {
diff --git a/vendor/google.golang.org/grpc/balancer/grpclb/grpc_lb_v1/load_balancer.pb.go b/vendor/google.golang.org/grpc/balancer/grpclb/grpc_lb_v1/load_balancer.pb.go
index 01ac7f6f349..eecfa12571d 100644
--- a/vendor/google.golang.org/grpc/balancer/grpclb/grpc_lb_v1/load_balancer.pb.go
+++ b/vendor/google.golang.org/grpc/balancer/grpclb/grpc_lb_v1/load_balancer.pb.go
@@ -19,7 +19,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.4
 // 	protoc        v5.27.1
 // source: grpc/lb/v1/load_balancer.proto
 
@@ -642,47 +642,115 @@ func (x *Server) GetDrop() bool {
 
 var File_grpc_lb_v1_load_balancer_proto protoreflect.FileDescriptor
 
-const file_grpc_lb_v1_load_balancer_proto_rawDesc = "" +
-	"\n" +
-	"\x1egrpc/lb/v1/load_balancer.proto\x12\n" +
-	"grpc.lb.v1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xc1\x01\n" +
-	"\x12LoadBalanceRequest\x12P\n" +
-	"\x0finitial_request\x18\x01 \x01(\v2%.grpc.lb.v1.InitialLoadBalanceRequestH\x00R\x0einitialRequest\x12<\n" +
-	"\fclient_stats\x18\x02 \x01(\v2\x17.grpc.lb.v1.ClientStatsH\x00R\vclientStatsB\x1b\n" +
-	"\x19load_balance_request_type\"/\n" +
-	"\x19InitialLoadBalanceRequest\x12\x12\n" +
-	"\x04name\x18\x01 \x01(\tR\x04name\"`\n" +
-	"\x13ClientStatsPerToken\x12,\n" +
-	"\x12load_balance_token\x18\x01 \x01(\tR\x10loadBalanceToken\x12\x1b\n" +
-	"\tnum_calls\x18\x02 \x01(\x03R\bnumCalls\"\xb0\x03\n" +
-	"\vClientStats\x128\n" +
-	"\ttimestamp\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampR\ttimestamp\x12*\n" +
-	"\x11num_calls_started\x18\x02 \x01(\x03R\x0fnumCallsStarted\x12,\n" +
-	"\x12num_calls_finished\x18\x03 \x01(\x03R\x10numCallsFinished\x12]\n" +
-	"-num_calls_finished_with_client_failed_to_send\x18\x06 \x01(\x03R&numCallsFinishedWithClientFailedToSend\x12H\n" +
-	"!num_calls_finished_known_received\x18\a \x01(\x03R\x1dnumCallsFinishedKnownReceived\x12X\n" +
-	"\x18calls_finished_with_drop\x18\b \x03(\v2\x1f.grpc.lb.v1.ClientStatsPerTokenR\x15callsFinishedWithDropJ\x04\b\x04\x10\x05J\x04\b\x05\x10\x06\"\x90\x02\n" +
-	"\x13LoadBalanceResponse\x12S\n" +
-	"\x10initial_response\x18\x01 \x01(\v2&.grpc.lb.v1.InitialLoadBalanceResponseH\x00R\x0finitialResponse\x129\n" +
-	"\vserver_list\x18\x02 \x01(\v2\x16.grpc.lb.v1.ServerListH\x00R\n" +
-	"serverList\x12K\n" +
-	"\x11fallback_response\x18\x03 \x01(\v2\x1c.grpc.lb.v1.FallbackResponseH\x00R\x10fallbackResponseB\x1c\n" +
-	"\x1aload_balance_response_type\"\x12\n" +
-	"\x10FallbackResponse\"~\n" +
-	"\x1aInitialLoadBalanceResponse\x12Z\n" +
-	"\x1cclient_stats_report_interval\x18\x02 \x01(\v2\x19.google.protobuf.DurationR\x19clientStatsReportIntervalJ\x04\b\x01\x10\x02\"@\n" +
-	"\n" +
-	"ServerList\x12,\n" +
-	"\aservers\x18\x01 \x03(\v2\x12.grpc.lb.v1.ServerR\aserversJ\x04\b\x03\x10\x04\"\x83\x01\n" +
-	"\x06Server\x12\x1d\n" +
-	"\n" +
-	"ip_address\x18\x01 \x01(\fR\tipAddress\x12\x12\n" +
-	"\x04port\x18\x02 \x01(\x05R\x04port\x12,\n" +
-	"\x12load_balance_token\x18\x03 \x01(\tR\x10loadBalanceToken\x12\x12\n" +
-	"\x04drop\x18\x04 \x01(\bR\x04dropJ\x04\b\x05\x10\x062b\n" +
-	"\fLoadBalancer\x12R\n" +
-	"\vBalanceLoad\x12\x1e.grpc.lb.v1.LoadBalanceRequest\x1a\x1f.grpc.lb.v1.LoadBalanceResponse(\x010\x01BW\n" +
-	"\rio.grpc.lb.v1B\x11LoadBalancerProtoP\x01Z1google.golang.org/grpc/balancer/grpclb/grpc_lb_v1b\x06proto3"
+var file_grpc_lb_v1_load_balancer_proto_rawDesc = string([]byte{
+	0x0a, 0x1e, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x6c, 0x62, 0x2f, 0x76, 0x31, 0x2f, 0x6c, 0x6f, 0x61,
+	0x64, 0x5f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x12, 0x0a, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x62, 0x2e, 0x76, 0x31, 0x1a, 0x1e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75,
+	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69,
+	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc1, 0x01,
+	0x0a, 0x12, 0x4c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x50, 0x0a, 0x0f, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x5f,
+	0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x62, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x69,
+	0x61, 0x6c, 0x4c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x0e, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3c, 0x0a, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74,
+	0x5f, 0x73, 0x74, 0x61, 0x74, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67,
+	0x72, 0x70, 0x63, 0x2e, 0x6c, 0x62, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
+	0x53, 0x74, 0x61, 0x74, 0x73, 0x48, 0x00, 0x52, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53,
+	0x74, 0x61, 0x74, 0x73, 0x42, 0x1b, 0x0a, 0x19, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x61, 0x6c,
+	0x61, 0x6e, 0x63, 0x65, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x74, 0x79, 0x70,
+	0x65, 0x22, 0x2f, 0x0a, 0x19, 0x49, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x4c, 0x6f, 0x61, 0x64,
+	0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12,
+	0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61,
+	0x6d, 0x65, 0x22, 0x60, 0x0a, 0x13, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74,
+	0x73, 0x50, 0x65, 0x72, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x2c, 0x0a, 0x12, 0x6c, 0x6f, 0x61,
+	0x64, 0x5f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x6c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e,
+	0x63, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x75, 0x6d, 0x5f, 0x63,
+	0x61, 0x6c, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x6e, 0x75, 0x6d, 0x43,
+	0x61, 0x6c, 0x6c, 0x73, 0x22, 0xb0, 0x03, 0x0a, 0x0b, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53,
+	0x74, 0x61, 0x74, 0x73, 0x12, 0x38, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d,
+	0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74,
+	0x61, 0x6d, 0x70, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x2a,
+	0x0a, 0x11, 0x6e, 0x75, 0x6d, 0x5f, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x73, 0x74, 0x61, 0x72,
+	0x74, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0f, 0x6e, 0x75, 0x6d, 0x43, 0x61,
+	0x6c, 0x6c, 0x73, 0x53, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x12, 0x2c, 0x0a, 0x12, 0x6e, 0x75,
+	0x6d, 0x5f, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x66, 0x69, 0x6e, 0x69, 0x73, 0x68, 0x65, 0x64,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x10, 0x6e, 0x75, 0x6d, 0x43, 0x61, 0x6c, 0x6c, 0x73,
+	0x46, 0x69, 0x6e, 0x69, 0x73, 0x68, 0x65, 0x64, 0x12, 0x5d, 0x0a, 0x2d, 0x6e, 0x75, 0x6d, 0x5f,
+	0x63, 0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x66, 0x69, 0x6e, 0x69, 0x73, 0x68, 0x65, 0x64, 0x5f, 0x77,
+	0x69, 0x74, 0x68, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x65,
+	0x64, 0x5f, 0x74, 0x6f, 0x5f, 0x73, 0x65, 0x6e, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52,
+	0x26, 0x6e, 0x75, 0x6d, 0x43, 0x61, 0x6c, 0x6c, 0x73, 0x46, 0x69, 0x6e, 0x69, 0x73, 0x68, 0x65,
+	0x64, 0x57, 0x69, 0x74, 0x68, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x46, 0x61, 0x69, 0x6c, 0x65,
+	0x64, 0x54, 0x6f, 0x53, 0x65, 0x6e, 0x64, 0x12, 0x48, 0x0a, 0x21, 0x6e, 0x75, 0x6d, 0x5f, 0x63,
+	0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x66, 0x69, 0x6e, 0x69, 0x73, 0x68, 0x65, 0x64, 0x5f, 0x6b, 0x6e,
+	0x6f, 0x77, 0x6e, 0x5f, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x64, 0x18, 0x07, 0x20, 0x01,
+	0x28, 0x03, 0x52, 0x1d, 0x6e, 0x75, 0x6d, 0x43, 0x61, 0x6c, 0x6c, 0x73, 0x46, 0x69, 0x6e, 0x69,
+	0x73, 0x68, 0x65, 0x64, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65,
+	0x64, 0x12, 0x58, 0x0a, 0x18, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x66, 0x69, 0x6e, 0x69, 0x73,
+	0x68, 0x65, 0x64, 0x5f, 0x77, 0x69, 0x74, 0x68, 0x5f, 0x64, 0x72, 0x6f, 0x70, 0x18, 0x08, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x62, 0x2e, 0x76, 0x31,
+	0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x50, 0x65, 0x72, 0x54,
+	0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x15, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x46, 0x69, 0x6e, 0x69, 0x73,
+	0x68, 0x65, 0x64, 0x57, 0x69, 0x74, 0x68, 0x44, 0x72, 0x6f, 0x70, 0x4a, 0x04, 0x08, 0x04, 0x10,
+	0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x22, 0x90, 0x02, 0x0a, 0x13, 0x4c, 0x6f, 0x61, 0x64,
+	0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
+	0x53, 0x0a, 0x10, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x72, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x6c, 0x62, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x4c, 0x6f,
+	0x61, 0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x48, 0x00, 0x52, 0x0f, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x39, 0x0a, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x6c,
+	0x69, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x6c, 0x62, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4c, 0x69, 0x73,
+	0x74, 0x48, 0x00, 0x52, 0x0a, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4c, 0x69, 0x73, 0x74, 0x12,
+	0x4b, 0x0a, 0x11, 0x66, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b, 0x5f, 0x72, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x72, 0x70,
+	0x63, 0x2e, 0x6c, 0x62, 0x2e, 0x76, 0x31, 0x2e, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x48, 0x00, 0x52, 0x10, 0x66, 0x61, 0x6c, 0x6c,
+	0x62, 0x61, 0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x1c, 0x0a, 0x1a,
+	0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x72, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x22, 0x12, 0x0a, 0x10, 0x46, 0x61,
+	0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x7e,
+	0x0a, 0x1a, 0x49, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x4c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c,
+	0x61, 0x6e, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a, 0x1c,
+	0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x73, 0x5f, 0x72, 0x65, 0x70,
+	0x6f, 0x72, 0x74, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x19, 0x63,
+	0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x73, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74,
+	0x49, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x22, 0x40,
+	0x0a, 0x0a, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x2c, 0x0a, 0x07,
+	0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x62, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65,
+	0x72, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04,
+	0x22, 0x83, 0x01, 0x0a, 0x06, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x1d, 0x0a, 0x0a, 0x69,
+	0x70, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52,
+	0x09, 0x69, 0x70, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f,
+	0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x2c,
+	0x0a, 0x12, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x74,
+	0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x6c, 0x6f, 0x61, 0x64,
+	0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x12, 0x0a, 0x04,
+	0x64, 0x72, 0x6f, 0x70, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x64, 0x72, 0x6f, 0x70,
+	0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x32, 0x62, 0x0a, 0x0c, 0x4c, 0x6f, 0x61, 0x64, 0x42, 0x61,
+	0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x12, 0x52, 0x0a, 0x0b, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63,
+	0x65, 0x4c, 0x6f, 0x61, 0x64, 0x12, 0x1e, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x62, 0x2e,
+	0x76, 0x31, 0x2e, 0x4c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x62, 0x2e,
+	0x76, 0x31, 0x2e, 0x4c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x28, 0x01, 0x30, 0x01, 0x42, 0x57, 0x0a, 0x0d, 0x69, 0x6f,
+	0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x62, 0x2e, 0x76, 0x31, 0x42, 0x11, 0x4c, 0x6f, 0x61,
+	0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
+	0x5a, 0x31, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e,
+	0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65,
+	0x72, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x6c, 0x62, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x6c, 0x62,
+	0x5f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_grpc_lb_v1_load_balancer_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/balancer/grpclb/grpclb_remote_balancer.go b/vendor/google.golang.org/grpc/balancer/grpclb/grpclb_remote_balancer.go
index f2df56120fe..506fae0d4e2 100644
--- a/vendor/google.golang.org/grpc/balancer/grpclb/grpclb_remote_balancer.go
+++ b/vendor/google.golang.org/grpc/balancer/grpclb/grpclb_remote_balancer.go
@@ -260,11 +260,10 @@ func (lb *lbBalancer) newRemoteBalancerCCWrapper() error {
 	// The grpclb server addresses will set field ServerName, and creds will
 	// receive ServerName as authority.
 	target := lb.manualResolver.Scheme() + ":///grpclb.subClientConn"
-	cc, err := grpc.NewClient(target, dopts...)
+	cc, err := grpc.Dial(target, dopts...)
 	if err != nil {
-		return fmt.Errorf("grpc.NewClient(%s): %v", target, err)
+		return fmt.Errorf("grpc.Dial(%s): %v", target, err)
 	}
-	cc.Connect()
 	ccw := &remoteBalancerCCWrapper{
 		cc:      cc,
 		lb:      lb,
diff --git a/vendor/google.golang.org/grpc/balancer/leastrequest/leastrequest.go b/vendor/google.golang.org/grpc/balancer/leastrequest/leastrequest.go
index f758f954e9f..d25f9178b9d 100644
--- a/vendor/google.golang.org/grpc/balancer/leastrequest/leastrequest.go
+++ b/vendor/google.golang.org/grpc/balancer/leastrequest/leastrequest.go
@@ -88,7 +88,7 @@ func (bb) Name() string {
 func (bb) Build(cc balancer.ClientConn, bOpts balancer.BuildOptions) balancer.Balancer {
 	b := &leastRequestBalancer{
 		ClientConn:        cc,
-		endpointRPCCounts: resolver.NewEndpointMap[*atomic.Int32](),
+		endpointRPCCounts: resolver.NewEndpointMap(),
 	}
 	b.child = endpointsharding.NewBalancer(b, bOpts, balancer.Get(pickfirstleaf.Name).Build, endpointsharding.Options{})
 	b.logger = internalgrpclog.NewPrefixLogger(logger, fmt.Sprintf("[%p] ", b))
@@ -97,8 +97,11 @@ func (bb) Build(cc balancer.ClientConn, bOpts balancer.BuildOptions) balancer.Ba
 }
 
 type leastRequestBalancer struct {
-	// Embeds balancer.ClientConn because we need to intercept UpdateState
-	// calls from the child balancer.
+	// Embeds balancer.Balancer because needs to intercept UpdateClientConnState
+	// to learn about choiceCount.
+	balancer.Balancer
+	// Embeds balancer.ClientConn because needs to intercept UpdateState calls
+	// from the child balancer.
 	balancer.ClientConn
 	child  balancer.Balancer
 	logger *internalgrpclog.PrefixLogger
@@ -107,7 +110,7 @@ type leastRequestBalancer struct {
 	choiceCount uint32
 	// endpointRPCCounts holds RPC counts to keep track for subsequent picker
 	// updates.
-	endpointRPCCounts *resolver.EndpointMap[*atomic.Int32]
+	endpointRPCCounts *resolver.EndpointMap // endpoint -> *atomic.Int32
 }
 
 func (lrb *leastRequestBalancer) Close() {
@@ -115,21 +118,6 @@ func (lrb *leastRequestBalancer) Close() {
 	lrb.endpointRPCCounts = nil
 }
 
-func (lrb *leastRequestBalancer) UpdateSubConnState(sc balancer.SubConn, state balancer.SubConnState) {
-	lrb.logger.Errorf("UpdateSubConnState(%v, %+v) called unexpectedly", sc, state)
-}
-
-func (lrb *leastRequestBalancer) ResolverError(err error) {
-	// Will cause inline picker update from endpoint sharding.
-	lrb.child.ResolverError(err)
-}
-
-func (lrb *leastRequestBalancer) ExitIdle() {
-	if ei, ok := lrb.child.(balancer.ExitIdler); ok { // Should always be ok, as child is endpoint sharding.
-		ei.ExitIdle()
-	}
-}
-
 func (lrb *leastRequestBalancer) UpdateClientConnState(ccs balancer.ClientConnState) error {
 	lrCfg, ok := ccs.BalancerConfig.(*LBConfig)
 	if !ok {
@@ -176,7 +164,7 @@ func (lrb *leastRequestBalancer) UpdateState(state balancer.State) {
 	}
 
 	// Reconcile endpoints.
-	newEndpoints := resolver.NewEndpointMap[any]()
+	newEndpoints := resolver.NewEndpointMap() // endpoint -> nil
 	for _, child := range readyEndpoints {
 		newEndpoints.Set(child.Endpoint, nil)
 	}
@@ -191,11 +179,13 @@ func (lrb *leastRequestBalancer) UpdateState(state balancer.State) {
 	// Copy refs to counters into picker.
 	endpointStates := make([]endpointState, 0, len(readyEndpoints))
 	for _, child := range readyEndpoints {
-		counter, ok := lrb.endpointRPCCounts.Get(child.Endpoint)
-		if !ok {
+		var counter *atomic.Int32
+		if val, ok := lrb.endpointRPCCounts.Get(child.Endpoint); !ok {
 			// Create new counts if needed.
 			counter = new(atomic.Int32)
 			lrb.endpointRPCCounts.Set(child.Endpoint, counter)
+		} else {
+			counter = val.(*atomic.Int32)
 		}
 		endpointStates = append(endpointStates, endpointState{
 			picker:  child.State.Picker,
diff --git a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
index 494314f2358..113181e6b35 100644
--- a/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
+++ b/vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go
@@ -122,7 +122,7 @@ func (pickfirstBuilder) Build(cc balancer.ClientConn, bo balancer.BuildOptions)
 		target:          bo.Target.String(),
 		metricsRecorder: cc.MetricsRecorder(),
 
-		subConns:              resolver.NewAddressMapV2[*scData](),
+		subConns:              resolver.NewAddressMap(),
 		state:                 connectivity.Connecting,
 		cancelConnectionTimer: func() {},
 	}
@@ -220,7 +220,7 @@ type pickfirstBalancer struct {
 	// updates.
 	state connectivity.State
 	// scData for active subonns mapped by address.
-	subConns              *resolver.AddressMapV2[*scData]
+	subConns              *resolver.AddressMap
 	addressList           addressList
 	firstPass             bool
 	numTF                 int
@@ -319,7 +319,7 @@ func (b *pickfirstBalancer) UpdateClientConnState(state balancer.ClientConnState
 	prevAddr := b.addressList.currentAddress()
 	prevSCData, found := b.subConns.Get(prevAddr)
 	prevAddrsCount := b.addressList.size()
-	isPrevRawConnectivityStateReady := found && prevSCData.rawConnectivityState == connectivity.Ready
+	isPrevRawConnectivityStateReady := found && prevSCData.(*scData).rawConnectivityState == connectivity.Ready
 	b.addressList.updateAddrs(newAddrs)
 
 	// If the previous ready SubConn exists in new address list,
@@ -381,21 +381,21 @@ func (b *pickfirstBalancer) startFirstPassLocked() {
 	b.numTF = 0
 	// Reset the connection attempt record for existing SubConns.
 	for _, sd := range b.subConns.Values() {
-		sd.connectionFailedInFirstPass = false
+		sd.(*scData).connectionFailedInFirstPass = false
 	}
 	b.requestConnectionLocked()
 }
 
 func (b *pickfirstBalancer) closeSubConnsLocked() {
 	for _, sd := range b.subConns.Values() {
-		sd.subConn.Shutdown()
+		sd.(*scData).subConn.Shutdown()
 	}
-	b.subConns = resolver.NewAddressMapV2[*scData]()
+	b.subConns = resolver.NewAddressMap()
 }
 
 // deDupAddresses ensures that each address appears only once in the slice.
 func deDupAddresses(addrs []resolver.Address) []resolver.Address {
-	seenAddrs := resolver.NewAddressMapV2[*scData]()
+	seenAddrs := resolver.NewAddressMap()
 	retAddrs := []resolver.Address{}
 
 	for _, addr := range addrs {
@@ -481,7 +481,7 @@ func addressFamily(address string) ipAddrFamily {
 // This ensures that the subchannel map accurately reflects the current set of
 // addresses received from the name resolver.
 func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address) {
-	newAddrsMap := resolver.NewAddressMapV2[bool]()
+	newAddrsMap := resolver.NewAddressMap()
 	for _, addr := range newAddrs {
 		newAddrsMap.Set(addr, true)
 	}
@@ -491,7 +491,7 @@ func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address)
 			continue
 		}
 		val, _ := b.subConns.Get(oldAddr)
-		val.subConn.Shutdown()
+		val.(*scData).subConn.Shutdown()
 		b.subConns.Delete(oldAddr)
 	}
 }
@@ -500,12 +500,13 @@ func (b *pickfirstBalancer) reconcileSubConnsLocked(newAddrs []resolver.Address)
 // becomes ready, which means that all other subConn must be shutdown.
 func (b *pickfirstBalancer) shutdownRemainingLocked(selected *scData) {
 	b.cancelConnectionTimer()
-	for _, sd := range b.subConns.Values() {
+	for _, v := range b.subConns.Values() {
+		sd := v.(*scData)
 		if sd.subConn != selected.subConn {
 			sd.subConn.Shutdown()
 		}
 	}
-	b.subConns = resolver.NewAddressMapV2[*scData]()
+	b.subConns = resolver.NewAddressMap()
 	b.subConns.Set(selected.addr, selected)
 }
 
@@ -538,17 +539,18 @@ func (b *pickfirstBalancer) requestConnectionLocked() {
 			b.subConns.Set(curAddr, sd)
 		}
 
-		switch sd.rawConnectivityState {
+		scd := sd.(*scData)
+		switch scd.rawConnectivityState {
 		case connectivity.Idle:
-			sd.subConn.Connect()
+			scd.subConn.Connect()
 			b.scheduleNextConnectionLocked()
 			return
 		case connectivity.TransientFailure:
 			// The SubConn is being re-used and failed during a previous pass
 			// over the addressList. It has not completed backoff yet.
 			// Mark it as having failed and try the next address.
-			sd.connectionFailedInFirstPass = true
-			lastErr = sd.lastErr
+			scd.connectionFailedInFirstPass = true
+			lastErr = scd.lastErr
 			continue
 		case connectivity.Connecting:
 			// Wait for the connection attempt to complete or the timer to fire
@@ -556,7 +558,7 @@ func (b *pickfirstBalancer) requestConnectionLocked() {
 			b.scheduleNextConnectionLocked()
 			return
 		default:
-			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", sd.rawConnectivityState)
+			b.logger.Errorf("SubConn with unexpected state %v present in SubConns map.", scd.rawConnectivityState)
 			return
 
 		}
@@ -751,7 +753,8 @@ func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
 	}
 	// Connect() has been called on all the SubConns. The first pass can be
 	// ended if all the SubConns have reported a failure.
-	for _, sd := range b.subConns.Values() {
+	for _, v := range b.subConns.Values() {
+		sd := v.(*scData)
 		if !sd.connectionFailedInFirstPass {
 			return
 		}
@@ -762,7 +765,8 @@ func (b *pickfirstBalancer) endFirstPassIfPossibleLocked(lastErr error) {
 		Picker:            &picker{err: lastErr},
 	})
 	// Start re-connecting all the SubConns that are already in IDLE.
-	for _, sd := range b.subConns.Values() {
+	for _, v := range b.subConns.Values() {
+		sd := v.(*scData)
 		if sd.rawConnectivityState == connectivity.Idle {
 			sd.subConn.Connect()
 		}
@@ -923,5 +927,6 @@ func (al *addressList) hasNext() bool {
 // fields that are meaningful to the SubConn.
 func equalAddressIgnoringBalAttributes(a, b *resolver.Address) bool {
 	return a.Addr == b.Addr && a.ServerName == b.ServerName &&
-		a.Attributes.Equal(b.Attributes)
+		a.Attributes.Equal(b.Attributes) &&
+		a.Metadata == b.Metadata
 }
diff --git a/vendor/google.golang.org/grpc/balancer/ringhash/picker.go b/vendor/google.golang.org/grpc/balancer/ringhash/picker.go
deleted file mode 100644
index 96f72905ec9..00000000000
--- a/vendor/google.golang.org/grpc/balancer/ringhash/picker.go
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- *
- * Copyright 2021 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-package ringhash
-
-import (
-	"fmt"
-	"strings"
-
-	xxhash "github.com/cespare/xxhash/v2"
-
-	"google.golang.org/grpc/balancer"
-	"google.golang.org/grpc/connectivity"
-	iringhash "google.golang.org/grpc/internal/ringhash"
-	"google.golang.org/grpc/metadata"
-)
-
-type picker struct {
-	ring *ring
-
-	// endpointStates is a cache of endpoint states.
-	// The ringhash balancer stores endpoint states in a `resolver.EndpointMap`,
-	// with access guarded by `ringhashBalancer.mu`. The `endpointStates` cache
-	// in the picker helps avoid locking the ringhash balancer's mutex when
-	// reading the latest state at RPC time.
-	endpointStates map[string]endpointState // endpointState.hashKey -> endpointState
-
-	// requestHashHeader is the header key to look for the request hash. If it's
-	// empty, the request hash is expected to be set in the context via xDS.
-	// See gRFC A76.
-	requestHashHeader string
-
-	// hasEndpointInConnectingState is true if any of the endpoints is in
-	// CONNECTING.
-	hasEndpointInConnectingState bool
-
-	randUint64 func() uint64
-}
-
-func (p *picker) Pick(info balancer.PickInfo) (balancer.PickResult, error) {
-	usingRandomHash := false
-	var requestHash uint64
-	if p.requestHashHeader == "" {
-		var ok bool
-		if requestHash, ok = iringhash.XDSRequestHash(info.Ctx); !ok {
-			return balancer.PickResult{}, fmt.Errorf("ringhash: expected xDS config selector to set the request hash")
-		}
-	} else {
-		md, ok := metadata.FromOutgoingContext(info.Ctx)
-		if !ok || len(md.Get(p.requestHashHeader)) == 0 {
-			requestHash = p.randUint64()
-			usingRandomHash = true
-		} else {
-			values := strings.Join(md.Get(p.requestHashHeader), ",")
-			requestHash = xxhash.Sum64String(values)
-		}
-	}
-
-	e := p.ring.pick(requestHash)
-	ringSize := len(p.ring.items)
-	if !usingRandomHash {
-		// Per gRFC A61, because of sticky-TF with PickFirst's auto reconnect on TF,
-		// we ignore all TF subchannels and find the first ring entry in READY,
-		// CONNECTING or IDLE.  If that entry is in IDLE, we need to initiate a
-		// connection. The idlePicker returned by the LazyLB or the new Pickfirst
-		// should do this automatically.
-		for i := 0; i < ringSize; i++ {
-			index := (e.idx + i) % ringSize
-			es := p.endpointState(p.ring.items[index])
-			switch es.state.ConnectivityState {
-			case connectivity.Ready, connectivity.Connecting, connectivity.Idle:
-				return es.state.Picker.Pick(info)
-			case connectivity.TransientFailure:
-			default:
-				panic(fmt.Sprintf("Found child balancer in unknown state: %v", es.state.ConnectivityState))
-			}
-		}
-	} else {
-		// If the picker has generated a random hash, it will walk the ring from
-		// this hash, and pick the first READY endpoint. If no endpoint is
-		// currently in CONNECTING state, it will trigger a connection attempt
-		// on at most one endpoint that is in IDLE state along the way. - A76
-		requestedConnection := p.hasEndpointInConnectingState
-		for i := 0; i < ringSize; i++ {
-			index := (e.idx + i) % ringSize
-			es := p.endpointState(p.ring.items[index])
-			if es.state.ConnectivityState == connectivity.Ready {
-				return es.state.Picker.Pick(info)
-			}
-			if !requestedConnection && es.state.ConnectivityState == connectivity.Idle {
-				requestedConnection = true
-				// If the SubChannel is in idle state, initiate a connection but
-				// continue to check other pickers to see if there is one in
-				// ready state.
-				es.balancer.ExitIdle()
-			}
-		}
-		if requestedConnection {
-			return balancer.PickResult{}, balancer.ErrNoSubConnAvailable
-		}
-	}
-
-	// All children are in transient failure. Return the first failure.
-	return p.endpointState(e).state.Picker.Pick(info)
-}
-
-func (p *picker) endpointState(e *ringEntry) endpointState {
-	return p.endpointStates[e.hashKey]
-}
diff --git a/vendor/google.golang.org/grpc/balancer/rls/balancer.go b/vendor/google.golang.org/grpc/balancer/rls/balancer.go
index db885a6d3c4..f75f6708dc7 100644
--- a/vendor/google.golang.org/grpc/balancer/rls/balancer.go
+++ b/vendor/google.golang.org/grpc/balancer/rls/balancer.go
@@ -148,6 +148,7 @@ func (rlsBB) Build(cc balancer.ClientConn, opts balancer.BuildOptions) balancer.
 		Logger:                  lb.logger,
 		SubBalancerCloseTimeout: time.Duration(0), // Disable caching of removed child policies
 	})
+	lb.bg.Start()
 	go lb.run()
 	return lb
 }
diff --git a/vendor/google.golang.org/grpc/balancer/rls/config.go b/vendor/google.golang.org/grpc/balancer/rls/config.go
index 427cb6b63fd..ff540aa058b 100644
--- a/vendor/google.golang.org/grpc/balancer/rls/config.go
+++ b/vendor/google.golang.org/grpc/balancer/rls/config.go
@@ -220,43 +220,27 @@ func parseRLSProto(rlsProto *rlspb.RouteLookupConfig) (*lbConfig, error) {
 
 	// Validations performed here:
 	// - if `max_age` > 5m, it should be set to 5 minutes
-	//   only if stale age is not set
 	// - if `stale_age` > `max_age`, ignore it
 	// - if `stale_age` is set, then `max_age` must also be set
-	maxAgeSet := false
 	maxAge, err := convertDuration(rlsProto.GetMaxAge())
 	if err != nil {
 		return nil, fmt.Errorf("rls: failed to parse max_age in route lookup config %+v: %v", rlsProto, err)
 	}
-	if maxAge == 0 {
-		maxAge = maxMaxAge
-	} else {
-		maxAgeSet = true
-	}
-
-	staleAgeSet := false
 	staleAge, err := convertDuration(rlsProto.GetStaleAge())
 	if err != nil {
 		return nil, fmt.Errorf("rls: failed to parse staleAge in route lookup config %+v: %v", rlsProto, err)
 	}
-	if staleAge == 0 {
-		staleAge = maxMaxAge
-	} else {
-		staleAgeSet = true
-	}
-
-	if staleAgeSet && !maxAgeSet {
+	if staleAge != 0 && maxAge == 0 {
 		return nil, fmt.Errorf("rls: stale_age is set, but max_age is not in route lookup config %+v", rlsProto)
 	}
-	if staleAge > maxMaxAge {
-		staleAge = maxMaxAge
+	if staleAge >= maxAge {
+		logger.Infof("rls: stale_age %v is not less than max_age %v, ignoring it", staleAge, maxAge)
+		staleAge = 0
 	}
-	if !staleAgeSet && maxAge > maxMaxAge {
+	if maxAge == 0 || maxAge > maxMaxAge {
+		logger.Infof("rls: max_age in route lookup config is %v, using %v", maxAge, maxMaxAge)
 		maxAge = maxMaxAge
 	}
-	if staleAge > maxAge {
-		staleAge = maxAge
-	}
 
 	// `cache_size_bytes` field must have a value greater than 0, and if its
 	// value is greater than 5M, we cap it at 5M
diff --git a/vendor/google.golang.org/grpc/balancer/weightedroundrobin/balancer.go b/vendor/google.golang.org/grpc/balancer/weightedroundrobin/balancer.go
index e6fe5a37acd..09c8df13d46 100644
--- a/vendor/google.golang.org/grpc/balancer/weightedroundrobin/balancer.go
+++ b/vendor/google.golang.org/grpc/balancer/weightedroundrobin/balancer.go
@@ -16,15 +16,6 @@
  *
  */
 
-// Package weightedroundrobin provides an implementation of the weighted round
-// robin LB policy, as defined in [gRFC A58].
-//
-// # Experimental
-//
-// Notice: This package is EXPERIMENTAL and may be changed or removed in a
-// later release.
-//
-// [gRFC A58]: https://github.com/grpc/proposal/blob/master/A58-client-side-weighted-round-robin-lb-policy.md
 package weightedroundrobin
 
 import (
@@ -104,8 +95,8 @@ func (bb) Build(cc balancer.ClientConn, bOpts balancer.BuildOptions) balancer.Ba
 		ClientConn:       cc,
 		target:           bOpts.Target.String(),
 		metricsRecorder:  cc.MetricsRecorder(),
-		addressWeights:   resolver.NewAddressMapV2[*endpointWeight](),
-		endpointToWeight: resolver.NewEndpointMap[*endpointWeight](),
+		addressWeights:   resolver.NewAddressMap(),
+		endpointToWeight: resolver.NewEndpointMap(),
 		scToWeight:       make(map[balancer.SubConn]*endpointWeight),
 	}
 
@@ -155,15 +146,17 @@ func (bb) Name() string {
 //
 // Caller must hold b.mu.
 func (b *wrrBalancer) updateEndpointsLocked(endpoints []resolver.Endpoint) {
-	endpointSet := resolver.NewEndpointMap[*endpointWeight]()
-	addressSet := resolver.NewAddressMapV2[*endpointWeight]()
+	endpointSet := resolver.NewEndpointMap()
+	addressSet := resolver.NewAddressMap()
 	for _, endpoint := range endpoints {
 		endpointSet.Set(endpoint, nil)
 		for _, addr := range endpoint.Addresses {
 			addressSet.Set(addr, nil)
 		}
-		ew, ok := b.endpointToWeight.Get(endpoint)
-		if !ok {
+		var ew *endpointWeight
+		if ewi, ok := b.endpointToWeight.Get(endpoint); ok {
+			ew = ewi.(*endpointWeight)
+		} else {
 			ew = &endpointWeight{
 				logger:            b.logger,
 				connectivityState: connectivity.Connecting,
@@ -212,8 +205,8 @@ type wrrBalancer struct {
 	cfg              *lbConfig // active config
 	locality         string
 	stopPicker       *grpcsync.Event
-	addressWeights   *resolver.AddressMapV2[*endpointWeight]
-	endpointToWeight *resolver.EndpointMap[*endpointWeight]
+	addressWeights   *resolver.AddressMap  // addr -> endpointWeight
+	endpointToWeight *resolver.EndpointMap // endpoint -> endpointWeight
 	scToWeight       map[balancer.SubConn]*endpointWeight
 }
 
@@ -258,12 +251,13 @@ func (b *wrrBalancer) UpdateState(state balancer.State) {
 
 	for _, childState := range childStates {
 		if childState.State.ConnectivityState == connectivity.Ready {
-			ew, ok := b.endpointToWeight.Get(childState.Endpoint)
+			ewv, ok := b.endpointToWeight.Get(childState.Endpoint)
 			if !ok {
 				// Should never happen, simply continue and ignore this endpoint
 				// for READY pickers.
 				continue
 			}
+			ew := ewv.(*endpointWeight)
 			readyPickersWeight = append(readyPickersWeight, pickerWeightedEndpoint{
 				picker:           childState.State.Picker,
 				weightedEndpoint: ew,
@@ -326,7 +320,7 @@ func (b *wrrBalancer) NewSubConn(addrs []resolver.Address, opts balancer.NewSubC
 	if err != nil {
 		return nil, err
 	}
-	b.scToWeight[sc] = ewi
+	b.scToWeight[sc] = ewi.(*endpointWeight)
 	return sc, nil
 }
 
@@ -395,7 +389,8 @@ func (b *wrrBalancer) Close() {
 	b.mu.Unlock()
 
 	// Ensure any lingering OOB watchers are stopped.
-	for _, ew := range b.endpointToWeight.Values() {
+	for _, ewv := range b.endpointToWeight.Values() {
+		ew := ewv.(*endpointWeight)
 		if ew.stopORCAListener != nil {
 			ew.stopORCAListener()
 		}
@@ -497,6 +492,7 @@ func (p *picker) start(stopPicker *grpcsync.Event) {
 // that listener.
 type endpointWeight struct {
 	// The following fields are immutable.
+	balancer.SubConn
 	logger          *grpclog.PrefixLogger
 	target          string
 	metricsRecorder estats.MetricsRecorder
@@ -526,7 +522,7 @@ type endpointWeight struct {
 
 func (w *endpointWeight) OnLoadReport(load *v3orcapb.OrcaLoadReport) {
 	if w.logger.V(2) {
-		w.logger.Infof("Received load report for subchannel %v: %v", w.pickedSC, load)
+		w.logger.Infof("Received load report for subchannel %v: %v", w.SubConn, load)
 	}
 	// Update weights of this endpoint according to the reported load.
 	utilization := load.ApplicationUtilization
@@ -535,7 +531,7 @@ func (w *endpointWeight) OnLoadReport(load *v3orcapb.OrcaLoadReport) {
 	}
 	if utilization == 0 || load.RpsFractional == 0 {
 		if w.logger.V(2) {
-			w.logger.Infof("Ignoring empty load report for subchannel %v", w.pickedSC)
+			w.logger.Infof("Ignoring empty load report for subchannel %v", w.SubConn)
 		}
 		return
 	}
@@ -546,7 +542,7 @@ func (w *endpointWeight) OnLoadReport(load *v3orcapb.OrcaLoadReport) {
 	errorRate := load.Eps / load.RpsFractional
 	w.weightVal = load.RpsFractional / (utilization + errorRate*w.cfg.ErrorUtilizationPenalty)
 	if w.logger.V(2) {
-		w.logger.Infof("New weight for subchannel %v: %v", w.pickedSC, w.weightVal)
+		w.logger.Infof("New weight for subchannel %v: %v", w.SubConn, w.weightVal)
 	}
 
 	w.lastUpdated = internal.TimeNow()
diff --git a/vendor/google.golang.org/grpc/balancer/weightedroundrobin/weightedroundrobin.go b/vendor/google.golang.org/grpc/balancer/weightedroundrobin/weightedroundrobin.go
new file mode 100644
index 00000000000..f50c2ef29b9
--- /dev/null
+++ b/vendor/google.golang.org/grpc/balancer/weightedroundrobin/weightedroundrobin.go
@@ -0,0 +1,85 @@
+/*
+ *
+ * Copyright 2019 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// Package weightedroundrobin provides an implementation of the weighted round
+// robin LB policy, as defined in [gRFC A58].
+//
+// # Experimental
+//
+// Notice: This package is EXPERIMENTAL and may be changed or removed in a
+// later release.
+//
+// [gRFC A58]: https://github.com/grpc/proposal/blob/master/A58-client-side-weighted-round-robin-lb-policy.md
+package weightedroundrobin
+
+import (
+	"fmt"
+
+	"google.golang.org/grpc/resolver"
+)
+
+// attributeKey is the type used as the key to store AddrInfo in the
+// BalancerAttributes field of resolver.Address or Attributes field of
+// resolver.Endpoint.
+type attributeKey struct{}
+
+// AddrInfo will be stored in the BalancerAttributes field of Address in order
+// to use weighted roundrobin balancer.
+type AddrInfo struct {
+	Weight uint32
+}
+
+// Equal allows the values to be compared by Attributes.Equal.
+func (a AddrInfo) Equal(o any) bool {
+	oa, ok := o.(AddrInfo)
+	return ok && oa.Weight == a.Weight
+}
+
+// SetAddrInfo returns a copy of addr in which the BalancerAttributes field is
+// updated with addrInfo.
+func SetAddrInfo(addr resolver.Address, addrInfo AddrInfo) resolver.Address {
+	addr.BalancerAttributes = addr.BalancerAttributes.WithValue(attributeKey{}, addrInfo)
+	return addr
+}
+
+// SetAddrInfoInEndpoint returns a copy of endpoint in which the Attributes
+// field is updated with addrInfo.
+func SetAddrInfoInEndpoint(endpoint resolver.Endpoint, addrInfo AddrInfo) resolver.Endpoint {
+	endpoint.Attributes = endpoint.Attributes.WithValue(attributeKey{}, addrInfo)
+	return endpoint
+}
+
+// GetAddrInfo returns the AddrInfo stored in the BalancerAttributes field of
+// addr.
+func GetAddrInfo(addr resolver.Address) AddrInfo {
+	v := addr.BalancerAttributes.Value(attributeKey{})
+	ai, _ := v.(AddrInfo)
+	return ai
+}
+
+// AddrInfoFromEndpoint returns the AddrInfo stored in the Attributes field of
+// endpoint.
+func AddrInfoFromEndpoint(endpoint resolver.Endpoint) AddrInfo {
+	v := endpoint.Attributes.Value(attributeKey{})
+	ai, _ := v.(AddrInfo)
+	return ai
+}
+
+func (a AddrInfo) String() string {
+	return fmt.Sprintf("Weight: %d", a.Weight)
+}
diff --git a/vendor/google.golang.org/grpc/balancer/weightedtarget/weightedtarget.go b/vendor/google.golang.org/grpc/balancer/weightedtarget/weightedtarget.go
index b47925a34ca..a617f6a63a2 100644
--- a/vendor/google.golang.org/grpc/balancer/weightedtarget/weightedtarget.go
+++ b/vendor/google.golang.org/grpc/balancer/weightedtarget/weightedtarget.go
@@ -62,6 +62,7 @@ func (bb) Build(cc balancer.ClientConn, bOpts balancer.BuildOptions) balancer.Ba
 		Logger:                  b.logger,
 		SubBalancerCloseTimeout: time.Duration(0), // Disable caching of removed child policies
 	})
+	b.bg.Start()
 	b.logger.Infof("Created")
 	return b
 }
diff --git a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
index b1364a03252..b2f8fc7f436 100644
--- a/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
+++ b/vendor/google.golang.org/grpc/binarylog/grpc_binarylog_v1/binarylog.pb.go
@@ -18,7 +18,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.4
 // 	protoc        v5.27.1
 // source: grpc/binlog/v1/binarylog.proto
 
@@ -858,68 +858,133 @@ func (x *Address) GetIpPort() uint32 {
 
 var File_grpc_binlog_v1_binarylog_proto protoreflect.FileDescriptor
 
-const file_grpc_binlog_v1_binarylog_proto_rawDesc = "" +
-	"\n" +
-	"\x1egrpc/binlog/v1/binarylog.proto\x12\x11grpc.binarylog.v1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xbb\a\n" +
-	"\fGrpcLogEntry\x128\n" +
-	"\ttimestamp\x18\x01 \x01(\v2\x1a.google.protobuf.TimestampR\ttimestamp\x12\x17\n" +
-	"\acall_id\x18\x02 \x01(\x04R\x06callId\x125\n" +
-	"\x17sequence_id_within_call\x18\x03 \x01(\x04R\x14sequenceIdWithinCall\x12=\n" +
-	"\x04type\x18\x04 \x01(\x0e2).grpc.binarylog.v1.GrpcLogEntry.EventTypeR\x04type\x12>\n" +
-	"\x06logger\x18\x05 \x01(\x0e2&.grpc.binarylog.v1.GrpcLogEntry.LoggerR\x06logger\x12F\n" +
-	"\rclient_header\x18\x06 \x01(\v2\x1f.grpc.binarylog.v1.ClientHeaderH\x00R\fclientHeader\x12F\n" +
-	"\rserver_header\x18\a \x01(\v2\x1f.grpc.binarylog.v1.ServerHeaderH\x00R\fserverHeader\x126\n" +
-	"\amessage\x18\b \x01(\v2\x1a.grpc.binarylog.v1.MessageH\x00R\amessage\x126\n" +
-	"\atrailer\x18\t \x01(\v2\x1a.grpc.binarylog.v1.TrailerH\x00R\atrailer\x12+\n" +
-	"\x11payload_truncated\x18\n" +
-	" \x01(\bR\x10payloadTruncated\x12.\n" +
-	"\x04peer\x18\v \x01(\v2\x1a.grpc.binarylog.v1.AddressR\x04peer\"\xf5\x01\n" +
-	"\tEventType\x12\x16\n" +
-	"\x12EVENT_TYPE_UNKNOWN\x10\x00\x12\x1c\n" +
-	"\x18EVENT_TYPE_CLIENT_HEADER\x10\x01\x12\x1c\n" +
-	"\x18EVENT_TYPE_SERVER_HEADER\x10\x02\x12\x1d\n" +
-	"\x19EVENT_TYPE_CLIENT_MESSAGE\x10\x03\x12\x1d\n" +
-	"\x19EVENT_TYPE_SERVER_MESSAGE\x10\x04\x12 \n" +
-	"\x1cEVENT_TYPE_CLIENT_HALF_CLOSE\x10\x05\x12\x1d\n" +
-	"\x19EVENT_TYPE_SERVER_TRAILER\x10\x06\x12\x15\n" +
-	"\x11EVENT_TYPE_CANCEL\x10\a\"B\n" +
-	"\x06Logger\x12\x12\n" +
-	"\x0eLOGGER_UNKNOWN\x10\x00\x12\x11\n" +
-	"\rLOGGER_CLIENT\x10\x01\x12\x11\n" +
-	"\rLOGGER_SERVER\x10\x02B\t\n" +
-	"\apayload\"\xbb\x01\n" +
-	"\fClientHeader\x127\n" +
-	"\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\x12\x1f\n" +
-	"\vmethod_name\x18\x02 \x01(\tR\n" +
-	"methodName\x12\x1c\n" +
-	"\tauthority\x18\x03 \x01(\tR\tauthority\x123\n" +
-	"\atimeout\x18\x04 \x01(\v2\x19.google.protobuf.DurationR\atimeout\"G\n" +
-	"\fServerHeader\x127\n" +
-	"\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\"\xb1\x01\n" +
-	"\aTrailer\x127\n" +
-	"\bmetadata\x18\x01 \x01(\v2\x1b.grpc.binarylog.v1.MetadataR\bmetadata\x12\x1f\n" +
-	"\vstatus_code\x18\x02 \x01(\rR\n" +
-	"statusCode\x12%\n" +
-	"\x0estatus_message\x18\x03 \x01(\tR\rstatusMessage\x12%\n" +
-	"\x0estatus_details\x18\x04 \x01(\fR\rstatusDetails\"5\n" +
-	"\aMessage\x12\x16\n" +
-	"\x06length\x18\x01 \x01(\rR\x06length\x12\x12\n" +
-	"\x04data\x18\x02 \x01(\fR\x04data\"B\n" +
-	"\bMetadata\x126\n" +
-	"\x05entry\x18\x01 \x03(\v2 .grpc.binarylog.v1.MetadataEntryR\x05entry\"7\n" +
-	"\rMetadataEntry\x12\x10\n" +
-	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
-	"\x05value\x18\x02 \x01(\fR\x05value\"\xb8\x01\n" +
-	"\aAddress\x123\n" +
-	"\x04type\x18\x01 \x01(\x0e2\x1f.grpc.binarylog.v1.Address.TypeR\x04type\x12\x18\n" +
-	"\aaddress\x18\x02 \x01(\tR\aaddress\x12\x17\n" +
-	"\aip_port\x18\x03 \x01(\rR\x06ipPort\"E\n" +
-	"\x04Type\x12\x10\n" +
-	"\fTYPE_UNKNOWN\x10\x00\x12\r\n" +
-	"\tTYPE_IPV4\x10\x01\x12\r\n" +
-	"\tTYPE_IPV6\x10\x02\x12\r\n" +
-	"\tTYPE_UNIX\x10\x03B\\\n" +
-	"\x14io.grpc.binarylog.v1B\x0eBinaryLogProtoP\x01Z2google.golang.org/grpc/binarylog/grpc_binarylog_v1b\x06proto3"
+var file_grpc_binlog_v1_binarylog_proto_rawDesc = string([]byte{
+	0x0a, 0x1e, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x62, 0x69, 0x6e, 0x6c, 0x6f, 0x67, 0x2f, 0x76, 0x31,
+	0x2f, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x12, 0x11, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
+	0x2e, 0x76, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x22, 0xbb, 0x07, 0x0a, 0x0c, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67,
+	0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x38, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
+	0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
+	0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12,
+	0x17, 0x0a, 0x07, 0x63, 0x61, 0x6c, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04,
+	0x52, 0x06, 0x63, 0x61, 0x6c, 0x6c, 0x49, 0x64, 0x12, 0x35, 0x0a, 0x17, 0x73, 0x65, 0x71, 0x75,
+	0x65, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x5f, 0x77, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x5f, 0x63,
+	0x61, 0x6c, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x04, 0x52, 0x14, 0x73, 0x65, 0x71, 0x75, 0x65,
+	0x6e, 0x63, 0x65, 0x49, 0x64, 0x57, 0x69, 0x74, 0x68, 0x69, 0x6e, 0x43, 0x61, 0x6c, 0x6c, 0x12,
+	0x3d, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x29, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76,
+	0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x45,
+	0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x3e,
+	0x0a, 0x06, 0x6c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26,
+	0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e,
+	0x76, 0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e,
+	0x4c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x52, 0x06, 0x6c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x12, 0x46,
+	0x0a, 0x0d, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e,
+	0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
+	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74,
+	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x46, 0x0a, 0x0d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
+	0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76,
+	0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00,
+	0x52, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x36,
+	0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
+	0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x48, 0x00, 0x52, 0x07, 0x6d,
+	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x36, 0x0a, 0x07, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x65,
+	0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62,
+	0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69,
+	0x6c, 0x65, 0x72, 0x48, 0x00, 0x52, 0x07, 0x74, 0x72, 0x61, 0x69, 0x6c, 0x65, 0x72, 0x12, 0x2b,
+	0x0a, 0x11, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61,
+	0x74, 0x65, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x70, 0x61, 0x79, 0x6c, 0x6f,
+	0x61, 0x64, 0x54, 0x72, 0x75, 0x6e, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x2e, 0x0a, 0x04, 0x70,
+	0x65, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x64,
+	0x64, 0x72, 0x65, 0x73, 0x73, 0x52, 0x04, 0x70, 0x65, 0x65, 0x72, 0x22, 0xf5, 0x01, 0x0a, 0x09,
+	0x45, 0x76, 0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x12, 0x45, 0x56, 0x45,
+	0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
+	0x00, 0x12, 0x1c, 0x0a, 0x18, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
+	0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x5f, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x01, 0x12,
+	0x1c, 0x0a, 0x18, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45,
+	0x52, 0x56, 0x45, 0x52, 0x5f, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x02, 0x12, 0x1d, 0x0a,
+	0x19, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45,
+	0x4e, 0x54, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x03, 0x12, 0x1d, 0x0a, 0x19,
+	0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x45,
+	0x52, 0x5f, 0x4d, 0x45, 0x53, 0x53, 0x41, 0x47, 0x45, 0x10, 0x04, 0x12, 0x20, 0x0a, 0x1c, 0x45,
+	0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54,
+	0x5f, 0x48, 0x41, 0x4c, 0x46, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x10, 0x05, 0x12, 0x1d, 0x0a,
+	0x19, 0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56,
+	0x45, 0x52, 0x5f, 0x54, 0x52, 0x41, 0x49, 0x4c, 0x45, 0x52, 0x10, 0x06, 0x12, 0x15, 0x0a, 0x11,
+	0x45, 0x56, 0x45, 0x4e, 0x54, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x41, 0x4e, 0x43, 0x45,
+	0x4c, 0x10, 0x07, 0x22, 0x42, 0x0a, 0x06, 0x4c, 0x6f, 0x67, 0x67, 0x65, 0x72, 0x12, 0x12, 0x0a,
+	0x0e, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
+	0x00, 0x12, 0x11, 0x0a, 0x0d, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x43, 0x4c, 0x49, 0x45,
+	0x4e, 0x54, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x4c, 0x4f, 0x47, 0x47, 0x45, 0x52, 0x5f, 0x53,
+	0x45, 0x52, 0x56, 0x45, 0x52, 0x10, 0x02, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f,
+	0x61, 0x64, 0x22, 0xbb, 0x01, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x48, 0x65, 0x61,
+	0x64, 0x65, 0x72, 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e,
+	0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
+	0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1f, 0x0a, 0x0b,
+	0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0a, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a,
+	0x09, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x09, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x33, 0x0a, 0x07, 0x74,
+	0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44,
+	0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74,
+	0x22, 0x47, 0x0a, 0x0c, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72,
+	0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79,
+	0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52,
+	0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xb1, 0x01, 0x0a, 0x07, 0x54, 0x72,
+	0x61, 0x69, 0x6c, 0x65, 0x72, 0x12, 0x37, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
+	0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62,
+	0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61,
+	0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1f,
+	0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x0d, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x43, 0x6f, 0x64, 0x65, 0x12,
+	0x25, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
+	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x4d,
+	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
+	0x5f, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d,
+	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x22, 0x35, 0x0a,
+	0x07, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67,
+	0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68,
+	0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04,
+	0x64, 0x61, 0x74, 0x61, 0x22, 0x42, 0x0a, 0x08, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
+	0x12, 0x36, 0x0a, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x20, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67,
+	0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72,
+	0x79, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0x37, 0x0a, 0x0d, 0x4d, 0x65, 0x74, 0x61,
+	0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x22, 0xb8, 0x01, 0x0a, 0x07, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x33, 0x0a,
+	0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f, 0x2e, 0x67, 0x72,
+	0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x2e,
+	0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79,
+	0x70, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x17, 0x0a, 0x07,
+	0x69, 0x70, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x69,
+	0x70, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x45, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a,
+	0x0c, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12,
+	0x0d, 0x0a, 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x50, 0x56, 0x34, 0x10, 0x01, 0x12, 0x0d,
+	0x0a, 0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x50, 0x56, 0x36, 0x10, 0x02, 0x12, 0x0d, 0x0a,
+	0x09, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x49, 0x58, 0x10, 0x03, 0x42, 0x5c, 0x0a, 0x14,
+	0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f,
+	0x67, 0x2e, 0x76, 0x31, 0x42, 0x0e, 0x42, 0x69, 0x6e, 0x61, 0x72, 0x79, 0x4c, 0x6f, 0x67, 0x50,
+	0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x32, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67,
+	0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x62,
+	0x69, 0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x62, 0x69,
+	0x6e, 0x61, 0x72, 0x79, 0x6c, 0x6f, 0x67, 0x5f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
+})
 
 var (
 	file_grpc_binlog_v1_binarylog_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/channelz/grpc_channelz_v1/channelz.pb.go b/vendor/google.golang.org/grpc/channelz/grpc_channelz_v1/channelz.pb.go
index 7ce1029cb55..7bf14ca03a8 100644
--- a/vendor/google.golang.org/grpc/channelz/grpc_channelz_v1/channelz.pb.go
+++ b/vendor/google.golang.org/grpc/channelz/grpc_channelz_v1/channelz.pb.go
@@ -21,7 +21,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.4
 // 	protoc        v5.27.1
 // source: grpc/channelz/v1/channelz.proto
 
