build(deps): bump github.com/go-openapi/runtime in /src/runtime

Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.28.0 to 0.29.3. - [Release notes](https://github.com/go-openapi/runtime/releases) - [Commits](https://github.com/go-openapi/runtime/compare/v0.28.0...v0.29.3) --- updated-dependencies: - dependency-name: github.com/go-openapi/runtime dependency-version: 0.29.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #12704 from stevenhorsman/security-fixes-23-mar-26
2026-03-25 14:12:21 +00:00 · 2026-03-23 14:31:30 +00:00 · 2026-03-23 15:27:07 +01:00 · 2026-03-23 15:18:38 +01:00 · 2026-03-23 13:08:51 +01:00 · 2026-03-23 12:50:15 +01:00
701 changed files with 45509 additions and 90315 deletions
--- a/.cspell.yaml
+++ b/.cspell.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/streetsidesoftware/cspell/main/cspell.schema.json
+version: "0.2"
+language: en,en-GB
+
+dictionaryDefinitions:
+  - name: kata-terms
+    path: ./tests/spellcheck/kata-dictionary.txt
+    addWords: true
+
+dictionaries:
+  - en-GB
+  - en_US
+  - bash
+  - git
+  - golang
+  - k8s
+  - python
+  - rust
+  - companies
+  - mnemonics
+  - peopleNames
+  - softwareTerms
+  - networking-terms
+  - kata-terms
+
+ignoreRegExpList:
+  - /@[a-z\d](?:[a-z\d]|-(?=[a-z\d])){0,38}/gi  # Ignores github handles
+  # Ignore code blocks
+  - /^\s*`{3,}[\s\S]*?^\s*`{3,}/gm
+  - /`[^`\n]+`/g
+
+ignorePaths:
+  - "**/vendor/**"  # vendor files aren't owned by us
+  - "**/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/**"  # Generated files
+  - "**/requirements.txt"
+
+useGitignore: true
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -37,9 +37,9 @@ updates:
    # create groups for common dependencies, so they can all go in a single PR
    # We can extend this as we see more frequent groups
    groups:
-      bit-vec:
+      aws-libcrypto:
        patterns:
-          - bit-vec
+          - aws-lc-*
      bumpalo:
        patterns:
          - bumpalo
@@ -67,6 +67,9 @@ updates:
      rustix:
        patterns:
          - rustix
+      rustls-webpki:
+        patterns:
+          - rustls-webpki
      slab:
        patterns:
          - slab
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -47,6 +47,7 @@ jobs:
          - coco-guest-components
          - firecracker
          - kernel
+          - kernel-debug
          - kernel-dragonball-experimental
          - kernel-nvidia-gpu
          - nydus
@@ -168,8 +169,6 @@ jobs:
          - rootfs-image-nvidia-gpu-confidential
          - rootfs-initrd
          - rootfs-initrd-confidential
-          - rootfs-initrd-nvidia-gpu
-          - rootfs-initrd-nvidia-gpu-confidential
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -349,6 +348,16 @@ jobs:
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
        env:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+      - name: Check kata tarball size (GitHub release asset limit)
+        run: |
+          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
+          GITHUB_ASSET_MAX_BYTES=2147483648
+          tarball_size=$(stat -c "%s" kata-static.tar.zst)
+          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
+            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
+            exit 1
+          fi
+          echo "tarball size: ${tarball_size} bytes"
      - name: store-artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
@@ -367,7 +376,6 @@ jobs:
      matrix:
        asset:
          - agent-ctl
-          - csi-kata-directvolume
          - genpolicy
          - kata-ctl
          - kata-manager
@@ -450,6 +458,16 @@ jobs:
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst
        env:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+      - name: Check kata-tools tarball size (GitHub release asset limit)
+        run: |
+          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
+          GITHUB_ASSET_MAX_BYTES=2147483648
+          tarball_size=$(stat -c "%s" kata-tools-static.tar.zst)
+          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
+            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
+            exit 1
+          fi
+          echo "tarball size: ${tarball_size} bytes"
      - name: store-artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -45,6 +45,7 @@ jobs:
          - cloud-hypervisor
          - firecracker
          - kernel
+          - kernel-debug
          - kernel-dragonball-experimental
          - kernel-nvidia-gpu
          - kernel-cca-confidential
@@ -152,7 +153,6 @@ jobs:
          - rootfs-image
          - rootfs-image-nvidia-gpu
          - rootfs-initrd
-          - rootfs-initrd-nvidia-gpu
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -327,6 +327,16 @@ jobs:
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
        env:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+      - name: Check kata tarball size (GitHub release asset limit)
+        run: |
+          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
+          GITHUB_ASSET_MAX_BYTES=2147483648
+          tarball_size=$(stat -c "%s" kata-static.tar.zst)
+          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
+            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
+            exit 1
+          fi
+          echo "tarball size: ${tarball_size} bytes"
      - name: store-artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -262,6 +262,16 @@ jobs:
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
        env:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+      - name: Check kata tarball size (GitHub release asset limit)
+        run: |
+          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
+          GITHUB_ASSET_MAX_BYTES=2147483648
+          tarball_size=$(stat -c "%s" kata-static.tar.zst)
+          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
+            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
+            exit 1
+          fi
+          echo "tarball size: ${tarball_size} bytes"
      - name: store-artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -350,6 +350,16 @@ jobs:
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
        env:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+      - name: Check kata tarball size (GitHub release asset limit)
+        run: |
+          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
+          GITHUB_ASSET_MAX_BYTES=2147483648
+          tarball_size=$(stat -c "%s" kata-static.tar.zst)
+          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
+            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
+            exit 1
+          fi
+          echo "tarball size: ${tarball_size} bytes"
      - name: store-artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -4,17 +4,18 @@ on:
    branches:
      - main
 permissions: {}
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  deploy-docs:
-    name: deploy-docs
+  build:
+    runs-on: ubuntu-24.04
+    name: Build docs
    permissions:
      contents: read
      pages: write
      id-token: write
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    runs-on: ubuntu-latest
    steps:
      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
@@ -23,10 +24,30 @@ jobs:
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: 3.x
-      - run: pip install zensical
-      - run: zensical build --clean
+
+      - run: pip install -r docs/requirements.txt
+      - run: python3 -m mkdocs build --config-file ./mkdocs.yaml --site-dir site/
+        id: build
+
      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
-        with:
-          path: site
-      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
        id: deployment
+        with:
+          path: site/
+          name: github-pages
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-24.04
+    name: Deploy docs
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+        id: deployment
+        with:
+          artifact_name: github-pages
--- a/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
+++ b/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
@@ -49,6 +49,8 @@ jobs:
      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
      KUBERNETES: kubeadm
      KBS: ${{ matrix.environment.name == 'nvidia-gpu-snp' && 'true' || 'false' }}
+      SNAPSHOTTER: ${{ matrix.environment.name == 'nvidia-gpu-snp' && 'nydus' || '' }}
+      USE_EXPERIMENTAL_SNAPSHOTTER_SETUP: ${{ matrix.environment.name == 'nvidia-gpu-snp' && 'true' || 'false' }}
      K8S_TEST_HOST_TYPE: baremetal
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -98,7 +100,7 @@ jobs:
        run: bash tests/integration/kubernetes/gha-run.sh install-bats

      - name: Run tests ${{ matrix.environment.vmm }}
-        timeout-minutes: 30
+        timeout-minutes: 60
        run: bash tests/integration/kubernetes/gha-run.sh run-nv-tests
        env:
          NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -110,10 +110,6 @@ jobs:
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client

-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
      - name: Run tests
        timeout-minutes: 100
        run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -134,10 +130,6 @@ jobs:
          [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}"
          bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs

-      - name: Delete CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
-
  # Generate jobs for testing CoCo on non-TEE environments
  run-k8s-tests-coco-nontee:
    name: run-k8s-tests-coco-nontee
@@ -235,10 +227,6 @@ jobs:
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client

-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
      - name: Run tests
        timeout-minutes: 80
        run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -257,11 +245,6 @@ jobs:
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs

-      - name: Delete CSI driver
-        if: always()
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
-
  # Extensive matrix: autogenerated policy tests (nydus + experimental-force-guest-pull) on k0s, k3s, rke2, microk8s with qemu-coco-dev / qemu-coco-dev-runtime-rs
  run-k8s-tests-coco-nontee-extensive-matrix:
    if: ${{ inputs.extensive-matrix-autogenerated-policy == 'yes' }}
@@ -365,10 +348,6 @@ jobs:
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client

-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
      - name: Run tests
        timeout-minutes: 80
        run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -387,11 +366,6 @@ jobs:
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs

-      - name: Delete CSI driver
-        if: always()
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
-
  # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
  run-k8s-tests-coco-nontee-with-erofs-snapshotter:
    name: run-k8s-tests-coco-nontee-with-erofs-snapshotter
@@ -478,10 +452,6 @@ jobs:
        timeout-minutes: 20
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata

-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
      - name: Run tests
        timeout-minutes: 80
        run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -494,8 +464,3 @@ jobs:
        if: always()
        timeout-minutes: 15
        run: bash tests/integration/kubernetes/gha-run.sh cleanup
-
-      - name: Delete CSI driver
-        if: always()
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
--- a/.github/workflows/spellcheck.yaml
+++ b/.github/workflows/spellcheck.yaml
@@ -0,0 +1,30 @@
+name: Spelling check
+
+on: ["pull_request"]
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check-spelling:
+    name: check-spelling
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Check Spelling
+        uses: streetsidesoftware/cspell-action@9cd41bb518a24fefdafd9880cbab8f0ceba04d28  # 8.3.0
+        with:
+          files: |
+            **/*.md
+            **/*.rst
+            **/*.txt
+          incremental_files_only: true
+          config: ".cspell.yaml"
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -138,7 +138,7 @@ jobs:
          go-version: ${{ env.GO_VERSION }}
      - name: Install system dependencies
        run: |
-          sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
+          sudo apt-get update && sudo apt-get -y install moreutils
      - name: Install open-policy-agent
        run: |
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -148,9 +148,10 @@ checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 [[package]]
 name = "api_client"
 version = "0.1.0"
-source = "git+https://github.com/cloud-hypervisor/cloud-hypervisor?tag=v27.0#2ba6a9bfcfd79629aecf77504fa554ab821d138e"
+source = "git+https://github.com/cloud-hypervisor/cloud-hypervisor?tag=v51.0#00e106e53e7ba48b01f194f7887b20b9a0bfb905"
 dependencies = [
- "vmm-sys-util 0.10.0",
+ "thiserror 2.0.18",
+ "vmm-sys-util 0.14.0",
 ]

 [[package]]
@@ -340,9 +341,9 @@ checksum = "cc17ab023b4091c10ff099f9deebaeeb59b5189df07e554c4fef042b70745d68"

 [[package]]
 name = "aws-lc-rs"
-version = "1.16.1"
+version = "1.16.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf"
+checksum = "a054912289d18629dc78375ba2c3726a3afe3ff71b4edba9dedfca0e3446d1fc"
 dependencies = [
 "aws-lc-sys",
 "zeroize",
@@ -350,9 +351,9 @@ dependencies = [

 [[package]]
 name = "aws-lc-sys"
-version = "0.38.0"
+version = "0.39.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e"
+checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a"
 dependencies = [
 "cc",
 "cmake",
@@ -693,7 +694,7 @@ dependencies = [
 "nix 0.26.4",
 "serde",
 "serde_json",
- "thiserror 1.0.69",
+ "thiserror 2.0.18",
 "tokio",
 ]

@@ -5124,9 +5125,9 @@ checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"

 [[package]]
 name = "rustls-webpki"
-version = "0.103.9"
+version = "0.103.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
 dependencies = [
 "aws-lc-rs",
 "ring",
@@ -5919,9 +5920,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"

 [[package]]
 name = "tar"
-version = "0.4.44"
+version = "0.4.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a"
+checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973"
 dependencies = [
 "filetime",
 "libc",
@@ -6784,9 +6785,9 @@ checksum = "69c376a9b84afdf97bddd2628096cf3554208b2a676cf06b4532e0f433a54e02"

 [[package]]
 name = "vmm-sys-util"
-version = "0.10.0"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08604d7be03eb26e33b3cee3ed4aef2bf550b305d1cca60e84da5d28d3790b62"
+checksum = "d21f366bf22bfba3e868349978766a965cbe628c323d58e026be80b8357ab789"
 dependencies = [
 "bitflags 1.3.2",
 "libc",
--- a/8
+++ b/8
@@ -49,8 +49,11 @@ docs-url-alive-check:
 build-and-publish-kata-debug:
 	bash tools/packaging/kata-debug/kata-debug-build-and-upload-payload.sh ${KATA_DEBUG_REGISTRY} ${KATA_DEBUG_TAG}

-docs-serve:
-	docker run --rm -p 8000:8000 -v ./docs:/docs:ro -v ${PWD}/zensical.toml:/zensical.toml:ro zensical/zensical serve --config-file /zensical.toml -a 0.0.0.0:8000
+docs-build:
+	docker build -t kata-docs:latest -f ./docs/Dockerfile ./docs
+
+docs-serve: docs-build
+	docker run --rm -p 8000:8000 -v ${PWD}:/docs:ro kata-docs:latest serve --config-file /docs/mkdocs.yaml -a 0.0.0.0:8000

 .PHONY: \
 	all \
@@ -59,4 +62,5 @@ docs-serve:
 	default \
 	static-checks \
 	docs-url-alive-check \
+	docs-build \
 	docs-serve
--- a/2
+++ b/2
@@ -1 +1 @@
-3.27.0
+3.28.0
--- a/ci/README.md
+++ b/ci/README.md
@@ -378,7 +378,7 @@ that is used in the test" section.  From there you can see exactly what you'll
 have to use when deploying kata-deploy in your local cluster.

 > [!NOTE]
-> TODO: WAINER TO FINISH THIS PART BASED ON HIS PR TO RUN A LOCAL CI
+> TODO: @wainersm TO FINISH THIS PART BASED ON HIS PR TO RUN A LOCAL CI

 ## Adding new runners

--- a/ci/openshift-ci/README.md
+++ b/ci/openshift-ci/README.md
@@ -98,7 +98,7 @@ Let's say the OCP pipeline passed running with
 but failed running with
 ``quay.io/kata-containers/kata-deploy-ci:kata-containers-9f512c016e75599a4a921bd84ea47559fe610057-amd64``
 and you'd like to know which PR caused the regression. You can either run with
-all the 60 tags between or you can utilize the [bisecter](https://github.com/ldoktor/bisecter)
+all the 60 tags between or you can utilize the [`bisecter`](https://github.com/ldoktor/bisecter)
 to optimize the number of steps in between.

 Before running the bisection you need a reproducer script. Sample one called
--- a/docs/.nav.yml
+++ b/docs/.nav.yml
@@ -0,0 +1,18 @@
+# https://lukasgeiter.github.io/mkdocs-awesome-nav/
+nav:
+  - Home: index.md
+  - Getting Started:
+    - prerequisites.md
+    - installation.md
+    - Configuration:
+        - helm-configuration.md
+        - runtime-configuration.md
+  - Platform Support:
+    - hypervisors.md
+  - Guides:
+    - Use Cases:
+      - NVIDIA GPU Passthrough: use-cases/NVIDIA-GPU-passthrough-and-Kata-QEMU.md
+      - NVIDIA vGPU: use-cases/NVIDIA-GPU-passthrough-and-Kata.md
+      - Intel Discrete GPU: use-cases/Intel-Discrete-GPU-passthrough-and-Kata.md
+  - Misc:
+    - Architecture: design/architecture/
--- a/docs/Developer-Guide.md
+++ b/docs/Developer-Guide.md
@@ -730,7 +730,7 @@ sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.debug_cons

 ##### Connecting to the debug console

-Next, connect to the debug console. The VSOCKS paths vary slightly between each
+Next, connect to the debug console. The VSOCK paths vary slightly between each
 VMM solution.

 In case of cloud-hypervisor, connect to the `vsock` as shown:
--- a/docs/Dockerfile
+++ b/docs/Dockerfile
@@ -0,0 +1,11 @@
+# Copyright 2026 Kata Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+FROM python:3.12-slim
+
+WORKDIR /
+COPY ./requirements.txt requirements.txt
+RUN pip install --no-cache-dir -r requirements.txt
+
+ENTRYPOINT ["python3", "-m", "mkdocs"]
--- a/docs/Documentation-Requirements.md
+++ b/docs/Documentation-Requirements.md
@@ -188,15 +188,14 @@ and compare them with standard tools (e.g. `diff(1)`).
 # Spelling

 Since this project uses a number of terms not found in conventional
-dictionaries, we have a
-[spell checking tool](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-spelling)
-that checks both dictionary words and the additional terms we use.
+dictionaries, we have a [kata-dictionary](../tests/spellcheck/kata-dictionary.txt)
+that contains some project specific terms we use.

-Run the spell checking tool on your document before raising a PR to ensure it
+You can run the `cspell` checking tool on your document before raising a PR to ensure it
 is free of mistakes.

 If your document introduces new terms, you need to update the custom
-dictionary used by the spell checking tool to incorporate the new words.
+dictionary to incorporate the new words.

 # Names

--- a/docs/Release-Process.md
+++ b/docs/Release-Process.md
@@ -1,59 +1,69 @@
 # How to do a Kata Containers Release
+
 This document lists the tasks required to create a Kata Release.

 ## Requirements

 - GitHub permissions to run workflows.

-## Versioning
+## Release Model

-The Kata Containers project uses [semantic versioning](http://semver.org/) for all releases.
-Semantic versions are comprised of three fields in the form:
+Kata Containers follows a rolling release model with monthly snapshots.
+New features, bug fixes, and improvements are continuously integrated into
+`main`. Each month, a snapshot is tagged as a new `MINOR` release.

-```
-MAJOR.MINOR.PATCH
-```
+### Versioning

-When `MINOR` increases, the new release adds **new features** but *without changing the existing behavior*.
+Releases use the `MAJOR.MINOR.PATCH` scheme. Monthly snapshots increment
+`MINOR`; `PATCH` is typically `0`. Major releases are rare (years apart) and
+signal significant architectural changes that may require updates to container
+managers (Containerd, CRI-O) or other infrastructure. Breaking changes in
+`MINOR` releases are avoided where possible, but may occasionally occur as
+features are deprecated or removed.

-When `MAJOR` increases, the new release adds **new features, bug fixes, or
-both** and which **changes the behavior from the previous release** (incompatible with previous releases).
+### No Stable Branches

-A major release will also likely require a change of the container manager version used,
-for example Containerd or CRI-O. Please refer to the release notes for further details.
-
-**Important** : the Kata Containers project doesn't have stable branches (see
-[this issue](https://github.com/kata-containers/kata-containers/issues/9064) for details).
-Bug fixes are released as part of `MINOR` or `MAJOR` releases only. `PATCH` is always `0`.
+The Kata Containers project does not maintain stable branches (see
+[#9064](https://github.com/kata-containers/kata-containers/issues/9064)).
+Bug fixes land on `main` and ship in the next monthly snapshot rather than
+being backported. Downstream projects that need extended support or compliance
+certifications should select a monthly snapshot as their stable base and manage
+their own validation and patch backporting from there.

 ## Release Process

-### Bump the `VERSION` and `Chart.yaml` file
+### Lock the `main` branch and announce release process

-When the `kata-containers/kata-containers` repository is ready for a new release,
-first create a PR to set the release in the [`VERSION`](./../VERSION) file and update the
-`version` and `appVersion` in the
-[`Chart.yaml`](./../tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml) file and
-have it merged.
-
-### Lock the `main` branch
-
-In order to prevent any PRs getting merged during the release process, and slowing the release
-process down, by impacting the payload caches, we have recently trailed setting the `main`
-branch to read only whilst the release action runs.
+In order to prevent any PRs getting merged during the release process, and
+slowing the release process down, by impacting the payload caches, we have
+recently trialed setting the `main` branch to read-only.
+Once the `kata-containers/kata-containers` repository is ready for a new
+release, lock the main branch until the release action has completed.
+Notify the #kata-dev Slack channel about the ongoing release process.
+Ideally, CI usage by others should be reduced to a minimum during the
+ongoing release process.

 > [!NOTE]
-> Admin permission is needed to complete this task.
+> Admin permission is needed to lock/unlock the `main` branch.
+
+### Bump the `VERSION` and `Chart.yaml` file
+
+Create a PR to set the release in the [`VERSION`](./../VERSION) file and to
+update the `version` and `appVersion` fields in the
+[`Chart.yaml`](./../tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml)
+file. Temporarily unlock the main branch to merge the PR.

 ### Wait for the `VERSION` bump PR payload publish to complete

-To reduce the chance of need to re-run the release workflow, check the
-[CI | Publish Kata Containers payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml)
+To reduce the chance of need to re-run the release workflow, check the [CI |
+Publish Kata Containers
+payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml)
 once the `VERSION` PR bump has merged to check that the assets build correctly
 and are cached, so that the release process can just download these artifacts
-rather than needing to build them all, which takes time and can reveal errors in infra.
+rather than needing to build them all, which takes time and can reveal errors in
+infra.

-### Check GitHub Actions
+### Trigger the `Release Kata Containers` GitHub Action

 We make use of [GitHub actions](https://github.com/features/actions) in the
 [release](https://github.com/kata-containers/kata-containers/actions/workflows/release.yaml)
@@ -63,11 +73,10 @@ release artifacts.
 > [!NOTE]
 > Write permissions to trigger the action.

-The action is manually triggered and is responsible for generating a new
-release (including a new tag), pushing those to the
-`kata-containers/kata-containers` repository. The new release is initially
-created as a draft. It is promoted to an official release when the whole
-workflow has completed successfully.
+The action is manually triggered and is responsible for generating a new release
+(including a new tag), pushing those to the `kata-containers/kata-containers`
+repository. The new release is initially created as a draft. It is promoted to
+an official release when the whole workflow has completed successfully.

 Check the [actions status
 page](https://github.com/kata-containers/kata-containers/actions) to verify all
@@ -75,12 +84,13 @@ steps in the actions workflow have completed successfully. On success, a static
 tarball containing Kata release artifacts will be uploaded to the [Release
 page](https://github.com/kata-containers/kata-containers/releases).

-If the workflow fails because of some external environmental causes, e.g. network
-timeout, simply re-run the failed jobs until they eventually succeed.
+If the workflow fails because of some external environmental causes, e.g.
+network timeout, simply re-run the failed jobs until they eventually succeed.

-If for some reason you need to cancel the workflow or re-run it entirely, go first
-to the [Release page](https://github.com/kata-containers/kata-containers/releases) and
-delete the draft release from the previous run.
+If for some reason you need to cancel the workflow or re-run it entirely, go
+first to the [Release
+page](https://github.com/kata-containers/kata-containers/releases) and delete
+the draft release from the previous run.

 ### Unlock the `main` branch

@@ -90,9 +100,8 @@ an admin to do it.
 ### Improve the release notes

 Release notes are auto-generated by the GitHub CLI tool used as part of our
-release workflow.  However, some manual tweaking may still be necessary in
-order to highlight the most important features and bug fixes in a specific
-release.
+release workflow.  However, some manual tweaking may still be necessary in order
+to highlight the most important features and bug fixes in a specific release.

 With this in mind, please, poke @channel on #kata-dev and people who worked on
 the release will be able to contribute to that.
--- a/docs/assets/images/favicon.svg
+++ b/docs/assets/images/favicon.svg
--- a/docs/code-pr-advice.md
+++ b/docs/code-pr-advice.md
@@ -231,12 +231,6 @@ Run the
 [markdown checker](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-markdown)
 on your documentation changes.

-### Spell check
-
-Run the
-[spell checker](https://github.com/kata-containers/kata-containers/tree/main/tests/cmd/check-spelling)
-on your documentation changes.
-
 ## Finally

 You may wish to read the documentation that the
--- a/docs/design/kata-api-design.md
+++ b/docs/design/kata-api-design.md
@@ -43,7 +43,7 @@ To fulfill the [Kata design requirements](kata-design-requirements.md), and base
 |`sandbox.AddInterface(inf)`| Add new NIC to the sandbox.|
 |`sandbox.RemoveInterface(inf)`| Remove a NIC from the sandbox.|
 |`sandbox.ListInterfaces()`| List all NICs and their configurations in the sandbox, return a `pbTypes.Interface` list.|
-|`sandbox.UpdateRoutes(routes)`| Update the sandbox route table (e.g. for portmapping support), return a `pbTypes.Route` list.|
+|`sandbox.UpdateRoutes(routes)`| Update the sandbox route table (e.g. for port mapping support), return a `pbTypes.Route` list.|
 |`sandbox.ListRoutes()`| List the sandbox route table, return a `pbTypes.Route` list.|

 ### Sandbox Relay API
--- a/docs/design/kata-nydus-design.md
+++ b/docs/design/kata-nydus-design.md
@@ -8,7 +8,7 @@ The following benchmarking result shows the performance improvement compared wit

 ## Proposal - Bring `lazyload` ability to Kata Containers

-`Nydusd` is a fuse/`virtiofs` daemon which is provided by `nydus` project and it supports `PassthroughFS` and [RAFS](https://github.com/dragonflyoss/image-service/blob/master/docs/nydus-design.md) (Registry Acceleration File System) natively, so in Kata Containers, we can use `nydusd` in place of `virtiofsd` and mount `nydus` image to guest in the meanwhile.
+`Nydusd` is a fuse/`virtiofs` daemon which is provided by `nydus` project and it supports `PassthroughFS` and [`rafs`](https://github.com/dragonflyoss/image-service/blob/master/docs/nydus-design.md) (Registry Acceleration File System) natively, so in Kata Containers, we can use `nydusd` in place of `virtiofsd` and mount `nydus` image to guest in the meanwhile.

 The process of creating/starting Kata Containers with `virtiofsd`,

--- a/docs/helm-configuration.md
+++ b/docs/helm-configuration.md
@@ -0,0 +1,264 @@
+# Helm Configuration
+
+## Parameters
+
+The helm chart provides a comprehensive set of configuration options. You may view the parameters and their descriptions by going to the [GitHub source](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml) or by using helm:
+
+```sh
+# List available kata-deploy chart versions:
+#   helm search repo kata-deploy-charts/kata-deploy --versions
+#
+# Then replace X.Y.Z below with the desired chart version:
+helm show values --version X.Y.Z oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy
+```
+
+### shims
+
+Kata ships with a number of pre-built artifacts and runtimes. You may selectively enable or disable specific shims. For example:
+
+```yaml title="values.yaml"
+shims:
+  disableAll: true
+  qemu:
+    enabled: true
+  qemu-nvidia-gpu:
+    enabled: true
+  qemu-nvidia-gpu-snp:
+    enabled: false
+
+```
+
+Shims can also have configuration options specific to them:
+
+```yaml
+  qemu-nvidia-gpu:
+    enabled: ~
+    supportedArches:
+      - amd64
+      - arm64
+    allowedHypervisorAnnotations: []
+    containerd:
+      snapshotter: ""
+    runtimeClass:
+      # This label is automatically added by gpu-operator. Override it
+      # if you want to use a different label.
+      # Uncomment once GPU Operator v26.3 is out
+      # nodeSelector:
+        # nvidia.com/cc.ready.state: "false"
+```
+
+It's best to reference the default `values.yaml` file above for more details.
+
+### Custom Runtimes
+
+Kata allows you to create custom runtime configurations. This is done by overlaying one of the pre-existing runtime configs with user-provided configs. For example, we can use the `qemu-nvidia-gpu` as a base config and overlay our own parameters to it:
+
+```yaml
+customRuntimes:
+  enabled: false
+  runtimes:
+    my-gpu-runtime:
+      baseConfig: "qemu-nvidia-gpu"  # Required: existing config to use as base
+      dropIn: |                      # Optional: overrides via config.d mechanism
+        [hypervisor.qemu]
+        default_memory = 1024
+        default_vcpus = 4
+      runtimeClass: |
+        kind: RuntimeClass
+        apiVersion: node.k8s.io/v1
+        metadata:
+          name: kata-my-gpu-runtime
+          labels:
+            app.kubernetes.io/managed-by: kata-deploy
+        handler: kata-my-gpu-runtime
+        overhead:
+          podFixed:
+            memory: "640Mi"
+            cpu: "500m"
+        scheduling:
+          nodeSelector:
+            katacontainers.io/kata-runtime: "true"
+      # Optional: CRI-specific configuration
+      containerd:
+        snapshotter: "nydus"  # Configure containerd snapshotter (nydus, erofs, etc.)
+      crio:
+        pullType: "guest-pull"  # Configure CRI-O runtime_pull_image = true
+```
+
+Again, view the default [`values.yaml`](#parameters) file for more details.
+
+## Examples
+
+We provide a few examples that you can pass to helm via the `-f`/`--values` flag.
+
+### [`try-kata-tee.values.yaml`](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml)
+
+This file enables only the TEE (Trusted Execution Environment) shims for confidential computing:
+
+```sh
+helm install kata-deploy oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy \
+  --version VERSION \
+  -f try-kata-tee.values.yaml
+```
+
+Includes:
+
+- `qemu-snp` - AMD SEV-SNP (amd64)
+- `qemu-tdx` - Intel TDX (amd64)
+- `qemu-se` - IBM Secure Execution for Linux (SEL) (s390x)
+- `qemu-se-runtime-rs` - IBM Secure Execution for Linux (SEL) Rust runtime (s390x)
+- `qemu-cca` - Arm Confidential Compute Architecture (arm64)
+- `qemu-coco-dev` - Confidential Containers development (amd64, s390x)
+- `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, s390x)
+
+### [`try-kata-nvidia-gpu.values.yaml`](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml)
+
+This file enables only the NVIDIA GPU-enabled shims:
+
+```sh
+helm install kata-deploy oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy \
+  --version VERSION \
+  -f try-kata-nvidia-gpu.values.yaml
+```
+
+Includes:
+
+- `qemu-nvidia-gpu` - Standard NVIDIA GPU support (amd64, arm64)
+- `qemu-nvidia-gpu-snp` - NVIDIA GPU with AMD SEV-SNP (amd64)
+- `qemu-nvidia-gpu-tdx` - NVIDIA GPU with Intel TDX (amd64)
+
+### `nodeSelector`
+
+We can deploy Kata only to specific nodes using `nodeSelector`
+
+```sh
+# First, label the nodes where you want kata-containers to be installed
+$ kubectl label nodes worker-node-1 kata-containers=enabled
+$ kubectl label nodes worker-node-2 kata-containers=enabled
+
+# Then install the chart with `nodeSelector`
+$ helm install kata-deploy \
+  --set nodeSelector.kata-containers="enabled" \
+  "${CHART}" --version  "${VERSION}"
+```
+
+You can also use a values file:
+
+```yaml title="values.yaml"
+nodeSelector:
+  kata-containers: "enabled"
+  node-type: "worker"
+```
+
+```sh
+$ helm install kata-deploy -f values.yaml "${CHART}" --version "${VERSION}"
+```
+
+### Multiple Kata installations on the Same Node
+
+For debugging, testing and other use-case it is possible to deploy multiple
+versions of Kata on the very same node. All the needed artifacts are getting the
+`multiInstallSuffix` appended to distinguish each installation. **BEWARE** that one
+needs at least **containerd-2.0** since this version has drop-in conf support
+which is a prerequisite for the `multiInstallSuffix` to work properly.
+
+```sh
+$ helm install kata-deploy-cicd       \
+  -n kata-deploy-cicd                 \
+  --set env.multiInstallSuffix=cicd   \
+  --set env.debug=true                \
+  "${CHART}" --version  "${VERSION}"
+```
+
+Note: `runtimeClasses` are automatically created by Helm (via
+      `runtimeClasses.enabled=true`, which is the default).
+
+Now verify the installation by examining the `runtimeClasses`:
+
+```sh
+$ kubectl get runtimeClasses
+NAME                            HANDLER                         AGE
+kata-clh-cicd                   kata-clh-cicd                   77s
+kata-cloud-hypervisor-cicd      kata-cloud-hypervisor-cicd      77s
+kata-dragonball-cicd            kata-dragonball-cicd            77s
+kata-fc-cicd                    kata-fc-cicd                    77s
+kata-qemu-cicd                  kata-qemu-cicd                  77s
+kata-qemu-coco-dev-cicd         kata-qemu-coco-dev-cicd         77s
+kata-qemu-nvidia-gpu-cicd       kata-qemu-nvidia-gpu-cicd       77s
+kata-qemu-nvidia-gpu-snp-cicd   kata-qemu-nvidia-gpu-snp-cicd   77s
+kata-qemu-nvidia-gpu-tdx-cicd   kata-qemu-nvidia-gpu-tdx-cicd   76s
+kata-qemu-runtime-rs-cicd       kata-qemu-runtime-rs-cicd       77s
+kata-qemu-se-runtime-rs-cicd    kata-qemu-se-runtime-rs-cicd    77s
+kata-qemu-snp-cicd              kata-qemu-snp-cicd              77s
+kata-qemu-tdx-cicd              kata-qemu-tdx-cicd              77s
+kata-stratovirt-cicd            kata-stratovirt-cicd            77s
+```
+
+## RuntimeClass Node Selectors for TEE Shims
+
+**Manual configuration:** Any `nodeSelector` you set under `shims.<shim>.runtimeClass.nodeSelector`
+is **always applied** to that shim's RuntimeClass, whether or not NFD is present. Use this when
+you want to pin TEE workloads to specific nodes (e.g. without NFD, or with custom labels).
+
+**Auto-inject when NFD is present:** If you do *not* set a `runtimeClass.nodeSelector` for a
+TEE shim, the chart can **automatically inject** NFD-based labels when NFD is detected in the
+cluster (deployed by this chart with `node-feature-discovery.enabled=true` or found externally):
+
+- AMD SEV-SNP shims: `amd.feature.node.kubernetes.io/snp: "true"`
+- Intel TDX shims: `intel.feature.node.kubernetes.io/tdx: "true"`
+- IBM Secure Execution for Linux (SEL) shims (s390x): `feature.node.kubernetes.io/cpu-security.se.enabled: "true"`
+
+The chart uses Helm's `lookup` function to detect NFD (by looking for the
+`node-feature-discovery-worker` DaemonSet). Auto-inject only runs when NFD is detected and
+no manual `runtimeClass.nodeSelector` is set for that shim.
+
+**Note**: NFD detection requires cluster access. During `helm template` (dry-run without a
+cluster), external NFD is not seen, so auto-injected labels are not added. Manual
+`runtimeClass.nodeSelector` values are still applied in all cases.
+
+## Customizing Configuration with Drop-in Files
+
+When kata-deploy installs Kata Containers, the base configuration files should not
+be modified directly. Instead, use drop-in configuration files to customize
+settings. This approach ensures your customizations survive kata-deploy upgrades.
+
+### How Drop-in Files Work
+
+The Kata runtime reads the base configuration file and then applies any `.toml`
+files found in the `config.d/` directory alongside it. Files are processed in
+alphabetical order, with later files overriding earlier settings.
+
+### Creating Custom Drop-in Files
+
+To add custom settings, create a `.toml` file in the appropriate `config.d/`
+directory. Use a numeric prefix to control the order of application.
+
+**Reserved prefixes** (used by kata-deploy):
+
+- `10-*`: Core kata-deploy settings
+- `20-*`: Debug settings
+- `30-*`: Kernel parameters
+
+**Recommended prefixes for custom settings**: `50-89`
+
+### Drop-In Config Examples
+
+#### Adding Custom Kernel Parameters
+
+```bash
+# SSH into the node or use kubectl exec
+sudo mkdir -p /opt/kata/share/defaults/kata-containers/runtimes/qemu/config.d/
+sudo cat > /opt/kata/share/defaults/kata-containers/runtimes/qemu/config.d/50-custom.toml << 'EOF'
+[hypervisor.qemu]
+kernel_params = "my_param=value"
+EOF
+```
+
+#### Changing Default Memory Size
+
+```bash
+sudo cat > /opt/kata/share/defaults/kata-containers/runtimes/qemu/config.d/50-memory.toml << 'EOF'
+[hypervisor.qemu]
+default_memory = 4096
+EOF
+```
--- a/docs/how-to/containerd-kata.md
+++ b/docs/how-to/containerd-kata.md
@@ -23,7 +23,7 @@ workloads with isolated sandboxes (i.e. Kata Containers).

