diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
index 7fe478c56..e0c6975ee 100644
--- a/.github/workflows/go-test.yaml
+++ b/.github/workflows/go-test.yaml
@@ -9,6 +9,13 @@ permissions:
   contents: read
 
 jobs:
+  e2e-build-test:
+    name: e2e-build-test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: e2e-build-test
+        run: make containerized-build TARGET=e2e.test
   go-test:
     name: go-test
     runs-on: ubuntu-latest
diff --git a/go.mod b/go.mod
index 0e065be1a..f6d7f07f8 100644
--- a/go.mod
+++ b/go.mod
@@ -3,9 +3,9 @@ module github.com/ceph/ceph-csi
 go 1.22.0
 
 require (
-	github.com/IBM/keyprotect-go-client v0.12.2
-	github.com/aws/aws-sdk-go v1.53.14
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.1
+	github.com/IBM/keyprotect-go-client v0.14.1
+	github.com/aws/aws-sdk-go v1.54.6
+	github.com/aws/aws-sdk-go-v2/service/sts v1.29.1
 	github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
 	github.com/ceph/go-ceph v0.28.0
 	github.com/container-storage-interface/spec v1.9.0
@@ -16,14 +16,14 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/hashicorp/vault/api v1.12.0
-	github.com/kubernetes-csi/csi-lib-utils v0.17.0
+	github.com/hashicorp/vault/api v1.14.0
+	github.com/kubernetes-csi/csi-lib-utils v0.18.1
 	github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0
 	github.com/libopenstorage/secrets v0.0.0-20231011182615-5f4b25ceede1
-	github.com/onsi/ginkgo/v2 v2.17.1
-	github.com/onsi/gomega v1.32.0
+	github.com/onsi/ginkgo/v2 v2.19.0
+	github.com/onsi/gomega v1.33.1
 	github.com/pkg/xattr v0.4.9
-	github.com/prometheus/client_golang v1.18.0
+	github.com/prometheus/client_golang v1.19.1
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/crypto v0.24.0
 	golang.org/x/net v0.26.0
@@ -46,7 +46,7 @@ require (
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
 )
 
@@ -60,12 +60,12 @@ require (
 	github.com/ansel1/merry/v2 v2.0.1 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
-	github.com/aws/aws-sdk-go-v2 v1.25.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 // indirect
-	github.com/aws/smithy-go v1.20.1 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect
+	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
@@ -82,13 +82,13 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gemalto/flume v0.13.0 // indirect
 	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -96,7 +96,7 @@ require (
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
+	github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -119,7 +119,6 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -135,8 +134,8 @@ require (
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
@@ -158,14 +157,13 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/exp v0.0.0-20220827204233-334a2380cb91 // indirect
-	golang.org/x/oauth2 v0.18.0 // indirect
+	golang.org/x/oauth2 v0.19.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/term v0.21.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
@@ -194,7 +192,15 @@ replace (
 