@@ -2964,245 +2964,518 @@ func (x *Security_OtherSecurity) GetValue() *anypb.Any {
 
 var File_grpc_channelz_v1_channelz_proto protoreflect.FileDescriptor
 
-const file_grpc_channelz_v1_channelz_proto_rawDesc = "" +
-	"\n" +
-	"\x1fgrpc/channelz/v1/channelz.proto\x12\x10grpc.channelz.v1\x1a\x19google/protobuf/any.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1egoogle/protobuf/wrappers.proto\"\xaf\x02\n" +
-	"\aChannel\x12.\n" +
-	"\x03ref\x18\x01 \x01(\v2\x1c.grpc.channelz.v1.ChannelRefR\x03ref\x121\n" +
-	"\x04data\x18\x02 \x01(\v2\x1d.grpc.channelz.v1.ChannelDataR\x04data\x12=\n" +
-	"\vchannel_ref\x18\x03 \x03(\v2\x1c.grpc.channelz.v1.ChannelRefR\n" +
-	"channelRef\x12F\n" +
-	"\x0esubchannel_ref\x18\x04 \x03(\v2\x1f.grpc.channelz.v1.SubchannelRefR\rsubchannelRef\x12:\n" +
-	"\n" +
-	"socket_ref\x18\x05 \x03(\v2\x1b.grpc.channelz.v1.SocketRefR\tsocketRef\"\xb5\x02\n" +
-	"\n" +
-	"Subchannel\x121\n" +
-	"\x03ref\x18\x01 \x01(\v2\x1f.grpc.channelz.v1.SubchannelRefR\x03ref\x121\n" +
-	"\x04data\x18\x02 \x01(\v2\x1d.grpc.channelz.v1.ChannelDataR\x04data\x12=\n" +
-	"\vchannel_ref\x18\x03 \x03(\v2\x1c.grpc.channelz.v1.ChannelRefR\n" +
-	"channelRef\x12F\n" +
-	"\x0esubchannel_ref\x18\x04 \x03(\v2\x1f.grpc.channelz.v1.SubchannelRefR\rsubchannelRef\x12:\n" +
-	"\n" +
-	"socket_ref\x18\x05 \x03(\v2\x1b.grpc.channelz.v1.SocketRefR\tsocketRef\"\xc2\x01\n" +
-	"\x18ChannelConnectivityState\x12F\n" +
-	"\x05state\x18\x01 \x01(\x0e20.grpc.channelz.v1.ChannelConnectivityState.StateR\x05state\"^\n" +
-	"\x05State\x12\v\n" +
-	"\aUNKNOWN\x10\x00\x12\b\n" +
-	"\x04IDLE\x10\x01\x12\x0e\n" +
-	"\n" +
-	"CONNECTING\x10\x02\x12\t\n" +
-	"\x05READY\x10\x03\x12\x15\n" +
-	"\x11TRANSIENT_FAILURE\x10\x04\x12\f\n" +
-	"\bSHUTDOWN\x10\x05\"\xe9\x02\n" +
-	"\vChannelData\x12@\n" +
-	"\x05state\x18\x01 \x01(\v2*.grpc.channelz.v1.ChannelConnectivityStateR\x05state\x12\x16\n" +
-	"\x06target\x18\x02 \x01(\tR\x06target\x124\n" +
-	"\x05trace\x18\x03 \x01(\v2\x1e.grpc.channelz.v1.ChannelTraceR\x05trace\x12#\n" +
-	"\rcalls_started\x18\x04 \x01(\x03R\fcallsStarted\x12'\n" +
-	"\x0fcalls_succeeded\x18\x05 \x01(\x03R\x0ecallsSucceeded\x12!\n" +
-	"\fcalls_failed\x18\x06 \x01(\x03R\vcallsFailed\x12Y\n" +
-	"\x1blast_call_started_timestamp\x18\a \x01(\v2\x1a.google.protobuf.TimestampR\x18lastCallStartedTimestamp\"\x98\x03\n" +
-	"\x11ChannelTraceEvent\x12 \n" +
-	"\vdescription\x18\x01 \x01(\tR\vdescription\x12H\n" +
-	"\bseverity\x18\x02 \x01(\x0e2,.grpc.channelz.v1.ChannelTraceEvent.SeverityR\bseverity\x128\n" +
-	"\ttimestamp\x18\x03 \x01(\v2\x1a.google.protobuf.TimestampR\ttimestamp\x12?\n" +
-	"\vchannel_ref\x18\x04 \x01(\v2\x1c.grpc.channelz.v1.ChannelRefH\x00R\n" +
-	"channelRef\x12H\n" +
-	"\x0esubchannel_ref\x18\x05 \x01(\v2\x1f.grpc.channelz.v1.SubchannelRefH\x00R\rsubchannelRef\"E\n" +
-	"\bSeverity\x12\x0e\n" +
-	"\n" +
-	"CT_UNKNOWN\x10\x00\x12\v\n" +
-	"\aCT_INFO\x10\x01\x12\x0e\n" +
-	"\n" +
-	"CT_WARNING\x10\x02\x12\f\n" +
-	"\bCT_ERROR\x10\x03B\v\n" +
-	"\tchild_ref\"\xc2\x01\n" +
-	"\fChannelTrace\x12*\n" +
-	"\x11num_events_logged\x18\x01 \x01(\x03R\x0fnumEventsLogged\x12I\n" +
-	"\x12creation_timestamp\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\x11creationTimestamp\x12;\n" +
-	"\x06events\x18\x03 \x03(\v2#.grpc.channelz.v1.ChannelTraceEventR\x06events\"c\n" +
-	"\n" +
-	"ChannelRef\x12\x1d\n" +
-	"\n" +
-	"channel_id\x18\x01 \x01(\x03R\tchannelId\x12\x12\n" +
-	"\x04name\x18\x02 \x01(\tR\x04nameJ\x04\b\x03\x10\x04J\x04\b\x04\x10\x05J\x04\b\x05\x10\x06J\x04\b\x06\x10\aJ\x04\b\a\x10\bJ\x04\b\b\x10\t\"l\n" +
-	"\rSubchannelRef\x12#\n" +
-	"\rsubchannel_id\x18\a \x01(\x03R\fsubchannelId\x12\x12\n" +
-	"\x04name\x18\b \x01(\tR\x04nameJ\x04\b\x01\x10\x02J\x04\b\x02\x10\x03J\x04\b\x03\x10\x04J\x04\b\x04\x10\x05J\x04\b\x05\x10\x06J\x04\b\x06\x10\a\"`\n" +
-	"\tSocketRef\x12\x1b\n" +
-	"\tsocket_id\x18\x03 \x01(\x03R\bsocketId\x12\x12\n" +
-	"\x04name\x18\x04 \x01(\tR\x04nameJ\x04\b\x01\x10\x02J\x04\b\x02\x10\x03J\x04\b\x05\x10\x06J\x04\b\x06\x10\aJ\x04\b\a\x10\bJ\x04\b\b\x10\t\"`\n" +
-	"\tServerRef\x12\x1b\n" +
-	"\tserver_id\x18\x05 \x01(\x03R\bserverId\x12\x12\n" +
-	"\x04name\x18\x06 \x01(\tR\x04nameJ\x04\b\x01\x10\x02J\x04\b\x02\x10\x03J\x04\b\x03\x10\x04J\x04\b\x04\x10\x05J\x04\b\a\x10\bJ\x04\b\b\x10\t\"\xab\x01\n" +
-	"\x06Server\x12-\n" +
-	"\x03ref\x18\x01 \x01(\v2\x1b.grpc.channelz.v1.ServerRefR\x03ref\x120\n" +
-	"\x04data\x18\x02 \x01(\v2\x1c.grpc.channelz.v1.ServerDataR\x04data\x12@\n" +
-	"\rlisten_socket\x18\x03 \x03(\v2\x1b.grpc.channelz.v1.SocketRefR\flistenSocket\"\x8e\x02\n" +
-	"\n" +
-	"ServerData\x124\n" +
-	"\x05trace\x18\x01 \x01(\v2\x1e.grpc.channelz.v1.ChannelTraceR\x05trace\x12#\n" +
-	"\rcalls_started\x18\x02 \x01(\x03R\fcallsStarted\x12'\n" +
-	"\x0fcalls_succeeded\x18\x03 \x01(\x03R\x0ecallsSucceeded\x12!\n" +
-	"\fcalls_failed\x18\x04 \x01(\x03R\vcallsFailed\x12Y\n" +
-	"\x1blast_call_started_timestamp\x18\x05 \x01(\v2\x1a.google.protobuf.TimestampR\x18lastCallStartedTimestamp\"\xa6\x02\n" +
-	"\x06Socket\x12-\n" +
-	"\x03ref\x18\x01 \x01(\v2\x1b.grpc.channelz.v1.SocketRefR\x03ref\x120\n" +
-	"\x04data\x18\x02 \x01(\v2\x1c.grpc.channelz.v1.SocketDataR\x04data\x12/\n" +
-	"\x05local\x18\x03 \x01(\v2\x19.grpc.channelz.v1.AddressR\x05local\x121\n" +
-	"\x06remote\x18\x04 \x01(\v2\x19.grpc.channelz.v1.AddressR\x06remote\x126\n" +
-	"\bsecurity\x18\x05 \x01(\v2\x1a.grpc.channelz.v1.SecurityR\bsecurity\x12\x1f\n" +
-	"\vremote_name\x18\x06 \x01(\tR\n" +
-	"remoteName\"\x83\a\n" +
-	"\n" +
-	"SocketData\x12'\n" +
-	"\x0fstreams_started\x18\x01 \x01(\x03R\x0estreamsStarted\x12+\n" +
-	"\x11streams_succeeded\x18\x02 \x01(\x03R\x10streamsSucceeded\x12%\n" +
-	"\x0estreams_failed\x18\x03 \x01(\x03R\rstreamsFailed\x12#\n" +
-	"\rmessages_sent\x18\x04 \x01(\x03R\fmessagesSent\x12+\n" +
-	"\x11messages_received\x18\x05 \x01(\x03R\x10messagesReceived\x12(\n" +
-	"\x10keep_alives_sent\x18\x06 \x01(\x03R\x0ekeepAlivesSent\x12h\n" +
-	"#last_local_stream_created_timestamp\x18\a \x01(\v2\x1a.google.protobuf.TimestampR\x1flastLocalStreamCreatedTimestamp\x12j\n" +
-	"$last_remote_stream_created_timestamp\x18\b \x01(\v2\x1a.google.protobuf.TimestampR lastRemoteStreamCreatedTimestamp\x12Y\n" +
-	"\x1blast_message_sent_timestamp\x18\t \x01(\v2\x1a.google.protobuf.TimestampR\x18lastMessageSentTimestamp\x12a\n" +
-	"\x1flast_message_received_timestamp\x18\n" +
-	" \x01(\v2\x1a.google.protobuf.TimestampR\x1clastMessageReceivedTimestamp\x12V\n" +
-	"\x19local_flow_control_window\x18\v \x01(\v2\x1b.google.protobuf.Int64ValueR\x16localFlowControlWindow\x12X\n" +
-	"\x1aremote_flow_control_window\x18\f \x01(\v2\x1b.google.protobuf.Int64ValueR\x17remoteFlowControlWindow\x126\n" +
-	"\x06option\x18\r \x03(\v2\x1e.grpc.channelz.v1.SocketOptionR\x06option\"\xb8\x03\n" +
-	"\aAddress\x12M\n" +
-	"\rtcpip_address\x18\x01 \x01(\v2&.grpc.channelz.v1.Address.TcpIpAddressH\x00R\ftcpipAddress\x12G\n" +
-	"\vuds_address\x18\x02 \x01(\v2$.grpc.channelz.v1.Address.UdsAddressH\x00R\n" +
-	"udsAddress\x12M\n" +
-	"\rother_address\x18\x03 \x01(\v2&.grpc.channelz.v1.Address.OtherAddressH\x00R\fotherAddress\x1aA\n" +
-	"\fTcpIpAddress\x12\x1d\n" +
-	"\n" +
-	"ip_address\x18\x01 \x01(\fR\tipAddress\x12\x12\n" +
-	"\x04port\x18\x02 \x01(\x05R\x04port\x1a(\n" +
-	"\n" +
-	"UdsAddress\x12\x1a\n" +
-	"\bfilename\x18\x01 \x01(\tR\bfilename\x1aN\n" +
-	"\fOtherAddress\x12\x12\n" +
-	"\x04name\x18\x01 \x01(\tR\x04name\x12*\n" +
-	"\x05value\x18\x02 \x01(\v2\x14.google.protobuf.AnyR\x05valueB\t\n" +
-	"\aaddress\"\x96\x03\n" +
-	"\bSecurity\x122\n" +
-	"\x03tls\x18\x01 \x01(\v2\x1e.grpc.channelz.v1.Security.TlsH\x00R\x03tls\x12@\n" +
-	"\x05other\x18\x02 \x01(\v2(.grpc.channelz.v1.Security.OtherSecurityH\x00R\x05other\x1a\xb9\x01\n" +
-	"\x03Tls\x12%\n" +
-	"\rstandard_name\x18\x01 \x01(\tH\x00R\fstandardName\x12\x1f\n" +
-	"\n" +
-	"other_name\x18\x02 \x01(\tH\x00R\totherName\x12+\n" +
-	"\x11local_certificate\x18\x03 \x01(\fR\x10localCertificate\x12-\n" +
-	"\x12remote_certificate\x18\x04 \x01(\fR\x11remoteCertificateB\x0e\n" +
-	"\fcipher_suite\x1aO\n" +
-	"\rOtherSecurity\x12\x12\n" +
-	"\x04name\x18\x01 \x01(\tR\x04name\x12*\n" +
-	"\x05value\x18\x02 \x01(\v2\x14.google.protobuf.AnyR\x05valueB\a\n" +
-	"\x05model\"n\n" +
-	"\fSocketOption\x12\x12\n" +
-	"\x04name\x18\x01 \x01(\tR\x04name\x12\x14\n" +
-	"\x05value\x18\x02 \x01(\tR\x05value\x124\n" +
-	"\n" +
-	"additional\x18\x03 \x01(\v2\x14.google.protobuf.AnyR\n" +
-	"additional\"L\n" +
-	"\x13SocketOptionTimeout\x125\n" +
-	"\bduration\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\bduration\"c\n" +
-	"\x12SocketOptionLinger\x12\x16\n" +
-	"\x06active\x18\x01 \x01(\bR\x06active\x125\n" +
-	"\bduration\x18\x02 \x01(\v2\x19.google.protobuf.DurationR\bduration\"\xb2\b\n" +
-	"\x13SocketOptionTcpInfo\x12\x1d\n" +
-	"\n" +
-	"tcpi_state\x18\x01 \x01(\rR\ttcpiState\x12\"\n" +
-	"\rtcpi_ca_state\x18\x02 \x01(\rR\vtcpiCaState\x12)\n" +
-	"\x10tcpi_retransmits\x18\x03 \x01(\rR\x0ftcpiRetransmits\x12\x1f\n" +
-	"\vtcpi_probes\x18\x04 \x01(\rR\n" +
-	"tcpiProbes\x12!\n" +
-	"\ftcpi_backoff\x18\x05 \x01(\rR\vtcpiBackoff\x12!\n" +
-	"\ftcpi_options\x18\x06 \x01(\rR\vtcpiOptions\x12&\n" +
-	"\x0ftcpi_snd_wscale\x18\a \x01(\rR\rtcpiSndWscale\x12&\n" +
-	"\x0ftcpi_rcv_wscale\x18\b \x01(\rR\rtcpiRcvWscale\x12\x19\n" +
-	"\btcpi_rto\x18\t \x01(\rR\atcpiRto\x12\x19\n" +
-	"\btcpi_ato\x18\n" +
-	" \x01(\rR\atcpiAto\x12 \n" +
-	"\ftcpi_snd_mss\x18\v \x01(\rR\n" +
-	"tcpiSndMss\x12 \n" +
-	"\ftcpi_rcv_mss\x18\f \x01(\rR\n" +
-	"tcpiRcvMss\x12!\n" +
-	"\ftcpi_unacked\x18\r \x01(\rR\vtcpiUnacked\x12\x1f\n" +
-	"\vtcpi_sacked\x18\x0e \x01(\rR\n" +
-	"tcpiSacked\x12\x1b\n" +
-	"\ttcpi_lost\x18\x0f \x01(\rR\btcpiLost\x12!\n" +
-	"\ftcpi_retrans\x18\x10 \x01(\rR\vtcpiRetrans\x12!\n" +
-	"\ftcpi_fackets\x18\x11 \x01(\rR\vtcpiFackets\x12-\n" +
-	"\x13tcpi_last_data_sent\x18\x12 \x01(\rR\x10tcpiLastDataSent\x12+\n" +
-	"\x12tcpi_last_ack_sent\x18\x13 \x01(\rR\x0ftcpiLastAckSent\x12-\n" +
-	"\x13tcpi_last_data_recv\x18\x14 \x01(\rR\x10tcpiLastDataRecv\x12+\n" +
-	"\x12tcpi_last_ack_recv\x18\x15 \x01(\rR\x0ftcpiLastAckRecv\x12\x1b\n" +
-	"\ttcpi_pmtu\x18\x16 \x01(\rR\btcpiPmtu\x12*\n" +
-	"\x11tcpi_rcv_ssthresh\x18\x17 \x01(\rR\x0ftcpiRcvSsthresh\x12\x19\n" +
-	"\btcpi_rtt\x18\x18 \x01(\rR\atcpiRtt\x12\x1f\n" +
-	"\vtcpi_rttvar\x18\x19 \x01(\rR\n" +
-	"tcpiRttvar\x12*\n" +
-	"\x11tcpi_snd_ssthresh\x18\x1a \x01(\rR\x0ftcpiSndSsthresh\x12\"\n" +
-	"\rtcpi_snd_cwnd\x18\x1b \x01(\rR\vtcpiSndCwnd\x12\x1f\n" +
-	"\vtcpi_advmss\x18\x1c \x01(\rR\n" +
-	"tcpiAdvmss\x12'\n" +
-	"\x0ftcpi_reordering\x18\x1d \x01(\rR\x0etcpiReordering\"b\n" +
-	"\x15GetTopChannelsRequest\x12(\n" +
-	"\x10start_channel_id\x18\x01 \x01(\x03R\x0estartChannelId\x12\x1f\n" +
-	"\vmax_results\x18\x02 \x01(\x03R\n" +
-	"maxResults\"_\n" +
-	"\x16GetTopChannelsResponse\x123\n" +
-	"\achannel\x18\x01 \x03(\v2\x19.grpc.channelz.v1.ChannelR\achannel\x12\x10\n" +
-	"\x03end\x18\x02 \x01(\bR\x03end\"\\\n" +
-	"\x11GetServersRequest\x12&\n" +
-	"\x0fstart_server_id\x18\x01 \x01(\x03R\rstartServerId\x12\x1f\n" +
-	"\vmax_results\x18\x02 \x01(\x03R\n" +
-	"maxResults\"X\n" +
-	"\x12GetServersResponse\x120\n" +
-	"\x06server\x18\x01 \x03(\v2\x18.grpc.channelz.v1.ServerR\x06server\x12\x10\n" +
-	"\x03end\x18\x02 \x01(\bR\x03end\"/\n" +
-	"\x10GetServerRequest\x12\x1b\n" +
-	"\tserver_id\x18\x01 \x01(\x03R\bserverId\"E\n" +
-	"\x11GetServerResponse\x120\n" +
-	"\x06server\x18\x01 \x01(\v2\x18.grpc.channelz.v1.ServerR\x06server\"\x7f\n" +
-	"\x17GetServerSocketsRequest\x12\x1b\n" +
-	"\tserver_id\x18\x01 \x01(\x03R\bserverId\x12&\n" +
-	"\x0fstart_socket_id\x18\x02 \x01(\x03R\rstartSocketId\x12\x1f\n" +
-	"\vmax_results\x18\x03 \x01(\x03R\n" +
-	"maxResults\"h\n" +
-	"\x18GetServerSocketsResponse\x12:\n" +
-	"\n" +
-	"socket_ref\x18\x01 \x03(\v2\x1b.grpc.channelz.v1.SocketRefR\tsocketRef\x12\x10\n" +
-	"\x03end\x18\x02 \x01(\bR\x03end\"2\n" +
-	"\x11GetChannelRequest\x12\x1d\n" +
-	"\n" +
-	"channel_id\x18\x01 \x01(\x03R\tchannelId\"I\n" +
-	"\x12GetChannelResponse\x123\n" +
-	"\achannel\x18\x01 \x01(\v2\x19.grpc.channelz.v1.ChannelR\achannel\";\n" +
-	"\x14GetSubchannelRequest\x12#\n" +
-	"\rsubchannel_id\x18\x01 \x01(\x03R\fsubchannelId\"U\n" +
-	"\x15GetSubchannelResponse\x12<\n" +
-	"\n" +
-	"subchannel\x18\x01 \x01(\v2\x1c.grpc.channelz.v1.SubchannelR\n" +
-	"subchannel\"I\n" +
-	"\x10GetSocketRequest\x12\x1b\n" +
-	"\tsocket_id\x18\x01 \x01(\x03R\bsocketId\x12\x18\n" +
-	"\asummary\x18\x02 \x01(\bR\asummary\"E\n" +
-	"\x11GetSocketResponse\x120\n" +
-	"\x06socket\x18\x01 \x01(\v2\x18.grpc.channelz.v1.SocketR\x06socket2\x9a\x05\n" +
-	"\bChannelz\x12c\n" +
-	"\x0eGetTopChannels\x12'.grpc.channelz.v1.GetTopChannelsRequest\x1a(.grpc.channelz.v1.GetTopChannelsResponse\x12W\n" +
-	"\n" +
-	"GetServers\x12#.grpc.channelz.v1.GetServersRequest\x1a$.grpc.channelz.v1.GetServersResponse\x12T\n" +
-	"\tGetServer\x12\".grpc.channelz.v1.GetServerRequest\x1a#.grpc.channelz.v1.GetServerResponse\x12i\n" +
-	"\x10GetServerSockets\x12).grpc.channelz.v1.GetServerSocketsRequest\x1a*.grpc.channelz.v1.GetServerSocketsResponse\x12W\n" +
-	"\n" +
-	"GetChannel\x12#.grpc.channelz.v1.GetChannelRequest\x1a$.grpc.channelz.v1.GetChannelResponse\x12`\n" +
-	"\rGetSubchannel\x12&.grpc.channelz.v1.GetSubchannelRequest\x1a'.grpc.channelz.v1.GetSubchannelResponse\x12T\n" +
-	"\tGetSocket\x12\".grpc.channelz.v1.GetSocketRequest\x1a#.grpc.channelz.v1.GetSocketResponseBX\n" +
-	"\x13io.grpc.channelz.v1B\rChannelzProtoP\x01Z0google.golang.org/grpc/channelz/grpc_channelz_v1b\x06proto3"
+var file_grpc_channelz_v1_channelz_proto_rawDesc = string([]byte{
+	0x0a, 0x1f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2f,
+	0x76, 0x31, 0x2f, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x10, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a,
+	0x2e, 0x76, 0x31, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e,
+	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f,
+	0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f,
+	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f,
+	0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a,
+	0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
+	0xaf, 0x02, 0x0a, 0x07, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x12, 0x2e, 0x0a, 0x03, 0x72,
+	0x65, 0x66, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x52, 0x03, 0x72, 0x65, 0x66, 0x12, 0x31, 0x0a, 0x04, 0x64,
+	0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68, 0x61,
+	0x6e, 0x6e, 0x65, 0x6c, 0x44, 0x61, 0x74, 0x61, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3d,
+	0x0a, 0x0b, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x5f, 0x72, 0x65, 0x66, 0x18, 0x03, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e,
+	0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65,
+	0x66, 0x52, 0x0a, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x12, 0x46, 0x0a,
+	0x0e, 0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x5f, 0x72, 0x65, 0x66, 0x18,
+	0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61,
+	0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x52, 0x0d, 0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e,
+	0x65, 0x6c, 0x52, 0x65, 0x66, 0x12, 0x3a, 0x0a, 0x0a, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x5f,
+	0x72, 0x65, 0x66, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x6f, 0x63,
+	0x6b, 0x65, 0x74, 0x52, 0x65, 0x66, 0x52, 0x09, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65,
+	0x66, 0x22, 0xb5, 0x02, 0x0a, 0x0a, 0x53, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x12, 0x31, 0x0a, 0x03, 0x72, 0x65, 0x66, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31,
+	0x2e, 0x53, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x52, 0x03,
+	0x72, 0x65, 0x66, 0x12, 0x31, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x1d, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x44, 0x61, 0x74, 0x61,
+	0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3d, 0x0a, 0x0b, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65,
+	0x6c, 0x5f, 0x72, 0x65, 0x66, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x72,
+	0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43,
+	0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x52, 0x0a, 0x63, 0x68, 0x61, 0x6e, 0x6e,
+	0x65, 0x6c, 0x52, 0x65, 0x66, 0x12, 0x46, 0x0a, 0x0e, 0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x5f, 0x72, 0x65, 0x66, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31,
+	0x2e, 0x53, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x52, 0x0d,
+	0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x12, 0x3a, 0x0a,
+	0x0a, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x72, 0x65, 0x66, 0x18, 0x05, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x66, 0x52, 0x09,
+	0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x66, 0x22, 0xc2, 0x01, 0x0a, 0x18, 0x43, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74,
+	0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x46, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x30, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61,
+	0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x76, 0x69, 0x74, 0x79, 0x53, 0x74, 0x61, 0x74,
+	0x65, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x5e,
+	0x0a, 0x05, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f,
+	0x57, 0x4e, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x49, 0x44, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x0e,
+	0x0a, 0x0a, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, 0x54, 0x49, 0x4e, 0x47, 0x10, 0x02, 0x12, 0x09,
+	0x0a, 0x05, 0x52, 0x45, 0x41, 0x44, 0x59, 0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, 0x54, 0x52, 0x41,
+	0x4e, 0x53, 0x49, 0x45, 0x4e, 0x54, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x55, 0x52, 0x45, 0x10, 0x04,
+	0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x55, 0x54, 0x44, 0x4f, 0x57, 0x4e, 0x10, 0x05, 0x22, 0xe9,
+	0x02, 0x0a, 0x0b, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x44, 0x61, 0x74, 0x61, 0x12, 0x40,
+	0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31,
+	0x2e, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
+	0x76, 0x69, 0x74, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65,
+	0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x12, 0x34, 0x0a, 0x05, 0x74, 0x72, 0x61, 0x63,
+	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63,
+	0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68, 0x61, 0x6e, 0x6e,
+	0x65, 0x6c, 0x54, 0x72, 0x61, 0x63, 0x65, 0x52, 0x05, 0x74, 0x72, 0x61, 0x63, 0x65, 0x12, 0x23,
+	0x0a, 0x0d, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x53, 0x74, 0x61, 0x72,
+	0x74, 0x65, 0x64, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x73, 0x75, 0x63,
+	0x63, 0x65, 0x65, 0x64, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x63, 0x61,
+	0x6c, 0x6c, 0x73, 0x53, 0x75, 0x63, 0x63, 0x65, 0x65, 0x64, 0x65, 0x64, 0x12, 0x21, 0x0a, 0x0c,
+	0x63, 0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x18, 0x06, 0x20, 0x01,
+	0x28, 0x03, 0x52, 0x0b, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x12,
+	0x59, 0x0a, 0x1b, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x63, 0x61, 0x6c, 0x6c, 0x5f, 0x73, 0x74, 0x61,
+	0x72, 0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x07,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
+	0x52, 0x18, 0x6c, 0x61, 0x73, 0x74, 0x43, 0x61, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x72, 0x74, 0x65,
+	0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0x98, 0x03, 0x0a, 0x11, 0x43,
+	0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x54, 0x72, 0x61, 0x63, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74,
+	0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69,
+	0x6f, 0x6e, 0x12, 0x48, 0x0a, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x0e, 0x32, 0x2c, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x54,
+	0x72, 0x61, 0x63, 0x65, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69,
+	0x74, 0x79, 0x52, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, 0x38, 0x0a, 0x09,
+	0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
+	0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x74, 0x69, 0x6d,
+	0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x3f, 0x0a, 0x0b, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65,
+	0x6c, 0x5f, 0x72, 0x65, 0x66, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x72,
+	0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43,
+	0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x48, 0x00, 0x52, 0x0a, 0x63, 0x68, 0x61,
+	0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x12, 0x48, 0x0a, 0x0e, 0x73, 0x75, 0x62, 0x63, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x5f, 0x72, 0x65, 0x66, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x1f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e,
+	0x76, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66,
+	0x48, 0x00, 0x52, 0x0d, 0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65,
+	0x66, 0x22, 0x45, 0x0a, 0x08, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, 0x0e, 0x0a,
+	0x0a, 0x43, 0x54, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0b, 0x0a,
+	0x07, 0x43, 0x54, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x10, 0x01, 0x12, 0x0e, 0x0a, 0x0a, 0x43, 0x54,
+	0x5f, 0x57, 0x41, 0x52, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x43, 0x54,
+	0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x42, 0x0b, 0x0a, 0x09, 0x63, 0x68, 0x69, 0x6c,
+	0x64, 0x5f, 0x72, 0x65, 0x66, 0x22, 0xc2, 0x01, 0x0a, 0x0c, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65,
+	0x6c, 0x54, 0x72, 0x61, 0x63, 0x65, 0x12, 0x2a, 0x0a, 0x11, 0x6e, 0x75, 0x6d, 0x5f, 0x65, 0x76,
+	0x65, 0x6e, 0x74, 0x73, 0x5f, 0x6c, 0x6f, 0x67, 0x67, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x03, 0x52, 0x0f, 0x6e, 0x75, 0x6d, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x4c, 0x6f, 0x67, 0x67,
+	0x65, 0x64, 0x12, 0x49, 0x0a, 0x12, 0x63, 0x72, 0x65, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74,
+	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
+	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x11, 0x63, 0x72, 0x65, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x3b, 0x0a,
+	0x06, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31,
+	0x2e, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x54, 0x72, 0x61, 0x63, 0x65, 0x45, 0x76, 0x65,
+	0x6e, 0x74, 0x52, 0x06, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x63, 0x0a, 0x0a, 0x43, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x63, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x4a, 0x04, 0x08, 0x03, 0x10,
+	0x04, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08,
+	0x06, 0x10, 0x07, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x22,
+	0x6c, 0x0a, 0x0d, 0x53, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x66,
+	0x12, 0x23, 0x0a, 0x0d, 0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x5f, 0x69,
+	0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a,
+	0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x04, 0x10,
+	0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x22, 0x60, 0x0a,
+	0x09, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x66, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x6f,
+	0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x73,
+	0x6f, 0x63, 0x6b, 0x65, 0x74, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x4a, 0x04, 0x08, 0x01, 0x10,
+	0x02, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08,
+	0x06, 0x10, 0x07, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x22,
+	0x60, 0x0a, 0x09, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x66, 0x12, 0x1b, 0x0a, 0x09,
+	0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52,
+	0x08, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d,
+	0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x4a, 0x04, 0x08,
+	0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a,
+	0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10,
+	0x09, 0x22, 0xab, 0x01, 0x0a, 0x06, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x2d, 0x0a, 0x03,
+	0x72, 0x65, 0x66, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x72,
+	0x76, 0x65, 0x72, 0x52, 0x65, 0x66, 0x52, 0x03, 0x72, 0x65, 0x66, 0x12, 0x30, 0x0a, 0x04, 0x64,
+	0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x72,
+	0x76, 0x65, 0x72, 0x44, 0x61, 0x74, 0x61, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x12, 0x40, 0x0a,
+	0x0d, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x5f, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x18, 0x03,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65,
+	0x66, 0x52, 0x0c, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x22,
+	0x8e, 0x02, 0x0a, 0x0a, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x44, 0x61, 0x74, 0x61, 0x12, 0x34,
+	0x0a, 0x05, 0x74, 0x72, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31,
+	0x2e, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x54, 0x72, 0x61, 0x63, 0x65, 0x52, 0x05, 0x74,
+	0x72, 0x61, 0x63, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x73, 0x74,
+	0x61, 0x72, 0x74, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x63, 0x61, 0x6c,
+	0x6c, 0x73, 0x53, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x61, 0x6c,
+	0x6c, 0x73, 0x5f, 0x73, 0x75, 0x63, 0x63, 0x65, 0x65, 0x64, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x03, 0x52, 0x0e, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x53, 0x75, 0x63, 0x63, 0x65, 0x65, 0x64,
+	0x65, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x5f, 0x66, 0x61, 0x69, 0x6c,
+	0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x63, 0x61, 0x6c, 0x6c, 0x73, 0x46,
+	0x61, 0x69, 0x6c, 0x65, 0x64, 0x12, 0x59, 0x0a, 0x1b, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x63, 0x61,
+	0x6c, 0x6c, 0x5f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73,
+	0x74, 0x61, 0x6d, 0x70, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d,
+	0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x18, 0x6c, 0x61, 0x73, 0x74, 0x43, 0x61, 0x6c, 0x6c,
+	0x53, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
+	0x22, 0xa6, 0x02, 0x0a, 0x06, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x2d, 0x0a, 0x03, 0x72,
+	0x65, 0x66, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x6f, 0x63, 0x6b,
+	0x65, 0x74, 0x52, 0x65, 0x66, 0x52, 0x03, 0x72, 0x65, 0x66, 0x12, 0x30, 0x0a, 0x04, 0x64, 0x61,
+	0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x6f, 0x63, 0x6b,
+	0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x12, 0x2f, 0x0a, 0x05,
+	0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x72,
+	0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x41,
+	0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x12, 0x31, 0x0a,
+	0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31,
+	0x2e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x52, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65,
+	0x12, 0x36, 0x0a, 0x08, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x18, 0x05, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65,
+	0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x52, 0x08,
+	0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f,
+	0x74, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72,
+	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x83, 0x07, 0x0a, 0x0a, 0x53, 0x6f,
+	0x63, 0x6b, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x12, 0x27, 0x0a, 0x0f, 0x73, 0x74, 0x72, 0x65,
+	0x61, 0x6d, 0x73, 0x5f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x03, 0x52, 0x0e, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x73, 0x53, 0x74, 0x61, 0x72, 0x74, 0x65,
+	0x64, 0x12, 0x2b, 0x0a, 0x11, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x73, 0x5f, 0x73, 0x75, 0x63,
+	0x63, 0x65, 0x65, 0x64, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x10, 0x73, 0x74,
+	0x72, 0x65, 0x61, 0x6d, 0x73, 0x53, 0x75, 0x63, 0x63, 0x65, 0x65, 0x64, 0x65, 0x64, 0x12, 0x25,
+	0x0a, 0x0e, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x73, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x65, 0x64,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x73, 0x46,
+	0x61, 0x69, 0x6c, 0x65, 0x64, 0x12, 0x23, 0x0a, 0x0d, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+	0x73, 0x5f, 0x73, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x6d, 0x65,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x53, 0x65, 0x6e, 0x74, 0x12, 0x2b, 0x0a, 0x11, 0x6d, 0x65,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x5f, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x64, 0x18,
+	0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x10, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x52,
+	0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x64, 0x12, 0x28, 0x0a, 0x10, 0x6b, 0x65, 0x65, 0x70, 0x5f,
+	0x61, 0x6c, 0x69, 0x76, 0x65, 0x73, 0x5f, 0x73, 0x65, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28,
+	0x03, 0x52, 0x0e, 0x6b, 0x65, 0x65, 0x70, 0x41, 0x6c, 0x69, 0x76, 0x65, 0x73, 0x53, 0x65, 0x6e,
+	0x74, 0x12, 0x68, 0x0a, 0x23, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f,
+	0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x5f, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x74,
+	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
+	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x1f, 0x6c, 0x61, 0x73, 0x74,
+	0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x43, 0x72, 0x65, 0x61, 0x74,
+	0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x6a, 0x0a, 0x24, 0x6c,
+	0x61, 0x73, 0x74, 0x5f, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x73, 0x74, 0x72, 0x65, 0x61,
+	0x6d, 0x5f, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74,
+	0x61, 0x6d, 0x70, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65,
+	0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x20, 0x6c, 0x61, 0x73, 0x74, 0x52, 0x65, 0x6d, 0x6f, 0x74,
+	0x65, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69,
+	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x59, 0x0a, 0x1b, 0x6c, 0x61, 0x73, 0x74, 0x5f,
+	0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x73, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x69, 0x6d,
+	0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54,
+	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x18, 0x6c, 0x61, 0x73, 0x74, 0x4d, 0x65,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x65, 0x6e, 0x74, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
+	0x6d, 0x70, 0x12, 0x61, 0x0a, 0x1f, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61,
+	0x67, 0x65, 0x5f, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65,
+	0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
+	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x1c, 0x6c, 0x61, 0x73, 0x74, 0x4d, 0x65, 0x73,
+	0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65,
+	0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x56, 0x0a, 0x19, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x66,
+	0x6c, 0x6f, 0x77, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x77, 0x69, 0x6e, 0x64,
+	0x6f, 0x77, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x36, 0x34,
+	0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x16, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x46, 0x6c, 0x6f, 0x77,
+	0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x12, 0x58, 0x0a,
+	0x1a, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x66, 0x6c, 0x6f, 0x77, 0x5f, 0x63, 0x6f, 0x6e,
+	0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x77, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x18, 0x0c, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x36, 0x34, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x17,
+	0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x46, 0x6c, 0x6f, 0x77, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f,
+	0x6c, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x12, 0x36, 0x0a, 0x06, 0x6f, 0x70, 0x74, 0x69, 0x6f,
+	0x6e, 0x18, 0x0d, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63,
+	0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x6f, 0x63, 0x6b, 0x65,
+	0x74, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22,
+	0xb8, 0x03, 0x0a, 0x07, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x4d, 0x0a, 0x0d, 0x74,
+	0x63, 0x70, 0x69, 0x70, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x26, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65,
+	0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x54, 0x63,
+	0x70, 0x49, 0x70, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x48, 0x00, 0x52, 0x0c, 0x74, 0x63,
+	0x70, 0x69, 0x70, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x47, 0x0a, 0x0b, 0x75, 0x64,
+	0x73, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x24, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e,
+	0x76, 0x31, 0x2e, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x55, 0x64, 0x73, 0x41, 0x64,
+	0x64, 0x72, 0x65, 0x73, 0x73, 0x48, 0x00, 0x52, 0x0a, 0x75, 0x64, 0x73, 0x41, 0x64, 0x64, 0x72,
+	0x65, 0x73, 0x73, 0x12, 0x4d, 0x0a, 0x0d, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x5f, 0x61, 0x64, 0x64,
+	0x72, 0x65, 0x73, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x67, 0x72, 0x70,
+	0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x64,
+	0x64, 0x72, 0x65, 0x73, 0x73, 0x2e, 0x4f, 0x74, 0x68, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x65,
+	0x73, 0x73, 0x48, 0x00, 0x52, 0x0c, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x65,
+	0x73, 0x73, 0x1a, 0x41, 0x0a, 0x0c, 0x54, 0x63, 0x70, 0x49, 0x70, 0x41, 0x64, 0x64, 0x72, 0x65,
+	0x73, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x70, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x69, 0x70, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73,
+	0x73, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52,
+	0x04, 0x70, 0x6f, 0x72, 0x74, 0x1a, 0x28, 0x0a, 0x0a, 0x55, 0x64, 0x73, 0x41, 0x64, 0x64, 0x72,
+	0x65, 0x73, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x1a,
+	0x4e, 0x0a, 0x0c, 0x4f, 0x74, 0x68, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12,
+	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
+	0x61, 0x6d, 0x65, 0x12, 0x2a, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x42,
+	0x09, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0x96, 0x03, 0x0a, 0x08, 0x53,
+	0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x32, 0x0a, 0x03, 0x74, 0x6c, 0x73, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79,
+	0x2e, 0x54, 0x6c, 0x73, 0x48, 0x00, 0x52, 0x03, 0x74, 0x6c, 0x73, 0x12, 0x40, 0x0a, 0x05, 0x6f,
+	0x74, 0x68, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x67, 0x72, 0x70,
+	0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65,
+	0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x4f, 0x74, 0x68, 0x65, 0x72, 0x53, 0x65, 0x63, 0x75,
+	0x72, 0x69, 0x74, 0x79, 0x48, 0x00, 0x52, 0x05, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x1a, 0xb9, 0x01,
+	0x0a, 0x03, 0x54, 0x6c, 0x73, 0x12, 0x25, 0x0a, 0x0d, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72,
+	0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0c,
+	0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0a,
+	0x6f, 0x74, 0x68, 0x65, 0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x48, 0x00, 0x52, 0x09, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x2b, 0x0a,
+	0x11, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
+	0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x10, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x43,
+	0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x2d, 0x0a, 0x12, 0x72, 0x65,
+	0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x11, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x43, 0x65,
+	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x42, 0x0e, 0x0a, 0x0c, 0x63, 0x69, 0x70,
+	0x68, 0x65, 0x72, 0x5f, 0x73, 0x75, 0x69, 0x74, 0x65, 0x1a, 0x4f, 0x0a, 0x0d, 0x4f, 0x74, 0x68,
+	0x65, 0x72, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61,
+	0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2a,
+	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e,
+	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
+	0x41, 0x6e, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x07, 0x0a, 0x05, 0x6d, 0x6f,
+	0x64, 0x65, 0x6c, 0x22, 0x6e, 0x0a, 0x0c, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x4f, 0x70, 0x74,
+	0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x34, 0x0a,
+	0x0a, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x0a, 0x61, 0x64, 0x64, 0x69, 0x74, 0x69, 0x6f,
+	0x6e, 0x61, 0x6c, 0x22, 0x4c, 0x0a, 0x13, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x4f, 0x70, 0x74,
+	0x69, 0x6f, 0x6e, 0x54, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x12, 0x35, 0x0a, 0x08, 0x64, 0x75,
+	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44,
+	0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x22, 0x63, 0x0a, 0x12, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x4f, 0x70, 0x74, 0x69, 0x6f,
+	0x6e, 0x4c, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x76,
+	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x12,
+	0x35, 0x0a, 0x08, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x64, 0x75,
+	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xb2, 0x08, 0x0a, 0x13, 0x53, 0x6f, 0x63, 0x6b, 0x65,
+	0x74, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x63, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1d,
+	0x0a, 0x0a, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x0d, 0x52, 0x09, 0x74, 0x63, 0x70, 0x69, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x22, 0x0a,
+	0x0d, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x63, 0x61, 0x5f, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x43, 0x61, 0x53, 0x74, 0x61, 0x74,
+	0x65, 0x12, 0x29, 0x0a, 0x10, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x72, 0x65, 0x74, 0x72, 0x61, 0x6e,
+	0x73, 0x6d, 0x69, 0x74, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0f, 0x74, 0x63, 0x70,
+	0x69, 0x52, 0x65, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6d, 0x69, 0x74, 0x73, 0x12, 0x1f, 0x0a, 0x0b,
+	0x74, 0x63, 0x70, 0x69, 0x5f, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x0d, 0x52, 0x0a, 0x74, 0x63, 0x70, 0x69, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x73, 0x12, 0x21, 0x0a,
+	0x0c, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x62, 0x61, 0x63, 0x6b, 0x6f, 0x66, 0x66, 0x18, 0x05, 0x20,
+	0x01, 0x28, 0x0d, 0x52, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x42, 0x61, 0x63, 0x6b, 0x6f, 0x66, 0x66,
+	0x12, 0x21, 0x0a, 0x0c, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73,
+	0x18, 0x06, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x4f, 0x70, 0x74, 0x69,
+	0x6f, 0x6e, 0x73, 0x12, 0x26, 0x0a, 0x0f, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x73, 0x6e, 0x64, 0x5f,
+	0x77, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0d, 0x74, 0x63,
+	0x70, 0x69, 0x53, 0x6e, 0x64, 0x57, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x74,
+	0x63, 0x70, 0x69, 0x5f, 0x72, 0x63, 0x76, 0x5f, 0x77, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x18, 0x08,
+	0x20, 0x01, 0x28, 0x0d, 0x52, 0x0d, 0x74, 0x63, 0x70, 0x69, 0x52, 0x63, 0x76, 0x57, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x72, 0x74, 0x6f, 0x18,
+	0x09, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x74, 0x63, 0x70, 0x69, 0x52, 0x74, 0x6f, 0x12, 0x19,
+	0x0a, 0x08, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x61, 0x74, 0x6f, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0d,
+	0x52, 0x07, 0x74, 0x63, 0x70, 0x69, 0x41, 0x74, 0x6f, 0x12, 0x20, 0x0a, 0x0c, 0x74, 0x63, 0x70,
+	0x69, 0x5f, 0x73, 0x6e, 0x64, 0x5f, 0x6d, 0x73, 0x73, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0d, 0x52,
+	0x0a, 0x74, 0x63, 0x70, 0x69, 0x53, 0x6e, 0x64, 0x4d, 0x73, 0x73, 0x12, 0x20, 0x0a, 0x0c, 0x74,
+	0x63, 0x70, 0x69, 0x5f, 0x72, 0x63, 0x76, 0x5f, 0x6d, 0x73, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28,
+	0x0d, 0x52, 0x0a, 0x74, 0x63, 0x70, 0x69, 0x52, 0x63, 0x76, 0x4d, 0x73, 0x73, 0x12, 0x21, 0x0a,
+	0x0c, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x75, 0x6e, 0x61, 0x63, 0x6b, 0x65, 0x64, 0x18, 0x0d, 0x20,
+	0x01, 0x28, 0x0d, 0x52, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x55, 0x6e, 0x61, 0x63, 0x6b, 0x65, 0x64,
+	0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x73, 0x61, 0x63, 0x6b, 0x65, 0x64, 0x18,
+	0x0e, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x74, 0x63, 0x70, 0x69, 0x53, 0x61, 0x63, 0x6b, 0x65,
+	0x64, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x6c, 0x6f, 0x73, 0x74, 0x18, 0x0f,
+	0x20, 0x01, 0x28, 0x0d, 0x52, 0x08, 0x74, 0x63, 0x70, 0x69, 0x4c, 0x6f, 0x73, 0x74, 0x12, 0x21,
+	0x0a, 0x0c, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x72, 0x65, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x18, 0x10,
+	0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x52, 0x65, 0x74, 0x72, 0x61, 0x6e,
+	0x73, 0x12, 0x21, 0x0a, 0x0c, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x66, 0x61, 0x63, 0x6b, 0x65, 0x74,
+	0x73, 0x18, 0x11, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x46, 0x61, 0x63,
+	0x6b, 0x65, 0x74, 0x73, 0x12, 0x2d, 0x0a, 0x13, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x6c, 0x61, 0x73,
+	0x74, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x73, 0x65, 0x6e, 0x74, 0x18, 0x12, 0x20, 0x01, 0x28,
+	0x0d, 0x52, 0x10, 0x74, 0x63, 0x70, 0x69, 0x4c, 0x61, 0x73, 0x74, 0x44, 0x61, 0x74, 0x61, 0x53,
+	0x65, 0x6e, 0x74, 0x12, 0x2b, 0x0a, 0x12, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x6c, 0x61, 0x73, 0x74,
+	0x5f, 0x61, 0x63, 0x6b, 0x5f, 0x73, 0x65, 0x6e, 0x74, 0x18, 0x13, 0x20, 0x01, 0x28, 0x0d, 0x52,
+	0x0f, 0x74, 0x63, 0x70, 0x69, 0x4c, 0x61, 0x73, 0x74, 0x41, 0x63, 0x6b, 0x53, 0x65, 0x6e, 0x74,
+	0x12, 0x2d, 0x0a, 0x13, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x64, 0x61,
+	0x74, 0x61, 0x5f, 0x72, 0x65, 0x63, 0x76, 0x18, 0x14, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x10, 0x74,
+	0x63, 0x70, 0x69, 0x4c, 0x61, 0x73, 0x74, 0x44, 0x61, 0x74, 0x61, 0x52, 0x65, 0x63, 0x76, 0x12,
+	0x2b, 0x0a, 0x12, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x6b,
+	0x5f, 0x72, 0x65, 0x63, 0x76, 0x18, 0x15, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0f, 0x74, 0x63, 0x70,
+	0x69, 0x4c, 0x61, 0x73, 0x74, 0x41, 0x63, 0x6b, 0x52, 0x65, 0x63, 0x76, 0x12, 0x1b, 0x0a, 0x09,
+	0x74, 0x63, 0x70, 0x69, 0x5f, 0x70, 0x6d, 0x74, 0x75, 0x18, 0x16, 0x20, 0x01, 0x28, 0x0d, 0x52,
+	0x08, 0x74, 0x63, 0x70, 0x69, 0x50, 0x6d, 0x74, 0x75, 0x12, 0x2a, 0x0a, 0x11, 0x74, 0x63, 0x70,
+	0x69, 0x5f, 0x72, 0x63, 0x76, 0x5f, 0x73, 0x73, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x18, 0x17,
+	0x20, 0x01, 0x28, 0x0d, 0x52, 0x0f, 0x74, 0x63, 0x70, 0x69, 0x52, 0x63, 0x76, 0x53, 0x73, 0x74,
+	0x68, 0x72, 0x65, 0x73, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x72, 0x74,
+	0x74, 0x18, 0x18, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07, 0x74, 0x63, 0x70, 0x69, 0x52, 0x74, 0x74,
+	0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x72, 0x74, 0x74, 0x76, 0x61, 0x72, 0x18,
+	0x19, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x74, 0x63, 0x70, 0x69, 0x52, 0x74, 0x74, 0x76, 0x61,
+	0x72, 0x12, 0x2a, 0x0a, 0x11, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x73, 0x6e, 0x64, 0x5f, 0x73, 0x73,
+	0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x18, 0x1a, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0f, 0x74, 0x63,
+	0x70, 0x69, 0x53, 0x6e, 0x64, 0x53, 0x73, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x12, 0x22, 0x0a,
+	0x0d, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x73, 0x6e, 0x64, 0x5f, 0x63, 0x77, 0x6e, 0x64, 0x18, 0x1b,
+	0x20, 0x01, 0x28, 0x0d, 0x52, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x53, 0x6e, 0x64, 0x43, 0x77, 0x6e,
+	0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x61, 0x64, 0x76, 0x6d, 0x73, 0x73,
+	0x18, 0x1c, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x74, 0x63, 0x70, 0x69, 0x41, 0x64, 0x76, 0x6d,
+	0x73, 0x73, 0x12, 0x27, 0x0a, 0x0f, 0x74, 0x63, 0x70, 0x69, 0x5f, 0x72, 0x65, 0x6f, 0x72, 0x64,
+	0x65, 0x72, 0x69, 0x6e, 0x67, 0x18, 0x1d, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0e, 0x74, 0x63, 0x70,
+	0x69, 0x52, 0x65, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x22, 0x62, 0x0a, 0x15, 0x47,
+	0x65, 0x74, 0x54, 0x6f, 0x70, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x28, 0x0a, 0x10, 0x73, 0x74, 0x61, 0x72, 0x74, 0x5f, 0x63, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e,
+	0x73, 0x74, 0x61, 0x72, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x49, 0x64, 0x12, 0x1f,
+	0x0a, 0x0b, 0x6d, 0x61, 0x78, 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x03, 0x52, 0x0a, 0x6d, 0x61, 0x78, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22,
+	0x5f, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x54, 0x6f, 0x70, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x33, 0x0a, 0x07, 0x63, 0x68, 0x61,
+	0x6e, 0x6e, 0x65, 0x6c, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x72, 0x70,
+	0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x07, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x12, 0x10,
+	0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03, 0x65, 0x6e, 0x64,
+	0x22, 0x5c, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, 0x0f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x5f, 0x73,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d,
+	0x73, 0x74, 0x61, 0x72, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x49, 0x64, 0x12, 0x1f, 0x0a,
+	0x0b, 0x6d, 0x61, 0x78, 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x03, 0x52, 0x0a, 0x6d, 0x61, 0x78, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x22, 0x58,
+	0x0a, 0x12, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x30, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x18, 0x01,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x06,
+	0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x08, 0x52, 0x03, 0x65, 0x6e, 0x64, 0x22, 0x2f, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x53,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09,
+	0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52,
+	0x08, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x49, 0x64, 0x22, 0x45, 0x0a, 0x11, 0x47, 0x65, 0x74,
+	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x30,
+	0x0a, 0x06, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18,
+	0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76,
+	0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x06, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
+	0x22, 0x7f, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x6f, 0x63,
+	0x6b, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x73,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08,
+	0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x49, 0x64, 0x12, 0x26, 0x0a, 0x0f, 0x73, 0x74, 0x61, 0x72,
+	0x74, 0x5f, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x03, 0x52, 0x0d, 0x73, 0x74, 0x61, 0x72, 0x74, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x49, 0x64,
+	0x12, 0x1f, 0x0a, 0x0b, 0x6d, 0x61, 0x78, 0x5f, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0a, 0x6d, 0x61, 0x78, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74,
+	0x73, 0x22, 0x68, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x6f,
+	0x63, 0x6b, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a,
+	0x0a, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x72, 0x65, 0x66, 0x18, 0x01, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x66, 0x52, 0x09,
+	0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x66, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03, 0x65, 0x6e, 0x64, 0x22, 0x32, 0x0a, 0x11, 0x47,
+	0x65, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x49, 0x64, 0x22,
+	0x49, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x33, 0x0a, 0x07, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65,
+	0x6c, 0x52, 0x07, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x22, 0x3b, 0x0a, 0x14, 0x47, 0x65,
+	0x74, 0x53, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x12, 0x23, 0x0a, 0x0d, 0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x73, 0x75, 0x62, 0x63, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x49, 0x64, 0x22, 0x55, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x53, 0x75,
+	0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x12, 0x3c, 0x0a, 0x0a, 0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e,
+	0x65, 0x6c, 0x52, 0x0a, 0x73, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x22, 0x49,
+	0x0a, 0x10, 0x47, 0x65, 0x74, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x49, 0x64, 0x12,
+	0x18, 0x0a, 0x07, 0x73, 0x75, 0x6d, 0x6d, 0x61, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08,
+	0x52, 0x07, 0x73, 0x75, 0x6d, 0x6d, 0x61, 0x72, 0x79, 0x22, 0x45, 0x0a, 0x11, 0x47, 0x65, 0x74,
+	0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x30,
+	0x0a, 0x06, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18,
+	0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76,
+	0x31, 0x2e, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x06, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74,
+	0x32, 0x9a, 0x05, 0x0a, 0x08, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x12, 0x63, 0x0a,
+	0x0e, 0x47, 0x65, 0x74, 0x54, 0x6f, 0x70, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x73, 0x12,
+	0x27, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e,
+	0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x54, 0x6f, 0x70, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x54,
+	0x6f, 0x70, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x12, 0x57, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73,
+	0x12, 0x23, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a,
+	0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x24, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61,
+	0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x54, 0x0a, 0x09, 0x47,
+	0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x67,
+	0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e,
+	0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x12, 0x69, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x6f,
+	0x63, 0x6b, 0x65, 0x74, 0x73, 0x12, 0x29, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61,
+	0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x2a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a,
+	0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x6f, 0x63,
+	0x6b, 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x57, 0x0a, 0x0a,
+	0x47, 0x65, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x12, 0x23, 0x2e, 0x67, 0x72, 0x70,
+	0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65,
+	0x74, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x24, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e,
+	0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x60, 0x0a, 0x0d, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x63,
+	0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x12, 0x26, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62,
+	0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x27,
+	0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76,
+	0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x75, 0x62, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x54, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x53, 0x6f,
+	0x63, 0x6b, 0x65, 0x74, 0x12, 0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x6f, 0x63, 0x6b, 0x65,
+	0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53,
+	0x6f, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x58, 0x0a,
+	0x13, 0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x63, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c,
+	0x7a, 0x2e, 0x76, 0x31, 0x42, 0x0d, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x50, 0x72,
+	0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x30, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f,
+	0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x68,
+	0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x7a, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x63, 0x68, 0x61, 0x6e,
+	0x6e, 0x65, 0x6c, 0x7a, 0x5f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_grpc_channelz_v1_channelz_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/clientconn.go b/vendor/google.golang.org/grpc/clientconn.go
index cd3eaf8ddcb..a319ef97944 100644
--- a/vendor/google.golang.org/grpc/clientconn.go
+++ b/vendor/google.golang.org/grpc/clientconn.go
@@ -689,31 +689,22 @@ func (cc *ClientConn) Connect() {
 	cc.mu.Unlock()
 }
 
-// waitForResolvedAddrs blocks until the resolver provides addresses or the
-// context expires, whichever happens first.
-//
-// Error is nil unless the context expires first; otherwise returns a status
-// error based on the context.
-//
-// The returned boolean indicates whether it did block or not. If the
-// resolution has already happened once before, it returns false without
-// blocking. Otherwise, it wait for the resolution and return true if
-// resolution has succeeded or return false along with error if resolution has
-// failed.
-func (cc *ClientConn) waitForResolvedAddrs(ctx context.Context) (bool, error) {
+// waitForResolvedAddrs blocks until the resolver has provided addresses or the
+// context expires.  Returns nil unless the context expires first; otherwise
+// returns a status error based on the context.
+func (cc *ClientConn) waitForResolvedAddrs(ctx context.Context) error {
 	// This is on the RPC path, so we use a fast path to avoid the
 	// more-expensive "select" below after the resolver has returned once.
 	if cc.firstResolveEvent.HasFired() {
-		return false, nil
+		return nil
 	}
-	internal.NewStreamWaitingForResolver()
 	select {
 	case <-cc.firstResolveEvent.Done():
-		return true, nil
+		return nil
 	case <-ctx.Done():
-		return false, status.FromContextError(ctx.Err()).Err()
+		return status.FromContextError(ctx.Err()).Err()
 	case <-cc.ctx.Done():
-		return false, ErrClientConnClosing
+		return ErrClientConnClosing
 	}
 }
 
@@ -1240,7 +1231,8 @@ func (ac *addrConn) updateConnectivityState(s connectivity.State, lastErr error)
 // adjustParams updates parameters used to create transports upon
 // receiving a GoAway.
 func (ac *addrConn) adjustParams(r transport.GoAwayReason) {
-	if r == transport.GoAwayTooManyPings {
+	switch r {
+	case transport.GoAwayTooManyPings:
 		v := 2 * ac.dopts.copts.KeepaliveParams.Time
 		ac.cc.mu.Lock()
 		if v > ac.cc.keepaliveParams.Time {
diff --git a/vendor/google.golang.org/grpc/credentials/alts/alts.go b/vendor/google.golang.org/grpc/credentials/alts/alts.go
index 35539eb1ad4..afcdb8a0db8 100644
--- a/vendor/google.golang.org/grpc/credentials/alts/alts.go
+++ b/vendor/google.golang.org/grpc/credentials/alts/alts.go
@@ -133,11 +133,10 @@ func DefaultServerOptions() *ServerOptions {
 // altsTC is the credentials required for authenticating a connection using ALTS.
 // It implements credentials.TransportCredentials interface.
 type altsTC struct {
-	info             *credentials.ProtocolInfo
-	side             core.Side
-	accounts         []string
-	hsAddress        string
-	boundAccessToken string
+	info      *credentials.ProtocolInfo
+	side      core.Side
+	accounts  []string
+	hsAddress string
 }
 
 // NewClientCreds constructs a client-side ALTS TransportCredentials object.
@@ -199,7 +198,6 @@ func (g *altsTC) ClientHandshake(ctx context.Context, addr string, rawConn net.C
 		MaxRpcVersion: maxRPCVersion,
 		MinRpcVersion: minRPCVersion,
 	}
-	opts.BoundAccessToken = g.boundAccessToken
 	chs, err := handshaker.NewClientHandshaker(ctx, hsConn, rawConn, opts)
 	if err != nil {
 		return nil, nil, err
diff --git a/vendor/google.golang.org/grpc/credentials/alts/internal/conn/common.go b/vendor/google.golang.org/grpc/credentials/alts/internal/conn/common.go
index 46617132a45..1795d0c9e37 100644
--- a/vendor/google.golang.org/grpc/credentials/alts/internal/conn/common.go
+++ b/vendor/google.golang.org/grpc/credentials/alts/internal/conn/common.go
@@ -54,10 +54,11 @@ func SliceForAppend(in []byte, n int) (head, tail []byte) {
 func ParseFramedMsg(b []byte, maxLen uint32) ([]byte, []byte, error) {
 	// If the size field is not complete, return the provided buffer as
 	// remaining buffer.
-	length, sufficientBytes := parseMessageLength(b)
-	if !sufficientBytes {
+	if len(b) < MsgLenFieldSize {
 		return nil, b, nil
 	}
+	msgLenField := b[:MsgLenFieldSize]
+	length := binary.LittleEndian.Uint32(msgLenField)
 	if length > maxLen {
 		return nil, nil, fmt.Errorf("received the frame length %d larger than the limit %d", length, maxLen)
 	}
@@ -67,14 +68,3 @@ func ParseFramedMsg(b []byte, maxLen uint32) ([]byte, []byte, error) {
 	}
 	return b[:MsgLenFieldSize+length], b[MsgLenFieldSize+length:], nil
 }
-
-// parseMessageLength returns the message length based on frame header. It also
-// returns a boolean indicating if the buffer contains sufficient bytes to parse
-// the length header. If there are insufficient bytes, (0, false) is returned.
-func parseMessageLength(b []byte) (uint32, bool) {
-	if len(b) < MsgLenFieldSize {
-		return 0, false
-	}
-	msgLenField := b[:MsgLenFieldSize]
-	return binary.LittleEndian.Uint32(msgLenField), true
-}
diff --git a/vendor/google.golang.org/grpc/credentials/alts/internal/conn/record.go b/vendor/google.golang.org/grpc/credentials/alts/internal/conn/record.go
index f9d2646d4b2..f1ea7bb2081 100644
--- a/vendor/google.golang.org/grpc/credentials/alts/internal/conn/record.go
+++ b/vendor/google.golang.org/grpc/credentials/alts/internal/conn/record.go
@@ -31,18 +31,14 @@ import (
 
 // ALTSRecordCrypto is the interface for gRPC ALTS record protocol.
 type ALTSRecordCrypto interface {
-	// Encrypt encrypts the plaintext, computes the tag (if any) of dst and
-	// plaintext, and appends the result to dst, returning the updated slice.
-	// dst and plaintext may fully overlap or not at all.
+	// Encrypt encrypts the plaintext and computes the tag (if any) of dst
+	// and plaintext. dst and plaintext may fully overlap or not at all.
 	Encrypt(dst, plaintext []byte) ([]byte, error)
 	// EncryptionOverhead returns the tag size (if any) in bytes.
 	EncryptionOverhead() int
-	// Decrypt decrypts ciphertext and verifies the tag (if any). If successful,
-	// this function appends the resulting plaintext to dst, returning the
-	// updated slice. dst and ciphertext may alias exactly or not at all. To
-	// reuse ciphertext's storage for the decrypted output, use ciphertext[:0]
-	// as dst. Even if the function fails, the contents of dst, up to its
-	// capacity, may be overwritten.
+	// Decrypt decrypts ciphertext and verify the tag (if any). dst and
+	// ciphertext may alias exactly or not at all. To reuse ciphertext's
+	// storage for the decrypted output, use ciphertext[:0] as dst.
 	Decrypt(dst, ciphertext []byte) ([]byte, error)
 }
 