 As a result, the CRI implementations extended their semantics for the requirements:

- At the beginning, [Frakti](https://github.com/kubernetes/frakti) checks the network configuration of a Pod, and
+- At the beginning, [`Frakti`](https://github.com/kubernetes/frakti) checks the network configuration of a Pod, and
  treat Pod with `host` network as trusted, while others are treated as untrusted.
 - The containerd introduced an annotation for untrusted Pods since [v1.0](https://github.com/containerd/cri/blob/v1.0.0-rc.0/docs/config.md):
  ```yaml
--- a/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
+++ b/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
@@ -18,7 +18,7 @@ The host kernel must be equal to or later than upstream version [6.11](https://c

 [`sev-utils`](https://github.com/amd/sev-utils/blob/coco-202501150000/docs/snp.md) is an easy way to install the required host kernel with the `setup-host` command. However, it will also build compatible guest kernel, OVMF, and QEMU components which are not necessary as these components are packaged with kata. The `sev-utils` script utility can be used with these additional components to test the memory encrypted launch and attestation of a base QEMU SNP guest.

-For a simplified way to build just the upstream compatible host kernel, use the Confidential Containers fork of [AMDESE AMDSEV](https://github.com/confidential-containers/amdese-amdsev/tree/amd-snp-202501150000). Individual components can be built by running the following command:
+For a simplified way to build just the upstream compatible host kernel, use the Confidential Containers fork of [`amdese-amdsev`](https://github.com/confidential-containers/amdese-amdsev/tree/amd-snp-202501150000). Individual components can be built by running the following command:

 ```
 ./build.sh kernel host --install
@@ -65,7 +65,7 @@ $ ./configure --enable-virtfs --target-list=x86_64-softmmu --enable-debug
 $ make -j "$(nproc)"
 $ popd
 ```
- Create cert-chain for SNP attestation ( using [snphost](https://github.com/virtee/snphost/blob/main/docs/snphost.1.adoc) )
+- Create cert-chain for SNP attestation ( using [`snphost`](https://github.com/virtee/snphost/blob/main/docs/snphost.1.adoc) )
 ```bash
 $ git clone https://github.com/virtee/snphost.git && cd snphost/
 $ cargo build
@@ -178,4 +178,3 @@ sudo reboot
 ```bash
 sudo rmmod kvm_amd && sudo modprobe kvm_amd sev_snp=0
 ```
-
--- a/docs/how-to/how-to-use-memory-agent.md
+++ b/docs/how-to/how-to-use-memory-agent.md
@@ -315,7 +315,7 @@ $ kata-agent-ctl connect --server-address "unix:///var/run/kata/$PODID/root/kata
 ### compact_threshold
 Control the mem-agent compaction function compact threshold.<br>
 compact_threshold is the pages number.<br>
-When examining the /proc/pagetypeinfo, if there's an increase in the number of movable pages of orders smaller than the compact_order compared to the amount following the previous compaction period, and this increase surpasses a certain threshold specifically, more than compact_threshold number of pages, or the number of free pages has decreased by compact_threshold since the previous compaction. Current compact run period will not do compaction because there is no enough fragmented pages to be compaction.<br>
+When examining the `/proc/pagetypeinfo`, if there's an increase in the number of movable pages of orders smaller than the compact_order compared to the amount following the previous compaction period, and this increase surpasses a certain threshold specifically, more than compact_threshold number of pages, or the number of free pages has decreased by compact_threshold since the previous compaction. Current compact run period will not do compaction because there is no enough fragmented pages to be compaction.<br>
 This design aims to minimize the impact of unnecessary compaction calls on system performance.<br>
 Default to 1024.

--- a/docs/how-to/run-kata-with-crictl.md
+++ b/docs/how-to/run-kata-with-crictl.md
@@ -8,7 +8,7 @@

 > **Note:** `cri-tools` is only used for debugging and validation purpose, and don't use it to run production workloads.

-> **Note:** For how to install and configure `cri-tools` with CRI runtimes like `containerd` or CRI-O, please also refer to other [howtos](./README.md).
+> **Note:** For how to install and configure `cri-tools` with CRI runtimes like `containerd` or CRI-O, please also refer to other [how-tos](./README.md).

 ## Use `crictl` run Pods in Kata containers

--- a/docs/hypervisors.md
+++ b/docs/hypervisors.md
@@ -16,83 +16,38 @@ which hypervisors you may wish to investigate further.

 ## Types

-| Hypervisor | Written in | Architectures | Type |
-|-|-|-|-|
-|[Cloud Hypervisor] | rust | `aarch64`, `x86_64` | Type 2 ([KVM]) |
-|[Firecracker] | rust | `aarch64`, `x86_64` | Type 2 ([KVM]) |
-|[QEMU] | C | all | Type 2 ([KVM]) | `configuration-qemu.toml` |
-|[`Dragonball`] | rust | `aarch64`, `x86_64` | Type 2 ([KVM]) |
-|[StratoVirt] | rust | `aarch64`, `x86_64` | Type 2 ([KVM]) |
+| Hypervisor | Written in | Architectures | GPU Support | Intel TDX | AMD SEV-SNP |
+|-|-|-|-|-|-|
+|[Cloud Hypervisor](#cloud-hypervisor) | rust | `aarch64`, `x86_64` | :x: | :x: | :x: |
+|[Firecracker](#firecracker) | rust | `aarch64`, `x86_64` | :x: | :x: | :x: |
+|[QEMU](#qemu) | C | all | :white_check_mark: | :white_check_mark: | :white_check_mark: |
+|[Dragonball](#dragonball) | rust | `aarch64`, `x86_64` | :x: | :x: | :x: |
+|StratoVirt | rust | `aarch64`, `x86_64` | :x: | :x: | :x: |

-## Determine currently configured hypervisor
+Each Kata runtime is configured for a specific hypervisor through the runtime's configuration file. For example:

-```bash
-$ kata-runtime kata-env | awk -v RS= '/\[Hypervisor\]/' | grep Path
+```toml title="/opt/kata/share/defaults/kata-containers/configuration.toml"
+[hypervisor.qemu]
+path = "/opt/kata/bin/qemu-system-x86_64"
 ```

-## Choose a Hypervisor
+```toml title="/opt/kata/share/defaults/kata-containers/configuration-clh.toml"
+[hypervisor.clh]
+path = "/opt/kata/bin/cloud-hypervisor"
+```

-The table below provides a brief summary of some of the differences between
-the hypervisors:
+## Cloud Hypervisor

-| Hypervisor | Summary | Features | Limitations | Container Creation speed | Memory density | Use cases | Comment |
-|-|-|-|-|-|-|-|-|
-|[Cloud Hypervisor] | Low latency, small memory footprint, small attack surface | Minimal | | excellent | excellent | High performance modern cloud workloads | |
-|[Firecracker] | Very slimline | Extremely minimal | Doesn't support all device types | excellent | excellent | Serverless / FaaS | |
-|[QEMU] | Lots of features | Lots | | good | good | Good option for most users | |
-|[`Dragonball`] | Built-in VMM,  low CPU and memory overhead| Minimal | | excellent | excellent | Optimized for most container workloads | `out-of-the-box` Kata Containers experience |
-|[StratoVirt] | Unified architecture supporting three scenarios: VM, container, and serverless | Extremely minimal(`MicroVM`) to Lots(`StandardVM`) | | excellent | excellent | Common container workloads | `StandardVM` type of StratoVirt for Kata is under development |
+[Cloud Hypervisor](https://www.cloudhypervisor.org/) is a more modern hypervisor written in Rust.

-For further details, see the [Virtualization in Kata Containers](design/virtualization.md) document and the official documentation for each hypervisor.
+## Firecracker

-## Hypervisor configuration files
+[Firecracker](https://firecracker-microvm.github.io/) is a minimal and lightweight hypervisor created for the AWS Lambda product.

-Since each hypervisor offers different features and options, Kata Containers
-provides a separate
-[configuration file](../src/runtime/README.md#configuration)
-for each. The configuration files contain comments explaining which options
-are available, their default values and how each setting can be used.
+## QEMU

-| Hypervisor | Golang runtime config file | golang runtime short name | golang runtime default | rust runtime config file | rust runtime short name | rust runtime default |
-|-|-|-|-|-|-|-|
-| [Cloud Hypervisor] | [`configuration-clh.toml`](../src/runtime/config/configuration-clh.toml.in) | `clh` | | [`configuration-cloud-hypervisor.toml`](../src/runtime-rs/config/configuration-cloud-hypervisor.toml.in) | `cloud-hypervisor` | |
-| [Firecracker] | [`configuration-fc.toml`](../src/runtime/config/configuration-fc.toml.in) | `fc` | | | | |
-| [QEMU] | [`configuration-qemu.toml`](../src/runtime/config/configuration-qemu.toml.in) | `qemu` | yes | [`configuration-qemu.toml`](../src/runtime-rs/config/configuration-qemu-runtime-rs.toml.in) | `qemu` | |
-| [`Dragonball`] | | | | [`configuration-dragonball.toml`](../src/runtime-rs/config/configuration-dragonball.toml.in) | `dragonball` | yes |
-| [StratoVirt] | [`configuration-stratovirt.toml`](../src/runtime/config/configuration-stratovirt.toml.in) | `stratovirt` | | | | |
+QEMU is the best supported hypervisor for NVIDIA-based GPUs and for confidential computing use-cases (such as Intel TDX and AMD SEV-SNP). Runtimes that use this are normally named `kata-qemu-nvidia-gpu-*`. The Kata project focuses primarily on QEMU runtimes for GPU support.

-> **Notes:**
->
-> - The short names specified are used by the [`kata-manager`](../utils/README.md) tool.
-> - As shown by the default columns, each runtime type has its own default hypervisor.
-> - The [golang runtime](../src/runtime) is the current default runtime.
-> - The [rust runtime](../src/runtime-rs), also known as `runtime-rs`,
->   is the newer runtime written in the rust language.
-> - See the [Configuration](../README.md#configuration) for further details.
-> - The configuration file links in the table link to the "source"
->   versions: these are not usable configuration files as they contain
->   variables that need to be expanded:
->   - The links are provided for reference only.
->   - The final (installed) versions, where all variables have been
->     expanded, are built from these source configuration files.
-> - The pristine configuration files are usually installed in the
->   `/opt/kata/share/defaults/kata-containers/` or
->   `/usr/share/defaults/kata-containers/` directories.
-> - Some hypervisors may have the same name for both golang and rust
->   runtimes, but the file contents may differ.
-> - If there is no configuration file listed for the golang or
->   rust runtimes, this either means the hypervisor cannot be run with
->   a particular runtime, or that a driver has not yet been made
->   available for that runtime.
+## Dragonball

-## Switch configured hypervisor
-
-To switch the configured hypervisor, you only need to run a single command.
-See [the `kata-manager` documentation](../utils/README.md#choose-a-hypervisor) for further details.
-
-[Cloud Hypervisor]: https://github.com/cloud-hypervisor/cloud-hypervisor
-[Firecracker]: https://github.com/firecracker-microvm/firecracker
-[KVM]: https://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine
-[QEMU]: http://www.qemu.org
-[`Dragonball`]: https://github.com/kata-containers/kata-containers/blob/main/src/dragonball
-[StratoVirt]: https://gitee.com/openeuler/stratovirt
+Dragonball is a special hypervisor created by the Ant Group that runs in the same process as the Rust-based containerd shim.
--- a/docs/index.md
+++ b/docs/index.md
@@ -0,0 +1,94 @@
+# Kata Containers
+
+Kata Containers is an open source community working to build a secure container runtime with lightweight virtual machines (VM's) that feel and perform like standard Linux containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.
+
+## How it Works
+
+Kata implements the [Open Containers Runtime Specification](https://github.com/opencontainers/runtime-spec). More specifically, it implements a containerd shim that implements the expected interface for managing container lifecycles. The default containerd runtime of `runc` spawns a container like this:
+
+```mermaid
+flowchart TD
+    subgraph Host
+        containerd
+        runc
+        process[Container Process]
+        containerd --> runc --> process
+    end
+```
+
+When containerd receives a request to spawn a container, it will pull the container image down and then call out to the runc shim (usually located at `/usr/local/bin/containerd-shim-runc-v2`). runc will then create various process isolation resources like Linux namespaces (networking, PIDs, mounts etc), seccomp filters, Linux capability reductions, and then spawn the process inside of those resources. This process runs in the host kernel.
+
+Kata spawns containers like this:
+
+```mermaid
+flowchart TD
+    subgraph Host
+        containerdOuter[containerd]
+        kata
+
+        containerdOuter --> kata
+        kata --> kataAgent
+
+        subgraph VM
+            kataAgent[Kata Agent]
+            process[Container Process]
+            kataAgent --> process
+        end
+    end
+```
+
+The container process spawned inside of the VM allows us to isolate the guest kernel from the host system. This is the fundamental principle of how Kata achieves its isolation boundaries.
+
+## Example
+
+When Kata is installed in a system, a number of artifacts are laid down. containerd's config will be modified as such:
+
+```toml title="/etc/containerd/config.toml"
+imports = ["/opt/kata/containerd/config.d/kata-deploy.toml"]
+```
+
+This file will contain configuration for various flavors of Kata runtimes. We can see the vanilla CPU runtime config here:
+
+```toml title="/opt/kata/containerd/config.d/kata-deploy.toml"
+[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.kata-qemu]
+runtime_type = "io.containerd.kata-qemu.v2"
+runtime_path = "/opt/kata/bin/containerd-shim-kata-v2"
+privileged_without_host_devices = true
+pod_annotations = ["io.katacontainers.*"]
+
+[plugins."io.containerd.cri.v1.runtime".containerd.runtimes.kata-qemu.options]
+ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration-qemu.toml"
+```
+
+Because containerd's CRI is aware of the Kata runtimes, we can spawn Kubernetes pods:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test
+spec:
+  runtimeClassName: kata-qemu
+  containers:
+    - name: test
+      image: "quay.io/libpod/ubuntu:latest"
+      command: ["/bin/bash", "-c"]
+      args: ["echo hello"]
+```
+
+We can also spawn a Kata container by submitting a request to containerd like so:
+
+<div class="annotate" markdown>
+
+```sh
+$ ctr image pull quay.io/libpod/ubuntu:latest
+$ ctr run --runtime "io.containerd.kata.v2" --runtime-config-path /opt/kata/share/defaults/kata-containers/configuration-qemu.toml --rm -t "quay.io/libpod/ubuntu:latest" foo sh
+# echo hello
+hello
+```
+
+</div>
+
+!!! tip
+
+    `ctr` is not aware of the CRI config in `/etc/containerd/config.toml`. This is why you must specify the `--runtime-config-path`. Additionally, the `--runtime` value is converted into a specific binary name which containerd then searches for in its `PATH`. See the [containerd docs](https://github.com/containerd/containerd/blob/release/2.2/core/runtime/v2/README.md#usage) for more details.
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -0,0 +1,64 @@
+# Installation
+
+## Helm Chart
+
+[helm](https://helm.sh/docs/intro/install/) can be used to install templated kubernetes manifests.
+
+### Prerequisites
+
+- **Kubernetes ≥ v1.22** – v1.22 is the first release where the CRI v1 API
+  became the default and `RuntimeClass` left alpha.  The chart depends on those
+  stable interfaces; earlier clusters need `feature‑gates` or CRI shims that are
+  out of scope.
+
+- **Kata Release 3.12** - v3.12.0 introduced publishing the helm-chart on the
+  release page for easier consumption, since v3.8.0 we shipped the helm-chart
+  via source code in the kata-containers `GitHub` repository.
+
+- CRI‑compatible runtime (containerd or CRI‑O). If one wants to use the
+  `multiInstallSuffix` feature one needs at least **containerd-2.0** which
+  supports drop-in config files
+
+- Nodes must allow loading kernel modules and installing Kata artifacts (the
+  chart runs privileged containers to do so)
+
+### `helm install`
+
+```sh
+# Install directly from the official ghcr.io OCI registry
+# update the VERSION X.YY.Z to your needs or just use the latest
+
+export VERSION=$(curl -sSL https://api.github.com/repos/kata-containers/kata-containers/releases/latest | jq .tag_name | tr -d '"')
+export CHART="oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy"
+
+$ helm install kata-deploy "${CHART}" --version "${VERSION}"
+
+# See everything you can configure
+$ helm show values "${CHART}" --version "${VERSION}"
+```
+
+This installs the `kata-deploy` DaemonSet and the default Kata `RuntimeClass`
+resources on your cluster.
+
+To see what versions of the chart are available:
+
+```sh
+$ helm show chart oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy
+```
+
+### `helm uninstall`
+
+```sh
+$ helm uninstall kata-deploy -n kube-system
+```
+
+During uninstall, Helm will report that some resources were kept due to the
+resource policy (`ServiceAccount`, `ClusterRole`, `ClusterRoleBinding`). This
+is **normal**. A post-delete hook Job runs after uninstall and removes those
+resources so no cluster-wide `RBAC` is left behind.
+
+## Pre-Built Release
+
+Kata can also be installed using the pre-built releases: https://github.com/kata-containers/kata-containers/releases
+
+This method does not have any facilities for artifact lifecycle management.
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@@ -0,0 +1,116 @@
+# Prerequisites
+
+## Kubernetes
+
+If using Kubernetes, at least version `v1.22` is recommended. This is the first release that the CRI v1 API and the `RuntimeClass` left alpha.
+
+## containerd
+
+Kata requires a [CRI](https://kubernetes.io/docs/concepts/containers/cri/)-compatible container runtime. containerd is commonly used for Kata. We recommend installing containerd using your platform's package distribution mechanism. We recommend at least the latest version of containerd v2.1.x.[^1]
+
+
+### Debian/Ubuntu
+
+To install on Debian-based systems:
+
+```sh
+$ apt update
+$ apt install containerd
+$ systemctl status containerd
+● containerd.service - containerd container runtime
+     Loaded: loaded (/etc/systemd/system/containerd.service; enabled; preset: enabled)
+    Drop-In: /etc/systemd/system/containerd.service.d
+             └─http-proxy.conf
+     Active: active (running) since Wed 2026-02-25 22:58:13 UTC; 5 days ago
+       Docs: https://containerd.io
+   Main PID: 3767885 (containerd)
+      Tasks: 540
+     Memory: 70.7G (peak: 70.8G)
+        CPU: 4h 9min 26.153s
+     CGroup: /runtime.slice/containerd.service
+             ├─  12694 /usr/local/bin/container
+```
+
+### Fedora/RedHat
+
+To install on Fedora-based systems:
+
+```
+$ yum install containerd
+```
+
+??? help
+
+    Documentation assistance is requested for more specific instructions on Fedora systems.
+
+### Pre-Built Releases
+
+Many Linux distributions will not package the latest versions of containerd. If you find that your distribution provides very old versions of containerd, it's recommended to upgrade with the [pre-built releases](https://github.com/containerd/containerd/releases).
+
+#### Executable
+
+Download the latest release of containerd:
+
+```sh
+$ wget https://github.com/containerd/containerd/releases/download/v${VERSION}/containerd-${VERSION}-linux-${PLATFORM}.tar.gz
+
+# Extract to the current directory
+$ tar -xf ./containerd*.tar.gz
+
+# Extract to root if you want it installed to its final location.
+$ tar -C / -xf ./*.tar.gz
+```
+
+### Containerd Config
+
+Containerd requires a config file at `/etc/containerd/config.toml`. This needs to be populated with a simple default config:
+
+```sh
+$ /usr/local/bin/containerd config default > /etc/containerd/config.toml
+```
+
+### Systemd Unit File
+
+Install the systemd unit file:
+
+```sh
+$ wget -O /etc/systemd/system/containerd.service https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
+```
+
+!!! info
+
+    - You must modify the `ExecStart` line to the location of the installed containerd executable.
+    - containerd's `PATH` variable must allow it to find `containerd-shim-kata-v2`. You can do this by either creating a symlink from `/usr/local/bin/containerd-shim-kata-v2` to `/opt/kata/bin/containerd-shim-kata-v2` or by modifying containerd's `PATH` variable to search in `/opt/kata/bin/`. See the Environment= command in systemd.exec(5) for further details.
+
+
+Reload systemd and start containerd:
+
+```sh
+$ systemctl daemon-reload
+$ systemctl enable --now containerd
+$ systemctl start containerd
+$ systemctl status containerd
+```
+
+More details can be found on the [containerd installation docs](https://github.com/containerd/containerd/blob/main/docs/getting-started.md).
+
+### Enable CRI
+
+If you're using Kubernetes, you must enable the containerd Container Runtime Interface (CRI) plugin:
+
+```sh
+$ ctr plugins ls | grep cri
+io.containerd.cri.v1                      images                   -              ok
+io.containerd.cri.v1                      runtime                  linux/amd64    ok
+io.containerd.grpc.v1                     cri                      -              ok
+```
+
+If these are not enabled, you'll need to remove it from the `disabled_plugins` section of the containerd config.
+
+
+[^1]: Kata makes use of containerd's drop-in config merging in `/etc/containerd/config.d/` which is only available starting from containerd v2. containerd v1 may work, but some Kata features will not work as expected.
+
+
+## runc
+
+The default `runc` runtime needs to be installed for non-kata containers. More details can be found at the [containerd docs](https://github.com/containerd/containerd/blob/979c80d8a5d7fc7be34102a1ada53ae5a0ff09e8/docs/RUNC.md).
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -0,0 +1,9 @@
+mkdocs-materialx==10.0.9
+mkdocs-glightbox==0.4.0
+mkdocs-macros-plugin==1.5.0
+mkdocs-awesome-nav==3.3.0
+mkdocs-open-in-new-tab==1.0.8
+mkdocs-redirects==1.2.2
+CairoSVG==2.9.0
+pillow==12.1.1
+click==8.2.1
--- a/docs/runtime-configuration.md
+++ b/docs/runtime-configuration.md
@@ -0,0 +1,56 @@
+# Runtime Configuration
+
+The containerd shims (both the Rust and Go implementations) take configuration files to control their behavior. These files are in `/opt/kata/share/defaults/kata-containers/`. An example excerpt:
+
+```toml title="/opt/kata/share/defaults/kata-containers/configuration.toml"
+[hypervisor.qemu]
+path = "/opt/kata/bin/qemu-system-x86_64"
+kernel = "/opt/kata/share/kata-containers/vmlinux.container"
+image = "/opt/kata/share/kata-containers/kata-containers.img"
+machine_type = "q35"
+
+# rootfs filesystem type:
+#   - ext4 (default)
+#   - xfs
+#   - erofs
+rootfs_type = "ext4"
+
+# Enable running QEMU VMM as a non-root user.
+# By default QEMU VMM run as root. When this is set to true, QEMU VMM process runs as
+# a non-root random user. See documentation for the limitations of this mode.
+rootless = false
+
+# List of valid annotation names for the hypervisor
+# Each member of the list is a regular expression, which is the base name
+# of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"
+enable_annotations = ["enable_iommu", "virtio_fs_extra_args", "kernel_params"]
+```
+
+These files should never be modified directly. If you wish to create a modified version of these files, you may create your own [custom runtime](helm-configuration.md#custom-runtimes). For example, to modify the image path, we provide these values to helm:
+
+```yaml title="values.yaml"
+customRuntimes:
+  enabled: true
+  runtimes:
+    my-gpu-runtime:
+      baseConfig: "qemu-nvidia-gpu"
+      dropIn: |
+        [hypervisor.qemu]
+        image = "/path/to/custom-image.img"
+      runtimeClass: |
+        kind: RuntimeClass
+        apiVersion: node.k8s.io/v1
+        metadata:
+          name: kata-my-gpu-runtime
+          labels:
+            app.kubernetes.io/managed-by: kata-deploy
+        handler: kata-my-gpu-runtime
+        overhead:
+          podFixed:
+            memory: "640Mi"
+            cpu: "500m"
+        scheduling:
+          nodeSelector:
+            katacontainers.io/kata-runtime: "true"
+```
+
--- a/docs/threat-model/threat-model.md
+++ b/docs/threat-model/threat-model.md
@@ -175,7 +175,7 @@ specific).

 ##### Dragonball networking

-For Dragonball, the `virtio-net` backend default is within Dragonbasll's VMM.
+For Dragonball, the `virtio-net` backend default is within Dragonball's VMM.


 #### virtio-vsock
--- a/docs/use-cases/NVIDIA-GPU-passthrough-and-Kata-QEMU.md
+++ b/docs/use-cases/NVIDIA-GPU-passthrough-and-Kata-QEMU.md
@@ -1,11 +1,12 @@
 # Enabling NVIDIA GPU workloads using GPU passthrough with Kata Containers

 This page provides:
+
 1. A description of the components involved when running GPU workloads with
   Kata Containers using the NVIDIA TEE and non-TEE GPU runtime classes.
 1. An explanation of the orchestration flow on a Kubernetes node for this
   scenario.
-1. A deployment guide enabling to utilize these runtime classes.
+1. A deployment guide to utilize these runtime classes.

 The goal is to educate readers familiar with Kubernetes and Kata Containers
 on NVIDIA's reference implementation which is reflected in Kata CI's build
@@ -18,58 +19,56 @@ Confidential Containers.

 > **Note:**
 >
-> The current supported mode for enabling GPU workloads in the TEE scenario
-> is single GPU passthrough (one GPU per pod) on AMD64 platforms (AMD SEV-SNP
-> being the only supported TEE scenario so far with support for Intel TDX being
-> on the way).
+> The currently supported modes for enabling GPU workloads in the TEE
+> scenario are: (1) single‑GPU passthrough (one physical GPU per pod) and
+> (2) multi-GPU passthrough on NVSwitch (NVLink) based HGX systems
+> (for example, HGX Hopper (SXM) and HGX Blackwell / HGX B200).

 ## Component Overview

 Before providing deployment guidance, we describe the components involved to
 support running GPU workloads. We start from a top to bottom perspective
-from the NVIDIA GPU operator via the Kata runtime to the components within
+from the NVIDIA GPU Operator via the Kata runtime to the components within
 the NVIDIA GPU Utility Virtual Machine (UVM) root filesystem.

 ### NVIDIA GPU Operator

 A central component is the
-[NVIDIA GPU operator](https://github.com/NVIDIA/gpu-operator) which can be
-deployed onto your cluster as a helm chart. Installing the GPU operator
+[NVIDIA GPU Operator](https://github.com/NVIDIA/gpu-operator) which can be
+deployed onto your cluster as a helm chart. Installing the GPU Operator
 delivers various operands on your nodes in the form of Kubernetes DaemonSets.
 These operands are vital to support the flow of orchestrating pod manifests
 using NVIDIA GPU runtime classes with GPU passthrough on your nodes. Without
 getting into the details, the most important operands and their
 responsibilities are:

- **nvidia-vfio-manager:** Binding discovered NVIDIA GPUs to the `vfio-pci`
-  driver for VFIO passthrough.
+- **nvidia-vfio-manager:** Binding discovered NVIDIA GPUs and nvswitches to
+  the `vfio-pci` driver for VFIO passthrough.
 - **nvidia-cc-manager:** Transitioning GPUs into confidential computing (CC)
  and non-CC mode (see the
  [NVIDIA/k8s-cc-manager](https://github.com/NVIDIA/k8s-cc-manager)
  repository).
- **nvidia-kata-manager:** Creating host-side CDI specifications for GPU
-  passthrough, resulting in the file `/var/run/cdi/nvidia.yaml`, containing
-  `kind: nvidia.com/pgpu` (see the
-  [NVIDIA/k8s-kata-manager](https://github.com/NVIDIA/k8s-kata-manager)
-  repository).
 - **nvidia-sandbox-device-plugin** (see the
  [NVIDIA/sandbox-device-plugin](https://github.com/NVIDIA/sandbox-device-plugin)
  repository):
+  - Creating host-side CDI specifications for GPU passthrough,
+    resulting in the file `/var/run/cdi/nvidia.yaml`, containing
+    `kind: nvidia.com/pgpu`
  - Allocating GPUs during pod deployment.
  - Discovering NVIDIA GPUs, their capabilities, and advertising these to
    the Kubernetes control plane (allocatable resources as type
    `nvidia.com/pgpu` resources will appear for the node and GPU Device IDs
    will be registered with Kubelet). These GPUs can thus be allocated as
-    container resources in your pod manifests. See below GPU operator
+    container resources in your pod manifests. See below GPU Operator
    deployment instructions for the use of the key `pgpu`, controlled via a
    variable.

-To summarize, the GPU operator manages the GPUs on each node, allowing for
+To summarize, the GPU Operator manages the GPUs on each node, allowing for
 simple orchestration of pod manifests using Kata Containers. Once the cluster
-with GPU operator and Kata bits is up and running, the end user can schedule
+with GPU Operator and Kata bits is up and running, the end user can schedule
 Kata NVIDIA GPU workloads, using resource limits and the
-`kata-qemu-nvidia-gpu` or `kata-qemu-nvidia-gpu-snp` runtime classes, for
-example:
+`kata-qemu-nvidia-gpu`, `kata-qemu-nvidia-gpu-tdx` or
+`kata-qemu-nvidia-gpu-snp` runtime classes, for example:

 ```yaml
 apiVersion: v1
@@ -213,7 +212,7 @@ API and kernel drivers, interacting with the pass-through GPU device.

 An additional step is exercised in our CI samples: when using images from an
 authenticated registry, the guest-pull mechanism triggers attestation using
-trustee's Key Broker Service (KBS) for secure release of the NGC API
+Trustee's Key Broker Service (KBS) for secure release of the NGC API
 authentication key used to access the NVCR container registry. As part of
 this, the attestation agent exercises composite attestation and transitions
 the GPU into `Ready` state (without this, the GPU has to explicitly be
@@ -232,24 +231,40 @@ NVIDIA GPU CI validation jobs. Note that, this setup:
 - uses the genpolicy tool to attach Kata agent security policies to the pod
  manifest
 - has dedicated (composite) attestation tests, a CUDA vectorAdd test, and a
-  NIM/RA test sample with secure API key release
+  NIM/RA test sample with secure API key release using sealed secrets.