@@ -67,8 +63,6 @@ const (
 	// The maximum write buffer size. This *must* be multiple of
 	// altsRecordDefaultLength.
 	altsWriteBufferMaxSize = 512 * 1024 // 512KiB
-	// The initial buffer used to read from the network.
-	altsReadBufferInitialSize = 32 * 1024 // 32KiB
 )
 
 var (
@@ -89,7 +83,7 @@ type conn struct {
 	net.Conn
 	crypto ALTSRecordCrypto
 	// buf holds data that has been read from the connection and decrypted,
-	// but has not yet been returned by Read. It is a sub-slice of protected.
+	// but has not yet been returned by Read.
 	buf                []byte
 	payloadLengthLimit int
 	// protected holds data read from the network but have not yet been
@@ -117,13 +111,21 @@ func NewConn(c net.Conn, side core.Side, recordProtocol string, key []byte, prot
 	}
 	overhead := MsgLenFieldSize + msgTypeFieldSize + crypto.EncryptionOverhead()
 	payloadLengthLimit := altsRecordDefaultLength - overhead
-	// We pre-allocate protected to be of size 32KB during initialization.
-	// We increase the size of the buffer by the required amount if it can't
-	// hold a complete encrypted record.
-	protectedBuf := make([]byte, max(altsReadBufferInitialSize, len(protected)))
-	// Copy additional data from hanshaker service.
-	copy(protectedBuf, protected)
-	protectedBuf = protectedBuf[:len(protected)]
+	var protectedBuf []byte
+	if protected == nil {
+		// We pre-allocate protected to be of size
+		// 2*altsRecordDefaultLength-1 during initialization. We only
+		// read from the network into protected when protected does not
+		// contain a complete frame, which is at most
+		// altsRecordDefaultLength-1 (bytes). And we read at most
+		// altsRecordDefaultLength (bytes) data into protected at one
+		// time. Therefore, 2*altsRecordDefaultLength-1 is large enough
+		// to buffer data read from the network.
+		protectedBuf = make([]byte, 0, 2*altsRecordDefaultLength-1)
+	} else {
+		protectedBuf = make([]byte, len(protected))
+		copy(protectedBuf, protected)
+	}
 
 	altsConn := &conn{
 		Conn:               c,
@@ -160,26 +162,11 @@ func (p *conn) Read(b []byte) (n int, err error) {
 		// Check whether a complete frame has been received yet.
 		for len(framedMsg) == 0 {
 			if len(p.protected) == cap(p.protected) {
-				// We can parse the length header to know exactly how large
-				// the buffer needs to be to hold the entire frame.
-				length, didParse := parseMessageLength(p.protected)
-				if !didParse {
-					// The protected buffer is initialized with a capacity of
-					// larger than 4B. It should always hold the message length
-					// header.
-					panic(fmt.Sprintf("protected buffer length shorter than expected: %d vs %d", len(p.protected), MsgLenFieldSize))
-				}
-				oldProtectedBuf := p.protected
-				// The new buffer must be able to hold the message length header
-				// and the entire message.
-				requiredCapacity := int(length) + MsgLenFieldSize
-				p.protected = make([]byte, requiredCapacity)
-				// Copy the contents of the old buffer and set the length of the
-				// new buffer to the number of bytes already read.
-				copy(p.protected, oldProtectedBuf)
-				p.protected = p.protected[:len(oldProtectedBuf)]
+				tmp := make([]byte, len(p.protected), cap(p.protected)+altsRecordDefaultLength)
+				copy(tmp, p.protected)
+				p.protected = tmp
 			}
-			n, err = p.Conn.Read(p.protected[len(p.protected):cap(p.protected)])
+			n, err = p.Conn.Read(p.protected[len(p.protected):min(cap(p.protected), len(p.protected)+altsRecordDefaultLength)])
 			if err != nil {
 				return 0, err
 			}
@@ -198,15 +185,6 @@ func (p *conn) Read(b []byte) (n int, err error) {
 		}
 		ciphertext := msg[msgTypeFieldSize:]
 
-		// Decrypt directly into the buffer, avoiding a copy from p.buf if
-		// possible.
-		if len(b) >= len(ciphertext) {
-			dec, err := p.crypto.Decrypt(b[:0], ciphertext)
-			if err != nil {
-				return 0, err
-			}
-			return len(dec), nil
-		}
 		// Decrypt requires that if the dst and ciphertext alias, they
 		// must alias exactly. Code here used to use msg[:0], but msg
 		// starts MsgLenFieldSize+msgTypeFieldSize bytes earlier than
diff --git a/vendor/google.golang.org/grpc/credentials/alts/internal/handshaker/handshaker.go b/vendor/google.golang.org/grpc/credentials/alts/internal/handshaker/handshaker.go
index 0360842eb8f..50721f690ac 100644
--- a/vendor/google.golang.org/grpc/credentials/alts/internal/handshaker/handshaker.go
+++ b/vendor/google.golang.org/grpc/credentials/alts/internal/handshaker/handshaker.go
@@ -88,8 +88,6 @@ type ClientHandshakerOptions struct {
 	TargetServiceAccounts []string
 	// RPCVersions specifies the gRPC versions accepted by the client.
 	RPCVersions *altspb.RpcProtocolVersions
-	// BoundAccessToken is a bound access token to be sent to the server for authentication.
-	BoundAccessToken string
 }
 
 // ServerHandshakerOptions contains the server handshaker options that can
@@ -197,9 +195,7 @@ func (h *altsHandshaker) ClientHandshake(ctx context.Context) (net.Conn, credent
 			},
 		},
 	}
-	if h.clientOpts.BoundAccessToken != "" {
-		req.GetClientStart().AccessToken = h.clientOpts.BoundAccessToken
-	}
+
 	conn, result, err := h.doHandshake(req)
 	if err != nil {
 		return nil, nil, err
@@ -312,7 +308,6 @@ func (h *altsHandshaker) accessHandshakerService(req *altspb.HandshakerReq) (*al
 // whatever received from the network and send it to the handshaker service.
 func (h *altsHandshaker) processUntilDone(resp *altspb.HandshakerResp, extra []byte) (*altspb.HandshakerResult, []byte, error) {
 	var lastWriteTime time.Time
-	buf := make([]byte, frameLimit)
 	for {
 		if len(resp.OutFrames) > 0 {
 			lastWriteTime = time.Now()
@@ -323,6 +318,7 @@ func (h *altsHandshaker) processUntilDone(resp *altspb.HandshakerResp, extra []b
 		if resp.Result != nil {
 			return resp.Result, extra, nil
 		}
+		buf := make([]byte, frameLimit)
 		n, err := h.conn.Read(buf)
 		if err != nil && err != io.EOF {
 			return nil, nil, err
diff --git a/vendor/google.golang.org/grpc/credentials/alts/internal/handshaker/service/service.go b/vendor/google.golang.org/grpc/credentials/alts/internal/handshaker/service/service.go
index 2580995d99c..fbfde5d047f 100644
--- a/vendor/google.golang.org/grpc/credentials/alts/internal/handshaker/service/service.go
+++ b/vendor/google.golang.org/grpc/credentials/alts/internal/handshaker/service/service.go
@@ -22,12 +22,9 @@ package service
 
 import (
 	"sync"
-	"time"
 
 	grpc "google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
-	"google.golang.org/grpc/internal/envconfig"
-	"google.golang.org/grpc/keepalive"
 )
 
 var (
@@ -53,17 +50,7 @@ func Dial(hsAddress string) (*grpc.ClientConn, error) {
 		// Disable the service config to avoid unnecessary TXT record lookups that
 		// cause timeouts with some versions of systemd-resolved.
 		var err error
-		opts := []grpc.DialOption{
-			grpc.WithTransportCredentials(insecure.NewCredentials()),
-			grpc.WithDisableServiceConfig(),
-		}
-		if envconfig.ALTSHandshakerKeepaliveParams {
-			opts = append(opts, grpc.WithKeepaliveParams(keepalive.ClientParameters{
-				Timeout: 10 * time.Second,
-				Time:    10 * time.Minute,
-			}))
-		}
-		hsConn, err = grpc.NewClient(hsAddress, opts...)
+		hsConn, err = grpc.Dial(hsAddress, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithDisableServiceConfig())
 		if err != nil {
 			return nil, err
 		}
diff --git a/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/altscontext.pb.go b/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/altscontext.pb.go
index 331dd6c8463..ac9ed4f05ac 100644
--- a/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/altscontext.pb.go
+++ b/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/altscontext.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.4
 // 	protoc        v5.27.1
 // source: grpc/gcp/altscontext.proto
 
@@ -139,21 +139,52 @@ func (x *AltsContext) GetPeerAttributes() map[string]string {
 
 var File_grpc_gcp_altscontext_proto protoreflect.FileDescriptor
 
-const file_grpc_gcp_altscontext_proto_rawDesc = "" +
-	"\n" +
-	"\x1agrpc/gcp/altscontext.proto\x12\bgrpc.gcp\x1a(grpc/gcp/transport_security_common.proto\"\xf1\x03\n" +
-	"\vAltsContext\x121\n" +
-	"\x14application_protocol\x18\x01 \x01(\tR\x13applicationProtocol\x12'\n" +
-	"\x0frecord_protocol\x18\x02 \x01(\tR\x0erecordProtocol\x12>\n" +
-	"\x0esecurity_level\x18\x03 \x01(\x0e2\x17.grpc.gcp.SecurityLevelR\rsecurityLevel\x120\n" +
-	"\x14peer_service_account\x18\x04 \x01(\tR\x12peerServiceAccount\x122\n" +
-	"\x15local_service_account\x18\x05 \x01(\tR\x13localServiceAccount\x12I\n" +
-	"\x11peer_rpc_versions\x18\x06 \x01(\v2\x1d.grpc.gcp.RpcProtocolVersionsR\x0fpeerRpcVersions\x12R\n" +
-	"\x0fpeer_attributes\x18\a \x03(\v2).grpc.gcp.AltsContext.PeerAttributesEntryR\x0epeerAttributes\x1aA\n" +
-	"\x13PeerAttributesEntry\x12\x10\n" +
-	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
-	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01Bl\n" +
-	"\x15io.grpc.alts.internalB\x10AltsContextProtoP\x01Z?google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcpb\x06proto3"
+var file_grpc_gcp_altscontext_proto_rawDesc = string([]byte{
+	0x0a, 0x1a, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x67, 0x63, 0x70, 0x2f, 0x61, 0x6c, 0x74, 0x73, 0x63,
+	0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x67, 0x72,
+	0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x1a, 0x28, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x67, 0x63, 0x70,
+	0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72,
+	0x69, 0x74, 0x79, 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x22, 0xf1, 0x03, 0x0a, 0x0b, 0x41, 0x6c, 0x74, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+	0x12, 0x31, 0x0a, 0x14, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13,
+	0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f,
+	0x63, 0x6f, 0x6c, 0x12, 0x27, 0x0a, 0x0f, 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x5f, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x65,
+	0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x3e, 0x0a, 0x0e,
+	0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x5f, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x0e, 0x32, 0x17, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e,
+	0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x52, 0x0d, 0x73,
+	0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x30, 0x0a, 0x14,
+	0x70, 0x65, 0x65, 0x72, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63,
+	0x6f, 0x75, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x70, 0x65, 0x65, 0x72,
+	0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x32,
+	0x0a, 0x15, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f,
+	0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x6c,
+	0x6f, 0x63, 0x61, 0x6c, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75,
+	0x6e, 0x74, 0x12, 0x49, 0x0a, 0x11, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x72, 0x70, 0x63, 0x5f, 0x76,
+	0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x52, 0x70, 0x63, 0x50, 0x72, 0x6f, 0x74,
+	0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x0f, 0x70, 0x65,
+	0x65, 0x72, 0x52, 0x70, 0x63, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x52, 0x0a,
+	0x0f, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73,
+	0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63,
+	0x70, 0x2e, 0x41, 0x6c, 0x74, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x2e, 0x50, 0x65,
+	0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72,
+	0x79, 0x52, 0x0e, 0x70, 0x65, 0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65,
+	0x73, 0x1a, 0x41, 0x0a, 0x13, 0x50, 0x65, 0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75,
+	0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61,
+	0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
+	0x3a, 0x02, 0x38, 0x01, 0x42, 0x6c, 0x0a, 0x15, 0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x61, 0x6c, 0x74, 0x73, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x42, 0x10, 0x41,
+	0x6c, 0x74, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50,
+	0x01, 0x5a, 0x3f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67,
+	0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x61, 0x6c, 0x73, 0x2f, 0x61, 0x6c, 0x74, 0x73, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72,
+	0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x67,
+	0x63, 0x70, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_grpc_gcp_altscontext_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/handshaker.pb.go b/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/handshaker.pb.go
index 6370b2a6d22..1caa2638caa 100644
--- a/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/handshaker.pb.go
+++ b/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/handshaker.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.4
 // 	protoc        v5.27.1
 // source: grpc/gcp/handshaker.proto
 
@@ -331,11 +331,9 @@ type StartClientHandshakeReq struct {
 	// ALTS connections. The access token that should be used to authenticate to
 	// the peer. The access token MUST be strongly bound to the ALTS credentials
 	// used to establish the connection that the token is sent over.
-	AccessToken string `protobuf:"bytes,11,opt,name=access_token,json=accessToken,proto3" json:"access_token,omitempty"`
-	// (Optional) Ordered transport protocol preferences supported by the client.
-	TransportProtocolPreferences *TransportProtocolPreferences `protobuf:"bytes,12,opt,name=transport_protocol_preferences,json=transportProtocolPreferences,proto3" json:"transport_protocol_preferences,omitempty"`
-	unknownFields                protoimpl.UnknownFields
-	sizeCache                    protoimpl.SizeCache
+	AccessToken   string `protobuf:"bytes,11,opt,name=access_token,json=accessToken,proto3" json:"access_token,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *StartClientHandshakeReq) Reset() {
@@ -445,13 +443,6 @@ func (x *StartClientHandshakeReq) GetAccessToken() string {
 	return ""
 }
 
-func (x *StartClientHandshakeReq) GetTransportProtocolPreferences() *TransportProtocolPreferences {
-	if x != nil {
-		return x.TransportProtocolPreferences
-	}
-	return nil
-}
-
 type ServerHandshakeParameters struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The record protocols supported by the server, e.g.,
@@ -543,11 +534,9 @@ type StartServerHandshakeReq struct {
 	// (Optional) RPC protocol versions supported by the server.
 	RpcVersions *RpcProtocolVersions `protobuf:"bytes,6,opt,name=rpc_versions,json=rpcVersions,proto3" json:"rpc_versions,omitempty"`
 	// (Optional) Maximum frame size supported by the server.
-	MaxFrameSize uint32 `protobuf:"varint,7,opt,name=max_frame_size,json=maxFrameSize,proto3" json:"max_frame_size,omitempty"`
-	// (Optional) Transport protocol preferences supported by the server.
-	TransportProtocolPreferences *TransportProtocolPreferences `protobuf:"bytes,8,opt,name=transport_protocol_preferences,json=transportProtocolPreferences,proto3" json:"transport_protocol_preferences,omitempty"`
-	unknownFields                protoimpl.UnknownFields
-	sizeCache                    protoimpl.SizeCache
+	MaxFrameSize  uint32 `protobuf:"varint,7,opt,name=max_frame_size,json=maxFrameSize,proto3" json:"max_frame_size,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *StartServerHandshakeReq) Reset() {
@@ -629,13 +618,6 @@ func (x *StartServerHandshakeReq) GetMaxFrameSize() uint32 {
 	return 0
 }
 
-func (x *StartServerHandshakeReq) GetTransportProtocolPreferences() *TransportProtocolPreferences {
-	if x != nil {
-		return x.TransportProtocolPreferences
-	}
-	return nil
-}
-
 type NextHandshakeMessageReq struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// Bytes in out_frames returned from the peer's HandshakerResp. It is possible
@@ -816,11 +798,9 @@ type HandshakerResult struct {
 	// The RPC protocol versions supported by the peer.
 	PeerRpcVersions *RpcProtocolVersions `protobuf:"bytes,7,opt,name=peer_rpc_versions,json=peerRpcVersions,proto3" json:"peer_rpc_versions,omitempty"`
 	// The maximum frame size of the peer.
-	MaxFrameSize uint32 `protobuf:"varint,8,opt,name=max_frame_size,json=maxFrameSize,proto3" json:"max_frame_size,omitempty"`
-	// (Optional) The transport protocol negotiated for this connection.
-	TransportProtocol *NegotiatedTransportProtocol `protobuf:"bytes,9,opt,name=transport_protocol,json=transportProtocol,proto3" json:"transport_protocol,omitempty"`
-	unknownFields     protoimpl.UnknownFields
-	sizeCache         protoimpl.SizeCache
+	MaxFrameSize  uint32 `protobuf:"varint,8,opt,name=max_frame_size,json=maxFrameSize,proto3" json:"max_frame_size,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }
 
 func (x *HandshakerResult) Reset() {
@@ -909,13 +889,6 @@ func (x *HandshakerResult) GetMaxFrameSize() uint32 {
 	return 0
 }
 
-func (x *HandshakerResult) GetTransportProtocol() *NegotiatedTransportProtocol {
-	if x != nil {
-		return x.TransportProtocol
-	}
-	return nil
-}
-
 type HandshakerStatus struct {
 	state protoimpl.MessageState `protogen:"open.v1"`
 	// The status code. This could be the gRPC status code.
@@ -1051,94 +1024,206 @@ func (x *HandshakerResp) GetStatus() *HandshakerStatus {
 
 var File_grpc_gcp_handshaker_proto protoreflect.FileDescriptor
 
-const file_grpc_gcp_handshaker_proto_rawDesc = "" +
-	"\n" +
-	"\x19grpc/gcp/handshaker.proto\x12\bgrpc.gcp\x1a(grpc/gcp/transport_security_common.proto\"t\n" +
-	"\bEndpoint\x12\x1d\n" +
-	"\n" +
-	"ip_address\x18\x01 \x01(\tR\tipAddress\x12\x12\n" +
-	"\x04port\x18\x02 \x01(\x05R\x04port\x125\n" +
-	"\bprotocol\x18\x03 \x01(\x0e2\x19.grpc.gcp.NetworkProtocolR\bprotocol\"\xe8\x01\n" +
-	"\bIdentity\x12)\n" +
-	"\x0fservice_account\x18\x01 \x01(\tH\x00R\x0eserviceAccount\x12\x1c\n" +
-	"\bhostname\x18\x02 \x01(\tH\x00R\bhostname\x12B\n" +
-	"\n" +
-	"attributes\x18\x03 \x03(\v2\".grpc.gcp.Identity.AttributesEntryR\n" +
-	"attributes\x1a=\n" +
-	"\x0fAttributesEntry\x12\x10\n" +
-	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
-	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x10\n" +
-	"\x0eidentity_oneof\"\xe9\x05\n" +
-	"\x17StartClientHandshakeReq\x12[\n" +
-	"\x1bhandshake_security_protocol\x18\x01 \x01(\x0e2\x1b.grpc.gcp.HandshakeProtocolR\x19handshakeSecurityProtocol\x123\n" +
-	"\x15application_protocols\x18\x02 \x03(\tR\x14applicationProtocols\x12)\n" +
-	"\x10record_protocols\x18\x03 \x03(\tR\x0frecordProtocols\x12?\n" +
-	"\x11target_identities\x18\x04 \x03(\v2\x12.grpc.gcp.IdentityR\x10targetIdentities\x129\n" +
-	"\x0elocal_identity\x18\x05 \x01(\v2\x12.grpc.gcp.IdentityR\rlocalIdentity\x129\n" +
-	"\x0elocal_endpoint\x18\x06 \x01(\v2\x12.grpc.gcp.EndpointR\rlocalEndpoint\x12;\n" +
-	"\x0fremote_endpoint\x18\a \x01(\v2\x12.grpc.gcp.EndpointR\x0eremoteEndpoint\x12\x1f\n" +
-	"\vtarget_name\x18\b \x01(\tR\n" +
-	"targetName\x12@\n" +
-	"\frpc_versions\x18\t \x01(\v2\x1d.grpc.gcp.RpcProtocolVersionsR\vrpcVersions\x12$\n" +
-	"\x0emax_frame_size\x18\n" +
-	" \x01(\rR\fmaxFrameSize\x12&\n" +
-	"\faccess_token\x18\v \x01(\tB\x03\x80\x01\x01R\vaccessToken\x12l\n" +
-	"\x1etransport_protocol_preferences\x18\f \x01(\v2&.grpc.gcp.TransportProtocolPreferencesR\x1ctransportProtocolPreferences\"\xaf\x01\n" +
-	"\x19ServerHandshakeParameters\x12)\n" +
-	"\x10record_protocols\x18\x01 \x03(\tR\x0frecordProtocols\x12=\n" +
-	"\x10local_identities\x18\x02 \x03(\v2\x12.grpc.gcp.IdentityR\x0flocalIdentities\x12\x1e\n" +
-	"\x05token\x18\x03 \x01(\tB\x03\x80\x01\x01H\x00R\x05token\x88\x01\x01B\b\n" +
-	"\x06_token\"\x93\x05\n" +
-	"\x17StartServerHandshakeReq\x123\n" +
-	"\x15application_protocols\x18\x01 \x03(\tR\x14applicationProtocols\x12m\n" +
-	"\x14handshake_parameters\x18\x02 \x03(\v2:.grpc.gcp.StartServerHandshakeReq.HandshakeParametersEntryR\x13handshakeParameters\x12\x19\n" +
-	"\bin_bytes\x18\x03 \x01(\fR\ainBytes\x129\n" +
-	"\x0elocal_endpoint\x18\x04 \x01(\v2\x12.grpc.gcp.EndpointR\rlocalEndpoint\x12;\n" +
-	"\x0fremote_endpoint\x18\x05 \x01(\v2\x12.grpc.gcp.EndpointR\x0eremoteEndpoint\x12@\n" +
-	"\frpc_versions\x18\x06 \x01(\v2\x1d.grpc.gcp.RpcProtocolVersionsR\vrpcVersions\x12$\n" +
-	"\x0emax_frame_size\x18\a \x01(\rR\fmaxFrameSize\x12l\n" +
-	"\x1etransport_protocol_preferences\x18\b \x01(\v2&.grpc.gcp.TransportProtocolPreferencesR\x1ctransportProtocolPreferences\x1ak\n" +
-	"\x18HandshakeParametersEntry\x12\x10\n" +
-	"\x03key\x18\x01 \x01(\x05R\x03key\x129\n" +
-	"\x05value\x18\x02 \x01(\v2#.grpc.gcp.ServerHandshakeParametersR\x05value:\x028\x01\"b\n" +
-	"\x17NextHandshakeMessageReq\x12\x19\n" +
-	"\bin_bytes\x18\x01 \x01(\fR\ainBytes\x12,\n" +
-	"\x12network_latency_ms\x18\x02 \x01(\rR\x10networkLatencyMs\"\xe5\x01\n" +
-	"\rHandshakerReq\x12F\n" +
-	"\fclient_start\x18\x01 \x01(\v2!.grpc.gcp.StartClientHandshakeReqH\x00R\vclientStart\x12F\n" +
-	"\fserver_start\x18\x02 \x01(\v2!.grpc.gcp.StartServerHandshakeReqH\x00R\vserverStart\x127\n" +
-	"\x04next\x18\x03 \x01(\v2!.grpc.gcp.NextHandshakeMessageReqH\x00R\x04nextB\v\n" +
-	"\treq_oneof\"\xf0\x03\n" +
-	"\x10HandshakerResult\x121\n" +
-	"\x14application_protocol\x18\x01 \x01(\tR\x13applicationProtocol\x12'\n" +
-	"\x0frecord_protocol\x18\x02 \x01(\tR\x0erecordProtocol\x12\x19\n" +
-	"\bkey_data\x18\x03 \x01(\fR\akeyData\x127\n" +
-	"\rpeer_identity\x18\x04 \x01(\v2\x12.grpc.gcp.IdentityR\fpeerIdentity\x129\n" +
-	"\x0elocal_identity\x18\x05 \x01(\v2\x12.grpc.gcp.IdentityR\rlocalIdentity\x12*\n" +
-	"\x11keep_channel_open\x18\x06 \x01(\bR\x0fkeepChannelOpen\x12I\n" +
-	"\x11peer_rpc_versions\x18\a \x01(\v2\x1d.grpc.gcp.RpcProtocolVersionsR\x0fpeerRpcVersions\x12$\n" +
-	"\x0emax_frame_size\x18\b \x01(\rR\fmaxFrameSize\x12T\n" +
-	"\x12transport_protocol\x18\t \x01(\v2%.grpc.gcp.NegotiatedTransportProtocolR\x11transportProtocol\"@\n" +
-	"\x10HandshakerStatus\x12\x12\n" +
-	"\x04code\x18\x01 \x01(\rR\x04code\x12\x18\n" +
-	"\adetails\x18\x02 \x01(\tR\adetails\"\xbe\x01\n" +
-	"\x0eHandshakerResp\x12\x1d\n" +
-	"\n" +
-	"out_frames\x18\x01 \x01(\fR\toutFrames\x12%\n" +
-	"\x0ebytes_consumed\x18\x02 \x01(\rR\rbytesConsumed\x122\n" +
-	"\x06result\x18\x03 \x01(\v2\x1a.grpc.gcp.HandshakerResultR\x06result\x122\n" +
-	"\x06status\x18\x04 \x01(\v2\x1a.grpc.gcp.HandshakerStatusR\x06status*J\n" +
-	"\x11HandshakeProtocol\x12\"\n" +
-	"\x1eHANDSHAKE_PROTOCOL_UNSPECIFIED\x10\x00\x12\a\n" +
-	"\x03TLS\x10\x01\x12\b\n" +
-	"\x04ALTS\x10\x02*E\n" +
-	"\x0fNetworkProtocol\x12 \n" +
-	"\x1cNETWORK_PROTOCOL_UNSPECIFIED\x10\x00\x12\a\n" +
-	"\x03TCP\x10\x01\x12\a\n" +
-	"\x03UDP\x10\x022[\n" +
-	"\x11HandshakerService\x12F\n" +
-	"\vDoHandshake\x12\x17.grpc.gcp.HandshakerReq\x1a\x18.grpc.gcp.HandshakerResp\"\x00(\x010\x01Bk\n" +
-	"\x15io.grpc.alts.internalB\x0fHandshakerProtoP\x01Z?google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcpb\x06proto3"
+var file_grpc_gcp_handshaker_proto_rawDesc = string([]byte{
+	0x0a, 0x19, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x67, 0x63, 0x70, 0x2f, 0x68, 0x61, 0x6e, 0x64, 0x73,
+	0x68, 0x61, 0x6b, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x67, 0x72, 0x70,
+	0x63, 0x2e, 0x67, 0x63, 0x70, 0x1a, 0x28, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x67, 0x63, 0x70, 0x2f,
+	0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69,
+	0x74, 0x79, 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
+	0x74, 0x0a, 0x08, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x69,
+	0x70, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x09, 0x69, 0x70, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f,
+	0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x35,
+	0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x19, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x4e, 0x65, 0x74, 0x77,
+	0x6f, 0x72, 0x6b, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x22, 0xe8, 0x01, 0x0a, 0x08, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69,
+	0x74, 0x79, 0x12, 0x29, 0x0a, 0x0f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x63,
+	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0e, 0x73,
+	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x1c, 0x0a,
+	0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48,
+	0x00, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x42, 0x0a, 0x0a, 0x61,
+	0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74,
+	0x69, 0x74, 0x79, 0x2e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e,
+	0x74, 0x72, 0x79, 0x52, 0x0a, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x1a,
+	0x3d, 0x0a, 0x0f, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74,
+	0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x10,
+	0x0a, 0x0e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x6f, 0x6e, 0x65, 0x6f, 0x66,
+	0x22, 0xfb, 0x04, 0x0a, 0x17, 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74,
+	0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x52, 0x65, 0x71, 0x12, 0x5b, 0x0a, 0x1b,
+	0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69,
+	0x74, 0x79, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x0e, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x48, 0x61, 0x6e,
+	0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x19,
+	0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74,
+	0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x33, 0x0a, 0x15, 0x61, 0x70, 0x70,
+	0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
+	0x6c, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x14, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x12, 0x29,
+	0x0a, 0x10, 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
+	0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64,
+	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x12, 0x3f, 0x0a, 0x11, 0x74, 0x61, 0x72,
+	0x67, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x04,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e,
+	0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x10, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74,
+	0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x39, 0x0a, 0x0e, 0x6c, 0x6f,
+	0x63, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x05, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x12, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x49, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x39, 0x0a, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x65,
+	0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e,
+	0x74, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+	0x12, 0x3b, 0x0a, 0x0f, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f,
+	0x69, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x67, 0x63, 0x70, 0x2e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x52, 0x0e, 0x72,
+	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x1f, 0x0a,
+	0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x40,
+	0x0a, 0x0c, 0x72, 0x70, 0x63, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x09,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e,
+	0x52, 0x70, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69,
+	0x6f, 0x6e, 0x73, 0x52, 0x0b, 0x72, 0x70, 0x63, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73,
+	0x12, 0x24, 0x0a, 0x0e, 0x6d, 0x61, 0x78, 0x5f, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x5f, 0x73, 0x69,
+	0x7a, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0c, 0x6d, 0x61, 0x78, 0x46, 0x72, 0x61,
+	0x6d, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x26, 0x0a, 0x0c, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73,
+	0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0x80, 0x01,
+	0x01, 0x52, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xaf,
+	0x01, 0x0a, 0x19, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61,
+	0x6b, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x65, 0x74, 0x65, 0x72, 0x73, 0x12, 0x29, 0x0a, 0x10,
+	0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73,
+	0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72,
+	0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x12, 0x3d, 0x0a, 0x10, 0x6c, 0x6f, 0x63, 0x61, 0x6c,
+	0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x12, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x49, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x1e, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0x80, 0x01, 0x01, 0x48, 0x00, 0x52, 0x05, 0x74, 0x6f,
+	0x6b, 0x65, 0x6e, 0x88, 0x01, 0x01, 0x42, 0x08, 0x0a, 0x06, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e,
+	0x22, 0xa5, 0x04, 0x0a, 0x17, 0x53, 0x74, 0x61, 0x72, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
+	0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x52, 0x65, 0x71, 0x12, 0x33, 0x0a, 0x15,
+	0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x14, 0x61, 0x70, 0x70,
+	0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
+	0x73, 0x12, 0x6d, 0x0a, 0x14, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x5f, 0x70,
+	0x61, 0x72, 0x61, 0x6d, 0x65, 0x74, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x3a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x53, 0x74, 0x61, 0x72, 0x74,
+	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x52,
+	0x65, 0x71, 0x2e, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x50, 0x61, 0x72, 0x61,
+	0x6d, 0x65, 0x74, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x13, 0x68, 0x61, 0x6e,
+	0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x65, 0x74, 0x65, 0x72, 0x73,
+	0x12, 0x19, 0x0a, 0x08, 0x69, 0x6e, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x0c, 0x52, 0x07, 0x69, 0x6e, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x39, 0x0a, 0x0e, 0x6c,
+	0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x45,
+	0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x45, 0x6e,
+	0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x3b, 0x0a, 0x0f, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65,
+	0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x12, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x45, 0x6e, 0x64, 0x70, 0x6f,
+	0x69, 0x6e, 0x74, 0x52, 0x0e, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f,
+	0x69, 0x6e, 0x74, 0x12, 0x40, 0x0a, 0x0c, 0x72, 0x70, 0x63, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69,
+	0x6f, 0x6e, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x67, 0x63, 0x70, 0x2e, 0x52, 0x70, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
+	0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x0b, 0x72, 0x70, 0x63, 0x56, 0x65, 0x72,
+	0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x24, 0x0a, 0x0e, 0x6d, 0x61, 0x78, 0x5f, 0x66, 0x72, 0x61,
+	0x6d, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0c, 0x6d,
+	0x61, 0x78, 0x46, 0x72, 0x61, 0x6d, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x1a, 0x6b, 0x0a, 0x18, 0x48,
+	0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x65, 0x74, 0x65,
+	0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x05, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x39, 0x0a, 0x05, 0x76, 0x61, 0x6c,
+	0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x67, 0x63, 0x70, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68,
+	0x61, 0x6b, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x65, 0x74, 0x65, 0x72, 0x73, 0x52, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x62, 0x0a, 0x17, 0x4e, 0x65, 0x78, 0x74,
+	0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+	0x52, 0x65, 0x71, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x6e, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x69, 0x6e, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x2c,
+	0x0a, 0x12, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x5f, 0x6c, 0x61, 0x74, 0x65, 0x6e, 0x63,
+	0x79, 0x5f, 0x6d, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x10, 0x6e, 0x65, 0x74, 0x77,
+	0x6f, 0x72, 0x6b, 0x4c, 0x61, 0x74, 0x65, 0x6e, 0x63, 0x79, 0x4d, 0x73, 0x22, 0xe5, 0x01, 0x0a,
+	0x0d, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x72, 0x52, 0x65, 0x71, 0x12, 0x46,
+	0x0a, 0x0c, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e,
+	0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x48, 0x61, 0x6e, 0x64, 0x73,
+	0x68, 0x61, 0x6b, 0x65, 0x52, 0x65, 0x71, 0x48, 0x00, 0x52, 0x0b, 0x63, 0x6c, 0x69, 0x65, 0x6e,
+	0x74, 0x53, 0x74, 0x61, 0x72, 0x74, 0x12, 0x46, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72,
+	0x5f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x67,
+	0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x53, 0x74, 0x61, 0x72, 0x74, 0x53, 0x65, 0x72,
+	0x76, 0x65, 0x72, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x52, 0x65, 0x71, 0x48,
+	0x00, 0x52, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x74, 0x61, 0x72, 0x74, 0x12, 0x37,
+	0x0a, 0x04, 0x6e, 0x65, 0x78, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x67,
+	0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x4e, 0x65, 0x78, 0x74, 0x48, 0x61, 0x6e, 0x64,
+	0x73, 0x68, 0x61, 0x6b, 0x65, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x48,
+	0x00, 0x52, 0x04, 0x6e, 0x65, 0x78, 0x74, 0x42, 0x0b, 0x0a, 0x09, 0x72, 0x65, 0x71, 0x5f, 0x6f,
+	0x6e, 0x65, 0x6f, 0x66, 0x22, 0x9a, 0x03, 0x0a, 0x10, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61,
+	0x6b, 0x65, 0x72, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x31, 0x0a, 0x14, 0x61, 0x70, 0x70,
+	0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
+	0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x27, 0x0a, 0x0f,
+	0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x50, 0x72, 0x6f,
+	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x19, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x64, 0x61, 0x74,
+	0x61, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x44, 0x61, 0x74, 0x61,
+	0x12, 0x37, 0x0a, 0x0d, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74,
+	0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67,
+	0x63, 0x70, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0c, 0x70, 0x65, 0x65,
+	0x72, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x39, 0x0a, 0x0e, 0x6c, 0x6f, 0x63,
+	0x61, 0x6c, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x12, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x49, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0d, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x74, 0x79, 0x12, 0x2a, 0x0a, 0x11, 0x6b, 0x65, 0x65, 0x70, 0x5f, 0x63, 0x68, 0x61,
+	0x6e, 0x6e, 0x65, 0x6c, 0x5f, 0x6f, 0x70, 0x65, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x0f, 0x6b, 0x65, 0x65, 0x70, 0x43, 0x68, 0x61, 0x6e, 0x6e, 0x65, 0x6c, 0x4f, 0x70, 0x65, 0x6e,
+	0x12, 0x49, 0x0a, 0x11, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x72, 0x70, 0x63, 0x5f, 0x76, 0x65, 0x72,
+	0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x67, 0x72,
+	0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x52, 0x70, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63,
+	0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x0f, 0x70, 0x65, 0x65, 0x72,
+	0x52, 0x70, 0x63, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x24, 0x0a, 0x0e, 0x6d,
+	0x61, 0x78, 0x5f, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x08, 0x20,
+	0x01, 0x28, 0x0d, 0x52, 0x0c, 0x6d, 0x61, 0x78, 0x46, 0x72, 0x61, 0x6d, 0x65, 0x53, 0x69, 0x7a,
+	0x65, 0x22, 0x40, 0x0a, 0x10, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x72, 0x53,
+	0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0d, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x65, 0x74,
+	0x61, 0x69, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x64, 0x65, 0x74, 0x61,
+	0x69, 0x6c, 0x73, 0x22, 0xbe, 0x01, 0x0a, 0x0e, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b,
+	0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x12, 0x1d, 0x0a, 0x0a, 0x6f, 0x75, 0x74, 0x5f, 0x66, 0x72,
+	0x61, 0x6d, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x6f, 0x75, 0x74, 0x46,
+	0x72, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x62, 0x79, 0x74, 0x65, 0x73, 0x5f, 0x63,
+	0x6f, 0x6e, 0x73, 0x75, 0x6d, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0d, 0x62,
+	0x79, 0x74, 0x65, 0x73, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6d, 0x65, 0x64, 0x12, 0x32, 0x0a, 0x06,
+	0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67,
+	0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b,
+	0x65, 0x72, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x52, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74,
+	0x12, 0x32, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x1a, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x48, 0x61, 0x6e, 0x64,
+	0x73, 0x68, 0x61, 0x6b, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x2a, 0x4a, 0x0a, 0x11, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b,
+	0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x22, 0x0a, 0x1e, 0x48, 0x41, 0x4e,
+	0x44, 0x53, 0x48, 0x41, 0x4b, 0x45, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f,
+	0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x07, 0x0a,
+	0x03, 0x54, 0x4c, 0x53, 0x10, 0x01, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4c, 0x54, 0x53, 0x10, 0x02,
+	0x2a, 0x45, 0x0a, 0x0f, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x50, 0x72, 0x6f, 0x74, 0x6f,
+	0x63, 0x6f, 0x6c, 0x12, 0x20, 0x0a, 0x1c, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x5f, 0x50,
+	0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46,
+	0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x01, 0x12, 0x07,
+	0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x02, 0x32, 0x5b, 0x0a, 0x11, 0x48, 0x61, 0x6e, 0x64, 0x73,
+	0x68, 0x61, 0x6b, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x46, 0x0a, 0x0b,
+	0x44, 0x6f, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x12, 0x17, 0x2e, 0x67, 0x72,
+	0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65,
+	0x72, 0x52, 0x65, 0x71, 0x1a, 0x18, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e,
+	0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x72, 0x52, 0x65, 0x73, 0x70, 0x22, 0x00,
+	0x28, 0x01, 0x30, 0x01, 0x42, 0x6b, 0x0a, 0x15, 0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x61, 0x6c, 0x74, 0x73, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x42, 0x0f, 0x48,
+	0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
+	0x5a, 0x3f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e,
+	0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74,
+	0x69, 0x61, 0x6c, 0x73, 0x2f, 0x61, 0x6c, 0x74, 0x73, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
+	0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x67, 0x63,
+	0x70, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_grpc_gcp_handshaker_proto_rawDescOnce sync.Once
@@ -1155,23 +1240,21 @@ func file_grpc_gcp_handshaker_proto_rawDescGZIP() []byte {
 var file_grpc_gcp_handshaker_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
 var file_grpc_gcp_handshaker_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
 var file_grpc_gcp_handshaker_proto_goTypes = []any{
-	(HandshakeProtocol)(0),               // 0: grpc.gcp.HandshakeProtocol
-	(NetworkProtocol)(0),                 // 1: grpc.gcp.NetworkProtocol
-	(*Endpoint)(nil),                     // 2: grpc.gcp.Endpoint
-	(*Identity)(nil),                     // 3: grpc.gcp.Identity
-	(*StartClientHandshakeReq)(nil),      // 4: grpc.gcp.StartClientHandshakeReq
-	(*ServerHandshakeParameters)(nil),    // 5: grpc.gcp.ServerHandshakeParameters
-	(*StartServerHandshakeReq)(nil),      // 6: grpc.gcp.StartServerHandshakeReq
-	(*NextHandshakeMessageReq)(nil),      // 7: grpc.gcp.NextHandshakeMessageReq
-	(*HandshakerReq)(nil),                // 8: grpc.gcp.HandshakerReq
-	(*HandshakerResult)(nil),             // 9: grpc.gcp.HandshakerResult
-	(*HandshakerStatus)(nil),             // 10: grpc.gcp.HandshakerStatus
-	(*HandshakerResp)(nil),               // 11: grpc.gcp.HandshakerResp
-	nil,                                  // 12: grpc.gcp.Identity.AttributesEntry
-	nil,                                  // 13: grpc.gcp.StartServerHandshakeReq.HandshakeParametersEntry
-	(*RpcProtocolVersions)(nil),          // 14: grpc.gcp.RpcProtocolVersions
-	(*TransportProtocolPreferences)(nil), // 15: grpc.gcp.TransportProtocolPreferences
-	(*NegotiatedTransportProtocol)(nil),  // 16: grpc.gcp.NegotiatedTransportProtocol
+	(HandshakeProtocol)(0),            // 0: grpc.gcp.HandshakeProtocol
+	(NetworkProtocol)(0),              // 1: grpc.gcp.NetworkProtocol
+	(*Endpoint)(nil),                  // 2: grpc.gcp.Endpoint
+	(*Identity)(nil),                  // 3: grpc.gcp.Identity
+	(*StartClientHandshakeReq)(nil),   // 4: grpc.gcp.StartClientHandshakeReq
+	(*ServerHandshakeParameters)(nil), // 5: grpc.gcp.ServerHandshakeParameters
+	(*StartServerHandshakeReq)(nil),   // 6: grpc.gcp.StartServerHandshakeReq
+	(*NextHandshakeMessageReq)(nil),   // 7: grpc.gcp.NextHandshakeMessageReq
+	(*HandshakerReq)(nil),             // 8: grpc.gcp.HandshakerReq
+	(*HandshakerResult)(nil),          // 9: grpc.gcp.HandshakerResult
+	(*HandshakerStatus)(nil),          // 10: grpc.gcp.HandshakerStatus
+	(*HandshakerResp)(nil),            // 11: grpc.gcp.HandshakerResp
+	nil,                               // 12: grpc.gcp.Identity.AttributesEntry
+	nil,                               // 13: grpc.gcp.StartServerHandshakeReq.HandshakeParametersEntry
+	(*RpcProtocolVersions)(nil),       // 14: grpc.gcp.RpcProtocolVersions
 }
 var file_grpc_gcp_handshaker_proto_depIdxs = []int32{
 	1,  // 0: grpc.gcp.Endpoint.protocol:type_name -> grpc.gcp.NetworkProtocol
@@ -1182,30 +1265,27 @@ var file_grpc_gcp_handshaker_proto_depIdxs = []int32{
 	2,  // 5: grpc.gcp.StartClientHandshakeReq.local_endpoint:type_name -> grpc.gcp.Endpoint
 	2,  // 6: grpc.gcp.StartClientHandshakeReq.remote_endpoint:type_name -> grpc.gcp.Endpoint
 	14, // 7: grpc.gcp.StartClientHandshakeReq.rpc_versions:type_name -> grpc.gcp.RpcProtocolVersions
-	15, // 8: grpc.gcp.StartClientHandshakeReq.transport_protocol_preferences:type_name -> grpc.gcp.TransportProtocolPreferences
-	3,  // 9: grpc.gcp.ServerHandshakeParameters.local_identities:type_name -> grpc.gcp.Identity
-	13, // 10: grpc.gcp.StartServerHandshakeReq.handshake_parameters:type_name -> grpc.gcp.StartServerHandshakeReq.HandshakeParametersEntry
-	2,  // 11: grpc.gcp.StartServerHandshakeReq.local_endpoint:type_name -> grpc.gcp.Endpoint
-	2,  // 12: grpc.gcp.StartServerHandshakeReq.remote_endpoint:type_name -> grpc.gcp.Endpoint
-	14, // 13: grpc.gcp.StartServerHandshakeReq.rpc_versions:type_name -> grpc.gcp.RpcProtocolVersions
-	15, // 14: grpc.gcp.StartServerHandshakeReq.transport_protocol_preferences:type_name -> grpc.gcp.TransportProtocolPreferences
-	4,  // 15: grpc.gcp.HandshakerReq.client_start:type_name -> grpc.gcp.StartClientHandshakeReq
-	6,  // 16: grpc.gcp.HandshakerReq.server_start:type_name -> grpc.gcp.StartServerHandshakeReq
-	7,  // 17: grpc.gcp.HandshakerReq.next:type_name -> grpc.gcp.NextHandshakeMessageReq
-	3,  // 18: grpc.gcp.HandshakerResult.peer_identity:type_name -> grpc.gcp.Identity
-	3,  // 19: grpc.gcp.HandshakerResult.local_identity:type_name -> grpc.gcp.Identity
-	14, // 20: grpc.gcp.HandshakerResult.peer_rpc_versions:type_name -> grpc.gcp.RpcProtocolVersions
-	16, // 21: grpc.gcp.HandshakerResult.transport_protocol:type_name -> grpc.gcp.NegotiatedTransportProtocol
-	9,  // 22: grpc.gcp.HandshakerResp.result:type_name -> grpc.gcp.HandshakerResult
-	10, // 23: grpc.gcp.HandshakerResp.status:type_name -> grpc.gcp.HandshakerStatus
-	5,  // 24: grpc.gcp.StartServerHandshakeReq.HandshakeParametersEntry.value:type_name -> grpc.gcp.ServerHandshakeParameters
-	8,  // 25: grpc.gcp.HandshakerService.DoHandshake:input_type -> grpc.gcp.HandshakerReq
-	11, // 26: grpc.gcp.HandshakerService.DoHandshake:output_type -> grpc.gcp.HandshakerResp
-	26, // [26:27] is the sub-list for method output_type
-	25, // [25:26] is the sub-list for method input_type
-	25, // [25:25] is the sub-list for extension type_name
-	25, // [25:25] is the sub-list for extension extendee
-	0,  // [0:25] is the sub-list for field type_name
+	3,  // 8: grpc.gcp.ServerHandshakeParameters.local_identities:type_name -> grpc.gcp.Identity
+	13, // 9: grpc.gcp.StartServerHandshakeReq.handshake_parameters:type_name -> grpc.gcp.StartServerHandshakeReq.HandshakeParametersEntry
+	2,  // 10: grpc.gcp.StartServerHandshakeReq.local_endpoint:type_name -> grpc.gcp.Endpoint
+	2,  // 11: grpc.gcp.StartServerHandshakeReq.remote_endpoint:type_name -> grpc.gcp.Endpoint
+	14, // 12: grpc.gcp.StartServerHandshakeReq.rpc_versions:type_name -> grpc.gcp.RpcProtocolVersions
+	4,  // 13: grpc.gcp.HandshakerReq.client_start:type_name -> grpc.gcp.StartClientHandshakeReq
+	6,  // 14: grpc.gcp.HandshakerReq.server_start:type_name -> grpc.gcp.StartServerHandshakeReq
+	7,  // 15: grpc.gcp.HandshakerReq.next:type_name -> grpc.gcp.NextHandshakeMessageReq
+	3,  // 16: grpc.gcp.HandshakerResult.peer_identity:type_name -> grpc.gcp.Identity
+	3,  // 17: grpc.gcp.HandshakerResult.local_identity:type_name -> grpc.gcp.Identity
+	14, // 18: grpc.gcp.HandshakerResult.peer_rpc_versions:type_name -> grpc.gcp.RpcProtocolVersions
+	9,  // 19: grpc.gcp.HandshakerResp.result:type_name -> grpc.gcp.HandshakerResult
+	10, // 20: grpc.gcp.HandshakerResp.status:type_name -> grpc.gcp.HandshakerStatus
+	5,  // 21: grpc.gcp.StartServerHandshakeReq.HandshakeParametersEntry.value:type_name -> grpc.gcp.ServerHandshakeParameters
+	8,  // 22: grpc.gcp.HandshakerService.DoHandshake:input_type -> grpc.gcp.HandshakerReq
+	11, // 23: grpc.gcp.HandshakerService.DoHandshake:output_type -> grpc.gcp.HandshakerResp
+	23, // [23:24] is the sub-list for method output_type
+	22, // [22:23] is the sub-list for method input_type
+	22, // [22:22] is the sub-list for extension type_name
+	22, // [22:22] is the sub-list for extension extendee
+	0,  // [0:22] is the sub-list for field type_name
 }
 
 func init() { file_grpc_gcp_handshaker_proto_init() }
diff --git a/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/transport_security_common.pb.go b/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/transport_security_common.pb.go
index cf48193cb2c..7c533bd6c0e 100644
--- a/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/transport_security_common.pb.go
+++ b/vendor/google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcp/transport_security_common.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.4
 // 	protoc        v5.27.1
 // source: grpc/gcp/transport_security_common.proto
 
@@ -144,97 +144,6 @@ func (x *RpcProtocolVersions) GetMinRpcVersion() *RpcProtocolVersions_Version {
 	return nil
 }
 
-// The ordered list of protocols that the client wishes to use, or the set
-// that the server supports.
-type TransportProtocolPreferences struct {
-	state             protoimpl.MessageState `protogen:"open.v1"`
-	TransportProtocol []string               `protobuf:"bytes,1,rep,name=transport_protocol,json=transportProtocol,proto3" json:"transport_protocol,omitempty"`
-	unknownFields     protoimpl.UnknownFields
-	sizeCache         protoimpl.SizeCache
-}
-
-func (x *TransportProtocolPreferences) Reset() {
-	*x = TransportProtocolPreferences{}
-	mi := &file_grpc_gcp_transport_security_common_proto_msgTypes[1]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *TransportProtocolPreferences) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*TransportProtocolPreferences) ProtoMessage() {}
-
-func (x *TransportProtocolPreferences) ProtoReflect() protoreflect.Message {
-	mi := &file_grpc_gcp_transport_security_common_proto_msgTypes[1]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use TransportProtocolPreferences.ProtoReflect.Descriptor instead.
-func (*TransportProtocolPreferences) Descriptor() ([]byte, []int) {
-	return file_grpc_gcp_transport_security_common_proto_rawDescGZIP(), []int{1}
-}
-
-func (x *TransportProtocolPreferences) GetTransportProtocol() []string {
-	if x != nil {
-		return x.TransportProtocol
-	}
-	return nil
-}
-
-// The negotiated transport protocol.
-type NegotiatedTransportProtocol struct {
-	state             protoimpl.MessageState `protogen:"open.v1"`
-	TransportProtocol string                 `protobuf:"bytes,1,opt,name=transport_protocol,json=transportProtocol,proto3" json:"transport_protocol,omitempty"`
-	unknownFields     protoimpl.UnknownFields
-	sizeCache         protoimpl.SizeCache
-}
-
-func (x *NegotiatedTransportProtocol) Reset() {
-	*x = NegotiatedTransportProtocol{}
-	mi := &file_grpc_gcp_transport_security_common_proto_msgTypes[2]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *NegotiatedTransportProtocol) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*NegotiatedTransportProtocol) ProtoMessage() {}
-
-func (x *NegotiatedTransportProtocol) ProtoReflect() protoreflect.Message {
-	mi := &file_grpc_gcp_transport_security_common_proto_msgTypes[2]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use NegotiatedTransportProtocol.ProtoReflect.Descriptor instead.
-func (*NegotiatedTransportProtocol) Descriptor() ([]byte, []int) {
-	return file_grpc_gcp_transport_security_common_proto_rawDescGZIP(), []int{2}
-}
-
-func (x *NegotiatedTransportProtocol) GetTransportProtocol() string {
-	if x != nil {
-		return x.TransportProtocol
-	}
-	return ""
-}
-
 // RPC version contains a major version and a minor version.
 type RpcProtocolVersions_Version struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
@@ -246,7 +155,7 @@ type RpcProtocolVersions_Version struct {
 
 func (x *RpcProtocolVersions_Version) Reset() {
 	*x = RpcProtocolVersions_Version{}
-	mi := &file_grpc_gcp_transport_security_common_proto_msgTypes[3]
+	mi := &file_grpc_gcp_transport_security_common_proto_msgTypes[1]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -258,7 +167,7 @@ func (x *RpcProtocolVersions_Version) String() string {
 func (*RpcProtocolVersions_Version) ProtoMessage() {}
 
 func (x *RpcProtocolVersions_Version) ProtoReflect() protoreflect.Message {
-	mi := &file_grpc_gcp_transport_security_common_proto_msgTypes[3]
+	mi := &file_grpc_gcp_transport_security_common_proto_msgTypes[1]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -290,24 +199,40 @@ func (x *RpcProtocolVersions_Version) GetMinor() uint32 {
 
 var File_grpc_gcp_transport_security_common_proto protoreflect.FileDescriptor
 
-const file_grpc_gcp_transport_security_common_proto_rawDesc = "" +
-	"\n" +
-	"(grpc/gcp/transport_security_common.proto\x12\bgrpc.gcp\"\xea\x01\n" +
-	"\x13RpcProtocolVersions\x12M\n" +
-	"\x0fmax_rpc_version\x18\x01 \x01(\v2%.grpc.gcp.RpcProtocolVersions.VersionR\rmaxRpcVersion\x12M\n" +
-	"\x0fmin_rpc_version\x18\x02 \x01(\v2%.grpc.gcp.RpcProtocolVersions.VersionR\rminRpcVersion\x1a5\n" +
-	"\aVersion\x12\x14\n" +
-	"\x05major\x18\x01 \x01(\rR\x05major\x12\x14\n" +
-	"\x05minor\x18\x02 \x01(\rR\x05minor\"M\n" +
-	"\x1cTransportProtocolPreferences\x12-\n" +
-	"\x12transport_protocol\x18\x01 \x03(\tR\x11transportProtocol\"L\n" +
-	"\x1bNegotiatedTransportProtocol\x12-\n" +
-	"\x12transport_protocol\x18\x01 \x01(\tR\x11transportProtocol*Q\n" +
-	"\rSecurityLevel\x12\x11\n" +
-	"\rSECURITY_NONE\x10\x00\x12\x12\n" +
-	"\x0eINTEGRITY_ONLY\x10\x01\x12\x19\n" +
-	"\x15INTEGRITY_AND_PRIVACY\x10\x02Bx\n" +
-	"\x15io.grpc.alts.internalB\x1cTransportSecurityCommonProtoP\x01Z?google.golang.org/grpc/credentials/alts/internal/proto/grpc_gcpb\x06proto3"
+var file_grpc_gcp_transport_security_common_proto_rawDesc = string([]byte{
+	0x0a, 0x28, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x67, 0x63, 0x70, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73,
+	0x70, 0x6f, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x5f, 0x63, 0x6f,
+	0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x67, 0x63, 0x70, 0x22, 0xea, 0x01, 0x0a, 0x13, 0x52, 0x70, 0x63, 0x50, 0x72, 0x6f, 0x74,
+	0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x4d, 0x0a, 0x0f,
+	0x6d, 0x61, 0x78, 0x5f, 0x72, 0x70, 0x63, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70,
+	0x2e, 0x52, 0x70, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73,
+	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x61,
+	0x78, 0x52, 0x70, 0x63, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x4d, 0x0a, 0x0f, 0x6d,
+	0x69, 0x6e, 0x5f, 0x72, 0x70, 0x63, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x67, 0x63, 0x70, 0x2e,
+	0x52, 0x70, 0x63, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69,
+	0x6f, 0x6e, 0x73, 0x2e, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x69, 0x6e,
+	0x52, 0x70, 0x63, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x1a, 0x35, 0x0a, 0x07, 0x56, 0x65,
+	0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x6d, 0x61, 0x6a, 0x6f, 0x72, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x6d, 0x61, 0x6a, 0x6f, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x6d,
+	0x69, 0x6e, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x6d, 0x69, 0x6e, 0x6f,
+	0x72, 0x2a, 0x51, 0x0a, 0x0d, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x4c, 0x65, 0x76,
+	0x65, 0x6c, 0x12, 0x11, 0x0a, 0x0d, 0x53, 0x45, 0x43, 0x55, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x4e,
+	0x4f, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x12, 0x0a, 0x0e, 0x49, 0x4e, 0x54, 0x45, 0x47, 0x52, 0x49,
+	0x54, 0x59, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x49, 0x4e, 0x54,
+	0x45, 0x47, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x41, 0x4e, 0x44, 0x5f, 0x50, 0x52, 0x49, 0x56, 0x41,
+	0x43, 0x59, 0x10, 0x02, 0x42, 0x78, 0x0a, 0x15, 0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x61, 0x6c, 0x74, 0x73, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x42, 0x1c, 0x54,
+	0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79,
+	0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3f, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67,
+	0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c,
+	0x73, 0x2f, 0x61, 0x6c, 0x74, 0x73, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x67, 0x63, 0x70, 0x62, 0x06,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_grpc_gcp_transport_security_common_proto_rawDescOnce sync.Once
@@ -322,17 +247,15 @@ func file_grpc_gcp_transport_security_common_proto_rawDescGZIP() []byte {
 }
 
 var file_grpc_gcp_transport_security_common_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_grpc_gcp_transport_security_common_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
+var file_grpc_gcp_transport_security_common_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
 var file_grpc_gcp_transport_security_common_proto_goTypes = []any{
-	(SecurityLevel)(0),                   // 0: grpc.gcp.SecurityLevel
-	(*RpcProtocolVersions)(nil),          // 1: grpc.gcp.RpcProtocolVersions
-	(*TransportProtocolPreferences)(nil), // 2: grpc.gcp.TransportProtocolPreferences
-	(*NegotiatedTransportProtocol)(nil),  // 3: grpc.gcp.NegotiatedTransportProtocol
-	(*RpcProtocolVersions_Version)(nil),  // 4: grpc.gcp.RpcProtocolVersions.Version
+	(SecurityLevel)(0),                  // 0: grpc.gcp.SecurityLevel
+	(*RpcProtocolVersions)(nil),         // 1: grpc.gcp.RpcProtocolVersions
+	(*RpcProtocolVersions_Version)(nil), // 2: grpc.gcp.RpcProtocolVersions.Version
 }
 var file_grpc_gcp_transport_security_common_proto_depIdxs = []int32{
-	4, // 0: grpc.gcp.RpcProtocolVersions.max_rpc_version:type_name -> grpc.gcp.RpcProtocolVersions.Version
-	4, // 1: grpc.gcp.RpcProtocolVersions.min_rpc_version:type_name -> grpc.gcp.RpcProtocolVersions.Version
+	2, // 0: grpc.gcp.RpcProtocolVersions.max_rpc_version:type_name -> grpc.gcp.RpcProtocolVersions.Version
+	2, // 1: grpc.gcp.RpcProtocolVersions.min_rpc_version:type_name -> grpc.gcp.RpcProtocolVersions.Version
 	2, // [2:2] is the sub-list for method output_type
 	2, // [2:2] is the sub-list for method input_type
 	2, // [2:2] is the sub-list for extension type_name
@@ -351,7 +274,7 @@ func file_grpc_gcp_transport_security_common_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_grpc_gcp_transport_security_common_proto_rawDesc), len(file_grpc_gcp_transport_security_common_proto_rawDesc)),
 			NumEnums:      1,
-			NumMessages:   4,
+			NumMessages:   2,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go
index a63ab606e66..665e790bb0f 100644
--- a/vendor/google.golang.org/grpc/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/credentials/credentials.go
@@ -120,20 +120,6 @@ type AuthInfo interface {
 	AuthType() string
 }
 
-// AuthorityValidator validates the authority used to override the `:authority`
-// header. This is an optional interface that implementations of AuthInfo can
-// implement if they support per-RPC authority overrides. It is invoked when the
-// application attempts to override the HTTP/2 `:authority` header using the
-// CallAuthority call option.
-type AuthorityValidator interface {
-	// ValidateAuthority checks the authority value used to override the
-	// `:authority` header. The authority parameter is the override value
-	// provided by the application via the CallAuthority option. This value
-	// typically corresponds to the server hostname or endpoint the RPC is
-	// targeting. It returns non-nil error if the validation fails.
-	ValidateAuthority(authority string) error
-}
-
 // ErrConnDispatched indicates that rawConn has been dispatched out of gRPC
 // and the caller should not close rawConn.
 var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
@@ -221,32 +207,14 @@ type RequestInfo struct {
 	AuthInfo AuthInfo
 }
 
-// requestInfoKey is a struct to be used as the key to store RequestInfo in a
-// context.
-type requestInfoKey struct{}
-
 // RequestInfoFromContext extracts the RequestInfo from the context if it exists.
 //
 // This API is experimental.
 func RequestInfoFromContext(ctx context.Context) (ri RequestInfo, ok bool) {
-	ri, ok = ctx.Value(requestInfoKey{}).(RequestInfo)
+	ri, ok = icredentials.RequestInfoFromContext(ctx).(RequestInfo)
 	return ri, ok
 }
 
-// NewContextWithRequestInfo creates a new context from ctx and attaches ri to it.
-//
-// This RequestInfo will be accessible via RequestInfoFromContext.
-//
-// Intended to be used from tests for PerRPCCredentials implementations (that
-// often need to check connection's SecurityLevel). Should not be used from
-// non-test code: the gRPC client already prepares a context with the correct
-// RequestInfo attached when calling PerRPCCredentials.GetRequestMetadata.
-//
-// This API is experimental.
-func NewContextWithRequestInfo(ctx context.Context, ri RequestInfo) context.Context {
-	return context.WithValue(ctx, requestInfoKey{}, ri)
-}
-
 // ClientHandshakeInfo holds data to be passed to ClientHandshake. This makes
 // it possible to pass arbitrary data to the handshaker from gRPC, resolver,
 // balancer etc. Individual credential implementations control the actual
diff --git a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
index 93156c0f345..4c805c64462 100644
--- a/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
+++ b/vendor/google.golang.org/grpc/credentials/insecure/insecure.go
@@ -30,7 +30,7 @@ import (
 // NewCredentials returns a credentials which disables transport security.
 //
 // Note that using this credentials with per-RPC credentials which require
-// transport security is incompatible and will cause RPCs to fail.
+// transport security is incompatible and will cause grpc.Dial() to fail.
 func NewCredentials() credentials.TransportCredentials {
 	return insecureTC{}
 }
@@ -71,12 +71,6 @@ func (info) AuthType() string {
 	return "insecure"
 }
 