 A similar deployment guide and scenario description can be found in NVIDIA resources
 under
-[Early Access: NVIDIA GPU Operator with Confidential Containers based on Kata](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/confidential-containers.html).
+[NVIDIA Confidential Containers Overview (Early Access)](https://docs.nvidia.com/datacenter/cloud-native/confidential-containers/latest/overview.html).
+
+### Feature Set
+
+The NVIDIA stack for Kata Containers leverages features for the confidential
+computing scenario from both the confidential containers open source project
+and from the Kata Containers source tree, such as:
+- composite attestation using Trustee and the NVIDIA Remote Attestation
+Service NRAS
+- generating kata agent security policies using the genpolicy tool
+- use of signed sealed secrets
+- access to authenticated registries for container image guest-pull
+- container image signature verification and encrypted container images
+- ephemeral container data and image layer storage

 ### Requirements

 The requirements for the TEE scenario are:

 - Ubuntu 25.10 as host OS
- CPU with AMD SEV-SNP support with proper BIOS/UEFI version and settings
+- CPU with AMD SEV-SNP or Intel TDX support with proper BIOS/UEFI version
+and settings
 - CC-capable Hopper/Blackwell GPU with proper VBIOS version.

 BIOS and VBIOS configuration is out of scope for this guide. Other resources,
 such as the documentation found on the
 [NVIDIA Trusted Computing Solutions](https://docs.nvidia.com/nvtrust/index.html)
-page and the above linked NVIDIA documentation, provide guidance on
+page, on the
+[Secure AI Compatibility Matrix](https://www.nvidia.com/en-us/data-center/solutions/confidential-computing/secure-ai-compatibility-matrix/)
+page, and on the above linked NVIDIA documentation, provide guidance on
 selecting proper hardware and on properly configuring its firmware and OS.

 ### Installation
@@ -257,12 +272,16 @@ selecting proper hardware and on properly configuring its firmware and OS.
 #### Containerd and Kubernetes

 First, set up your Kubernetes cluster. For instance, in Kata CI, our NVIDIA
-jobs use a single-node vanilla Kubernetes cluster with a 2.x containerd
-version and Kata's current supported Kubernetes version. We set this cluster
-up using the `deploy_k8s` function from `tests/integration/kubernetes/gha-run.sh`
-as follows:
-
+jobs use a single-node vanilla Kubernetes cluster with a 2.1 containerd
+version and Kata's current supported Kubernetes version. This cluster is
+being set up using the `deploy_k8s` function from the script file
+`tests/integration/kubernetes/gha-run.sh`. If you intend to run this script,
+follow these steps, and make sure you have `yq` and `helm` installed. Note
+that, these scripts query the GitHub API, so creating and declaring a
+personal access token prevents rate limiting issues.
+You can execute the function as follows:
 ```bash
+$ export GH_TOKEN="<your-gh-pat>"
 $ export KUBERNETES="vanilla"
 $ export CONTAINER_ENGINE="containerd"
 $ export CONTAINER_ENGINE_VERSION="v2.1"
@@ -276,8 +295,11 @@ $ deploy_k8s
 > `runtimeRequestTimeout` timeout value than the two minute default timeout.
 > Using the guest-pull mechanism, pulling large images may take a significant
 > amount of time and may delay container start, possibly leading your Kubelet
-> to de-allocate your pod before it transitions from the *container created*
-> to the *container running* state.
+> to de-allocate your pod before it transitions from the *container creating*
+> to the *container running* state. The NVIDIA shim configurations use a
+> `create_container_timeout` of 1200s, which is the equivalent value on shim
+> side, controlling the time the shim allows for a container to remain in
+> *container creating* state.

 > **Note:**
 >
@@ -291,7 +313,7 @@ $ deploy_k8s
 #### GPU Operator

 Assuming you have the helm tools installed, deploy the latest version of the
-GPU Operator as a helm chart (minimum version: `v25.10.0`):
+GPU Operator as a helm chart (minimum version: `v26.3.0`):

 ```bash
 $ helm repo add nvidia https://helm.ngc.nvidia.com/nvidia && helm repo update
@@ -300,33 +322,27 @@ $ helm install --wait --generate-name \
    nvidia/gpu-operator \
    --set sandboxWorkloads.enabled=true \
    --set sandboxWorkloads.defaultWorkload=vm-passthrough \
-    --set kataManager.enabled=true \
-    --set kataManager.config.runtimeClasses=null \
-    --set kataManager.repository=nvcr.io/nvidia/cloud-native \
-    --set kataManager.image=k8s-kata-manager \
-    --set kataManager.version=v0.2.4 \
-    --set ccManager.enabled=true \
-    --set ccManager.defaultMode=on \
-    --set ccManager.repository=nvcr.io/nvidia/cloud-native \
-    --set ccManager.image=k8s-cc-manager \
-    --set ccManager.version=v0.2.0 \
-    --set sandboxDevicePlugin.repository=nvcr.io/nvidia/cloud-native \
-    --set sandboxDevicePlugin.image=nvidia-sandbox-device-plugin \
-    --set sandboxDevicePlugin.version=v0.0.1 \
-    --set 'sandboxDevicePlugin.env[0].name=P_GPU_ALIAS' \
-    --set 'sandboxDevicePlugin.env[0].value=pgpu' \
+    --set sandboxWorkloads.mode=kata \
    --set nfd.enabled=true \
    --set nfd.nodefeaturerules=true
 ```

 > **Note:**
 >
-> For heterogeneous clusters with different GPU types, you can omit
-> the `P_GPU_ALIAS` environment variable lines. This will cause the sandbox
-> device plugin to create GPU model-specific resource types (e.g.,
-> `nvidia.com/GH100_H100L_94GB`) instead of the generic `nvidia.com/pgpu`,
-> which in turn can be used by pods through respective resource limits.
-> For simplicity, this guide uses the generic alias.
+> For heterogeneous clusters with different GPU types, you can specify an
+> empty `P_GPU_ALIAS` environment variable for the sandbox device plugin:
+> `-    --set 'sandboxDevicePlugin.env[0].name=P_GPU_ALIAS' \`
+> `-    --set 'sandboxDevicePlugin.env[0].value=""' \`
+> This will cause the sandbox device plugin to create GPU model-specific
+> resource types (e.g., `nvidia.com/GH100_H100L_94GB`) instead of the
+> default `pgpu` type, which usually results in advertising a resource of
+> type `nvidia.com/pgpu`
+> The exposed device resource types can be used for pods by specifying
+> respective resource limits.
+> Your node's nvswitches are exposed as resources of type
+> `nvidia.com/nvswitch` by default. Using the variable `NVSWITCH_ALIAS`
+> allows to control the advertising behavior similar to the `P_GPU_ALIAS`
+> variable.

 > **Note:**
 >
@@ -351,8 +367,7 @@ $ helm install kata-deploy \
    --create-namespace \
    -f "https://raw.githubusercontent.com/kata-containers/kata-containers/refs/tags/${VERSION}/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml" \
    --set nfd.enabled=false \
-    --set shims.qemu-nvidia-gpu-tdx.enabled=false \
-    --wait --timeout 10m --atomic \
+    --wait --timeout 10m \
    "${CHART}" --version "${VERSION}"
 ```

@@ -382,31 +397,22 @@ mode which requires entering a licensing agreement with NVIDIA, see the
 ### Cluster validation and preparation

 If you did not use the `sandboxWorkloads.defaultWorkload=vm-passthrough`
-parameter during GPU operator deployment, label your nodes for GPU VM
+parameter during GPU Operator deployment, label your nodes for GPU VM
 passthrough, for the example of using all nodes for GPU passthrough, run:

 ```bash
 $ kubectl label nodes --all nvidia.com/gpu.workload.config=vm-passthrough --overwrite
 ```

-Check if the `nvidia-cc-manager` pod is running if you intend to run GPU TEE
-scenarios. If not, you need to manually label the node as CC capable. Current
-GPU Operator node feature rules do not yet recognize all CC capable GPU PCI
-IDs. Run the following command:
-
-```bash
-$ kubectl label nodes --all nvidia.com/cc.capable=true
-```
-
-After this, assure the `nvidia-cc-manager` pod is running. With the suggested
-parameters for GPU Operator deployment, the `nvidia-cc-manager` will
-automatically transition the GPU into CC mode.
+With the suggested parameters for GPU Operator deployment, the
+`nvidia-cc-manager` operand will automatically transition the GPU into CC
+mode.

 After deployment, you can transition your node(s) to the desired CC state,
-using either the `on` or `off` value, depending on your scenario. For the
-non-CC scenario, transition to the `off` state via:
+using either the `on`, `ppcie`, or `off` value, depending on your scenario.
+For the non-CC scenario, transition to the `off` state via:
 `kubectl label nodes --all nvidia.com/cc.mode=off` and wait until all pods
-are back running. When an actual change is exercised, various GPU operator
+are back running. When an actual change is exercised, various GPU Operator
 operands will be restarted.

 Ensure all pods are running:
@@ -425,9 +431,10 @@ $ lspci -nnk -d 10de:

 ### Run the CUDA vectorAdd sample

-Create the following file:
+Create the pod manifest with:

-```yaml
+```bash
+$ cat > cuda-vectoradd-kata.yaml.in << 'EOF'
 apiVersion: v1
 kind: Pod
 metadata:
@@ -445,6 +452,7 @@ spec:
      limits:
        nvidia.com/pgpu: "1"
        memory: 16Gi
+EOF
 ```

 Depending on your scenario and on the CC state, export your desired runtime
@@ -477,6 +485,17 @@ To stop the pod, run: `kubectl delete pod cuda-vectoradd-kata`.

 ### Next steps

+#### Use multi-GPU passthrough
+
+If you have machines supporting multi-GPU passthrough, use a pod deployment
+manifest which uses 8 pgpu and 4 nvswitch resources.
+On the NVIDIA Hopper architecture multi-GPU passthrough uses protected PCIe
+(PPCIE) which claims exclusive use of the nvswitches for a single CVM. In
+this case, transition your relevant node(s) GPU mode to `ppcie` mode.
+The NVIDIA Blackwell architecture uses NVLink encryption which places the
+switches outside of the Trusted Computing Base (TCB) and so does not
+require a separate switch setting.
+
 #### Transition between CC and non-CC mode

 Use the previously described node labeling approach to transition between
@@ -492,7 +511,7 @@ and a basic NIM/RAG deployment. Running CI tests for the TEE GPU scenario
 requires KBS to be deployed (except for the CUDA vectorAdd test). The best
 place to get started running these tests locally is to look into our
 [NVIDIA CI workflow manifest](https://github.com/kata-containers/kata-containers/blob/main/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml)
-and into the underling
+and into the underlying
 [run_kubernetes_nv_tests.sh](https://github.com/kata-containers/kata-containers/blob/main/tests/integration/kubernetes/run_kubernetes_nv_tests.sh)
 script. For example, to run the CUDA vectorAdd scenario against the TEE GPU
 runtime class use the following commands:
@@ -547,6 +566,22 @@ With GPU passthrough being supported by the
 you can use the tool to create a Kata agent security policy. Our CI deploys
 all sample pod manifests with a Kata agent security policy.

+Note that, using containerd 2.1 in upstream's CI, we use the following
+modification to the genpolicy default settings:
+```bash
+[
+  {
+    "op": "replace",
+    "path": "/kata_config/oci_version",
+    "value": "1.2.1"
+  }
+]
+```
+This modification is applied via the genpolicy drop-in configuration file
+`src\tools\genpolicy\drop-in-examples\20-oci-1.2.1-drop-in.json`.
+When using a newer containerd version, such as containerd 2.2, the OCI
+version field needs to be adjusted to "1.3.0", for instance.
+
 #### Deploy pods using your own containers and manifests

 You can author pod manifests leveraging your own containers, for instance,
@@ -564,6 +599,3 @@ following annotation in the manifest:
 >
 > - musl-based container images (e.g., using Alpine), or distro-less
 >   containers are not supported.
-> - for the TEE scenario, only single-GPU passthrough per pod is supported,
->   so your pod resource limit must be: `nvidia.com/pgpu: "1"` (on a system
->   with multiple GPUs, you can thus pass through one GPU per pod).
--- a/mkdocs.yaml
+++ b/mkdocs.yaml
@@ -0,0 +1,91 @@
+site_name: "Kata Containers Docs"
+site_description: "Developer and user documentation for the Kata Containers project."
+site_author: "Kata Containers Community"
+
+repo_url: "https://github.com/kata-containers/kata-containers"
+site_url: "https://kata-containers.github.io/kata-containers"
+edit_uri: "edit/main/docs/"
+repo_name: kata-containers
+
+theme:
+    name: materialx
+    favicon: "assets/images/favicon.svg"
+    logo: "assets/images/favicon.svg"
+    topbar_style: glass
+    palette:
+      - media: "(prefers-color-scheme)"
+        toggle:
+            icon: material/brightness-auto
+            name: Switch to light mode
+      - media: "(prefers-color-scheme: light)"
+        scheme: default
+        primary: blue
+        accent: light blue
+        toggle:
+            icon: material/weather-sunny
+            name: Switch to dark mode
+      - media: "(prefers-color-scheme: dark)"
+        scheme: slate
+        primary: cyan
+        accent: cyan
+        toggle:
+            icon: material/brightness-4
+            name: Switch to system preference
+    features:
+        - content.action.edit
+        - content.action.view
+        - content.code.annotate
+        - content.code.copy
+        - content.code.select
+        - content.footnote.tooltips
+        - content.tabs.link
+        - content.tooltips
+        - navigation.expand
+        - navigation.indexes
+        - navigation.path
+        - navigation.sections
+        - navigation.tabs
+        - navigation.tracking
+        - navigation.top
+        - navigation.instant
+        - navigation.instant.prefetch
+        - navigation.instant.progress
+        - toc.follow
+markdown_extensions:
+    - abbr
+    - admonition
+    - attr_list
+    - def_list
+    - footnotes
+    - md_in_html
+    - pymdownx.arithmatex:
+        generic: true
+    - pymdownx.emoji:
+        emoji_index: !!python/name:material.extensions.emoji.twemoji
+        emoji_generator: !!python/name:material.extensions.emoji.to_svg
+    - pymdownx.details
+    - pymdownx.highlight:
+        anchor_linenums: true
+        line_spans: __span
+        pygments_lang_class: true
+        auto_title: true
+    - pymdownx.keys
+    - pymdownx.magiclink
+    - pymdownx.superfences:
+        custom_fences:
+            - name: mermaid
+              class: mermaid
+              format: !!python/name:pymdownx.superfences.fence_code_format
+    - pymdownx.inlinehilite
+    - pymdownx.tabbed:
+        alternate_style: true
+    - pymdownx.tilde
+    - pymdownx.caret
+    - pymdownx.mark
+    - toc:
+        permalink: true
+
+plugins:
+    - search
+    - awesome-nav
+
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,3 +1,3 @@
 [toolchain]
 # Keep in sync with versions.yaml
-channel = "1.91"
+channel = "1.92"
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -63,9 +63,9 @@ cgroups = { package = "cgroups-rs", git = "https://github.com/kata-containers/cg

 # Tracing
 tracing = "0.1.41"
-tracing-subscriber = "0.2.18"
-tracing-opentelemetry = "0.13.0"
-opentelemetry = { version = "0.14.0", features = ["rt-tokio-current-thread"] }
+tracing-subscriber = "0.3.20"
+tracing-opentelemetry = "0.17.0"
+opentelemetry = { version = "0.17.0", features = ["rt-tokio"] }

 # Configuration
 serde = { version = "1.0.129", features = ["derive"] }
@@ -78,7 +78,6 @@ strum_macros = "0.26.2"
 tempfile = "3.19.1"
 which = "4.3.0"
 rstest = "0.18.0"
-async-std = { version = "1.12.0", features = ["attributes"] }

 # Local dependencies
 kata-agent-policy = { path = "policy" }
@@ -195,7 +194,6 @@ pv_core = { git = "https://github.com/ibm-s390-linux/s390-tools", rev = "4942504
 tempfile.workspace = true
 which.workspace = true
 rstest.workspace = true
-async-std.workspace = true

 test-utils.workspace = true

--- a/src/agent/src/mount.rs
+++ b/src/agent/src/mount.rs
@@ -89,7 +89,7 @@ pub fn baremount(
    let destination_str = destination.to_string_lossy();
    if let Ok(m) = get_linux_mount_info(destination_str.deref()) {
        if m.fs_type == fs_type && !flags.contains(MsFlags::MS_REMOUNT) {
-            slog_info!(logger, "{source:?} is already mounted at {destination:?}");
+            slog::info!(logger, "{source:?} is already mounted at {destination:?}");
            return Ok(());
        }
    }
--- a/src/agent/src/namespace.rs
+++ b/src/agent/src/namespace.rs
@@ -110,8 +110,10 @@ impl Namespace {

                unshare(cf)?;

-                if ns_type == NamespaceType::Uts && hostname.is_some() {
-                    nix::unistd::sethostname(hostname.unwrap())?;
+                if ns_type == NamespaceType::Uts {
+                    if let Some(host) = hostname {
+                        nix::unistd::sethostname(host)?;
+                    }
                }
                // Bind mount the new namespace from the current thread onto the mount point to persist it.

--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -2317,8 +2317,14 @@ async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> {
        for specdev in devices.iter() {
            if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) {
                let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor());
-                cdh_secure_mount("BlockDevice", &dev_major_minor, "LUKS", KATA_IMAGE_WORK_DIR)
-                    .await?;
+                cdh_secure_mount(
+                    "block-device",
+                    &dev_major_minor,
+                    "luks2",
+                    KATA_IMAGE_WORK_DIR,
+                    "-E lazy_journal_init",
+                )
+                .await?;
                break;
            }
        }
@@ -2331,6 +2337,7 @@ pub(crate) async fn cdh_secure_mount(
    device_id: &str,
    encrypt_type: &str,
    mount_point: &str,
+    mkfs_opts: &str,
 ) -> Result<()> {
    if !confidential_data_hub::is_cdh_client_initialized() {
        return Ok(());
@@ -2340,19 +2347,31 @@ pub(crate) async fn cdh_secure_mount(

    info!(
        sl(),
-        "cdh_secure_mount: device_type {}, device_id {}, encrypt_type {}, integrity {}",
+        "cdh_secure_mount: device_type {}, device_id {}, encrypt_type {}, integrity {}, mkfs_opts {}",
        device_type,
        device_id,
        encrypt_type,
-        integrity
+        integrity,
+        mkfs_opts
    );

    let options = std::collections::HashMap::from([
        ("deviceId".to_string(), device_id.to_string()),
-        ("encryptType".to_string(), encrypt_type.to_string()),
+        ("sourceType".to_string(), "empty".to_string()),
+        ("targetType".to_string(), "fileSystem".to_string()),
+        ("filesystemType".to_string(), "ext4".to_string()),
+        ("mkfsOpts".to_string(), mkfs_opts.to_string()),
+        ("encryptionType".to_string(), encrypt_type.to_string()),
        ("dataIntegrity".to_string(), integrity),
    ]);

+    std::fs::create_dir_all(mount_point).inspect_err(|e| {
+        error!(
+            sl(),
+            "Failed to create mount point directory {}: {:?}", mount_point, e
+        );
+    })?;
+
    confidential_data_hub::secure_mount(device_type, &options, vec![], mount_point).await?;

    Ok(())
--- a/src/agent/src/storage/block_handler.rs
+++ b/src/agent/src/storage/block_handler.rs
@@ -59,7 +59,14 @@ async fn handle_block_storage(
        .contains(&"encryption_key=ephemeral".to_string());

    if has_ephemeral_encryption {
-        crate::rpc::cdh_secure_mount("BlockDevice", dev_num, "LUKS", &storage.mount_point).await?;
+        crate::rpc::cdh_secure_mount(
+            "block-device",
+            dev_num,
+            "luks2",
+            &storage.mount_point,
+            "-O ^has_journal -m 0 -i 163840 -I 128",
+        )
+        .await?;
        set_ownership(logger, storage)?;
        new_device(storage.mount_point.clone())
    } else {
--- a/src/agent/src/tracer.rs
+++ b/src/agent/src/tracer.rs
@@ -5,7 +5,8 @@

 use anyhow::Result;
 use opentelemetry::sdk::propagation::TraceContextPropagator;
-use opentelemetry::{global, sdk::trace::Config, trace::TracerProvider};
+use opentelemetry::trace::TracerProvider;
+use opentelemetry::{global, sdk::trace::Config};
 use slog::{info, o, Logger};
 use std::collections::HashMap;
 use tracing_opentelemetry::OpenTelemetryLayer;
@@ -23,15 +24,12 @@ pub fn setup_tracing(name: &'static str, logger: &Logger) -> Result<()> {
    let config = Config::default();

    let builder = opentelemetry::sdk::trace::TracerProvider::builder()
-        .with_batch_exporter(exporter, opentelemetry::runtime::TokioCurrentThread)
+        .with_batch_exporter(exporter, opentelemetry::runtime::Tokio)
        .with_config(config);

    let provider = builder.build();

-    // We don't need a versioned tracer.
-    let version = None;
-
-    let tracer = provider.get_tracer(name, version);
+    let tracer = provider.tracer(name);

    let _global_provider = global::set_tracer_provider(provider);

--- a/src/agent/vsock-exporter/Cargo.toml
+++ b/src/agent/vsock-exporter/Cargo.toml
@@ -10,7 +10,7 @@ libc.workspace = true
 thiserror.workspace = true
 opentelemetry = { workspace = true, features = ["serialize"] }
 tokio-vsock.workspace = true
-bincode = "1.3.3"
+serde_json = "1.0"
 byteorder = "1.4.3"
 slog = { workspace = true, features = [
    "dynamic-keys",
--- a/src/agent/vsock-exporter/src/lib.rs
+++ b/src/agent/vsock-exporter/src/lib.rs
@@ -58,7 +58,7 @@ pub enum Error {
    #[error("connection error: {0}")]
    ConnectionError(String),
    #[error("serialisation error: {0}")]
-    SerialisationError(#[from] bincode::Error),
+    SerialisationError(#[from] serde_json::Error),
    #[error("I/O error: {0}")]
    IOError(#[from] std::io::Error),
 }
@@ -81,8 +81,7 @@ async fn write_span(
    let mut writer = writer.lock().await;

    let encoded_payload: Vec<u8> =
-        bincode::serialize(&span).map_err(|e| make_io_error(e.to_string()))?;
-
+        serde_json::to_vec(span).map_err(|e| make_io_error(e.to_string()))?;
    let payload_len: u64 = encoded_payload.len() as u64;

    let mut payload_len_as_bytes: [u8; HEADER_SIZE_BYTES as usize] =
--- a/src/dragonball/dbs_boot/README.md
+++ b/src/dragonball/dbs_boot/README.md
@@ -10,10 +10,10 @@ This repository contains the following submodules:
 | Name | Arch| Description |
 | --- | --- | --- |
 | [`bootparam`](src/x86_64/bootparam.rs) | x86_64 | Magic addresses externally used to lay out x86_64 VMs |
-| [fdt](src/aarch64/fdt.rs) | aarch64| Create FDT for Aarch64 systems |
-| [layout](src/x86_64/layout.rs) | x86_64 | x86_64 layout constants |
-| [layout](src/aarch64/layout.rs/) | aarch64 | aarch64 layout constants |
-| [mptable](src/x86_64/mptable.rs) | x86_64 | MP Table configurations used for defining VM boot status |
+| [`fdt`](src/aarch64/fdt.rs) | aarch64| Create FDT for Aarch64 systems |
+| [`layout`](src/x86_64/layout.rs) | x86_64 | x86_64 layout constants |
+| [`layout`](src/aarch64/layout.rs/) | aarch64 | aarch64 layout constants |
+| [`mptable`](src/x86_64/mptable.rs) | x86_64 | MP Table configurations used for defining VM boot status |

 ## Acknowledgement

--- a/src/dragonball/dbs_tdx/README.md
+++ b/src/dragonball/dbs_tdx/README.md
@@ -3,7 +3,7 @@
 This crate is a collection of modules that provides helpers and utilities to create a TDX Dragonball VM.

 Currently this crate involves:
- tdx-ioctls
+- `tdx-ioctls`

 ## Acknowledgement

--- a/src/dragonball/dbs_virtio_devices/src/fs/device.rs
+++ b/src/dragonball/dbs_virtio_devices/src/fs/device.rs
@@ -6,7 +6,6 @@ use kata_sys_util::netns::NetnsGuard;
 use std::any::Any;
 use std::collections::HashMap;
 use std::ffi::CString;
-use std::fs;
 use std::fs::File;
 use std::io::{BufRead, BufReader, Read};
 use std::marker::PhantomData;
@@ -456,19 +455,11 @@ impl<AS: GuestAddressSpace> VirtioFs<AS> {
        prefetch_list_path: Option<String>,
    ) -> FsResult<()> {
        debug!("http_server rafs");
-        let currentnetns = fs::read_link("/proc/self/ns/net").unwrap_or_default();
-        info!("========fupan====1==netns={:?}", currentnetns);
-
-        let tid = unsafe { libc::syscall(libc::SYS_gettid) as i32 };
-
+        // We need to make sure the nydus worker thread in the runD main process's network namespace
+        // instead of the vmm thread's netns, which wouldn't access the host network.
        let _netns_guard =
            NetnsGuard::new("/proc/self/ns/net").map_err(|e| FsError::BackendFs(e.to_string()))?;

-        let netnspath = format!("/proc/{}/ns/net", tid);
-        let netns = fs::read_link(netnspath.as_str()).unwrap_or_default();
-        info!("========fupan====2==netns={:?}", netns);
-
-        info!("========fupan====3==config={:?}", config);
        let file = Path::new(&source);
        let (mut rafs, rafs_cfg) = match config.as_ref() {
            Some(cfg) => {
--- a/src/libs/protocols/protos/confidential_data_hub.proto
+++ b/src/libs/protocols/protos/confidential_data_hub.proto
@@ -24,9 +24,7 @@ message SecureMountRequest {
    string mount_point = 4;
 }

-message SecureMountResponse {
-    string mount_path = 1;
-}
+message SecureMountResponse {}

 message ImagePullRequest {
    // - `image_url`: The reference of the image to pull
--- a/src/libs/safe-path/README.md
+++ b/src/libs/safe-path/README.md
@@ -4,7 +4,7 @@ Safe Path

 A library to safely handle filesystem paths, typically for container runtimes.

-There are often path related attacks, such as symlink based attacks, TOCTTOU attacks. The `safe-path` crate
+There are often path related attacks, such as symlink based attacks, time-of-check to time-of-use (TOCTOU) attacks. The `safe-path` crate
 provides several functions and utility structures to protect against path resolution related attacks.

 ## Support
--- a/src/runtime-rs/crates/hypervisor/ch-config/Cargo.toml
+++ b/src/runtime-rs/crates/hypervisor/ch-config/Cargo.toml
@@ -15,13 +15,13 @@ serde = { workspace = true, features = ["rc", "derive"] }
 serde_json = { workspace = true }
 tokio = { workspace = true, features = ["sync", "rt"] }
 nix = "0.26.2"
-thiserror = { workspace = true }
+thiserror = "2.0.18"

 # Cloud Hypervisor public HTTP API functions
 # Note that the version specified is not necessarily the version of CH
 # being used. This version is used to pin the CH config structure
 # which is relatively static.
-api_client = { git = "https://github.com/cloud-hypervisor/cloud-hypervisor", crate = "api_client", tag = "v27.0" }
+api_client = { git = "https://github.com/cloud-hypervisor/cloud-hypervisor", tag = "v51.0" }

 # Local dependencies
 kata-types = { workspace = true }
--- a/src/runtime-rs/crates/hypervisor/ch-config/src/ch_api.rs
+++ b/src/runtime-rs/crates/hypervisor/ch-config/src/ch_api.rs
@@ -135,7 +135,7 @@ pub async fn cloud_hypervisor_vm_netdev_add_with_fds(
            "PUT",
            "vm.add-net",
            Some(&serialised),
-            request_fds,
+            &request_fds,
        )
        .map_err(|e| anyhow!(e))?;

--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -65,8 +65,6 @@ INITRDCONFIDENTIALNAME = $(PROJECT_TAG)-initrd-confidential.img

 IMAGENAME_NV = $(PROJECT_TAG)-nvidia-gpu.img
 IMAGENAME_CONFIDENTIAL_NV = $(PROJECT_TAG)-nvidia-gpu-confidential.img
-INITRDNAME_NV = $(PROJECT_TAG)-initrd-nvidia-gpu.img
-INITRDNAME_CONFIDENTIAL_NV = $(PROJECT_TAG)-initrd-nvidia-gpu-confidential.img

 TARGET = $(BIN_PREFIX)-runtime
 RUNTIME_OUTPUT = $(CURDIR)/$(TARGET)
@@ -136,8 +134,6 @@ INITRDCONFIDENTIALPATH := $(PKGDATADIR)/$(INITRDCONFIDENTIALNAME)

 IMAGEPATH_NV := $(PKGDATADIR)/$(IMAGENAME_NV)
 IMAGEPATH_CONFIDENTIAL_NV := $(PKGDATADIR)/$(IMAGENAME_CONFIDENTIAL_NV)
-INITRDPATH_NV := $(PKGDATADIR)/$(INITRDNAME_NV)
-INITRDPATH_CONFIDENTIAL_NV := $(PKGDATADIR)/$(INITRDNAME_CONFIDENTIAL_NV)

 ROOTFSTYPE_EXT4 := \"ext4\"
 ROOTFSTYPE_XFS := \"xfs\"
@@ -483,16 +479,12 @@ ifneq (,$(QEMUCMD))
    KERNELPATH_CONFIDENTIAL_NV = $(KERNELDIR)/$(KERNELNAME_CONFIDENTIAL_NV)

    DEFAULTVCPUS_NV = 1
-    DEFAULTMEMORY_NV = 2048
+    DEFAULTMEMORY_NV = 8192
    DEFAULTTIMEOUT_NV = 1200
    DEFAULTVFIOPORT_NV = root-port
    DEFAULTPCIEROOTPORT_NV = 8

-    # Disable the devtmpfs mount in guest. NVRC does this, and later kata-agent
-    # attempts this as well in a non-failing manner. Otherwise, NVRC fails when
-    # using an image and /dev is already mounted.
    KERNELPARAMS_NV = "cgroup_no_v1=all"
-    KERNELPARAMS_NV += "devtmpfs.mount=0"
    KERNELPARAMS_NV += "pci=realloc"
    KERNELPARAMS_NV += "pci=nocrs"
    KERNELPARAMS_NV += "pci=assign-busses"
@@ -660,10 +652,6 @@ USER_VARS += IMAGENAME_NV
 USER_VARS += IMAGENAME_CONFIDENTIAL_NV
 USER_VARS += IMAGEPATH_NV
 USER_VARS += IMAGEPATH_CONFIDENTIAL_NV
-USER_VARS += INITRDNAME_NV
-USER_VARS += INITRDNAME_CONFIDENTIAL_NV
-USER_VARS += INITRDPATH_NV
-USER_VARS += INITRDPATH_CONFIDENTIAL_NV
 USER_VARS += KERNELNAME_NV
 USER_VARS += KERNELPATH_NV
 USER_VARS += KERNELNAME_CONFIDENTIAL_NV
--- a/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
@@ -599,7 +599,7 @@ debug_console_enabled = false

 # Agent connection dialing timeout value in seconds
 # (default: 90)
-dial_timeout = 90
+dial_timeout = @DEFAULTTIMEOUT_NV@

 [runtime]
 # If enabled, the runtime will log additional debug messages to the
--- a/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in
@@ -576,7 +576,7 @@ debug_console_enabled = false

 # Agent connection dialing timeout value in seconds
 # (default: 90)
-dial_timeout = 90
+dial_timeout = @DEFAULTTIMEOUT_NV@

 [runtime]
 # If enabled, the runtime will log additional debug messages to the
--- a/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in
@@ -578,7 +578,7 @@ debug_console_enabled = false

 # Agent connection dialing timeout value in seconds
 # (default: 90)
-dial_timeout = 90
+dial_timeout = @DEFAULTTIMEOUT_NV@

 [runtime]
 # If enabled, the runtime will log additional debug messages to the
--- a/src/runtime/go.mod
+++ b/src/runtime/go.mod
@@ -1,7 +1,7 @@
 module github.com/kata-containers/kata-containers/src/runtime

 // Keep in sync with version in versions.yaml
-go 1.25.7
+go 1.25.8

 // WARNING: Do NOT use `replace` directives as those break dependabot:
 // https://github.com/kata-containers/kata-containers/issues/11020
@@ -26,11 +26,11 @@ require (
 	github.com/docker/go-units v0.5.0
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/go-ini/ini v1.67.0
-	github.com/go-openapi/errors v0.22.1
-	github.com/go-openapi/runtime v0.28.0
-	github.com/go-openapi/strfmt v0.23.0
+	github.com/go-openapi/errors v0.22.7
+	github.com/go-openapi/runtime v0.29.3
+	github.com/go-openapi/strfmt v0.26.0
 	github.com/go-openapi/swag v0.23.1
-	github.com/go-openapi/validate v0.24.0
+	github.com/go-openapi/validate v0.25.2
 	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/intel-go/cpuid v0.0.0-20210602155658-5747e5cec0d9
@@ -52,14 +52,14 @@ require (
 	github.com/urfave/cli v1.22.17
 	github.com/vishvananda/netlink v1.3.1
 	github.com/vishvananda/netns v0.0.5
-	go.opentelemetry.io/otel v1.40.0
+	go.opentelemetry.io/otel v1.41.0
 	go.opentelemetry.io/otel/exporters/jaeger v1.0.0
-	go.opentelemetry.io/otel/sdk v1.40.0
-	go.opentelemetry.io/otel/trace v1.40.0
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sys v0.40.0
-	google.golang.org/grpc v1.72.0
-	google.golang.org/protobuf v1.36.7
+	go.opentelemetry.io/otel/sdk v1.41.0
+	go.opentelemetry.io/otel/trace v1.41.0
+	golang.org/x/oauth2 v0.34.0
+	golang.org/x/sys v0.41.0
+	google.golang.org/grpc v1.79.3
+	google.golang.org/protobuf v1.36.10
 	k8s.io/apimachinery v0.33.0
 	k8s.io/cri-api v0.33.0
 	k8s.io/kubelet v0.33.0
@@ -72,7 +72,6 @@ require (
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.13.0 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cilium/ebpf v0.16.0 // indirect
@@ -93,11 +92,21 @@ require (
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.23.0 // indirect
-	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/jsonreference v0.21.0 // indirect
-	github.com/go-openapi/loads v0.22.0 // indirect
-	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/analysis v0.24.3 // indirect
+	github.com/go-openapi/jsonpointer v0.22.5 // indirect
+	github.com/go-openapi/jsonreference v0.21.5 // indirect
+	github.com/go-openapi/loads v0.23.3 // indirect
+	github.com/go-openapi/spec v0.22.4 // indirect
+	github.com/go-openapi/swag/conv v0.25.5 // indirect
+	github.com/go-openapi/swag/fileutils v0.25.5 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.5 // indirect
+	github.com/go-openapi/swag/loading v0.25.5 // indirect
+	github.com/go-openapi/swag/mangling v0.25.5 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.5 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.5 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.5 // indirect
+	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
@@ -108,34 +117,32 @@ require (
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/moby/sys/symlink v0.2.0 // indirect
 	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/oklog/ulid/v2 v2.1.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552 // indirect
-	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.41.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
-	golang.org/x/mod v0.31.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/mod v0.32.0 // indirect
+	golang.org/x/net v0.50.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
--- a/src/runtime/go.sum
+++ b/src/runtime/go.sum
@@ -17,8 +17,6 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWSeaA=
 github.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok=
-github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
-github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
@@ -105,32 +103,58 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=
-github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
-github.com/go-openapi/errors v0.22.1 h1:kslMRRnK7NCb/CvR1q1VWuEQCEIsBGn5GgKD9e+HYhU=
-github.com/go-openapi/errors v0.22.1/go.mod h1:+n/5UdIqdVnLIJ6Q9Se8HNGUXYaY6CN8ImWzfi/Gzp0=
-github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
-github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
-github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
-github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
-github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs=
-github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ=
-github.com/go-openapi/runtime v0.28.0/go.mod h1:QN7OzcS+XuYmkQLw05akXk0jRH/eZ3kb18+1KwW9gyc=
-github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY=
-github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
-github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c=
-github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4=
+github.com/go-openapi/analysis v0.24.3 h1:a1hrvMr8X0Xt69KP5uVTu5jH62DscmDifrLzNglAayk=
+github.com/go-openapi/analysis v0.24.3/go.mod h1:Nc+dWJ/FxZbhSow5Yh3ozg5CLJioB+XXT6MdLvJUsUw=
+github.com/go-openapi/errors v0.22.7 h1:JLFBGC0Apwdzw3484MmBqspjPbwa2SHvpDm0u5aGhUA=
+github.com/go-openapi/errors v0.22.7/go.mod h1://QW6SD9OsWtH6gHllUCddOXDL0tk0ZGNYHwsw4sW3w=
+github.com/go-openapi/jsonpointer v0.22.5 h1:8on/0Yp4uTb9f4XvTrM2+1CPrV05QPZXu+rvu2o9jcA=
+github.com/go-openapi/jsonpointer v0.22.5/go.mod h1:gyUR3sCvGSWchA2sUBJGluYMbe1zazrYWIkWPjjMUY0=
+github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE=
+github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
+github.com/go-openapi/loads v0.23.3 h1:g5Xap1JfwKkUnZdn+S0L3SzBDpcTIYzZ5Qaag0YDkKQ=
+github.com/go-openapi/loads v0.23.3/go.mod h1:NOH07zLajXo8y55hom0omlHWDVVvCwBM/S+csCK8LqA=
+github.com/go-openapi/runtime v0.29.3 h1:h5twGaEqxtQg40ePiYm9vFFH1q06Czd7Ot6ufdK0w/Y=
+github.com/go-openapi/runtime v0.29.3/go.mod h1:8A1W0/L5eyNJvKciqZtvIVQvYO66NlB7INMSZ9bw/oI=
+github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
+github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
+github.com/go-openapi/strfmt v0.26.0 h1:SDdQLyOEqu8W96rO1FRG1fuCtVyzmukky0zcD6gMGLU=
+github.com/go-openapi/strfmt v0.26.0/go.mod h1:Zslk5VZPOISLwmWTMBIS7oiVFem1o1EI6zULY8Uer7Y=
 github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
 github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
-github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
-github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
+github.com/go-openapi/swag/conv v0.25.5 h1:wAXBYEXJjoKwE5+vc9YHhpQOFj2JYBMF2DUi+tGu97g=
+github.com/go-openapi/swag/conv v0.25.5/go.mod h1:CuJ1eWvh1c4ORKx7unQnFGyvBbNlRKbnRyAvDvzWA4k=
+github.com/go-openapi/swag/fileutils v0.25.5 h1:B6JTdOcs2c0dBIs9HnkyTW+5gC+8NIhVBUwERkFhMWk=
+github.com/go-openapi/swag/fileutils v0.25.5/go.mod h1:V3cT9UdMQIaH4WiTrUc9EPtVA4txS0TOmRURmhGF4kc=
+github.com/go-openapi/swag/jsonname v0.25.5 h1:8p150i44rv/Drip4vWI3kGi9+4W9TdI3US3uUYSFhSo=
+github.com/go-openapi/swag/jsonname v0.25.5/go.mod h1:jNqqikyiAK56uS7n8sLkdaNY/uq6+D2m2LANat09pKU=
+github.com/go-openapi/swag/jsonutils v0.25.5 h1:XUZF8awQr75MXeC+/iaw5usY/iM7nXPDwdG3Jbl9vYo=
+github.com/go-openapi/swag/jsonutils v0.25.5/go.mod h1:48FXUaz8YsDAA9s5AnaUvAmry1UcLcNVWUjY42XkrN4=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5 h1:SX6sE4FrGb4sEnnxbFL/25yZBb5Hcg1inLeErd86Y1U=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5/go.mod h1:/2KvOTrKWjVA5Xli3DZWdMCZDzz3uV/T7bXwrKWPquo=
+github.com/go-openapi/swag/loading v0.25.5 h1:odQ/umlIZ1ZVRteI6ckSrvP6e2w9UTF5qgNdemJHjuU=
+github.com/go-openapi/swag/loading v0.25.5/go.mod h1:I8A8RaaQ4DApxhPSWLNYWh9NvmX2YKMoB9nwvv6oW6g=
+github.com/go-openapi/swag/mangling v0.25.5 h1:hyrnvbQRS7vKePQPHHDso+k6CGn5ZBs5232UqWZmJZw=
+github.com/go-openapi/swag/mangling v0.25.5/go.mod h1:6hadXM/o312N/h98RwByLg088U61TPGiltQn71Iw0NY=
+github.com/go-openapi/swag/stringutils v0.25.5 h1:NVkoDOA8YBgtAR/zvCx5rhJKtZF3IzXcDdwOsYzrB6M=
+github.com/go-openapi/swag/stringutils v0.25.5/go.mod h1:PKK8EZdu4QJq8iezt17HM8RXnLAzY7gW0O1KKarrZII=
+github.com/go-openapi/swag/typeutils v0.25.5 h1:EFJ+PCga2HfHGdo8s8VJXEVbeXRCYwzzr9u4rJk7L7E=
+github.com/go-openapi/swag/typeutils v0.25.5/go.mod h1:itmFmScAYE1bSD8C4rS0W+0InZUBrB2xSPbWt6DLGuc=
+github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ=
+github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.1 h1:NZOrZmIb6PTv5LTFxr5/mKV/FjbUzGE7E6gLz7vFoOQ=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.1/go.mod h1:r7dwsujEHawapMsxA69i+XMGZrQ5tRauhLAjV/sxg3Q=
+github.com/go-openapi/testify/v2 v2.4.1 h1:zB34HDKj4tHwyUQHrUkpV0Q0iXQ6dUCOQtIqn8hE6Iw=
+github.com/go-openapi/testify/v2 v2.4.1/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
+github.com/go-openapi/validate v0.25.2 h1:12NsfLAwGegqbGWr2CnvT65X/Q2USJipmJ9b7xDJZz0=
+github.com/go-openapi/validate v0.25.2/go.mod h1:Pgl1LpPPGFnZ+ys4/hTlDiRYQdI1ocKypgE+8Q8BLfY=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
+github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
 github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -202,8 +226,6 @@ github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos
 github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/mdlayher/vsock v1.2.1 h1:pC1mTJTvjo1r9n9fbm7S1j04rCgCzhCOS5DY0zqHlnQ=
 github.com/mdlayher/vsock v1.2.1/go.mod h1:NRfCibel++DgeMD8z/hP+PPTjlNJsdPOmxcnENvE+SE=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
@@ -223,8 +245,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8m
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
-github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=
+github.com/oklog/ulid/v2 v2.1.1/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
@@ -248,10 +270,9 @@ github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552 h1:
 github.com/opencontainers/runtime-tools v0.9.1-0.20250303011046-260e151b8552/go.mod h1:T487Kf80NeF2i0OyVXHiylg217e0buz8pQsa0T791RA=
 github.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+LGaWfbL84=
 github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
-github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
-github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 h1:onHthvaw9LFnH4t2DcNVpwGmV9E1BkGknEliJkfwQj0=
 github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58/go.mod h1:DXv8WO4yhMYhSNPKjeNKa5WY9YCIEBRbNzFFPJbWO6Y=
+github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -281,7 +302,6 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -309,8 +329,6 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
-go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
@@ -318,20 +336,20 @@ go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbE
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I=
 go.opentelemetry.io/otel v1.0.0/go.mod h1:AjRVh9A5/5DE7S+mZtTR6t8vpKKryam+0lREnfmS4cg=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=
+go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=
 go.opentelemetry.io/otel/exporters/jaeger v1.0.0 h1:cLhx8llHw02h5JTqGqaRbYn+QVKHmrzD9vEbKnSPk5U=
 go.opentelemetry.io/otel/exporters/jaeger v1.0.0/go.mod h1:q10N1AolE1JjqKrFJK2tYw0iZpmX+HBaXBtuCzRnBGQ=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=
+go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=
 go.opentelemetry.io/otel/sdk v1.0.0/go.mod h1:PCrDHlSy5x1kjezSdL37PhbFUMjrsLRshJ2zCzeXwbM=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/sdk v1.41.0 h1:YPIEXKmiAwkGl3Gu1huk1aYWwtpRLeskpV+wPisxBp8=
+go.opentelemetry.io/otel/sdk v1.41.0/go.mod h1:ahFdU0G5y8IxglBf0QBJXgSe7agzjE4GiTJ6HT9ud90=
+go.opentelemetry.io/otel/sdk/metric v1.41.0 h1:siZQIYBAUd1rlIWQT2uCxWJxcCO7q3TriaMlf08rXw8=
+go.opentelemetry.io/otel/sdk/metric v1.41.0/go.mod h1:HNBuSvT7ROaGtGI50ArdRLUnvRTRGniSUZbxiWxSO8Y=
 go.opentelemetry.io/otel/trace v1.0.0/go.mod h1:PXTWqayeFUlJV1YDNhsJYB184+IvAH814St6o6ajzIs=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=
+go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -349,8 +367,8 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -363,11 +381,11 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
+golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -394,14 +412,14 @@ golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -411,12 +429,14 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -424,15 +444,15 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb h1:ITgPrl429bc6+2ZraNSzMDk3I95nmQln2fuPstKwFDE=
 google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:sAo5UzpjUwgFBCzupwhcLcxHVDK7vG5IqI30YnwX2eE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 h1:iK2jbkWL86DXjEx0qiHcRE9dE4/Ahua5k6V8OWFb//c=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM=
-google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -444,8 +464,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
-google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/src/runtime/pkg/device/drivers/utils.go
+++ b/src/runtime/pkg/device/drivers/utils.go
@@ -72,7 +72,7 @@ func IsPCIeDevice(bdf string) bool {
 }

 // read from /sys/bus/pci/devices/xxx/property
-func getPCIDeviceProperty(bdf string, property PCISysFsProperty) string {
+func GetPCIDeviceProperty(bdf string, property PCISysFsProperty) string {
 	if len(strings.Split(bdf, ":")) == 2 {
 		bdf = PCIDomain + ":" + bdf
 	}
@@ -220,9 +220,9 @@ func GetDeviceFromVFIODev(device config.DeviceInfo) ([]*config.VFIODev, error) {