-// ValidateAuthority allows any value to be overridden for the :authority
-// header.
-func (info) ValidateAuthority(string) error {
-	return nil
-}
-
 // insecureBundle implements an insecure bundle.
 // An insecure bundle provides a thin wrapper around insecureTC to support
 // the credentials.Bundle interface.
diff --git a/vendor/google.golang.org/grpc/credentials/tls.go b/vendor/google.golang.org/grpc/credentials/tls.go
index 20f65f7bd95..bd5fe22b6af 100644
--- a/vendor/google.golang.org/grpc/credentials/tls.go
+++ b/vendor/google.golang.org/grpc/credentials/tls.go
@@ -22,7 +22,6 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
 	"fmt"
 	"net"
 	"net/url"
@@ -51,21 +50,6 @@ func (t TLSInfo) AuthType() string {
 	return "tls"
 }
 
-// ValidateAuthority validates the provided authority being used to override the
-// :authority header by verifying it against the peer certificates. It returns a
-// non-nil error if the validation fails.
-func (t TLSInfo) ValidateAuthority(authority string) error {
-	var errs []error
-	for _, cert := range t.State.PeerCertificates {
-		var err error
-		if err = cert.VerifyHostname(authority); err == nil {
-			return nil
-		}
-		errs = append(errs, err)
-	}
-	return fmt.Errorf("credentials: invalid authority %q: %v", authority, errors.Join(errs...))
-}
-
 // cipherSuiteLookup returns the string version of a TLS cipher suite ID.
 func cipherSuiteLookup(cipherSuiteID uint16) string {
 	for _, s := range tls.CipherSuites() {
diff --git a/vendor/google.golang.org/grpc/credentials/tls/certprovider/pemfile/builder.go b/vendor/google.golang.org/grpc/credentials/tls/certprovider/pemfile/builder.go
index a7f2f79106b..ad4207892b7 100644
--- a/vendor/google.golang.org/grpc/credentials/tls/certprovider/pemfile/builder.go
+++ b/vendor/google.golang.org/grpc/credentials/tls/certprovider/pemfile/builder.go
@@ -24,7 +24,6 @@ import (
 	"time"
 
 	"google.golang.org/grpc/credentials/tls/certprovider"
-	"google.golang.org/grpc/internal/envconfig"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/durationpb"
 )
@@ -64,24 +63,19 @@ func pluginConfigFromJSON(jd json.RawMessage) (Options, error) {
 	// is that the refresh_interval is represented here as a duration proto,
 	// while in the latter a time.Duration is used.
 	cfg := &struct {
-		CertificateFile          string          `json:"certificate_file,omitempty"`
-		PrivateKeyFile           string          `json:"private_key_file,omitempty"`
-		CACertificateFile        string          `json:"ca_certificate_file,omitempty"`
-		SPIFFETrustBundleMapFile string          `json:"spiffe_trust_bundle_map_file,omitempty"`
-		RefreshInterval          json.RawMessage `json:"refresh_interval,omitempty"`
+		CertificateFile   string          `json:"certificate_file,omitempty"`
+		PrivateKeyFile    string          `json:"private_key_file,omitempty"`
+		CACertificateFile string          `json:"ca_certificate_file,omitempty"`
+		RefreshInterval   json.RawMessage `json:"refresh_interval,omitempty"`
 	}{}
 	if err := json.Unmarshal(jd, cfg); err != nil {
 		return Options{}, fmt.Errorf("pemfile: json.Unmarshal(%s) failed: %v", string(jd), err)
 	}
-	if !envconfig.XDSSPIFFEEnabled {
-		cfg.SPIFFETrustBundleMapFile = ""
-	}
 
 	opts := Options{
-		CertFile:            cfg.CertificateFile,
-		KeyFile:             cfg.PrivateKeyFile,
-		RootFile:            cfg.CACertificateFile,
-		SPIFFEBundleMapFile: cfg.SPIFFETrustBundleMapFile,
+		CertFile: cfg.CertificateFile,
+		KeyFile:  cfg.PrivateKeyFile,
+		RootFile: cfg.CACertificateFile,
 		// Refresh interval is the only field in the configuration for which we
 		// support a default value. We cannot possibly have valid defaults for
 		// file paths to watch. Also, it is valid to specify an empty path for
diff --git a/vendor/google.golang.org/grpc/credentials/tls/certprovider/pemfile/watcher.go b/vendor/google.golang.org/grpc/credentials/tls/certprovider/pemfile/watcher.go
index bc9c545a7bf..7ed5c53ba40 100644
--- a/vendor/google.golang.org/grpc/credentials/tls/certprovider/pemfile/watcher.go
+++ b/vendor/google.golang.org/grpc/credentials/tls/certprovider/pemfile/watcher.go
@@ -38,7 +38,6 @@ import (
 
 	"google.golang.org/grpc/credentials/tls/certprovider"
 	"google.golang.org/grpc/grpclog"
-	"google.golang.org/grpc/internal/credentials/spiffe"
 )
 
 const defaultCertRefreshDuration = 1 * time.Hour
@@ -62,11 +61,6 @@ type Options struct {
 	// RootFile is the file that holds trusted root certificate(s).
 	// Optional.
 	RootFile string
-	// SPIFFEBundleMapFile is the file that holds the spiffe bundle map.
-	// If a given provider configures both the RootFile and the
-	// SPIFFEBundleMapFile, the SPIFFEBundleMapFile will be preferred.
-	// Optional.
-	SPIFFEBundleMapFile string
 	// RefreshDuration is the amount of time the plugin waits before checking
 	// for updates in the specified files.
 	// Optional. If not set, a default value (1 hour) will be used.
@@ -74,11 +68,11 @@ type Options struct {
 }
 
 func (o Options) canonical() []byte {
-	return []byte(fmt.Sprintf("%s:%s:%s:%s:%s", o.CertFile, o.KeyFile, o.RootFile, o.SPIFFEBundleMapFile, o.RefreshDuration))
+	return []byte(fmt.Sprintf("%s:%s:%s:%s", o.CertFile, o.KeyFile, o.RootFile, o.RefreshDuration))
 }
 
 func (o Options) validate() error {
-	if o.CertFile == "" && o.KeyFile == "" && o.RootFile == "" && o.SPIFFEBundleMapFile == "" {
+	if o.CertFile == "" && o.KeyFile == "" && o.RootFile == "" {
 		return fmt.Errorf("pemfile: at least one credential file needs to be specified")
 	}
 	if keySpecified, certSpecified := o.KeyFile != "", o.CertFile != ""; keySpecified != certSpecified {
@@ -115,7 +109,7 @@ func newProvider(o Options) certprovider.Provider {
 	if o.CertFile != "" && o.KeyFile != "" {
 		provider.identityDistributor = newDistributor()
 	}
-	if o.RootFile != "" || o.SPIFFEBundleMapFile != "" {
+	if o.RootFile != "" {
 		provider.rootDistributor = newDistributor()
 	}
 
@@ -130,14 +124,13 @@ func newProvider(o Options) certprovider.Provider {
 // files and provides the most up-to-date key material for consumption by
 // credentials implementation.
 type watcher struct {
-	identityDistributor         distributor
-	rootDistributor             distributor
-	opts                        Options
-	certFileContents            []byte
-	keyFileContents             []byte
-	rootFileContents            []byte
-	spiffeBundleMapFileContents []byte
-	cancel                      context.CancelFunc
+	identityDistributor distributor
+	rootDistributor     distributor
+	opts                Options
+	certFileContents    []byte
+	keyFileContents     []byte
+	rootFileContents    []byte
+	cancel              context.CancelFunc
 }
 
 // distributor wraps the methods on certprovider.Distributor which are used by
@@ -198,35 +191,6 @@ func (w *watcher) updateRootDistributor() {
 		return
 	}
 
-	// If SPIFFEBundleMap is set, use it and DON'T use the RootFile, even if it
-	// fails
-	if w.opts.SPIFFEBundleMapFile != "" {
-		w.maybeUpdateSPIFFEBundleMap()
-	} else {
-		w.maybeUpdateRootFile()
-	}
-}
-
-func (w *watcher) maybeUpdateSPIFFEBundleMap() {
-	spiffeBundleMapContents, err := os.ReadFile(w.opts.SPIFFEBundleMapFile)
-	if err != nil {
-		logger.Warningf("spiffeBundleMapFile (%s) read failed: %v", w.opts.SPIFFEBundleMapFile, err)
-		return
-	}
-	// If the file contents have not changed, skip updating the distributor.
-	if bytes.Equal(w.spiffeBundleMapFileContents, spiffeBundleMapContents) {
-		return
-	}
-	bundleMap, err := spiffe.BundleMapFromBytes(spiffeBundleMapContents)
-	if err != nil {
-		logger.Warning("Failed to parse spiffe bundle map")
-		return
-	}
-	w.spiffeBundleMapFileContents = spiffeBundleMapContents
-	w.rootDistributor.Set(&certprovider.KeyMaterial{SPIFFEBundleMap: bundleMap}, nil)
-}
-
-func (w *watcher) maybeUpdateRootFile() {
 	rootFileContents, err := os.ReadFile(w.opts.RootFile)
 	if err != nil {
 		logger.Warningf("rootFile (%s) read failed: %v", w.opts.RootFile, err)
@@ -234,7 +198,7 @@ func (w *watcher) maybeUpdateRootFile() {
 	}
 	trustPool := x509.NewCertPool()
 	if !trustPool.AppendCertsFromPEM(rootFileContents) {
-		logger.Warning("Failed to parse root certificate")
+		logger.Warning("failed to parse root certificate")
 		return
 	}
 	// If the file contents have not changed, skip updating the distributor.
@@ -285,7 +249,6 @@ func (w *watcher) KeyMaterial(ctx context.Context) (*certprovider.KeyMaterial, e
 		if err != nil {
 			return nil, err
 		}
-		km.SPIFFEBundleMap = rootKM.SPIFFEBundleMap
 		km.Roots = rootKM.Roots
 	}
 	return km, nil
diff --git a/vendor/google.golang.org/grpc/credentials/tls/certprovider/provider.go b/vendor/google.golang.org/grpc/credentials/tls/certprovider/provider.go
index c415b82401e..07ba05b1074 100644
--- a/vendor/google.golang.org/grpc/credentials/tls/certprovider/provider.go
+++ b/vendor/google.golang.org/grpc/credentials/tls/certprovider/provider.go
@@ -30,7 +30,6 @@ import (
 	"crypto/x509"
 	"errors"
 
-	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
 	"google.golang.org/grpc/internal"
 )
 
@@ -94,12 +93,7 @@ type KeyMaterial struct {
 	// Certs contains a slice of cert/key pairs used to prove local identity.
 	Certs []tls.Certificate
 	// Roots contains the set of trusted roots to validate the peer's identity.
-	// This field will only be used if the `SPIFFEBundleMap` field is unset.
 	Roots *x509.CertPool
-	// SPIFFEBundleMap is an in-memory representation of a spiffe trust bundle
-	// map. If this value exists, it will be used to find the roots for a given
-	// trust domain rather than the Roots in this struct.
-	SPIFFEBundleMap map[string]*spiffebundle.Bundle
 }
 
 // BuildOptions contains parameters passed to a Provider at build time.
diff --git a/vendor/google.golang.org/grpc/dialoptions.go b/vendor/google.golang.org/grpc/dialoptions.go
index 050ba0f1611..405a2ffeb39 100644
--- a/vendor/google.golang.org/grpc/dialoptions.go
+++ b/vendor/google.golang.org/grpc/dialoptions.go
@@ -360,7 +360,7 @@ func WithReturnConnectionError() DialOption {
 //
 // Note that using this DialOption with per-RPC credentials (through
 // WithCredentialsBundle or WithPerRPCCredentials) which require transport
-// security is incompatible and will cause RPCs to fail.
+// security is incompatible and will cause grpc.Dial() to fail.
 //
 // Deprecated: use WithTransportCredentials and insecure.NewCredentials()
 // instead. Will be supported throughout 1.x.
diff --git a/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go b/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
index 22d263fb94b..94177b05c2d 100644
--- a/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
+++ b/vendor/google.golang.org/grpc/health/grpc_health_v1/health.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.4
 // 	protoc        v5.27.1
 // source: grpc/health/v1/health.proto
 
@@ -178,112 +178,46 @@ func (x *HealthCheckResponse) GetStatus() HealthCheckResponse_ServingStatus {
 	return HealthCheckResponse_UNKNOWN
 }
 
-type HealthListRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *HealthListRequest) Reset() {
-	*x = HealthListRequest{}
-	mi := &file_grpc_health_v1_health_proto_msgTypes[2]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *HealthListRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*HealthListRequest) ProtoMessage() {}
-
-func (x *HealthListRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_grpc_health_v1_health_proto_msgTypes[2]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use HealthListRequest.ProtoReflect.Descriptor instead.
-func (*HealthListRequest) Descriptor() ([]byte, []int) {
-	return file_grpc_health_v1_health_proto_rawDescGZIP(), []int{2}
-}
-
-type HealthListResponse struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// statuses contains all the services and their respective status.
-	Statuses      map[string]*HealthCheckResponse `protobuf:"bytes,1,rep,name=statuses,proto3" json:"statuses,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *HealthListResponse) Reset() {
-	*x = HealthListResponse{}
-	mi := &file_grpc_health_v1_health_proto_msgTypes[3]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *HealthListResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*HealthListResponse) ProtoMessage() {}
-
-func (x *HealthListResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_grpc_health_v1_health_proto_msgTypes[3]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use HealthListResponse.ProtoReflect.Descriptor instead.
-func (*HealthListResponse) Descriptor() ([]byte, []int) {
-	return file_grpc_health_v1_health_proto_rawDescGZIP(), []int{3}
-}
-
-func (x *HealthListResponse) GetStatuses() map[string]*HealthCheckResponse {
-	if x != nil {
-		return x.Statuses
-	}
-	return nil
-}
-
 var File_grpc_health_v1_health_proto protoreflect.FileDescriptor
 
-const file_grpc_health_v1_health_proto_rawDesc = "" +
-	"\n" +
-	"\x1bgrpc/health/v1/health.proto\x12\x0egrpc.health.v1\".\n" +
-	"\x12HealthCheckRequest\x12\x18\n" +
-	"\aservice\x18\x01 \x01(\tR\aservice\"\xb1\x01\n" +
-	"\x13HealthCheckResponse\x12I\n" +
-	"\x06status\x18\x01 \x01(\x0e21.grpc.health.v1.HealthCheckResponse.ServingStatusR\x06status\"O\n" +
-	"\rServingStatus\x12\v\n" +
-	"\aUNKNOWN\x10\x00\x12\v\n" +
-	"\aSERVING\x10\x01\x12\x0f\n" +
-	"\vNOT_SERVING\x10\x02\x12\x13\n" +
-	"\x0fSERVICE_UNKNOWN\x10\x03\"\x13\n" +
-	"\x11HealthListRequest\"\xc4\x01\n" +
-	"\x12HealthListResponse\x12L\n" +
-	"\bstatuses\x18\x01 \x03(\v20.grpc.health.v1.HealthListResponse.StatusesEntryR\bstatuses\x1a`\n" +
-	"\rStatusesEntry\x12\x10\n" +
-	"\x03key\x18\x01 \x01(\tR\x03key\x129\n" +
-	"\x05value\x18\x02 \x01(\v2#.grpc.health.v1.HealthCheckResponseR\x05value:\x028\x012\xfd\x01\n" +
-	"\x06Health\x12P\n" +
-	"\x05Check\x12\".grpc.health.v1.HealthCheckRequest\x1a#.grpc.health.v1.HealthCheckResponse\x12M\n" +
-	"\x04List\x12!.grpc.health.v1.HealthListRequest\x1a\".grpc.health.v1.HealthListResponse\x12R\n" +
-	"\x05Watch\x12\".grpc.health.v1.HealthCheckRequest\x1a#.grpc.health.v1.HealthCheckResponse0\x01Bp\n" +
-	"\x11io.grpc.health.v1B\vHealthProtoP\x01Z,google.golang.org/grpc/health/grpc_health_v1\xa2\x02\fGrpcHealthV1\xaa\x02\x0eGrpc.Health.V1b\x06proto3"
+var file_grpc_health_v1_health_proto_rawDesc = string([]byte{
+	0x0a, 0x1b, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2f, 0x76, 0x31,
+	0x2f, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0e, 0x67,
+	0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x22, 0x2e, 0x0a,
+	0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x22, 0xb1, 0x01,
+	0x0a, 0x13, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x49, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61,
+	0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65,
+	0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69,
+	0x6e, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
+	0x22, 0x4f, 0x0a, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x6e, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75,
+	0x73, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0b,
+	0x0a, 0x07, 0x53, 0x45, 0x52, 0x56, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x4e,
+	0x4f, 0x54, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x49, 0x4e, 0x47, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f,
+	0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
+	0x03, 0x32, 0xae, 0x01, 0x0a, 0x06, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x12, 0x50, 0x0a, 0x05,
+	0x43, 0x68, 0x65, 0x63, 0x6b, 0x12, 0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65, 0x61,
+	0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65,
+	0x63, 0x6b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74,
+	0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x52,
+	0x0a, 0x05, 0x57, 0x61, 0x74, 0x63, 0x68, 0x12, 0x22, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68,
+	0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43,
+	0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x67, 0x72,
+	0x70, 0x63, 0x2e, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x65, 0x61,
+	0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x30, 0x01, 0x42, 0x70, 0x0a, 0x11, 0x69, 0x6f, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x68, 0x65,
+	0x61, 0x6c, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x42, 0x0b, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x50,
+	0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67,
+	0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x68,
+	0x65, 0x61, 0x6c, 0x74, 0x68, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x68, 0x65, 0x61, 0x6c, 0x74,
+	0x68, 0x5f, 0x76, 0x31, 0xa2, 0x02, 0x0c, 0x47, 0x72, 0x70, 0x63, 0x48, 0x65, 0x61, 0x6c, 0x74,
+	0x68, 0x56, 0x31, 0xaa, 0x02, 0x0e, 0x47, 0x72, 0x70, 0x63, 0x2e, 0x48, 0x65, 0x61, 0x6c, 0x74,
+	0x68, 0x2e, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_grpc_health_v1_health_proto_rawDescOnce sync.Once
@@ -298,30 +232,23 @@ func file_grpc_health_v1_health_proto_rawDescGZIP() []byte {
 }
 
 var file_grpc_health_v1_health_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_grpc_health_v1_health_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_grpc_health_v1_health_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
 var file_grpc_health_v1_health_proto_goTypes = []any{
 	(HealthCheckResponse_ServingStatus)(0), // 0: grpc.health.v1.HealthCheckResponse.ServingStatus
 	(*HealthCheckRequest)(nil),             // 1: grpc.health.v1.HealthCheckRequest
 	(*HealthCheckResponse)(nil),            // 2: grpc.health.v1.HealthCheckResponse
-	(*HealthListRequest)(nil),              // 3: grpc.health.v1.HealthListRequest
-	(*HealthListResponse)(nil),             // 4: grpc.health.v1.HealthListResponse
-	nil,                                    // 5: grpc.health.v1.HealthListResponse.StatusesEntry
 }
 var file_grpc_health_v1_health_proto_depIdxs = []int32{
 	0, // 0: grpc.health.v1.HealthCheckResponse.status:type_name -> grpc.health.v1.HealthCheckResponse.ServingStatus
-	5, // 1: grpc.health.v1.HealthListResponse.statuses:type_name -> grpc.health.v1.HealthListResponse.StatusesEntry
-	2, // 2: grpc.health.v1.HealthListResponse.StatusesEntry.value:type_name -> grpc.health.v1.HealthCheckResponse
-	1, // 3: grpc.health.v1.Health.Check:input_type -> grpc.health.v1.HealthCheckRequest
-	3, // 4: grpc.health.v1.Health.List:input_type -> grpc.health.v1.HealthListRequest
-	1, // 5: grpc.health.v1.Health.Watch:input_type -> grpc.health.v1.HealthCheckRequest
-	2, // 6: grpc.health.v1.Health.Check:output_type -> grpc.health.v1.HealthCheckResponse
-	4, // 7: grpc.health.v1.Health.List:output_type -> grpc.health.v1.HealthListResponse
-	2, // 8: grpc.health.v1.Health.Watch:output_type -> grpc.health.v1.HealthCheckResponse
-	6, // [6:9] is the sub-list for method output_type
-	3, // [3:6] is the sub-list for method input_type
-	3, // [3:3] is the sub-list for extension type_name
-	3, // [3:3] is the sub-list for extension extendee
-	0, // [0:3] is the sub-list for field type_name
+	1, // 1: grpc.health.v1.Health.Check:input_type -> grpc.health.v1.HealthCheckRequest
+	1, // 2: grpc.health.v1.Health.Watch:input_type -> grpc.health.v1.HealthCheckRequest
+	2, // 3: grpc.health.v1.Health.Check:output_type -> grpc.health.v1.HealthCheckResponse
+	2, // 4: grpc.health.v1.Health.Watch:output_type -> grpc.health.v1.HealthCheckResponse
+	3, // [3:5] is the sub-list for method output_type
+	1, // [1:3] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
 }
 
 func init() { file_grpc_health_v1_health_proto_init() }
@@ -335,7 +262,7 @@ func file_grpc_health_v1_health_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_grpc_health_v1_health_proto_rawDesc), len(file_grpc_health_v1_health_proto_rawDesc)),
 			NumEnums:      1,
-			NumMessages:   5,
+			NumMessages:   2,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go b/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
index 93136610ec6..f96b8ab4927 100644
--- a/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
+++ b/vendor/google.golang.org/grpc/health/grpc_health_v1/health_grpc.pb.go
@@ -37,7 +37,6 @@ const _ = grpc.SupportPackageIsVersion9
 
 const (
 	Health_Check_FullMethodName = "/grpc.health.v1.Health/Check"
-	Health_List_FullMethodName  = "/grpc.health.v1.Health/List"
 	Health_Watch_FullMethodName = "/grpc.health.v1.Health/Watch"
 )
 
@@ -56,19 +55,9 @@ type HealthClient interface {
 	//
 	// Clients should set a deadline when calling Check, and can declare the
 	// server unhealthy if they do not receive a timely response.
-	Check(ctx context.Context, in *HealthCheckRequest, opts ...grpc.CallOption) (*HealthCheckResponse, error)
-	// List provides a non-atomic snapshot of the health of all the available
-	// services.
-	//
-	// The server may respond with a RESOURCE_EXHAUSTED error if too many services
-	// exist.
 	//
-	// Clients should set a deadline when calling List, and can declare the server
-	// unhealthy if they do not receive a timely response.
-	//
-	// Clients should keep in mind that the list of health services exposed by an
-	// application can change over the lifetime of the process.
-	List(ctx context.Context, in *HealthListRequest, opts ...grpc.CallOption) (*HealthListResponse, error)
+	// Check implementations should be idempotent and side effect free.
+	Check(ctx context.Context, in *HealthCheckRequest, opts ...grpc.CallOption) (*HealthCheckResponse, error)
 	// Performs a watch for the serving status of the requested service.
 	// The server will immediately send back a message indicating the current
 	// serving status.  It will then subsequently send a new message whenever
@@ -105,16 +94,6 @@ func (c *healthClient) Check(ctx context.Context, in *HealthCheckRequest, opts .
 	return out, nil
 }
 
-func (c *healthClient) List(ctx context.Context, in *HealthListRequest, opts ...grpc.CallOption) (*HealthListResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(HealthListResponse)
-	err := c.cc.Invoke(ctx, Health_List_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *healthClient) Watch(ctx context.Context, in *HealthCheckRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[HealthCheckResponse], error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	stream, err := c.cc.NewStream(ctx, &Health_ServiceDesc.Streams[0], Health_Watch_FullMethodName, cOpts...)
@@ -149,19 +128,9 @@ type HealthServer interface {
 	//
 	// Clients should set a deadline when calling Check, and can declare the
 	// server unhealthy if they do not receive a timely response.
-	Check(context.Context, *HealthCheckRequest) (*HealthCheckResponse, error)
-	// List provides a non-atomic snapshot of the health of all the available
-	// services.
 	//
-	// The server may respond with a RESOURCE_EXHAUSTED error if too many services
-	// exist.
-	//
-	// Clients should set a deadline when calling List, and can declare the server
-	// unhealthy if they do not receive a timely response.
-	//
-	// Clients should keep in mind that the list of health services exposed by an
-	// application can change over the lifetime of the process.
-	List(context.Context, *HealthListRequest) (*HealthListResponse, error)
+	// Check implementations should be idempotent and side effect free.
+	Check(context.Context, *HealthCheckRequest) (*HealthCheckResponse, error)
 	// Performs a watch for the serving status of the requested service.
 	// The server will immediately send back a message indicating the current
 	// serving status.  It will then subsequently send a new message whenever
@@ -190,9 +159,6 @@ type UnimplementedHealthServer struct{}
 func (UnimplementedHealthServer) Check(context.Context, *HealthCheckRequest) (*HealthCheckResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Check not implemented")
 }
-func (UnimplementedHealthServer) List(context.Context, *HealthListRequest) (*HealthListResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method List not implemented")
-}
 func (UnimplementedHealthServer) Watch(*HealthCheckRequest, grpc.ServerStreamingServer[HealthCheckResponse]) error {
 	return status.Errorf(codes.Unimplemented, "method Watch not implemented")
 }
@@ -234,24 +200,6 @@ func _Health_Check_Handler(srv interface{}, ctx context.Context, dec func(interf
 	return interceptor(ctx, in, info, handler)
 }
 
-func _Health_List_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(HealthListRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(HealthServer).List(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: Health_List_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HealthServer).List(ctx, req.(*HealthListRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _Health_Watch_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(HealthCheckRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -274,10 +222,6 @@ var Health_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "Check",
 			Handler:    _Health_Check_Handler,
 		},
-		{
-			MethodName: "List",
-			Handler:    _Health_List_Handler,
-		},
 	},
 	Streams: []grpc.StreamDesc{
 		{
diff --git a/vendor/google.golang.org/grpc/internal/balancer/weight/weight.go b/vendor/google.golang.org/grpc/internal/balancer/weight/weight.go
deleted file mode 100644
index 11beb07d149..00000000000
--- a/vendor/google.golang.org/grpc/internal/balancer/weight/weight.go
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- *
- * Copyright 2025 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-// Package weight contains utilities to manage endpoint weights. Weights are
-// used by LB policies such as ringhash to distribute load across multiple
-// endpoints.
-package weight
-
-import (
-	"fmt"
-
-	"google.golang.org/grpc/resolver"
-)
-
-// attributeKey is the type used as the key to store EndpointInfo in the
-// Attributes field of resolver.Endpoint.
-type attributeKey struct{}
-
-// EndpointInfo will be stored in the Attributes field of Endpoints in order to
-// use the ringhash balancer.
-type EndpointInfo struct {
-	Weight uint32
-}
-
-// Equal allows the values to be compared by Attributes.Equal.
-func (a EndpointInfo) Equal(o any) bool {
-	oa, ok := o.(EndpointInfo)
-	return ok && oa.Weight == a.Weight
-}
-
-// Set returns a copy of endpoint in which the Attributes field is updated with
-// EndpointInfo.
-func Set(endpoint resolver.Endpoint, epInfo EndpointInfo) resolver.Endpoint {
-	endpoint.Attributes = endpoint.Attributes.WithValue(attributeKey{}, epInfo)
-	return endpoint
-}
-
-// String returns a human-readable representation of EndpointInfo.
-// This method is intended for logging, testing, and debugging purposes only.
-// Do not rely on the output format, as it is not guaranteed to remain stable.
-func (a EndpointInfo) String() string {
-	return fmt.Sprintf("Weight: %d", a.Weight)
-}
-
-// FromEndpoint returns the EndpointInfo stored in the Attributes field of an
-// endpoint. It returns an empty EndpointInfo if attribute is not found.
-func FromEndpoint(endpoint resolver.Endpoint) EndpointInfo {
-	v := endpoint.Attributes.Value(attributeKey{})
-	ei, _ := v.(EndpointInfo)
-	return ei
-}
diff --git a/vendor/google.golang.org/grpc/internal/balancergroup/balancergroup.go b/vendor/google.golang.org/grpc/internal/balancergroup/balancergroup.go
index 9addcf18530..31c9cdc9d02 100644
--- a/vendor/google.golang.org/grpc/internal/balancergroup/balancergroup.go
+++ b/vendor/google.golang.org/grpc/internal/balancergroup/balancergroup.go
@@ -194,7 +194,7 @@ type BalancerGroup struct {
 	// The corresponding boolean outgoingStarted is used to stop further updates
 	// to sub-balancers after they are closed.
 	outgoingMu         sync.Mutex
-	outgoingClosed     bool
+	outgoingStarted    bool
 	idToBalancerConfig map[string]*subBalancerWrapper
 	// Cache for sub-balancers when they are removed. This is `nil` if caching
 	// is disabled by passing `0` for Options.SubBalancerCloseTimeout`.
@@ -224,7 +224,7 @@ type BalancerGroup struct {
 	// The corresponding boolean incomingStarted is used to stop further updates
 	// from sub-balancers after they are closed.
 	incomingMu      sync.Mutex
-	incomingClosed  bool // This boolean only guards calls back to ClientConn.
+	incomingStarted bool // This boolean only guards calls back to ClientConn.
 	scToSubBalancer map[balancer.SubConn]*subBalancerWrapper
 }
 
@@ -265,6 +265,30 @@ func New(opts Options) *BalancerGroup {
 	}
 }
 
+// Start starts the balancer group, including building all the sub-balancers,
+// and send the existing addresses to them.
+//
+// A BalancerGroup can be closed and started later. When a BalancerGroup is
+// closed, it can still receive address updates, which will be applied when
+// restarted.
+func (bg *BalancerGroup) Start() {
+	bg.incomingMu.Lock()
+	bg.incomingStarted = true
+	bg.incomingMu.Unlock()
+
+	bg.outgoingMu.Lock()
+	if bg.outgoingStarted {
+		bg.outgoingMu.Unlock()
+		return
+	}
+
+	for _, config := range bg.idToBalancerConfig {
+		config.startBalancer()
+	}
+	bg.outgoingStarted = true
+	bg.outgoingMu.Unlock()
+}
+
 // AddWithClientConn adds a balancer with the given id to the group. The
 // balancer is built with a balancer builder registered with balancerName. The
 // given ClientConn is passed to the newly built balancer instead of the
@@ -275,18 +299,17 @@ func (bg *BalancerGroup) AddWithClientConn(id, balancerName string, cc balancer.
 	bg.logger.Infof("Adding child policy of type %q for child %q", balancerName, id)
 	builder := balancer.Get(balancerName)
 	if builder == nil {
-		return fmt.Errorf("balancergroup: unregistered balancer name %q", balancerName)
+		return fmt.Errorf("unregistered balancer name %q", balancerName)
 	}
 
 	// Store data in static map, and then check to see if bg is started.
 	bg.outgoingMu.Lock()
 	defer bg.outgoingMu.Unlock()
-	if bg.outgoingClosed {
-		return fmt.Errorf("balancergroup: already closed")
-	}
 	var sbc *subBalancerWrapper
-	// Skip searching the cache if disabled.
-	if bg.deletedBalancerCache != nil {
+	// If outgoingStarted is true, search in the cache. Otherwise, cache is
+	// guaranteed to be empty, searching is unnecessary. Also, skip the cache if
+	// caching is disabled.
+	if bg.outgoingStarted && bg.deletedBalancerCache != nil {
 		if old, ok := bg.deletedBalancerCache.Remove(id); ok {
 			if bg.logger.V(2) {
 				bg.logger.Infof("Removing and reusing child policy of type %q for child %q from the balancer cache", balancerName, id)
@@ -318,7 +341,11 @@ func (bg *BalancerGroup) AddWithClientConn(id, balancerName string, cc balancer.
 			builder:    builder,
 			buildOpts:  bg.buildOpts,
 		}
-		sbc.startBalancer()
+		if bg.outgoingStarted {
+			// Only start the balancer if bg is started. Otherwise, we only keep the
+			// static data.
+			sbc.startBalancer()
+		}
 	} else {
 		// When brining back a sub-balancer from cache, re-send the cached
 		// picker and state.
@@ -342,10 +369,6 @@ func (bg *BalancerGroup) Remove(id string) {
 	bg.logger.Infof("Removing child policy for child %q", id)
 
 	bg.outgoingMu.Lock()
-	if bg.outgoingClosed {
-		bg.outgoingMu.Unlock()
-		return
-	}
 
 	sbToRemove, ok := bg.idToBalancerConfig[id]
 	if !ok {
@@ -356,6 +379,12 @@ func (bg *BalancerGroup) Remove(id string) {
 
 	// Unconditionally remove the sub-balancer config from the map.
 	delete(bg.idToBalancerConfig, id)
+	if !bg.outgoingStarted {
+		// Nothing needs to be done here, since we wouldn't have created the
+		// sub-balancer.
+		bg.outgoingMu.Unlock()
+		return
+	}
 
 	if bg.deletedBalancerCache != nil {
 		if bg.logger.V(2) {
@@ -395,7 +424,6 @@ func (bg *BalancerGroup) Remove(id string) {
 // cleanup after the timeout.
 func (bg *BalancerGroup) cleanupSubConns(config *subBalancerWrapper) {
 	bg.incomingMu.Lock()
-	defer bg.incomingMu.Unlock()
 	// Remove SubConns. This is only done after the balancer is
 	// actually closed.
 	//
@@ -409,20 +437,18 @@ func (bg *BalancerGroup) cleanupSubConns(config *subBalancerWrapper) {
 			delete(bg.scToSubBalancer, sc)
 		}
 	}
+	bg.incomingMu.Unlock()
 }
 
 // connect attempts to connect to all subConns belonging to sb.
 func (bg *BalancerGroup) connect(sb *subBalancerWrapper) {
 	bg.incomingMu.Lock()
-	defer bg.incomingMu.Unlock()
-	if bg.incomingClosed {
-		return
-	}
 	for sc, b := range bg.scToSubBalancer {
 		if b == sb {
 			sc.Connect()
 		}
 	}
+	bg.incomingMu.Unlock()
 }
 
 // Following are actions from the parent grpc.ClientConn, forward to sub-balancers.
@@ -431,10 +457,6 @@ func (bg *BalancerGroup) connect(sb *subBalancerWrapper) {
 // needed.
 func (bg *BalancerGroup) updateSubConnState(sc balancer.SubConn, state balancer.SubConnState, cb func(balancer.SubConnState)) {
 	bg.incomingMu.Lock()
-	if bg.incomingClosed {
-		bg.incomingMu.Unlock()
-		return
-	}
 	if _, ok := bg.scToSubBalancer[sc]; !ok {
 		bg.incomingMu.Unlock()
 		return
@@ -446,13 +468,10 @@ func (bg *BalancerGroup) updateSubConnState(sc balancer.SubConn, state balancer.
 	bg.incomingMu.Unlock()
 
 	bg.outgoingMu.Lock()
-	defer bg.outgoingMu.Unlock()
-	if bg.outgoingClosed {
-		return
-	}
 	if cb != nil {
 		cb(state)
 	}
+	bg.outgoingMu.Unlock()
 }
 
 // UpdateSubConnState handles the state for the subconn. It finds the
@@ -466,9 +485,6 @@ func (bg *BalancerGroup) UpdateSubConnState(sc balancer.SubConn, state balancer.
 func (bg *BalancerGroup) UpdateClientConnState(id string, s balancer.ClientConnState) error {
 	bg.outgoingMu.Lock()
 	defer bg.outgoingMu.Unlock()
-	if bg.outgoingClosed {
-		return nil
-	}
 	if config, ok := bg.idToBalancerConfig[id]; ok {
 		return config.updateClientConnState(s)
 	}
@@ -478,13 +494,10 @@ func (bg *BalancerGroup) UpdateClientConnState(id string, s balancer.ClientConnS
 // ResolverError forwards resolver errors to all sub-balancers.
 func (bg *BalancerGroup) ResolverError(err error) {
 	bg.outgoingMu.Lock()
-	defer bg.outgoingMu.Unlock()
-	if bg.outgoingClosed {
-		return
-	}
 	for _, config := range bg.idToBalancerConfig {
 		config.resolverError(err)
 	}
+	bg.outgoingMu.Unlock()
 }
 
 // Following are actions from sub-balancers, forward to ClientConn.
@@ -501,9 +514,9 @@ func (bg *BalancerGroup) newSubConn(config *subBalancerWrapper, addrs []resolver
 	// error. But since we call balancer.stopBalancer when removing the balancer, this
 	// shouldn't happen.
 	bg.incomingMu.Lock()
-	if bg.incomingClosed {
+	if !bg.incomingStarted {
 		bg.incomingMu.Unlock()
-		return nil, fmt.Errorf("balancergroup: NewSubConn is called after balancer group is closed")
+		return nil, fmt.Errorf("NewSubConn is called after balancer group is closed")
 	}
 	var sc balancer.SubConn
 	oldListener := opts.StateListener
@@ -534,23 +547,19 @@ func (bg *BalancerGroup) updateBalancerState(id string, state balancer.State) {
 }
 
 // Close closes the balancer. It stops sub-balancers, and removes the subconns.
-// When a BalancerGroup is closed, it can not receive further address updates.
+// The BalancerGroup can be restarted later.
 func (bg *BalancerGroup) Close() {
 	bg.incomingMu.Lock()
-	bg.incomingClosed = true
-	// Also remove all SubConns.
-	for sc := range bg.scToSubBalancer {
-		sc.Shutdown()
-		delete(bg.scToSubBalancer, sc)
+	if bg.incomingStarted {
+		bg.incomingStarted = false
+		// Also remove all SubConns.
+		for sc := range bg.scToSubBalancer {
+			sc.Shutdown()
+			delete(bg.scToSubBalancer, sc)
+		}
 	}
 	bg.incomingMu.Unlock()
 
-	bg.outgoingMu.Lock()
-	// Setting `outgoingClosed` ensures that no entries are added to
-	// `deletedBalancerCache` after this point.
-	bg.outgoingClosed = true
-	bg.outgoingMu.Unlock()
-
 	// Clear(true) runs clear function to close sub-balancers in cache. It
 	// must be called out of outgoing mutex.
 	if bg.deletedBalancerCache != nil {
@@ -558,9 +567,11 @@ func (bg *BalancerGroup) Close() {
 	}
 
 	bg.outgoingMu.Lock()
-	for id, config := range bg.idToBalancerConfig {
-		config.stopBalancer()
-		delete(bg.idToBalancerConfig, id)
+	if bg.outgoingStarted {
+		bg.outgoingStarted = false
+		for _, config := range bg.idToBalancerConfig {
+			config.stopBalancer()
+		}
 	}
 	bg.outgoingMu.Unlock()
 }
@@ -570,30 +581,24 @@ func (bg *BalancerGroup) Close() {
 // not supported.
 func (bg *BalancerGroup) ExitIdle() {
 	bg.outgoingMu.Lock()
-	defer bg.outgoingMu.Unlock()
-	if bg.outgoingClosed {
-		return
-	}
 	for _, config := range bg.idToBalancerConfig {
 		if !config.exitIdle() {
 			bg.connect(config)
 		}
 	}
+	bg.outgoingMu.Unlock()
 }
 
 // ExitIdleOne instructs the sub-balancer `id` to exit IDLE state, if
 // appropriate and possible.
 func (bg *BalancerGroup) ExitIdleOne(id string) {
 	bg.outgoingMu.Lock()
-	defer bg.outgoingMu.Unlock()
-	if bg.outgoingClosed {
-		return
-	}
 	if config := bg.idToBalancerConfig[id]; config != nil {
 		if !config.exitIdle() {
 			bg.connect(config)
 		}
 	}
+	bg.outgoingMu.Unlock()
 }
 
 // ParseConfig parses a child config list and returns a LB config for the
diff --git a/vendor/google.golang.org/grpc/internal/credentials/credentials.go b/vendor/google.golang.org/grpc/internal/credentials/credentials.go
index 48b22d9cf07..9deee7f6513 100644
--- a/vendor/google.golang.org/grpc/internal/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/internal/credentials/credentials.go
@@ -20,6 +20,20 @@ import (
 	"context"
 )
 
+// requestInfoKey is a struct to be used as the key to store RequestInfo in a
+// context.
+type requestInfoKey struct{}
+
+// NewRequestInfoContext creates a context with ri.
+func NewRequestInfoContext(ctx context.Context, ri any) context.Context {
+	return context.WithValue(ctx, requestInfoKey{}, ri)
+}
+
+// RequestInfoFromContext extracts the RequestInfo from ctx.
+func RequestInfoFromContext(ctx context.Context) any {
+	return ctx.Value(requestInfoKey{})
+}
+
 // clientHandshakeInfoKey is a struct used as the key to store
 // ClientHandshakeInfo in a context.
 type clientHandshakeInfoKey struct{}
diff --git a/vendor/google.golang.org/grpc/internal/credentials/spiffe/spiffe.go b/vendor/google.golang.org/grpc/internal/credentials/spiffe/spiffe.go
deleted file mode 100644
index 7be008a1985..00000000000
--- a/vendor/google.golang.org/grpc/internal/credentials/spiffe/spiffe.go
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- *
- * Copyright 2025 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-// Package spiffe defines APIs for working with SPIFFE Bundle Maps.
-//
-// All APIs in this package are experimental.
-package spiffe
-
-import (
-	"crypto/x509"
-	"encoding/json"
-	"fmt"
-
-	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
-)
-
-type partialParsedSPIFFEBundleMap struct {
-	Bundles map[string]json.RawMessage `json:"trust_domains"`
-}
-
-// BundleMapFromBytes parses bytes into a SPIFFE Bundle Map. See the
-// SPIFFE Bundle Map spec for more detail -
-// https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#4-spiffe-bundle-format
-// If duplicate keys are encountered in the JSON parsing, Go's default unmarshal
-// behavior occurs which causes the last processed entry to be the entry in the
-// parsed map.
-func BundleMapFromBytes(bundleMapBytes []byte) (map[string]*spiffebundle.Bundle, error) {
-	var result partialParsedSPIFFEBundleMap
-	if err := json.Unmarshal(bundleMapBytes, &result); err != nil {
-		return nil, err
-	}
-	if result.Bundles == nil {
-		return nil, fmt.Errorf("spiffe: BundleMapFromBytes() no bundles parsed from spiffe bundle map bytes")
-	}
-	bundleMap := map[string]*spiffebundle.Bundle{}
-	for td, jsonBundle := range result.Bundles {
-		trustDomain, err := spiffeid.TrustDomainFromString(td)
-		if err != nil {
-			return nil, fmt.Errorf("spiffe: BundleMapFromBytes() invalid trust domain %q found when parsing SPIFFE Bundle Map: %v", td, err)
-		}
-		bundle, err := spiffebundle.Parse(trustDomain, jsonBundle)
-		if err != nil {
-			return nil, fmt.Errorf("spiffe: BundleMapFromBytes() failed to parse bundle for trust domain %q: %v", td, err)
-		}
-		bundleMap[td] = bundle
-	}
-	return bundleMap, nil
-}
-
-// GetRootsFromSPIFFEBundleMap returns the root trust certificates from the
-// SPIFFE bundle map for the given trust domain from the leaf certificate.
-func GetRootsFromSPIFFEBundleMap(bundleMap map[string]*spiffebundle.Bundle, leafCert *x509.Certificate) (*x509.CertPool, error) {
-	// 1. Upon receiving a peer certificate, verify that it is a well-formed SPIFFE
-	//    leaf certificate.  In particular, it must have a single URI SAN containing
-	//    a well-formed SPIFFE ID ([SPIFFE ID format]).
-	spiffeID, err := idFromCert(leafCert)
-	if err != nil {
-		return nil, fmt.Errorf("spiffe: could not get spiffe ID from peer leaf cert but verification with spiffe trust map was configured: %v", err)
-	}
-
-	// 2. Use the trust domain in the peer certificate's SPIFFE ID to lookup
-	//    the SPIFFE trust bundle. If the trust domain is not contained in the
-	//    configured trust map, reject the certificate.
-	spiffeBundle, ok := bundleMap[spiffeID.TrustDomain().Name()]
-	if !ok {
-		return nil, fmt.Errorf("spiffe: no bundle found for peer certificates trust domain %q but verification with a SPIFFE trust map was configured", spiffeID.TrustDomain().Name())
-	}
-	roots := spiffeBundle.X509Authorities()
-	rootPool := x509.NewCertPool()
-	for _, root := range roots {
-		rootPool.AddCert(root)
-	}
-	return rootPool, nil
-}
-
-// idFromCert parses the SPIFFE ID from the x509.Certificate. If the certificate
-// does not have a valid SPIFFE ID, returns an error.
-func idFromCert(cert *x509.Certificate) (*spiffeid.ID, error) {
-	if cert == nil {
-		return nil, fmt.Errorf("input cert is nil")
-	}
-	// A valid SPIFFE Certificate should have exactly one URI.
-	if len(cert.URIs) != 1 {
-		return nil, fmt.Errorf("input cert has %v URIs but should have 1", len(cert.URIs))
-	}
-	id, err := spiffeid.FromURI(cert.URIs[0])
-	if err != nil {
-		return nil, fmt.Errorf("invalid spiffeid: %v", err)
-	}
-	return &id, nil
-}
diff --git a/vendor/google.golang.org/grpc/internal/credentials/xds/handshake_info.go b/vendor/google.golang.org/grpc/internal/credentials/xds/handshake_info.go
index 81074bedb40..dcff7ad6222 100644
--- a/vendor/google.golang.org/grpc/internal/credentials/xds/handshake_info.go
+++ b/vendor/google.golang.org/grpc/internal/credentials/xds/handshake_info.go
@@ -31,7 +31,6 @@ import (
 	"google.golang.org/grpc/attributes"
 	"google.golang.org/grpc/credentials/tls/certprovider"
 	"google.golang.org/grpc/internal"
-	"google.golang.org/grpc/internal/credentials/spiffe"
 	"google.golang.org/grpc/internal/xds/matcher"
 	"google.golang.org/grpc/resolver"
 )
@@ -145,7 +144,6 @@ func (hi *HandshakeInfo) ClientSideTLSConfig(ctx context.Context) (*tls.Config,
 		return nil, fmt.Errorf("xds: fetching trusted roots from CertificateProvider failed: %v", err)
 	}
 	cfg.RootCAs = km.Roots
-	cfg.VerifyPeerCertificate = hi.buildVerifyFunc(km, true)
 
 	if idProv != nil {
 		km, err := idProv.KeyMaterial(ctx)
@@ -157,60 +155,6 @@ func (hi *HandshakeInfo) ClientSideTLSConfig(ctx context.Context) (*tls.Config,
 	return cfg, nil
 }
 
-func (hi *HandshakeInfo) buildVerifyFunc(km *certprovider.KeyMaterial, isClient bool) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
-	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
-		// Parse all raw certificates presented by the peer.
-		var certs []*x509.Certificate
-		for _, rc := range rawCerts {
-			cert, err := x509.ParseCertificate(rc)
-			if err != nil {
-				return err
-			}
-			certs = append(certs, cert)
-		}
-
-		// Build the intermediates list and verify that the leaf certificate is
-		// signed by one of the root certificates. If a SPIFFE Bundle Map is
-		// configured, it is used to get the root certs. Otherwise, the
-		// configured roots in the root provider are used.
-		intermediates := x509.NewCertPool()
-		for _, cert := range certs[1:] {
-			intermediates.AddCert(cert)
-		}
-		roots := km.Roots
-		// If a SPIFFE Bundle Map is configured, find the roots for the trust
-		// domain of the leaf certificate.
-		if km.SPIFFEBundleMap != nil {
-			var err error
-			roots, err = spiffe.GetRootsFromSPIFFEBundleMap(km.SPIFFEBundleMap, certs[0])
-			if err != nil {
-				return err
-			}
-		}
-		opts := x509.VerifyOptions{
-			Roots:         roots,
-			Intermediates: intermediates,
-			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		}
-		if isClient {
-			opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
-		} else {
-			opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
-		}
-		if _, err := certs[0].Verify(opts); err != nil {
-			return err
-		}
-		// The SANs sent by the MeshCA are encoded as SPIFFE IDs. We need to
-		// only look at the SANs on the leaf cert.
-		if cert := certs[0]; !hi.MatchingSANExists(cert) {
-			// TODO: Print the complete certificate once the x509 package
-			// supports a String() method on the Certificate type.
-			return fmt.Errorf("xds: received SANs {DNSNames: %v, EmailAddresses: %v, IPAddresses: %v, URIs: %v} do not match any of the accepted SANs", cert.DNSNames, cert.EmailAddresses, cert.IPAddresses, cert.URIs)
-		}
-		return nil
-	}
-}
-
 // ServerSideTLSConfig constructs a tls.Config to be used in a server-side
 // handshake based on the contents of the HandshakeInfo.
 func (hi *HandshakeInfo) ServerSideTLSConfig(ctx context.Context) (*tls.Config, error) {
@@ -242,15 +186,7 @@ func (hi *HandshakeInfo) ServerSideTLSConfig(ctx context.Context) (*tls.Config,
 		if err != nil {
 			return nil, fmt.Errorf("xds: fetching trusted roots from CertificateProvider failed: %v", err)
 		}
-		if km.SPIFFEBundleMap != nil && hi.requireClientCert {
-			// ClientAuth, if set greater than tls.RequireAnyClientCert, must be
-			// dropped to tls.RequireAnyClientCert so that custom verification
-			// to use SPIFFE Bundles is done.
-			cfg.ClientAuth = tls.RequireAnyClientCert
-			cfg.VerifyPeerCertificate = hi.buildVerifyFunc(km, false)
-		} else {
-			cfg.ClientCAs = km.Roots
-		}
+		cfg.ClientCAs = km.Roots
 	}
 	return cfg, nil
 }
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
index f5f2bdeb864..1e42b6fdc87 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
@@ -36,7 +36,7 @@ var (
 	// LeastRequestLB is set if we should support the least_request_experimental
 	// LB policy, which can be enabled by setting the environment variable
 	// "GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST" to "true".
-	LeastRequestLB = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST", true)
+	LeastRequestLB = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST", false)
 	// ALTSMaxConcurrentHandshakes is the maximum number of concurrent ALTS
 	// handshakes that can be performed.
 	ALTSMaxConcurrentHandshakes = uint64FromEnv("GRPC_ALTS_MAX_CONCURRENT_HANDSHAKES", 100, 1, 100)
@@ -51,28 +51,10 @@ var (
 	// xDS server in the list of server configs will be used.
 	XDSFallbackSupport = boolFromEnv("GRPC_EXPERIMENTAL_XDS_FALLBACK", true)
 	// NewPickFirstEnabled is set if the new pickfirst leaf policy is to be used
-	// instead of the exiting pickfirst implementation. This can be disabled by
+	// instead of the exiting pickfirst implementation. This can be enabled by
 	// setting the environment variable "GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST"
-	// to "false".
-	NewPickFirstEnabled = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST", true)
-
-	// XDSEndpointHashKeyBackwardCompat controls the parsing of the endpoint hash
-	// key from EDS LbEndpoint metadata. Endpoint hash keys can be disabled by
-	// setting "GRPC_XDS_ENDPOINT_HASH_KEY_BACKWARD_COMPAT" to "true". When the
-	// implementation of A76 is stable, we will flip the default value to false
-	// in a subsequent release. A final release will remove this environment
-	// variable, enabling the new behavior unconditionally.
-	XDSEndpointHashKeyBackwardCompat = boolFromEnv("GRPC_XDS_ENDPOINT_HASH_KEY_BACKWARD_COMPAT", true)
-
-	// RingHashSetRequestHashKey is set if the ring hash balancer can get the
-	// request hash header by setting the "requestHashHeader" field, according
-	// to gRFC A76. It can be enabled by setting the environment variable
-	// "GRPC_EXPERIMENTAL_RING_HASH_SET_REQUEST_HASH_KEY" to "true".
-	RingHashSetRequestHashKey = boolFromEnv("GRPC_EXPERIMENTAL_RING_HASH_SET_REQUEST_HASH_KEY", false)
-
-	// ALTSHandshakerKeepaliveParams is set if we should add the
-	// KeepaliveParams when dial the ALTS handshaker service.
-	ALTSHandshakerKeepaliveParams = boolFromEnv("GRPC_EXPERIMENTAL_ALTS_HANDSHAKER_KEEPALIVE_PARAMS", false)
+	// to "true".
+	NewPickFirstEnabled = boolFromEnv("GRPC_EXPERIMENTAL_ENABLE_NEW_PICK_FIRST", false)
 )
 
 func boolFromEnv(envVar string, def bool) bool {
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/xds.go b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
index e87551552ad..2eb97f832b1 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/xds.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/xds.go
@@ -63,9 +63,4 @@ var (
 	// For more details, see:
 	// https://github.com/grpc/proposal/blob/master/A82-xds-system-root-certs.md.
 	XDSSystemRootCertsEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_SYSTEM_ROOT_CERTS", false)
-
-	// XDSSPIFFEEnabled controls if SPIFFE Bundle Maps can be used as roots of
-	// trust.  For more details, see:
-	// https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md
-	XDSSPIFFEEnabled = boolFromEnv("GRPC_EXPERIMENTAL_XDS_MTLS_SPIFFE", false)
 )
diff --git a/vendor/google.golang.org/grpc/internal/grpcsync/event.go b/vendor/google.golang.org/grpc/internal/grpcsync/event.go
index d788c249300..fbe697c3768 100644
--- a/vendor/google.golang.org/grpc/internal/grpcsync/event.go
+++ b/vendor/google.golang.org/grpc/internal/grpcsync/event.go
@@ -21,25 +21,28 @@
 package grpcsync
 
 import (
+	"sync"
 	"sync/atomic"
 )
 
 // Event represents a one-time event that may occur in the future.
 type Event struct {
-	fired atomic.Bool
+	fired int32
 	c     chan struct{}
+	o     sync.Once
 }
 
 // Fire causes e to complete.  It is safe to call multiple times, and
 // concurrently.  It returns true iff this call to Fire caused the signaling
-// channel returned by Done to close. If Fire returns false, it is possible
-// the Done channel has not been closed yet.
+// channel returned by Done to close.
 func (e *Event) Fire() bool {
-	if e.fired.CompareAndSwap(false, true) {
+	ret := false
+	e.o.Do(func() {
+		atomic.StoreInt32(&e.fired, 1)
 		close(e.c)
-		return true
-	}
-	return false
+		ret = true
+	})
+	return ret
 }
 
 // Done returns a channel that will be closed when Fire is called.
@@ -49,7 +52,7 @@ func (e *Event) Done() <-chan struct{} {
 
 // HasFired returns true if Fire has been called.
 func (e *Event) HasFired() bool {
-	return e.fired.Load()
+	return atomic.LoadInt32(&e.fired) == 1
 }
 
 // NewEvent returns a new, ready-to-use Event.
diff --git a/vendor/google.golang.org/grpc/internal/internal.go b/vendor/google.golang.org/grpc/internal/internal.go
index 3ac798e8e60..13e1f386b1c 100644
--- a/vendor/google.golang.org/grpc/internal/internal.go
+++ b/vendor/google.golang.org/grpc/internal/internal.go
@@ -259,20 +259,6 @@ var (
 	// SetBufferPoolingThresholdForTesting updates the buffer pooling threshold, for
 	// testing purposes.
 	SetBufferPoolingThresholdForTesting any // func(int)
-
-	// TimeAfterFunc is used to create timers. During tests the function is
-	// replaced to track allocated timers and fail the test if a timer isn't
-	// cancelled.
-	TimeAfterFunc = func(d time.Duration, f func()) Timer {
-		return time.AfterFunc(d, f)
-	}
-
-	// NewStreamWaitingForResolver is a test hook that is triggered when a
-	// new stream blocks while waiting for name resolution. This can be
-	// used in tests to synchronize resolver updates and avoid race conditions.
-	// When set, the function will be called before the stream enters
-	// the blocking state.
-	NewStreamWaitingForResolver = func() {}
 )
 
 // HealthChecker defines the signature of the client-side LB channel health
@@ -314,9 +300,3 @@ type EnforceSubConnEmbedding interface {
 type EnforceClientConnEmbedding interface {
 	enforceClientConnEmbedding()
 }
-
-// Timer is an interface to allow injecting different time.Timer implementations
-// during tests.
-type Timer interface {
-	Stop() bool
-}
diff --git a/vendor/google.golang.org/grpc/internal/metadata/metadata.go b/vendor/google.golang.org/grpc/internal/metadata/metadata.go
index c4055bc00e5..900bfb71608 100644
--- a/vendor/google.golang.org/grpc/internal/metadata/metadata.go
+++ b/vendor/google.golang.org/grpc/internal/metadata/metadata.go
@@ -97,11 +97,13 @@ func hasNotPrintable(msg string) bool {
 	return false
 }
 
-// ValidateKey validates a key with the following rules (pseudo-headers are
-// skipped):
-// - the key must contain one or more characters.
-// - the characters in the key must be in [0-9 a-z _ - .].
-func ValidateKey(key string) error {
+// ValidatePair validate a key-value pair with the following rules (the pseudo-header will be skipped) :
+//
+// - key must contain one or more characters.
+// - the characters in the key must be contained in [0-9 a-z _ - .].
+// - if the key ends with a "-bin" suffix, no validation of the corresponding value is performed.
+// - the characters in the every value must be printable (in [%x20-%x7E]).
+func ValidatePair(key string, vals ...string) error {
 	// key should not be empty
 	if key == "" {
 		return fmt.Errorf("there is an empty key in the header")
@@ -117,20 +119,6 @@ func ValidateKey(key string) error {
 			return fmt.Errorf("header key %q contains illegal characters not in [0-9a-z-_.]", key)
 		}
 	}
-	return nil
-}
-
-// ValidatePair validates a key-value pair with the following rules
-// (pseudo-header are skipped):
-//   - the key must contain one or more characters.
-//   - the characters in the key must be in [0-9 a-z _ - .].
-//   - if the key ends with a "-bin" suffix, no validation of the corresponding
-//     value is performed.
-//   - the characters in every value must be printable (in [%x20-%x7E]).
-func ValidatePair(key string, vals ...string) error {
-	if err := ValidateKey(key); err != nil {
-		return err
-	}
 	if strings.HasSuffix(key, "-bin") {
 		return nil
 	}
diff --git a/vendor/google.golang.org/grpc/internal/proto/grpc_lookup_v1/rls.pb.go b/vendor/google.golang.org/grpc/internal/proto/grpc_lookup_v1/rls.pb.go
index 3503f7d3e26..1f04c4b5b08 100644
--- a/vendor/google.golang.org/grpc/internal/proto/grpc_lookup_v1/rls.pb.go
+++ b/vendor/google.golang.org/grpc/internal/proto/grpc_lookup_v1/rls.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.4
 // 	protoc        v5.27.1
 // source: grpc/lookup/v1/rls.proto
 