 		return nil, err
 	}

-	vendorID := getPCIDeviceProperty(deviceBDF, PCISysFsDevicesVendor)
-	deviceID := getPCIDeviceProperty(deviceBDF, PCISysFsDevicesDevice)
-	pciClass := getPCIDeviceProperty(deviceBDF, PCISysFsDevicesClass)
+	vendorID := GetPCIDeviceProperty(deviceBDF, PCISysFsDevicesVendor)
+	deviceID := GetPCIDeviceProperty(deviceBDF, PCISysFsDevicesDevice)
+	pciClass := GetPCIDeviceProperty(deviceBDF, PCISysFsDevicesClass)

 	i, err := extractIndex(device.HostPath)
 	if err != nil {
@@ -276,7 +276,7 @@ func GetAllVFIODevicesFromIOMMUGroup(device config.DeviceInfo) ([]*config.VFIODe
 		switch vfioDeviceType {
 		case config.VFIOPCIDeviceNormalType, config.VFIOPCIDeviceMediatedType:
 			// This is vfio-pci and vfio-mdev specific
-			pciClass := getPCIDeviceProperty(deviceBDF, PCISysFsDevicesClass)
+			pciClass := GetPCIDeviceProperty(deviceBDF, PCISysFsDevicesClass)
 			// We need to ignore Host or PCI Bridges that are in the same IOMMU group as the
 			// passed-through devices. One CANNOT pass-through a PCI bridge or Host bridge.
 			// Class 0x0604 is PCI bridge, 0x0600 is Host bridge
@@ -288,8 +288,8 @@ func GetAllVFIODevicesFromIOMMUGroup(device config.DeviceInfo) ([]*config.VFIODe
 				continue
 			}
 			// Fetch the PCI Vendor ID and Device ID
-			vendorID := getPCIDeviceProperty(deviceBDF, PCISysFsDevicesVendor)
-			deviceID := getPCIDeviceProperty(deviceBDF, PCISysFsDevicesDevice)
+			vendorID := GetPCIDeviceProperty(deviceBDF, PCISysFsDevicesVendor)
+			deviceID := GetPCIDeviceProperty(deviceBDF, PCISysFsDevicesDevice)

 			// Do not directly assign to `vfio` -- need to access field still
 			vfio = config.VFIODev{
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/.gitignore
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/.gitignore
@@ -1,15 +0,0 @@
-bin/
-.idea/
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/.travis.yml
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/.travis.yml
@@ -1,12 +0,0 @@
-language: go
-dist: xenial
-go:
-  - '1.10'
-  - '1.11'
-  - '1.12'
-  - '1.13'
-  - 'tip'
-
-script:
-     - go test -coverpkg=./... -coverprofile=coverage.info -timeout=5s
-     - bash <(curl -s https://codecov.io/bash)
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/CODE_OF_CONDUCT.md
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/CODE_OF_CONDUCT.md
@@ -1,43 +0,0 @@
-# Contributor Code of Conduct
-
-This project adheres to [The Code Manifesto](http://codemanifesto.com)
-as its guidelines for contributor interactions.
-
-## The Code Manifesto
-
-We want to work in an ecosystem that empowers developers to reach their
-potential — one that encourages growth and effective collaboration. A space
-that is safe for all.
-
-A space such as this benefits everyone that participates in it. It encourages
-new developers to enter our field. It is through discussion and collaboration
-that we grow, and through growth that we improve.
-
-In the effort to create such a place, we hold to these values:
-
-1. **Discrimination limits us.** This includes discrimination on the basis of
-   race, gender, sexual orientation, gender identity, age, nationality,
-   technology and any other arbitrary exclusion of a group of people.
-2. **Boundaries honor us.** Your comfort levels are not everyone’s comfort
-   levels. Remember that, and if brought to your attention, heed it.
-3. **We are our biggest assets.** None of us were born masters of our trade.
-   Each of us has been helped along the way. Return that favor, when and where
-   you can.
-4. **We are resources for the future.** As an extension of #3, share what you
-   know. Make yourself a resource to help those that come after you.
-5. **Respect defines us.** Treat others as you wish to be treated. Make your
-   discussions, criticisms and debates from a position of respectfulness. Ask
-   yourself, is it true? Is it necessary? Is it constructive? Anything less is
-   unacceptable.
-6. **Reactions require grace.** Angry responses are valid, but abusive language
-   and vindictive actions are toxic. When something happens that offends you,
-   handle it assertively, but be respectful. Escalate reasonably, and try to
-   allow the offender an opportunity to explain themselves, and possibly
-   correct the issue.
-7. **Opinions are just that: opinions.** Each and every one of us, due to our
-   background and upbringing, have varying opinions. That is perfectly
-   acceptable. Remember this: if you respect your own opinions, you should
-   respect the opinions of others.
-8. **To err is human.** You might not intend it, but mistakes do happen and
-   contribute to build experience. Tolerate honest mistakes, and don't
-   hesitate to apologize if you make one yourself.
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/CONTRIBUTING.md
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/CONTRIBUTING.md
@@ -1,63 +0,0 @@
-#### Support
-If you do have a contribution to the package, feel free to create a Pull Request or an Issue.
-
-#### What to contribute
-If you don't know what to do, there are some features and functions that need to be done
-
- [ ] Refactor code
- [ ] Edit docs and [README](https://github.com/asaskevich/govalidator/README.md): spellcheck, grammar and typo check
- [ ] Create actual list of contributors and projects that currently using this package
- [ ] Resolve [issues and bugs](https://github.com/asaskevich/govalidator/issues)
- [ ] Update actual [list of functions](https://github.com/asaskevich/govalidator#list-of-functions)
- [ ] Update [list of validators](https://github.com/asaskevich/govalidator#validatestruct-2) that available for `ValidateStruct` and add new
- [ ] Implement new validators: `IsFQDN`, `IsIMEI`, `IsPostalCode`, `IsISIN`, `IsISRC` etc
- [x] Implement [validation by maps](https://github.com/asaskevich/govalidator/issues/224)
- [ ] Implement fuzzing testing
- [ ] Implement some struct/map/array utilities
- [ ] Implement map/array validation
- [ ] Implement benchmarking
- [ ] Implement batch of examples
- [ ] Look at forks for new features and fixes
-
-#### Advice
-Feel free to create what you want, but keep in mind when you implement new features:
- Code must be clear and readable, names of variables/constants clearly describes what they are doing
- Public functions must be documented and described in source file and added to README.md to the list of available functions
- There are must be unit-tests for any new functions and improvements
-
-## Financial contributions
-
-We also welcome financial contributions in full transparency on our [open collective](https://opencollective.com/govalidator).
-Anyone can file an expense. If the expense makes sense for the development of the community, it will be "merged" in the ledger of our open collective by the core contributors and the person who filed the expense will be reimbursed.
-
-
-## Credits
-
-
-### Contributors
-
-Thank you to all the people who have already contributed to govalidator!
-<a href="https://github.com/asaskevich/govalidator/graphs/contributors"><img src="https://opencollective.com/govalidator/contributors.svg?width=890" /></a>
-
-
-### Backers
-
-Thank you to all our backers! [[Become a backer](https://opencollective.com/govalidator#backer)]
-
-<a href="https://opencollective.com/govalidator#backers" target="_blank"><img src="https://opencollective.com/govalidator/backers.svg?width=890"></a>
-
-
-### Sponsors
-
-Thank you to all our sponsors! (please ask your company to also support this open source project by [becoming a sponsor](https://opencollective.com/govalidator#sponsor))
-
-<a href="https://opencollective.com/govalidator/sponsor/0/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/0/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/1/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/1/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/2/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/2/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/3/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/3/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/4/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/4/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/5/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/5/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/6/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/6/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/7/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/7/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/8/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/8/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/9/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/9/avatar.svg"></a>
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/LICENSE
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/LICENSE
@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2014-2020 Alex Saskevich
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/README.md
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/README.md
@@ -1,622 +0,0 @@
-govalidator
-===========
-[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/asaskevich/govalidator?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![GoDoc](https://godoc.org/github.com/asaskevich/govalidator?status.png)](https://godoc.org/github.com/asaskevich/govalidator)
-[![Build Status](https://travis-ci.org/asaskevich/govalidator.svg?branch=master)](https://travis-ci.org/asaskevich/govalidator)
-[![Coverage](https://codecov.io/gh/asaskevich/govalidator/branch/master/graph/badge.svg)](https://codecov.io/gh/asaskevich/govalidator) [![Go Report Card](https://goreportcard.com/badge/github.com/asaskevich/govalidator)](https://goreportcard.com/report/github.com/asaskevich/govalidator) [![GoSearch](http://go-search.org/badge?id=github.com%2Fasaskevich%2Fgovalidator)](http://go-search.org/view?id=github.com%2Fasaskevich%2Fgovalidator) [![Backers on Open Collective](https://opencollective.com/govalidator/backers/badge.svg)](#backers) [![Sponsors on Open Collective](https://opencollective.com/govalidator/sponsors/badge.svg)](#sponsors) [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fasaskevich%2Fgovalidator.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fasaskevich%2Fgovalidator?ref=badge_shield)
-
-A package of validators and sanitizers for strings, structs and collections. Based on [validator.js](https://github.com/chriso/validator.js).
-
-#### Installation
-Make sure that Go is installed on your computer.
-Type the following command in your terminal:
-
-	go get github.com/asaskevich/govalidator
-
-or you can get specified release of the package with `gopkg.in`:
-
-	go get gopkg.in/asaskevich/govalidator.v10
-
-After it the package is ready to use.
-
-
-#### Import package in your project
-Add following line in your `*.go` file:
-```go
-import "github.com/asaskevich/govalidator"
-```
-If you are unhappy to use long `govalidator`, you can do something like this:
-```go
-import (
-  valid "github.com/asaskevich/govalidator"
-)
-```
-
-#### Activate behavior to require all fields have a validation tag by default
-`SetFieldsRequiredByDefault` causes validation to fail when struct fields do not include validations or are not explicitly marked as exempt (using `valid:"-"` or `valid:"email,optional"`). A good place to activate this is a package init function or the main() function.
-
-`SetNilPtrAllowedByRequired` causes validation to pass when struct fields marked by `required` are set to nil. This is disabled by default for consistency, but some packages that need to be able to determine between `nil` and `zero value` state can use this. If disabled, both `nil` and `zero` values cause validation errors.
-
-```go
-import "github.com/asaskevich/govalidator"
-
-func init() {
-  govalidator.SetFieldsRequiredByDefault(true)
-}
-```
-
-Here's some code to explain it:
-```go
-// this struct definition will fail govalidator.ValidateStruct() (and the field values do not matter):
-type exampleStruct struct {
-  Name  string ``
-  Email string `valid:"email"`
-}
-
-// this, however, will only fail when Email is empty or an invalid email address:
-type exampleStruct2 struct {
-  Name  string `valid:"-"`
-  Email string `valid:"email"`
-}
-
-// lastly, this will only fail when Email is an invalid email address but not when it's empty:
-type exampleStruct2 struct {
-  Name  string `valid:"-"`
-  Email string `valid:"email,optional"`
-}
-```
-
-#### Recent breaking changes (see [#123](https://github.com/asaskevich/govalidator/pull/123))
-##### Custom validator function signature
-A context was added as the second parameter, for structs this is the object being validated – this makes dependent validation possible.
-```go
-import "github.com/asaskevich/govalidator"
-
-// old signature
-func(i interface{}) bool
-
-// new signature
-func(i interface{}, o interface{}) bool
-```
-
-##### Adding a custom validator
-This was changed to prevent data races when accessing custom validators.
-```go
-import "github.com/asaskevich/govalidator"
-
-// before
-govalidator.CustomTypeTagMap["customByteArrayValidator"] = func(i interface{}, o interface{}) bool {
-  // ...
-}
-
-// after
-govalidator.CustomTypeTagMap.Set("customByteArrayValidator", func(i interface{}, o interface{}) bool {
-  // ...
-})
-```
-
-#### List of functions:
-```go
-func Abs(value float64) float64
-func BlackList(str, chars string) string
-func ByteLength(str string, params ...string) bool
-func CamelCaseToUnderscore(str string) string
-func Contains(str, substring string) bool
-func Count(array []interface{}, iterator ConditionIterator) int
-func Each(array []interface{}, iterator Iterator)
-func ErrorByField(e error, field string) string
-func ErrorsByField(e error) map[string]string
-func Filter(array []interface{}, iterator ConditionIterator) []interface{}
-func Find(array []interface{}, iterator ConditionIterator) interface{}
-func GetLine(s string, index int) (string, error)
-func GetLines(s string) []string
-func HasLowerCase(str string) bool
-func HasUpperCase(str string) bool
-func HasWhitespace(str string) bool
-func HasWhitespaceOnly(str string) bool
-func InRange(value interface{}, left interface{}, right interface{}) bool
-func InRangeFloat32(value, left, right float32) bool
-func InRangeFloat64(value, left, right float64) bool
-func InRangeInt(value, left, right interface{}) bool
-func IsASCII(str string) bool
-func IsAlpha(str string) bool
-func IsAlphanumeric(str string) bool
-func IsBase64(str string) bool
-func IsByteLength(str string, min, max int) bool
-func IsCIDR(str string) bool
-func IsCRC32(str string) bool
-func IsCRC32b(str string) bool
-func IsCreditCard(str string) bool
-func IsDNSName(str string) bool
-func IsDataURI(str string) bool
-func IsDialString(str string) bool
-func IsDivisibleBy(str, num string) bool
-func IsEmail(str string) bool
-func IsExistingEmail(email string) bool
-func IsFilePath(str string) (bool, int)
-func IsFloat(str string) bool
-func IsFullWidth(str string) bool
-func IsHalfWidth(str string) bool
-func IsHash(str string, algorithm string) bool
-func IsHexadecimal(str string) bool
-func IsHexcolor(str string) bool
-func IsHost(str string) bool
-func IsIP(str string) bool
-func IsIPv4(str string) bool
-func IsIPv6(str string) bool
-func IsISBN(str string, version int) bool
-func IsISBN10(str string) bool
-func IsISBN13(str string) bool
-func IsISO3166Alpha2(str string) bool
-func IsISO3166Alpha3(str string) bool
-func IsISO4217(str string) bool
-func IsISO693Alpha2(str string) bool
-func IsISO693Alpha3b(str string) bool
-func IsIn(str string, params ...string) bool
-func IsInRaw(str string, params ...string) bool
-func IsInt(str string) bool
-func IsJSON(str string) bool
-func IsLatitude(str string) bool
-func IsLongitude(str string) bool
-func IsLowerCase(str string) bool
-func IsMAC(str string) bool
-func IsMD4(str string) bool
-func IsMD5(str string) bool
-func IsMagnetURI(str string) bool
-func IsMongoID(str string) bool
-func IsMultibyte(str string) bool
-func IsNatural(value float64) bool
-func IsNegative(value float64) bool
-func IsNonNegative(value float64) bool
-func IsNonPositive(value float64) bool
-func IsNotNull(str string) bool
-func IsNull(str string) bool
-func IsNumeric(str string) bool
-func IsPort(str string) bool
-func IsPositive(value float64) bool
-func IsPrintableASCII(str string) bool
-func IsRFC3339(str string) bool
-func IsRFC3339WithoutZone(str string) bool
-func IsRGBcolor(str string) bool
-func IsRegex(str string) bool
-func IsRequestURI(rawurl string) bool
-func IsRequestURL(rawurl string) bool
-func IsRipeMD128(str string) bool
-func IsRipeMD160(str string) bool
-func IsRsaPub(str string, params ...string) bool
-func IsRsaPublicKey(str string, keylen int) bool
-func IsSHA1(str string) bool
-func IsSHA256(str string) bool
-func IsSHA384(str string) bool
-func IsSHA512(str string) bool
-func IsSSN(str string) bool
-func IsSemver(str string) bool
-func IsTiger128(str string) bool
-func IsTiger160(str string) bool
-func IsTiger192(str string) bool
-func IsTime(str string, format string) bool
-func IsType(v interface{}, params ...string) bool
-func IsURL(str string) bool
-func IsUTFDigit(str string) bool
-func IsUTFLetter(str string) bool
-func IsUTFLetterNumeric(str string) bool
-func IsUTFNumeric(str string) bool
-func IsUUID(str string) bool
-func IsUUIDv3(str string) bool
-func IsUUIDv4(str string) bool
-func IsUUIDv5(str string) bool
-func IsULID(str string) bool
-func IsUnixTime(str string) bool
-func IsUpperCase(str string) bool
-func IsVariableWidth(str string) bool
-func IsWhole(value float64) bool
-func LeftTrim(str, chars string) string
-func Map(array []interface{}, iterator ResultIterator) []interface{}
-func Matches(str, pattern string) bool
-func MaxStringLength(str string, params ...string) bool
-func MinStringLength(str string, params ...string) bool
-func NormalizeEmail(str string) (string, error)
-func PadBoth(str string, padStr string, padLen int) string
-func PadLeft(str string, padStr string, padLen int) string
-func PadRight(str string, padStr string, padLen int) string
-func PrependPathToErrors(err error, path string) error
-func Range(str string, params ...string) bool
-func RemoveTags(s string) string
-func ReplacePattern(str, pattern, replace string) string
-func Reverse(s string) string
-func RightTrim(str, chars string) string
-func RuneLength(str string, params ...string) bool
-func SafeFileName(str string) string
-func SetFieldsRequiredByDefault(value bool)
-func SetNilPtrAllowedByRequired(value bool)
-func Sign(value float64) float64
-func StringLength(str string, params ...string) bool
-func StringMatches(s string, params ...string) bool
-func StripLow(str string, keepNewLines bool) string
-func ToBoolean(str string) (bool, error)
-func ToFloat(str string) (float64, error)
-func ToInt(value interface{}) (res int64, err error)
-func ToJSON(obj interface{}) (string, error)
-func ToString(obj interface{}) string
-func Trim(str, chars string) string
-func Truncate(str string, length int, ending string) string
-func TruncatingErrorf(str string, args ...interface{}) error
-func UnderscoreToCamelCase(s string) string
-func ValidateMap(inputMap map[string]interface{}, validationMap map[string]interface{}) (bool, error)
-func ValidateStruct(s interface{}) (bool, error)
-func WhiteList(str, chars string) string
-type ConditionIterator
-type CustomTypeValidator
-type Error
-func (e Error) Error() string
-type Errors
-func (es Errors) Error() string
-func (es Errors) Errors() []error
-type ISO3166Entry
-type ISO693Entry
-type InterfaceParamValidator
-type Iterator
-type ParamValidator
-type ResultIterator
-type UnsupportedTypeError
-func (e *UnsupportedTypeError) Error() string
-type Validator
-```
-
-#### Examples
-###### IsURL
-```go
-println(govalidator.IsURL(`http://user@pass:domain.com/path/page`))
-```
-###### IsType
-```go
-println(govalidator.IsType("Bob", "string"))
-println(govalidator.IsType(1, "int"))
-i := 1
-println(govalidator.IsType(&i, "*int"))
-```
-
-IsType can be used through the tag `type` which is essential for map validation:
-```go
-type User	struct {
-  Name string      `valid:"type(string)"`
-  Age  int         `valid:"type(int)"`
-  Meta interface{} `valid:"type(string)"`
-}
-result, err := govalidator.ValidateStruct(User{"Bob", 20, "meta"})
-if err != nil {
-	println("error: " + err.Error())
-}
-println(result)
-```
-###### ToString
-```go
-type User struct {
-	FirstName string
-	LastName string
-}
-
-str := govalidator.ToString(&User{"John", "Juan"})
-println(str)
-```
-###### Each, Map, Filter, Count for slices
-Each iterates over the slice/array and calls Iterator for every item
-```go
-data := []interface{}{1, 2, 3, 4, 5}
-var fn govalidator.Iterator = func(value interface{}, index int) {
-	println(value.(int))
-}
-govalidator.Each(data, fn)
-```
-```go
-data := []interface{}{1, 2, 3, 4, 5}
-var fn govalidator.ResultIterator = func(value interface{}, index int) interface{} {
-	return value.(int) * 3
-}
-_ = govalidator.Map(data, fn) // result = []interface{}{1, 6, 9, 12, 15}
-```
-```go
-data := []interface{}{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
-var fn govalidator.ConditionIterator = func(value interface{}, index int) bool {
-	return value.(int)%2 == 0
-}
-_ = govalidator.Filter(data, fn) // result = []interface{}{2, 4, 6, 8, 10}
-_ = govalidator.Count(data, fn) // result = 5
-```
-###### ValidateStruct [#2](https://github.com/asaskevich/govalidator/pull/2)
-If you want to validate structs, you can use tag `valid` for any field in your structure. All validators used with this field in one tag are separated by comma. If you want to skip validation, place `-` in your tag. If you need a validator that is not on the list below, you can add it like this:
-```go
-govalidator.TagMap["duck"] = govalidator.Validator(func(str string) bool {
-	return str == "duck"
-})
-```
-For completely custom validators (interface-based), see below.
-
-Here is a list of available validators for struct fields (validator - used function):
-```go
-"email":              IsEmail,
-"url":                IsURL,
-"dialstring":         IsDialString,
-"requrl":             IsRequestURL,
-"requri":             IsRequestURI,
-"alpha":              IsAlpha,
-"utfletter":          IsUTFLetter,
-"alphanum":           IsAlphanumeric,
-"utfletternum":       IsUTFLetterNumeric,
-"numeric":            IsNumeric,
-"utfnumeric":         IsUTFNumeric,
-"utfdigit":           IsUTFDigit,
-"hexadecimal":        IsHexadecimal,
-"hexcolor":           IsHexcolor,
-"rgbcolor":           IsRGBcolor,
-"lowercase":          IsLowerCase,
-"uppercase":          IsUpperCase,
-"int":                IsInt,
-"float":              IsFloat,
-"null":               IsNull,
-"uuid":               IsUUID,
-"uuidv3":             IsUUIDv3,
-"uuidv4":             IsUUIDv4,
-"uuidv5":             IsUUIDv5,
-"creditcard":         IsCreditCard,
-"isbn10":             IsISBN10,
-"isbn13":             IsISBN13,
-"json":               IsJSON,
-"multibyte":          IsMultibyte,
-"ascii":              IsASCII,
-"printableascii":     IsPrintableASCII,
-"fullwidth":          IsFullWidth,
-"halfwidth":          IsHalfWidth,
-"variablewidth":      IsVariableWidth,
-"base64":             IsBase64,
-"datauri":            IsDataURI,
-"ip":                 IsIP,
-"port":               IsPort,
-"ipv4":               IsIPv4,
-"ipv6":               IsIPv6,
-"dns":                IsDNSName,
-"host":               IsHost,
-"mac":                IsMAC,
-"latitude":           IsLatitude,
-"longitude":          IsLongitude,
-"ssn":                IsSSN,
-"semver":             IsSemver,
-"rfc3339":            IsRFC3339,
-"rfc3339WithoutZone": IsRFC3339WithoutZone,
-"ISO3166Alpha2":      IsISO3166Alpha2,
-"ISO3166Alpha3":      IsISO3166Alpha3,
-"ulid":               IsULID,
-```
-Validators with parameters
-
-```go
-"range(min|max)": Range,
-"length(min|max)": ByteLength,
-"runelength(min|max)": RuneLength,
-"stringlength(min|max)": StringLength,
-"matches(pattern)": StringMatches,
-"in(string1|string2|...|stringN)": IsIn,
-"rsapub(keylength)" : IsRsaPub,
-"minstringlength(int): MinStringLength,
-"maxstringlength(int): MaxStringLength,
-```
-Validators with parameters for any type
-
-```go
-"type(type)": IsType,
-```
-
-And here is small example of usage:
-```go
-type Post struct {
-	Title    string `valid:"alphanum,required"`
-	Message  string `valid:"duck,ascii"`
-	Message2 string `valid:"animal(dog)"`
-	AuthorIP string `valid:"ipv4"`
-	Date     string `valid:"-"`
-}
-post := &Post{
-	Title:   "My Example Post",
-	Message: "duck",
-	Message2: "dog",
-	AuthorIP: "123.234.54.3",
-}
-
-// Add your own struct validation tags
-govalidator.TagMap["duck"] = govalidator.Validator(func(str string) bool {
-	return str == "duck"
-})
-
-// Add your own struct validation tags with parameter
-govalidator.ParamTagMap["animal"] = govalidator.ParamValidator(func(str string, params ...string) bool {
-    species := params[0]
-    return str == species
-})
-govalidator.ParamTagRegexMap["animal"] = regexp.MustCompile("^animal\\((\\w+)\\)$")
-
-result, err := govalidator.ValidateStruct(post)
-if err != nil {
-	println("error: " + err.Error())
-}
-println(result)
-```
-###### ValidateMap [#2](https://github.com/asaskevich/govalidator/pull/338)
-If you want to validate maps, you can use the map to be validated and a validation map that contain the same tags used in ValidateStruct, both maps have to be in the form `map[string]interface{}`
-
-So here is small example of usage:
-```go
-var mapTemplate = map[string]interface{}{
-	"name":"required,alpha",
-	"family":"required,alpha",
-	"email":"required,email",
-	"cell-phone":"numeric",
-	"address":map[string]interface{}{
-		"line1":"required,alphanum",
-		"line2":"alphanum",
-		"postal-code":"numeric",
-	},
-}
-
-var inputMap = map[string]interface{}{
-	"name":"Bob",
-	"family":"Smith",
-	"email":"foo@bar.baz",
-	"address":map[string]interface{}{
-		"line1":"",
-		"line2":"",
-		"postal-code":"",
-	},
-}
-
-result, err := govalidator.ValidateMap(inputMap, mapTemplate)
-if err != nil {
-	println("error: " + err.Error())
-}
-println(result)
-```
-
-###### WhiteList
-```go
-// Remove all characters from string ignoring characters between "a" and "z"
-println(govalidator.WhiteList("a3a43a5a4a3a2a23a4a5a4a3a4", "a-z") == "aaaaaaaaaaaa")
-```
-
-###### Custom validation functions
-Custom validation using your own domain specific validators is also available - here's an example of how to use it:
-```go
-import "github.com/asaskevich/govalidator"
-
-type CustomByteArray [6]byte // custom types are supported and can be validated
-
-type StructWithCustomByteArray struct {
-  ID              CustomByteArray `valid:"customByteArrayValidator,customMinLengthValidator"` // multiple custom validators are possible as well and will be evaluated in sequence
-  Email           string          `valid:"email"`
-  CustomMinLength int             `valid:"-"`
-}
-
-govalidator.CustomTypeTagMap.Set("customByteArrayValidator", func(i interface{}, context interface{}) bool {
-  switch v := context.(type) { // you can type switch on the context interface being validated
-  case StructWithCustomByteArray:
-    // you can check and validate against some other field in the context,
-    // return early or not validate against the context at all – your choice
-  case SomeOtherType:
-    // ...
-  default:
-    // expecting some other type? Throw/panic here or continue
-  }
-
-  switch v := i.(type) { // type switch on the struct field being validated
-  case CustomByteArray:
-    for _, e := range v { // this validator checks that the byte array is not empty, i.e. not all zeroes
-      if e != 0 {
-        return true
-      }
-    }
-  }
-  return false
-})
-govalidator.CustomTypeTagMap.Set("customMinLengthValidator", func(i interface{}, context interface{}) bool {
-  switch v := context.(type) { // this validates a field against the value in another field, i.e. dependent validation
-  case StructWithCustomByteArray:
-    return len(v.ID) >= v.CustomMinLength
-  }
-  return false
-})
-```
-
-###### Loop over Error()
-By default .Error() returns all errors in a single String. To access each error you can do this:
-```go
-  if err != nil {
-    errs := err.(govalidator.Errors).Errors()
-    for _, e := range errs {
-      fmt.Println(e.Error())
-    }
-  }
-```
-
-###### Custom error messages
-Custom error messages are supported via annotations by adding the `~` separator - here's an example of how to use it:
-```go
-type Ticket struct {
-  Id        int64     `json:"id"`
-  FirstName string    `json:"firstname" valid:"required~First name is blank"`
-}
-```
-
-#### Notes
-Documentation is available here: [godoc.org](https://godoc.org/github.com/asaskevich/govalidator).
-Full information about code coverage is also available here: [govalidator on gocover.io](http://gocover.io/github.com/asaskevich/govalidator).
-
-#### Support
-If you do have a contribution to the package, feel free to create a Pull Request or an Issue.
-
-#### What to contribute
-If you don't know what to do, there are some features and functions that need to be done
-
- [ ] Refactor code
- [ ] Edit docs and [README](https://github.com/asaskevich/govalidator/README.md): spellcheck, grammar and typo check
- [ ] Create actual list of contributors and projects that currently using this package
- [ ] Resolve [issues and bugs](https://github.com/asaskevich/govalidator/issues)
- [ ] Update actual [list of functions](https://github.com/asaskevich/govalidator#list-of-functions)
- [ ] Update [list of validators](https://github.com/asaskevich/govalidator#validatestruct-2) that available for `ValidateStruct` and add new
- [ ] Implement new validators: `IsFQDN`, `IsIMEI`, `IsPostalCode`, `IsISIN`, `IsISRC` etc
- [x] Implement [validation by maps](https://github.com/asaskevich/govalidator/issues/224)
- [ ] Implement fuzzing testing
- [ ] Implement some struct/map/array utilities
- [ ] Implement map/array validation
- [ ] Implement benchmarking
- [ ] Implement batch of examples
- [ ] Look at forks for new features and fixes
-
-#### Advice
-Feel free to create what you want, but keep in mind when you implement new features:
- Code must be clear and readable, names of variables/constants clearly describes what they are doing
- Public functions must be documented and described in source file and added to README.md to the list of available functions
- There are must be unit-tests for any new functions and improvements
-
-## Credits
-### Contributors
-
-This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
-
-#### Special thanks to [contributors](https://github.com/asaskevich/govalidator/graphs/contributors)
-* [Daniel Lohse](https://github.com/annismckenzie)
-* [Attila Oláh](https://github.com/attilaolah)
-* [Daniel Korner](https://github.com/Dadie)
-* [Steven Wilkin](https://github.com/stevenwilkin)
-* [Deiwin Sarjas](https://github.com/deiwin)
-* [Noah Shibley](https://github.com/slugmobile)
-* [Nathan Davies](https://github.com/nathj07)
-* [Matt Sanford](https://github.com/mzsanford)
-* [Simon ccl1115](https://github.com/ccl1115)
-
-<a href="https://github.com/asaskevich/govalidator/graphs/contributors"><img src="https://opencollective.com/govalidator/contributors.svg?width=890" /></a>
-
-
-### Backers
-
-Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/govalidator#backer)]
-
-<a href="https://opencollective.com/govalidator#backers" target="_blank"><img src="https://opencollective.com/govalidator/backers.svg?width=890"></a>
-
-
-### Sponsors
-
-Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/govalidator#sponsor)]
-
-<a href="https://opencollective.com/govalidator/sponsor/0/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/0/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/1/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/1/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/2/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/2/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/3/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/3/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/4/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/4/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/5/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/5/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/6/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/6/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/7/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/7/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/8/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/8/avatar.svg"></a>
-<a href="https://opencollective.com/govalidator/sponsor/9/website" target="_blank"><img src="https://opencollective.com/govalidator/sponsor/9/avatar.svg"></a>
-
-
-
-
-## License
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fasaskevich%2Fgovalidator.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fasaskevich%2Fgovalidator?ref=badge_large)
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/arrays.go
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/arrays.go
@@ -1,87 +0,0 @@
-package govalidator
-
-// Iterator is the function that accepts element of slice/array and its index
-type Iterator func(interface{}, int)
-
-// ResultIterator is the function that accepts element of slice/array and its index and returns any result
-type ResultIterator func(interface{}, int) interface{}
-
-// ConditionIterator is the function that accepts element of slice/array and its index and returns boolean
-type ConditionIterator func(interface{}, int) bool
-
-// ReduceIterator is the function that accepts two element of slice/array and returns result of merging those values
-type ReduceIterator func(interface{}, interface{}) interface{}
-
-// Some validates that any item of array corresponds to ConditionIterator. Returns boolean.
-func Some(array []interface{}, iterator ConditionIterator) bool {
-	res := false
-	for index, data := range array {