@@ -237,35 +237,62 @@ func (x *RouteLookupResponse) GetExtensions() []*anypb.Any {
 
 var File_grpc_lookup_v1_rls_proto protoreflect.FileDescriptor
 
-const file_grpc_lookup_v1_rls_proto_rawDesc = "" +
-	"\n" +
-	"\x18grpc/lookup/v1/rls.proto\x12\x0egrpc.lookup.v1\x1a\x19google/protobuf/any.proto\"\xb9\x03\n" +
-	"\x12RouteLookupRequest\x12\x1f\n" +
-	"\vtarget_type\x18\x03 \x01(\tR\n" +
-	"targetType\x12A\n" +
-	"\x06reason\x18\x05 \x01(\x0e2).grpc.lookup.v1.RouteLookupRequest.ReasonR\x06reason\x12*\n" +
-	"\x11stale_header_data\x18\x06 \x01(\tR\x0fstaleHeaderData\x12G\n" +
-	"\akey_map\x18\x04 \x03(\v2..grpc.lookup.v1.RouteLookupRequest.KeyMapEntryR\x06keyMap\x124\n" +
-	"\n" +
-	"extensions\x18\a \x03(\v2\x14.google.protobuf.AnyR\n" +
-	"extensions\x1a9\n" +
-	"\vKeyMapEntry\x12\x10\n" +
-	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
-	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"?\n" +
-	"\x06Reason\x12\x12\n" +
-	"\x0eREASON_UNKNOWN\x10\x00\x12\x0f\n" +
-	"\vREASON_MISS\x10\x01\x12\x10\n" +
-	"\fREASON_STALE\x10\x02J\x04\b\x01\x10\x02J\x04\b\x02\x10\x03R\x06serverR\x04path\"\x94\x01\n" +
-	"\x13RouteLookupResponse\x12\x18\n" +
-	"\atargets\x18\x03 \x03(\tR\atargets\x12\x1f\n" +
-	"\vheader_data\x18\x02 \x01(\tR\n" +
-	"headerData\x124\n" +
-	"\n" +
-	"extensions\x18\x04 \x03(\v2\x14.google.protobuf.AnyR\n" +
-	"extensionsJ\x04\b\x01\x10\x02R\x06target2n\n" +
-	"\x12RouteLookupService\x12X\n" +
-	"\vRouteLookup\x12\".grpc.lookup.v1.RouteLookupRequest\x1a#.grpc.lookup.v1.RouteLookupResponse\"\x00BM\n" +
-	"\x11io.grpc.lookup.v1B\bRlsProtoP\x01Z,google.golang.org/grpc/lookup/grpc_lookup_v1b\x06proto3"
+var file_grpc_lookup_v1_rls_proto_rawDesc = string([]byte{
+	0x0a, 0x18, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2f, 0x76, 0x31,
+	0x2f, 0x72, 0x6c, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb9, 0x03, 0x0a, 0x12, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x4c,
+	0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1f, 0x0a, 0x0b,
+	0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x41, 0x0a,
+	0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x29, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x52,
+	0x6f, 0x75, 0x74, 0x65, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x2e, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e,
+	0x12, 0x2a, 0x0a, 0x11, 0x73, 0x74, 0x61, 0x6c, 0x65, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
+	0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x74, 0x61,
+	0x6c, 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x44, 0x61, 0x74, 0x61, 0x12, 0x47, 0x0a, 0x07,
+	0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x61, 0x70, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x52,
+	0x6f, 0x75, 0x74, 0x65, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x2e, 0x4b, 0x65, 0x79, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x6b,
+	0x65, 0x79, 0x4d, 0x61, 0x70, 0x12, 0x34, 0x0a, 0x0a, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69,
+	0x6f, 0x6e, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52,
+	0x0a, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0x39, 0x0a, 0x0b, 0x4b,
+	0x65, 0x79, 0x4d, 0x61, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
+	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05,
+	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c,
+	0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x3f, 0x0a, 0x06, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e,
+	0x12, 0x12, 0x0a, 0x0e, 0x52, 0x45, 0x41, 0x53, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f,
+	0x57, 0x4e, 0x10, 0x00, 0x12, 0x0f, 0x0a, 0x0b, 0x52, 0x45, 0x41, 0x53, 0x4f, 0x4e, 0x5f, 0x4d,
+	0x49, 0x53, 0x53, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x52, 0x45, 0x41, 0x53, 0x4f, 0x4e, 0x5f,
+	0x53, 0x54, 0x41, 0x4c, 0x45, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08,
+	0x02, 0x10, 0x03, 0x52, 0x06, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x04, 0x70, 0x61, 0x74,
+	0x68, 0x22, 0x94, 0x01, 0x0a, 0x13, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x4c, 0x6f, 0x6f, 0x6b, 0x75,
+	0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x74, 0x61, 0x72,
+	0x67, 0x65, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x74, 0x61, 0x72, 0x67,
+	0x65, 0x74, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x64, 0x61,
+	0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
+	0x44, 0x61, 0x74, 0x61, 0x12, 0x34, 0x0a, 0x0a, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+	0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x0a,
+	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02,
+	0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x32, 0x6e, 0x0a, 0x12, 0x52, 0x6f, 0x75, 0x74,
+	0x65, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x58,
+	0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x12, 0x22, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x52,
+	0x6f, 0x75, 0x74, 0x65, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x23, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e,
+	0x76, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x4d, 0x0a, 0x11, 0x69, 0x6f, 0x2e, 0x67,
+	0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x42, 0x08, 0x52,
+	0x6c, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2c, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70,
+	0x63, 0x2f, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x6c, 0x6f,
+	0x6f, 0x6b, 0x75, 0x70, 0x5f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_grpc_lookup_v1_rls_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/internal/proto/grpc_lookup_v1/rls_config.pb.go b/vendor/google.golang.org/grpc/internal/proto/grpc_lookup_v1/rls_config.pb.go
index 9e24bbde8b2..b7a922031c7 100644
--- a/vendor/google.golang.org/grpc/internal/proto/grpc_lookup_v1/rls_config.pb.go
+++ b/vendor/google.golang.org/grpc/internal/proto/grpc_lookup_v1/rls_config.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.6
+// 	protoc-gen-go v1.36.4
 // 	protoc        v5.27.1
 // source: grpc/lookup/v1/rls_config.proto
 
@@ -362,15 +362,13 @@ type RouteLookupConfig struct {
 	LookupServiceTimeout *durationpb.Duration `protobuf:"bytes,4,opt,name=lookup_service_timeout,json=lookupServiceTimeout,proto3" json:"lookup_service_timeout,omitempty"`
 	// How long are responses valid for (like HTTP Cache-Control).
 	// If omitted or zero, the longest valid cache time is used.
-	// This value is clamped to 5 minutes to avoid unflushable bad responses,
-	// unless stale_age is specified.
+	// This value is clamped to 5 minutes to avoid unflushable bad responses.
 	MaxAge *durationpb.Duration `protobuf:"bytes,5,opt,name=max_age,json=maxAge,proto3" json:"max_age,omitempty"`
 	// After a response has been in the client cache for this amount of time
 	// and is re-requested, start an asynchronous RPC to re-validate it.
 	// This value should be less than max_age by at least the length of a
 	// typical RTT to the Route Lookup Service to fully mask the RTT latency.
 	// If omitted, keys are only re-requested after they have expired.
-	// This value is clamped to 5 minutes.
 	StaleAge *durationpb.Duration `protobuf:"bytes,6,opt,name=stale_age,json=staleAge,proto3" json:"stale_age,omitempty"`
 	// Rough indicator of amount of memory to use for the client cache.  Some of
 	// the data structure overhead is not accounted for, so actual memory consumed
@@ -655,53 +653,123 @@ func (x *GrpcKeyBuilder_ExtraKeys) GetMethod() string {
 
 var File_grpc_lookup_v1_rls_config_proto protoreflect.FileDescriptor
 
-const file_grpc_lookup_v1_rls_config_proto_rawDesc = "" +
-	"\n" +
-	"\x1fgrpc/lookup/v1/rls_config.proto\x12\x0egrpc.lookup.v1\x1a\x1egoogle/protobuf/duration.proto\"\\\n" +
-	"\vNameMatcher\x12\x10\n" +
-	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
-	"\x05names\x18\x02 \x03(\tR\x05names\x12%\n" +
-	"\x0erequired_match\x18\x03 \x01(\bR\rrequiredMatch\"\xf0\x03\n" +
-	"\x0eGrpcKeyBuilder\x129\n" +
-	"\x05names\x18\x01 \x03(\v2#.grpc.lookup.v1.GrpcKeyBuilder.NameR\x05names\x12G\n" +
-	"\n" +
-	"extra_keys\x18\x03 \x01(\v2(.grpc.lookup.v1.GrpcKeyBuilder.ExtraKeysR\textraKeys\x125\n" +
-	"\aheaders\x18\x02 \x03(\v2\x1b.grpc.lookup.v1.NameMatcherR\aheaders\x12U\n" +
-	"\rconstant_keys\x18\x04 \x03(\v20.grpc.lookup.v1.GrpcKeyBuilder.ConstantKeysEntryR\fconstantKeys\x1a8\n" +
-	"\x04Name\x12\x18\n" +
-	"\aservice\x18\x01 \x01(\tR\aservice\x12\x16\n" +
-	"\x06method\x18\x02 \x01(\tR\x06method\x1aQ\n" +
-	"\tExtraKeys\x12\x12\n" +
-	"\x04host\x18\x01 \x01(\tR\x04host\x12\x18\n" +
-	"\aservice\x18\x02 \x01(\tR\aservice\x12\x16\n" +
-	"\x06method\x18\x03 \x01(\tR\x06method\x1a?\n" +
-	"\x11ConstantKeysEntry\x12\x10\n" +
-	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
-	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\x89\x03\n" +
-	"\x0eHttpKeyBuilder\x12#\n" +
-	"\rhost_patterns\x18\x01 \x03(\tR\fhostPatterns\x12#\n" +
-	"\rpath_patterns\x18\x02 \x03(\tR\fpathPatterns\x12F\n" +
-	"\x10query_parameters\x18\x03 \x03(\v2\x1b.grpc.lookup.v1.NameMatcherR\x0fqueryParameters\x125\n" +
-	"\aheaders\x18\x04 \x03(\v2\x1b.grpc.lookup.v1.NameMatcherR\aheaders\x12U\n" +
-	"\rconstant_keys\x18\x05 \x03(\v20.grpc.lookup.v1.HttpKeyBuilder.ConstantKeysEntryR\fconstantKeys\x12\x16\n" +
-	"\x06method\x18\x06 \x01(\tR\x06method\x1a?\n" +
-	"\x11ConstantKeysEntry\x12\x10\n" +
-	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
-	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\xa6\x04\n" +
-	"\x11RouteLookupConfig\x12I\n" +
-	"\x10http_keybuilders\x18\x01 \x03(\v2\x1e.grpc.lookup.v1.HttpKeyBuilderR\x0fhttpKeybuilders\x12I\n" +
-	"\x10grpc_keybuilders\x18\x02 \x03(\v2\x1e.grpc.lookup.v1.GrpcKeyBuilderR\x0fgrpcKeybuilders\x12%\n" +
-	"\x0elookup_service\x18\x03 \x01(\tR\rlookupService\x12O\n" +
-	"\x16lookup_service_timeout\x18\x04 \x01(\v2\x19.google.protobuf.DurationR\x14lookupServiceTimeout\x122\n" +
-	"\amax_age\x18\x05 \x01(\v2\x19.google.protobuf.DurationR\x06maxAge\x126\n" +
-	"\tstale_age\x18\x06 \x01(\v2\x19.google.protobuf.DurationR\bstaleAge\x12(\n" +
-	"\x10cache_size_bytes\x18\a \x01(\x03R\x0ecacheSizeBytes\x12#\n" +
-	"\rvalid_targets\x18\b \x03(\tR\fvalidTargets\x12%\n" +
-	"\x0edefault_target\x18\t \x01(\tR\rdefaultTargetJ\x04\b\n" +
-	"\x10\vR\x1brequest_processing_strategy\"p\n" +
-	"\x1bRouteLookupClusterSpecifier\x12Q\n" +
-	"\x13route_lookup_config\x18\x01 \x01(\v2!.grpc.lookup.v1.RouteLookupConfigR\x11routeLookupConfigBS\n" +
-	"\x11io.grpc.lookup.v1B\x0eRlsConfigProtoP\x01Z,google.golang.org/grpc/lookup/grpc_lookup_v1b\x06proto3"
+var file_grpc_lookup_v1_rls_config_proto_rawDesc = string([]byte{
+	0x0a, 0x1f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2f, 0x76, 0x31,
+	0x2f, 0x72, 0x6c, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x0e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76,
+	0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
+	0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x22, 0x5c, 0x0a, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72,
+	0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b,
+	0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28,
+	0x09, 0x52, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x72, 0x65, 0x71, 0x75,
+	0x69, 0x72, 0x65, 0x64, 0x5f, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08,
+	0x52, 0x0d, 0x72, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x64, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x22,
+	0xf0, 0x03, 0x0a, 0x0e, 0x47, 0x72, 0x70, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64,
+	0x65, 0x72, 0x12, 0x39, 0x0a, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x23, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e,
+	0x76, 0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65,
+	0x72, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x47, 0x0a,
+	0x0a, 0x65, 0x78, 0x74, 0x72, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x28, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e,
+	0x76, 0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65,
+	0x72, 0x2e, 0x45, 0x78, 0x74, 0x72, 0x61, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x09, 0x65, 0x78, 0x74,
+	0x72, 0x61, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x35, 0x0a, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
+	0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c,
+	0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x4d, 0x61, 0x74,
+	0x63, 0x68, 0x65, 0x72, 0x52, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x55, 0x0a,
+	0x0d, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x04,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b,
+	0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69,
+	0x6c, 0x64, 0x65, 0x72, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x4b, 0x65, 0x79,
+	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x74,
+	0x4b, 0x65, 0x79, 0x73, 0x1a, 0x38, 0x0a, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07,
+	0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73,
+	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x1a, 0x51,
+	0x0a, 0x09, 0x45, 0x78, 0x74, 0x72, 0x61, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x68,
+	0x6f, 0x73, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x12,
+	0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x65, 0x74,
+	0x68, 0x6f, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f,
+	0x64, 0x1a, 0x3f, 0x0a, 0x11, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x4b, 0x65, 0x79,
+	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02,
+	0x38, 0x01, 0x22, 0x89, 0x03, 0x0a, 0x0e, 0x48, 0x74, 0x74, 0x70, 0x4b, 0x65, 0x79, 0x42, 0x75,
+	0x69, 0x6c, 0x64, 0x65, 0x72, 0x12, 0x23, 0x0a, 0x0d, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x70, 0x61,
+	0x74, 0x74, 0x65, 0x72, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x68, 0x6f,
+	0x73, 0x74, 0x50, 0x61, 0x74, 0x74, 0x65, 0x72, 0x6e, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x70, 0x61,
+	0x74, 0x68, 0x5f, 0x70, 0x61, 0x74, 0x74, 0x65, 0x72, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28,
+	0x09, 0x52, 0x0c, 0x70, 0x61, 0x74, 0x68, 0x50, 0x61, 0x74, 0x74, 0x65, 0x72, 0x6e, 0x73, 0x12,
+	0x46, 0x0a, 0x10, 0x71, 0x75, 0x65, 0x72, 0x79, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x65, 0x74,
+	0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x4d,
+	0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x52, 0x0f, 0x71, 0x75, 0x65, 0x72, 0x79, 0x50, 0x61, 0x72,
+	0x61, 0x6d, 0x65, 0x74, 0x65, 0x72, 0x73, 0x12, 0x35, 0x0a, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65,
+	0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e,
+	0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x4d, 0x61,
+	0x74, 0x63, 0x68, 0x65, 0x72, 0x52, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x55,
+	0x0a, 0x0d, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18,
+	0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f,
+	0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x4b, 0x65, 0x79, 0x42, 0x75,
+	0x69, 0x6c, 0x64, 0x65, 0x72, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x4b, 0x65,
+	0x79, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x61, 0x6e,
+	0x74, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x1a, 0x3f, 0x0a,
+	0x11, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x73, 0x45, 0x6e, 0x74,
+	0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xa6,
+	0x04, 0x0a, 0x11, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x43, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x12, 0x49, 0x0a, 0x10, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x6b, 0x65, 0x79,
+	0x62, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e,
+	0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e,
+	0x48, 0x74, 0x74, 0x70, 0x4b, 0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x52, 0x0f,
+	0x68, 0x74, 0x74, 0x70, 0x4b, 0x65, 0x79, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x73, 0x12,
+	0x49, 0x0a, 0x10, 0x67, 0x72, 0x70, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x62, 0x75, 0x69, 0x6c, 0x64,
+	0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x67, 0x72, 0x70, 0x63,
+	0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x72, 0x70, 0x63, 0x4b,
+	0x65, 0x79, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x52, 0x0f, 0x67, 0x72, 0x70, 0x63, 0x4b,
+	0x65, 0x79, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x6c, 0x6f,
+	0x6f, 0x6b, 0x75, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0d, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
+	0x65, 0x12, 0x4f, 0x0a, 0x16, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76,
+	0x69, 0x63, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x14, 0x6c, 0x6f,
+	0x6f, 0x6b, 0x75, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x6f,
+	0x75, 0x74, 0x12, 0x32, 0x0a, 0x07, 0x6d, 0x61, 0x78, 0x5f, 0x61, 0x67, 0x65, 0x18, 0x05, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06,
+	0x6d, 0x61, 0x78, 0x41, 0x67, 0x65, 0x12, 0x36, 0x0a, 0x09, 0x73, 0x74, 0x61, 0x6c, 0x65, 0x5f,
+	0x61, 0x67, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x73, 0x74, 0x61, 0x6c, 0x65, 0x41, 0x67, 0x65, 0x12, 0x28,
+	0x0a, 0x10, 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x5f, 0x62, 0x79, 0x74,
+	0x65, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x63, 0x61, 0x63, 0x68, 0x65, 0x53,
+	0x69, 0x7a, 0x65, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x76, 0x61, 0x6c, 0x69,
+	0x64, 0x5f, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x0c, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x12, 0x25, 0x0a,
+	0x0e, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18,
+	0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x54, 0x61,
+	0x72, 0x67, 0x65, 0x74, 0x4a, 0x04, 0x08, 0x0a, 0x10, 0x0b, 0x52, 0x1b, 0x72, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x5f, 0x70, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x5f, 0x73,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x22, 0x70, 0x0a, 0x1b, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x53, 0x70, 0x65,
+	0x63, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x51, 0x0a, 0x13, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f,
+	0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75,
+	0x70, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x4c, 0x6f, 0x6f, 0x6b, 0x75, 0x70,
+	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x11, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x4c, 0x6f, 0x6f,
+	0x6b, 0x75, 0x70, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x53, 0x0a, 0x11, 0x69, 0x6f, 0x2e,
+	0x67, 0x72, 0x70, 0x63, 0x2e, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2e, 0x76, 0x31, 0x42, 0x0e,
+	0x52, 0x6c, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
+	0x5a, 0x2c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2e,
+	0x6f, 0x72, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63, 0x2f, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x2f,
+	0x67, 0x72, 0x70, 0x63, 0x5f, 0x6c, 0x6f, 0x6f, 0x6b, 0x75, 0x70, 0x5f, 0x76, 0x31, 0x62, 0x06,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_grpc_lookup_v1_rls_config_proto_rawDescOnce sync.Once
diff --git a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
index 20b8fb098ac..c0e22757727 100644
--- a/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
+++ b/vendor/google.golang.org/grpc/internal/resolver/delegatingresolver/delegatingresolver.go
@@ -186,15 +186,23 @@ func (r *delegatingResolver) Close() {
 	r.proxyResolver = nil
 }
 
-func needsProxyResolver(state *resolver.State) bool {
+func networkTypeFromAddr(addr resolver.Address) string {
+	networkType, ok := networktype.Get(addr)
+	if !ok {
+		networkType, _ = transport.ParseDialTarget(addr.Addr)
+	}
+	return networkType
+}
+
+func isTCPAddressPresent(state *resolver.State) bool {
 	for _, addr := range state.Addresses {
-		if !skipProxy(addr) {
+		if networkType := networkTypeFromAddr(addr); networkType == "tcp" {
 			return true
 		}
 	}
 	for _, endpoint := range state.Endpoints {
 		for _, addr := range endpoint.Addresses {
-			if !skipProxy(addr) {
+			if networktype := networkTypeFromAddr(addr); networktype == "tcp" {
 				return true
 			}
 		}
@@ -202,29 +210,6 @@ func needsProxyResolver(state *resolver.State) bool {
 	return false
 }
 
-func skipProxy(address resolver.Address) bool {
-	// Avoid proxy when network is not tcp.
-	networkType, ok := networktype.Get(address)
-	if !ok {
-		networkType, _ = transport.ParseDialTarget(address.Addr)
-	}
-	if networkType != "tcp" {
-		return true
-	}
-
-	req := &http.Request{URL: &url.URL{
-		Scheme: "https",
-		Host:   address.Addr,
-	}}
-	// Avoid proxy when address included in `NO_PROXY` environment variable or
-	// fails to get the proxy address.
-	url, err := HTTPSProxyFromEnvironment(req)
-	if err != nil || url == nil {
-		return true
-	}
-	return false
-}
-
 // updateClientConnStateLocked constructs a combined list of addresses by
 // pairing each proxy address with every target address of type TCP. For each
 // pair, it creates a new [resolver.Address] using the proxy address and
@@ -255,7 +240,8 @@ func (r *delegatingResolver) updateClientConnStateLocked() error {
 	}
 	var addresses []resolver.Address
 	for _, targetAddr := range (*r.targetResolverState).Addresses {
-		if skipProxy(targetAddr) {
+		// Avoid proxy when network is not tcp.
+		if networkType := networkTypeFromAddr(targetAddr); networkType != "tcp" {
 			addresses = append(addresses, targetAddr)
 			continue
 		}
@@ -273,7 +259,7 @@ func (r *delegatingResolver) updateClientConnStateLocked() error {
 		var addrs []resolver.Address
 		for _, targetAddr := range endpt.Addresses {
 			// Avoid proxy when network is not tcp.
-			if skipProxy(targetAddr) {
+			if networkType := networkTypeFromAddr(targetAddr); networkType != "tcp" {
 				addrs = append(addrs, targetAddr)
 				continue
 			}
@@ -354,10 +340,9 @@ func (r *delegatingResolver) updateTargetResolverState(state resolver.State) err
 		logger.Infof("Addresses received from target resolver: %v", state.Addresses)
 	}
 	r.targetResolverState = &state
-	// If all addresses returned by the target resolver have a non-TCP network
-	// type, or are listed in the `NO_PROXY` environment variable, do not wait
-	// for proxy update.
-	if !needsProxyResolver(r.targetResolverState) {
+	// If no addresses returned by resolver have network type as tcp , do not
+	// wait for proxy update.
+	if !isTCPAddressPresent(r.targetResolverState) {
 		return r.cc.UpdateState(*r.targetResolverState)
 	}
 
diff --git a/vendor/google.golang.org/grpc/internal/ringhash/ringhash.go b/vendor/google.golang.org/grpc/internal/ringhash/ringhash.go
deleted file mode 100644
index c75ac1ce69c..00000000000
--- a/vendor/google.golang.org/grpc/internal/ringhash/ringhash.go
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- *
- * Copyright 2025 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-// Package ringhash (internal) contains functions and types that need to be
-// shared by the ring hash balancer and other gRPC code (such as xDS)
-// without being exported.
-package ringhash
-
-import (
-	"context"
-
-	"google.golang.org/grpc/serviceconfig"
-)
-
-// LBConfig is the balancer config for ring_hash balancer.
-type LBConfig struct {
-	serviceconfig.LoadBalancingConfig `json:"-"`
-
-	MinRingSize       uint64 `json:"minRingSize,omitempty"`
-	MaxRingSize       uint64 `json:"maxRingSize,omitempty"`
-	RequestHashHeader string `json:"requestHashHeader,omitempty"`
-}
-
-// xdsHashKey is the type used as the key to store request hash in the context
-// used when combining the Ring Hash load balancing policy with xDS.
-type xdsHashKey struct{}
-
-// XDSRequestHash returns the request hash in the context and true if it was set
-// from the xDS config selector. If the xDS config selector has not set the hash,
-// it returns 0 and false.
-func XDSRequestHash(ctx context.Context) (uint64, bool) {
-	requestHash := ctx.Value(xdsHashKey{})
-	if requestHash == nil {
-		return 0, false
-	}
-	return requestHash.(uint64), true
-}
-
-// SetXDSRequestHash adds the request hash to the context for use in Ring Hash
-// Load Balancing using xDS route hash_policy.
-func SetXDSRequestHash(ctx context.Context, requestHash uint64) context.Context {
-	return context.WithValue(ctx, xdsHashKey{}, requestHash)
-}
diff --git a/vendor/google.golang.org/grpc/internal/status/status.go b/vendor/google.golang.org/grpc/internal/status/status.go
index aad171cd027..1186f1e9a9a 100644
--- a/vendor/google.golang.org/grpc/internal/status/status.go
+++ b/vendor/google.golang.org/grpc/internal/status/status.go
@@ -236,11 +236,3 @@ func IsRestrictedControlPlaneCode(s *Status) bool {
 	}
 	return false
 }
-
-// RawStatusProto returns the internal protobuf message for use by gRPC itself.
-func RawStatusProto(s *Status) *spb.Status {
-	if s == nil {
-		return nil
-	}
-	return s.s
-}
diff --git a/vendor/google.golang.org/grpc/internal/transport/client_stream.go b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
index ccc0e017e5e..8ed347c5419 100644
--- a/vendor/google.golang.org/grpc/internal/transport/client_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/client_stream.go
@@ -59,7 +59,7 @@ func (s *ClientStream) Read(n int) (mem.BufferSlice, error) {
 	return b, err
 }
 
-// Close closes the stream and propagates err to any readers.
+// Close closes the stream and popagates err to any readers.
 func (s *ClientStream) Close(err error) {
 	var (
 		rst     bool
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_client.go b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
index ef56592b944..e12ea02ac8c 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_client.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_client.go
@@ -545,7 +545,7 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 		Method:   callHdr.Method,
 		AuthInfo: t.authInfo,
 	}
-	ctxWithRequestInfo := credentials.NewContextWithRequestInfo(ctx, ri)
+	ctxWithRequestInfo := icredentials.NewRequestInfoContext(ctx, ri)
 	authData, err := t.getTrAuthData(ctxWithRequestInfo, aud)
 	if err != nil {
 		return nil, err
@@ -592,9 +592,6 @@ func (t *http2Client) createHeaderFields(ctx context.Context, callHdr *CallHdr)
 		// Send out timeout regardless its value. The server can detect timeout context by itself.
 		// TODO(mmukhi): Perhaps this field should be updated when actually writing out to the wire.
 		timeout := time.Until(dl)
-		if timeout <= 0 {
-			return nil, status.Error(codes.DeadlineExceeded, context.DeadlineExceeded.Error())
-		}
 		headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-timeout", Value: grpcutil.EncodeDuration(timeout)})
 	}
 	for k, v := range authData {
@@ -752,25 +749,6 @@ func (t *http2Client) NewStream(ctx context.Context, callHdr *CallHdr) (*ClientS
 		callHdr = &newCallHdr
 	}
 
-	// The authority specified via the `CallAuthority` CallOption takes the
-	// highest precedence when determining the `:authority` header. It overrides
-	// any value present in the Host field of CallHdr. Before applying this
-	// override, the authority string is validated. If the credentials do not
-	// implement the AuthorityValidator interface, or if validation fails, the
-	// RPC is failed with a status code of `UNAVAILABLE`.
-	if callHdr.Authority != "" {
-		auth, ok := t.authInfo.(credentials.AuthorityValidator)
-		if !ok {
-			return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "credentials type %q does not implement the AuthorityValidator interface, but authority override specified with CallAuthority call option", t.authInfo.AuthType())}
-		}
-		if err := auth.ValidateAuthority(callHdr.Authority); err != nil {
-			return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "failed to validate authority %q : %v", callHdr.Authority, err)}
-		}
-		newCallHdr := *callHdr
-		newCallHdr.Host = callHdr.Authority
-		callHdr = &newCallHdr
-	}
-
 	headerFields, err := t.createHeaderFields(ctx, callHdr)
 	if err != nil {
 		return nil, &NewStreamError{Err: err, AllowTransparentRetry: false}
@@ -1264,8 +1242,7 @@ func (t *http2Client) handleRSTStream(f *http2.RSTStreamFrame) {
 			statusCode = codes.DeadlineExceeded
 		}
 	}
-	st := status.Newf(statusCode, "stream terminated by RST_STREAM with error code: %v", f.ErrCode)
-	t.closeStream(s, st.Err(), false, http2.ErrCodeNo, st, nil, false)
+	t.closeStream(s, io.EOF, false, http2.ErrCodeNo, status.Newf(statusCode, "stream terminated by RST_STREAM with error code: %v", f.ErrCode), nil, false)
 }
 
 func (t *http2Client) handleSettings(f *http2.SettingsFrame, isFirst bool) {
@@ -1413,7 +1390,8 @@ func (t *http2Client) handleGoAway(f *http2.GoAwayFrame) error {
 // the caller.
 func (t *http2Client) setGoAwayReason(f *http2.GoAwayFrame) {
 	t.goAwayReason = GoAwayNoReason
-	if f.ErrCode == http2.ErrCodeEnhanceYourCalm {
+	switch f.ErrCode {
+	case http2.ErrCodeEnhanceYourCalm:
 		if string(f.DebugData()) == "too_many_pings" {
 			t.goAwayReason = GoAwayTooManyPings
 		}
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
index e4c3731bdb0..997b0a59b58 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
@@ -35,11 +35,9 @@ import (
 
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/hpack"
-	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/internal/grpclog"
 	"google.golang.org/grpc/internal/grpcutil"
 	"google.golang.org/grpc/internal/pretty"
-	istatus "google.golang.org/grpc/internal/status"
 	"google.golang.org/grpc/internal/syscall"
 	"google.golang.org/grpc/mem"
 	"google.golang.org/protobuf/proto"
@@ -600,22 +598,6 @@ func (t *http2Server) operateHeaders(ctx context.Context, frame *http2.MetaHeade
 	if len(t.activeStreams) == 1 {
 		t.idle = time.Time{}
 	}
-	// Start a timer to close the stream on reaching the deadline.
-	if timeoutSet {
-		// We need to wait for s.cancel to be updated before calling
-		// t.closeStream to avoid data races.
-		cancelUpdated := make(chan struct{})
-		timer := internal.TimeAfterFunc(timeout, func() {
-			<-cancelUpdated
-			t.closeStream(s, true, http2.ErrCodeCancel, false)
-		})
-		oldCancel := s.cancel
-		s.cancel = func() {
-			oldCancel()
-			timer.Stop()
-		}
-		close(cancelUpdated)
-	}
 	t.mu.Unlock()
 	if channelz.IsOn() {
 		t.channelz.SocketMetrics.StreamsStarted.Add(1)
@@ -1056,7 +1038,7 @@ func (t *http2Server) writeHeaderLocked(s *ServerStream) error {
 	return nil
 }
 
-// writeStatus sends stream status to the client and terminates the stream.
+// WriteStatus sends stream status to the client and terminates the stream.
 // There is no further I/O operations being able to perform on this stream.
 // TODO(zhaoq): Now it indicates the end of entire stream. Revisit if early
 // OK is adopted.
@@ -1084,7 +1066,7 @@ func (t *http2Server) writeStatus(s *ServerStream, st *status.Status) error {
 	headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-status", Value: strconv.Itoa(int(st.Code()))})
 	headerFields = append(headerFields, hpack.HeaderField{Name: "grpc-message", Value: encodeGrpcMessage(st.Message())})
 
-	if p := istatus.RawStatusProto(st); len(p.GetDetails()) > 0 {
+	if p := st.Proto(); p != nil && len(p.Details) > 0 {
 		// Do not use the user's grpc-status-details-bin (if present) if we are
 		// even attempting to set our own.
 		delete(s.trailer, grpcStatusDetailsBinHeader)
@@ -1292,6 +1274,7 @@ func (t *http2Server) Close(err error) {
 
 // deleteStream deletes the stream s from transport's active streams.
 func (t *http2Server) deleteStream(s *ServerStream, eosReceived bool) {
+
 	t.mu.Lock()
 	if _, ok := t.activeStreams[s.id]; ok {
 		delete(t.activeStreams, s.id)
@@ -1341,10 +1324,7 @@ func (t *http2Server) closeStream(s *ServerStream, rst bool, rstCode http2.ErrCo
 	// called to interrupt the potential blocking on other goroutines.
 	s.cancel()
 
-	oldState := s.swapState(streamDone)
-	if oldState == streamDone {
-		return
-	}
+	s.swapState(streamDone)
 	t.deleteStream(s, eosReceived)
 
 	t.controlBuf.put(&cleanupStream{
diff --git a/vendor/google.golang.org/grpc/internal/transport/http_util.go b/vendor/google.golang.org/grpc/internal/transport/http_util.go
index 607d2c4cee0..f997f9fdb5d 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http_util.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http_util.go
@@ -196,14 +196,11 @@ func decodeTimeout(s string) (time.Duration, error) {
 	if !ok {
 		return 0, fmt.Errorf("transport: timeout unit is not recognized: %q", s)
 	}
-	t, err := strconv.ParseUint(s[:size-1], 10, 64)
+	t, err := strconv.ParseInt(s[:size-1], 10, 64)
 	if err != nil {
 		return 0, err
 	}
-	if t == 0 {
-		return 0, fmt.Errorf("transport: timeout must be positive: %q", s)
-	}
-	const maxHours = math.MaxInt64 / uint64(time.Hour)
+	const maxHours = math.MaxInt64 / int64(time.Hour)
 	if d == time.Hour && t > maxHours {
 		// This timeout would overflow math.MaxInt64; clamp it.
 		return time.Duration(math.MaxInt64), nil
diff --git a/vendor/google.golang.org/grpc/internal/transport/server_stream.go b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
index cf8da0b52d0..a22a9015149 100644
--- a/vendor/google.golang.org/grpc/internal/transport/server_stream.go
+++ b/vendor/google.golang.org/grpc/internal/transport/server_stream.go
@@ -35,10 +35,8 @@ type ServerStream struct {
 	*Stream // Embed for common stream functionality.
 
 	st      internalServerTransport
-	ctxDone <-chan struct{} // closed at the end of stream.  Cache of ctx.Done() (for performance)
-	// cancel is invoked at the end of stream to cancel ctx. It also stops the
-	// timer for monitoring the rpc deadline if configured.
-	cancel func()
+	ctxDone <-chan struct{}    // closed at the end of stream.  Cache of ctx.Done() (for performance)
+	cancel  context.CancelFunc // invoked at the end of stream to cancel ctx.
 
 	// Holds compressor names passed in grpc-accept-encoding metadata from the
 	// client.
diff --git a/vendor/google.golang.org/grpc/internal/transport/transport.go b/vendor/google.golang.org/grpc/internal/transport/transport.go
index 1730a639f9d..af4a4aeab14 100644
--- a/vendor/google.golang.org/grpc/internal/transport/transport.go
+++ b/vendor/google.golang.org/grpc/internal/transport/transport.go
@@ -540,11 +540,6 @@ type CallHdr struct {
 	PreviousAttempts int // value of grpc-previous-rpc-attempts header to set
 
 	DoneFunc func() // called when the stream is finished
-
-	// Authority is used to explicitly override the `:authority` header. If set,
-	// this value takes precedence over the Host field and will be used as the
-	// value for the `:authority` header.
-	Authority string
 }
 
 // ClientTransport is the common interface for all gRPC client-side transport
diff --git a/vendor/google.golang.org/grpc/internal/xds/bootstrap/bootstrap.go b/vendor/google.golang.org/grpc/internal/xds/bootstrap/bootstrap.go
index 142e803930e..69b7ee80dc8 100644
--- a/vendor/google.golang.org/grpc/internal/xds/bootstrap/bootstrap.go
+++ b/vendor/google.golang.org/grpc/internal/xds/bootstrap/bootstrap.go
@@ -206,7 +206,7 @@ func (sc *ServerConfig) ServerFeatures() []string {
 //
 // This feature controls the behavior of the xDS client when the server deletes
 // a previously sent Listener or Cluster resource. If set, the xDS client will
-// not invoke the watchers' ResourceError() method when a resource is
+// not invoke the watchers' OnResourceDoesNotExist() method when a resource is
 // deleted, nor will it remove the existing resource value from its cache.
 func (sc *ServerConfig) ServerFeaturesIgnoreResourceDeletion() bool {
 	for _, sf := range sc.serverFeatures {
diff --git a/vendor/google.golang.org/grpc/internal/xds/bootstrap/tlscreds/bundle.go b/vendor/google.golang.org/grpc/internal/xds/bootstrap/tlscreds/bundle.go
index dda233137e9..ed90720b581 100644
--- a/vendor/google.golang.org/grpc/internal/xds/bootstrap/tlscreds/bundle.go
+++ b/vendor/google.golang.org/grpc/internal/xds/bootstrap/tlscreds/bundle.go
@@ -23,20 +23,15 @@ package tlscreds
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
 	"sync"
-	"time"
 
-	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/tls/certprovider"
 	"google.golang.org/grpc/credentials/tls/certprovider/pemfile"
-	"google.golang.org/grpc/internal/credentials/spiffe"
-	"google.golang.org/grpc/internal/envconfig"
 )
 
 // bundle is an implementation of credentials.Bundle which implements mTLS
@@ -53,10 +48,9 @@ type bundle struct {
 // See gRFC A65: github.com/grpc/proposal/blob/master/A65-xds-mtls-creds-in-bootstrap.md
 func NewBundle(jd json.RawMessage) (credentials.Bundle, func(), error) {
 	cfg := &struct {
-		CertificateFile          string `json:"certificate_file"`
-		CACertificateFile        string `json:"ca_certificate_file"`
-		PrivateKeyFile           string `json:"private_key_file"`
-		SPIFFETrustBundleMapFile string `json:"spiffe_trust_bundle_map_file"`
+		CertificateFile   string `json:"certificate_file"`
+		CACertificateFile string `json:"ca_certificate_file"`
+		PrivateKeyFile    string `json:"private_key_file"`
 	}{}
 
 	if jd != nil {
@@ -65,10 +59,7 @@ func NewBundle(jd json.RawMessage) (credentials.Bundle, func(), error) {
 		}
 	} // Else the config field is absent. Treat it as an empty config.
 
-	if !envconfig.XDSSPIFFEEnabled {
-		cfg.SPIFFETrustBundleMapFile = ""
-	}
-	if cfg.CACertificateFile == "" && cfg.CertificateFile == "" && cfg.PrivateKeyFile == "" && cfg.SPIFFETrustBundleMapFile == "" {
+	if cfg.CACertificateFile == "" && cfg.CertificateFile == "" && cfg.PrivateKeyFile == "" {
 		// We cannot use (and do not need) a file_watcher provider in this case,
 		// and can simply directly use the TLS transport credentials.
 		// Quoting A65:
@@ -78,8 +69,6 @@ func NewBundle(jd json.RawMessage) (credentials.Bundle, func(), error) {
 		// > provider, at least one of the "certificate_file" or
 		// > "ca_certificate_file" fields must be specified, whereas in this
 		// > configuration, it is acceptable to specify neither one.
-		// Further, with the introduction of SPIFFE Trust Map support, we also
-		// check for this value.
 		return &bundle{transportCredentials: credentials.NewTLS(&tls.Config{})}, func() {}, nil
 	}
 	// Otherwise we need to use a file_watcher provider to watch the CA,
@@ -125,18 +114,9 @@ func (c *reloadingCreds) ClientHandshake(ctx context.Context, authority string,
 	if err != nil {
 		return nil, nil, err
 	}
-	var config *tls.Config
-	if km.SPIFFEBundleMap != nil {
-		config = &tls.Config{
-			InsecureSkipVerify:    true,
-			VerifyPeerCertificate: buildSPIFFEVerifyFunc(km.SPIFFEBundleMap),
-			Certificates:          km.Certs,
-		}
-	} else {
-		config = &tls.Config{
-			RootCAs:      km.Roots,
-			Certificates: km.Certs,
-		}
+	config := &tls.Config{
+		RootCAs:      km.Roots,
+		Certificates: km.Certs,
 	}
 	return credentials.NewTLS(config).ClientHandshake(ctx, authority, rawConn)
 }
@@ -156,39 +136,3 @@ func (c *reloadingCreds) OverrideServerName(string) error {
 func (c *reloadingCreds) ServerHandshake(net.Conn) (net.Conn, credentials.AuthInfo, error) {
 	return nil, nil, errors.New("server handshake is not supported by xDS client TLS credentials")
 }
-
-func buildSPIFFEVerifyFunc(spiffeBundleMap map[string]*spiffebundle.Bundle) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
-		rawCertList := make([]*x509.Certificate, len(rawCerts))
-		for i, asn1Data := range rawCerts {
-			cert, err := x509.ParseCertificate(asn1Data)
-			if err != nil {
-				return fmt.Errorf("spiffe: verify function could not parse input certificate: %v", err)
-			}
-			rawCertList[i] = cert
-		}
-		if len(rawCertList) == 0 {
-			return fmt.Errorf("spiffe: verify function has no valid input certificates")
-		}
-		leafCert := rawCertList[0]
-		roots, err := spiffe.GetRootsFromSPIFFEBundleMap(spiffeBundleMap, leafCert)
-		if err != nil {
-			return err
-		}
-
-		opts := x509.VerifyOptions{
-			Roots:         roots,
-			CurrentTime:   time.Now(),
-			Intermediates: x509.NewCertPool(),
-		}
-
-		for _, cert := range rawCertList[1:] {
-			opts.Intermediates.AddCert(cert)
-		}
-		// The verified chain is (surprisingly) unused.
-		if _, err = rawCertList[0].Verify(opts); err != nil {
-			return fmt.Errorf("spiffe: x509 certificate Verify failed: %v", err)
-		}
-		return nil
-	}
-}
diff --git a/vendor/google.golang.org/grpc/resolver/manual/manual.go b/vendor/google.golang.org/grpc/resolver/manual/manual.go
index 82fcc2e35fd..09e864a89d3 100644
--- a/vendor/google.golang.org/grpc/resolver/manual/manual.go
+++ b/vendor/google.golang.org/grpc/resolver/manual/manual.go
@@ -62,7 +62,7 @@ type Resolver struct {
 	// Fields actually belong to the resolver.
 	// Guards access to below fields.
 	mu sync.Mutex
-	cc resolver.ClientConn
+	CC resolver.ClientConn
 	// Storing the most recent state update makes this resolver resilient to
 	// restarts, which is possible with channel idleness.
 	lastSeenState *resolver.State
@@ -78,12 +78,12 @@ func (r *Resolver) InitialState(s resolver.State) {
 func (r *Resolver) Build(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOptions) (resolver.Resolver, error) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	// Call BuildCallback after locking to avoid a race when UpdateState or CC
-	// is called before Build returns.
+	// Call BuildCallback after locking to avoid a race when UpdateState
+	// or ReportError is called before Build returns.
 	r.BuildCallback(target, cc, opts)
-	r.cc = cc
+	r.CC = cc
 	if r.lastSeenState != nil {
-		err := r.cc.UpdateState(*r.lastSeenState)
+		err := r.CC.UpdateState(*r.lastSeenState)
 		go r.UpdateStateCallback(err)
 	}
 	return r, nil
@@ -104,27 +104,25 @@ func (r *Resolver) Close() {
 	r.CloseCallback()
 }
 
-// UpdateState calls UpdateState(s) on the channel.  If the resolver has not
-// been Built before, this instead sets the initial state of the resolver, like
-// InitialState.
+// UpdateState calls CC.UpdateState.
 func (r *Resolver) UpdateState(s resolver.State) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	r.lastSeenState = &s
-	if r.cc == nil {
-		return
+	var err error
+	if r.CC == nil {
+		panic("cannot update state as grpc.Dial with resolver has not been called")
 	}
-	err := r.cc.UpdateState(s)
+	err = r.CC.UpdateState(s)
+	r.lastSeenState = &s
 	r.UpdateStateCallback(err)
 }
 
-// CC returns r's ClientConn when r was last Built.  Panics if the resolver has
-// not been Built before.
-func (r *Resolver) CC() resolver.ClientConn {
+// ReportError calls CC.ReportError.
+func (r *Resolver) ReportError(err error) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	if r.cc == nil {
-		panic("Manual resolver instance has not yet been built.")
+	if r.CC == nil {
+		panic("cannot report error as grpc.Dial with resolver has not been called")
 	}
-	return r.cc
+	r.CC.ReportError(err)
 }
diff --git a/vendor/google.golang.org/grpc/resolver/map.go b/vendor/google.golang.org/grpc/resolver/map.go
index c3c15ac96f1..975b499706a 100644
--- a/vendor/google.golang.org/grpc/resolver/map.go
+++ b/vendor/google.golang.org/grpc/resolver/map.go
@@ -24,22 +24,16 @@ import (
 	"strings"
 )
 
-type addressMapEntry[T any] struct {
+type addressMapEntry struct {
 	addr  Address
-	value T
+	value any
 }
 
-// AddressMap is an AddressMapV2[any].  It will be deleted in an upcoming
-// release of grpc-go.
-//
-// Deprecated: use the generic AddressMapV2 type instead.
-type AddressMap = AddressMapV2[any]
-
-// AddressMapV2 is a map of addresses to arbitrary values taking into account
+// AddressMap is a map of addresses to arbitrary values taking into account
 // Attributes.  BalancerAttributes are ignored, as are Metadata and Type.
 // Multiple accesses may not be performed concurrently.  Must be created via
 // NewAddressMap; do not construct directly.
-type AddressMapV2[T any] struct {
+type AddressMap struct {
 	// The underlying map is keyed by an Address with fields that we don't care
 	// about being set to their zero values. The only fields that we care about
 	// are `Addr`, `ServerName` and `Attributes`. Since we need to be able to
@@ -53,30 +47,23 @@ type AddressMapV2[T any] struct {
 	// The value type of the map contains a slice of addresses which match the key
 	// in their `Addr` and `ServerName` fields and contain the corresponding value
 	// associated with them.
-	m map[Address]addressMapEntryList[T]
+	m map[Address]addressMapEntryList
 }
 
 func toMapKey(addr *Address) Address {
 	return Address{Addr: addr.Addr, ServerName: addr.ServerName}
 }
 
-type addressMapEntryList[T any] []*addressMapEntry[T]
+type addressMapEntryList []*addressMapEntry
 
-// NewAddressMap creates a new AddressMapV2[any].
-//
-// Deprecated: use the generic NewAddressMapV2 constructor instead.
+// NewAddressMap creates a new AddressMap.
 func NewAddressMap() *AddressMap {
-	return NewAddressMapV2[any]()
-}
-
-// NewAddressMapV2 creates a new AddressMapV2.
-func NewAddressMapV2[T any]() *AddressMapV2[T] {
-	return &AddressMapV2[T]{m: make(map[Address]addressMapEntryList[T])}
+	return &AddressMap{m: make(map[Address]addressMapEntryList)}
 }
 
 // find returns the index of addr in the addressMapEntry slice, or -1 if not
 // present.
-func (l addressMapEntryList[T]) find(addr Address) int {
+func (l addressMapEntryList) find(addr Address) int {
 	for i, entry := range l {
 		// Attributes are the only thing to match on here, since `Addr` and
 		// `ServerName` are already equal.
@@ -88,28 +75,28 @@ func (l addressMapEntryList[T]) find(addr Address) int {
 }
 
 // Get returns the value for the address in the map, if present.
-func (a *AddressMapV2[T]) Get(addr Address) (value T, ok bool) {
+func (a *AddressMap) Get(addr Address) (value any, ok bool) {
 	addrKey := toMapKey(&addr)
 	entryList := a.m[addrKey]
 	if entry := entryList.find(addr); entry != -1 {
 		return entryList[entry].value, true
 	}
-	return value, false
+	return nil, false
 }
 
 // Set updates or adds the value to the address in the map.
-func (a *AddressMapV2[T]) Set(addr Address, value T) {
+func (a *AddressMap) Set(addr Address, value any) {
 	addrKey := toMapKey(&addr)
 	entryList := a.m[addrKey]
 	if entry := entryList.find(addr); entry != -1 {
 		entryList[entry].value = value
 		return
 	}
-	a.m[addrKey] = append(entryList, &addressMapEntry[T]{addr: addr, value: value})
+	a.m[addrKey] = append(entryList, &addressMapEntry{addr: addr, value: value})
 }
 
 // Delete removes addr from the map.
-func (a *AddressMapV2[T]) Delete(addr Address) {
+func (a *AddressMap) Delete(addr Address) {
 	addrKey := toMapKey(&addr)
 	entryList := a.m[addrKey]
 	entry := entryList.find(addr)
@@ -126,7 +113,7 @@ func (a *AddressMapV2[T]) Delete(addr Address) {
 }
 
 // Len returns the number of entries in the map.
-func (a *AddressMapV2[T]) Len() int {
+func (a *AddressMap) Len() int {
 	ret := 0
 	for _, entryList := range a.m {
 		ret += len(entryList)
@@ -135,7 +122,7 @@ func (a *AddressMapV2[T]) Len() int {
 }
 
 // Keys returns a slice of all current map keys.
-func (a *AddressMapV2[T]) Keys() []Address {
+func (a *AddressMap) Keys() []Address {
 	ret := make([]Address, 0, a.Len())
 	for _, entryList := range a.m {
 		for _, entry := range entryList {
@@ -146,8 +133,8 @@ func (a *AddressMapV2[T]) Keys() []Address {
 }
 
 // Values returns a slice of all current map values.
-func (a *AddressMapV2[T]) Values() []T {
-	ret := make([]T, 0, a.Len())
+func (a *AddressMap) Values() []any {
+	ret := make([]any, 0, a.Len())
 	for _, entryList := range a.m {
 		for _, entry := range entryList {
 			ret = append(ret, entry.value)
@@ -162,21 +149,21 @@ type endpointMapKey string
 // unordered set of address strings within an endpoint. This map is not thread
 // safe, thus it is unsafe to access concurrently. Must be created via
 // NewEndpointMap; do not construct directly.
-type EndpointMap[T any] struct {
-	endpoints map[endpointMapKey]endpointData[T]
+type EndpointMap struct {
+	endpoints map[endpointMapKey]endpointData
 }
 
-type endpointData[T any] struct {
+type endpointData struct {
 	// decodedKey stores the original key to avoid decoding when iterating on
 	// EndpointMap keys.
 	decodedKey Endpoint
-	value      T
+	value      any
 }
 
 // NewEndpointMap creates a new EndpointMap.
-func NewEndpointMap[T any]() *EndpointMap[T] {
-	return &EndpointMap[T]{
-		endpoints: make(map[endpointMapKey]endpointData[T]),
+func NewEndpointMap() *EndpointMap {
+	return &EndpointMap{
+		endpoints: make(map[endpointMapKey]endpointData),
 	}
 }
 
@@ -196,25 +183,25 @@ func encodeEndpoint(e Endpoint) endpointMapKey {
 }
 
 // Get returns the value for the address in the map, if present.
-func (em *EndpointMap[T]) Get(e Endpoint) (value T, ok bool) {
+func (em *EndpointMap) Get(e Endpoint) (value any, ok bool) {
 	val, found := em.endpoints[encodeEndpoint(e)]
 	if found {
 		return val.value, true
 	}
-	return value, false
+	return nil, false
 }
 
 // Set updates or adds the value to the address in the map.
-func (em *EndpointMap[T]) Set(e Endpoint, value T) {
+func (em *EndpointMap) Set(e Endpoint, value any) {
 	en := encodeEndpoint(e)
-	em.endpoints[en] = endpointData[T]{
+	em.endpoints[en] = endpointData{
 		decodedKey: Endpoint{Addresses: e.Addresses},
 		value:      value,
 	}
 }
 
 // Len returns the number of entries in the map.
-func (em *EndpointMap[T]) Len() int {
+func (em *EndpointMap) Len() int {
 	return len(em.endpoints)
 }
 
@@ -223,7 +210,7 @@ func (em *EndpointMap[T]) Len() int {
 // the unordered set of addresses. Thus, endpoint information returned is not
 // the full endpoint data (drops duplicated addresses and attributes) but can be
 // used for EndpointMap accesses.
-func (em *EndpointMap[T]) Keys() []Endpoint {
+func (em *EndpointMap) Keys() []Endpoint {
 	ret := make([]Endpoint, 0, len(em.endpoints))
 	for _, en := range em.endpoints {
 		ret = append(ret, en.decodedKey)
@@ -232,8 +219,8 @@ func (em *EndpointMap[T]) Keys() []Endpoint {
 }
 
 // Values returns a slice of all current map values.
-func (em *EndpointMap[T]) Values() []T {
-	ret := make([]T, 0, len(em.endpoints))
+func (em *EndpointMap) Values() []any {
+	ret := make([]any, 0, len(em.endpoints))
 	for _, val := range em.endpoints {
 		ret = append(ret, val.value)
 	}
@@ -241,7 +228,7 @@ func (em *EndpointMap[T]) Values() []T {
 }
 
 // Delete removes the specified endpoint from the map.
-func (em *EndpointMap[T]) Delete(e Endpoint) {
+func (em *EndpointMap) Delete(e Endpoint) {
 	en := encodeEndpoint(e)
 	delete(em.endpoints, en)
 }
diff --git a/vendor/google.golang.org/grpc/resolver/ringhash/attr.go b/vendor/google.golang.org/grpc/resolver/ringhash/attr.go
deleted file mode 100644
index 154f0230779..00000000000
--- a/vendor/google.golang.org/grpc/resolver/ringhash/attr.go
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- *
- * Copyright 2025 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-// Package ringhash implements resolver related functions for the ring_hash
-// load balancing policy.
-package ringhash
-
-import (
-	"google.golang.org/grpc/resolver"
-)
-
-type hashKeyType string
-
-// hashKeyKey is the key to store the ring hash key attribute in
-// a resolver.Endpoint attribute.
-const hashKeyKey = hashKeyType("grpc.resolver.ringhash.hash_key")
-
-// SetHashKey sets the hash key for this endpoint. Combined with the ring_hash
-// load balancing policy, it allows placing the endpoint on the ring based on an
-// arbitrary string instead of the IP address. If hashKey is empty, the endpoint
-// is returned unmodified.
-//
-// # Experimental
-//
-// Notice: This API is EXPERIMENTAL and may be changed or removed in a
-// later release.
-func SetHashKey(endpoint resolver.Endpoint, hashKey string) resolver.Endpoint {
-	if hashKey == "" {
-		return endpoint
-	}
-	endpoint.Attributes = endpoint.Attributes.WithValue(hashKeyKey, hashKey)
-	return endpoint
-}
-
-// HashKey returns the hash key attribute of endpoint. If this attribute is
-// not set, it returns the empty string.
-//
-// # Experimental
-//
-// Notice: This API is EXPERIMENTAL and may be changed or removed in a
-// later release.
-func HashKey(endpoint resolver.Endpoint) string {
-	hashKey, _ := endpoint.Attributes.Value(hashKeyKey).(string)
-	return hashKey
-}
diff --git a/vendor/google.golang.org/grpc/rpc_util.go b/vendor/google.golang.org/grpc/rpc_util.go
index 47ea09f5c9b..ad20e9dff20 100644
--- a/vendor/google.golang.org/grpc/rpc_util.go
+++ b/vendor/google.golang.org/grpc/rpc_util.go
@@ -160,7 +160,6 @@ type callInfo struct {
 	codec                 baseCodec
 	maxRetryRPCBufferSize int
 	onFinish              []func(err error)
-	authority             string
 }
 
 func defaultCallInfo() *callInfo {
@@ -366,36 +365,6 @@ func (o MaxRecvMsgSizeCallOption) before(c *callInfo) error {
 }
 func (o MaxRecvMsgSizeCallOption) after(*callInfo, *csAttempt) {}
 
-// CallAuthority returns a CallOption that sets the HTTP/2 :authority header of
-// an RPC to the specified value. When using CallAuthority, the credentials in
-// use must implement the AuthorityValidator interface.
-//
-// # Experimental
-//
-// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
-// release.
-func CallAuthority(authority string) CallOption {
-	return AuthorityOverrideCallOption{Authority: authority}
-}
-
-// AuthorityOverrideCallOption is a CallOption that indicates the HTTP/2
-// :authority header value to use for the call.
-//
-// # Experimental
-//
-// Notice: This type is EXPERIMENTAL and may be changed or removed in a later
-// release.
-type AuthorityOverrideCallOption struct {
-	Authority string
-}
-
-func (o AuthorityOverrideCallOption) before(c *callInfo) error {
-	c.authority = o.Authority
-	return nil
-}
-
-func (o AuthorityOverrideCallOption) after(*callInfo, *csAttempt) {}
-
 // MaxCallSendMsgSize returns a CallOption which sets the maximum message size
 // in bytes the client can send. If this is not set, gRPC uses the default
 // `math.MaxInt32`.
diff --git a/vendor/google.golang.org/grpc/stats/handlers.go b/vendor/google.golang.org/grpc/stats/handlers.go
index 67194a592f2..dc03731e45e 100644
--- a/vendor/google.golang.org/grpc/stats/handlers.go
+++ b/vendor/google.golang.org/grpc/stats/handlers.go
@@ -38,15 +38,6 @@ type RPCTagInfo struct {
 	// FailFast indicates if this RPC is failfast.
 	// This field is only valid on client side, it's always false on server side.
 	FailFast bool
-	// NameResolutionDelay indicates if the RPC needed to wait for the
-	// initial name resolver update before it could begin. This should only
-	// happen if the channel is IDLE when the RPC is started.  Note that
-	// all retry or hedging attempts for an RPC that experienced a delay
-	// will have it set.
-	//
-	// This field is only valid on the client side; it is always false on
-	// the server side.
-	NameResolutionDelay bool
 }
 
 // Handler defines the interface for the related stats handling (e.g., RPCs, connections).
diff --git a/vendor/google.golang.org/grpc/stats/opentelemetry/client_metrics.go b/vendor/google.golang.org/grpc/stats/opentelemetry/client_metrics.go
index 7422bebd4f6..4fffba60fb3 100644
--- a/vendor/google.golang.org/grpc/stats/opentelemetry/client_metrics.go
+++ b/vendor/google.golang.org/grpc/stats/opentelemetry/client_metrics.go
@@ -21,23 +21,27 @@ import (
 	"sync/atomic"
 	"time"
 
-	otelattribute "go.opentelemetry.io/otel/attribute"
-	otelmetric "go.opentelemetry.io/otel/metric"
+	otelcodes "go.opentelemetry.io/otel/codes"
+	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/grpc"
+	grpccodes "google.golang.org/grpc/codes"
 	estats "google.golang.org/grpc/experimental/stats"
 	istats "google.golang.org/grpc/internal/stats"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/stats"
 	"google.golang.org/grpc/status"
+
+	otelattribute "go.opentelemetry.io/otel/attribute"
+	otelmetric "go.opentelemetry.io/otel/metric"
 )
 
-type clientMetricsHandler struct {
+type clientStatsHandler struct {
 	estats.MetricsRecorder
 	options       Options
 	clientMetrics clientMetrics
 }
 
-func (h *clientMetricsHandler) initializeMetrics() {
+func (h *clientStatsHandler) initializeMetrics() {
 	// Will set no metrics to record, logically making this stats handler a
 	// no-op.
 	if h.options.MetricsOptions.MeterProvider == nil {
@@ -67,25 +71,12 @@ func (h *clientMetricsHandler) initializeMetrics() {
 	rm.registerMetrics(metrics, meter)
 }
 
-// getOrCreateCallInfo returns the existing callInfo from context if present,
-// or creates and attaches a new one.
-func getOrCreateCallInfo(ctx context.Context, cc *grpc.ClientConn, method string, opts ...grpc.CallOption) (context.Context, *callInfo) {
-	ci := getCallInfo(ctx)
-	if ci == nil {
-		if logger.V(2) {
-			logger.Info("Creating new CallInfo since its not present in context")
-		}
-		ci = &callInfo{
-			target: cc.CanonicalTarget(),
-			method: determineMethod(method, opts...),
-		}
-		ctx = setCallInfo(ctx, ci)
+func (h *clientStatsHandler) unaryInterceptor(ctx context.Context, method string, req, reply any, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
+	ci := &callInfo{
+		target: cc.CanonicalTarget(),
+		method: h.determineMethod(method, opts...),
 	}
-	return ctx, ci
-}
-
-func (h *clientMetricsHandler) unaryInterceptor(ctx context.Context, method string, req, reply any, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
-	ctx, ci := getOrCreateCallInfo(ctx, cc, method, opts...)
+	ctx = setCallInfo(ctx, ci)
 
 	if h.options.MetricsOptions.pluginOption != nil {
 		md := h.options.MetricsOptions.pluginOption.GetMetadata()
@@ -97,15 +88,19 @@ func (h *clientMetricsHandler) unaryInterceptor(ctx context.Context, method stri
 	}
 
 	startTime := time.Now()
+	var span trace.Span
+	if h.options.isTracingEnabled() {
+		ctx, span = h.createCallTraceSpan(ctx, method)
+	}
 	err := invoker(ctx, method, req, reply, cc, opts...)
-	h.perCallMetrics(ctx, err, startTime, ci)
+	h.perCallTracesAndMetrics(ctx, err, startTime, ci, span)
 	return err
 }
 
 // determineMethod determines the method to record attributes with. This will be
 // "other" if StaticMethod isn't specified or if method filter is set and
 // specifies, the method name as is otherwise.
-func determineMethod(method string, opts ...grpc.CallOption) string {
+func (h *clientStatsHandler) determineMethod(method string, opts ...grpc.CallOption) string {
 	for _, opt := range opts {
 		if _, ok := opt.(grpc.StaticMethodCallOption); ok {
 			return removeLeadingSlash(method)
@@ -114,8 +109,12 @@ func determineMethod(method string, opts ...grpc.CallOption) string {
 	return "other"
 }
 