-		res = res || iterator(data, index)
-	}
-	return res
-}
-
-// Every validates that every item of array corresponds to ConditionIterator. Returns boolean.
-func Every(array []interface{}, iterator ConditionIterator) bool {
-	res := true
-	for index, data := range array {
-		res = res && iterator(data, index)
-	}
-	return res
-}
-
-// Reduce boils down a list of values into a single value by ReduceIterator
-func Reduce(array []interface{}, iterator ReduceIterator, initialValue interface{}) interface{} {
-	for _, data := range array {
-		initialValue = iterator(initialValue, data)
-	}
-	return initialValue
-}
-
-// Each iterates over the slice and apply Iterator to every item
-func Each(array []interface{}, iterator Iterator) {
-	for index, data := range array {
-		iterator(data, index)
-	}
-}
-
-// Map iterates over the slice and apply ResultIterator to every item. Returns new slice as a result.
-func Map(array []interface{}, iterator ResultIterator) []interface{} {
-	var result = make([]interface{}, len(array))
-	for index, data := range array {
-		result[index] = iterator(data, index)
-	}
-	return result
-}
-
-// Find iterates over the slice and apply ConditionIterator to every item. Returns first item that meet ConditionIterator or nil otherwise.
-func Find(array []interface{}, iterator ConditionIterator) interface{} {
-	for index, data := range array {
-		if iterator(data, index) {
-			return data
-		}
-	}
-	return nil
-}
-
-// Filter iterates over the slice and apply ConditionIterator to every item. Returns new slice.
-func Filter(array []interface{}, iterator ConditionIterator) []interface{} {
-	var result = make([]interface{}, 0)
-	for index, data := range array {
-		if iterator(data, index) {
-			result = append(result, data)
-		}
-	}
-	return result
-}
-
-// Count iterates over the slice and apply ConditionIterator to every item. Returns count of items that meets ConditionIterator.
-func Count(array []interface{}, iterator ConditionIterator) int {
-	count := 0
-	for index, data := range array {
-		if iterator(data, index) {
-			count = count + 1
-		}
-	}
-	return count
-}
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/converter.go
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/converter.go
@@ -1,81 +0,0 @@
-package govalidator
-
-import (
-	"encoding/json"
-	"fmt"
-	"reflect"
-	"strconv"
-)
-
-// ToString convert the input to a string.
-func ToString(obj interface{}) string {
-	res := fmt.Sprintf("%v", obj)
-	return res
-}
-
-// ToJSON convert the input to a valid JSON string
-func ToJSON(obj interface{}) (string, error) {
-	res, err := json.Marshal(obj)
-	if err != nil {
-		res = []byte("")
-	}
-	return string(res), err
-}
-
-// ToFloat convert the input string to a float, or 0.0 if the input is not a float.
-func ToFloat(value interface{}) (res float64, err error) {
-	val := reflect.ValueOf(value)
-
-	switch value.(type) {
-	case int, int8, int16, int32, int64:
-		res = float64(val.Int())
-	case uint, uint8, uint16, uint32, uint64:
-		res = float64(val.Uint())
-	case float32, float64:
-		res = val.Float()
-	case string:
-		res, err = strconv.ParseFloat(val.String(), 64)
-		if err != nil {
-			res = 0
-		}
-	default:
-		err = fmt.Errorf("ToInt: unknown interface type %T", value)
-		res = 0
-	}
-
-	return
-}
-
-// ToInt convert the input string or any int type to an integer type 64, or 0 if the input is not an integer.
-func ToInt(value interface{}) (res int64, err error) {
-	val := reflect.ValueOf(value)
-
-	switch value.(type) {
-	case int, int8, int16, int32, int64:
-		res = val.Int()
-	case uint, uint8, uint16, uint32, uint64:
-		res = int64(val.Uint())
-	case float32, float64:
-		res = int64(val.Float())
-	case string:
-		if IsInt(val.String()) {
-			res, err = strconv.ParseInt(val.String(), 0, 64)
-			if err != nil {
-				res = 0
-			}
-		} else {
-			err = fmt.Errorf("ToInt: invalid numeric format %g", value)
-			res = 0
-		}
-	default:
-		err = fmt.Errorf("ToInt: unknown interface type %T", value)
-		res = 0
-	}
-
-	return
-}
-
-// ToBoolean convert the input string to a boolean.
-func ToBoolean(str string) (bool, error) {
-	return strconv.ParseBool(str)
-}
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/doc.go
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/doc.go
@@ -1,3 +0,0 @@
-package govalidator
-
-// A package of validators and sanitizers for strings, structures and collections.
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/error.go
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/error.go
@@ -1,47 +0,0 @@
-package govalidator
-
-import (
-	"sort"
-	"strings"
-)
-
-// Errors is an array of multiple errors and conforms to the error interface.
-type Errors []error
-
-// Errors returns itself.
-func (es Errors) Errors() []error {
-	return es
-}
-
-func (es Errors) Error() string {
-	var errs []string
-	for _, e := range es {
-		errs = append(errs, e.Error())
-	}
-	sort.Strings(errs)
-	return strings.Join(errs, ";")
-}
-
-// Error encapsulates a name, an error and whether there's a custom error message or not.
-type Error struct {
-	Name                     string
-	Err                      error
-	CustomErrorMessageExists bool
-
-	// Validator indicates the name of the validator that failed
-	Validator string
-	Path      []string
-}
-
-func (e Error) Error() string {
-	if e.CustomErrorMessageExists {
-		return e.Err.Error()
-	}
-
-	errName := e.Name
-	if len(e.Path) > 0 {
-		errName = strings.Join(append(e.Path, e.Name), ".")
-	}
-
-	return errName + ": " + e.Err.Error()
-}
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/numerics.go
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/numerics.go
@@ -1,100 +0,0 @@
-package govalidator
-
-import (
-	"math"
-)
-
-// Abs returns absolute value of number
-func Abs(value float64) float64 {
-	return math.Abs(value)
-}
-
-// Sign returns signum of number: 1 in case of value > 0, -1 in case of value < 0, 0 otherwise
-func Sign(value float64) float64 {
-	if value > 0 {
-		return 1
-	} else if value < 0 {
-		return -1
-	} else {
-		return 0
-	}
-}
-
-// IsNegative returns true if value < 0
-func IsNegative(value float64) bool {
-	return value < 0
-}
-
-// IsPositive returns true if value > 0
-func IsPositive(value float64) bool {
-	return value > 0
-}
-
-// IsNonNegative returns true if value >= 0
-func IsNonNegative(value float64) bool {
-	return value >= 0
-}
-
-// IsNonPositive returns true if value <= 0
-func IsNonPositive(value float64) bool {
-	return value <= 0
-}
-
-// InRangeInt returns true if value lies between left and right border
-func InRangeInt(value, left, right interface{}) bool {
-	value64, _ := ToInt(value)
-	left64, _ := ToInt(left)
-	right64, _ := ToInt(right)
-	if left64 > right64 {
-		left64, right64 = right64, left64
-	}
-	return value64 >= left64 && value64 <= right64
-}
-
-// InRangeFloat32 returns true if value lies between left and right border
-func InRangeFloat32(value, left, right float32) bool {
-	if left > right {
-		left, right = right, left
-	}
-	return value >= left && value <= right
-}
-
-// InRangeFloat64 returns true if value lies between left and right border
-func InRangeFloat64(value, left, right float64) bool {
-	if left > right {
-		left, right = right, left
-	}
-	return value >= left && value <= right
-}
-
-// InRange returns true if value lies between left and right border, generic type to handle int, float32, float64 and string.
-// All types must the same type.
-// False if value doesn't lie in range or if it incompatible or not comparable
-func InRange(value interface{}, left interface{}, right interface{}) bool {
-	switch value.(type) {
-	case int:
-		intValue, _ := ToInt(value)
-		intLeft, _ := ToInt(left)
-		intRight, _ := ToInt(right)
-		return InRangeInt(intValue, intLeft, intRight)
-	case float32, float64:
-		intValue, _ := ToFloat(value)
-		intLeft, _ := ToFloat(left)
-		intRight, _ := ToFloat(right)
-		return InRangeFloat64(intValue, intLeft, intRight)
-	case string:
-		return value.(string) >= left.(string) && value.(string) <= right.(string)
-	default:
-		return false
-	}
-}
-
-// IsWhole returns true if value is whole number
-func IsWhole(value float64) bool {
-	return math.Remainder(value, 1) == 0
-}
-
-// IsNatural returns true if value is natural number (positive and whole)
-func IsNatural(value float64) bool {
-	return IsWhole(value) && IsPositive(value)
-}
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/patterns.go
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/patterns.go
@@ -1,113 +0,0 @@
-package govalidator
-
-import "regexp"
-
-// Basic regular expressions for validating strings
-const (
-	Email             string = "^(((([a-zA-Z]|\\d|[!#\\$%&'\\*\\+\\-\\/=\\?\\^_`{\\|}~]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])+(\\.([a-zA-Z]|\\d|[!#\\$%&'\\*\\+\\-\\/=\\?\\^_`{\\|}~]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])+)*)|((\\x22)((((\\x20|\\x09)*(\\x0d\\x0a))?(\\x20|\\x09)+)?(([\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f]|\\x21|[\\x23-\\x5b]|[\\x5d-\\x7e]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])|(\\([\\x01-\\x09\\x0b\\x0c\\x0d-\\x7f]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}]))))*(((\\x20|\\x09)*(\\x0d\\x0a))?(\\x20|\\x09)+)?(\\x22)))@((([a-zA-Z]|\\d|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])|(([a-zA-Z]|\\d|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])([a-zA-Z]|\\d|-|\\.|_|~|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])*([a-zA-Z]|\\d|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])))\\.)+(([a-zA-Z]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])|(([a-zA-Z]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])([a-zA-Z]|\\d|-|_|~|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])*([a-zA-Z]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])))\\.?$"
-	CreditCard        string = "^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|(222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11}|6[27][0-9]{14})$"
-	ISBN10            string = "^(?:[0-9]{9}X|[0-9]{10})$"
-	ISBN13            string = "^(?:[0-9]{13})$"
-	UUID3             string = "^[0-9a-f]{8}-[0-9a-f]{4}-3[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$"
-	UUID4             string = "^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
-	UUID5             string = "^[0-9a-f]{8}-[0-9a-f]{4}-5[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
-	UUID              string = "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
-	Alpha             string = "^[a-zA-Z]+$"
-	Alphanumeric      string = "^[a-zA-Z0-9]+$"
-	Numeric           string = "^[0-9]+$"
-	Int               string = "^(?:[-+]?(?:0|[1-9][0-9]*))$"
-	Float             string = "^(?:[-+]?(?:[0-9]+))?(?:\\.[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$"
-	Hexadecimal       string = "^[0-9a-fA-F]+$"
-	Hexcolor          string = "^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$"
-	RGBcolor          string = "^rgb\\(\\s*(0|[1-9]\\d?|1\\d\\d?|2[0-4]\\d|25[0-5])\\s*,\\s*(0|[1-9]\\d?|1\\d\\d?|2[0-4]\\d|25[0-5])\\s*,\\s*(0|[1-9]\\d?|1\\d\\d?|2[0-4]\\d|25[0-5])\\s*\\)$"
-	ASCII             string = "^[\x00-\x7F]+$"
-	Multibyte         string = "[^\x00-\x7F]"
-	FullWidth         string = "[^\u0020-\u007E\uFF61-\uFF9F\uFFA0-\uFFDC\uFFE8-\uFFEE0-9a-zA-Z]"
-	HalfWidth         string = "[\u0020-\u007E\uFF61-\uFF9F\uFFA0-\uFFDC\uFFE8-\uFFEE0-9a-zA-Z]"
-	Base64            string = "^(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{4})$"
-	PrintableASCII    string = "^[\x20-\x7E]+$"
-	DataURI           string = "^data:.+\\/(.+);base64$"
-	MagnetURI         string = "^magnet:\\?xt=urn:[a-zA-Z0-9]+:[a-zA-Z0-9]{32,40}&dn=.+&tr=.+$"
-	Latitude          string = "^[-+]?([1-8]?\\d(\\.\\d+)?|90(\\.0+)?)$"
-	Longitude         string = "^[-+]?(180(\\.0+)?|((1[0-7]\\d)|([1-9]?\\d))(\\.\\d+)?)$"
-	DNSName           string = `^([a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62}){1}(\.[a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62})*[\._]?$`
-	IP                string = `(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))`
-	URLSchema         string = `((ftp|tcp|udp|wss?|https?):\/\/)`
-	URLUsername       string = `(\S+(:\S*)?@)`
-	URLPath           string = `((\/|\?|#)[^\s]*)`
-	URLPort           string = `(:(\d{1,5}))`
-	URLIP             string = `([1-9]\d?|1\d\d|2[01]\d|22[0-3]|24\d|25[0-5])(\.(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])){2}(?:\.([0-9]\d?|1\d\d|2[0-4]\d|25[0-5]))`
-	URLSubdomain      string = `((www\.)|([a-zA-Z0-9]+([-_\.]?[a-zA-Z0-9])*[a-zA-Z0-9]\.[a-zA-Z0-9]+))`
-	URL                      = `^` + URLSchema + `?` + URLUsername + `?` + `((` + URLIP + `|(\[` + IP + `\])|(([a-zA-Z0-9]([a-zA-Z0-9-_]+)?[a-zA-Z0-9]([-\.][a-zA-Z0-9]+)*)|(` + URLSubdomain + `?))?(([a-zA-Z\x{00a1}-\x{ffff}0-9]+-?-?)*[a-zA-Z\x{00a1}-\x{ffff}0-9]+)(?:\.([a-zA-Z\x{00a1}-\x{ffff}]{1,}))?))\.?` + URLPort + `?` + URLPath + `?$`
-	SSN               string = `^\d{3}[- ]?\d{2}[- ]?\d{4}$`
-	WinPath           string = `^[a-zA-Z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*$`
-	UnixPath          string = `^(/[^/\x00]*)+/?$`
-	WinARPath         string = `^(?:(?:[a-zA-Z]:|\\\\[a-z0-9_.$●-]+\\[a-z0-9_.$●-]+)\\|\\?[^\\/:*?"<>|\r\n]+\\?)(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*$`
-	UnixARPath        string = `^((\.{0,2}/)?([^/\x00]*))+/?$`
-	Semver            string = "^v?(?:0|[1-9]\\d*)\\.(?:0|[1-9]\\d*)\\.(?:0|[1-9]\\d*)(-(0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*)?(\\+[0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*)?$"
-	tagName           string = "valid"
-	hasLowerCase      string = ".*[[:lower:]]"
-	hasUpperCase      string = ".*[[:upper:]]"
-	hasWhitespace     string = ".*[[:space:]]"
-	hasWhitespaceOnly string = "^[[:space:]]+$"
-	IMEI              string = "^[0-9a-f]{14}$|^\\d{15}$|^\\d{18}$"
-	IMSI              string = "^\\d{14,15}$"
-	E164              string = `^\+?[1-9]\d{1,14}$`
-)
-
-// Used by IsFilePath func
-const (
-	// Unknown is unresolved OS type
-	Unknown = iota
-	// Win is Windows type
-	Win
-	// Unix is *nix OS types
-	Unix
-)
-
-var (
-	userRegexp          = regexp.MustCompile("^[a-zA-Z0-9!#$%&'*+/=?^_`{|}~.-]+$")
-	hostRegexp          = regexp.MustCompile("^[^\\s]+\\.[^\\s]+$")
-	userDotRegexp       = regexp.MustCompile("(^[.]{1})|([.]{1}$)|([.]{2,})")
-	rxEmail             = regexp.MustCompile(Email)
-	rxCreditCard        = regexp.MustCompile(CreditCard)
-	rxISBN10            = regexp.MustCompile(ISBN10)
-	rxISBN13            = regexp.MustCompile(ISBN13)
-	rxUUID3             = regexp.MustCompile(UUID3)
-	rxUUID4             = regexp.MustCompile(UUID4)
-	rxUUID5             = regexp.MustCompile(UUID5)
-	rxUUID              = regexp.MustCompile(UUID)
-	rxAlpha             = regexp.MustCompile(Alpha)
-	rxAlphanumeric      = regexp.MustCompile(Alphanumeric)
-	rxNumeric           = regexp.MustCompile(Numeric)
-	rxInt               = regexp.MustCompile(Int)
-	rxFloat             = regexp.MustCompile(Float)
-	rxHexadecimal       = regexp.MustCompile(Hexadecimal)
-	rxHexcolor          = regexp.MustCompile(Hexcolor)
-	rxRGBcolor          = regexp.MustCompile(RGBcolor)
-	rxASCII             = regexp.MustCompile(ASCII)
-	rxPrintableASCII    = regexp.MustCompile(PrintableASCII)
-	rxMultibyte         = regexp.MustCompile(Multibyte)
-	rxFullWidth         = regexp.MustCompile(FullWidth)
-	rxHalfWidth         = regexp.MustCompile(HalfWidth)
-	rxBase64            = regexp.MustCompile(Base64)
-	rxDataURI           = regexp.MustCompile(DataURI)
-	rxMagnetURI         = regexp.MustCompile(MagnetURI)
-	rxLatitude          = regexp.MustCompile(Latitude)
-	rxLongitude         = regexp.MustCompile(Longitude)
-	rxDNSName           = regexp.MustCompile(DNSName)
-	rxURL               = regexp.MustCompile(URL)
-	rxSSN               = regexp.MustCompile(SSN)
-	rxWinPath           = regexp.MustCompile(WinPath)
-	rxUnixPath          = regexp.MustCompile(UnixPath)
-	rxARWinPath         = regexp.MustCompile(WinARPath)
-	rxARUnixPath        = regexp.MustCompile(UnixARPath)
-	rxSemver            = regexp.MustCompile(Semver)
-	rxHasLowerCase      = regexp.MustCompile(hasLowerCase)
-	rxHasUpperCase      = regexp.MustCompile(hasUpperCase)
-	rxHasWhitespace     = regexp.MustCompile(hasWhitespace)
-	rxHasWhitespaceOnly = regexp.MustCompile(hasWhitespaceOnly)
-	rxIMEI              = regexp.MustCompile(IMEI)
-	rxIMSI              = regexp.MustCompile(IMSI)
-	rxE164              = regexp.MustCompile(E164)
-)
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/types.go
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/types.go
@@ -1,656 +0,0 @@
-package govalidator
-
-import (
-	"reflect"
-	"regexp"
-	"sort"
-	"sync"
-)
-
-// Validator is a wrapper for a validator function that returns bool and accepts string.
-type Validator func(str string) bool
-
-// CustomTypeValidator is a wrapper for validator functions that returns bool and accepts any type.
-// The second parameter should be the context (in the case of validating a struct: the whole object being validated).
-type CustomTypeValidator func(i interface{}, o interface{}) bool
-
-// ParamValidator is a wrapper for validator functions that accept additional parameters.
-type ParamValidator func(str string, params ...string) bool
-
-// InterfaceParamValidator is a wrapper for functions that accept variants parameters for an interface value
-type InterfaceParamValidator func(in interface{}, params ...string) bool
-type tagOptionsMap map[string]tagOption
-
-func (t tagOptionsMap) orderedKeys() []string {
-	var keys []string
-	for k := range t {
-		keys = append(keys, k)
-	}
-
-	sort.Slice(keys, func(a, b int) bool {
-		return t[keys[a]].order < t[keys[b]].order
-	})
-
-	return keys
-}
-
-type tagOption struct {
-	name               string
-	customErrorMessage string
-	order              int
-}
-
-// UnsupportedTypeError is a wrapper for reflect.Type
-type UnsupportedTypeError struct {
-	Type reflect.Type
-}
-
-// stringValues is a slice of reflect.Value holding *reflect.StringValue.
-// It implements the methods to sort by string.
-type stringValues []reflect.Value
-
-// InterfaceParamTagMap is a map of functions accept variants parameters for an interface value
-var InterfaceParamTagMap = map[string]InterfaceParamValidator{
-	"type": IsType,
-}
-
-// InterfaceParamTagRegexMap maps interface param tags to their respective regexes.
-var InterfaceParamTagRegexMap = map[string]*regexp.Regexp{
-	"type": regexp.MustCompile(`^type\((.*)\)$`),
-}
-
-// ParamTagMap is a map of functions accept variants parameters
-var ParamTagMap = map[string]ParamValidator{
-	"length":          ByteLength,
-	"range":           Range,
-	"runelength":      RuneLength,
-	"stringlength":    StringLength,
-	"matches":         StringMatches,
-	"in":              IsInRaw,
-	"rsapub":          IsRsaPub,
-	"minstringlength": MinStringLength,
-	"maxstringlength": MaxStringLength,
-}
-
-// ParamTagRegexMap maps param tags to their respective regexes.
-var ParamTagRegexMap = map[string]*regexp.Regexp{
-	"range":           regexp.MustCompile("^range\\((\\d+)\\|(\\d+)\\)$"),
-	"length":          regexp.MustCompile("^length\\((\\d+)\\|(\\d+)\\)$"),
-	"runelength":      regexp.MustCompile("^runelength\\((\\d+)\\|(\\d+)\\)$"),
-	"stringlength":    regexp.MustCompile("^stringlength\\((\\d+)\\|(\\d+)\\)$"),
-	"in":              regexp.MustCompile(`^in\((.*)\)`),
-	"matches":         regexp.MustCompile(`^matches\((.+)\)$`),
-	"rsapub":          regexp.MustCompile("^rsapub\\((\\d+)\\)$"),
-	"minstringlength": regexp.MustCompile("^minstringlength\\((\\d+)\\)$"),
-	"maxstringlength": regexp.MustCompile("^maxstringlength\\((\\d+)\\)$"),
-}
-
-type customTypeTagMap struct {
-	validators map[string]CustomTypeValidator
-
-	sync.RWMutex
-}
-
-func (tm *customTypeTagMap) Get(name string) (CustomTypeValidator, bool) {
-	tm.RLock()
-	defer tm.RUnlock()
-	v, ok := tm.validators[name]
-	return v, ok
-}
-
-func (tm *customTypeTagMap) Set(name string, ctv CustomTypeValidator) {
-	tm.Lock()
-	defer tm.Unlock()
-	tm.validators[name] = ctv
-}
-
-// CustomTypeTagMap is a map of functions that can be used as tags for ValidateStruct function.
-// Use this to validate compound or custom types that need to be handled as a whole, e.g.
-// `type UUID [16]byte` (this would be handled as an array of bytes).
-var CustomTypeTagMap = &customTypeTagMap{validators: make(map[string]CustomTypeValidator)}
-
-// TagMap is a map of functions, that can be used as tags for ValidateStruct function.
-var TagMap = map[string]Validator{
-	"email":              IsEmail,
-	"url":                IsURL,
-	"dialstring":         IsDialString,
-	"requrl":             IsRequestURL,
-	"requri":             IsRequestURI,
-	"alpha":              IsAlpha,
-	"utfletter":          IsUTFLetter,
-	"alphanum":           IsAlphanumeric,
-	"utfletternum":       IsUTFLetterNumeric,
-	"numeric":            IsNumeric,
-	"utfnumeric":         IsUTFNumeric,
-	"utfdigit":           IsUTFDigit,
-	"hexadecimal":        IsHexadecimal,
-	"hexcolor":           IsHexcolor,
-	"rgbcolor":           IsRGBcolor,
-	"lowercase":          IsLowerCase,
-	"uppercase":          IsUpperCase,
-	"int":                IsInt,
-	"float":              IsFloat,
-	"null":               IsNull,
-	"notnull":            IsNotNull,
-	"uuid":               IsUUID,
-	"uuidv3":             IsUUIDv3,
-	"uuidv4":             IsUUIDv4,
-	"uuidv5":             IsUUIDv5,
-	"creditcard":         IsCreditCard,
-	"isbn10":             IsISBN10,
-	"isbn13":             IsISBN13,
-	"json":               IsJSON,
-	"multibyte":          IsMultibyte,
-	"ascii":              IsASCII,
-	"printableascii":     IsPrintableASCII,
-	"fullwidth":          IsFullWidth,
-	"halfwidth":          IsHalfWidth,
-	"variablewidth":      IsVariableWidth,
-	"base64":             IsBase64,
-	"datauri":            IsDataURI,
-	"ip":                 IsIP,
-	"port":               IsPort,
-	"ipv4":               IsIPv4,
-	"ipv6":               IsIPv6,
-	"dns":                IsDNSName,
-	"host":               IsHost,
-	"mac":                IsMAC,
-	"latitude":           IsLatitude,
-	"longitude":          IsLongitude,
-	"ssn":                IsSSN,
-	"semver":             IsSemver,
-	"rfc3339":            IsRFC3339,
-	"rfc3339WithoutZone": IsRFC3339WithoutZone,
-	"ISO3166Alpha2":      IsISO3166Alpha2,
-	"ISO3166Alpha3":      IsISO3166Alpha3,
-	"ISO4217":            IsISO4217,
-	"IMEI":               IsIMEI,
-	"ulid":               IsULID,
-}
-
-// ISO3166Entry stores country codes
-type ISO3166Entry struct {
-	EnglishShortName string
-	FrenchShortName  string
-	Alpha2Code       string
-	Alpha3Code       string
-	Numeric          string
-}
-
-//ISO3166List based on https://www.iso.org/obp/ui/#search/code/ Code Type "Officially Assigned Codes"
-var ISO3166List = []ISO3166Entry{
-	{"Afghanistan", "Afghanistan (l')", "AF", "AFG", "004"},
-	{"Albania", "Albanie (l')", "AL", "ALB", "008"},
-	{"Antarctica", "Antarctique (l')", "AQ", "ATA", "010"},
-	{"Algeria", "Algérie (l')", "DZ", "DZA", "012"},
-	{"American Samoa", "Samoa américaines (les)", "AS", "ASM", "016"},
-	{"Andorra", "Andorre (l')", "AD", "AND", "020"},
-	{"Angola", "Angola (l')", "AO", "AGO", "024"},
-	{"Antigua and Barbuda", "Antigua-et-Barbuda", "AG", "ATG", "028"},
-	{"Azerbaijan", "Azerbaïdjan (l')", "AZ", "AZE", "031"},
-	{"Argentina", "Argentine (l')", "AR", "ARG", "032"},
-	{"Australia", "Australie (l')", "AU", "AUS", "036"},
-	{"Austria", "Autriche (l')", "AT", "AUT", "040"},
-	{"Bahamas (the)", "Bahamas (les)", "BS", "BHS", "044"},
-	{"Bahrain", "Bahreïn", "BH", "BHR", "048"},
-	{"Bangladesh", "Bangladesh (le)", "BD", "BGD", "050"},
-	{"Armenia", "Arménie (l')", "AM", "ARM", "051"},
-	{"Barbados", "Barbade (la)", "BB", "BRB", "052"},
-	{"Belgium", "Belgique (la)", "BE", "BEL", "056"},
-	{"Bermuda", "Bermudes (les)", "BM", "BMU", "060"},
-	{"Bhutan", "Bhoutan (le)", "BT", "BTN", "064"},
-	{"Bolivia (Plurinational State of)", "Bolivie (État plurinational de)", "BO", "BOL", "068"},
-	{"Bosnia and Herzegovina", "Bosnie-Herzégovine (la)", "BA", "BIH", "070"},
-	{"Botswana", "Botswana (le)", "BW", "BWA", "072"},
-	{"Bouvet Island", "Bouvet (l'Île)", "BV", "BVT", "074"},
-	{"Brazil", "Brésil (le)", "BR", "BRA", "076"},
-	{"Belize", "Belize (le)", "BZ", "BLZ", "084"},
-	{"British Indian Ocean Territory (the)", "Indien (le Territoire britannique de l'océan)", "IO", "IOT", "086"},
-	{"Solomon Islands", "Salomon (Îles)", "SB", "SLB", "090"},
-	{"Virgin Islands (British)", "Vierges britanniques (les Îles)", "VG", "VGB", "092"},
-	{"Brunei Darussalam", "Brunéi Darussalam (le)", "BN", "BRN", "096"},
-	{"Bulgaria", "Bulgarie (la)", "BG", "BGR", "100"},
-	{"Myanmar", "Myanmar (le)", "MM", "MMR", "104"},
-	{"Burundi", "Burundi (le)", "BI", "BDI", "108"},
-	{"Belarus", "Bélarus (le)", "BY", "BLR", "112"},
-	{"Cambodia", "Cambodge (le)", "KH", "KHM", "116"},
-	{"Cameroon", "Cameroun (le)", "CM", "CMR", "120"},
-	{"Canada", "Canada (le)", "CA", "CAN", "124"},
-	{"Cabo Verde", "Cabo Verde", "CV", "CPV", "132"},
-	{"Cayman Islands (the)", "Caïmans (les Îles)", "KY", "CYM", "136"},
-	{"Central African Republic (the)", "République centrafricaine (la)", "CF", "CAF", "140"},
-	{"Sri Lanka", "Sri Lanka", "LK", "LKA", "144"},
-	{"Chad", "Tchad (le)", "TD", "TCD", "148"},
-	{"Chile", "Chili (le)", "CL", "CHL", "152"},
-	{"China", "Chine (la)", "CN", "CHN", "156"},
-	{"Taiwan (Province of China)", "Taïwan (Province de Chine)", "TW", "TWN", "158"},
-	{"Christmas Island", "Christmas (l'Île)", "CX", "CXR", "162"},
-	{"Cocos (Keeling) Islands (the)", "Cocos (les Îles)/ Keeling (les Îles)", "CC", "CCK", "166"},
-	{"Colombia", "Colombie (la)", "CO", "COL", "170"},
-	{"Comoros (the)", "Comores (les)", "KM", "COM", "174"},
-	{"Mayotte", "Mayotte", "YT", "MYT", "175"},
-	{"Congo (the)", "Congo (le)", "CG", "COG", "178"},
-	{"Congo (the Democratic Republic of the)", "Congo (la République démocratique du)", "CD", "COD", "180"},
-	{"Cook Islands (the)", "Cook (les Îles)", "CK", "COK", "184"},
-	{"Costa Rica", "Costa Rica (le)", "CR", "CRI", "188"},
-	{"Croatia", "Croatie (la)", "HR", "HRV", "191"},
-	{"Cuba", "Cuba", "CU", "CUB", "192"},
-	{"Cyprus", "Chypre", "CY", "CYP", "196"},
-	{"Czech Republic (the)", "tchèque (la République)", "CZ", "CZE", "203"},
-	{"Benin", "Bénin (le)", "BJ", "BEN", "204"},
-	{"Denmark", "Danemark (le)", "DK", "DNK", "208"},
-	{"Dominica", "Dominique (la)", "DM", "DMA", "212"},
-	{"Dominican Republic (the)", "dominicaine (la République)", "DO", "DOM", "214"},
-	{"Ecuador", "Équateur (l')", "EC", "ECU", "218"},
-	{"El Salvador", "El Salvador", "SV", "SLV", "222"},
-	{"Equatorial Guinea", "Guinée équatoriale (la)", "GQ", "GNQ", "226"},
-	{"Ethiopia", "Éthiopie (l')", "ET", "ETH", "231"},
-	{"Eritrea", "Érythrée (l')", "ER", "ERI", "232"},
-	{"Estonia", "Estonie (l')", "EE", "EST", "233"},
-	{"Faroe Islands (the)", "Féroé (les Îles)", "FO", "FRO", "234"},
-	{"Falkland Islands (the) [Malvinas]", "Falkland (les Îles)/Malouines (les Îles)", "FK", "FLK", "238"},
-	{"South Georgia and the South Sandwich Islands", "Géorgie du Sud-et-les Îles Sandwich du Sud (la)", "GS", "SGS", "239"},
-	{"Fiji", "Fidji (les)", "FJ", "FJI", "242"},
-	{"Finland", "Finlande (la)", "FI", "FIN", "246"},
-	{"Åland Islands", "Åland(les Îles)", "AX", "ALA", "248"},
-	{"France", "France (la)", "FR", "FRA", "250"},
-	{"French Guiana", "Guyane française (la )", "GF", "GUF", "254"},
-	{"French Polynesia", "Polynésie française (la)", "PF", "PYF", "258"},
-	{"French Southern Territories (the)", "Terres australes françaises (les)", "TF", "ATF", "260"},
-	{"Djibouti", "Djibouti", "DJ", "DJI", "262"},
-	{"Gabon", "Gabon (le)", "GA", "GAB", "266"},
-	{"Georgia", "Géorgie (la)", "GE", "GEO", "268"},
-	{"Gambia (the)", "Gambie (la)", "GM", "GMB", "270"},
-	{"Palestine, State of", "Palestine, État de", "PS", "PSE", "275"},
-	{"Germany", "Allemagne (l')", "DE", "DEU", "276"},
-	{"Ghana", "Ghana (le)", "GH", "GHA", "288"},
-	{"Gibraltar", "Gibraltar", "GI", "GIB", "292"},
-	{"Kiribati", "Kiribati", "KI", "KIR", "296"},
-	{"Greece", "Grèce (la)", "GR", "GRC", "300"},
-	{"Greenland", "Groenland (le)", "GL", "GRL", "304"},
-	{"Grenada", "Grenade (la)", "GD", "GRD", "308"},
-	{"Guadeloupe", "Guadeloupe (la)", "GP", "GLP", "312"},
-	{"Guam", "Guam", "GU", "GUM", "316"},
-	{"Guatemala", "Guatemala (le)", "GT", "GTM", "320"},
-	{"Guinea", "Guinée (la)", "GN", "GIN", "324"},
-	{"Guyana", "Guyana (le)", "GY", "GUY", "328"},
-	{"Haiti", "Haïti", "HT", "HTI", "332"},
-	{"Heard Island and McDonald Islands", "Heard-et-Îles MacDonald (l'Île)", "HM", "HMD", "334"},
-	{"Holy See (the)", "Saint-Siège (le)", "VA", "VAT", "336"},
-	{"Honduras", "Honduras (le)", "HN", "HND", "340"},
-	{"Hong Kong", "Hong Kong", "HK", "HKG", "344"},
-	{"Hungary", "Hongrie (la)", "HU", "HUN", "348"},
-	{"Iceland", "Islande (l')", "IS", "ISL", "352"},
-	{"India", "Inde (l')", "IN", "IND", "356"},
-	{"Indonesia", "Indonésie (l')", "ID", "IDN", "360"},
-	{"Iran (Islamic Republic of)", "Iran (République Islamique d')", "IR", "IRN", "364"},
-	{"Iraq", "Iraq (l')", "IQ", "IRQ", "368"},
-	{"Ireland", "Irlande (l')", "IE", "IRL", "372"},
-	{"Israel", "Israël", "IL", "ISR", "376"},
-	{"Italy", "Italie (l')", "IT", "ITA", "380"},
-	{"Côte d'Ivoire", "Côte d'Ivoire (la)", "CI", "CIV", "384"},
-	{"Jamaica", "Jamaïque (la)", "JM", "JAM", "388"},
-	{"Japan", "Japon (le)", "JP", "JPN", "392"},
-	{"Kazakhstan", "Kazakhstan (le)", "KZ", "KAZ", "398"},
-	{"Jordan", "Jordanie (la)", "JO", "JOR", "400"},
-	{"Kenya", "Kenya (le)", "KE", "KEN", "404"},
-	{"Korea (the Democratic People's Republic of)", "Corée (la République populaire démocratique de)", "KP", "PRK", "408"},
-	{"Korea (the Republic of)", "Corée (la République de)", "KR", "KOR", "410"},
-	{"Kuwait", "Koweït (le)", "KW", "KWT", "414"},
-	{"Kyrgyzstan", "Kirghizistan (le)", "KG", "KGZ", "417"},
-	{"Lao People's Democratic Republic (the)", "Lao, République démocratique populaire", "LA", "LAO", "418"},
-	{"Lebanon", "Liban (le)", "LB", "LBN", "422"},
-	{"Lesotho", "Lesotho (le)", "LS", "LSO", "426"},
-	{"Latvia", "Lettonie (la)", "LV", "LVA", "428"},
-	{"Liberia", "Libéria (le)", "LR", "LBR", "430"},
-	{"Libya", "Libye (la)", "LY", "LBY", "434"},
-	{"Liechtenstein", "Liechtenstein (le)", "LI", "LIE", "438"},
-	{"Lithuania", "Lituanie (la)", "LT", "LTU", "440"},
-	{"Luxembourg", "Luxembourg (le)", "LU", "LUX", "442"},
-	{"Macao", "Macao", "MO", "MAC", "446"},
-	{"Madagascar", "Madagascar", "MG", "MDG", "450"},
-	{"Malawi", "Malawi (le)", "MW", "MWI", "454"},
-	{"Malaysia", "Malaisie (la)", "MY", "MYS", "458"},
-	{"Maldives", "Maldives (les)", "MV", "MDV", "462"},
-	{"Mali", "Mali (le)", "ML", "MLI", "466"},
-	{"Malta", "Malte", "MT", "MLT", "470"},
-	{"Martinique", "Martinique (la)", "MQ", "MTQ", "474"},
-	{"Mauritania", "Mauritanie (la)", "MR", "MRT", "478"},
-	{"Mauritius", "Maurice", "MU", "MUS", "480"},
-	{"Mexico", "Mexique (le)", "MX", "MEX", "484"},
-	{"Monaco", "Monaco", "MC", "MCO", "492"},
-	{"Mongolia", "Mongolie (la)", "MN", "MNG", "496"},
-	{"Moldova (the Republic of)", "Moldova , République de", "MD", "MDA", "498"},
-	{"Montenegro", "Monténégro (le)", "ME", "MNE", "499"},
-	{"Montserrat", "Montserrat", "MS", "MSR", "500"},
-	{"Morocco", "Maroc (le)", "MA", "MAR", "504"},
-	{"Mozambique", "Mozambique (le)", "MZ", "MOZ", "508"},
-	{"Oman", "Oman", "OM", "OMN", "512"},
-	{"Namibia", "Namibie (la)", "NA", "NAM", "516"},
-	{"Nauru", "Nauru", "NR", "NRU", "520"},
-	{"Nepal", "Népal (le)", "NP", "NPL", "524"},
-	{"Netherlands (the)", "Pays-Bas (les)", "NL", "NLD", "528"},
-	{"Curaçao", "Curaçao", "CW", "CUW", "531"},
-	{"Aruba", "Aruba", "AW", "ABW", "533"},
-	{"Sint Maarten (Dutch part)", "Saint-Martin (partie néerlandaise)", "SX", "SXM", "534"},
-	{"Bonaire, Sint Eustatius and Saba", "Bonaire, Saint-Eustache et Saba", "BQ", "BES", "535"},
-	{"New Caledonia", "Nouvelle-Calédonie (la)", "NC", "NCL", "540"},
-	{"Vanuatu", "Vanuatu (le)", "VU", "VUT", "548"},
-	{"New Zealand", "Nouvelle-Zélande (la)", "NZ", "NZL", "554"},
-	{"Nicaragua", "Nicaragua (le)", "NI", "NIC", "558"},
-	{"Niger (the)", "Niger (le)", "NE", "NER", "562"},
-	{"Nigeria", "Nigéria (le)", "NG", "NGA", "566"},
-	{"Niue", "Niue", "NU", "NIU", "570"},
-	{"Norfolk Island", "Norfolk (l'Île)", "NF", "NFK", "574"},
-	{"Norway", "Norvège (la)", "NO", "NOR", "578"},
-	{"Northern Mariana Islands (the)", "Mariannes du Nord (les Îles)", "MP", "MNP", "580"},
-	{"United States Minor Outlying Islands (the)", "Îles mineures éloignées des États-Unis (les)", "UM", "UMI", "581"},
-	{"Micronesia (Federated States of)", "Micronésie (États fédérés de)", "FM", "FSM", "583"},
-	{"Marshall Islands (the)", "Marshall (Îles)", "MH", "MHL", "584"},
-	{"Palau", "Palaos (les)", "PW", "PLW", "585"},
-	{"Pakistan", "Pakistan (le)", "PK", "PAK", "586"},
-	{"Panama", "Panama (le)", "PA", "PAN", "591"},
-	{"Papua New Guinea", "Papouasie-Nouvelle-Guinée (la)", "PG", "PNG", "598"},
-	{"Paraguay", "Paraguay (le)", "PY", "PRY", "600"},
-	{"Peru", "Pérou (le)", "PE", "PER", "604"},
-	{"Philippines (the)", "Philippines (les)", "PH", "PHL", "608"},
-	{"Pitcairn", "Pitcairn", "PN", "PCN", "612"},
-	{"Poland", "Pologne (la)", "PL", "POL", "616"},
-	{"Portugal", "Portugal (le)", "PT", "PRT", "620"},
-	{"Guinea-Bissau", "Guinée-Bissau (la)", "GW", "GNB", "624"},
-	{"Timor-Leste", "Timor-Leste (le)", "TL", "TLS", "626"},
-	{"Puerto Rico", "Porto Rico", "PR", "PRI", "630"},
-	{"Qatar", "Qatar (le)", "QA", "QAT", "634"},
-	{"Réunion", "Réunion (La)", "RE", "REU", "638"},
-	{"Romania", "Roumanie (la)", "RO", "ROU", "642"},
-	{"Russian Federation (the)", "Russie (la Fédération de)", "RU", "RUS", "643"},
-	{"Rwanda", "Rwanda (le)", "RW", "RWA", "646"},
-	{"Saint Barthélemy", "Saint-Barthélemy", "BL", "BLM", "652"},
-	{"Saint Helena, Ascension and Tristan da Cunha", "Sainte-Hélène, Ascension et Tristan da Cunha", "SH", "SHN", "654"},
-	{"Saint Kitts and Nevis", "Saint-Kitts-et-Nevis", "KN", "KNA", "659"},
-	{"Anguilla", "Anguilla", "AI", "AIA", "660"},
-	{"Saint Lucia", "Sainte-Lucie", "LC", "LCA", "662"},
-	{"Saint Martin (French part)", "Saint-Martin (partie française)", "MF", "MAF", "663"},
-	{"Saint Pierre and Miquelon", "Saint-Pierre-et-Miquelon", "PM", "SPM", "666"},
-	{"Saint Vincent and the Grenadines", "Saint-Vincent-et-les Grenadines", "VC", "VCT", "670"},
-	{"San Marino", "Saint-Marin", "SM", "SMR", "674"},
-	{"Sao Tome and Principe", "Sao Tomé-et-Principe", "ST", "STP", "678"},
-	{"Saudi Arabia", "Arabie saoudite (l')", "SA", "SAU", "682"},
-	{"Senegal", "Sénégal (le)", "SN", "SEN", "686"},
-	{"Serbia", "Serbie (la)", "RS", "SRB", "688"},
-	{"Seychelles", "Seychelles (les)", "SC", "SYC", "690"},
-	{"Sierra Leone", "Sierra Leone (la)", "SL", "SLE", "694"},
-	{"Singapore", "Singapour", "SG", "SGP", "702"},
-	{"Slovakia", "Slovaquie (la)", "SK", "SVK", "703"},
-	{"Viet Nam", "Viet Nam (le)", "VN", "VNM", "704"},
-	{"Slovenia", "Slovénie (la)", "SI", "SVN", "705"},
-	{"Somalia", "Somalie (la)", "SO", "SOM", "706"},
-	{"South Africa", "Afrique du Sud (l')", "ZA", "ZAF", "710"},
-	{"Zimbabwe", "Zimbabwe (le)", "ZW", "ZWE", "716"},
-	{"Spain", "Espagne (l')", "ES", "ESP", "724"},
-	{"South Sudan", "Soudan du Sud (le)", "SS", "SSD", "728"},
-	{"Sudan (the)", "Soudan (le)", "SD", "SDN", "729"},
-	{"Western Sahara*", "Sahara occidental (le)*", "EH", "ESH", "732"},
-	{"Suriname", "Suriname (le)", "SR", "SUR", "740"},
-	{"Svalbard and Jan Mayen", "Svalbard et l'Île Jan Mayen (le)", "SJ", "SJM", "744"},
-	{"Swaziland", "Swaziland (le)", "SZ", "SWZ", "748"},
-	{"Sweden", "Suède (la)", "SE", "SWE", "752"},
-	{"Switzerland", "Suisse (la)", "CH", "CHE", "756"},
-	{"Syrian Arab Republic", "République arabe syrienne (la)", "SY", "SYR", "760"},
-	{"Tajikistan", "Tadjikistan (le)", "TJ", "TJK", "762"},
-	{"Thailand", "Thaïlande (la)", "TH", "THA", "764"},
-	{"Togo", "Togo (le)", "TG", "TGO", "768"},
-	{"Tokelau", "Tokelau (les)", "TK", "TKL", "772"},
-	{"Tonga", "Tonga (les)", "TO", "TON", "776"},
-	{"Trinidad and Tobago", "Trinité-et-Tobago (la)", "TT", "TTO", "780"},
-	{"United Arab Emirates (the)", "Émirats arabes unis (les)", "AE", "ARE", "784"},
-	{"Tunisia", "Tunisie (la)", "TN", "TUN", "788"},
-	{"Turkey", "Turquie (la)", "TR", "TUR", "792"},
-	{"Turkmenistan", "Turkménistan (le)", "TM", "TKM", "795"},
-	{"Turks and Caicos Islands (the)", "Turks-et-Caïcos (les Îles)", "TC", "TCA", "796"},
-	{"Tuvalu", "Tuvalu (les)", "TV", "TUV", "798"},
-	{"Uganda", "Ouganda (l')", "UG", "UGA", "800"},
-	{"Ukraine", "Ukraine (l')", "UA", "UKR", "804"},
-	{"Macedonia (the former Yugoslav Republic of)", "Macédoine (l'ex‑République yougoslave de)", "MK", "MKD", "807"},
-	{"Egypt", "Égypte (l')", "EG", "EGY", "818"},
-	{"United Kingdom of Great Britain and Northern Ireland (the)", "Royaume-Uni de Grande-Bretagne et d'Irlande du Nord (le)", "GB", "GBR", "826"},
-	{"Guernsey", "Guernesey", "GG", "GGY", "831"},
-	{"Jersey", "Jersey", "JE", "JEY", "832"},
-	{"Isle of Man", "Île de Man", "IM", "IMN", "833"},
-	{"Tanzania, United Republic of", "Tanzanie, République-Unie de", "TZ", "TZA", "834"},
-	{"United States of America (the)", "États-Unis d'Amérique (les)", "US", "USA", "840"},
-	{"Virgin Islands (U.S.)", "Vierges des États-Unis (les Îles)", "VI", "VIR", "850"},
-	{"Burkina Faso", "Burkina Faso (le)", "BF", "BFA", "854"},
-	{"Uruguay", "Uruguay (l')", "UY", "URY", "858"},
-	{"Uzbekistan", "Ouzbékistan (l')", "UZ", "UZB", "860"},
-	{"Venezuela (Bolivarian Republic of)", "Venezuela (République bolivarienne du)", "VE", "VEN", "862"},
-	{"Wallis and Futuna", "Wallis-et-Futuna", "WF", "WLF", "876"},
-	{"Samoa", "Samoa (le)", "WS", "WSM", "882"},
-	{"Yemen", "Yémen (le)", "YE", "YEM", "887"},
-	{"Zambia", "Zambie (la)", "ZM", "ZMB", "894"},
-}
-
-// ISO4217List is the list of ISO currency codes
-var ISO4217List = []string{
-	"AED", "AFN", "ALL", "AMD", "ANG", "AOA", "ARS", "AUD", "AWG", "AZN",
-	"BAM", "BBD", "BDT", "BGN", "BHD", "BIF", "BMD", "BND", "BOB", "BOV", "BRL", "BSD", "BTN", "BWP", "BYN", "BZD",
-	"CAD", "CDF", "CHE", "CHF", "CHW", "CLF", "CLP", "CNY", "COP", "COU", "CRC", "CUC", "CUP", "CVE", "CZK",
-	"DJF", "DKK", "DOP", "DZD",
-	"EGP", "ERN", "ETB", "EUR",
-	"FJD", "FKP",
-	"GBP", "GEL", "GHS", "GIP", "GMD", "GNF", "GTQ", "GYD",
-	"HKD", "HNL", "HRK", "HTG", "HUF",
-	"IDR", "ILS", "INR", "IQD", "IRR", "ISK",
-	"JMD", "JOD", "JPY",
-	"KES", "KGS", "KHR", "KMF", "KPW", "KRW", "KWD", "KYD", "KZT",
-	"LAK", "LBP", "LKR", "LRD", "LSL", "LYD",
-	"MAD", "MDL", "MGA", "MKD", "MMK", "MNT", "MOP", "MRO", "MUR", "MVR", "MWK", "MXN", "MXV", "MYR", "MZN",
-	"NAD", "NGN", "NIO", "NOK", "NPR", "NZD",
-	"OMR",
-	"PAB", "PEN", "PGK", "PHP", "PKR", "PLN", "PYG",
-	"QAR",
-	"RON", "RSD", "RUB", "RWF",
-	"SAR", "SBD", "SCR", "SDG", "SEK", "SGD", "SHP", "SLL", "SOS", "SRD", "SSP", "STD", "STN", "SVC", "SYP", "SZL",
-	"THB", "TJS", "TMT", "TND", "TOP", "TRY", "TTD", "TWD", "TZS",
-	"UAH", "UGX", "USD", "USN", "UYI", "UYU", "UYW", "UZS",
-	"VEF", "VES", "VND", "VUV",
-	"WST",
-	"XAF", "XAG", "XAU", "XBA", "XBB", "XBC", "XBD", "XCD", "XDR", "XOF", "XPD", "XPF", "XPT", "XSU", "XTS", "XUA", "XXX",
-	"YER",
-	"ZAR", "ZMW", "ZWL",
-}
-
-// ISO693Entry stores ISO language codes
-type ISO693Entry struct {
-	Alpha3bCode string
-	Alpha2Code  string
-	English     string
-}
-
-//ISO693List based on http://data.okfn.org/data/core/language-codes/r/language-codes-3b2.json
-var ISO693List = []ISO693Entry{
-	{Alpha3bCode: "aar", Alpha2Code: "aa", English: "Afar"},
-	{Alpha3bCode: "abk", Alpha2Code: "ab", English: "Abkhazian"},
-	{Alpha3bCode: "afr", Alpha2Code: "af", English: "Afrikaans"},
-	{Alpha3bCode: "aka", Alpha2Code: "ak", English: "Akan"},
-	{Alpha3bCode: "alb", Alpha2Code: "sq", English: "Albanian"},
-	{Alpha3bCode: "amh", Alpha2Code: "am", English: "Amharic"},
-	{Alpha3bCode: "ara", Alpha2Code: "ar", English: "Arabic"},
-	{Alpha3bCode: "arg", Alpha2Code: "an", English: "Aragonese"},
-	{Alpha3bCode: "arm", Alpha2Code: "hy", English: "Armenian"},
-	{Alpha3bCode: "asm", Alpha2Code: "as", English: "Assamese"},
-	{Alpha3bCode: "ava", Alpha2Code: "av", English: "Avaric"},
-	{Alpha3bCode: "ave", Alpha2Code: "ae", English: "Avestan"},
-	{Alpha3bCode: "aym", Alpha2Code: "ay", English: "Aymara"},
-	{Alpha3bCode: "aze", Alpha2Code: "az", English: "Azerbaijani"},
-	{Alpha3bCode: "bak", Alpha2Code: "ba", English: "Bashkir"},
-	{Alpha3bCode: "bam", Alpha2Code: "bm", English: "Bambara"},
-	{Alpha3bCode: "baq", Alpha2Code: "eu", English: "Basque"},
-	{Alpha3bCode: "bel", Alpha2Code: "be", English: "Belarusian"},
-	{Alpha3bCode: "ben", Alpha2Code: "bn", English: "Bengali"},
-	{Alpha3bCode: "bih", Alpha2Code: "bh", English: "Bihari languages"},
-	{Alpha3bCode: "bis", Alpha2Code: "bi", English: "Bislama"},
-	{Alpha3bCode: "bos", Alpha2Code: "bs", English: "Bosnian"},
-	{Alpha3bCode: "bre", Alpha2Code: "br", English: "Breton"},
-	{Alpha3bCode: "bul", Alpha2Code: "bg", English: "Bulgarian"},
-	{Alpha3bCode: "bur", Alpha2Code: "my", English: "Burmese"},
-	{Alpha3bCode: "cat", Alpha2Code: "ca", English: "Catalan; Valencian"},
-	{Alpha3bCode: "cha", Alpha2Code: "ch", English: "Chamorro"},
-	{Alpha3bCode: "che", Alpha2Code: "ce", English: "Chechen"},
-	{Alpha3bCode: "chi", Alpha2Code: "zh", English: "Chinese"},
-	{Alpha3bCode: "chu", Alpha2Code: "cu", English: "Church Slavic; Old Slavonic; Church Slavonic; Old Bulgarian; Old Church Slavonic"},
-	{Alpha3bCode: "chv", Alpha2Code: "cv", English: "Chuvash"},
-	{Alpha3bCode: "cor", Alpha2Code: "kw", English: "Cornish"},
-	{Alpha3bCode: "cos", Alpha2Code: "co", English: "Corsican"},
-	{Alpha3bCode: "cre", Alpha2Code: "cr", English: "Cree"},
-	{Alpha3bCode: "cze", Alpha2Code: "cs", English: "Czech"},
-	{Alpha3bCode: "dan", Alpha2Code: "da", English: "Danish"},
-	{Alpha3bCode: "div", Alpha2Code: "dv", English: "Divehi; Dhivehi; Maldivian"},
-	{Alpha3bCode: "dut", Alpha2Code: "nl", English: "Dutch; Flemish"},
-	{Alpha3bCode: "dzo", Alpha2Code: "dz", English: "Dzongkha"},
-	{Alpha3bCode: "eng", Alpha2Code: "en", English: "English"},
-	{Alpha3bCode: "epo", Alpha2Code: "eo", English: "Esperanto"},
-	{Alpha3bCode: "est", Alpha2Code: "et", English: "Estonian"},
-	{Alpha3bCode: "ewe", Alpha2Code: "ee", English: "Ewe"},
-	{Alpha3bCode: "fao", Alpha2Code: "fo", English: "Faroese"},
-	{Alpha3bCode: "fij", Alpha2Code: "fj", English: "Fijian"},
-	{Alpha3bCode: "fin", Alpha2Code: "fi", English: "Finnish"},
-	{Alpha3bCode: "fre", Alpha2Code: "fr", English: "French"},
-	{Alpha3bCode: "fry", Alpha2Code: "fy", English: "Western Frisian"},
-	{Alpha3bCode: "ful", Alpha2Code: "ff", English: "Fulah"},
-	{Alpha3bCode: "geo", Alpha2Code: "ka", English: "Georgian"},
-	{Alpha3bCode: "ger", Alpha2Code: "de", English: "German"},
-	{Alpha3bCode: "gla", Alpha2Code: "gd", English: "Gaelic; Scottish Gaelic"},
-	{Alpha3bCode: "gle", Alpha2Code: "ga", English: "Irish"},
-	{Alpha3bCode: "glg", Alpha2Code: "gl", English: "Galician"},
-	{Alpha3bCode: "glv", Alpha2Code: "gv", English: "Manx"},
-	{Alpha3bCode: "gre", Alpha2Code: "el", English: "Greek, Modern (1453-)"},
-	{Alpha3bCode: "grn", Alpha2Code: "gn", English: "Guarani"},
-	{Alpha3bCode: "guj", Alpha2Code: "gu", English: "Gujarati"},
-	{Alpha3bCode: "hat", Alpha2Code: "ht", English: "Haitian; Haitian Creole"},
-	{Alpha3bCode: "hau", Alpha2Code: "ha", English: "Hausa"},
-	{Alpha3bCode: "heb", Alpha2Code: "he", English: "Hebrew"},
-	{Alpha3bCode: "her", Alpha2Code: "hz", English: "Herero"},
-	{Alpha3bCode: "hin", Alpha2Code: "hi", English: "Hindi"},
-	{Alpha3bCode: "hmo", Alpha2Code: "ho", English: "Hiri Motu"},
-	{Alpha3bCode: "hrv", Alpha2Code: "hr", English: "Croatian"},
-	{Alpha3bCode: "hun", Alpha2Code: "hu", English: "Hungarian"},
-	{Alpha3bCode: "ibo", Alpha2Code: "ig", English: "Igbo"},
-	{Alpha3bCode: "ice", Alpha2Code: "is", English: "Icelandic"},
-	{Alpha3bCode: "ido", Alpha2Code: "io", English: "Ido"},
-	{Alpha3bCode: "iii", Alpha2Code: "ii", English: "Sichuan Yi; Nuosu"},
-	{Alpha3bCode: "iku", Alpha2Code: "iu", English: "Inuktitut"},
-	{Alpha3bCode: "ile", Alpha2Code: "ie", English: "Interlingue; Occidental"},
-	{Alpha3bCode: "ina", Alpha2Code: "ia", English: "Interlingua (International Auxiliary Language Association)"},
-	{Alpha3bCode: "ind", Alpha2Code: "id", English: "Indonesian"},
-	{Alpha3bCode: "ipk", Alpha2Code: "ik", English: "Inupiaq"},
-	{Alpha3bCode: "ita", Alpha2Code: "it", English: "Italian"},
-	{Alpha3bCode: "jav", Alpha2Code: "jv", English: "Javanese"},
-	{Alpha3bCode: "jpn", Alpha2Code: "ja", English: "Japanese"},
-	{Alpha3bCode: "kal", Alpha2Code: "kl", English: "Kalaallisut; Greenlandic"},
-	{Alpha3bCode: "kan", Alpha2Code: "kn", English: "Kannada"},
-	{Alpha3bCode: "kas", Alpha2Code: "ks", English: "Kashmiri"},
-	{Alpha3bCode: "kau", Alpha2Code: "kr", English: "Kanuri"},
-	{Alpha3bCode: "kaz", Alpha2Code: "kk", English: "Kazakh"},
-	{Alpha3bCode: "khm", Alpha2Code: "km", English: "Central Khmer"},
-	{Alpha3bCode: "kik", Alpha2Code: "ki", English: "Kikuyu; Gikuyu"},
-	{Alpha3bCode: "kin", Alpha2Code: "rw", English: "Kinyarwanda"},
-	{Alpha3bCode: "kir", Alpha2Code: "ky", English: "Kirghiz; Kyrgyz"},
-	{Alpha3bCode: "kom", Alpha2Code: "kv", English: "Komi"},
-	{Alpha3bCode: "kon", Alpha2Code: "kg", English: "Kongo"},
-	{Alpha3bCode: "kor", Alpha2Code: "ko", English: "Korean"},
-	{Alpha3bCode: "kua", Alpha2Code: "kj", English: "Kuanyama; Kwanyama"},
-	{Alpha3bCode: "kur", Alpha2Code: "ku", English: "Kurdish"},
-	{Alpha3bCode: "lao", Alpha2Code: "lo", English: "Lao"},
-	{Alpha3bCode: "lat", Alpha2Code: "la", English: "Latin"},
-	{Alpha3bCode: "lav", Alpha2Code: "lv", English: "Latvian"},
-	{Alpha3bCode: "lim", Alpha2Code: "li", English: "Limburgan; Limburger; Limburgish"},
-	{Alpha3bCode: "lin", Alpha2Code: "ln", English: "Lingala"},
-	{Alpha3bCode: "lit", Alpha2Code: "lt", English: "Lithuanian"},
-	{Alpha3bCode: "ltz", Alpha2Code: "lb", English: "Luxembourgish; Letzeburgesch"},
-	{Alpha3bCode: "lub", Alpha2Code: "lu", English: "Luba-Katanga"},
-	{Alpha3bCode: "lug", Alpha2Code: "lg", English: "Ganda"},
-	{Alpha3bCode: "mac", Alpha2Code: "mk", English: "Macedonian"},
-	{Alpha3bCode: "mah", Alpha2Code: "mh", English: "Marshallese"},
-	{Alpha3bCode: "mal", Alpha2Code: "ml", English: "Malayalam"},
-	{Alpha3bCode: "mao", Alpha2Code: "mi", English: "Maori"},
-	{Alpha3bCode: "mar", Alpha2Code: "mr", English: "Marathi"},
-	{Alpha3bCode: "may", Alpha2Code: "ms", English: "Malay"},
-	{Alpha3bCode: "mlg", Alpha2Code: "mg", English: "Malagasy"},
-	{Alpha3bCode: "mlt", Alpha2Code: "mt", English: "Maltese"},
-	{Alpha3bCode: "mon", Alpha2Code: "mn", English: "Mongolian"},
-	{Alpha3bCode: "nau", Alpha2Code: "na", English: "Nauru"},
-	{Alpha3bCode: "nav", Alpha2Code: "nv", English: "Navajo; Navaho"},
-	{Alpha3bCode: "nbl", Alpha2Code: "nr", English: "Ndebele, South; South Ndebele"},
-	{Alpha3bCode: "nde", Alpha2Code: "nd", English: "Ndebele, North; North Ndebele"},
-	{Alpha3bCode: "ndo", Alpha2Code: "ng", English: "Ndonga"},
-	{Alpha3bCode: "nep", Alpha2Code: "ne", English: "Nepali"},
-	{Alpha3bCode: "nno", Alpha2Code: "nn", English: "Norwegian Nynorsk; Nynorsk, Norwegian"},
-	{Alpha3bCode: "nob", Alpha2Code: "nb", English: "Bokmål, Norwegian; Norwegian Bokmål"},
-	{Alpha3bCode: "nor", Alpha2Code: "no", English: "Norwegian"},
-	{Alpha3bCode: "nya", Alpha2Code: "ny", English: "Chichewa; Chewa; Nyanja"},
-	{Alpha3bCode: "oci", Alpha2Code: "oc", English: "Occitan (post 1500); Provençal"},
-	{Alpha3bCode: "oji", Alpha2Code: "oj", English: "Ojibwa"},
-	{Alpha3bCode: "ori", Alpha2Code: "or", English: "Oriya"},
-	{Alpha3bCode: "orm", Alpha2Code: "om", English: "Oromo"},
-	{Alpha3bCode: "oss", Alpha2Code: "os", English: "Ossetian; Ossetic"},
-	{Alpha3bCode: "pan", Alpha2Code: "pa", English: "Panjabi; Punjabi"},
-	{Alpha3bCode: "per", Alpha2Code: "fa", English: "Persian"},
-	{Alpha3bCode: "pli", Alpha2Code: "pi", English: "Pali"},
-	{Alpha3bCode: "pol", Alpha2Code: "pl", English: "Polish"},
-	{Alpha3bCode: "por", Alpha2Code: "pt", English: "Portuguese"},
-	{Alpha3bCode: "pus", Alpha2Code: "ps", English: "Pushto; Pashto"},
-	{Alpha3bCode: "que", Alpha2Code: "qu", English: "Quechua"},
-	{Alpha3bCode: "roh", Alpha2Code: "rm", English: "Romansh"},
-	{Alpha3bCode: "rum", Alpha2Code: "ro", English: "Romanian; Moldavian; Moldovan"},
-	{Alpha3bCode: "run", Alpha2Code: "rn", English: "Rundi"},
-	{Alpha3bCode: "rus", Alpha2Code: "ru", English: "Russian"},
-	{Alpha3bCode: "sag", Alpha2Code: "sg", English: "Sango"},
-	{Alpha3bCode: "san", Alpha2Code: "sa", English: "Sanskrit"},
-	{Alpha3bCode: "sin", Alpha2Code: "si", English: "Sinhala; Sinhalese"},
-	{Alpha3bCode: "slo", Alpha2Code: "sk", English: "Slovak"},
-	{Alpha3bCode: "slv", Alpha2Code: "sl", English: "Slovenian"},
-	{Alpha3bCode: "sme", Alpha2Code: "se", English: "Northern Sami"},
-	{Alpha3bCode: "smo", Alpha2Code: "sm", English: "Samoan"},
-	{Alpha3bCode: "sna", Alpha2Code: "sn", English: "Shona"},
-	{Alpha3bCode: "snd", Alpha2Code: "sd", English: "Sindhi"},
-	{Alpha3bCode: "som", Alpha2Code: "so", English: "Somali"},
-	{Alpha3bCode: "sot", Alpha2Code: "st", English: "Sotho, Southern"},
-	{Alpha3bCode: "spa", Alpha2Code: "es", English: "Spanish; Castilian"},
-	{Alpha3bCode: "srd", Alpha2Code: "sc", English: "Sardinian"},
-	{Alpha3bCode: "srp", Alpha2Code: "sr", English: "Serbian"},
-	{Alpha3bCode: "ssw", Alpha2Code: "ss", English: "Swati"},
-	{Alpha3bCode: "sun", Alpha2Code: "su", English: "Sundanese"},
-	{Alpha3bCode: "swa", Alpha2Code: "sw", English: "Swahili"},
-	{Alpha3bCode: "swe", Alpha2Code: "sv", English: "Swedish"},
-	{Alpha3bCode: "tah", Alpha2Code: "ty", English: "Tahitian"},
-	{Alpha3bCode: "tam", Alpha2Code: "ta", English: "Tamil"},
-	{Alpha3bCode: "tat", Alpha2Code: "tt", English: "Tatar"},
-	{Alpha3bCode: "tel", Alpha2Code: "te", English: "Telugu"},
-	{Alpha3bCode: "tgk", Alpha2Code: "tg", English: "Tajik"},
-	{Alpha3bCode: "tgl", Alpha2Code: "tl", English: "Tagalog"},
-	{Alpha3bCode: "tha", Alpha2Code: "th", English: "Thai"},
-	{Alpha3bCode: "tib", Alpha2Code: "bo", English: "Tibetan"},
-	{Alpha3bCode: "tir", Alpha2Code: "ti", English: "Tigrinya"},
-	{Alpha3bCode: "ton", Alpha2Code: "to", English: "Tonga (Tonga Islands)"},
-	{Alpha3bCode: "tsn", Alpha2Code: "tn", English: "Tswana"},
-	{Alpha3bCode: "tso", Alpha2Code: "ts", English: "Tsonga"},
-	{Alpha3bCode: "tuk", Alpha2Code: "tk", English: "Turkmen"},
-	{Alpha3bCode: "tur", Alpha2Code: "tr", English: "Turkish"},
-	{Alpha3bCode: "twi", Alpha2Code: "tw", English: "Twi"},
-	{Alpha3bCode: "uig", Alpha2Code: "ug", English: "Uighur; Uyghur"},
-	{Alpha3bCode: "ukr", Alpha2Code: "uk", English: "Ukrainian"},
-	{Alpha3bCode: "urd", Alpha2Code: "ur", English: "Urdu"},
-	{Alpha3bCode: "uzb", Alpha2Code: "uz", English: "Uzbek"},
-	{Alpha3bCode: "ven", Alpha2Code: "ve", English: "Venda"},
-	{Alpha3bCode: "vie", Alpha2Code: "vi", English: "Vietnamese"},
-	{Alpha3bCode: "vol", Alpha2Code: "vo", English: "Volapük"},
-	{Alpha3bCode: "wel", Alpha2Code: "cy", English: "Welsh"},
-	{Alpha3bCode: "wln", Alpha2Code: "wa", English: "Walloon"},
-	{Alpha3bCode: "wol", Alpha2Code: "wo", English: "Wolof"},
-	{Alpha3bCode: "xho", Alpha2Code: "xh", English: "Xhosa"},
-	{Alpha3bCode: "yid", Alpha2Code: "yi", English: "Yiddish"},
-	{Alpha3bCode: "yor", Alpha2Code: "yo", English: "Yoruba"},
-	{Alpha3bCode: "zha", Alpha2Code: "za", English: "Zhuang; Chuang"},
-	{Alpha3bCode: "zul", Alpha2Code: "zu", English: "Zulu"},
-}
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/utils.go
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/utils.go
@@ -1,270 +0,0 @@
-package govalidator
-
-import (
-	"errors"
-	"fmt"
-	"html"
-	"math"
-	"path"
-	"regexp"
-	"strings"
-	"unicode"
-	"unicode/utf8"
-)
-
-// Contains checks if the string contains the substring.
-func Contains(str, substring string) bool {
-	return strings.Contains(str, substring)
-}
-
-// Matches checks if string matches the pattern (pattern is regular expression)
-// In case of error return false
-func Matches(str, pattern string) bool {
-	match, _ := regexp.MatchString(pattern, str)
-	return match
-}
-
-// LeftTrim trims characters from the left side of the input.
-// If second argument is empty, it will remove leading spaces.
-func LeftTrim(str, chars string) string {
-	if chars == "" {
-		return strings.TrimLeftFunc(str, unicode.IsSpace)
-	}
-	r, _ := regexp.Compile("^[" + chars + "]+")
-	return r.ReplaceAllString(str, "")
-}
-
-// RightTrim trims characters from the right side of the input.
-// If second argument is empty, it will remove trailing spaces.
-func RightTrim(str, chars string) string {
-	if chars == "" {
-		return strings.TrimRightFunc(str, unicode.IsSpace)
-	}
-	r, _ := regexp.Compile("[" + chars + "]+$")
-	return r.ReplaceAllString(str, "")
-}
-
-// Trim trims characters from both sides of the input.
-// If second argument is empty, it will remove spaces.
-func Trim(str, chars string) string {
-	return LeftTrim(RightTrim(str, chars), chars)
-}
-
-// WhiteList removes characters that do not appear in the whitelist.
-func WhiteList(str, chars string) string {
-	pattern := "[^" + chars + "]+"
-	r, _ := regexp.Compile(pattern)
-	return r.ReplaceAllString(str, "")
-}
-
-// BlackList removes characters that appear in the blacklist.
-func BlackList(str, chars string) string {
-	pattern := "[" + chars + "]+"
-	r, _ := regexp.Compile(pattern)
-	return r.ReplaceAllString(str, "")
-}
-
-// StripLow removes characters with a numerical value < 32 and 127, mostly control characters.
-// If keep_new_lines is true, newline characters are preserved (\n and \r, hex 0xA and 0xD).
-func StripLow(str string, keepNewLines bool) string {
-	chars := ""
-	if keepNewLines {
-		chars = "\x00-\x09\x0B\x0C\x0E-\x1F\x7F"
-	} else {
-		chars = "\x00-\x1F\x7F"
-	}
-	return BlackList(str, chars)
-}
-
-// ReplacePattern replaces regular expression pattern in string
-func ReplacePattern(str, pattern, replace string) string {
-	r, _ := regexp.Compile(pattern)
-	return r.ReplaceAllString(str, replace)
-}
-
-// Escape replaces <, >, & and " with HTML entities.
-var Escape = html.EscapeString
-
-func addSegment(inrune, segment []rune) []rune {
-	if len(segment) == 0 {
-		return inrune
-	}
-	if len(inrune) != 0 {
-		inrune = append(inrune, '_')
-	}
-	inrune = append(inrune, segment...)
-	return inrune
-}
-
-// UnderscoreToCamelCase converts from underscore separated form to camel case form.
-// Ex.: my_func => MyFunc
-func UnderscoreToCamelCase(s string) string {
-	return strings.Replace(strings.Title(strings.Replace(strings.ToLower(s), "_", " ", -1)), " ", "", -1)
-}
-
-// CamelCaseToUnderscore converts from camel case form to underscore separated form.
-// Ex.: MyFunc => my_func
-func CamelCaseToUnderscore(str string) string {
-	var output []rune
-	var segment []rune
-	for _, r := range str {
-
-		// not treat number as separate segment
-		if !unicode.IsLower(r) && string(r) != "_" && !unicode.IsNumber(r) {
-			output = addSegment(output, segment)
-			segment = nil
-		}
-		segment = append(segment, unicode.ToLower(r))
-	}
-	output = addSegment(output, segment)
-	return string(output)
-}
-
-// Reverse returns reversed string
-func Reverse(s string) string {
-	r := []rune(s)
-	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
-		r[i], r[j] = r[j], r[i]
-	}
-	return string(r)
-}
-
-// GetLines splits string by "\n" and return array of lines
-func GetLines(s string) []string {
-	return strings.Split(s, "\n")
-}
-
-// GetLine returns specified line of multiline string
-func GetLine(s string, index int) (string, error) {
-	lines := GetLines(s)
-	if index < 0 || index >= len(lines) {
-		return "", errors.New("line index out of bounds")
-	}
-	return lines[index], nil
-}
-
-// RemoveTags removes all tags from HTML string
-func RemoveTags(s string) string {
-	return ReplacePattern(s, "<[^>]*>", "")
-}
-
-// SafeFileName returns safe string that can be used in file names
-func SafeFileName(str string) string {
-	name := strings.ToLower(str)
-	name = path.Clean(path.Base(name))
-	name = strings.Trim(name, " ")
-	separators, err := regexp.Compile(`[ &_=+:]`)
-	if err == nil {
-		name = separators.ReplaceAllString(name, "-")
-	}
-	legal, err := regexp.Compile(`[^[:alnum:]-.]`)
-	if err == nil {
-		name = legal.ReplaceAllString(name, "")
-	}
-	for strings.Contains(name, "--") {
-		name = strings.Replace(name, "--", "-", -1)
-	}
-	return name
-}
-
-// NormalizeEmail canonicalize an email address.
-// The local part of the email address is lowercased for all domains; the hostname is always lowercased and
-// the local part of the email address is always lowercased for hosts that are known to be case-insensitive (currently only GMail).
-// Normalization follows special rules for known providers: currently, GMail addresses have dots removed in the local part and
-// are stripped of tags (e.g. some.one+tag@gmail.com becomes someone@gmail.com) and all @googlemail.com addresses are
-// normalized to @gmail.com.
-func NormalizeEmail(str string) (string, error) {
-	if !IsEmail(str) {
-		return "", fmt.Errorf("%s is not an email", str)
-	}
-	parts := strings.Split(str, "@")
-	parts[0] = strings.ToLower(parts[0])
-	parts[1] = strings.ToLower(parts[1])
-	if parts[1] == "gmail.com" || parts[1] == "googlemail.com" {
-		parts[1] = "gmail.com"
-		parts[0] = strings.Split(ReplacePattern(parts[0], `\.`, ""), "+")[0]
-	}
-	return strings.Join(parts, "@"), nil
-}
-
-// Truncate a string to the closest length without breaking words.
-func Truncate(str string, length int, ending string) string {
-	var aftstr, befstr string
-	if len(str) > length {
-		words := strings.Fields(str)
-		before, present := 0, 0
-		for i := range words {
-			befstr = aftstr
-			before = present
-			aftstr = aftstr + words[i] + " "
-			present = len(aftstr)
-			if present > length && i != 0 {
-				if (length - before) < (present - length) {
-					return Trim(befstr, " /\\.,\"'#!?&@+-") + ending
-				}
-				return Trim(aftstr, " /\\.,\"'#!?&@+-") + ending
-			}
-		}
-	}
-
-	return str
-}
-
-// PadLeft pads left side of a string if size of string is less then indicated pad length
-func PadLeft(str string, padStr string, padLen int) string {
-	return buildPadStr(str, padStr, padLen, true, false)
-}
-
-// PadRight pads right side of a string if size of string is less then indicated pad length
-func PadRight(str string, padStr string, padLen int) string {
-	return buildPadStr(str, padStr, padLen, false, true)
-}
-
-// PadBoth pads both sides of a string if size of string is less then indicated pad length
-func PadBoth(str string, padStr string, padLen int) string {
-	return buildPadStr(str, padStr, padLen, true, true)
-}
-
-// PadString either left, right or both sides.
-// Note that padding string can be unicode and more then one character
-func buildPadStr(str string, padStr string, padLen int, padLeft bool, padRight bool) string {
-
-	// When padded length is less then the current string size
-	if padLen < utf8.RuneCountInString(str) {
-		return str
-	}
-
-	padLen -= utf8.RuneCountInString(str)
-
-	targetLen := padLen
-
-	targetLenLeft := targetLen
-	targetLenRight := targetLen
-	if padLeft && padRight {
-		targetLenLeft = padLen / 2
-		targetLenRight = padLen - targetLenLeft
-	}
-
-	strToRepeatLen := utf8.RuneCountInString(padStr)
-
-	repeatTimes := int(math.Ceil(float64(targetLen) / float64(strToRepeatLen)))
-	repeatedString := strings.Repeat(padStr, repeatTimes)
-
-	leftSide := ""
-	if padLeft {
-		leftSide = repeatedString[0:targetLenLeft]
-	}
-
-	rightSide := ""
-	if padRight {
-		rightSide = repeatedString[0:targetLenRight]
-	}
-
-	return leftSide + str + rightSide
-}
-
-// TruncatingErrorf removes extra args from fmt.Errorf if not formatted in the str object
-func TruncatingErrorf(str string, args ...interface{}) error {
-	n := strings.Count(str, "%s")
-	return fmt.Errorf(str, args[:n]...)
-}
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/validator.go
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/validator.go
--- a/src/runtime/vendor/github.com/asaskevich/govalidator/wercker.yml
+++ b/src/runtime/vendor/github.com/asaskevich/govalidator/wercker.yml
@@ -1,15 +0,0 @@
-box: golang
-build:
-  steps:
-    - setup-go-workspace
-
-    - script:
-        name: go get
-        code: |
-          go version
-          go get -t ./...
-
-    - script:
-        name: go test
-        code: |
-          go test -race -v ./...
--- a/src/runtime/vendor/github.com/go-openapi/analysis/.editorconfig
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/.editorconfig
@@ -0,0 +1,26 @@
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+
+# Set default charset
+[*.{js,py,go,scala,rb,java,html,css,less,sass,md}]
+charset = utf-8
+
+# Tab indentation (no size specified)
+[*.go]
+indent_style = tab
+
+[*.md]
+trim_trailing_whitespace = false
+
+# Matches the exact files either package.json or .travis.yml
+[{package.json,.travis.yml}]
+indent_style = space
+indent_size = 2
--- a/src/runtime/vendor/github.com/go-openapi/analysis/.gitignore
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/.gitignore
@@ -1,5 +1,6 @@
-secrets.yml
-coverage.out
-coverage.txt
+*.out
 *.cov
 .idea
+.env
+.mcp.json
+.claude/
--- a/src/runtime/vendor/github.com/go-openapi/analysis/.golangci.yml
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/.golangci.yml
@@ -1,61 +1,70 @@
-linters-settings:
-  govet:
-    check-shadowing: true
-  golint:
-    min-confidence: 0
-  gocyclo:
-    min-complexity: 45
-  maligned:
-    suggest-new: true
-  dupl:
-    threshold: 200
-  goconst:
-    min-len: 2
-    min-occurrences: 3
-
+version: "2"
 linters:
-  enable-all: true
+  default: all
  disable:
-    - maligned
-    - unparam
-    - lll
-    - gochecknoinits
-    - gochecknoglobals
+    - depguard
    - funlen
    - godox
-    - gocognit
-    - whitespace
-    - wsl
-    - wrapcheck
-    - testpackage
-    - nlreturn
-    - gomnd
-    - exhaustivestruct
-    - goerr113
-    - errorlint
-    - nestif
-    - godot
-    - gofumpt
-    - paralleltest
-    - tparallel
-    - thelper
-    - ifshort
+    - gomoddirectives
    - exhaustruct
-    - varnamelen
-    - gci
-    - depguard
-    - errchkjson
-    - inamedparam
+    - nlreturn
    - nonamedreturns
-    - musttag
-    - ireturn
-    - forcetypeassert
-    - cyclop
-    # deprecated linters
-    - deadcode
-    - interfacer
-    - scopelint
-    - varcheck
-    - structcheck
-    - golint
-    - nosnakecase
+    - noinlineerr
+    - paralleltest
+    - recvcheck
+    - testpackage
+    - thelper
+    - tparallel
+    - varnamelen
+    - whitespace
+    - wrapcheck
+    - wsl
+    - wsl_v5
+  settings:
+    dupl:
+      threshold: 200
+    goconst:
+      min-len: 2
+      min-occurrences: 3
+    cyclop:
+      max-complexity: 25
+    gocyclo:
+      min-complexity: 25
+    gocognit:
+      min-complexity: 35
+    exhaustive:
+      default-signifies-exhaustive: true
+      default-case-required: true
+    lll:
+      line-length: 180
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+    - gofumpt
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  # Maximum issues count per one linter.
+  # Set to 0 to disable.
+  # Default: 50
+  max-issues-per-linter: 0
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable.
+  # Default: 3
+  max-same-issues: 0
--- a/src/runtime/vendor/github.com/go-openapi/analysis/CODE_OF_CONDUCT.md
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/CODE_OF_CONDUCT.md
@@ -23,7 +23,9 @@ include:
 Examples of unacceptable behavior by participants include:

 * The use of sexualized language or imagery and unwelcome sexual attention or
+
 advances
+
 * Trolling, insulting/derogatory comments, and personal or political attacks
 * Public or private harassment
 * Publishing others' private information, such as a physical or electronic
@@ -55,7 +57,7 @@ further defined and clarified by project maintainers.
 ## Enforcement

 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at ivan+abuse@flanders.co.nz. All
+reported by contacting the project team at <ivan+abuse@flanders.co.nz>. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
@@ -68,7 +70,7 @@ members of the project's leadership.
 ## Attribution

 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at [http://contributor-covenant.org/version/1/4][version]
+available at [<http://contributor-covenant.org/version/1/4>][version]

 [homepage]: http://contributor-covenant.org
 [version]: http://contributor-covenant.org/version/1/4/
--- a/src/runtime/vendor/github.com/go-openapi/analysis/CONTRIBUTORS.md
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/CONTRIBUTORS.md
@@ -0,0 +1,27 @@
+# Contributors
+
+- Repository: ['go-openapi/analysis']
+
+| Total Contributors | Total Contributions |
+| --- | --- |
+| 15  | 202  |
+
+| Username | All Time Contribution Count | All Commits |
+| --- | --- | --- |
+| @fredbi | 99 | <https://github.com/go-openapi/analysis/commits?author=fredbi> |
+| @casualjim | 70 | <https://github.com/go-openapi/analysis/commits?author=casualjim> |
+| @keramix | 9 | <https://github.com/go-openapi/analysis/commits?author=keramix> |
+| @youyuanwu | 8 | <https://github.com/go-openapi/analysis/commits?author=youyuanwu> |
+| @msample | 3 | <https://github.com/go-openapi/analysis/commits?author=msample> |
+| @kul-amr | 3 | <https://github.com/go-openapi/analysis/commits?author=kul-amr> |
+| @mbohlool | 2 | <https://github.com/go-openapi/analysis/commits?author=mbohlool> |
+| @Copilot | 1 | <https://github.com/go-openapi/analysis/commits?author=Copilot> |
+| @danielfbm | 1 | <https://github.com/go-openapi/analysis/commits?author=danielfbm> |
+| @gregmarr | 1 | <https://github.com/go-openapi/analysis/commits?author=gregmarr> |
+| @guillemj | 1 | <https://github.com/go-openapi/analysis/commits?author=guillemj> |
+| @knweiss | 1 | <https://github.com/go-openapi/analysis/commits?author=knweiss> |
+| @tklauser | 1 | <https://github.com/go-openapi/analysis/commits?author=tklauser> |
+| @cuishuang | 1 | <https://github.com/go-openapi/analysis/commits?author=cuishuang> |
+| @ujjwalsh | 1 | <https://github.com/go-openapi/analysis/commits?author=ujjwalsh> |
+
+ _this file was generated by the [Contributors GitHub Action](https://github.com/github/contributors)_
--- a/src/runtime/vendor/github.com/go-openapi/analysis/README.md
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/README.md
@@ -1,22 +1,46 @@
-# OpenAPI analysis [![Build Status](https://github.com/go-openapi/analysis/actions/workflows/go-test.yml/badge.svg)](https://github.com/go-openapi/analysis/actions?query=workflow%3A"go+test") [![codecov](https://codecov.io/gh/go-openapi/analysis/branch/master/graph/badge.svg)](https://codecov.io/gh/go-openapi/analysis)
+# analysis

-[![Slack Status](https://slackin.goswagger.io/badge.svg)](https://slackin.goswagger.io)
-[![license](http://img.shields.io/badge/license-Apache%20v2-orange.svg)](https://raw.githubusercontent.com/go-openapi/analysis/master/LICENSE)
-[![Go Reference](https://pkg.go.dev/badge/github.com/go-openapi/analysis.svg)](https://pkg.go.dev/github.com/go-openapi/analysis)
-[![Go Report Card](https://goreportcard.com/badge/github.com/go-openapi/analysis)](https://goreportcard.com/report/github.com/go-openapi/analysis)
+<!-- Badges: status  -->
+[![Tests][test-badge]][test-url] [![Coverage][cov-badge]][cov-url] [![CI vuln scan][vuln-scan-badge]][vuln-scan-url] [![CodeQL][codeql-badge]][codeql-url]
+<!-- Badges: release & docker images  -->
+<!-- Badges: code quality  -->
+<!-- Badges: license & compliance -->
+[![Release][release-badge]][release-url] [![Go Report Card][gocard-badge]][gocard-url] [![CodeFactor Grade][codefactor-badge]][codefactor-url] [![License][license-badge]][license-url]
+<!-- Badges: documentation & support -->
+<!-- Badges: others & stats -->
+[![GoDoc][godoc-badge]][godoc-url] [![Discord Channel][discord-badge]][discord-url] [![go version][goversion-badge]][goversion-url] ![Top language][top-badge] ![Commits since latest release][commits-badge]

+---

 A foundational library to analyze an OAI specification document for easier reasoning about the content.

-## What's inside?
+## Announcements
+
+* **2025-12-19** : new community chat on discord
+  * a new discord community channel is available to be notified of changes and support users
+  * our venerable Slack channel remains open, and will be eventually discontinued on **2026-03-31**