-func (h *clientMetricsHandler) streamInterceptor(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error) {
-	ctx, ci := getOrCreateCallInfo(ctx, cc, method, opts...)
+func (h *clientStatsHandler) streamInterceptor(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error) {
+	ci := &callInfo{
+		target: cc.CanonicalTarget(),
+		method: h.determineMethod(method, opts...),
+	}
+	ctx = setCallInfo(ctx, ci)
 
 	if h.options.MetricsOptions.pluginOption != nil {
 		md := h.options.MetricsOptions.pluginOption.GetMetadata()
@@ -127,45 +126,49 @@ func (h *clientMetricsHandler) streamInterceptor(ctx context.Context, desc *grpc
 	}
 
 	startTime := time.Now()
+	var span trace.Span
+	if h.options.isTracingEnabled() {
+		ctx, span = h.createCallTraceSpan(ctx, method)
+	}
 	callback := func(err error) {
-		h.perCallMetrics(ctx, err, startTime, ci)
+		h.perCallTracesAndMetrics(ctx, err, startTime, ci, span)
 	}
 	opts = append([]grpc.CallOption{grpc.OnFinish(callback)}, opts...)
 	return streamer(ctx, desc, cc, method, opts...)
 }
 
-// perCallMetrics records per call metrics for both unary and stream calls.
-func (h *clientMetricsHandler) perCallMetrics(ctx context.Context, err error, startTime time.Time, ci *callInfo) {
-	callLatency := float64(time.Since(startTime)) / float64(time.Second)
-	attrs := otelmetric.WithAttributeSet(otelattribute.NewSet(
-		otelattribute.String("grpc.method", ci.method),
-		otelattribute.String("grpc.target", ci.target),
-		otelattribute.String("grpc.status", canonicalString(status.Code(err))),
-	))
-	h.clientMetrics.callDuration.Record(ctx, callLatency, attrs)
+// perCallTracesAndMetrics records per call trace spans and metrics.
+func (h *clientStatsHandler) perCallTracesAndMetrics(ctx context.Context, err error, startTime time.Time, ci *callInfo, ts trace.Span) {
+	if h.options.isTracingEnabled() {
+		s := status.Convert(err)
+		if s.Code() == grpccodes.OK {
+			ts.SetStatus(otelcodes.Ok, s.Message())
+		} else {
+			ts.SetStatus(otelcodes.Error, s.Message())
+		}
+		ts.End()
+	}
+	if h.options.isMetricsEnabled() {
+		callLatency := float64(time.Since(startTime)) / float64(time.Second)
+		attrs := otelmetric.WithAttributeSet(otelattribute.NewSet(
+			otelattribute.String("grpc.method", ci.method),
+			otelattribute.String("grpc.target", ci.target),
+			otelattribute.String("grpc.status", canonicalString(status.Code(err))),
+		))
+		h.clientMetrics.callDuration.Record(ctx, callLatency, attrs)
+	}
 }
 
 // TagConn exists to satisfy stats.Handler.
-func (h *clientMetricsHandler) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
+func (h *clientStatsHandler) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
 	return ctx
 }
 
 // HandleConn exists to satisfy stats.Handler.
-func (h *clientMetricsHandler) HandleConn(context.Context, stats.ConnStats) {}
-
-// getOrCreateRPCAttemptInfo retrieves or creates an rpc attemptInfo object
-// and ensures it is set in the context along with the rpcInfo.
-func getOrCreateRPCAttemptInfo(ctx context.Context) (context.Context, *attemptInfo) {
-	ri := getRPCInfo(ctx)
-	if ri != nil {
-		return ctx, ri.ai
-	}
-	ri = &rpcInfo{ai: &attemptInfo{}}
-	return setRPCInfo(ctx, ri), ri.ai
-}
+func (h *clientStatsHandler) HandleConn(context.Context, stats.ConnStats) {}
 
-// TagRPC implements per RPC attempt context management for metrics.
-func (h *clientMetricsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
+// TagRPC implements per RPC attempt context management.
+func (h *clientStatsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
 	// Numerous stats handlers can be used for the same channel. The cluster
 	// impl balancer which writes to this will only write once, thus have this
 	// stats handler's per attempt scoped context point to the same optional
@@ -182,25 +185,34 @@ func (h *clientMetricsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInf
 		}
 		ctx = istats.SetLabels(ctx, labels)
 	}
-	ctx, ai := getOrCreateRPCAttemptInfo(ctx)
-	ai.startTime = time.Now()
-	ai.xdsLabels = labels.TelemetryLabels
-	ai.method = removeLeadingSlash(info.FullMethodName)
-
-	return setRPCInfo(ctx, &rpcInfo{ai: ai})
+	ai := &attemptInfo{
+		startTime: time.Now(),
+		xdsLabels: labels.TelemetryLabels,
+		method:    removeLeadingSlash(info.FullMethodName),
+	}
+	if h.options.isTracingEnabled() {
+		ctx, ai = h.traceTagRPC(ctx, ai)
+	}
+	return setRPCInfo(ctx, &rpcInfo{
+		ai: ai,
+	})
 }
 
-// HandleRPC handles per RPC stats implementation.
-func (h *clientMetricsHandler) HandleRPC(ctx context.Context, rs stats.RPCStats) {
+func (h *clientStatsHandler) HandleRPC(ctx context.Context, rs stats.RPCStats) {
 	ri := getRPCInfo(ctx)
 	if ri == nil {
 		logger.Error("ctx passed into client side stats handler metrics event handling has no client attempt data present")
 		return
 	}
-	h.processRPCEvent(ctx, rs, ri.ai)
+	if h.options.isMetricsEnabled() {
+		h.processRPCEvent(ctx, rs, ri.ai)
+	}
+	if h.options.isTracingEnabled() {
+		populateSpan(rs, ri.ai)
+	}
 }
 
-func (h *clientMetricsHandler) processRPCEvent(ctx context.Context, s stats.RPCStats, ai *attemptInfo) {
+func (h *clientStatsHandler) processRPCEvent(ctx context.Context, s stats.RPCStats, ai *attemptInfo) {
 	switch st := s.(type) {
 	case *stats.Begin:
 		ci := getCallInfo(ctx)
@@ -228,7 +240,7 @@ func (h *clientMetricsHandler) processRPCEvent(ctx context.Context, s stats.RPCS
 	}
 }
 
-func (h *clientMetricsHandler) setLabelsFromPluginOption(ai *attemptInfo, incomingMetadata metadata.MD) {
+func (h *clientStatsHandler) setLabelsFromPluginOption(ai *attemptInfo, incomingMetadata metadata.MD) {
 	if ai.pluginOptionLabels == nil && h.options.MetricsOptions.pluginOption != nil {
 		labels := h.options.MetricsOptions.pluginOption.GetLabels(incomingMetadata)
 		if labels == nil {
@@ -238,7 +250,7 @@ func (h *clientMetricsHandler) setLabelsFromPluginOption(ai *attemptInfo, incomi
 	}
 }
 
-func (h *clientMetricsHandler) processRPCEnd(ctx context.Context, ai *attemptInfo, e *stats.End) {
+func (h *clientStatsHandler) processRPCEnd(ctx context.Context, ai *attemptInfo, e *stats.End) {
 	ci := getCallInfo(ctx)
 	if ci == nil {
 		logger.Error("ctx passed into client side stats handler metrics event handling has no metrics data present")
diff --git a/vendor/google.golang.org/grpc/stats/opentelemetry/client_tracing.go b/vendor/google.golang.org/grpc/stats/opentelemetry/client_tracing.go
index 868d6a2fc9c..2cc974b56cd 100644
--- a/vendor/google.golang.org/grpc/stats/opentelemetry/client_tracing.go
+++ b/vendor/google.golang.org/grpc/stats/opentelemetry/client_tracing.go
@@ -18,80 +18,21 @@ package opentelemetry
 
 import (
 	"context"
-	"log"
 	"strings"
 
-	otelcodes "go.opentelemetry.io/otel/codes"
 	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/grpc"
-	grpccodes "google.golang.org/grpc/codes"
-	"google.golang.org/grpc/stats"
 	otelinternaltracing "google.golang.org/grpc/stats/opentelemetry/internal/tracing"
-	"google.golang.org/grpc/status"
 )
 
-const (
-	delayedResolutionEventName = "Delayed name resolution complete"
-	tracerName                 = "grpc-go"
-)
-
-type clientTracingHandler struct {
-	options Options
-}
-
-func (h *clientTracingHandler) initializeTraces() {
-	if h.options.TraceOptions.TracerProvider == nil {
-		log.Printf("TracerProvider is not provided in client TraceOptions")
-		return
-	}
-}
-
-func (h *clientTracingHandler) unaryInterceptor(ctx context.Context, method string, req, reply any, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
-	ctx, _ = getOrCreateCallInfo(ctx, cc, method, opts...)
-
-	var span trace.Span
-	ctx, span = h.createCallTraceSpan(ctx, method)
-	err := invoker(ctx, method, req, reply, cc, opts...)
-	h.finishTrace(err, span)
-	return err
-}
-
-func (h *clientTracingHandler) streamInterceptor(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error) {
-	ctx, _ = getOrCreateCallInfo(ctx, cc, method, opts...)
-
-	var span trace.Span
-	ctx, span = h.createCallTraceSpan(ctx, method)
-	callback := func(err error) { h.finishTrace(err, span) }
-	opts = append([]grpc.CallOption{grpc.OnFinish(callback)}, opts...)
-	return streamer(ctx, desc, cc, method, opts...)
-}
-
-// finishTrace sets the span status based on the RPC result and ends the span.
-// It is used to finalize tracing for both unary and streaming calls.
-func (h *clientTracingHandler) finishTrace(err error, ts trace.Span) {
-	s := status.Convert(err)
-	if s.Code() == grpccodes.OK {
-		ts.SetStatus(otelcodes.Ok, s.Message())
-	} else {
-		ts.SetStatus(otelcodes.Error, s.Message())
-	}
-	ts.End()
-}
+const tracerName = "grpc-go"
 
 // traceTagRPC populates provided context with a new span using the
 // TextMapPropagator supplied in trace options and internal itracing.carrier.
 // It creates a new outgoing carrier which serializes information about this
 // span into gRPC Metadata, if TextMapPropagator is provided in the trace
 // options. if TextMapPropagator is not provided, it returns the context as is.
-func (h *clientTracingHandler) traceTagRPC(ctx context.Context, ai *attemptInfo, nameResolutionDelayed bool) (context.Context, *attemptInfo) {
-	// Add a "Delayed name resolution complete" event to the call span
-	// if there was name resolution delay. In case of multiple retry attempts,
-	// ensure that event is added only once.
-	callSpan := trace.SpanFromContext(ctx)
-	ci := getCallInfo(ctx)
-	if nameResolutionDelayed && !ci.nameResolutionEventAdded.Swap(true) && callSpan.SpanContext().IsValid() {
-		callSpan.AddEvent(delayedResolutionEventName)
-	}
+func (h *clientStatsHandler) traceTagRPC(ctx context.Context, ai *attemptInfo) (context.Context, *attemptInfo) {
 	mn := "Attempt." + strings.Replace(ai.method, "/", ".", -1)
 	tracer := h.options.TraceOptions.TracerProvider.Tracer(tracerName, trace.WithInstrumentationVersion(grpc.Version))
 	ctx, span := tracer.Start(ctx, mn)
@@ -103,34 +44,13 @@ func (h *clientTracingHandler) traceTagRPC(ctx context.Context, ai *attemptInfo,
 
 // createCallTraceSpan creates a call span to put in the provided context using
 // provided TraceProvider. If TraceProvider is nil, it returns context as is.
-func (h *clientTracingHandler) createCallTraceSpan(ctx context.Context, method string) (context.Context, trace.Span) {
-	mn := "Sent." + strings.Replace(removeLeadingSlash(method), "/", ".", -1)
+func (h *clientStatsHandler) createCallTraceSpan(ctx context.Context, method string) (context.Context, trace.Span) {
+	if h.options.TraceOptions.TracerProvider == nil {
+		logger.Error("TraceProvider is not provided in trace options")
+		return ctx, nil
+	}
+	mn := strings.Replace(removeLeadingSlash(method), "/", ".", -1)
 	tracer := h.options.TraceOptions.TracerProvider.Tracer(tracerName, trace.WithInstrumentationVersion(grpc.Version))
 	ctx, span := tracer.Start(ctx, mn, trace.WithSpanKind(trace.SpanKindClient))
 	return ctx, span
 }
-
-// TagConn exists to satisfy stats.Handler for tracing.
-func (h *clientTracingHandler) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
-	return ctx
-}
-
-// HandleConn exists to satisfy stats.Handler for tracing.
-func (h *clientTracingHandler) HandleConn(context.Context, stats.ConnStats) {}
-
-// TagRPC implements per RPC attempt context management for traces.
-func (h *clientTracingHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
-	ctx, ai := getOrCreateRPCAttemptInfo(ctx)
-	ctx, ai = h.traceTagRPC(ctx, ai, info.NameResolutionDelay)
-	return setRPCInfo(ctx, &rpcInfo{ai: ai})
-}
-
-// HandleRPC handles per RPC tracing implementation.
-func (h *clientTracingHandler) HandleRPC(ctx context.Context, rs stats.RPCStats) {
-	ri := getRPCInfo(ctx)
-	if ri == nil {
-		logger.Error("ctx passed into client side tracing handler trace event handling has no client attempt data present")
-		return
-	}
-	populateSpan(rs, ri.ai)
-}
diff --git a/vendor/google.golang.org/grpc/stats/opentelemetry/opentelemetry.go b/vendor/google.golang.org/grpc/stats/opentelemetry/opentelemetry.go
index cd01f86c498..d99169e2da6 100644
--- a/vendor/google.golang.org/grpc/stats/opentelemetry/opentelemetry.go
+++ b/vendor/google.golang.org/grpc/stats/opentelemetry/opentelemetry.go
@@ -25,7 +25,6 @@ package opentelemetry
 import (
 	"context"
 	"strings"
-	"sync/atomic"
 	"time"
 
 	otelattribute "go.opentelemetry.io/otel/attribute"
@@ -118,23 +117,10 @@ type MetricsOptions struct {
 // MeterProvider. If the passed in Meter Provider does not have the view
 // configured for an individual metric turned on, the API call in this component
 // will create a default view for that metric.
-//
-// For the traces supported by this instrumentation code, provide an
-// implementation of a TextMapPropagator and OpenTelemetry TracerProvider.
 func DialOption(o Options) grpc.DialOption {
-	var metricsOpts, tracingOpts []grpc.DialOption
-
-	if o.isMetricsEnabled() {
-		metricsHandler := &clientMetricsHandler{options: o}
-		metricsHandler.initializeMetrics()
-		metricsOpts = append(metricsOpts, grpc.WithChainUnaryInterceptor(metricsHandler.unaryInterceptor), grpc.WithChainStreamInterceptor(metricsHandler.streamInterceptor), grpc.WithStatsHandler(metricsHandler))
-	}
-	if o.isTracingEnabled() {
-		tracingHandler := &clientTracingHandler{options: o}
-		tracingHandler.initializeTraces()
-		tracingOpts = append(tracingOpts, grpc.WithChainUnaryInterceptor(tracingHandler.unaryInterceptor), grpc.WithChainStreamInterceptor(tracingHandler.streamInterceptor), grpc.WithStatsHandler(tracingHandler))
-	}
-	return joinDialOptions(append(metricsOpts, tracingOpts...)...)
+	csh := &clientStatsHandler{options: o}
+	csh.initializeMetrics()
+	return joinDialOptions(grpc.WithChainUnaryInterceptor(csh.unaryInterceptor), grpc.WithChainStreamInterceptor(csh.streamInterceptor), grpc.WithStatsHandler(csh))
 }
 
 var joinServerOptions = internal.JoinServerOptions.(func(...grpc.ServerOption) grpc.ServerOption)
@@ -151,23 +137,10 @@ var joinServerOptions = internal.JoinServerOptions.(func(...grpc.ServerOption) g
 // MeterProvider. If the passed in Meter Provider does not have the view
 // configured for an individual metric turned on, the API call in this component
 // will create a default view for that metric.
-//
-// For the traces supported by this instrumentation code, provide an
-// implementation of a TextMapPropagator and OpenTelemetry TracerProvider.
 func ServerOption(o Options) grpc.ServerOption {
-	var metricsOpts, tracingOpts []grpc.ServerOption
-
-	if o.isMetricsEnabled() {
-		metricsHandler := &serverMetricsHandler{options: o}
-		metricsHandler.initializeMetrics()
-		metricsOpts = append(metricsOpts, grpc.ChainUnaryInterceptor(metricsHandler.unaryInterceptor), grpc.ChainStreamInterceptor(metricsHandler.streamInterceptor), grpc.StatsHandler(metricsHandler))
-	}
-	if o.isTracingEnabled() {
-		tracingHandler := &serverTracingHandler{options: o}
-		tracingHandler.initializeTraces()
-		tracingOpts = append(tracingOpts, grpc.StatsHandler(tracingHandler))
-	}
-	return joinServerOptions(append(metricsOpts, tracingOpts...)...)
+	ssh := &serverStatsHandler{options: o}
+	ssh.initializeMetrics()
+	return joinServerOptions(grpc.ChainUnaryInterceptor(ssh.unaryInterceptor), grpc.ChainStreamInterceptor(ssh.streamInterceptor), grpc.StatsHandler(ssh))
 }
 
 // callInfo is information pertaining to the lifespan of the RPC client side.
@@ -175,10 +148,6 @@ type callInfo struct {
 	target string
 
 	method string
-
-	// nameResolutionEventAdded is set when the resolver delay trace event
-	// is added. Prevents duplicate events, since it is reported per-attempt.
-	nameResolutionEventAdded atomic.Bool
 }
 
 type callInfoKey struct{}
diff --git a/vendor/google.golang.org/grpc/stats/opentelemetry/server_metrics.go b/vendor/google.golang.org/grpc/stats/opentelemetry/server_metrics.go
index a02fc33b945..2976dc49097 100644
--- a/vendor/google.golang.org/grpc/stats/opentelemetry/server_metrics.go
+++ b/vendor/google.golang.org/grpc/stats/opentelemetry/server_metrics.go
@@ -21,24 +21,24 @@ import (
 	"sync/atomic"
 	"time"
 
-	otelattribute "go.opentelemetry.io/otel/attribute"
-	otelmetric "go.opentelemetry.io/otel/metric"
-
 	"google.golang.org/grpc"
 	estats "google.golang.org/grpc/experimental/stats"
 	"google.golang.org/grpc/internal"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/stats"
 	"google.golang.org/grpc/status"
+
+	otelattribute "go.opentelemetry.io/otel/attribute"
+	otelmetric "go.opentelemetry.io/otel/metric"
 )
 
-type serverMetricsHandler struct {
+type serverStatsHandler struct {
 	estats.MetricsRecorder
 	options       Options
 	serverMetrics serverMetrics
 }
 
-func (h *serverMetricsHandler) initializeMetrics() {
+func (h *serverStatsHandler) initializeMetrics() {
 	// Will set no metrics to record, logically making this stats handler a
 	// no-op.
 	if h.options.MetricsOptions.MeterProvider == nil {
@@ -90,12 +90,13 @@ func (s *attachLabelsTransportStream) SendHeader(md metadata.MD) error {
 	return s.ServerTransportStream.SendHeader(md)
 }
 
-func (h *serverMetricsHandler) unaryInterceptor(ctx context.Context, req any, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
+func (h *serverStatsHandler) unaryInterceptor(ctx context.Context, req any, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
 	var metadataExchangeLabels metadata.MD
 	if h.options.MetricsOptions.pluginOption != nil {
 		metadataExchangeLabels = h.options.MetricsOptions.pluginOption.GetMetadata()
 	}
 
+	// - Server-side: The first stats event after the RPC request is received.
 	sts := grpc.ServerTransportStreamFromContext(ctx)
 
 	alts := &attachLabelsTransportStream{
@@ -151,7 +152,7 @@ func (s *attachLabelsStream) SendMsg(m any) error {
 	return s.ServerStream.SendMsg(m)
 }
 
-func (h *serverMetricsHandler) streamInterceptor(srv any, ss grpc.ServerStream, _ *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+func (h *serverStatsHandler) streamInterceptor(srv any, ss grpc.ServerStream, _ *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
 	var metadataExchangeLabels metadata.MD
 	if h.options.MetricsOptions.pluginOption != nil {
 		metadataExchangeLabels = h.options.MetricsOptions.pluginOption.GetMetadata()
@@ -171,15 +172,15 @@ func (h *serverMetricsHandler) streamInterceptor(srv any, ss grpc.ServerStream,
 }
 
 // TagConn exists to satisfy stats.Handler.
-func (h *serverMetricsHandler) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
+func (h *serverStatsHandler) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
 	return ctx
 }
 
 // HandleConn exists to satisfy stats.Handler.
-func (h *serverMetricsHandler) HandleConn(context.Context, stats.ConnStats) {}
+func (h *serverStatsHandler) HandleConn(context.Context, stats.ConnStats) {}
 
-// TagRPC implements per RPC context management for metrics.
-func (h *serverMetricsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
+// TagRPC implements per RPC context management.
+func (h *serverStatsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInfo) context.Context {
 	method := info.FullMethodName
 	if h.options.MetricsOptions.MethodAttributeFilter != nil {
 		if !h.options.MetricsOptions.MethodAttributeFilter(method) {
@@ -196,24 +197,35 @@ func (h *serverMetricsHandler) TagRPC(ctx context.Context, info *stats.RPCTagInf
 			method = "other"
 		}
 	}
-	ctx, ai := getOrCreateRPCAttemptInfo(ctx)
-	ai.startTime = time.Now()
-	ai.method = removeLeadingSlash(method)
 
-	return setRPCInfo(ctx, &rpcInfo{ai: ai})
+	ai := &attemptInfo{
+		startTime: time.Now(),
+		method:    removeLeadingSlash(method),
+	}
+	if h.options.isTracingEnabled() {
+		ctx, ai = h.traceTagRPC(ctx, ai)
+	}
+	return setRPCInfo(ctx, &rpcInfo{
+		ai: ai,
+	})
 }
 
-// HandleRPC handles per RPC stats implementation.
-func (h *serverMetricsHandler) HandleRPC(ctx context.Context, rs stats.RPCStats) {
+// HandleRPC implements per RPC tracing and stats implementation.
+func (h *serverStatsHandler) HandleRPC(ctx context.Context, rs stats.RPCStats) {
 	ri := getRPCInfo(ctx)
 	if ri == nil {
 		logger.Error("ctx passed into server side stats handler metrics event handling has no server call data present")
 		return
 	}
-	h.processRPCData(ctx, rs, ri.ai)
+	if h.options.isTracingEnabled() {
+		populateSpan(rs, ri.ai)
+	}
+	if h.options.isMetricsEnabled() {
+		h.processRPCData(ctx, rs, ri.ai)
+	}
 }
 
-func (h *serverMetricsHandler) processRPCData(ctx context.Context, s stats.RPCStats, ai *attemptInfo) {
+func (h *serverStatsHandler) processRPCData(ctx context.Context, s stats.RPCStats, ai *attemptInfo) {
 	switch st := s.(type) {
 	case *stats.InHeader:
 		if ai.pluginOptionLabels == nil && h.options.MetricsOptions.pluginOption != nil {
@@ -237,7 +249,7 @@ func (h *serverMetricsHandler) processRPCData(ctx context.Context, s stats.RPCSt
 	}
 }
 
-func (h *serverMetricsHandler) processRPCEnd(ctx context.Context, ai *attemptInfo, e *stats.End) {
+func (h *serverStatsHandler) processRPCEnd(ctx context.Context, ai *attemptInfo, e *stats.End) {
 	latency := float64(time.Since(ai.startTime)) / float64(time.Second)
 	st := "OK"
 	if e.Error != nil {
diff --git a/vendor/google.golang.org/grpc/stats/opentelemetry/server_tracing.go b/vendor/google.golang.org/grpc/stats/opentelemetry/server_tracing.go
index 0e2181bf114..f04d28c52ec 100644
--- a/vendor/google.golang.org/grpc/stats/opentelemetry/server_tracing.go
+++ b/vendor/google.golang.org/grpc/stats/opentelemetry/server_tracing.go
@@ -18,33 +18,13 @@ package opentelemetry
 
 import (
 	"context"
-	"log"
 	"strings"
 
 	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/stats"
 	otelinternaltracing "google.golang.org/grpc/stats/opentelemetry/internal/tracing"
 )
 
-type serverTracingHandler struct {
-	options Options
-}
-
-func (h *serverTracingHandler) initializeTraces() {
-	if h.options.TraceOptions.TracerProvider == nil {
-		log.Printf("TracerProvider is not provided in server TraceOptions")
-		return
-	}
-}
-
-// TagRPC implements per RPC attempt context management for traces.
-func (h *serverTracingHandler) TagRPC(ctx context.Context, _ *stats.RPCTagInfo) context.Context {
-	ctx, ai := getOrCreateRPCAttemptInfo(ctx)
-	ctx, ai = h.traceTagRPC(ctx, ai)
-	return setRPCInfo(ctx, &rpcInfo{ai: ai})
-}
-
 // traceTagRPC populates context with new span data using the TextMapPropagator
 // supplied in trace options and internal itracing.Carrier. It creates a new
 // incoming carrier which extracts an existing span context (if present) by
@@ -52,8 +32,8 @@ func (h *serverTracingHandler) TagRPC(ctx context.Context, _ *stats.RPCTagInfo)
 // is set as parent of the new span otherwise new span remains the root span.
 // If TextMapPropagator is not provided in the trace options, it returns context
 // as is.
-func (h *serverTracingHandler) traceTagRPC(ctx context.Context, ai *attemptInfo) (context.Context, *attemptInfo) {
-	mn := "Recv." + strings.Replace(ai.method, "/", ".", -1)
+func (h *serverStatsHandler) traceTagRPC(ctx context.Context, ai *attemptInfo) (context.Context, *attemptInfo) {
+	mn := strings.Replace(ai.method, "/", ".", -1)
 	var span trace.Span
 	tracer := h.options.TraceOptions.TracerProvider.Tracer(tracerName, trace.WithInstrumentationVersion(grpc.Version))
 	ctx = h.options.TraceOptions.TextMapPropagator.Extract(ctx, otelinternaltracing.NewIncomingCarrier(ctx))
@@ -64,21 +44,3 @@ func (h *serverTracingHandler) traceTagRPC(ctx context.Context, ai *attemptInfo)
 	ai.traceSpan = span
 	return ctx, ai
 }
-
-// HandleRPC handles per RPC tracing implementation.
-func (h *serverTracingHandler) HandleRPC(ctx context.Context, rs stats.RPCStats) {
-	ri := getRPCInfo(ctx)
-	if ri == nil {
-		logger.Error("ctx passed into server side tracing handler trace event handling has no server call data present")
-		return
-	}
-	populateSpan(rs, ri.ai)
-}
-
-// TagConn exists to satisfy stats.Handler for tracing.
-func (h *serverTracingHandler) TagConn(ctx context.Context, _ *stats.ConnTagInfo) context.Context {
-	return ctx
-}
-
-// HandleConn exists to satisfy stats.Handler for tracing.
-func (h *serverTracingHandler) HandleConn(context.Context, stats.ConnStats) {}
diff --git a/vendor/google.golang.org/grpc/stats/opentelemetry/trace.go b/vendor/google.golang.org/grpc/stats/opentelemetry/trace.go
index efafdd0756e..cd5c23cd3b2 100644
--- a/vendor/google.golang.org/grpc/stats/opentelemetry/trace.go
+++ b/vendor/google.golang.org/grpc/stats/opentelemetry/trace.go
@@ -46,7 +46,7 @@ func populateSpan(rs stats.RPCStats, ai *attemptInfo) {
 		// correctness.
 		span.SetAttributes(
 			attribute.Bool("Client", rs.Client),
-			attribute.Bool("FailFast", rs.FailFast),
+			attribute.Bool("FailFast", rs.Client),
 			attribute.Int64("previous-rpc-attempts", int64(ai.previousRPCAttempts)),
 			attribute.Bool("transparent-retry", rs.IsTransparentRetryAttempt),
 		)
@@ -57,25 +57,19 @@ func populateSpan(rs stats.RPCStats, ai *attemptInfo) {
 	case *stats.InPayload:
 		// message id - "must be calculated as two different counters starting
 		// from one for sent messages and one for received messages."
-		attrs := []attribute.KeyValue{
+		ai.countRecvMsg++
+		span.AddEvent("Inbound compressed message", trace.WithAttributes(
 			attribute.Int64("sequence-number", int64(ai.countRecvMsg)),
 			attribute.Int64("message-size", int64(rs.Length)),
-		}
-		if rs.CompressedLength != rs.Length {
-			attrs = append(attrs, attribute.Int64("message-size-compressed", int64(rs.CompressedLength)))
-		}
-		span.AddEvent("Inbound message", trace.WithAttributes(attrs...))
-		ai.countRecvMsg++
+			attribute.Int64("message-size-compressed", int64(rs.CompressedLength)),
+		))
 	case *stats.OutPayload:
-		attrs := []attribute.KeyValue{
+		ai.countSentMsg++
+		span.AddEvent("Outbound compressed message", trace.WithAttributes(
 			attribute.Int64("sequence-number", int64(ai.countSentMsg)),
 			attribute.Int64("message-size", int64(rs.Length)),
-		}
-		if rs.CompressedLength != rs.Length {
-			attrs = append(attrs, attribute.Int64("message-size-compressed", int64(rs.CompressedLength)))
-		}
-		span.AddEvent("Outbound message", trace.WithAttributes(attrs...))
-		ai.countSentMsg++
+			attribute.Int64("message-size-compressed", int64(rs.CompressedLength)),
+		))
 	case *stats.End:
 		if rs.Error != nil {
 			s := status.Convert(rs.Error)
diff --git a/vendor/google.golang.org/grpc/stats/stats.go b/vendor/google.golang.org/grpc/stats/stats.go
index baf7740efba..6f20d2d5486 100644
--- a/vendor/google.golang.org/grpc/stats/stats.go
+++ b/vendor/google.golang.org/grpc/stats/stats.go
@@ -36,12 +36,7 @@ type RPCStats interface {
 	IsClient() bool
 }
 
-// Begin contains stats for the start of an RPC attempt.
-//
-//   - Server-side: Triggered after `InHeader`, as headers are processed
-//     before the RPC lifecycle begins.
-//   - Client-side: The first stats event recorded.
-//
+// Begin contains stats when an RPC attempt begins.
 // FailFast is only valid if this Begin is from client side.
 type Begin struct {
 	// Client is true if this Begin is from client side.
@@ -74,7 +69,7 @@ func (*PickerUpdated) IsClient() bool { return true }
 
 func (*PickerUpdated) isRPCStats() {}
 
-// InPayload contains stats about an incoming payload.
+// InPayload contains the information for an incoming payload.
 type InPayload struct {
 	// Client is true if this InPayload is from client side.
 	Client bool
@@ -103,9 +98,7 @@ func (s *InPayload) IsClient() bool { return s.Client }
 
 func (s *InPayload) isRPCStats() {}
 
-// InHeader contains stats about header reception.
-//
-// - Server-side: The first stats event after the RPC request is received.
+// InHeader contains stats when a header is received.
 type InHeader struct {
 	// Client is true if this InHeader is from client side.
 	Client bool
@@ -130,7 +123,7 @@ func (s *InHeader) IsClient() bool { return s.Client }
 
 func (s *InHeader) isRPCStats() {}
 
-// InTrailer contains stats about trailer reception.
+// InTrailer contains stats when a trailer is received.
 type InTrailer struct {
 	// Client is true if this InTrailer is from client side.
 	Client bool
@@ -146,7 +139,7 @@ func (s *InTrailer) IsClient() bool { return s.Client }
 
 func (s *InTrailer) isRPCStats() {}
 
-// OutPayload contains stats about an outgoing payload.
+// OutPayload contains the information for an outgoing payload.
 type OutPayload struct {
 	// Client is true if this OutPayload is from client side.
 	Client bool
@@ -173,10 +166,7 @@ func (s *OutPayload) IsClient() bool { return s.Client }
 
 func (s *OutPayload) isRPCStats() {}
 
-// OutHeader contains stats about header transmission.
-//
-//   - Client-side: Only occurs after 'Begin', as headers are always the first
-//     thing sent on a stream.
+// OutHeader contains stats when a header is sent.
 type OutHeader struct {
 	// Client is true if this OutHeader is from client side.
 	Client bool
@@ -199,15 +189,14 @@ func (s *OutHeader) IsClient() bool { return s.Client }
 
 func (s *OutHeader) isRPCStats() {}
 
-// OutTrailer contains stats about trailer transmission.
+// OutTrailer contains stats when a trailer is sent.
 type OutTrailer struct {
 	// Client is true if this OutTrailer is from client side.
 	Client bool
 	// WireLength is the wire length of trailer.
 	//
-	// Deprecated: This field is never set. The length is not known when this
-	// message is emitted because the trailer fields are compressed with hpack
-	// after that.
+	// Deprecated: This field is never set. The length is not known when this message is
+	// emitted because the trailer fields are compressed with hpack after that.
 	WireLength int
 	// Trailer contains the trailer metadata sent to the client. This
 	// field is only valid if this OutTrailer is from the server side.
@@ -219,7 +208,7 @@ func (s *OutTrailer) IsClient() bool { return s.Client }
 
 func (s *OutTrailer) isRPCStats() {}
 
-// End contains stats about RPC completion.
+// End contains stats when an RPC ends.
 type End struct {
 	// Client is true if this End is from client side.
 	Client bool
@@ -249,7 +238,7 @@ type ConnStats interface {
 	IsClient() bool
 }
 
-// ConnBegin contains stats about connection establishment.
+// ConnBegin contains the stats of a connection when it is established.
 type ConnBegin struct {
 	// Client is true if this ConnBegin is from client side.
 	Client bool
@@ -260,7 +249,7 @@ func (s *ConnBegin) IsClient() bool { return s.Client }
 
 func (s *ConnBegin) isConnStats() {}
 
-// ConnEnd contains stats about connection termination.
+// ConnEnd contains the stats of a connection when it ends.
 type ConnEnd struct {
 	// Client is true if this ConnEnd is from client side.
 	Client bool
diff --git a/vendor/google.golang.org/grpc/stream.go b/vendor/google.golang.org/grpc/stream.go
index d58bb6471a8..12163150ba7 100644
--- a/vendor/google.golang.org/grpc/stream.go
+++ b/vendor/google.golang.org/grpc/stream.go
@@ -101,9 +101,9 @@ type ClientStream interface {
 	// It must only be called after stream.CloseAndRecv has returned, or
 	// stream.Recv has returned a non-nil error (including io.EOF).
 	Trailer() metadata.MD
-	// CloseSend closes the send direction of the stream. This method always
-	// returns a nil error. The status of the stream may be discovered using
-	// RecvMsg. It is also not safe to call CloseSend concurrently with SendMsg.
+	// CloseSend closes the send direction of the stream. It closes the stream
+	// when non-nil error is met. It is also not safe to call CloseSend
+	// concurrently with SendMsg.
 	CloseSend() error
 	// Context returns the context for this stream.
 	//
@@ -212,15 +212,14 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	}
 	// Provide an opportunity for the first RPC to see the first service config
 	// provided by the resolver.
-	nameResolutionDelayed, err := cc.waitForResolvedAddrs(ctx)
-	if err != nil {
+	if err := cc.waitForResolvedAddrs(ctx); err != nil {
 		return nil, err
 	}
 
 	var mc serviceconfig.MethodConfig
 	var onCommit func()
 	newStream := func(ctx context.Context, done func()) (iresolver.ClientStream, error) {
-		return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, nameResolutionDelayed, opts...)
+		return newClientStreamWithParams(ctx, desc, cc, method, mc, onCommit, done, opts...)
 	}
 
 	rpcInfo := iresolver.RPCInfo{Context: ctx, Method: method}
@@ -258,7 +257,7 @@ func newClientStream(ctx context.Context, desc *StreamDesc, cc *ClientConn, meth
 	return newStream(ctx, func() {})
 }
 
-func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc serviceconfig.MethodConfig, onCommit, doneFunc func(), nameResolutionDelayed bool, opts ...CallOption) (_ iresolver.ClientStream, err error) {
+func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *ClientConn, method string, mc serviceconfig.MethodConfig, onCommit, doneFunc func(), opts ...CallOption) (_ iresolver.ClientStream, err error) {
 	callInfo := defaultCallInfo()
 	if mc.WaitForReady != nil {
 		callInfo.failFast = !*mc.WaitForReady
@@ -297,7 +296,6 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 		Method:         method,
 		ContentSubtype: callInfo.contentSubtype,
 		DoneFunc:       doneFunc,
-		Authority:      callInfo.authority,
 	}
 
 	// Set our outgoing compression according to the UseCompressor CallOption, if
@@ -323,20 +321,19 @@ func newClientStreamWithParams(ctx context.Context, desc *StreamDesc, cc *Client
 	}
 
 	cs := &clientStream{
-		callHdr:             callHdr,
-		ctx:                 ctx,
-		methodConfig:        &mc,
-		opts:                opts,
-		callInfo:            callInfo,
-		cc:                  cc,
-		desc:                desc,
-		codec:               callInfo.codec,
-		compressorV0:        compressorV0,
-		compressorV1:        compressorV1,
-		cancel:              cancel,
-		firstAttempt:        true,
-		onCommit:            onCommit,
-		nameResolutionDelay: nameResolutionDelayed,
+		callHdr:      callHdr,
+		ctx:          ctx,
+		methodConfig: &mc,
+		opts:         opts,
+		callInfo:     callInfo,
+		cc:           cc,
+		desc:         desc,
+		codec:        callInfo.codec,
+		compressorV0: compressorV0,
+		compressorV1: compressorV1,
+		cancel:       cancel,
+		firstAttempt: true,
+		onCommit:     onCommit,
 	}
 	if !cc.dopts.disableRetry {
 		cs.retryThrottler = cc.retryThrottler.Load().(*retryThrottler)
@@ -420,7 +417,7 @@ func (cs *clientStream) newAttemptLocked(isTransparent bool) (*csAttempt, error)
 	var beginTime time.Time
 	shs := cs.cc.dopts.copts.StatsHandlers
 	for _, sh := range shs {
-		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: method, FailFast: cs.callInfo.failFast, NameResolutionDelay: cs.nameResolutionDelay})
+		ctx = sh.TagRPC(ctx, &stats.RPCTagInfo{FullMethodName: method, FailFast: cs.callInfo.failFast})
 		beginTime = time.Now()
 		begin := &stats.Begin{
 			Client:                    true,
@@ -576,9 +573,6 @@ type clientStream struct {
 	onCommit         func()
 	replayBuffer     []replayOp // operations to replay on retry
 	replayBufferSize int        // current size of replayBuffer
-	// nameResolutionDelay indicates if there was a delay in the name resolution.
-	// This field is only valid on client side, it's always false on server side.
-	nameResolutionDelay bool
 }
 
 type replayOp struct {
@@ -993,7 +987,7 @@ func (cs *clientStream) RecvMsg(m any) error {
 
 func (cs *clientStream) CloseSend() error {
 	if cs.sentLast {
-		// Return a nil error on repeated calls to this method.
+		// TODO: return an error and finish the stream instead, due to API misuse?
 		return nil
 	}
 	cs.sentLast = true
@@ -1014,10 +1008,7 @@ func (cs *clientStream) CloseSend() error {
 			binlog.Log(cs.ctx, chc)
 		}
 	}
-	// We don't return an error here as we expect users to read all messages
-	// from the stream and get the RPC status from RecvMsg().  Note that
-	// SendMsg() must return an error when one occurs so the application
-	// knows to stop sending messages, but that does not apply here.
+	// We never returned an error here for reasons.
 	return nil
 }
 
@@ -1381,7 +1372,7 @@ func (as *addrConnStream) Trailer() metadata.MD {
 
 func (as *addrConnStream) CloseSend() error {
 	if as.sentLast {
-		// Return a nil error on repeated calls to this method.
+		// TODO: return an error and finish the stream instead, due to API misuse?
 		return nil
 	}
 	as.sentLast = true
diff --git a/vendor/google.golang.org/grpc/test/bufconn/bufconn.go b/vendor/google.golang.org/grpc/test/bufconn/bufconn.go
index 9f69a55b631..e6eb4feebb9 100644
--- a/vendor/google.golang.org/grpc/test/bufconn/bufconn.go
+++ b/vendor/google.golang.org/grpc/test/bufconn/bufconn.go
@@ -73,6 +73,7 @@ func (l *Listener) Close() error {
 	select {
 	case <-l.done:
 		// Already closed.
+		break
 	default:
 		close(l.done)
 	}
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go
index bd82673dc9f..32cfe4238f7 100644
--- a/vendor/google.golang.org/grpc/version.go
+++ b/vendor/google.golang.org/grpc/version.go
@@ -19,4 +19,4 @@
 package grpc
 
 // Version is the current grpc version.
-const Version = "1.73.0"
+const Version = "1.71.2"
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/cdsbalancer/cdsbalancer.go b/vendor/google.golang.org/grpc/xds/internal/balancer/cdsbalancer/cdsbalancer.go
index fa34748c882..7aff6064e9e 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/cdsbalancer/cdsbalancer.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/cdsbalancer/cdsbalancer.go
@@ -344,14 +344,10 @@ func (b *cdsBalancer) UpdateClientConnState(state balancer.ClientConnState) erro
 // ResolverError handles errors reported by the xdsResolver.
 func (b *cdsBalancer) ResolverError(err error) {
 	b.serializer.TrySchedule(func(context.Context) {
-		// Missing Listener or RouteConfiguration on the management server
-		// results in a 'resource not found' error from the xDS resolver. In
-		// these cases, we should stap watching all of the current clusters
-		// being watched.
+		// Resource not found error is reported by the resolver when the
+		// top-level cluster resource is removed by the management server.
 		if xdsresource.ErrType(err) == xdsresource.ErrorTypeResourceNotFound {
 			b.closeAllWatchers()
-			b.closeChildPolicyAndReportTF(err)
-			return
 		}
 		var root string
 		if b.lbCfg != nil {
@@ -376,22 +372,6 @@ func (b *cdsBalancer) closeAllWatchers() {
 	}
 }
 
-// closeChildPolicyAndReportTF closes the child policy, if it exists, and
-// updates the connectivity state of the channel to TransientFailure with an
-// error picker.
-//
-// Only executed in the context of a serializer callback.
-func (b *cdsBalancer) closeChildPolicyAndReportTF(err error) {
-	if b.childLB != nil {
-		b.childLB.Close()
-		b.childLB = nil
-	}
-	b.ccw.UpdateState(balancer.State{
-		ConnectivityState: connectivity.TransientFailure,
-		Picker:            base.NewErrPicker(err),
-	})
-}
-
 // Close cancels the CDS watch, closes the child policy and closes the
 // cdsBalancer.
 func (b *cdsBalancer) Close() {
@@ -430,21 +410,6 @@ func (b *cdsBalancer) ExitIdle() {
 	})
 }
 
-// Node ID needs to be manually added to errors generated in the following
-// scenarios:
-//   - resource-does-not-exist: since the xDS watch API uses a separate callback
-//     instead of returning an error value. TODO(gRFC A88): Once A88 is
-//     implemented, the xDS client will be able to add the node ID to
-//     resource-does-not-exist errors as well, and we can get rid of this
-//     special handling.
-//   - received a good update from the xDS client, but the update either contains
-//     an invalid security configuration or contains invalid aggragate cluster
-//     config.
-func (b *cdsBalancer) annotateErrorWithNodeID(err error) error {
-	nodeID := b.xdsClient.BootstrapConfig().Node().GetId()
-	return fmt.Errorf("[xDS node id: %v]: %w", nodeID, err)
-}
-
 // Handles a good Cluster update from the xDS client. Kicks off the discovery
 // mechanism generation process from the top-level cluster and if the cluster
 // graph is resolved, generates child policy config and pushes it down.
@@ -474,7 +439,7 @@ func (b *cdsBalancer) onClusterUpdate(name string, update xdsresource.ClusterUpd
 			// If the security config is invalid, for example, if the provider
 			// instance is not found in the bootstrap config, we need to put the
 			// channel in transient failure.
-			b.onClusterError(name, b.annotateErrorWithNodeID(fmt.Errorf("received Cluster resource contains invalid security config: %v", err)))
+			b.onClusterError(name, fmt.Errorf("received Cluster resource contains invalid security config: %v", err))
 			return
 		}
 	}
@@ -482,12 +447,12 @@ func (b *cdsBalancer) onClusterUpdate(name string, update xdsresource.ClusterUpd
 	clustersSeen := make(map[string]bool)
 	dms, ok, err := b.generateDMsForCluster(b.lbCfg.ClusterName, 0, nil, clustersSeen)
 	if err != nil {
-		b.onClusterError(b.lbCfg.ClusterName, b.annotateErrorWithNodeID(fmt.Errorf("failed to generate discovery mechanisms: %v", err)))
+		b.onClusterError(b.lbCfg.ClusterName, fmt.Errorf("failed to generate discovery mechanisms: %v", err))
 		return
 	}
 	if ok {
 		if len(dms) == 0 {
-			b.onClusterError(b.lbCfg.ClusterName, b.annotateErrorWithNodeID(fmt.Errorf("aggregate cluster graph has no leaf clusters")))
+			b.onClusterError(b.lbCfg.ClusterName, fmt.Errorf("aggregate cluster graph has no leaf clusters"))
 			return
 		}
 		// Child policy is built the first time we resolve the cluster graph.
@@ -542,28 +507,46 @@ func (b *cdsBalancer) onClusterUpdate(name string, update xdsresource.ClusterUpd
 	}
 }
 
-// Handles an ambient error Cluster update from the xDS client to not stop
-// using the previously seen resource.
+// Handles an error Cluster update from the xDS client. Propagates the error
+// down to the child policy if one exists, or puts the channel in
+// TRANSIENT_FAILURE.
 //
 // Only executed in the context of a serializer callback.
-func (b *cdsBalancer) onClusterAmbientError(name string, err error) {
-	b.logger.Warningf("Cluster resource %q received ambient error update: %v", name, err)
+func (b *cdsBalancer) onClusterError(name string, err error) {
+	b.logger.Warningf("Cluster resource %q received error update: %v", name, err)
 
-	if xdsresource.ErrType(err) != xdsresource.ErrorTypeConnection && b.childLB != nil {
-		// Connection errors will be sent to the child balancers directly.
-		// There's no need to forward them.
-		b.childLB.ResolverError(err)
+	if b.childLB != nil {
+		if xdsresource.ErrType(err) != xdsresource.ErrorTypeConnection {
+			// Connection errors will be sent to the child balancers directly.
+			// There's no need to forward them.
+			b.childLB.ResolverError(err)
+		}
+	} else {
+		// If child balancer was never created, fail the RPCs with
+		// errors.
+		b.ccw.UpdateState(balancer.State{
+			ConnectivityState: connectivity.TransientFailure,
+			Picker:            base.NewErrPicker(fmt.Errorf("%q: %v", name, err)),
+		})
 	}
 }
 
-// Handles an error Cluster update from the xDS client to stop using the
-// previously seen resource. Propagates the error down to the child policy
-// if one exists, and puts the channel in TRANSIENT_FAILURE.
+// Handles a resource-not-found error from the xDS client. Propagates the error
+// down to the child policy if one exists, or puts the channel in
+// TRANSIENT_FAILURE.
 //
 // Only executed in the context of a serializer callback.
-func (b *cdsBalancer) onClusterResourceError(name string, err error) {
-	b.logger.Warningf("CDS watch for resource %q reported resource error", name)
-	b.closeChildPolicyAndReportTF(err)
+func (b *cdsBalancer) onClusterResourceNotFound(name string) {
+	err := xdsresource.NewErrorf(xdsresource.ErrorTypeResourceNotFound, "resource name %q of type Cluster not found in received response", name)
+	if b.childLB != nil {
+		b.childLB.ResolverError(err)
+	} else {
+		// If child balancer was never created, fail the RPCs with errors.
+		b.ccw.UpdateState(balancer.State{
+			ConnectivityState: connectivity.TransientFailure,
+			Picker:            base.NewErrPicker(err),
+		})
+	}
 }
 
 // Generates discovery mechanisms for the cluster graph rooted at `name`. This
@@ -641,11 +624,9 @@ func (b *cdsBalancer) generateDMsForCluster(name string, depth int, dms []cluste
 		}
 	case xdsresource.ClusterTypeLogicalDNS:
 		dm = clusterresolver.DiscoveryMechanism{
-			Type:                  clusterresolver.DiscoveryMechanismTypeLogicalDNS,
-			Cluster:               cluster.ClusterName,
-			DNSHostname:           cluster.DNSHostName,
-			MaxConcurrentRequests: cluster.MaxRequests,
-			LoadReportingServer:   cluster.LRSServerConfig,
+			Type:        clusterresolver.DiscoveryMechanismTypeLogicalDNS,
+			Cluster:     cluster.ClusterName,
+			DNSHostname: cluster.DNSHostName,
 		}
 	}
 	odJSON := cluster.OutlierDetection
@@ -666,14 +647,6 @@ func (b *cdsBalancer) generateDMsForCluster(name string, depth int, dms []cluste
 	return append(dms, dm), true, nil
 }
 
-func (b *cdsBalancer) onClusterError(name string, err error) {
-	if b.childLB != nil {
-		b.onClusterAmbientError(name, err)
-	} else {
-		b.onClusterResourceError(name, err)
-	}
-}
-
 // ccWrapper wraps the balancer.ClientConn passed to the CDS balancer at
 // creation and intercepts the NewSubConn() and UpdateAddresses() call from the
 // child policy to add security configuration required by xDS credentials.
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/cdsbalancer/cluster_watcher.go b/vendor/google.golang.org/grpc/xds/internal/balancer/cdsbalancer/cluster_watcher.go
index a9adea0c804..835461d0997 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/cdsbalancer/cluster_watcher.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/cdsbalancer/cluster_watcher.go
@@ -32,19 +32,19 @@ type clusterWatcher struct {
 	parent *cdsBalancer
 }
 
-func (cw *clusterWatcher) ResourceChanged(u *xdsresource.ClusterResourceData, onDone func()) {
+func (cw *clusterWatcher) OnUpdate(u *xdsresource.ClusterResourceData, onDone xdsresource.OnDoneFunc) {
 	handleUpdate := func(context.Context) { cw.parent.onClusterUpdate(cw.name, u.Resource); onDone() }
 	cw.parent.serializer.ScheduleOr(handleUpdate, onDone)
 }
 
-func (cw *clusterWatcher) ResourceError(err error, onDone func()) {
-	handleResourceError := func(context.Context) { cw.parent.onClusterResourceError(cw.name, err); onDone() }
-	cw.parent.serializer.ScheduleOr(handleResourceError, onDone)
+func (cw *clusterWatcher) OnError(err error, onDone xdsresource.OnDoneFunc) {
+	handleError := func(context.Context) { cw.parent.onClusterError(cw.name, err); onDone() }
+	cw.parent.serializer.ScheduleOr(handleError, onDone)
 }
 
-func (cw *clusterWatcher) AmbientError(err error, onDone func()) {
-	handleError := func(context.Context) { cw.parent.onClusterAmbientError(cw.name, err); onDone() }
-	cw.parent.serializer.ScheduleOr(handleError, onDone)
+func (cw *clusterWatcher) OnResourceDoesNotExist(onDone xdsresource.OnDoneFunc) {
+	handleNotFound := func(context.Context) { cw.parent.onClusterResourceNotFound(cw.name); onDone() }
+	cw.parent.serializer.ScheduleOr(handleNotFound, onDone)
 }
 
 // watcherState groups the state associated with a clusterWatcher.
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterimpl/picker.go b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterimpl/picker.go
index 018122f2c68..cd94182fa71 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterimpl/picker.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterimpl/picker.go
@@ -139,9 +139,13 @@ func (d *picker) Pick(info balancer.PickInfo) (balancer.PickResult, error) {
 		// This OK check also covers the case err!=nil, because SubConn will be
 		// nil.
 		pr.SubConn = scw.SubConn
+		var e error
 		// If locality ID isn't found in the wrapper, an empty locality ID will
 		// be used.
-		lIDStr = scw.localityID().ToString()
+		lIDStr, e = scw.localityID().ToString()
+		if e != nil {
+			logger.Infof("failed to marshal LocalityID: %#v, loads won't be reported", scw.localityID())
+		}
 	}
 
 	if err != nil {
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/clustermanager/clustermanager.go b/vendor/google.golang.org/grpc/xds/internal/balancer/clustermanager/clustermanager.go
index e0a75afa8e9..24ad2399ddd 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/clustermanager/clustermanager.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/clustermanager/clustermanager.go
@@ -55,6 +55,7 @@ func (bb) Build(cc balancer.ClientConn, opts balancer.BuildOptions) balancer.Bal
 		Logger:                  b.logger,
 		SubBalancerCloseTimeout: time.Duration(0), // Disable caching of removed child policies
 	})
+	b.bg.Start()
 	b.logger.Infof("Created")
 	return b
 }
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/clusterresolver.go b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/clusterresolver.go
index fe5d93dbfbd..f0a8905d374 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/clusterresolver.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/clusterresolver.go
@@ -327,12 +327,7 @@ func (b *clusterResolverBalancer) run() {
 				b.handleClientConnUpdate(update)
 			case exitIdle:
 				if b.child == nil {
-					// This is not necessarily an error. The EDS/DNS watch may
-					// not have  returned a list of endpoints yet, so the child
-					// may not be built.
-					if b.logger.V(2) {
-						b.logger.Infof("xds: received ExitIdle with no child balancer")
-					}
+					b.logger.Errorf("xds: received ExitIdle with no child balancer")
 					break
 				}
 				// This implementation assumes the child balancer supports
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/configbuilder.go b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/configbuilder.go
index 72a023646a0..9a3a71c2e5c 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/configbuilder.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/configbuilder.go
@@ -23,11 +23,10 @@ import (
 	"fmt"
 	"sort"
 
-	"google.golang.org/grpc/internal/balancer/weight"
+	"google.golang.org/grpc/balancer/weightedroundrobin"
 	"google.golang.org/grpc/internal/hierarchy"
 	internalserviceconfig "google.golang.org/grpc/internal/serviceconfig"
 	"google.golang.org/grpc/resolver"
-	"google.golang.org/grpc/resolver/ringhash"
 	"google.golang.org/grpc/xds/internal"
 	"google.golang.org/grpc/xds/internal/balancer/clusterimpl"
 	"google.golang.org/grpc/xds/internal/balancer/outlierdetection"
@@ -150,11 +149,9 @@ func buildClusterImplConfigForDNS(g *nameGenerator, endpoints []resolver.Endpoin
 		retEndpoints[i].Addresses = append([]resolver.Address{}, e.Addresses...)
 	}
 	return pName, &clusterimpl.LBConfig{
-		Cluster:               mechanism.Cluster,
-		TelemetryLabels:       mechanism.TelemetryLabels,
-		ChildPolicy:           &internalserviceconfig.BalancerConfig{Name: childPolicy},
-		MaxConcurrentRequests: mechanism.MaxConcurrentRequests,
-		LoadReportingServer:   mechanism.LoadReportingServer,
+		Cluster:         mechanism.Cluster,
+		TelemetryLabels: mechanism.TelemetryLabels,
+		ChildPolicy:     &internalserviceconfig.BalancerConfig{Name: childPolicy},
 	}, retEndpoints
 }
 
@@ -257,7 +254,10 @@ func priorityLocalitiesToClusterImpl(localities []xdsresource.Locality, priority
 		if locality.Weight != 0 {
 			lw = locality.Weight
 		}
-		localityStr := locality.ID.ToString()
+		localityStr, err := locality.ID.ToString()
+		if err != nil {
+			localityStr = fmt.Sprintf("%+v", locality.ID)
+		}
 		for _, endpoint := range locality.Endpoints {
 			// Filter out all "unhealthy" endpoints (unknown and healthy are
 			// both considered to be healthy:
@@ -281,8 +281,7 @@ func priorityLocalitiesToClusterImpl(localities []xdsresource.Locality, priority
 			if endpoint.Weight != 0 {
 				ew = endpoint.Weight
 			}
-			resolverEndpoint = weight.Set(resolverEndpoint, weight.EndpointInfo{Weight: lw * ew})
-			resolverEndpoint = ringhash.SetHashKey(resolverEndpoint, endpoint.HashKey)
+			resolverEndpoint = weightedroundrobin.SetAddrInfoInEndpoint(resolverEndpoint, weightedroundrobin.AddrInfo{Weight: lw * ew})
 			retEndpoints = append(retEndpoints, resolverEndpoint)
 		}
 	}
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/resource_resolver.go b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/resource_resolver.go
index c1a656c5972..d9315c3acef 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/resource_resolver.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/resource_resolver.go
@@ -38,7 +38,7 @@ type resourceUpdate struct {
 	priorities []priorityConfig
 	// To be invoked once the update is completely processed, or is dropped in
 	// favor of a newer update.
-	onDone func()
+	onDone xdsresource.OnDoneFunc
 }
 
 // topLevelResolver is used by concrete endpointsResolver implementations for
@@ -50,7 +50,7 @@ type topLevelResolver interface {
 	// endpointsResolver implementation. The onDone callback is to be invoked
 	// once the update is completely processed, or is dropped in favor of a
 	// newer update.
-	onUpdate(onDone func())
+	onUpdate(onDone xdsresource.OnDoneFunc)
 }
 
 // endpointsResolver wraps the functionality to resolve a given resource name to
@@ -282,7 +282,7 @@ func (rr *resourceResolver) stop(closing bool) {
 // clusterresolver LB policy.
 //
 // Caller must hold rr.mu.
-func (rr *resourceResolver) generateLocked(onDone func()) {
+func (rr *resourceResolver) generateLocked(onDone xdsresource.OnDoneFunc) {
 	var ret []priorityConfig
 	for _, rDM := range rr.children {
 		u, ok := rDM.r.lastUpdate()
@@ -312,7 +312,7 @@ func (rr *resourceResolver) generateLocked(onDone func()) {
 	rr.updateChannel <- &resourceUpdate{priorities: ret, onDone: onDone}
 }
 
-func (rr *resourceResolver) onUpdate(onDone func()) {
+func (rr *resourceResolver) onUpdate(onDone xdsresource.OnDoneFunc) {
 	handleUpdate := func(context.Context) {
 		rr.mu.Lock()
 		rr.generateLocked(onDone)
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/resource_resolver_eds.go b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/resource_resolver_eds.go
index 043def95079..ddb949019ee 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/resource_resolver_eds.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/clusterresolver/resource_resolver_eds.go
@@ -75,8 +75,8 @@ func newEDSResolver(nameToWatch string, producer xdsresource.Producer, topLevelR
 	return ret
 }
 
-// ResourceChanged is invoked to report an update for the resource being watched.
-func (er *edsDiscoveryMechanism) ResourceChanged(update *xdsresource.EndpointsResourceData, onDone func()) {
+// OnUpdate is invoked to report an update for the resource being watched.
+func (er *edsDiscoveryMechanism) OnUpdate(update *xdsresource.EndpointsResourceData, onDone xdsresource.OnDoneFunc) {
 	if er.stopped.HasFired() {
 		onDone()
 		return
@@ -89,36 +89,56 @@ func (er *edsDiscoveryMechanism) ResourceChanged(update *xdsresource.EndpointsRe
 	er.topLevelResolver.onUpdate(onDone)
 }
 
-func (er *edsDiscoveryMechanism) ResourceError(err error, onDone func()) {
+func (er *edsDiscoveryMechanism) OnError(err error, onDone xdsresource.OnDoneFunc) {
 	if er.stopped.HasFired() {
 		onDone()
 		return
 	}
 
 	if er.logger.V(2) {
-		er.logger.Infof("EDS discovery mechanism for resource %q reported resource error: %v", er.nameToWatch, err)
+		er.logger.Infof("EDS discovery mechanism for resource %q reported error: %v", er.nameToWatch, err)
 	}
 