+
+You may join the discord community by clicking the invite link on the discord badge (also above). [![Discord Channel][discord-badge]][discord-url]
+
+Or join our Slack channel: [![Slack Channel][slack-logo]![slack-badge]][slack-url]
+
+## Status
+
+API is stable.
+
+## Import this library in your project
+
+```cmd
+go get github.com/go-openapi/analysis
+```
+
+## What's inside

 * An analyzer providing methods to walk the functional content of a specification
 * A spec flattener producing a self-contained document bundle, while preserving `$ref`s
 * A spec merger ("mixin") to merge several spec documents into a primary spec
 * A spec "fixer" ensuring that response descriptions are non empty

-[Documentation](https://pkg.go.dev/github.com/go-openapi/analysis)
-
 ## FAQ

 * Does this library support OpenAPI 3?
@@ -25,3 +49,79 @@ A foundational library to analyze an OAI specification document for easier reaso
 > This package currently only supports OpenAPI 2.0 (aka Swagger 2.0).
 > There is no plan to make it evolve toward supporting OpenAPI 3.x.
 > This [discussion thread](https://github.com/go-openapi/spec/issues/21) relates the full story.
+
+## Change log
+
+See <https://github.com/go-openapi/analysis/releases>
+
+<!--
+
+## References
+
+-->
+
+## Licensing
+
+This library ships under the [SPDX-License-Identifier: Apache-2.0](./LICENSE).
+
+<!--
+See the license NOTICE, which recalls the licensing terms of all the pieces of software
+on top of which it has been built.
+-->
+
+<!--
+
+## Limitations
+
+-->
+
+## Other documentation
+
+* [All-time contributors](./CONTRIBUTORS.md)
+* [Contributing guidelines](.github/CONTRIBUTING.md)
+* [Maintainers documentation](docs/MAINTAINERS.md)
+* [Code style](docs/STYLE.md)
+
+## Cutting a new release
+
+Maintainers can cut a new release by either:
+
+* running [this workflow](https://github.com/go-openapi/analysis/actions/workflows/bump-release.yml)
+* or pushing a semver tag
+  * signed tags are preferred
+  * The tag message is prepended to release notes
+
+<!-- Badges: status  -->
+[test-badge]: https://github.com/go-openapi/analysis/actions/workflows/go-test.yml/badge.svg
+[test-url]: https://github.com/go-openapi/analysis/actions/workflows/go-test.yml
+[cov-badge]: https://codecov.io/gh/go-openapi/analysis/branch/master/graph/badge.svg
+[cov-url]: https://codecov.io/gh/go-openapi/analysis
+[vuln-scan-badge]: https://github.com/go-openapi/analysis/actions/workflows/scanner.yml/badge.svg
+[vuln-scan-url]: https://github.com/go-openapi/analysis/actions/workflows/scanner.yml
+[codeql-badge]: https://github.com/go-openapi/analysis/actions/workflows/codeql.yml/badge.svg
+[codeql-url]: https://github.com/go-openapi/analysis/actions/workflows/codeql.yml
+<!-- Badges: release & docker images  -->
+[release-badge]: https://badge.fury.io/gh/go-openapi%2Fanalysis.svg
+[release-url]: https://badge.fury.io/gh/go-openapi%2Fanalysis
+<!-- Badges: code quality  -->
+[gocard-badge]: https://goreportcard.com/badge/github.com/go-openapi/analysis
+[gocard-url]: https://goreportcard.com/report/github.com/go-openapi/analysis
+[codefactor-badge]: https://img.shields.io/codefactor/grade/github/go-openapi/analysis
+[codefactor-url]: https://www.codefactor.io/repository/github/go-openapi/analysis
+<!-- Badges: documentation & support -->
+[godoc-badge]: https://pkg.go.dev/badge/github.com/go-openapi/analysis
+[godoc-url]: http://pkg.go.dev/github.com/go-openapi/analysis
+[slack-logo]: https://a.slack-edge.com/e6a93c1/img/icons/favicon-32.png
+[slack-badge]: https://img.shields.io/badge/slack-blue?link=https%3A%2F%2Fgoswagger.slack.com%2Farchives%2FC04R30YM
+[slack-url]: https://goswagger.slack.com/archives/C04R30YMU
+[discord-badge]: https://img.shields.io/discord/1446918742398341256?logo=discord&label=discord&color=blue
+[discord-url]: https://discord.gg/twZ9BwT3
+
+<!-- Badges: license & compliance -->
+[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg
+[license-url]: https://github.com/go-openapi/analysis/?tab=Apache-2.0-1-ov-file#readme
+<!-- Badges: others & stats -->
+[goversion-badge]: https://img.shields.io/github/go-mod/go-version/go-openapi/analysis
+[goversion-url]: https://github.com/go-openapi/analysis/blob/master/go.mod
+[top-badge]: https://img.shields.io/github/languages/top/go-openapi/analysis
+[commits-badge]: https://img.shields.io/github/commits-since/go-openapi/analysis/latest
--- a/src/runtime/vendor/github.com/go-openapi/analysis/SECURITY.md
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/SECURITY.md
@@ -0,0 +1,37 @@
+# Security Policy
+
+This policy outlines the commitment and practices of the go-openapi maintainers regarding security.
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.x     | :white_check_mark: |
+
+## Vulnerability checks in place
+
+This repository uses automated vulnerability scans, at every merged commit and at least once a week.
+
+We use:
+
+* [`GitHub CodeQL`][codeql-url]
+* [`trivy`][trivy-url]
+* [`govulncheck`][govulncheck-url]
+
+Reports are centralized in github security reports and visible only to the maintainers.
+
+## Reporting a vulnerability
+
+If you become aware of a security vulnerability that affects the current repository,
+**please report it privately to the maintainers**
+rather than opening a publicly visible GitHub issue.
+
+Please follow the instructions provided by github to [Privately report a security vulnerability][github-guidance-url].
+
+> [!NOTE]
+> On Github, navigate to the project's "Security" tab then click on "Report a vulnerability".
+
+[codeql-url]: https://github.com/github/codeql
+[trivy-url]: https://trivy.dev/docs/latest/getting-started
+[govulncheck-url]: https://go.dev/blog/govulncheck
+[github-guidance-url]: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability
--- a/src/runtime/vendor/github.com/go-openapi/analysis/analyzer.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/analyzer.go
--- a/src/runtime/vendor/github.com/go-openapi/analysis/debug.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/debug.go
@@ -1,16 +1,5 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0

 package analysis

@@ -20,4 +9,4 @@ import (
 	"github.com/go-openapi/analysis/internal/debug"
 )

-var debugLog = debug.GetLogger("analysis", os.Getenv("SWAGGER_DEBUG") != "")
+var debugLog = debug.GetLogger("analysis", os.Getenv("SWAGGER_DEBUG") != "") //nolint:gochecknoglobals // it's okay to use a private global for logging
--- a/src/runtime/vendor/github.com/go-openapi/analysis/doc.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/doc.go
@@ -1,43 +1,31 @@
-// Copyright 2015 go-swagger maintainers
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+// Package analysis provides methods to work with a Swagger specification document from
+// package go-openapi/spec.
 //
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
+// # Analyzing a specification
 //
-//    http://www.apache.org/licenses/LICENSE-2.0
+// An analysed specification object (type Spec) provides methods to work with swagger definition.
 //
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-/*
-Package analysis provides methods to work with a Swagger specification document from
-package go-openapi/spec.
-
-## Analyzing a specification
-
-An analysed specification object (type Spec) provides methods to work with swagger definition.
-
-## Flattening or expanding a specification
-
-Flattening a specification bundles all remote $ref in the main spec document.
-Depending on flattening options, additional preprocessing may take place:
-  - full flattening: replacing all inline complex constructs by a named entry in #/definitions
-  - expand: replace all $ref's in the document by their expanded content
-
-## Merging several specifications
-
-Mixin several specifications merges all Swagger constructs, and warns about found conflicts.
-
-## Fixing a specification
-
-Unmarshalling a specification with golang json unmarshalling may lead to
-some unwanted result on present but empty fields.
-
-## Analyzing a Swagger schema
-
-Swagger schemas are analyzed to determine their complexity and qualify their content.
-*/
+// # Flattening or expanding a specification
+//
+// Flattening a specification bundles all remote $ref in the main spec document.
+// Depending on flattening options, additional preprocessing may take place:
+//
+//   - full flattening: replacing all inline complex constructs by a named entry in #/definitions
+//   - expand: replace all $ref's in the document by their expanded content
+//
+// # Merging several specifications
+//
+// [Mixin] several specifications merges all Swagger constructs, and warns about found conflicts.
+//
+// # Fixing a specification
+//
+// Unmarshalling a specification with golang [json] unmarshalling may lead to
+// some unwanted result on present but empty fields.
+//
+// # Analyzing a Swagger schema
+//
+// Swagger schemas are analyzed to determine their complexity and qualify their content.
 package analysis
--- a/src/runtime/vendor/github.com/go-openapi/analysis/errors.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/errors.go
@@ -0,0 +1,56 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package analysis
+
+import (
+	"errors"
+	"fmt"
+)
+
+type analysisError string
+
+const (
+	ErrAnalysis analysisError = "analysis error"
+	ErrNoSchema analysisError = "no schema to analyze"
+)
+
+func (e analysisError) Error() string {
+	return string(e)
+}
+
+func ErrAtKey(key string, err error) error {
+	return errors.Join(
+		fmt.Errorf("key %s: %w", key, err),
+		ErrAnalysis,
+	)
+}
+
+func ErrInvalidRef(key string) error {
+	return fmt.Errorf("invalid reference: %q: %w", key, ErrAnalysis)
+}
+
+func ErrInvalidParameterRef(key string) error {
+	return fmt.Errorf("resolved reference is not a parameter: %q: %w", key, ErrAnalysis)
+}
+
+func ErrResolveSchema(err error) error {
+	return errors.Join(
+		fmt.Errorf("could not resolve schema: %w", err),
+		ErrAnalysis,
+	)
+}
+
+func ErrRewriteRef(key string, target any, err error) error {
+	return errors.Join(
+		fmt.Errorf("failed to rewrite ref for key %q at %v: %w", key, target, err),
+		ErrAnalysis,
+	)
+}
+
+func ErrInlineDefinition(key string, err error) error {
+	return errors.Join(
+		fmt.Errorf("error while creating definition %q from inline schema: %w", key, err),
+		ErrAnalysis,
+	)
+}
--- a/src/runtime/vendor/github.com/go-openapi/analysis/fixer.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/fixer.go
@@ -1,16 +1,5 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0

 package analysis

@@ -72,7 +61,7 @@ func FixEmptyDescs(rs *spec.Responses) {
 // Response object if it doesn't already have one and isn't a
 // ref. No-op on nil input.
 func FixEmptyDesc(rs *spec.Response) {
-	if rs == nil || rs.Description != "" || rs.Ref.Ref.GetURL() != nil {
+	if rs == nil || rs.Description != "" || rs.Ref.GetURL() != nil {
 		return
 	}
 	rs.Description = "(empty)"
--- a/src/runtime/vendor/github.com/go-openapi/analysis/flatten.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/flatten.go
@@ -1,23 +1,12 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0

 package analysis

 import (
-	"fmt"
 	"log"
 	"path"
+	"slices"
 	"sort"
 	"strings"

@@ -32,7 +21,7 @@ import (

 const definitionsPath = "#/definitions"

-// newRef stores information about refs created during the flattening process
+// newRef stores information about refs created during the flattening process.
 type newRef struct {
 	key      string
 	newName  string
@@ -43,7 +32,7 @@ type newRef struct {
 	parents  []string
 }

-// context stores intermediary results from flatten
+// context stores intermediary results from flatten.
 type context struct {
 	newRefs  map[string]*newRef
 	warnings []string
@@ -52,9 +41,9 @@ type context struct {

 func newContext() *context {
 	return &context{
-		newRefs:  make(map[string]*newRef, 150),
+		newRefs:  make(map[string]*newRef, allocMediumMap),
 		warnings: make([]string, 0),
-		resolved: make(map[string]string, 50),
+		resolved: make(map[string]string, allocMediumMap),
 	}
 }

@@ -63,13 +52,15 @@ func newContext() *context {
 // There is a minimal and a full flattening mode.
 //
 // Minimally flattening a spec means:
+//
 //   - Expanding parameters, responses, path items, parameter items and header items (references to schemas are left
 //     unscathed)
-//   - Importing external (http, file) references so they become internal to the document
+//   - Importing external ([http], file) references so they become internal to the document
 //   - Moving every JSON pointer to a $ref to a named definition (i.e. the reworked spec does not contain pointers
 //     like "$ref": "#/definitions/myObject/allOfs/1")
 //
 // A minimally flattened spec thus guarantees the following properties:
+//
 //   - all $refs point to a local definition (i.e. '#/definitions/...')
 //   - definitions are unique
 //
@@ -81,6 +72,7 @@ func newContext() *context {
 // Minimal flattening is necessary and sufficient for codegen rendering using go-swagger.
 //
 // Fully flattening a spec means:
+//
 //   - Moving every complex inline schema to be a definition with an auto-generated name in a depth-first fashion.
 //
 // By complex, we mean every JSON object with some properties.
@@ -91,6 +83,7 @@ func newContext() *context {
 // have been created.
 //
 // Available flattening options:
+//
 //   - Minimal: stops flattening after minimal $ref processing, leaving schema constructs untouched
 //   - Expand: expand all $ref's in the document (inoperant if Minimal set to true)
 //   - Verbose: croaks about name conflicts detected
@@ -98,8 +91,9 @@ func newContext() *context {
 //
 // NOTE: expansion removes all $ref save circular $ref, which remain in place
 //
-// TODO: additional options
-//   - ProgagateNameExtensions: ensure that created entries properly follow naming rules when their parent have set a
+// Desirable future additions: additional options.
+//
+//   - PropagateNameExtensions: ensure that created entries properly follow naming rules when their parent have set a
 //     x-go-name extension
 //   - LiftAllOfs:
 //   - limit the flattening of allOf members when simple objects
@@ -180,7 +174,7 @@ func expand(opts *FlattenOpts) error {
 }

 // normalizeRef strips the current file from any absolute file $ref. This works around issue go-openapi/spec#76:
-// leading absolute file in $ref is stripped
+// leading absolute file in $ref is stripped.
 func normalizeRef(opts *FlattenOpts) error {
 	debugLog("normalizeRef")

@@ -251,7 +245,7 @@ func nameInlinedSchemas(opts *FlattenOpts) error {

 		asch, err := Schema(SchemaOpts{Schema: sch.Schema, Root: opts.Swagger(), BasePath: opts.BasePath})
 		if err != nil {
-			return fmt.Errorf("schema analysis [%s]: %w", key, err)
+			return ErrAtKey(key, err)
 		}

 		if asch.isAnalyzedAsComplex() { // move complex schemas to definitions
@@ -320,7 +314,7 @@ func importNewRef(entry sortref.RefRevIdx, refStr string, opts *FlattenOpts) err

 	sch, err := spec.ResolveRefWithBase(opts.Swagger(), &entry.Ref, opts.ExpandOpts(false))
 	if err != nil {
-		return fmt.Errorf("could not resolve schema: %w", err)
+		return ErrResolveSchema(err)
 	}

 	// at this stage only $ref analysis matters
@@ -335,7 +329,7 @@ func importNewRef(entry sortref.RefRevIdx, refStr string, opts *FlattenOpts) err
 	// now rewrite those refs with rebase
 	for key, ref := range partialAnalyzer.references.allRefs {
 		if err := replace.UpdateRef(sch, key, spec.MustCreateRef(normalize.RebaseRef(entry.Ref.String(), ref.String()))); err != nil {
-			return fmt.Errorf("failed to rewrite ref for key %q at %s: %w", key, entry.Ref.String(), err)
+			return ErrRewriteRef(key, entry.Ref.String(), err)
 		}
 	}

@@ -429,7 +423,7 @@ func importExternalReferences(opts *FlattenOpts) (bool, error) {
 			ref := spec.MustCreateRef(r.path)
 			sch, err := spec.ResolveRefWithBase(opts.Swagger(), &ref, opts.ExpandOpts(false))
 			if err != nil {
-				return false, fmt.Errorf("could not resolve schema: %w", err)
+				return false, ErrResolveSchema(err)
 			}

 			r.schema = sch
@@ -502,14 +496,25 @@ func stripPointersAndOAIGen(opts *FlattenOpts) error {
 // pointer and name resolution again.
 func stripOAIGen(opts *FlattenOpts) (bool, error) {
 	debugLog("stripOAIGen")
+	// Ensure the spec analysis is fresh, as previous steps (namePointers, etc.) might have modified refs.
+	opts.Spec.reload()
+
 	replacedWithComplex := false

 	// figure out referers of OAIGen definitions (doing it before the ref start mutating)
-	for _, r := range opts.flattenContext.newRefs {
+	// Sort keys to ensure deterministic processing order
+	sortedKeys := make([]string, 0, len(opts.flattenContext.newRefs))
+	for k := range opts.flattenContext.newRefs {
+		sortedKeys = append(sortedKeys, k)
+	}
+	sort.Strings(sortedKeys)
+
+	for _, k := range sortedKeys {
+		r := opts.flattenContext.newRefs[k]
 		updateRefParents(opts.Spec.references.allRefs, r)
 	}

-	for k := range opts.flattenContext.newRefs {
+	for _, k := range sortedKeys {
 		r := opts.flattenContext.newRefs[k]
 		debugLog("newRefs[%s]: isOAIGen: %t, resolved: %t, name: %s, path:%s, #parents: %d, parents: %v,  ref: %s",
 			k, r.isOAIGen, r.resolved, r.newName, r.path, len(r.parents), r.parents, r.schema.Ref.String())
@@ -532,7 +537,7 @@ func stripOAIGen(opts *FlattenOpts) (bool, error) {
 	return replacedWithComplex, nil
 }

-// updateRefParents updates all parents of an updated $ref
+// updateRefParents updates all parents of an updated $ref.
 func updateRefParents(allRefs map[string]spec.Ref, r *newRef) {
 	if !r.isOAIGen || r.resolved { // bail on already resolved entries (avoid looping)
 		return
@@ -542,14 +547,7 @@ func updateRefParents(allRefs map[string]spec.Ref, r *newRef) {
 			continue
 		}

-		found := false
-		for _, p := range r.parents {
-			if p == k {
-				found = true
-
-				break
-			}
-		}
+		found := slices.Contains(r.parents, k)
 		if !found {
 			r.parents = append(r.parents, k)
 		}
@@ -598,6 +596,19 @@ func stripOAIGenForRef(opts *FlattenOpts, k string, r *newRef) (bool, error) {
 				replacedWithComplex = true
 			}
 		}
+
+		// update parents of the target ref (pr[0]) if it is also a newRef (OAIGen)
+		// This ensures that if the target is later deleted/merged, it knows about these new referers.
+		for _, nr := range opts.flattenContext.newRefs {
+			if nr.path == pr[0] && nr.isOAIGen && !nr.resolved {
+				for _, p := range pr[1:] {
+					if !slices.Contains(nr.parents, p) {
+						nr.parents = append(nr.parents, p)
+					}
+				}
+				break
+			}
+		}
 	}

 	// remove OAIGen definition
@@ -605,7 +616,15 @@ func stripOAIGenForRef(opts *FlattenOpts, k string, r *newRef) (bool, error) {
 	delete(opts.Swagger().Definitions, path.Base(r.path))

 	// propagate changes in ref index for keys which have this one as a parent
-	for kk, value := range opts.flattenContext.newRefs {
+	// Sort keys to ensure deterministic update order
+	propagateKeys := make([]string, 0, len(opts.flattenContext.newRefs))
+	for k := range opts.flattenContext.newRefs {
+		propagateKeys = append(propagateKeys, k)
+	}
+	sort.Strings(propagateKeys)
+
+	for _, kk := range propagateKeys {
+		value := opts.flattenContext.newRefs[kk]
 		if kk == k || !value.isOAIGen || value.resolved {
 			continue
 		}
@@ -643,7 +662,7 @@ func stripOAIGenForRef(opts *FlattenOpts, k string, r *newRef) (bool, error) {
 		}

 		debugLog("re-inlined schema: parent: %s, %t", pr[0], asch.isAnalyzedAsComplex())
-		replacedWithComplex = replacedWithComplex || !(path.Dir(pr[0]) == definitionsPath) && asch.isAnalyzedAsComplex()
+		replacedWithComplex = replacedWithComplex || path.Dir(pr[0]) != definitionsPath && asch.isAnalyzedAsComplex()
 	}

 	return replacedWithComplex, nil
@@ -666,7 +685,7 @@ func namePointers(opts *FlattenOpts) error {

 		result, err := replace.DeepestRef(opts.Swagger(), opts.ExpandOpts(false), ref)
 		if err != nil {
-			return fmt.Errorf("at %s, %w", k, err)
+			return ErrAtKey(k, err)
 		}

 		replacingRef := result.Ref
@@ -697,7 +716,7 @@ func namePointers(opts *FlattenOpts) error {
 		// update current replacement, which may have been updated by previous changes of deeper elements
 		result, erd := replace.DeepestRef(opts.Swagger(), opts.ExpandOpts(false), v.Ref)
 		if erd != nil {
-			return fmt.Errorf("at %s, %w", key, erd)
+			return ErrAtKey(key, erd)
 		}

 		if opts.flattenContext != nil {
@@ -743,9 +762,9 @@ func flattenAnonPointer(key string, v SchemaRef, refsToReplace map[string]Schema
 	// qualify the expanded schema
 	asch, ers := Schema(SchemaOpts{Schema: v.Schema, Root: opts.Swagger(), BasePath: opts.BasePath})
 	if ers != nil {
-		return fmt.Errorf("schema analysis [%s]: %w", key, ers)
+		return ErrAtKey(key, ers)
 	}
-	callers := make([]string, 0, 64)
+	callers := make([]string, 0, allocMediumMap)

 	debugLog("looking for callers")

@@ -753,7 +772,7 @@ func flattenAnonPointer(key string, v SchemaRef, refsToReplace map[string]Schema
 	for k, w := range an.references.allRefs {
 		r, err := replace.DeepestRef(opts.Swagger(), opts.ExpandOpts(false), w)
 		if err != nil {
-			return fmt.Errorf("at %s, %w", key, err)
+			return ErrAtKey(key, err)
 		}

 		if opts.flattenContext != nil {
--- a/src/runtime/vendor/github.com/go-openapi/analysis/flatten_name.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/flatten_name.go
@@ -1,3 +1,6 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
 package analysis

 import (
@@ -11,10 +14,10 @@ import (
 	"github.com/go-openapi/analysis/internal/flatten/schutils"
 	"github.com/go-openapi/analysis/internal/flatten/sortref"
 	"github.com/go-openapi/spec"
-	"github.com/go-openapi/swag"
+	"github.com/go-openapi/swag/mangling"
 )

-// InlineSchemaNamer finds a new name for an inlined type
+// InlineSchemaNamer finds a new name for an inlined type.
 type InlineSchemaNamer struct {
 	Spec           *spec.Swagger
 	Operations     map[string]operations.OpRef
@@ -22,7 +25,7 @@ type InlineSchemaNamer struct {
 	opts           *FlattenOpts
 }

-// Name yields a new name for the inline schema
+// Name yields a new name for the inline schema.
 func (isn *InlineSchemaNamer) Name(key string, schema *spec.Schema, aschema *AnalyzedSchema) error {
 	debugLog("naming inlined schema at %s", key)

@@ -43,7 +46,7 @@ func (isn *InlineSchemaNamer) Name(key string, schema *spec.Schema, aschema *Ana
 		debugLog("rewriting schema to ref: key=%s with new name: %s", key, newName)
 		if err := replace.RewriteSchemaToRef(isn.Spec, key,
 			spec.MustCreateRef(path.Join(definitionsPath, newName))); err != nil {
-			return fmt.Errorf("error while creating definition %q from inline schema: %w", newName, err)
+			return ErrInlineDefinition(newName, err)
 		}

 		// rewrite any dependent $ref pointing to this place,
@@ -54,7 +57,7 @@ func (isn *InlineSchemaNamer) Name(key string, schema *spec.Schema, aschema *Ana
 		for k, v := range an.references.allRefs {
 			r, erd := replace.DeepestRef(isn.opts.Swagger(), isn.opts.ExpandOpts(false), v)
 			if erd != nil {
-				return fmt.Errorf("at %s, %w", k, erd)
+				return ErrAtKey(k, erd)
 			}

 			if isn.opts.flattenContext != nil {
@@ -105,7 +108,7 @@ func (isn *InlineSchemaNamer) Name(key string, schema *spec.Schema, aschema *Ana
 	return nil
 }

-// uniqifyName yields a unique name for a definition
+// uniqifyName yields a unique name for a definition.
 func uniqifyName(definitions spec.Definitions, name string) (string, bool) {
 	isOAIGen := false
 	if name == "" {
@@ -227,19 +230,24 @@ func namesForOperation(parts sortref.SplitKey, operations map[string]operations.
 	return baseNames, startIndex
 }

+const (
+	minStartIndex = 2
+	minSegments   = 2
+)
+
 func namesForDefinition(parts sortref.SplitKey) ([][]string, int) {
 	nm := parts.DefinitionName()
 	if nm != "" {
-		return [][]string{{parts.DefinitionName()}}, 2
+		return [][]string{{parts.DefinitionName()}}, minStartIndex
 	}

 	return [][]string{}, 0
 }

-// partAdder knows how to interpret a schema when it comes to build a name from parts
+// partAdder knows how to interpret a schema when it comes to build a name from parts.
 func partAdder(aschema *AnalyzedSchema) sortref.PartAdder {
 	return func(part string) []string {
-		segments := make([]string, 0, 2)
+		segments := make([]string, 0, minSegments)

 		if part == "items" || part == "additionalItems" {
 			if aschema.IsTuple || aschema.IsTupleWithExtra {
@@ -265,8 +273,9 @@ func mangler(o *FlattenOpts) func(string) string {
 	if o.KeepNames {
 		return func(in string) string { return in }
 	}
+	mangler := mangling.NewNameMangler()

-	return swag.ToJSONName
+	return mangler.ToJSONName
 }

 func nameFromRef(ref spec.Ref, o *FlattenOpts) string {
--- a/src/runtime/vendor/github.com/go-openapi/analysis/flatten_options.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/flatten_options.go
@@ -1,3 +1,6 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
 package analysis

 import (
@@ -32,7 +35,7 @@ type FlattenOpts struct {
 	_ struct{} // require keys
 }

-// ExpandOpts creates a spec.ExpandOptions to configure expanding a specification document.
+// ExpandOpts creates a spec.[spec.ExpandOptions] to configure expanding a specification document.
 func (f *FlattenOpts) ExpandOpts(skipSchemas bool) *spec.ExpandOptions {
 	return &spec.ExpandOptions{
 		RelativeBase:    f.BasePath,
@@ -41,13 +44,13 @@ func (f *FlattenOpts) ExpandOpts(skipSchemas bool) *spec.ExpandOptions {
 	}
 }

-// Swagger gets the swagger specification for this flatten operation
+// Swagger gets the swagger specification for this flatten operation.
 func (f *FlattenOpts) Swagger() *spec.Swagger {
 	return f.Spec.spec
 }

 // croak logs notifications and warnings about valid, but possibly unwanted constructs resulting
-// from flattening a spec
+// from flattening a spec.
 func (f *FlattenOpts) croak() {
 	if !f.Verbose {
 		return
--- a/src/runtime/vendor/github.com/go-openapi/analysis/go.work
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/go.work
@@ -0,0 +1,6 @@
+go 1.24.0
+
+use (
+	.
+	./internal/testintegration
+)
--- a/src/runtime/vendor/github.com/go-openapi/analysis/go.work.sum
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/go.work.sum
@@ -0,0 +1,29 @@
+github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
+github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30 h1:BHT1/DKsYDGkUgQ2jmMaozVcdk+sVfz0+1ZJq4zkWgw=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
+github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
+go.mongodb.org/mongo-driver v1.17.6 h1:87JUG1wZfWsr6rIz3ZmpH90rL5tea7O3IHuSwHUpsss=
+go.mongodb.org/mongo-driver v1.17.6/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
--- a/src/runtime/vendor/github.com/go-openapi/analysis/internal/debug/debug.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/internal/debug/debug.go
@@ -1,16 +1,5 @@
-// Copyright 2015 go-swagger maintainers
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//    http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0

 package debug

@@ -22,20 +11,18 @@ import (
 	"runtime"
 )

-var (
-	output = os.Stdout
-)
+var output = os.Stdout //nolint:gochecknoglobals // this is on purpose to be overridable during tests

-// GetLogger provides a prefix debug logger
-func GetLogger(prefix string, debug bool) func(string, ...interface{}) {
+// GetLogger provides a prefix debug logger.
+func GetLogger(prefix string, debug bool) func(string, ...any) {
 	if debug {
 		logger := log.New(output, prefix+":", log.LstdFlags)

-		return func(msg string, args ...interface{}) {
+		return func(msg string, args ...any) {
 			_, file1, pos1, _ := runtime.Caller(1)
 			logger.Printf("%s:%d: %s", filepath.Base(file1), pos1, fmt.Sprintf(msg, args...))
 		}
 	}

-	return func(_ string, _ ...interface{}) {}
+	return func(_ string, _ ...any) {}
 }
--- a/src/runtime/vendor/github.com/go-openapi/analysis/internal/flatten/normalize/normalize.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/internal/flatten/normalize/normalize.go
@@ -1,3 +1,6 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
 package normalize

 import (
@@ -14,8 +17,9 @@ import (
 // NOTE: does not support JSONschema ID for $ref (we assume we are working with swagger specs here).
 //
 // NOTE(windows):
-// * refs are assumed to have been normalized with drive letter lower cased (from go-openapi/spec)
-// * "/ in paths may appear as escape sequences
+//
+//   - refs are assumed to have been normalized with drive letter lower cased (from go-openapi/spec)
+//   - "/ in paths may appear as escape sequences.
 func RebaseRef(baseRef string, ref string) string {
 	baseRef, _ = url.PathUnescape(baseRef)
 	ref, _ = url.PathUnescape(ref)
@@ -66,8 +70,9 @@ func RebaseRef(baseRef string, ref string) string {
 // Path renders absolute path on remote file refs
 //
 // NOTE(windows):
-// * refs are assumed to have been normalized with drive letter lower cased (from go-openapi/spec)
-// * "/ in paths may appear as escape sequences
+//
+//   - refs are assumed to have been normalized with drive letter lower cased (from go-openapi/spec)
+//   - "/ in paths may appear as escape sequences.
 func Path(ref spec.Ref, basePath string) string {
 	uri, _ := url.PathUnescape(ref.String())
 	if ref.HasFragmentOnly || filepath.IsAbs(uri) {
--- a/src/runtime/vendor/github.com/go-openapi/analysis/internal/flatten/operations/operations.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/internal/flatten/operations/operations.go
@@ -1,21 +1,25 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
 package operations

 import (
 	"path"
+	"slices"
 	"sort"
 	"strings"

 	"github.com/go-openapi/jsonpointer"
 	"github.com/go-openapi/spec"
-	"github.com/go-openapi/swag"
+	"github.com/go-openapi/swag/mangling"
 )

-// AllOpRefsByRef returns an index of sortable operations
+// AllOpRefsByRef returns an index of sortable operations.
 func AllOpRefsByRef(specDoc Provider, operationIDs []string) map[string]OpRef {
 	return OpRefsByRef(GatherOperations(specDoc, operationIDs))
 }

-// OpRefsByRef indexes a map of sortable operations
+// OpRefsByRef indexes a map of sortable operations.
 func OpRefsByRef(oprefs map[string]OpRef) map[string]OpRef {
 	result := make(map[string]OpRef, len(oprefs))
 	for _, v := range oprefs {
@@ -25,7 +29,7 @@ func OpRefsByRef(oprefs map[string]OpRef) map[string]OpRef {
 	return result
 }

-// OpRef is an indexable, sortable operation
+// OpRef is an indexable, sortable operation.
 type OpRef struct {
 	Method string
 	Path   string
@@ -35,27 +39,28 @@ type OpRef struct {
 	Ref    spec.Ref
 }

-// OpRefs is a sortable collection of operations
+// OpRefs is a sortable collection of operations.
 type OpRefs []OpRef

 func (o OpRefs) Len() int           { return len(o) }
 func (o OpRefs) Swap(i, j int)      { o[i], o[j] = o[j], o[i] }
 func (o OpRefs) Less(i, j int) bool { return o[i].Key < o[j].Key }

-// Provider knows how to collect operations from a spec
+// Provider knows how to collect operations from a spec.
 type Provider interface {
 	Operations() map[string]map[string]*spec.Operation
 }

-// GatherOperations builds a map of sorted operations from a spec
+// GatherOperations builds a map of sorted operations from a spec.
 func GatherOperations(specDoc Provider, operationIDs []string) map[string]OpRef {
 	var oprefs OpRefs
+	mangler := mangling.NewNameMangler()

 	for method, pathItem := range specDoc.Operations() {
 		for pth, operation := range pathItem {
 			vv := *operation
 			oprefs = append(oprefs, OpRef{
-				Key:    swag.ToGoName(strings.ToLower(method) + " " + pth),
+				Key:    mangler.ToGoName(strings.ToLower(method) + " " + pth),
 				Method: method,
 				Path:   pth,
 				ID:     vv.ID,
@@ -79,7 +84,7 @@ func GatherOperations(specDoc Provider, operationIDs []string) map[string]OpRef
 			nm = opr.Key
 		}

-		if len(operationIDs) == 0 || swag.ContainsStrings(operationIDs, opr.ID) || swag.ContainsStrings(operationIDs, nm) {
+		if len(operationIDs) == 0 || slices.Contains(operationIDs, opr.ID) || slices.Contains(operationIDs, nm) {
 			opr.ID = nm
 			opr.Op.ID = nm
 			operations[nm] = opr
--- a/src/runtime/vendor/github.com/go-openapi/analysis/internal/flatten/replace/errors.go
+++ b/src/runtime/vendor/github.com/go-openapi/analysis/internal/flatten/replace/errors.go
@@ -0,0 +1,64 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package replace
+
+import (
+	"errors"
+	"fmt"
+)
+
+type replaceError string
+
+const (
+	ErrReplace        replaceError = "flatten replace error"
+	ErrUnexpectedType replaceError = "unexpected type used in getPointerFromKey"
+)
+
+func (e replaceError) Error() string {
+	return string(e)
+}
+
+func ErrNoSchemaWithRef(key string, value any) error {
+	return fmt.Errorf("no schema with ref found at %s for %T: %w", key, value, ErrReplace)
+}
+
+func ErrNoSchema(key string) error {
+	return fmt.Errorf("no schema found at %s: %w", key, ErrReplace)
+}
+
+func ErrNotANumber(key string, err error) error {
+	return errors.Join(
+		ErrReplace,
+		fmt.Errorf("%s not a number: %w", key, err),
+	)
+}
+
+func ErrUnhandledParentRewrite(key string, value any) error {
+	return fmt.Errorf("unhandled parent schema rewrite %s: %T: %w", key, value, ErrReplace)
+}
+
+func ErrUnhandledParentType(key string, value any) error {
+	return fmt.Errorf("unhandled type for parent of %s: %T: %w", key, value, ErrReplace)
+}
+
+func ErrNoParent(key string, err error) error {
+	return errors.Join(
+		fmt.Errorf("can't get parent for %s: %w", key, err),
+		ErrReplace,
+	)
+}
+
+func ErrUnhandledContainerType(key string, value any) error {
+	return fmt.Errorf("unhandled container type at %s: %T: %w", key, value, ErrReplace)
+}
+
+func ErrCyclicChain(key string) error {
+	return fmt.Errorf("cannot resolve cyclic chain of pointers under %s: %w", key, ErrReplace)
+}
+
+func ErrInvalidPointerType(key string, value any, err error) error {
+	return fmt.Errorf("invalid type for resolved JSON pointer %s. Expected a schema a, got: %T (%w): %w",
+		key, value, err, ErrReplace,
+	)
+}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .27.0
 .28.0