-	// Report an empty update that would result in no priority child being
+	er.mu.Lock()
+	if er.update != nil {
+		// Continue using a previously received good configuration if one
+		// exists.
+		er.mu.Unlock()
+		onDone()
+		return
+	}
+
+	// Else report an empty update that would result in no priority child being
 	// created for this discovery mechanism. This would result in the priority
 	// LB policy reporting TRANSIENT_FAILURE (as there would be no priorities or
 	// localities) if this was the only discovery mechanism, or would result in
 	// the priority LB policy using a lower priority discovery mechanism when
 	// that becomes available.
-	er.mu.Lock()
 	er.update = &xdsresource.EndpointsUpdate{}
 	er.mu.Unlock()
 
 	er.topLevelResolver.onUpdate(onDone)
 }
 
-func (er *edsDiscoveryMechanism) AmbientError(err error, onDone func()) {
+func (er *edsDiscoveryMechanism) OnResourceDoesNotExist(onDone xdsresource.OnDoneFunc) {
 	if er.stopped.HasFired() {
 		onDone()
 		return
 	}
 
 	if er.logger.V(2) {
-		er.logger.Infof("EDS discovery mechanism for resource %q reported ambient error: %v", er.nameToWatch, err)
+		er.logger.Infof("EDS discovery mechanism for resource %q reported resource-does-not-exist error", er.nameToWatch)
 	}
+
+	// Report an empty update that would result in no priority child being
+	// created for this discovery mechanism. This would result in the priority
+	// LB policy reporting TRANSIENT_FAILURE (as there would be no priorities or
+	// localities) if this was the only discovery mechanism, or would result in
+	// the priority LB policy using a lower priority discovery mechanism when
+	// that becomes available.
+	er.mu.Lock()
+	er.update = &xdsresource.EndpointsUpdate{}
+	er.mu.Unlock()
+
+	er.topLevelResolver.onUpdate(onDone)
 }
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/outlierdetection/balancer.go b/vendor/google.golang.org/grpc/xds/internal/balancer/outlierdetection/balancer.go
index bc5cea40cc1..0d60ab2e86f 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/outlierdetection/balancer.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/outlierdetection/balancer.go
@@ -68,7 +68,7 @@ func (bb) Build(cc balancer.ClientConn, bOpts balancer.BuildOptions) balancer.Ba
 		scUpdateCh:     buffer.NewUnbounded(),
 		pickerUpdateCh: buffer.NewUnbounded(),
 		channelzParent: bOpts.ChannelzParent,
-		endpoints:      resolver.NewEndpointMap[*endpointInfo](),
+		endpoints:      resolver.NewEndpointMap(),
 	}
 	b.logger = prefixLogger(b)
 	b.logger.Infof("Created")
@@ -196,7 +196,7 @@ type outlierDetectionBalancer struct {
 	// (within the context of a single goroutine).
 	mu sync.Mutex
 	// endpoints stores pointers to endpointInfo objects for each endpoint.
-	endpoints *resolver.EndpointMap[*endpointInfo]
+	endpoints *resolver.EndpointMap // endpoint -> endpointInfo
 	// addrs stores pointers to endpointInfo objects for each address. Addresses
 	// belonging to the same endpoint point to the same object.
 	addrs                 map[string]*endpointInfo
@@ -229,7 +229,8 @@ func (b *outlierDetectionBalancer) onIntervalConfig() {
 	var interval time.Duration
 	if b.timerStartTime.IsZero() {
 		b.timerStartTime = time.Now()
-		for _, epInfo := range b.endpoints.Values() {
+		for _, val := range b.endpoints.Values() {
+			epInfo := val.(*endpointInfo)
 			epInfo.callCounter.clear()
 		}
 		interval = time.Duration(b.cfg.Interval)
@@ -252,7 +253,8 @@ func (b *outlierDetectionBalancer) onNoopConfig() {
 	// do the following:"
 	// "Unset the timer start timestamp."
 	b.timerStartTime = time.Time{}
-	for _, epInfo := range b.endpoints.Values() {
+	for _, val := range b.endpoints.Values() {
+		epInfo := val.(*endpointInfo)
 		// "Uneject all currently ejected endpoints."
 		if !epInfo.latestEjectionTimestamp.IsZero() {
 			b.unejectEndpoint(epInfo)
@@ -296,7 +298,7 @@ func (b *outlierDetectionBalancer) UpdateClientConnState(s balancer.ClientConnSt
 	b.updateUnconditionally = false
 	b.cfg = lbCfg
 
-	newEndpoints := resolver.NewEndpointMap[bool]()
+	newEndpoints := resolver.NewEndpointMap()
 	for _, ep := range s.ResolverState.Endpoints {
 		newEndpoints.Set(ep, true)
 		if _, ok := b.endpoints.Get(ep); !ok {
@@ -313,7 +315,8 @@ func (b *outlierDetectionBalancer) UpdateClientConnState(s balancer.ClientConnSt
 	// populate the addrs map.
 	b.addrs = map[string]*endpointInfo{}
 	for _, ep := range s.ResolverState.Endpoints {
-		epInfo, _ := b.endpoints.Get(ep)
+		val, _ := b.endpoints.Get(ep)
+		epInfo := val.(*endpointInfo)
 		for _, addr := range ep.Addresses {
 			if _, ok := b.addrs[addr.Addr]; ok {
 				b.logger.Errorf("Endpoints contain duplicate address %q", addr.Addr)
@@ -702,7 +705,8 @@ func (b *outlierDetectionBalancer) intervalTimerAlgorithm() {
 	defer b.mu.Unlock()
 	b.timerStartTime = time.Now()
 
-	for _, epInfo := range b.endpoints.Values() {
+	for _, val := range b.endpoints.Values() {
+		epInfo := val.(*endpointInfo)
 		epInfo.callCounter.swap()
 	}
 
@@ -714,7 +718,8 @@ func (b *outlierDetectionBalancer) intervalTimerAlgorithm() {
 		b.failurePercentageAlgorithm()
 	}
 
-	for _, epInfo := range b.endpoints.Values() {
+	for _, val := range b.endpoints.Values() {
+		epInfo := val.(*endpointInfo)
 		if epInfo.latestEjectionTimestamp.IsZero() && epInfo.ejectionTimeMultiplier > 0 {
 			epInfo.ejectionTimeMultiplier--
 			continue
@@ -746,7 +751,8 @@ func (b *outlierDetectionBalancer) intervalTimerAlgorithm() {
 // Caller must hold b.mu.
 func (b *outlierDetectionBalancer) endpointsWithAtLeastRequestVolume(requestVolume uint32) []*endpointInfo {
 	var endpoints []*endpointInfo
-	for _, epInfo := range b.endpoints.Values() {
+	for _, val := range b.endpoints.Values() {
+		epInfo := val.(*endpointInfo)
 		bucket1 := epInfo.callCounter.inactiveBucket
 		rv := bucket1.numSuccesses + bucket1.numFailures
 		if rv >= requestVolume {
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/priority/balancer.go b/vendor/google.golang.org/grpc/xds/internal/balancer/priority/balancer.go
index 194e0319086..ba3fe52e5c0 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/priority/balancer.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/priority/balancer.go
@@ -71,6 +71,7 @@ func (bb) Build(cc balancer.ClientConn, bOpts balancer.BuildOptions) balancer.Ba
 		Logger:                  b.logger,
 		SubBalancerCloseTimeout: DefaultSubBalancerCloseTimeout,
 	})
+	b.bg.Start()
 	go b.run()
 	b.logger.Infof("Created")
 	return b
@@ -210,9 +211,6 @@ func (b *priorityBalancer) UpdateClientConnState(s balancer.ClientConnState) err
 }
 
 func (b *priorityBalancer) ResolverError(err error) {
-	if b.logger.V(2) {
-		b.logger.Infof("Received error from the resolver: %v", err)
-	}
 	b.bg.ResolverError(err)
 }
 
diff --git a/vendor/google.golang.org/grpc/balancer/ringhash/config.go b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/config.go
similarity index 67%
rename from vendor/google.golang.org/grpc/balancer/ringhash/config.go
rename to vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/config.go
index 65d9e8e46f0..b4afcf10013 100644
--- a/vendor/google.golang.org/grpc/balancer/ringhash/config.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/config.go
@@ -21,21 +21,27 @@ package ringhash
 import (
 	"encoding/json"
 	"fmt"
-	"strings"
 
 	"google.golang.org/grpc/internal/envconfig"
-	"google.golang.org/grpc/internal/metadata"
-	iringhash "google.golang.org/grpc/internal/ringhash"
+	"google.golang.org/grpc/serviceconfig"
 )
 
+// LBConfig is the balancer config for ring_hash balancer.
+type LBConfig struct {
+	serviceconfig.LoadBalancingConfig `json:"-"`
+
+	MinRingSize uint64 `json:"minRingSize,omitempty"`
+	MaxRingSize uint64 `json:"maxRingSize,omitempty"`
+}
+
 const (
 	defaultMinSize         = 1024
 	defaultMaxSize         = 4096
 	ringHashSizeUpperBound = 8 * 1024 * 1024 // 8M
 )
 
-func parseConfig(c json.RawMessage) (*iringhash.LBConfig, error) {
-	var cfg iringhash.LBConfig
+func parseConfig(c json.RawMessage) (*LBConfig, error) {
+	var cfg LBConfig
 	if err := json.Unmarshal(c, &cfg); err != nil {
 		return nil, err
 	}
@@ -60,18 +66,5 @@ func parseConfig(c json.RawMessage) (*iringhash.LBConfig, error) {
 	if cfg.MaxRingSize > envconfig.RingHashCap {
 		cfg.MaxRingSize = envconfig.RingHashCap
 	}
-	if !envconfig.RingHashSetRequestHashKey {
-		cfg.RequestHashHeader = ""
-	}
-	if cfg.RequestHashHeader != "" {
-		cfg.RequestHashHeader = strings.ToLower(cfg.RequestHashHeader)
-		// See rules in https://github.com/grpc/proposal/blob/master/A76-ring-hash-improvements.md#explicitly-setting-the-request-hash-key
-		if err := metadata.ValidateKey(cfg.RequestHashHeader); err != nil {
-			return nil, fmt.Errorf("invalid requestHashHeader %q: %v", cfg.RequestHashHeader, err)
-		}
-		if strings.HasSuffix(cfg.RequestHashHeader, "-bin") {
-			return nil, fmt.Errorf("invalid requestHashHeader %q: key must not end with \"-bin\"", cfg.RequestHashHeader)
-		}
-	}
 	return &cfg, nil
 }
diff --git a/vendor/google.golang.org/grpc/balancer/ringhash/logging.go b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/logging.go
similarity index 100%
rename from vendor/google.golang.org/grpc/balancer/ringhash/logging.go
rename to vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/logging.go
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/picker.go b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/picker.go
new file mode 100644
index 00000000000..fc6bf67558c
--- /dev/null
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/picker.go
@@ -0,0 +1,65 @@
+/*
+ *
+ * Copyright 2021 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package ringhash
+
+import (
+	"fmt"
+
+	"google.golang.org/grpc/balancer"
+	"google.golang.org/grpc/connectivity"
+	"google.golang.org/grpc/internal/grpclog"
+)
+
+type picker struct {
+	ring   *ring
+	logger *grpclog.PrefixLogger
+	// endpointStates is a cache of endpoint connectivity states and pickers.
+	// The ringhash balancer stores endpoint states in a `resolver.EndpointMap`,
+	// with access guarded by `ringhashBalancer.mu`. The `endpointStates` cache
+	// in the picker helps avoid locking the ringhash balancer's mutex when
+	// reading the latest state at RPC time.
+	endpointStates map[string]balancer.State // endpointState.firstAddr -> balancer.State
+}
+
+func (p *picker) Pick(info balancer.PickInfo) (balancer.PickResult, error) {
+	e := p.ring.pick(getRequestHash(info.Ctx))
+	ringSize := len(p.ring.items)
+	// Per gRFC A61, because of sticky-TF with PickFirst's auto reconnect on TF,
+	// we ignore all TF subchannels and find the first ring entry in READY,
+	// CONNECTING or IDLE.  If that entry is in IDLE, we need to initiate a
+	// connection. The idlePicker returned by the LazyLB or the new Pickfirst
+	// should do this automatically.
+	for i := 0; i < ringSize; i++ {
+		index := (e.idx + i) % ringSize
+		balState := p.balancerState(p.ring.items[index])
+		switch balState.ConnectivityState {
+		case connectivity.Ready, connectivity.Connecting, connectivity.Idle:
+			return balState.Picker.Pick(info)
+		case connectivity.TransientFailure:
+		default:
+			panic(fmt.Sprintf("Found child balancer in unknown state: %v", balState.ConnectivityState))
+		}
+	}
+	// All children are in transient failure. Return the first failure.
+	return p.balancerState(e).Picker.Pick(info)
+}
+
+func (p *picker) balancerState(e *ringEntry) balancer.State {
+	return p.endpointStates[e.firstAddr]
+}
diff --git a/vendor/google.golang.org/grpc/balancer/ringhash/ring.go b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/ring.go
similarity index 88%
rename from vendor/google.golang.org/grpc/balancer/ringhash/ring.go
rename to vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/ring.go
index d2e003494a9..c2e556bb166 100644
--- a/vendor/google.golang.org/grpc/balancer/ringhash/ring.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/ring.go
@@ -33,23 +33,23 @@ type ring struct {
 }
 
 type endpointInfo struct {
-	hashKey        string
+	firstAddr      string
 	scaledWeight   float64
 	originalWeight uint32
 }
 
 type ringEntry struct {
-	idx     int
-	hash    uint64
-	hashKey string
-	weight  uint32
+	idx       int
+	hash      uint64
+	firstAddr string
+	weight    uint32
 }
 
 // newRing creates a ring from the endpoints stored in the EndpointMap. The ring
 // size is limited by the passed in max/min.
 //
 // ring entries will be created for each endpoint, and endpoints with high
-// weight (specified by the endpoint) may have multiple entries.
+// weight (specified by the address) may have multiple entries.
 //
 // For example, for endpoints with weights {a:3, b:3, c:4}, a generated ring of
 // size 10 could be:
@@ -68,7 +68,7 @@ type ringEntry struct {
 // and first item with hash >= given hash will be returned.
 //
 // Must be called with a non-empty endpoints map.
-func newRing(endpoints *resolver.EndpointMap[*endpointState], minRingSize, maxRingSize uint64, logger *grpclog.PrefixLogger) *ring {
+func newRing(endpoints *resolver.EndpointMap, minRingSize, maxRingSize uint64, logger *grpclog.PrefixLogger) *ring {
 	if logger.V(2) {
 		logger.Infof("newRing: number of endpoints is %d, minRingSize is %d, maxRingSize is %d", endpoints.Len(), minRingSize, maxRingSize)
 	}
@@ -109,8 +109,8 @@ func newRing(endpoints *resolver.EndpointMap[*endpointState], minRingSize, maxRi
 		// updates.
 		idx := 0
 		for currentHashes < targetHashes {
-			h := xxhash.Sum64String(epInfo.hashKey + "_" + strconv.Itoa(idx))
-			items = append(items, &ringEntry{hash: h, hashKey: epInfo.hashKey, weight: epInfo.originalWeight})
+			h := xxhash.Sum64String(epInfo.firstAddr + "_" + strconv.Itoa(idx))
+			items = append(items, &ringEntry{hash: h, firstAddr: epInfo.firstAddr, weight: epInfo.originalWeight})
 			idx++
 			currentHashes++
 		}
@@ -136,24 +136,25 @@ func newRing(endpoints *resolver.EndpointMap[*endpointState], minRingSize, maxRi
 // The endpoints are sorted in ascending order to ensure consistent results.
 //
 // Must be called with a non-empty endpoints map.
-func normalizeWeights(endpoints *resolver.EndpointMap[*endpointState]) ([]endpointInfo, float64) {
+func normalizeWeights(endpoints *resolver.EndpointMap) ([]endpointInfo, float64) {
 	var weightSum uint32
 	// Since attributes are explicitly ignored in the EndpointMap key, we need
 	// to iterate over the values to get the weights.
 	endpointVals := endpoints.Values()
-	for _, epState := range endpointVals {
-		weightSum += epState.weight
+	for _, a := range endpointVals {
+		weightSum += a.(*endpointState).weight
 	}
 	ret := make([]endpointInfo, 0, endpoints.Len())
 	min := 1.0
-	for _, epState := range endpointVals {
+	for _, a := range endpointVals {
+		epState := a.(*endpointState)
 		// (*endpointState).weight is set to 1 if the weight attribute is not
 		// found on the endpoint. And since this function is guaranteed to be
 		// called with a non-empty endpoints map, weightSum is guaranteed to be
 		// non-zero. So, we need not worry about divide by zero error here.
 		nw := float64(epState.weight) / float64(weightSum)
 		ret = append(ret, endpointInfo{
-			hashKey:        epState.hashKey,
+			firstAddr:      epState.firstAddr,
 			scaledWeight:   nw,
 			originalWeight: epState.weight,
 		})
@@ -166,7 +167,7 @@ func normalizeWeights(endpoints *resolver.EndpointMap[*endpointState]) ([]endpoi
 	// where an endpoint is added and then removed, the RPCs will still pick the
 	// same old endpoint.
 	sort.Slice(ret, func(i, j int) bool {
-		return ret[i].hashKey < ret[j].hashKey
+		return ret[i].firstAddr < ret[j].firstAddr
 	})
 	return ret, min
 }
diff --git a/vendor/google.golang.org/grpc/balancer/ringhash/ringhash.go b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/ringhash.go
similarity index 78%
rename from vendor/google.golang.org/grpc/balancer/ringhash/ringhash.go
rename to vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/ringhash.go
index acd9ae3afe4..b1de5db7884 100644
--- a/vendor/google.golang.org/grpc/balancer/ringhash/ringhash.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/ringhash.go
@@ -16,23 +16,13 @@
  *
  */
 
-// Package ringhash implements the ringhash balancer. See the following
-// gRFCs for details:
-// - https://github.com/grpc/proposal/blob/master/A42-xds-ring-hash-lb-policy.md
-// - https://github.com/grpc/proposal/blob/master/A61-IPv4-IPv6-dualstack-backends.md#ring-hash
-// - https://github.com/grpc/proposal/blob/master/A76-ring-hash-improvements.md
-//
-// # Experimental
-//
-// Notice: This package is EXPERIMENTAL and may be changed or removed in a
-// later release.
+// Package ringhash implements the ringhash balancer.
 package ringhash
 
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"math/rand/v2"
 	"sort"
 	"sync"
 
@@ -41,13 +31,11 @@ import (
 	"google.golang.org/grpc/balancer/endpointsharding"
 	"google.golang.org/grpc/balancer/lazy"
 	"google.golang.org/grpc/balancer/pickfirst/pickfirstleaf"
+	"google.golang.org/grpc/balancer/weightedroundrobin"
 	"google.golang.org/grpc/connectivity"
-	"google.golang.org/grpc/internal/balancer/weight"
 	"google.golang.org/grpc/internal/grpclog"
 	"google.golang.org/grpc/internal/pretty"
-	iringhash "google.golang.org/grpc/internal/ringhash"
 	"google.golang.org/grpc/resolver"
-	"google.golang.org/grpc/resolver/ringhash"
 	"google.golang.org/grpc/serviceconfig"
 )
 
@@ -67,7 +55,7 @@ type bb struct{}
 func (bb) Build(cc balancer.ClientConn, opts balancer.BuildOptions) balancer.Balancer {
 	b := &ringhashBalancer{
 		ClientConn:     cc,
-		endpointStates: resolver.NewEndpointMap[*endpointState](),
+		endpointStates: resolver.NewEndpointMap(),
 	}
 	esOpts := endpointsharding.Options{DisableAutoReconnect: true}
 	b.child = endpointsharding.NewBalancer(b, opts, lazyPickFirstBuilder, esOpts)
@@ -95,10 +83,10 @@ type ringhashBalancer struct {
 	child  balancer.Balancer
 
 	mu                   sync.Mutex
-	config               *iringhash.LBConfig
+	config               *LBConfig
 	inhibitChildUpdates  bool
 	shouldRegenerateRing bool
-	endpointStates       *resolver.EndpointMap[*endpointState]
+	endpointStates       *resolver.EndpointMap // Map from endpoint -> *endpointState
 
 	// ring is always in sync with endpoints. When endpoints change, a new ring
 	// is generated. Note that address weights updates also regenerates the
@@ -106,18 +94,6 @@ type ringhashBalancer struct {
 	ring *ring
 }
 
-// hashKey returns the hash key to use for an endpoint. Per gRFC A61, each entry
-// in the ring is a hash of the endpoint's hash key concatenated with a
-// per-entry unique suffix.
-func hashKey(endpoint resolver.Endpoint) string {
-	if hk := ringhash.HashKey(endpoint); hk != "" {
-		return hk
-	}
-	// If no hash key is set, use the endpoint's first address as the hash key.
-	// This is the default behavior when no hash key is set.
-	return endpoint.Addresses[0].Addr
-}
-
 // UpdateState intercepts child balancer state updates. It updates the
 // per-endpoint state stored in the ring, and also the aggregated state based on
 // the child picker. It also reconciles the endpoint list. It sets
@@ -132,35 +108,37 @@ func (b *ringhashBalancer) UpdateState(state balancer.State) {
 	defer b.mu.Unlock()
 	childStates := endpointsharding.ChildStatesFromPicker(state.Picker)
 	// endpointsSet is the set converted from endpoints, used for quick lookup.
-	endpointsSet := resolver.NewEndpointMap[bool]()
+	endpointsSet := resolver.NewEndpointMap()
 
 	for _, childState := range childStates {
 		endpoint := childState.Endpoint
 		endpointsSet.Set(endpoint, true)
 		newWeight := getWeightAttribute(endpoint)
-		hk := hashKey(endpoint)
-		es, ok := b.endpointStates.Get(endpoint)
-		if !ok {
+		if val, ok := b.endpointStates.Get(endpoint); !ok {
 			es := &endpointState{
-				balancer: childState.Balancer,
-				hashKey:  hk,
-				weight:   newWeight,
-				state:    childState.State,
+				balancer:  childState.Balancer,
+				weight:    newWeight,
+				firstAddr: endpoint.Addresses[0].Addr,
+				state:     childState.State,
 			}
 			b.endpointStates.Set(endpoint, es)
 			b.shouldRegenerateRing = true
 		} else {
 			// We have seen this endpoint before and created a `endpointState`
-			// object for it. If the weight or the hash key of the endpoint has
-			// changed, update the endpoint state map with the new weight or
-			// hash key. This will be used when a new ring is created.
+			// object for it. If the weight or the first address of the endpoint
+			// has changed, update the endpoint state map with the new weight.
+			// This will be used when a new ring is created.
+			es := val.(*endpointState)
 			if oldWeight := es.weight; oldWeight != newWeight {
 				b.shouldRegenerateRing = true
 				es.weight = newWeight
 			}
-			if es.hashKey != hk {
+			if es.firstAddr != endpoint.Addresses[0].Addr {
+				// If the order of the addresses for a given endpoint change,
+				// that will change the position of the endpoint in the ring.
+				// -A61
 				b.shouldRegenerateRing = true
-				es.hashKey = hk
+				es.firstAddr = endpoint.Addresses[0].Addr
 			}
 			es.state = childState.State
 		}
@@ -183,7 +161,7 @@ func (b *ringhashBalancer) UpdateClientConnState(ccs balancer.ClientConnState) e
 		b.logger.Infof("Received update from resolver, balancer config: %+v", pretty.ToJSON(ccs.BalancerConfig))
 	}
 
-	newConfig, ok := ccs.BalancerConfig.(*iringhash.LBConfig)
+	newConfig, ok := ccs.BalancerConfig.(*LBConfig)
 	if !ok {
 		return fmt.Errorf("unexpected balancer config with type: %T", ccs.BalancerConfig)
 	}
@@ -262,11 +240,11 @@ func (b *ringhashBalancer) updatePickerLocked() {
 		// ensure `ExitIdle` is called on the same child, preventing unnecessary
 		// connections.
 		var endpointStates = make([]*endpointState, b.endpointStates.Len())
-		for i, s := range b.endpointStates.Values() {
-			endpointStates[i] = s
+		for i, val := range b.endpointStates.Values() {
+			endpointStates[i] = val.(*endpointState)
 		}
 		sort.Slice(endpointStates, func(i, j int) bool {
-			return endpointStates[i].hashKey < endpointStates[j].hashKey
+			return endpointStates[i].firstAddr < endpointStates[j].firstAddr
 		})
 		var idleBalancer balancer.ExitIdler
 		for _, es := range endpointStates {
@@ -300,6 +278,7 @@ func (b *ringhashBalancer) updatePickerLocked() {
 	} else {
 		newPicker = b.newPickerLocked()
 	}
+	b.logger.Infof("Pushing new state %v and picker %p", state, newPicker)
 	b.ClientConn.UpdateState(balancer.State{
 		ConnectivityState: state,
 		Picker:            newPicker,
@@ -320,23 +299,12 @@ func (b *ringhashBalancer) ExitIdle() {
 // over to avoid locking the mutex at RPC time. The picker should be
 // re-generated every time an endpoint state is updated.
 func (b *ringhashBalancer) newPickerLocked() *picker {
-	states := make(map[string]endpointState)
-	hasEndpointConnecting := false
-	for _, epState := range b.endpointStates.Values() {
-		// Copy the endpoint state to avoid races, since ring hash
-		// mutates the state, weight and hash key in place.
-		states[epState.hashKey] = *epState
-		if epState.state.ConnectivityState == connectivity.Connecting {
-			hasEndpointConnecting = true
-		}
-	}
-	return &picker{
-		ring:                         b.ring,
-		endpointStates:               states,
-		requestHashHeader:            b.config.RequestHashHeader,
-		hasEndpointInConnectingState: hasEndpointConnecting,
-		randUint64:                   rand.Uint64,
+	states := make(map[string]balancer.State)
+	for _, val := range b.endpointStates.Values() {
+		epState := val.(*endpointState)
+		states[epState.firstAddr] = epState.state
 	}
+	return &picker{ring: b.ring, logger: b.logger, endpointStates: states}
 }
 
 // aggregatedStateLocked returns the aggregated child balancers state
@@ -356,7 +324,8 @@ func (b *ringhashBalancer) newPickerLocked() *picker {
 // failure to failover to the lower priority.
 func (b *ringhashBalancer) aggregatedStateLocked() connectivity.State {
 	var nums [5]int
-	for _, es := range b.endpointStates.Values() {
+	for _, val := range b.endpointStates.Values() {
+		es := val.(*endpointState)
 		nums[es.state.ConnectivityState]++
 	}
 
@@ -379,13 +348,14 @@ func (b *ringhashBalancer) aggregatedStateLocked() connectivity.State {
 }
 
 // getWeightAttribute is a convenience function which returns the value of the
-// weight endpoint Attribute.
+// weight attribute stored in the BalancerAttributes field of addr, using the
+// weightedroundrobin package.
 //
 // When used in the xDS context, the weight attribute is guaranteed to be
 // non-zero. But, when used in a non-xDS context, the weight attribute could be
 // unset. A Default of 1 is used in the latter case.
 func getWeightAttribute(e resolver.Endpoint) uint32 {
-	w := weight.FromEndpoint(e).Weight
+	w := weightedroundrobin.AddrInfoFromEndpoint(e).Weight
 	if w == 0 {
 		return 1
 	}
@@ -393,13 +363,12 @@ func getWeightAttribute(e resolver.Endpoint) uint32 {
 }
 
 type endpointState struct {
-	// hashKey is the hash key of the endpoint. Per gRFC A61, each entry in the
-	// ring is an endpoint, positioned based on the hash of the endpoint's first
-	// address by default. Per gRFC A76, the hash key of an endpoint may be
-	// overridden, for example based on EDS endpoint metadata.
-	hashKey  string
-	weight   uint32
-	balancer balancer.ExitIdler
+	// firstAddr is the first address in the endpoint. Per gRFC A61, each entry
+	// in the ring is an endpoint, positioned based on the hash of the
+	// endpoint's first address.
+	firstAddr string
+	weight    uint32
+	balancer  balancer.ExitIdler
 
 	// state is updated by the balancer while receiving resolver updates from
 	// the channel and picker updates from its children. Access to it is guarded
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/util.go b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/util.go
new file mode 100644
index 00000000000..92bb3ae5b79
--- /dev/null
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/ringhash/util.go
@@ -0,0 +1,40 @@
+/*
+ *
+ * Copyright 2021 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package ringhash
+
+import "context"
+
+type clusterKey struct{}
+
+func getRequestHash(ctx context.Context) uint64 {
+	requestHash, _ := ctx.Value(clusterKey{}).(uint64)
+	return requestHash
+}
+
+// GetRequestHashForTesting returns the request hash in the context; to be used
+// for testing only.
+func GetRequestHashForTesting(ctx context.Context) uint64 {
+	return getRequestHash(ctx)
+}
+
+// SetRequestHash adds the request hash to the context for use in Ring Hash Load
+// Balancing.
+func SetRequestHash(ctx context.Context, requestHash uint64) context.Context {
+	return context.WithValue(ctx, clusterKey{}, requestHash)
+}
diff --git a/vendor/google.golang.org/grpc/xds/internal/balancer/wrrlocality/balancer.go b/vendor/google.golang.org/grpc/xds/internal/balancer/wrrlocality/balancer.go
index 065de200f40..2b289a81143 100644
--- a/vendor/google.golang.org/grpc/xds/internal/balancer/wrrlocality/balancer.go
+++ b/vendor/google.golang.org/grpc/xds/internal/balancer/wrrlocality/balancer.go
@@ -167,7 +167,11 @@ func (b *wrrLocalityBalancer) UpdateClientConnState(s balancer.ClientConnState)
 		// shouldn't happen though (this attribute that is set actually gets
 		// used to build localities in the first place), and thus don't error
 		// out, and just build a weighted target with undefined behavior.
-		locality := internal.GetLocalityID(addr).ToString()
+		locality, err := internal.GetLocalityID(addr).ToString()
+		if err != nil {
+			// Should never happen.
+			logger.Errorf("Failed to marshal LocalityID: %v, skipping this locality in weighted target")
+		}
 		ai, ok := getAddrInfo(addr)
 		if !ok {
 			return fmt.Errorf("xds_wrr_locality: missing locality weight information in address %q", addr)
diff --git a/vendor/google.golang.org/grpc/xds/internal/internal.go b/vendor/google.golang.org/grpc/xds/internal/internal.go
index 23db64a4d48..74c91952155 100644
--- a/vendor/google.golang.org/grpc/xds/internal/internal.go
+++ b/vendor/google.golang.org/grpc/xds/internal/internal.go
@@ -20,6 +20,7 @@
 package internal
 
 import (
+	"encoding/json"
 	"fmt"
 
 	"google.golang.org/grpc/resolver"
@@ -35,10 +36,14 @@ type LocalityID struct {
 	SubZone string `json:"subZone,omitempty"`
 }
 
-// ToString generates a string representation of LocalityID in the format
-// specified in gRFC A76. Not calling it String() so printf won't call it.
-func (l LocalityID) ToString() string {
-	return fmt.Sprintf("{region=%q, zone=%q, sub_zone=%q}", l.Region, l.Zone, l.SubZone)
+// ToString generates a string representation of LocalityID by marshalling it into
+// json. Not calling it String() so printf won't call it.
+func (l LocalityID) ToString() (string, error) {
+	b, err := json.Marshal(l)
+	if err != nil {
+		return "", err
+	}
+	return string(b), nil
 }
 
 // Equal allows the values to be compared by Attributes.Equal.
@@ -55,10 +60,10 @@ func (l LocalityID) Empty() bool {
 	return l.Region == "" && l.Zone == "" && l.SubZone == ""
 }
 
-// LocalityIDFromString converts a string representation of locality as
-// specified in gRFC A76, into a LocalityID struct.
+// LocalityIDFromString converts a json representation of locality, into a
+// LocalityID struct.
 func LocalityIDFromString(s string) (ret LocalityID, _ error) {
-	_, err := fmt.Sscanf(s, "{region=%q, zone=%q, sub_zone=%q}", &ret.Region, &ret.Zone, &ret.SubZone)
+	err := json.Unmarshal([]byte(s), &ret)
 	if err != nil {
 		return LocalityID{}, fmt.Errorf("%s is not a well formatted locality ID, error: %v", s, err)
 	}
diff --git a/vendor/google.golang.org/grpc/xds/internal/resolver/serviceconfig.go b/vendor/google.golang.org/grpc/xds/internal/resolver/serviceconfig.go
index 40f038b8a64..7df75465ac6 100644
--- a/vendor/google.golang.org/grpc/xds/internal/resolver/serviceconfig.go
+++ b/vendor/google.golang.org/grpc/xds/internal/resolver/serviceconfig.go
@@ -32,12 +32,12 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/internal/grpcutil"
 	iresolver "google.golang.org/grpc/internal/resolver"
-	iringhash "google.golang.org/grpc/internal/ringhash"
 	"google.golang.org/grpc/internal/serviceconfig"
 	"google.golang.org/grpc/internal/wrr"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
 	"google.golang.org/grpc/xds/internal/balancer/clustermanager"
+	"google.golang.org/grpc/xds/internal/balancer/ringhash"
 	"google.golang.org/grpc/xds/internal/httpfilter"
 	"google.golang.org/grpc/xds/internal/xdsclient/xdsresource"
 )
@@ -71,10 +71,10 @@ type xdsClusterManagerConfig struct {
 	Children map[string]xdsChildConfig `json:"children"`
 }
 
-// serviceConfigJSON produces a service config in JSON format that contains LB
-// policy config for the "xds_cluster_manager" LB policy, with entries in the
-// children map for all active clusters.
-func serviceConfigJSON(activeClusters map[string]*clusterInfo) []byte {
+// serviceConfigJSON produces a service config in JSON format representing all
+// the clusters referenced in activeClusters.  This includes clusters with zero
+// references, so they must be pruned first.
+func serviceConfigJSON(activeClusters map[string]*clusterInfo) ([]byte, error) {
 	// Generate children (all entries in activeClusters).
 	children := make(map[string]xdsChildConfig)
 	for cluster, ci := range activeClusters {
@@ -87,13 +87,11 @@ func serviceConfigJSON(activeClusters map[string]*clusterInfo) []byte {
 		),
 	}
 
-	// This is not expected to fail as we have constructed the service config by
-	// hand right above, and therefore ok to panic.
 	bs, err := json.Marshal(sc)
 	if err != nil {
-		panic(fmt.Sprintf("failed to marshal service config %+v: %v", sc, err))
+		return nil, fmt.Errorf("failed to marshal json: %v", err)
 	}
-	return bs
+	return bs, nil
 }
 
 type virtualHost struct {
@@ -125,34 +123,8 @@ func (r route) String() string {
 	return fmt.Sprintf("%s -> { clusters: %v, maxStreamDuration: %v }", r.m.String(), r.clusters, r.maxStreamDuration)
 }
 
-// stoppableConfigSelector extends the iresolver.ConfigSelector interface with a
-// stop() method. This makes it possible to swap the current config selector
-// with an erroring config selector when the LDS or RDS resource is not found on
-// the management server.
-type stoppableConfigSelector interface {
-	iresolver.ConfigSelector
-	stop()
-}
-
-// erroringConfigSelector always returns an error, with the xDS node ID included
-// in the error message. It is used to swap out the current config selector
-// when the LDS or RDS resource is not found on the management server.
-type erroringConfigSelector struct {
-	err error
-}
-
-func newErroringConfigSelector(err error, xdsNodeID string) *erroringConfigSelector {
-	return &erroringConfigSelector{err: annotateErrorWithNodeID(status.Error(codes.Unavailable, err.Error()), xdsNodeID)}
-}
-
-func (cs *erroringConfigSelector) SelectConfig(iresolver.RPCInfo) (*iresolver.RPCConfig, error) {
-	return nil, cs.err
-}
-func (cs *erroringConfigSelector) stop() {}
-
 type configSelector struct {
 	r                *xdsResolver
-	xdsNodeID        string
 	virtualHost      virtualHost
 	routes           []route
 	clusters         map[string]*clusterInfo
@@ -162,14 +134,10 @@ type configSelector struct {
 var errNoMatchedRouteFound = status.Errorf(codes.Unavailable, "no matched route was found")
 var errUnsupportedClientRouteAction = status.Errorf(codes.Unavailable, "matched route does not have a supported route action type")
 
-// annotateErrorWithNodeID annotates the given error with the provided xDS node
-// ID. This is used by the real config selector when it runs into errors, and
-// also by the erroring config selector.
-func annotateErrorWithNodeID(err error, nodeID string) error {
-	return fmt.Errorf("[xDS node id: %s]: %w", nodeID, err)
-}
-
 func (cs *configSelector) SelectConfig(rpcInfo iresolver.RPCInfo) (*iresolver.RPCConfig, error) {
+	if cs == nil {
+		return nil, status.Errorf(codes.Unavailable, "no valid clusters")
+	}
 	var rt *route
 	// Loop through routes in order and select first match.
 	for _, r := range cs.routes {
@@ -180,16 +148,16 @@ func (cs *configSelector) SelectConfig(rpcInfo iresolver.RPCInfo) (*iresolver.RP
 	}
 
 	if rt == nil || rt.clusters == nil {
-		return nil, annotateErrorWithNodeID(errNoMatchedRouteFound, cs.xdsNodeID)
+		return nil, errNoMatchedRouteFound
 	}
 
 	if rt.actionType != xdsresource.RouteActionRoute {
-		return nil, annotateErrorWithNodeID(errUnsupportedClientRouteAction, cs.xdsNodeID)
+		return nil, errUnsupportedClientRouteAction
 	}
 
 	cluster, ok := rt.clusters.Next().(*routeCluster)
 	if !ok {
-		return nil, annotateErrorWithNodeID(status.Errorf(codes.Internal, "error retrieving cluster for match: %v (%T)", cluster, cluster), cs.xdsNodeID)
+		return nil, status.Errorf(codes.Internal, "error retrieving cluster for match: %v (%T)", cluster, cluster)
 	}
 
 	// Add a ref to the selected cluster, as this RPC needs this cluster until
@@ -199,11 +167,11 @@ func (cs *configSelector) SelectConfig(rpcInfo iresolver.RPCInfo) (*iresolver.RP
 
 	interceptor, err := cs.newInterceptor(rt, cluster)
 	if err != nil {
-		return nil, annotateErrorWithNodeID(err, cs.xdsNodeID)
+		return nil, err
 	}
 
 	lbCtx := clustermanager.SetPickedCluster(rpcInfo.Context, cluster.name)
-	lbCtx = iringhash.SetXDSRequestHash(lbCtx, cs.generateHash(rpcInfo, rt.hashPolicies))
+	lbCtx = ringhash.SetRequestHash(lbCtx, cs.generateHash(rpcInfo, rt.hashPolicies))
 
 	config := &iresolver.RPCConfig{
 		// Communicate to the LB policy the chosen cluster and request hash, if Ring Hash LB policy.
diff --git a/vendor/google.golang.org/grpc/xds/internal/resolver/watch_service.go b/vendor/google.golang.org/grpc/xds/internal/resolver/watch_service.go
index e8d52d0e073..0de6604484b 100644
--- a/vendor/google.golang.org/grpc/xds/internal/resolver/watch_service.go
+++ b/vendor/google.golang.org/grpc/xds/internal/resolver/watch_service.go
@@ -36,19 +36,19 @@ func newListenerWatcher(resourceName string, parent *xdsResolver) *listenerWatch
 	return lw
 }
 
-func (l *listenerWatcher) ResourceChanged(update *xdsresource.ListenerResourceData, onDone func()) {
+func (l *listenerWatcher) OnUpdate(update *xdsresource.ListenerResourceData, onDone xdsresource.OnDoneFunc) {
 	handleUpdate := func(context.Context) { l.parent.onListenerResourceUpdate(update.Resource); onDone() }
 	l.parent.serializer.ScheduleOr(handleUpdate, onDone)
 }
 
-func (l *listenerWatcher) ResourceError(err error, onDone func()) {
+func (l *listenerWatcher) OnError(err error, onDone xdsresource.OnDoneFunc) {
 	handleError := func(context.Context) { l.parent.onListenerResourceError(err); onDone() }
 	l.parent.serializer.ScheduleOr(handleError, onDone)
 }
 
-func (l *listenerWatcher) AmbientError(err error, onDone func()) {
-	handleError := func(context.Context) { l.parent.onListenerResourceAmbientError(err); onDone() }
-	l.parent.serializer.ScheduleOr(handleError, onDone)
+func (l *listenerWatcher) OnResourceDoesNotExist(onDone xdsresource.OnDoneFunc) {
+	handleNotFound := func(context.Context) { l.parent.onListenerResourceNotFound(); onDone() }
+	l.parent.serializer.ScheduleOr(handleNotFound, onDone)
 }
 
 func (l *listenerWatcher) stop() {
@@ -68,7 +68,7 @@ func newRouteConfigWatcher(resourceName string, parent *xdsResolver) *routeConfi
 	return rw
 }
 
-func (r *routeConfigWatcher) ResourceChanged(u *xdsresource.RouteConfigResourceData, onDone func()) {
+func (r *routeConfigWatcher) OnUpdate(u *xdsresource.RouteConfigResourceData, onDone xdsresource.OnDoneFunc) {
 	handleUpdate := func(context.Context) {
 		r.parent.onRouteConfigResourceUpdate(r.resourceName, u.Resource)
 		onDone()
@@ -76,14 +76,14 @@ func (r *routeConfigWatcher) ResourceChanged(u *xdsresource.RouteConfigResourceD
 	r.parent.serializer.ScheduleOr(handleUpdate, onDone)
 }
 
-func (r *routeConfigWatcher) ResourceError(err error, onDone func()) {
+func (r *routeConfigWatcher) OnError(err error, onDone xdsresource.OnDoneFunc) {
 	handleError := func(context.Context) { r.parent.onRouteConfigResourceError(r.resourceName, err); onDone() }
 	r.parent.serializer.ScheduleOr(handleError, onDone)
 }
 
-func (r *routeConfigWatcher) AmbientError(err error, onDone func()) {
-	handleError := func(context.Context) { r.parent.onRouteConfigResourceAmbientError(r.resourceName, err); onDone() }
-	r.parent.serializer.ScheduleOr(handleError, onDone)
+func (r *routeConfigWatcher) OnResourceDoesNotExist(onDone xdsresource.OnDoneFunc) {
+	handleNotFound := func(context.Context) { r.parent.onRouteConfigResourceNotFound(r.resourceName); onDone() }
+	r.parent.serializer.ScheduleOr(handleNotFound, onDone)
 }
 
 func (r *routeConfigWatcher) stop() {
diff --git a/vendor/google.golang.org/grpc/xds/internal/resolver/xds_resolver.go b/vendor/google.golang.org/grpc/xds/internal/resolver/xds_resolver.go
index a66719d0685..dfe3fcc4e11 100644
--- a/vendor/google.golang.org/grpc/xds/internal/resolver/xds_resolver.go
+++ b/vendor/google.golang.org/grpc/xds/internal/resolver/xds_resolver.go
@@ -249,7 +249,7 @@ type xdsResolver struct {
 	// cluster that includes a ref count and load balancing configuration.
 	activeClusters map[string]*clusterInfo
 
-	curConfigSelector stoppableConfigSelector
+	curConfigSelector *configSelector
 }
 
 // ResolveNow is a no-op at this point.
@@ -281,45 +281,38 @@ func (r *xdsResolver) Close() {
 // sendNewServiceConfig prunes active clusters, generates a new service config
 // based on the current set of active clusters, and sends an update to the
 // channel with that service config and the provided config selector.  Returns
-// false if an error occurs while sending an update to the channel.
+// false if an error occurs while generating the service config and the update
+// cannot be sent.
 //
 // Only executed in the context of a serializer callback.
-func (r *xdsResolver) sendNewServiceConfig(cs stoppableConfigSelector) bool {
+func (r *xdsResolver) sendNewServiceConfig(cs *configSelector) bool {
 	// Delete entries from r.activeClusters with zero references;
 	// otherwise serviceConfigJSON will generate a config including
 	// them.
 	r.pruneActiveClusters()
 
-	errCS, ok := cs.(*erroringConfigSelector)
-	if ok && len(r.activeClusters) == 0 {
+	if cs == nil && len(r.activeClusters) == 0 {
 		// There are no clusters and we are sending a failing configSelector.
 		// Send an empty config, which picks pick-first, with no address, and
 		// puts the ClientConn into transient failure.
-		//
-		// This call to UpdateState is expected to return ErrBadResolverState
-		// since pick_first doesn't like an update with no addresses.
 		r.cc.UpdateState(resolver.State{ServiceConfig: r.cc.ParseServiceConfig("{}")})
-
-		// Send a resolver error to pick_first so that RPCs will fail with a
-		// more meaningful error, as opposed to one that says that pick_first
-		// received no addresses.
-		r.cc.ReportError(errCS.err)
 		return true
 	}
 
-	sc := serviceConfigJSON(r.activeClusters)
+	sc, err := serviceConfigJSON(r.activeClusters)
+	if err != nil {
+		// JSON marshal error; should never happen.
+		r.logger.Errorf("For Listener resource %q and RouteConfiguration resource %q, failed to marshal newly built service config: %v", r.ldsResourceName, r.rdsResourceName, err)
+		r.cc.ReportError(err)
+		return false
+	}
 	r.logger.Infof("For Listener resource %q and RouteConfiguration resource %q, generated service config: %v", r.ldsResourceName, r.rdsResourceName, pretty.FormatJSON(sc))
 
 	// Send the update to the ClientConn.
 	state := iresolver.SetConfigSelector(resolver.State{
 		ServiceConfig: r.cc.ParseServiceConfig(string(sc)),
 	}, cs)
-	if err := r.cc.UpdateState(xdsclient.SetClient(state, r.xdsClient)); err != nil {
-		if r.logger.V(2) {
-			r.logger.Infof("Channel rejected new state: %+v with error: %v", state, err)
-		}
-		return false
-	}
+	r.cc.UpdateState(xdsclient.SetClient(state, r.xdsClient))
 	return true
 }
 
@@ -328,10 +321,9 @@ func (r *xdsResolver) sendNewServiceConfig(cs stoppableConfigSelector) bool {
 // r.activeClusters for previously-unseen clusters.
 //
 // Only executed in the context of a serializer callback.
-func (r *xdsResolver) newConfigSelector() *configSelector {
+func (r *xdsResolver) newConfigSelector() (*configSelector, error) {
 	cs := &configSelector{
-		r:         r,
-		xdsNodeID: r.xdsClient.BootstrapConfig().Node().GetId(),
+		r: r,
 		virtualHost: virtualHost{
 			httpFilterConfigOverride: r.currentVirtualHost.HTTPFilterConfigOverride,
 			retryConfig:              r.currentVirtualHost.RetryConfig,
@@ -365,7 +357,11 @@ func (r *xdsResolver) newConfigSelector() *configSelector {
 		}
 		cs.routes[i].clusters = clusters
 
-		cs.routes[i].m = xdsresource.RouteToMatcher(rt)
+		var err error
+		cs.routes[i].m, err = xdsresource.RouteToMatcher(rt)
+		if err != nil {
+			return nil, err
+		}
 		cs.routes[i].actionType = rt.ActionType
 		if rt.MaxStreamDuration == nil {
 			cs.routes[i].maxStreamDuration = r.currentListener.MaxStreamDuration
@@ -385,7 +381,7 @@ func (r *xdsResolver) newConfigSelector() *configSelector {
 		atomic.AddInt32(&ci.refCount, 1)
 	}
 
-	return cs
+	return cs, nil
 }
 
 // pruneActiveClusters deletes entries in r.activeClusters with zero
@@ -441,28 +437,29 @@ func (r *xdsResolver) onResolutionComplete() {
 		return
 	}
 
-	cs := r.newConfigSelector()
+	cs, err := r.newConfigSelector()
+	if err != nil {
+		r.logger.Warningf("Failed to build a config selector for resource %q: %v", r.ldsResourceName, err)
+		r.cc.ReportError(err)
+		return
+	}
+
 	if !r.sendNewServiceConfig(cs) {
-		// Channel didn't like the update we provided (unexpected); erase
+		// JSON error creating the service config (unexpected); erase
 		// this config selector and ignore this update, continuing with
 		// the previous config selector.
 		cs.stop()
 		return
 	}
 
-	if r.curConfigSelector != nil {
-		r.curConfigSelector.stop()
-	}
+	r.curConfigSelector.stop()
 	r.curConfigSelector = cs
 }
 
 func (r *xdsResolver) applyRouteConfigUpdate(update xdsresource.RouteConfigUpdate) {
 	matchVh := xdsresource.FindBestMatchingVirtualHost(r.dataplaneAuthority, update.VirtualHosts)
 	if matchVh == nil {
-		// TODO(purnesh42h): Should this be a resource or ambient error? Note
-		// that its being called only from resource update methods when we have
-		// finished removing the previous update.
-		r.onAmbientError(fmt.Errorf("no matching virtual host found for %q", r.dataplaneAuthority))
+		r.onError(fmt.Errorf("no matching virtual host found for %q", r.dataplaneAuthority))
 		return
 	}
 	r.currentRouteConfig = update
@@ -472,12 +469,12 @@ func (r *xdsResolver) applyRouteConfigUpdate(update xdsresource.RouteConfigUpdat
 	r.onResolutionComplete()
 }
 
-// onAmbientError propagates the error up to the channel. And since this is
-// invoked only for non resource errors, we don't have to update resolver
+// onError propagates the error up to the channel. And since this is invoked
+// only for non resource-not-found errors, we don't have to update resolver
 // state and we can keep using the old config.
 //
 // Only executed in the context of a serializer callback.
-func (r *xdsResolver) onAmbientError(err error) {
+func (r *xdsResolver) onError(err error) {
 	r.cc.ReportError(err)
 }
 
@@ -485,23 +482,20 @@ func (r *xdsResolver) onAmbientError(err error) {
 // are removed.
 //
 // Only executed in the context of a serializer callback.
-func (r *xdsResolver) onResourceError(err error) {
+func (r *xdsResolver) onResourceNotFound() {
 	// We cannot remove clusters from the service config that have ongoing RPCs.
-	// Instead, what we can do is to send an erroring config selector
+	// Instead, what we can do is to send an erroring (nil) config selector
 	// along with normal service config. This will ensure that new RPCs will
 	// fail, and once the active RPCs complete, the reference counts on the
 	// clusters will come down to zero. At that point, we will send an empty
 	// service config with no addresses. This results in the pick-first
 	// LB policy being configured on the channel, and since there are no
 	// address, pick-first will put the channel in TRANSIENT_FAILURE.
-	cs := newErroringConfigSelector(err, r.xdsClient.BootstrapConfig().Node().GetId())
-	r.sendNewServiceConfig(cs)
+	r.sendNewServiceConfig(nil)
 
 	// Stop and dereference the active config selector, if one exists.
-	if r.curConfigSelector != nil {
-		r.curConfigSelector.stop()
-	}
-	r.curConfigSelector = cs
+	r.curConfigSelector.stop()
+	r.curConfigSelector = nil
 }
 
 // Only executed in the context of a serializer callback.
@@ -549,20 +543,21 @@ func (r *xdsResolver) onListenerResourceUpdate(update xdsresource.ListenerUpdate
 	r.routeConfigWatcher = newRouteConfigWatcher(r.rdsResourceName, r)
 }
 
-func (r *xdsResolver) onListenerResourceAmbientError(err error) {
+func (r *xdsResolver) onListenerResourceError(err error) {
 	if r.logger.V(2) {
-		r.logger.Infof("Received ambient error for Listener resource %q: %v", r.ldsResourceName, err)
+		r.logger.Infof("Received error for Listener resource %q: %v", r.ldsResourceName, err)
 	}
-	r.onAmbientError(err)
+	r.onError(err)
 }
 
 // Only executed in the context of a serializer callback.
-func (r *xdsResolver) onListenerResourceError(err error) {
+func (r *xdsResolver) onListenerResourceNotFound() {
 	if r.logger.V(2) {
-		r.logger.Infof("Received resource error for Listener resource %q: %v", r.ldsResourceName, err)
+		r.logger.Infof("Received resource-not-found-error for Listener resource %q", r.ldsResourceName)
 	}
 
 	r.listenerUpdateRecvd = false
+
 	if r.routeConfigWatcher != nil {
 		r.routeConfigWatcher.stop()
 	}
@@ -571,7 +566,7 @@ func (r *xdsResolver) onListenerResourceError(err error) {
 	r.routeConfigUpdateRecvd = false
 	r.routeConfigWatcher = nil
 
-	r.onResourceError(err)
+	r.onResourceNotFound()
 }
 
 // Only executed in the context of a serializer callback.
@@ -589,23 +584,23 @@ func (r *xdsResolver) onRouteConfigResourceUpdate(name string, update xdsresourc
 }
 
 // Only executed in the context of a serializer callback.
-func (r *xdsResolver) onRouteConfigResourceAmbientError(name string, err error) {
+func (r *xdsResolver) onRouteConfigResourceError(name string, err error) {
 	if r.logger.V(2) {
-		r.logger.Infof("Received ambient error for RouteConfiguration resource %q: %v", name, err)
+		r.logger.Infof("Received error for RouteConfiguration resource %q: %v", name, err)
 	}
-	r.onAmbientError(err)
+	r.onError(err)
 }
 
 // Only executed in the context of a serializer callback.
-func (r *xdsResolver) onRouteConfigResourceError(name string, err error) {
+func (r *xdsResolver) onRouteConfigResourceNotFound(name string) {
 	if r.logger.V(2) {
-		r.logger.Infof("Received resource error for RouteConfiguration resource %q: %v", name, err)
+		r.logger.Infof("Received resource-not-found-error for RouteConfiguration resource %q", name)
 	}
 
 	if r.rdsResourceName != name {
 		return
 	}
-	r.onResourceError(err)
+	r.onResourceNotFound()
 }
 
 // Only executed in the context of a serializer callback.
diff --git a/vendor/google.golang.org/grpc/xds/internal/server/listener_wrapper.go b/vendor/google.golang.org/grpc/xds/internal/server/listener_wrapper.go
index 2c32ace8ab0..09d320018ae 100644
--- a/vendor/google.golang.org/grpc/xds/internal/server/listener_wrapper.go
+++ b/vendor/google.golang.org/grpc/xds/internal/server/listener_wrapper.go
@@ -84,7 +84,6 @@ func NewListenerWrapper(params ListenerWrapperParams) net.Listener {
 		Listener:          params.Listener,
 		name:              params.ListenerResourceName,
 		xdsC:              params.XDSClient,
-		xdsNodeID:         params.XDSClient.BootstrapConfig().Node().GetId(),
 		modeCallback:      params.ModeCallback,
 		isUnspecifiedAddr: params.Listener.Addr().(*net.TCPAddr).IP.IsUnspecified(),
 		conns:             make(map[*connWrapper]bool),
@@ -117,7 +116,6 @@ type listenerWrapper struct {
 
 	name         string
 	xdsC         XDSClient
-	xdsNodeID    string
 	cancelWatch  func()
 	modeCallback ServingModeCallback
 
@@ -159,6 +157,35 @@ type listenerWrapper struct {
 	rdsHandler *rdsHandler
 }
 
+func (l *listenerWrapper) handleLDSUpdate(update xdsresource.ListenerUpdate) {
+	ilc := update.InboundListenerCfg
+	// Make sure that the socket address on the received Listener resource
+	// matches the address of the net.Listener passed to us by the user. This
+	// check is done here instead of at the XDSClient layer because of the
+	// following couple of reasons:
+	// - XDSClient cannot know the listening address of every listener in the
+	//   system, and hence cannot perform this check.
+	// - this is a very context-dependent check and only the server has the
+	//   appropriate context to perform this check.
+	//
+	// What this means is that the XDSClient has ACKed a resource which can push
+	// the server into a "not serving" mode. This is not ideal, but this is
+	// what we have decided to do.
+	if ilc.Address != l.addr || ilc.Port != l.port {
+		l.mu.Lock()
+		l.switchModeLocked(connectivity.ServingModeNotServing, fmt.Errorf("address (%s:%s) in Listener update does not match listening address: (%s:%s)", ilc.Address, ilc.Port, l.addr, l.port))
+		l.mu.Unlock()
+		return
+	}
+
+	l.pendingFilterChainManager = ilc.FilterChains
+	l.rdsHandler.updateRouteNamesToWatch(ilc.FilterChains.RouteConfigNames)
+
+	if l.rdsHandler.determineRouteConfigurationReady() {
+		l.maybeUpdateFilterChains()
+	}
+}
+
 // maybeUpdateFilterChains swaps in the pending filter chain manager to the
 // active one if the pending filter chain manager is present. If a swap occurs,
 // it also drains (gracefully stops) any connections that were accepted on the
@@ -201,14 +228,12 @@ func (l *listenerWrapper) handleRDSUpdate(routeName string, rcu rdsWatcherUpdate
 				continue
 			}
 			if rcu.err != nil && rcu.data == nil { // Either NACK before update, or resource not found triggers this conditional.
-				urc := &xdsresource.UsableRouteConfiguration{Err: rcu.err}
-				urc.NodeID = l.xdsNodeID
-				fc.UsableRouteConfiguration.Store(urc)
+				fc.UsableRouteConfiguration.Store(&xdsresource.UsableRouteConfiguration{
+					Err: rcu.err,
+				})
 				continue
 			}
-			urc := fc.ConstructUsableRouteConfiguration(*rcu.data)
-			urc.NodeID = l.xdsNodeID
-			fc.UsableRouteConfiguration.Store(urc)
+			fc.UsableRouteConfiguration.Store(fc.ConstructUsableRouteConfiguration(*rcu.data))
 		}
 	}
 	if l.rdsHandler.determineRouteConfigurationReady() {
@@ -223,21 +248,15 @@ func (l *listenerWrapper) handleRDSUpdate(routeName string, rcu rdsWatcherUpdate
 func (l *listenerWrapper) instantiateFilterChainRoutingConfigurationsLocked() {
 	for _, fc := range l.activeFilterChainManager.FilterChains() {
 		if fc.InlineRouteConfig != nil {
-			urc := fc.ConstructUsableRouteConfiguration(*fc.InlineRouteConfig)
-			urc.NodeID = l.xdsNodeID
-			fc.UsableRouteConfiguration.Store(urc) // Can't race with an RPC coming in but no harm making atomic.
+			fc.UsableRouteConfiguration.Store(fc.ConstructUsableRouteConfiguration(*fc.InlineRouteConfig)) // Can't race with an RPC coming in but no harm making atomic.
 			continue
 		} // Inline configuration constructed once here, will remain for lifetime of filter chain.
 		rcu := l.rdsHandler.updates[fc.RouteConfigName]
 		if rcu.err != nil && rcu.data == nil {
-			urc := &xdsresource.UsableRouteConfiguration{Err: rcu.err}
-			urc.NodeID = l.xdsNodeID
-			fc.UsableRouteConfiguration.Store(urc)
+			fc.UsableRouteConfiguration.Store(&xdsresource.UsableRouteConfiguration{Err: rcu.err})
 			continue
 		}
-		urc := fc.ConstructUsableRouteConfiguration(*rcu.data)
-		urc.NodeID = l.xdsNodeID
-		fc.UsableRouteConfiguration.Store(urc) // Can't race with an RPC coming in but no harm making atomic.
+		fc.UsableRouteConfiguration.Store(fc.ConstructUsableRouteConfiguration(*rcu.data)) // Can't race with an RPC coming in but no harm making atomic.
 	}
 }
 
@@ -378,6 +397,15 @@ func (l *listenerWrapper) switchModeLocked(newMode connectivity.ServingMode, err
 	}
 }
 
+func (l *listenerWrapper) onLDSResourceDoesNotExist(err error) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	l.switchModeLocked(connectivity.ServingModeNotServing, err)
+	l.activeFilterChainManager = nil
+	l.pendingFilterChainManager = nil
+	l.rdsHandler.updateRouteNamesToWatch(make(map[string]bool))
+}
+
 // ldsWatcher implements the xdsresource.ListenerWatcher interface and is
 // passed to the WatchListener API.
 type ldsWatcher struct {
@@ -386,7 +414,7 @@ type ldsWatcher struct {
 	name   string
 }
 
-func (lw *ldsWatcher) ResourceChanged(update *xdsresource.ListenerResourceData, onDone func()) {
+func (lw *ldsWatcher) OnUpdate(update *xdsresource.ListenerResourceData, onDone xdsresource.OnDoneFunc) {
 	defer onDone()
 	if lw.parent.closed.HasFired() {
 		lw.logger.Warningf("Resource %q received update: %#v after listener was closed", lw.name, update)
@@ -395,64 +423,32 @@ func (lw *ldsWatcher) ResourceChanged(update *xdsresource.ListenerResourceData,
 	if lw.logger.V(2) {
 		lw.logger.Infof("LDS watch for resource %q received update: %#v", lw.name, update.Resource)
 	}
-	l := lw.parent
-	ilc := update.Resource.InboundListenerCfg
-	// Make sure that the socket address on the received Listener resource
-	// matches the address of the net.Listener passed to us by the user. This
-	// check is done here instead of at the XDSClient layer because of the
-	// following couple of reasons:
-	// - XDSClient cannot know the listening address of every listener in the
-	//   system, and hence cannot perform this check.
-	// - this is a very context-dependent check and only the server has the
-	//   appropriate context to perform this check.
-	//
-	// What this means is that the XDSClient has ACKed a resource which can push
-	// the server into a "not serving" mode. This is not ideal, but this is
-	// what we have decided to do.
-	if ilc.Address != l.addr || ilc.Port != l.port {
-		// TODO(purnesh42h): Are there any other cases where this can be
-		// treated as an ambient error?
-		l.mu.Lock()
-		err := fmt.Errorf("[xDS node id: %v]: %w", l.xdsNodeID, fmt.Errorf("address (%s:%s) in Listener update does not match listening address: (%s:%s)", ilc.Address, ilc.Port, l.addr, l.port))
-		l.switchModeLocked(connectivity.ServingModeNotServing, err)
-		l.mu.Unlock()
-		return
-	}
-
-	l.pendingFilterChainManager = ilc.FilterChains
-	l.rdsHandler.updateRouteNamesToWatch(ilc.FilterChains.RouteConfigNames)
-
-	if l.rdsHandler.determineRouteConfigurationReady() {
-		l.maybeUpdateFilterChains()
-	}
+	lw.parent.handleLDSUpdate(update.Resource)
 }
 
-func (lw *ldsWatcher) ResourceError(err error, onDone func()) {
+func (lw *ldsWatcher) OnError(err error, onDone xdsresource.OnDoneFunc) {
 	defer onDone()
 	if lw.parent.closed.HasFired() {
-		lw.logger.Warningf("Resource %q received resource error: %v after listener was closed", lw.name, err)
+		lw.logger.Warningf("Resource %q received error: %v after listener was closed", lw.name, err)
 		return
 	}
 	if lw.logger.V(2) {
-		lw.logger.Infof("LDS watch for resource %q reported resource error: %v", lw.name, err)
+		lw.logger.Infof("LDS watch for resource %q reported error: %v", lw.name, err)
 	}
-
-	l := lw.parent
-	l.mu.Lock()
-	defer l.mu.Unlock()
-	l.switchModeLocked(connectivity.ServingModeNotServing, err)
-	l.activeFilterChainManager = nil
-	l.pendingFilterChainManager = nil
-	l.rdsHandler.updateRouteNamesToWatch(make(map[string]bool))
+	// For errors which are anything other than "resource-not-found", we
+	// continue to use the old configuration.
 }
 
-func (lw *ldsWatcher) AmbientError(err error, onDone func()) {
+func (lw *ldsWatcher) OnResourceDoesNotExist(onDone xdsresource.OnDoneFunc) {
 	defer onDone()
 	if lw.parent.closed.HasFired() {
-		lw.logger.Warningf("Resource %q received ambient error: %v after listener was closed", lw.name, err)
+		lw.logger.Warningf("Resource %q received resource-does-not-exist error after listener was closed", lw.name)
 		return
 	}
 	if lw.logger.V(2) {
-		lw.logger.Infof("LDS watch for resource %q reported ambient error: %v", lw.name, err)
+		lw.logger.Infof("LDS watch for resource %q reported resource-does-not-exist error", lw.name)
 	}
+
+	err := xdsresource.NewErrorf(xdsresource.ErrorTypeResourceNotFound, "resource name %q of type Listener not found in received response", lw.name)
+	lw.parent.onLDSResourceDoesNotExist(err)
 }
diff --git a/vendor/google.golang.org/grpc/xds/internal/server/rds_handler.go b/vendor/google.golang.org/grpc/xds/internal/server/rds_handler.go
index 4b8eb22de8d..bcd3938e6f1 100644
--- a/vendor/google.golang.org/grpc/xds/internal/server/rds_handler.go
+++ b/vendor/google.golang.org/grpc/xds/internal/server/rds_handler.go
@@ -30,9 +30,8 @@ import (
 // updates for later use and also determines whether all the rdsWatcher updates
 // needed have been received or not.
 type rdsHandler struct {
-	xdsC      XDSClient
-	xdsNodeID string
-	logger    *igrpclog.PrefixLogger
+	xdsC   XDSClient
+	logger *igrpclog.PrefixLogger
 
 	callback func(string, rdsWatcherUpdate)
 
@@ -51,15 +50,13 @@ type rdsHandler struct {
 // resources. listenerWrapper updates the list of route names to watch by
 // calling updateRouteNamesToWatch() upon receipt of new Listener configuration.
 func newRDSHandler(cb func(string, rdsWatcherUpdate), xdsC XDSClient, logger *igrpclog.PrefixLogger) *rdsHandler {
-	r := &rdsHandler{
+	return &rdsHandler{
 		xdsC:     xdsC,
 		logger:   logger,
 		callback: cb,
 		updates:  make(map[string]rdsWatcherUpdate),
 		cancels:  make(map[string]func()),
 	}
-	r.xdsNodeID = xdsC.BootstrapConfig().Node().GetId()
-	return r
 }
 
 // updateRouteNamesToWatch handles a list of route names to watch for a given
@@ -108,6 +105,21 @@ func (rh *rdsHandler) determineRouteConfigurationReady() bool {
 	return len(rh.updates) == len(rh.cancels)
 }
 
+// Must be called from an xDS Client Callback.
+func (rh *rdsHandler) handleRouteUpdate(routeName string, update rdsWatcherUpdate) {
+	rwu := rh.updates[routeName]
+
+	// Accept the new update if any of the following are true:
+	// 1. we had no valid update data.
+	// 2. the update is valid.
+	// 3. the update error is ResourceNotFound.
+	if rwu.data == nil || update.err == nil || xdsresource.ErrType(update.err) == xdsresource.ErrorTypeResourceNotFound {
+		rwu = update
+	}
+	rh.updates[routeName] = rwu
+	rh.callback(routeName, rwu)
+}
+
 // close() is meant to be called by wrapped listener when the wrapped listener
 // is closed, and it cleans up resources by canceling all the active RDS
 // watches.
@@ -135,7 +147,7 @@ type rdsWatcher struct {
 	canceled bool // eats callbacks if true
 }
 
-func (rw *rdsWatcher) ResourceChanged(update *xdsresource.RouteConfigResourceData, onDone func()) {
+func (rw *rdsWatcher) OnUpdate(update *xdsresource.RouteConfigResourceData, onDone xdsresource.OnDoneFunc) {
 	defer onDone()
 	rw.mu.Lock()
 	if rw.canceled {
@@ -146,14 +158,10 @@ func (rw *rdsWatcher) ResourceChanged(update *xdsresource.RouteConfigResourceDat
 	if rw.logger.V(2) {
 		rw.logger.Infof("RDS watch for resource %q received update: %#v", rw.routeName, update.Resource)
 	}
-
-	routeName := rw.routeName
-	rwu := rdsWatcherUpdate{data: &update.Resource}
-	rw.parent.updates[routeName] = rwu
-	rw.parent.callback(routeName, rwu)
+	rw.parent.handleRouteUpdate(rw.routeName, rdsWatcherUpdate{data: &update.Resource})
 }
 
-func (rw *rdsWatcher) ResourceError(err error, onDone func()) {
+func (rw *rdsWatcher) OnError(err error, onDone xdsresource.OnDoneFunc) {
 	defer onDone()
 	rw.mu.Lock()
 	if rw.canceled {
@@ -162,16 +170,12 @@ func (rw *rdsWatcher) ResourceError(err error, onDone func()) {
 	}
 	rw.mu.Unlock()
 	if rw.logger.V(2) {
-		rw.logger.Infof("RDS watch for resource %q reported resource error", rw.routeName)
+		rw.logger.Infof("RDS watch for resource %q reported error: %v", rw.routeName, err)
 	}
-
-	routeName := rw.routeName
-	rwu := rdsWatcherUpdate{err: err}
-	rw.parent.updates[routeName] = rwu
-	rw.parent.callback(routeName, rwu)
+	rw.parent.handleRouteUpdate(rw.routeName, rdsWatcherUpdate{err: err})
 }
 
-func (rw *rdsWatcher) AmbientError(err error, onDone func()) {
+func (rw *rdsWatcher) OnResourceDoesNotExist(onDone xdsresource.OnDoneFunc) {
 	defer onDone()
 	rw.mu.Lock()
 	if rw.canceled {
@@ -180,9 +184,8 @@ func (rw *rdsWatcher) AmbientError(err error, onDone func()) {
 	}
 	rw.mu.Unlock()
 	if rw.logger.V(2) {
-		rw.logger.Infof("RDS watch for resource %q reported ambient error: %v", rw.routeName, err)
+		rw.logger.Infof("RDS watch for resource %q reported resource-does-not-exist error: %v", rw.routeName)
 	}
-	routeName := rw.routeName
-	rwu := rw.parent.updates[routeName]
-	rw.parent.callback(routeName, rwu)
+	err := xdsresource.NewErrorf(xdsresource.ErrorTypeResourceNotFound, "resource name %q of type RouteConfiguration not found in received response", rw.routeName)
+	rw.parent.handleRouteUpdate(rw.routeName, rdsWatcherUpdate{err: err})
 }
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/authority.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/authority.go
index ec3a7352f9b..05c3e49b2ce 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/authority.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/authority.go
@@ -238,15 +238,9 @@ func (a *authority) propagateConnectivityErrorToAllWatchers(err error) {
 	for _, rType := range a.resources {
 		for _, state := range rType {
 			for watcher := range state.watchers {
-				if state.cache == nil {
-					a.watcherCallbackSerializer.TrySchedule(func(context.Context) {
-						watcher.ResourceError(xdsresource.NewErrorf(xdsresource.ErrorTypeConnection, "xds: error received from xDS stream: %v", err), func() {})
-					})
-				} else {
-					a.watcherCallbackSerializer.TrySchedule(func(context.Context) {
-						watcher.AmbientError(xdsresource.NewErrorf(xdsresource.ErrorTypeConnection, "xds: error received from xDS stream: %v", err), func() {})
-					})
-				}
+				a.watcherCallbackSerializer.TrySchedule(func(context.Context) {
+					watcher.OnError(xdsresource.NewErrorf(xdsresource.ErrorTypeConnection, "xds: error received from xDS stream: %v", err), func() {})
+				})
 			}
 		}
 	}
@@ -375,11 +369,7 @@ func (a *authority) handleADSResourceUpdate(serverConfig *bootstrap.ServerConfig
 				watcher := watcher
 				err := uErr.Err
 				watcherCnt.Add(1)
-				if state.cache == nil {
-					funcsToSchedule = append(funcsToSchedule, func(context.Context) { watcher.ResourceError(err, done) })
-				} else {
-					funcsToSchedule = append(funcsToSchedule, func(context.Context) { watcher.AmbientError(err, done) })
-				}
+				funcsToSchedule = append(funcsToSchedule, func(context.Context) { watcher.OnError(err, done) })
 			}
 			continue
 		}
@@ -406,7 +396,7 @@ func (a *authority) handleADSResourceUpdate(serverConfig *bootstrap.ServerConfig
 				watcher := watcher
 				resource := uErr.Resource
 				watcherCnt.Add(1)
-				funcsToSchedule = append(funcsToSchedule, func(context.Context) { watcher.ResourceChanged(resource, done) })
+				funcsToSchedule = append(funcsToSchedule, func(context.Context) { watcher.OnUpdate(resource, done) })
 			}
 		}
 
@@ -464,7 +454,7 @@ func (a *authority) handleADSResourceUpdate(serverConfig *bootstrap.ServerConfig
 			// `ignore_resource_deletion` server feature is enabled through the
 			// bootstrap configuration. If the resource deletion is to be
 			// ignored, the resource is not removed from the cache and the
-			// corresponding ResourceError() callback is not invoked on
+			// corresponding OnResourceDoesNotExist() callback is not invoked on
 			// the watchers.
 			if !state.deletionIgnored {
 				state.deletionIgnored = true
@@ -483,9 +473,7 @@ func (a *authority) handleADSResourceUpdate(serverConfig *bootstrap.ServerConfig
 		for watcher := range state.watchers {
 			watcher := watcher
 			watcherCnt.Add(1)
-			funcsToSchedule = append(funcsToSchedule, func(context.Context) {
-				watcher.ResourceError(xdsresource.NewErrorf(xdsresource.ErrorTypeResourceNotFound, "xds: resource %q of type %q has been removed", name, rType.TypeName()), done)
-			})
+			funcsToSchedule = append(funcsToSchedule, func(context.Context) { watcher.OnResourceDoesNotExist(done) })
 		}
 	}
 }
@@ -527,9 +515,7 @@ func (a *authority) handleADSResourceDoesNotExist(rType xdsresource.Type, resour
 	state.md = xdsresource.UpdateMetadata{Status: xdsresource.ServiceStatusNotExist}
 	for watcher := range state.watchers {
 		watcher := watcher
-		a.watcherCallbackSerializer.TrySchedule(func(context.Context) {
-			watcher.ResourceError(xdsresource.NewErrorf(xdsresource.ErrorTypeResourceNotFound, "xds: resource %q of type %q does not exist", resourceName, rType.TypeName()), func() {})
-		})
+		a.watcherCallbackSerializer.TrySchedule(func(context.Context) { watcher.OnResourceDoesNotExist(func() {}) })
 	}
 }
 
@@ -620,7 +606,7 @@ func (a *authority) watchResource(rType xdsresource.Type, resourceName string, w
 
 		xdsChannel, err := a.xdsChannelToUse()
 		if err != nil {
-			a.watcherCallbackSerializer.TrySchedule(func(context.Context) { watcher.ResourceError(err, func() {}) })
+			a.watcherCallbackSerializer.TrySchedule(func(context.Context) { watcher.OnError(err, func() {}) })
 			return
 		}
 
@@ -661,7 +647,7 @@ func (a *authority) watchResource(rType xdsresource.Type, resourceName string, w
 			// xdsClientSerializer callback. Hence making a copy of the cached
 			// resource here for watchCallbackSerializer.
 			resource := state.cache
-			a.watcherCallbackSerializer.TrySchedule(func(context.Context) { watcher.ResourceChanged(resource, func() {}) })
+			a.watcherCallbackSerializer.TrySchedule(func(context.Context) { watcher.OnUpdate(resource, func() {}) })
 		}
 		// If last update was NACK'd, notify the new watcher of error
 		// immediately as well.
@@ -673,18 +659,12 @@ func (a *authority) watchResource(rType xdsresource.Type, resourceName string, w
 			// xdsClientSerializer callback. Hence making a copy of the error
 			// here for watchCallbackSerializer.
 			err := state.md.ErrState.Err
-			if state.cache == nil {
-				a.watcherCallbackSerializer.TrySchedule(func(context.Context) { watcher.ResourceError(err, func() {}) })
-			} else {
-				a.watcherCallbackSerializer.TrySchedule(func(context.Context) { watcher.AmbientError(err, func() {}) })
-			}
+			a.watcherCallbackSerializer.TrySchedule(func(context.Context) { watcher.OnError(err, func() {}) })
 		}
 		// If the metadata field is updated to indicate that the management
 		// server does not have this resource, notify the new watcher.
 		if state.md.Status == xdsresource.ServiceStatusNotExist {
-			a.watcherCallbackSerializer.TrySchedule(func(context.Context) {
-				watcher.ResourceError(xdsresource.NewErrorf(xdsresource.ErrorTypeResourceNotFound, "xds: resource %q of type %q does not exist", resourceName, rType.TypeName()), func() {})
-			})
+			a.watcherCallbackSerializer.TrySchedule(func(context.Context) { watcher.OnResourceDoesNotExist(func() {}) })
 		}
 		cleanup = a.unwatchResource(rType, resourceName, watcher)
 	}, func() {
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/channel.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/channel.go
index 60ab9290b55..df6162ad632 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/channel.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/channel.go
@@ -287,7 +287,7 @@ func decodeResponse(opts *xdsresource.DecodeOptions, rType xdsresource.Type, res
 		perResourceErrors[name] = err
 		// Add place holder in the map so we know this resource name was in
 		// the response.
-		ret[name] = ads.DataAndErrTuple{Err: xdsresource.NewError(xdsresource.ErrorTypeNACKed, err.Error())}
+		ret[name] = ads.DataAndErrTuple{Err: err}
 	}
 
 	if len(topLevelErrors) == 0 && len(perResourceErrors) == 0 {
@@ -299,7 +299,7 @@ func decodeResponse(opts *xdsresource.DecodeOptions, rType xdsresource.Type, res
 	errRet := combineErrors(rType.TypeName(), topLevelErrors, perResourceErrors)
 	md.ErrState = &xdsresource.UpdateErrorMetadata{
 		Version:   resp.Version,
-		Err:       xdsresource.NewError(xdsresource.ErrorTypeNACKed, errRet.Error()),
+		Err:       errRet,
 		Timestamp: timestamp,
 	}
 	return ret, md, errRet
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/clientimpl.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/clientimpl.go
index d8e727e3180..966986d2fec 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/clientimpl.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/clientimpl.go
@@ -76,13 +76,6 @@ var (
 		Labels:      []string{"grpc.target", "grpc.xds.server", "grpc.xds.resource_type"},
 		Default:     false,
 	})
-	xdsClientServerFailureMetric = estats.RegisterInt64Count(estats.MetricDescriptor{
-		Name:        "grpc.xds_client.server_failure",
-		Description: "A counter of xDS servers going from healthy to unhealthy. A server goes unhealthy when we have a connectivity failure or when the ADS stream fails without seeing a response message, as per gRFC A57.",
-		Unit:        "failure",
-		Labels:      []string{"grpc.target", "grpc.xds.server"},
-		Default:     false,
-	})
 )
 
 // clientImpl is the real implementation of the xDS client. The exported Client
@@ -424,10 +417,6 @@ func (cs *channelState) adsStreamFailure(err error) {
 		return
 	}
 
-	if xdsresource.ErrType(err) != xdsresource.ErrTypeStreamFailedAfterRecv {
-		xdsClientServerFailureMetric.Record(cs.parent.metricsRecorder, 1, cs.parent.target, cs.serverConfig.ServerURI())
-	}
-
 	cs.parent.channelsMu.Lock()
 	defer cs.parent.channelsMu.Unlock()
 	for authority := range cs.interestedAuthorities {
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/clientimpl_watchers.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/clientimpl_watchers.go
index 2cce17b05a2..cc8e0849598 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/clientimpl_watchers.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/clientimpl_watchers.go
@@ -33,12 +33,8 @@ type wrappingWatcher struct {
 	nodeID string
 }
 
-func (w *wrappingWatcher) ResourceError(err error, done func()) {
-	w.ResourceWatcher.ResourceError(fmt.Errorf("[xDS node id: %v]: %w", w.nodeID, err), done)
-}
-
-func (w *wrappingWatcher) AmbientError(err error, done func()) {
-	w.ResourceWatcher.AmbientError(fmt.Errorf("[xDS node id: %v]: %w", w.nodeID, err), done)
+func (w *wrappingWatcher) OnError(err error, done xdsresource.OnDoneFunc) {
+	w.ResourceWatcher.OnError(fmt.Errorf("[xDS node id: %v]: %v", w.nodeID, err), done)
 }
 
 // WatchResource uses xDS to discover the resource associated with the provided
@@ -64,8 +60,8 @@ func (c *clientImpl) WatchResource(rType xdsresource.Type, resourceName string,
 	}
 
 	if err := c.resourceTypes.maybeRegister(rType); err != nil {
-		logger.Warningf("Watch registered for type %q, which is already registered", rType.TypeName())
-		c.serializer.TrySchedule(func(context.Context) { watcher.ResourceError(err, func() {}) })
+		logger.Warningf("Watch registered for name %q of type %q which is already registered", rType.TypeName(), resourceName)
+		c.serializer.TrySchedule(func(context.Context) { watcher.OnError(err, func() {}) })
 		return func() {}
 	}
 
@@ -73,7 +69,7 @@ func (c *clientImpl) WatchResource(rType xdsresource.Type, resourceName string,
 	a := c.getAuthorityForResource(n)
 	if a == nil {
 		logger.Warningf("Watch registered for name %q of type %q, authority %q is not found", rType.TypeName(), resourceName, n.Authority)
-		watcher.ResourceError(fmt.Errorf("authority %q not found in bootstrap config for resource %q", n.Authority, resourceName), func() {})
+		watcher.OnError(fmt.Errorf("authority %q not found in bootstrap config for resource %q", n.Authority, resourceName), func() {})
 		return func() {}
 	}
 	// The watchResource method on the authority is invoked with n.String()
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/transport/ads/ads_stream.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/transport/ads/ads_stream.go
index fc41b38edad..bf7510058c5 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/transport/ads/ads_stream.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/transport/ads/ads_stream.go
@@ -664,7 +664,7 @@ func (s *StreamImpl) onError(err error, msgReceived bool) {
 	// connection hitting its max connection age limit.
 	// (see [gRFC A9](https://github.com/grpc/proposal/blob/master/A9-server-side-conn-mgt.md)).
 	if msgReceived {
-		err = xdsresource.NewError(xdsresource.ErrTypeStreamFailedAfterRecv, err.Error())
+		err = xdsresource.NewErrorf(xdsresource.ErrTypeStreamFailedAfterRecv, "%s", err.Error())
 	}
 
 	s.eventHandler.OnADSStreamError(err)
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/transport/lrs/lrs_stream.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/transport/lrs/lrs_stream.go
index 7260816b671..e33ac694df0 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/transport/lrs/lrs_stream.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/transport/lrs/lrs_stream.go
@@ -241,11 +241,11 @@ func (lrs *StreamImpl) recvFirstLoadStatsResponse(stream transport.StreamingCall
 		lrs.logger.Infof("Received first LoadStatsResponse: %s", pretty.ToJSON(resp))
 	}
 
-	interval := resp.GetLoadReportingInterval()
-	if err := interval.CheckValid(); err != nil {
+	internal := resp.GetLoadReportingInterval()
+	if internal.CheckValid() != nil {
 		return nil, 0, fmt.Errorf("lrs: invalid load_reporting_interval: %v", err)
 	}
-	loadReportingInterval := interval.AsDuration()
+	loadReportingInterval := internal.AsDuration()
 
 	clusters := resp.Clusters
 	if resp.SendAllClusters {
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdslbregistry/converter/converter.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdslbregistry/converter/converter.go
index f0d064c679a..3c48f1bdea3 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdslbregistry/converter/converter.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdslbregistry/converter/converter.go
@@ -30,12 +30,11 @@ import (
 	"google.golang.org/grpc/balancer"
 	"google.golang.org/grpc/balancer/leastrequest"
 	"google.golang.org/grpc/balancer/pickfirst"
-	"google.golang.org/grpc/balancer/ringhash"
 	"google.golang.org/grpc/balancer/roundrobin"
 	"google.golang.org/grpc/balancer/weightedroundrobin"
 	"google.golang.org/grpc/internal/envconfig"
-	iringhash "google.golang.org/grpc/internal/ringhash"
 	internalserviceconfig "google.golang.org/grpc/internal/serviceconfig"
+	"google.golang.org/grpc/xds/internal/balancer/ringhash"
 	"google.golang.org/grpc/xds/internal/balancer/wrrlocality"
 	"google.golang.org/grpc/xds/internal/xdsclient/xdslbregistry"
 	"google.golang.org/protobuf/proto"
@@ -84,7 +83,7 @@ func convertRingHashProtoToServiceConfig(rawProto []byte, _ int) (json.RawMessag
 		maxSize = max.GetValue()
 	}
 
-	rhCfg := &iringhash.LBConfig{
+	rhCfg := &ringhash.LBConfig{
 		MinRingSize: minSize,
 		MaxRingSize: maxSize,
 	}
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdslbregistry/xdslbregistry.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdslbregistry/xdslbregistry.go
index 88ee9fab7a9..a7782709d46 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdslbregistry/xdslbregistry.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdslbregistry/xdslbregistry.go
@@ -69,6 +69,8 @@ func ConvertToServiceConfig(lbPolicy *v3clusterpb.LoadBalancingPolicy, depth int
 		converter := m[policy.GetTypedExtensionConfig().GetTypedConfig().GetTypeUrl()]
 		// "Any entry not in the above list is unsupported and will be skipped."
 		// - A52
+		// This includes Least Request as well, since grpc-go does not support
+		// the Least Request Load Balancing Policy.
 		if converter == nil {
 			continue
 		}
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/cluster_resource_type.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/cluster_resource_type.go
index 3d85c31ff43..8e9375fcbbe 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/cluster_resource_type.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/cluster_resource_type.go
@@ -108,40 +108,41 @@ func (c *ClusterResourceData) Raw() *anypb.Any {
 }
 
 // ClusterWatcher wraps the callbacks to be invoked for different events
-// corresponding to the cluster resource being watched. gRFC A88 contains an
-// exhaustive list of what method is invoked under what conditions.
+// corresponding to the cluster resource being watched.
 type ClusterWatcher interface {
-	// ResourceChanged indicates a new version of the resource is available.
-	ResourceChanged(resource *ClusterResourceData, done func())
-
-	// ResourceError indicates an error occurred while trying to fetch or
-	// decode the associated resource. The previous version of the resource
-	// should be considered invalid.
-	ResourceError(err error, done func())
-
-	// AmbientError indicates an error occurred after a resource has been
-	// received that should not modify the use of that resource but may provide
-	// useful information about the state of the XDSClient for debugging
-	// purposes. The previous version of the resource should still be
-	// considered valid.
-	AmbientError(err error, done func())
+	// OnUpdate is invoked to report an update for the resource being watched.
+	OnUpdate(*ClusterResourceData, OnDoneFunc)
+
+	// OnError is invoked under different error conditions including but not
+	// limited to the following:
+	//	- authority mentioned in the resource is not found
+	//	- resource name parsing error
+	//	- resource deserialization error
+	//	- resource validation error
+	//	- ADS stream failure
+	//	- connection failure
+	OnError(error, OnDoneFunc)
+
+	// OnResourceDoesNotExist is invoked for a specific error condition where
+	// the requested resource is not found on the xDS management server.
+	OnResourceDoesNotExist(OnDoneFunc)
 }
 
 type delegatingClusterWatcher struct {
 	watcher ClusterWatcher
 }
 
-func (d *delegatingClusterWatcher) ResourceChanged(data ResourceData, onDone func()) {
+func (d *delegatingClusterWatcher) OnUpdate(data ResourceData, onDone OnDoneFunc) {
 	c := data.(*ClusterResourceData)
-	d.watcher.ResourceChanged(c, onDone)
+	d.watcher.OnUpdate(c, onDone)
 }
 
-func (d *delegatingClusterWatcher) ResourceError(err error, onDone func()) {
-	d.watcher.ResourceError(err, onDone)
+func (d *delegatingClusterWatcher) OnError(err error, onDone OnDoneFunc) {
+	d.watcher.OnError(err, onDone)
 }
 
-func (d *delegatingClusterWatcher) AmbientError(err error, onDone func()) {
-	d.watcher.AmbientError(err, onDone)
+func (d *delegatingClusterWatcher) OnResourceDoesNotExist(onDone OnDoneFunc) {
+	d.watcher.OnResourceDoesNotExist(onDone)
 }
 
 // WatchCluster uses xDS to discover the configuration associated with the
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/endpoints_resource_type.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/endpoints_resource_type.go
index de574dd8d34..94c03d0c522 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/endpoints_resource_type.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/endpoints_resource_type.go
@@ -104,40 +104,41 @@ func (e *EndpointsResourceData) Raw() *anypb.Any {
 }
 
 // EndpointsWatcher wraps the callbacks to be invoked for different
-// events corresponding to the endpoints resource being watched. gRFC A88
-// contains an exhaustive list of what method is invoked under what conditions.
+// events corresponding to the endpoints resource being watched.
 type EndpointsWatcher interface {
-	// ResourceChanged indicates a new version of the resource is available.
-	ResourceChanged(resource *EndpointsResourceData, done func())
-
-	// ResourceError indicates an error occurred while trying to fetch or
-	// decode the associated resource. The previous version of the resource
-	// should be considered invalid.
-	ResourceError(err error, done func())
-
-	// AmbientError indicates an error occurred after a resource has been
-	// received that should not modify the use of that resource but may provide
-	// useful information about the state of the XDSClient for debugging
-	// purposes. The previous version of the resource should still be
-	// considered valid.
-	AmbientError(err error, done func())
+	// OnUpdate is invoked to report an update for the resource being watched.
+	OnUpdate(*EndpointsResourceData, OnDoneFunc)
+
+	// OnError is invoked under different error conditions including but not
+	// limited to the following:
+	//	- authority mentioned in the resource is not found
+	//	- resource name parsing error
+	//	- resource deserialization error
+	//	- resource validation error
+	//	- ADS stream failure
+	//	- connection failure
+	OnError(error, OnDoneFunc)
+
+	// OnResourceDoesNotExist is invoked for a specific error condition where
+	// the requested resource is not found on the xDS management server.
+	OnResourceDoesNotExist(OnDoneFunc)
 }
 
 type delegatingEndpointsWatcher struct {
 	watcher EndpointsWatcher
 }
 
-func (d *delegatingEndpointsWatcher) ResourceChanged(data ResourceData, onDone func()) {
+func (d *delegatingEndpointsWatcher) OnUpdate(data ResourceData, onDone OnDoneFunc) {
 	e := data.(*EndpointsResourceData)
-	d.watcher.ResourceChanged(e, onDone)
+	d.watcher.OnUpdate(e, onDone)
 }
 
-func (d *delegatingEndpointsWatcher) ResourceError(err error, onDone func()) {
-	d.watcher.ResourceError(err, onDone)
+func (d *delegatingEndpointsWatcher) OnError(err error, onDone OnDoneFunc) {
+	d.watcher.OnError(err, onDone)
 }
 
-func (d *delegatingEndpointsWatcher) AmbientError(err error, onDone func()) {
-	d.watcher.AmbientError(err, onDone)
+func (d *delegatingEndpointsWatcher) OnResourceDoesNotExist(onDone OnDoneFunc) {
+	d.watcher.OnResourceDoesNotExist(onDone)
 }
 
 // WatchEndpoints uses xDS to discover the configuration associated with the
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/errors.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/errors.go
index f90d30b3a3f..d47d6283fe1 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/errors.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/errors.go
@@ -18,10 +18,7 @@
 
 package xdsresource
 
-import (
-	"errors"
-	"fmt"
-)
+import "fmt"
 
 // ErrorType is the type of the error that the watcher will receive from the xds
 // client.
@@ -43,9 +40,6 @@ const (
 	// ErrTypeStreamFailedAfterRecv indicates an ADS stream error, after
 	// successful receipt of at least one message from the server.
 	ErrTypeStreamFailedAfterRecv
-	// ErrorTypeNACKed indicates that configuration provided by the xDS management
-	// server was NACKed.
-	ErrorTypeNACKed
 )
 
 type xdsClientError struct {
@@ -63,16 +57,9 @@ func NewErrorf(t ErrorType, format string, args ...any) error {
 	return &xdsClientError{t: t, desc: fmt.Sprintf(format, args...)}
 }
 
-// NewError creates an xDS client error. The callbacks are called with this
-// error, to pass additional information about the error.
-func NewError(t ErrorType, message string) error {
-	return NewErrorf(t, "%s", message)
-}
-
 // ErrType returns the error's type.
-func ErrType(err error) ErrorType {
-	var xe *xdsClientError
-	if errors.As(err, &xe) {
+func ErrType(e error) ErrorType {
+	if xe, ok := e.(*xdsClientError); ok {
 		return xe.t
 	}
 	return ErrorTypeUnknown
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/filter_chain.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/filter_chain.go
index 3945199133e..196bb9f873f 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/filter_chain.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/filter_chain.go
@@ -23,9 +23,7 @@ import (
 	"net"
 	"sync/atomic"
 
-	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/internal/resolver"
-	"google.golang.org/grpc/status"
 	"google.golang.org/grpc/xds/internal/httpfilter"
 	"google.golang.org/grpc/xds/internal/xdsclient/xdsresource/version"
 	"google.golang.org/protobuf/proto"
@@ -101,15 +99,8 @@ type RouteWithInterceptors struct {
 // UsableRouteConfiguration contains a matchable route configuration, with
 // instantiated HTTP Filters per route.
 type UsableRouteConfiguration struct {
-	VHS    []VirtualHostWithInterceptors
-	Err    error
-	NodeID string // For logging purposes. Populated by the listener wrapper.
-}
-
-// StatusErrWithNodeID returns an error produced by the status package with the
-// specified code and message, and includes the xDS node ID.
-func (rc *UsableRouteConfiguration) StatusErrWithNodeID(c codes.Code, msg string, args ...any) error {
-	return status.Error(c, fmt.Sprintf("[xDS node id: %v]: %s", rc.NodeID, fmt.Sprintf(msg, args...)))
+	VHS []VirtualHostWithInterceptors
+	Err error
 }
 
 // ConstructUsableRouteConfiguration takes Route Configuration and converts it
@@ -131,8 +122,12 @@ func (fc *FilterChain) ConstructUsableRouteConfiguration(config RouteConfigUpdat
 func (fc *FilterChain) convertVirtualHost(virtualHost *VirtualHost) (VirtualHostWithInterceptors, error) {
 	rs := make([]RouteWithInterceptors, len(virtualHost.Routes))
 	for i, r := range virtualHost.Routes {
+		var err error
 		rs[i].ActionType = r.ActionType
-		rs[i].M = RouteToMatcher(r)
+		rs[i].M, err = RouteToMatcher(r)
+		if err != nil {
+			return VirtualHostWithInterceptors{}, fmt.Errorf("matcher construction: %v", err)
+		}
 		for _, filter := range fc.HTTPFilters {
 			// Route is highest priority on server side, as there is no concept
 			// of an upstream cluster on server side.
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/listener_resource_type.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/listener_resource_type.go
index 0f49e6c56a3..e3ca1134a07 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/listener_resource_type.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/listener_resource_type.go
@@ -141,39 +141,41 @@ func (l *ListenerResourceData) Raw() *anypb.Any {
 }
 
 // ListenerWatcher wraps the callbacks to be invoked for different
-// events corresponding to the listener resource being watched. gRFC A88
-// contains an exhaustive list of what method is invoked under what conditions.
+// events corresponding to the listener resource being watched.
 type ListenerWatcher interface {
-	// ResourceChanged indicates a new version of the resource is available.
-	ResourceChanged(resource *ListenerResourceData, done func())
-
-	// ResourceError indicates an error occurred while trying to fetch or
-	// decode the associated resource. The previous version of the resource
-	// should be considered invalid.
-	ResourceError(err error, done func())
-
-	// AmbientError indicates an error occurred after a resource has been
-	// received that should not modify the use of that resource but may provide
-	// useful information about the state of the XDSClient for debugging
-	// purposes. The previous version of the resource should still be
-	// considered valid.
-	AmbientError(err error, done func())
+	// OnUpdate is invoked to report an update for the resource being watched.
+	OnUpdate(*ListenerResourceData, OnDoneFunc)
+
+	// OnError is invoked under different error conditions including but not
+	// limited to the following:
+	//	- authority mentioned in the resource is not found
+	//	- resource name parsing error
+	//	- resource deserialization error
+	//	- resource validation error
+	//	- ADS stream failure
+	//	- connection failure
+	OnError(error, OnDoneFunc)
+
+	// OnResourceDoesNotExist is invoked for a specific error condition where
+	// the requested resource is not found on the xDS management server.
+	OnResourceDoesNotExist(OnDoneFunc)
 }
 
 type delegatingListenerWatcher struct {
 	watcher ListenerWatcher
 }
 
-func (d *delegatingListenerWatcher) ResourceChanged(data ResourceData, onDone func()) {
+func (d *delegatingListenerWatcher) OnUpdate(data ResourceData, onDone OnDoneFunc) {
 	l := data.(*ListenerResourceData)
-	d.watcher.ResourceChanged(l, onDone)
+	d.watcher.OnUpdate(l, onDone)
 }
-func (d *delegatingListenerWatcher) ResourceError(err error, onDone func()) {
-	d.watcher.ResourceError(err, onDone)
+
+func (d *delegatingListenerWatcher) OnError(err error, onDone OnDoneFunc) {
+	d.watcher.OnError(err, onDone)
 }
 
-func (d *delegatingListenerWatcher) AmbientError(err error, onDone func()) {
-	d.watcher.AmbientError(err, onDone)
+func (d *delegatingListenerWatcher) OnResourceDoesNotExist(onDone OnDoneFunc) {
+	d.watcher.OnResourceDoesNotExist(onDone)
 }
 
 // WatchListener uses xDS to discover the configuration associated with the
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/matcher.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/matcher.go
index cedfa58622e..798f6188492 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/matcher.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/matcher.go
@@ -29,10 +29,7 @@ import (
 )
 
 // RouteToMatcher converts a route to a Matcher to match incoming RPC's against.
-//
-// Only expected to be called on a Route that passed validation checks by the
-// xDS client.
-func RouteToMatcher(r *Route) *CompositeMatcher {
+func RouteToMatcher(r *Route) (*CompositeMatcher, error) {
 	var pm pathMatcher
 	switch {
 	case r.Regex != nil:
@@ -42,7 +39,7 @@ func RouteToMatcher(r *Route) *CompositeMatcher {
 	case r.Prefix != nil:
 		pm = newPathPrefixMatcher(*r.Prefix, r.CaseInsensitive)
 	default:
-		panic("illegal route: missing path_matcher")
+		return nil, fmt.Errorf("illegal route: missing path_matcher")
 	}
 
 	headerMatchers := make([]matcher.HeaderMatcher, 0, len(r.Headers))
@@ -65,7 +62,7 @@ func RouteToMatcher(r *Route) *CompositeMatcher {
 		case h.StringMatch != nil:
 			matcherT = matcher.NewHeaderStringMatcher(h.Name, *h.StringMatch, invert)
 		default:
-			panic("illegal route: missing header_match_specifier")
+			return nil, fmt.Errorf("illegal route: missing header_match_specifier")
 		}
 		headerMatchers = append(headerMatchers, matcherT)
 	}
@@ -74,7 +71,7 @@ func RouteToMatcher(r *Route) *CompositeMatcher {
 	if r.Fraction != nil {
 		fractionMatcher = newFractionMatcher(*r.Fraction)
 	}
-	return newCompositeMatcher(pm, headerMatchers, fractionMatcher)
+	return newCompositeMatcher(pm, headerMatchers, fractionMatcher), nil
 }
 
 // CompositeMatcher is a matcher that holds onto many matchers and aggregates
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/resource_type.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/resource_type.go
index c22c5a6a3a8..e14f56f781d 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/resource_type.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/resource_type.go
@@ -52,30 +52,33 @@ type Producer interface {
 	WatchResource(rType Type, resourceName string, watcher ResourceWatcher) (cancel func())
 }
 
-// ResourceWatcher is notified of the resource updates and errors that are
-// received by the xDS client from the management server.
-//
-// All methods contain a done parameter which should be called when processing
-// of the update has completed.  For example, if processing a resource requires
-// watching new resources, registration of those new watchers should be
-// completed before done is called, which can happen after the ResourceWatcher
-// method has returned. Failure to call done will prevent the xDS client from
-// providing future ResourceWatcher notifications.
+// OnDoneFunc is a function to be invoked by watcher implementations upon
+// completing the processing of a callback from the xDS client. Failure to
+// invoke this callback prevents the xDS client from reading further messages
+// from the xDS server.
+type OnDoneFunc func()
+
+// ResourceWatcher wraps the callbacks to be invoked for different events
+// corresponding to the resource being watched.
 type ResourceWatcher interface {
-	// ResourceChanged indicates a new version of the resource is available.
-	ResourceChanged(resourceData ResourceData, done func())
-
-	// ResourceError indicates an error occurred while trying to fetch or
-	// decode the associated resource. The previous version of the resource
-	// should be considered invalid.
-	ResourceError(err error, done func())
-
-	// AmbientError indicates an error occurred after a resource has been
-	// received that should not modify the use of that resource but may provide
-	// useful information about the state of the XDSClient for debugging
-	// purposes. The previous version of the resource should still be
-	// considered valid.
-	AmbientError(err error, done func())
+	// OnUpdate is invoked to report an update for the resource being watched.
+	// The ResourceData parameter needs to be type asserted to the appropriate
+	// type for the resource being watched.
+	OnUpdate(ResourceData, OnDoneFunc)
+
+	// OnError is invoked under different error conditions including but not
+	// limited to the following:
+	//	- authority mentioned in the resource is not found
+	//	- resource name parsing error
+	//	- resource deserialization error
+	//	- resource validation error
+	//	- ADS stream failure
+	//	- connection failure
+	OnError(error, OnDoneFunc)
+
+	// OnResourceDoesNotExist is invoked for a specific error condition where
+	// the requested resource is not found on the xDS management server.
+	OnResourceDoesNotExist(OnDoneFunc)
 }
 
 // TODO: Once the implementation is complete, rename this interface as
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/route_config_resource_type.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/route_config_resource_type.go
index c292b1b8ef2..98ac313288a 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/route_config_resource_type.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/route_config_resource_type.go
@@ -105,41 +105,41 @@ func (r *RouteConfigResourceData) Raw() *anypb.Any {
 }
 
 // RouteConfigWatcher wraps the callbacks to be invoked for different
-// events corresponding to the route configuration resource being watched. gRFC
-// A88 contains an exhaustive list of what method is invoked under what
-// conditions.
+// events corresponding to the route configuration resource being watched.
 type RouteConfigWatcher interface {
-	// ResourceChanged indicates a new version of the resource is available.
-	ResourceChanged(resource *RouteConfigResourceData, done func())
-
-	// ResourceError indicates an error occurred while trying to fetch or
-	// decode the associated resource. The previous version of the resource
-	// should be considered invalid.
-	ResourceError(err error, done func())
-
-	// AmbientError indicates an error occurred after a resource has been
-	// received that should not modify the use of that resource but may provide
-	// useful information about the state of the XDSClient for debugging
-	// purposes. The previous version of the resource should still be
-	// considered valid.
-	AmbientError(err error, done func())
+	// OnUpdate is invoked to report an update for the resource being watched.
+	OnUpdate(*RouteConfigResourceData, OnDoneFunc)
+
+	// OnError is invoked under different error conditions including but not
+	// limited to the following:
+	//	- authority mentioned in the resource is not found
+	//	- resource name parsing error
+	//	- resource deserialization error
+	//	- resource validation error
+	//	- ADS stream failure
+	//	- connection failure
+	OnError(error, OnDoneFunc)
+
+	// OnResourceDoesNotExist is invoked for a specific error condition where
+	// the requested resource is not found on the xDS management server.
+	OnResourceDoesNotExist(OnDoneFunc)
 }
 
 type delegatingRouteConfigWatcher struct {
 	watcher RouteConfigWatcher
 }
 
-func (d *delegatingRouteConfigWatcher) ResourceChanged(data ResourceData, onDone func()) {
+func (d *delegatingRouteConfigWatcher) OnUpdate(data ResourceData, onDone OnDoneFunc) {
 	rc := data.(*RouteConfigResourceData)
-	d.watcher.ResourceChanged(rc, onDone)
+	d.watcher.OnUpdate(rc, onDone)
 }
 
-func (d *delegatingRouteConfigWatcher) ResourceError(err error, onDone func()) {
-	d.watcher.ResourceError(err, onDone)
+func (d *delegatingRouteConfigWatcher) OnError(err error, onDone OnDoneFunc) {
+	d.watcher.OnError(err, onDone)
 }
 
-func (d *delegatingRouteConfigWatcher) AmbientError(err error, onDone func()) {
-	d.watcher.AmbientError(err, onDone)
+func (d *delegatingRouteConfigWatcher) OnResourceDoesNotExist(onDone OnDoneFunc) {
+	d.watcher.OnResourceDoesNotExist(onDone)
 }
 
 // WatchRouteConfig uses xDS to discover the configuration associated with the
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/type_eds.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/type_eds.go
index a7eab2361d3..f94a17e7c66 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/type_eds.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/type_eds.go
@@ -52,7 +52,6 @@ type Endpoint struct {
 	Addresses    []string
 	HealthStatus EndpointHealthStatus
 	Weight       uint32
-	HashKey      string
 }
 
 // Locality contains information of a locality.
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/unmarshal_eds.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/unmarshal_eds.go
index 8a7397d160a..fd780d6632d 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/unmarshal_eds.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/unmarshal_eds.go
@@ -111,31 +111,11 @@ func parseEndpoints(lbEndpoints []*v3endpointpb.LbEndpoint, uniqueEndpointAddrs
 			HealthStatus: EndpointHealthStatus(lbEndpoint.GetHealthStatus()),
 			Addresses:    addrs,
 			Weight:       weight,
-			HashKey:      hashKey(lbEndpoint),
 		})
 	}
 	return endpoints, nil
 }
 
-// hashKey extracts and returns the hash key from the given LbEndpoint. If no
-// hash key is found, it returns an empty string.
-func hashKey(lbEndpoint *v3endpointpb.LbEndpoint) string {
-	// "The xDS resolver, described in A74, will be changed to set the hash_key
-	// endpoint attribute to the value of LbEndpoint.Metadata envoy.lb hash_key
-	// field, as described in Envoy's documentation for the ring hash load
-	// balancer." - A76
-	if envconfig.XDSEndpointHashKeyBackwardCompat {
-		return ""
-	}
-	envoyLB := lbEndpoint.GetMetadata().GetFilterMetadata()["envoy.lb"]
-	if envoyLB != nil {
-		if h := envoyLB.GetFields()["hash_key"]; h != nil {
-			return h.GetStringValue()
-		}
-	}
-	return ""
-}
-
 func parseEDSRespProto(m *v3endpointpb.ClusterLoadAssignment) (EndpointsUpdate, error) {
 	ret := EndpointsUpdate{}
 	for _, dropPolicy := range m.GetPolicy().GetDropOverloads() {
@@ -169,7 +149,7 @@ func parseEDSRespProto(m *v3endpointpb.ClusterLoadAssignment) (EndpointsUpdate,
 			Zone:    l.Zone,
 			SubZone: l.SubZone,
 		}
-		lidStr := lid.ToString()
+		lidStr, _ := lid.ToString()
 
 		// "Since an xDS configuration can place a given locality under multiple
 		// priorities, it is possible to see locality weight attributes with
diff --git a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/unmarshal_lds.go b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/unmarshal_lds.go
index 475300cefcc..1b0d4599f10 100644
--- a/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/unmarshal_lds.go
+++ b/vendor/google.golang.org/grpc/xds/internal/xdsclient/xdsresource/unmarshal_lds.go
@@ -250,7 +250,7 @@ func processServerSideListener(lis *v3listenerpb.Listener) (*ListenerUpdate, err
 	if n := len(lis.ListenerFilters); n != 0 {
 		return nil, fmt.Errorf("unsupported field 'listener_filters' contains %d entries", n)
 	}
-	if lis.GetUseOriginalDst().GetValue() {
+	if useOrigDst := lis.GetUseOriginalDst(); useOrigDst != nil && useOrigDst.GetValue() {
 		return nil, errors.New("unsupported field 'use_original_dst' is present and set to true")
 	}
 	addr := lis.GetAddress()
diff --git a/vendor/google.golang.org/grpc/xds/server.go b/vendor/google.golang.org/grpc/xds/server.go
index 5baf91def22..aa93130d162 100644
--- a/vendor/google.golang.org/grpc/xds/server.go
+++ b/vendor/google.golang.org/grpc/xds/server.go
@@ -256,7 +256,7 @@ func routeAndProcess(ctx context.Context) error {
 		if logger.V(2) {
 			logger.Infof("RPC on connection with xDS Configuration error: %v", rc.Err)
 		}
-		return status.Error(codes.Unavailable, fmt.Sprintf("error from xDS configuration for matched route configuration: %v", rc.Err))
+		return status.Error(codes.Unavailable, "error from xDS configuration for matched route configuration")
 	}
 
 	mn, ok := grpc.Method(ctx)
@@ -273,7 +273,7 @@ func routeAndProcess(ctx context.Context) error {
 	authority := md.Get(":authority")
 	vh := xdsresource.FindBestMatchingVirtualHostServer(authority[0], rc.VHS)
 	if vh == nil {
-		return rc.StatusErrWithNodeID(codes.Unavailable, "the incoming RPC did not match a configured Virtual Host")
+		return status.Error(codes.Unavailable, "the incoming RPC did not match a configured Virtual Host")
 	}
 
 	var rwi *xdsresource.RouteWithInterceptors
@@ -283,22 +283,21 @@ func routeAndProcess(ctx context.Context) error {
 	}
 	for _, r := range vh.Routes {
 		if r.M.Match(rpcInfo) {
-			// "NonForwardingAction is expected for all Routes used on
-			// server-side; a route with an inappropriate action causes RPCs
-			// matching that route to fail with UNAVAILABLE." - A36
+			// "NonForwardingAction is expected for all Routes used on server-side; a route with an inappropriate action causes
+			// RPCs matching that route to fail with UNAVAILABLE." - A36
 			if r.ActionType != xdsresource.RouteActionNonForwardingAction {
-				return rc.StatusErrWithNodeID(codes.Unavailable, "the incoming RPC matched to a route that was not of action type non forwarding")
+				return status.Error(codes.Unavailable, "the incoming RPC matched to a route that was not of action type non forwarding")
 			}
 			rwi = &r
 			break
 		}
 	}
 	if rwi == nil {
-		return rc.StatusErrWithNodeID(codes.Unavailable, "the incoming RPC did not match a configured Route")
+		return status.Error(codes.Unavailable, "the incoming RPC did not match a configured Route")
 	}
 	for _, interceptor := range rwi.Interceptors {
 		if err := interceptor.AllowRPC(ctx); err != nil {
-			return rc.StatusErrWithNodeID(codes.PermissionDenied, "Incoming RPC is not allowed: %v", err)
+			return status.Errorf(codes.PermissionDenied, "Incoming RPC is not allowed: %v", err)
 		}
 	}
 	return nil
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c44481ae754..dceb67af080 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -454,11 +454,6 @@ github.com/go-chi/chi/v5
 # github.com/go-ini/ini v1.67.0
 ## explicit
 github.com/go-ini/ini
-# github.com/go-jose/go-jose/v4 v4.0.5
-## explicit; go 1.21
-github.com/go-jose/go-jose/v4
-github.com/go-jose/go-jose/v4/cipher
-github.com/go-jose/go-jose/v4/json
 # github.com/go-kit/log v0.2.1
 ## explicit; go 1.17
 github.com/go-kit/log
@@ -1186,16 +1181,6 @@ github.com/sony/gobreaker
 github.com/spf13/afero
 github.com/spf13/afero/internal/common
 github.com/spf13/afero/mem
-# github.com/spiffe/go-spiffe/v2 v2.5.0
-## explicit; go 1.22.11
-github.com/spiffe/go-spiffe/v2/bundle/jwtbundle
-github.com/spiffe/go-spiffe/v2/bundle/spiffebundle
-github.com/spiffe/go-spiffe/v2/bundle/x509bundle
-github.com/spiffe/go-spiffe/v2/internal/cryptoutil
-github.com/spiffe/go-spiffe/v2/internal/jwtutil
-github.com/spiffe/go-spiffe/v2/internal/pemutil
-github.com/spiffe/go-spiffe/v2/internal/x509util
-github.com/spiffe/go-spiffe/v2/spiffeid
 # github.com/stretchr/objx v0.5.2
 ## explicit; go 1.20
 github.com/stretchr/objx
@@ -1365,9 +1350,6 @@ github.com/yuin/gopher-lua
 github.com/yuin/gopher-lua/ast
 github.com/yuin/gopher-lua/parse
 github.com/yuin/gopher-lua/pm
-# github.com/zeebo/errs v1.4.0
-## explicit; go 1.12
-github.com/zeebo/errs
 # go.etcd.io/etcd/api/v3 v3.5.17
 ## explicit; go 1.22
 go.etcd.io/etcd/api/v3/authpb
@@ -1631,7 +1613,6 @@ golang.org/x/crypto/cryptobyte/asn1
 golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
-golang.org/x/crypto/pbkdf2
 golang.org/x/crypto/pkcs12
 golang.org/x/crypto/pkcs12/internal/rc2
 # golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476
@@ -1776,8 +1757,8 @@ google.golang.org/genproto/googleapis/api/monitoredres
 google.golang.org/genproto/googleapis/rpc/code
 google.golang.org/genproto/googleapis/rpc/errdetails
 google.golang.org/genproto/googleapis/rpc/status
-# google.golang.org/grpc v1.73.0
-## explicit; go 1.23.0
+# google.golang.org/grpc v1.73.0 => google.golang.org/grpc v1.71.2
+## explicit; go 1.22.0
 google.golang.org/grpc
 google.golang.org/grpc/attributes
 google.golang.org/grpc/authz/audit
@@ -1794,7 +1775,6 @@ google.golang.org/grpc/balancer/leastrequest
 google.golang.org/grpc/balancer/pickfirst
 google.golang.org/grpc/balancer/pickfirst/internal
 google.golang.org/grpc/balancer/pickfirst/pickfirstleaf
-google.golang.org/grpc/balancer/ringhash
 google.golang.org/grpc/balancer/rls
 google.golang.org/grpc/balancer/rls/internal/adaptive
 google.golang.org/grpc/balancer/rls/internal/keys
@@ -1836,7 +1816,6 @@ google.golang.org/grpc/internal/admin
 google.golang.org/grpc/internal/backoff
 google.golang.org/grpc/internal/balancer/gracefulswitch
 google.golang.org/grpc/internal/balancer/nop
-google.golang.org/grpc/internal/balancer/weight
 google.golang.org/grpc/internal/balancergroup
 google.golang.org/grpc/internal/balancerload
 google.golang.org/grpc/internal/binarylog
@@ -1844,7 +1823,6 @@ google.golang.org/grpc/internal/buffer
 google.golang.org/grpc/internal/cache
 google.golang.org/grpc/internal/channelz
 google.golang.org/grpc/internal/credentials
-google.golang.org/grpc/internal/credentials/spiffe
 google.golang.org/grpc/internal/credentials/xds
 google.golang.org/grpc/internal/envconfig
 google.golang.org/grpc/internal/googlecloud
@@ -1863,7 +1841,6 @@ google.golang.org/grpc/internal/resolver/dns
 google.golang.org/grpc/internal/resolver/dns/internal
 google.golang.org/grpc/internal/resolver/passthrough
 google.golang.org/grpc/internal/resolver/unix
-google.golang.org/grpc/internal/ringhash
 google.golang.org/grpc/internal/serviceconfig
 google.golang.org/grpc/internal/stats
 google.golang.org/grpc/internal/status
@@ -1885,7 +1862,6 @@ google.golang.org/grpc/peer
 google.golang.org/grpc/resolver
 google.golang.org/grpc/resolver/dns
 google.golang.org/grpc/resolver/manual
-google.golang.org/grpc/resolver/ringhash
 google.golang.org/grpc/serviceconfig
 google.golang.org/grpc/stats
 google.golang.org/grpc/stats/opentelemetry
@@ -1907,6 +1883,7 @@ google.golang.org/grpc/xds/internal/balancer/clusterresolver
 google.golang.org/grpc/xds/internal/balancer/loadstore
 google.golang.org/grpc/xds/internal/balancer/outlierdetection
 google.golang.org/grpc/xds/internal/balancer/priority
+google.golang.org/grpc/xds/internal/balancer/ringhash
 google.golang.org/grpc/xds/internal/balancer/wrrlocality
 google.golang.org/grpc/xds/internal/clusterspecifier
 google.golang.org/grpc/xds/internal/clusterspecifier/rls
@@ -2012,3 +1989,4 @@ sigs.k8s.io/yaml/goyaml.v3
 # github.com/ionos-cloud/sdk-go/v6 => github.com/ionos-cloud/sdk-go/v6 v6.0.4
 # github.com/google/gnostic => github.com/googleapis/gnostic v0.6.9
 # gopkg.in/alecthomas/kingpin.v2 => github.com/alecthomas/kingpin v1.3.8-0.20210301060133-17f40c25f497
+# google.golang.org/grpc => google.golang.org/grpc v1.71.2

From 752855118a5c9d6ab92a387c195bb3194aaff558 Mon Sep 17 00:00:00 2001
From: yeya24 <benye@amazon.com>
Date: Tue, 12 Aug 2025 14:27:05 -0700
Subject: [PATCH 2/3] fix test

Signed-off-by: yeya24 <benye@amazon.com>
---
 pkg/ring/client/pool_test.go              |  7 -------
 pkg/util/tls/test/tls_integration_test.go | 13 -------------
 2 files changed, 20 deletions(-)

diff --git a/pkg/ring/client/pool_test.go b/pkg/ring/client/pool_test.go
index 5ab735966bc..948d49d3a01 100644
--- a/pkg/ring/client/pool_test.go
+++ b/pkg/ring/client/pool_test.go
@@ -21,13 +21,6 @@ type mockClient struct {
 	status grpc_health_v1.HealthCheckResponse_ServingStatus
 }
 
-func (i mockClient) List(ctx context.Context, in *grpc_health_v1.HealthListRequest, opts ...grpc.CallOption) (*grpc_health_v1.HealthListResponse, error) {
-	if !i.happy {
-		return nil, fmt.Errorf("Fail")
-	}
-	return &grpc_health_v1.HealthListResponse{}, nil
-}
-
 func (i mockClient) Check(ctx context.Context, in *grpc_health_v1.HealthCheckRequest, opts ...grpc.CallOption) (*grpc_health_v1.HealthCheckResponse, error) {
 	if !i.happy {
 		return nil, fmt.Errorf("Fail")
diff --git a/pkg/util/tls/test/tls_integration_test.go b/pkg/util/tls/test/tls_integration_test.go
index ce3bcb4cb95..d37e57f2c6e 100644
--- a/pkg/util/tls/test/tls_integration_test.go
+++ b/pkg/util/tls/test/tls_integration_test.go
@@ -39,19 +39,6 @@ type grpcHealthCheck struct {
 	healthy bool
 }
 
-func (h *grpcHealthCheck) List(ctx context.Context, request *grpc_health_v1.HealthListRequest) (*grpc_health_v1.HealthListResponse, error) {
-	checkResp, err := h.Check(ctx, nil)
-	if err != nil {
-		return &grpc_health_v1.HealthListResponse{}, err
-	}
-
-	return &grpc_health_v1.HealthListResponse{
-		Statuses: map[string]*grpc_health_v1.HealthCheckResponse{
-			"server": checkResp,
-		},
-	}, nil
-}
-
 func (h *grpcHealthCheck) Check(_ context.Context, _ *grpc_health_v1.HealthCheckRequest) (*grpc_health_v1.HealthCheckResponse, error) {
 	if !h.healthy {
 		return &grpc_health_v1.HealthCheckResponse{Status: grpc_health_v1.HealthCheckResponse_NOT_SERVING}, nil

From 0e8479742847cf63703a03ce7c566ad55d589a47 Mon Sep 17 00:00:00 2001
From: yeya24 <benye@amazon.com>
Date: Tue, 12 Aug 2025 14:45:29 -0700
Subject: [PATCH 3/3] exclude a version that causes checksum mismatch

Signed-off-by: yeya24 <benye@amazon.com>
---
 go.mod | 3 +++
 go.sum | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 29db2e6124e..3f8e467d790 100644
--- a/go.mod
+++ b/go.mod
@@ -326,3 +326,6 @@ replace gopkg.in/alecthomas/kingpin.v2 => github.com/alecthomas/kingpin v1.3.8-0
 
 // Wait for fix for https://github.com/grpc/grpc-go/pull/8504.
 replace google.golang.org/grpc => google.golang.org/grpc v1.71.2
+
+// See https://github.com/envoyproxy/go-control-plane/issues/1083 as this version introduces checksum mismatch.
+exclude github.com/envoyproxy/go-control-plane/envoy v1.32.3
diff --git a/go.sum b/go.sum
index 360c76bbb8a..d1bd00828f3 100644
--- a/go.sum
+++ b/go.sum
@@ -1013,7 +1013,6 @@ github.com/envoyproxy/go-control-plane v0.11.0/go.mod h1:VnHyVMpzcLvCFt9yUz1UnCw
 github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
 github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA=
 github.com/envoyproxy/go-control-plane/envoy v1.32.2/go.mod h1:eR2SOX2IedqlPvmiKjUH7Wu//S602JKI7HPC/L3SRq8=
-github.com/envoyproxy/go-control-plane/envoy v1.32.3/go.mod h1:c955gQjaXHsMxMjHjEZ7nwIzMJYxXpN+sJIGufsSbg4=
 github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
 github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=