 	// Required for kubernetes 1.26
 	github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
+
+	// k8s.io/component-base/metrics/testutil depends on v0.47
+	// client_golang v1.18.0 is the last version compatible with common v0.47
+	github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.18.0
+	github.com/prometheus/common => github.com/prometheus/common v0.47.0
+
+	// FIXME: why is this required?
 	gomodules.xyz/jsonpatch/v2 => github.com/gomodules/jsonpatch/v2 v2.2.0
+
 	//
 	// k8s.io/kubernetes depends on these k8s.io packages, but unversioned
 	//
diff --git a/go.sum b/go.sum
index c3ad05fa3..c01e4ecff 100644
--- a/go.sum
+++ b/go.sum
@@ -761,8 +761,8 @@ git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3p
 github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 h1:h4Zxgmi9oyZL2l8jeg1iRTqPloHktywWcu0nlJmo1tA=
@@ -786,8 +786,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
-github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ=
-github.com/IBM/keyprotect-go-client v0.12.2/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
+github.com/IBM/keyprotect-go-client v0.14.1 h1:FSBJ3l6GKCuB3CoQPvVy94lOzYTKpjov8WdSDt5Ercs=
+github.com/IBM/keyprotect-go-client v0.14.1/go.mod h1:cAt714Vnwnd03mmkBHHSJlDNRVthdRmJB6RePd4/B8Q=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
 github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
 github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
@@ -801,13 +801,7 @@ github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm
 github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
 github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
-github.com/alecthomas/kingpin/v2 v2.3.1/go.mod h1:oYL5vtsvEHZGHxU7DMp32Dvx+qL+ptGn6lWaot2vCNE=
-github.com/alecthomas/kingpin/v2 v2.3.2/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
 github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/ansel1/merry v1.5.0/go.mod h1:wUy/yW0JX0ix9GYvUbciq+bi3jW/vlKPlbpI7qdZpOw=
@@ -834,25 +828,24 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws/aws-sdk-go v1.44.164/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
-github.com/aws/aws-sdk-go v1.53.14 h1:SzhkC2Pzag0iRW8WBb80RzKdGXDydJR9LAMs2GyKJ2M=
-github.com/aws/aws-sdk-go v1.53.14/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
-github.com/aws/aws-sdk-go-v2 v1.25.2 h1:/uiG1avJRgLGiQM9X3qJM8+Qa6KRGK5rRPuXE0HUM+w=
-github.com/aws/aws-sdk-go-v2 v1.25.2/go.mod h1:Evoc5AsmtveRt1komDwIsjHFyrP5tDuF1D1U+6z6pNo=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 h1:bNo4LagzUKbjdxE0tIcR9pMzLR2U/Tgie1Hq1HQ3iH8=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2/go.mod h1:wRQv0nN6v9wDXuWThpovGQjqF1HFdcgWjporw14lS8k=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 h1:EtOU5jsPdIQNP+6Q2C5e3d65NKT1PeCiQk+9OdzO12Q=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2/go.mod h1:tyF5sKccmDz0Bv4NrstEr+/9YkSPJHrcO7UsUKf7pWM=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 h1:5ffmXjPtwRExp1zc7gENLgCPyHFbhEPwVTkTiH9niSk=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2/go.mod h1:Ru7vg1iQ7cR4i7SZ/JTLYN9kaXtbL69UdgG0OQWQxW0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.1 h1:3I2cBEYgKhrWlwyZgfpSO2BpaMY1LHPqXYk/QGlu2ew=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.1/go.mod h1:uQ7YYKZt3adCRrdCBREm1CD3efFLOUNH77MrUCvx5oA=
-github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=
-github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
+github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g=
+github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA=
+github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI=
+github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 h1:myX5CxqXE0QMZNja6FA1/FSE3Vu1rVmeUmpJMMzeZg0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.29.1/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE=
+github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
@@ -875,7 +868,6 @@ github.com/ceph/go-ceph v0.28.0 h1:ZjlDV9XiVmBQIe9bKbT5j2Ft/bse3Jm+Ui65yE/oFFU=
 github.com/ceph/go-ceph v0.28.0/go.mod h1:EwEITEDpuFCMnFrPLbV+/Vyi59jUihgCxBKvlTWGot0=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -925,7 +917,6 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
@@ -1000,16 +991,13 @@ github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
-github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
+github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
 github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
 github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
 github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
@@ -1043,8 +1031,9 @@ github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhO
 github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
 github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
@@ -1165,8 +1154,9 @@ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM=
 github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
@@ -1268,8 +1258,8 @@ github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0m
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
-github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
-github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
+github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU=
+github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk=
 github.com/hashicorp/vault/api/auth/approle v0.5.0 h1:a1TK6VGwYqSAfkmX4y4dJ4WBxMU5dStIZqScW4EPXR8=
 github.com/hashicorp/vault/api/auth/approle v0.5.0/go.mod h1:CHOQIA1AZACfjTzHggmyfiOZ+xCSKNRFqe48FTCzH0k=
 github.com/hashicorp/vault/api/auth/kubernetes v0.5.0 h1:CXO0fD7M3iCGovP/UApeHhPcH4paDFKcu7AjEXi94rI=
@@ -1298,14 +1288,12 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
@@ -1333,8 +1321,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubernetes-csi/csi-lib-utils v0.17.0 h1:xEpJ3WYgMyyYF6fvcKHh4cDRtknuTkBS9rG8bYoLTCU=
-github.com/kubernetes-csi/csi-lib-utils v0.17.0/go.mod h1:2Ba5/aQgUjbpqyC2uCcFwMF3rnPVs5jhZXm8jAzcT9Q=
+github.com/kubernetes-csi/csi-lib-utils v0.18.1 h1:vpg1kbQ6lFVCz7mY71zcqVE7W0GAQXXBoFfHvbW3gdw=
+github.com/kubernetes-csi/csi-lib-utils v0.18.1/go.mod h1:PIcn27zmbY0KBue4JDdZVfDF56tjcS3jKroZPi+pMoY=
 github.com/kubernetes-csi/external-snapshotter/client/v4 v4.0.0/go.mod h1:YBCo4DoEeDndqvAn6eeu0vWM7QdXmHEeI9cFWplmBys=
 github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0 h1:j3YK74myEQRxR/srciTpOrm221SAvz6J5OVWbyfeXFo=
 github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0/go.mod h1:FlyYFe32mPxKEPaRXKNxfX576d1AoCzstYDoOOnyMA4=
@@ -1375,7 +1363,6 @@ github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4
 github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
@@ -1411,7 +1398,6 @@ github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwd
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
@@ -1419,7 +1405,6 @@ github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uY
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
@@ -1442,8 +1427,8 @@ github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7
 github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
 github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
-github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8=
-github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
+github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
+github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
 github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@@ -1465,8 +1450,8 @@ github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3ev
 github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk=
-github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
-github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
+github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
+github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
@@ -1490,7 +1475,6 @@ github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFu
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -1511,52 +1495,23 @@ github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQ
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.44.1/go.mod h1:3WYi4xqXxGGXWDdQIITnLNmuDzO5n6wYva9spVhR4fg=
 github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.46.0/go.mod h1:3WYi4xqXxGGXWDdQIITnLNmuDzO5n6wYva9spVhR4fg=
 github.com/prometheus-operator/prometheus-operator/pkg/client v0.46.0/go.mod h1:k4BrWlVQQsvBiTcDnKEMgyh/euRxyxgrHdur/ZX/sdA=
-github.com/prometheus/client_golang v0.9.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
-github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
-github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
 github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
 github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
 github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
-github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
-github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
-github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
-github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
-github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
-github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
-github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
-github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.47.0 h1:p5Cz0FNHo7SnWOmWmoRozVcjEp0bIVU8cV7OShpjL1k=
+github.com/prometheus/common v0.47.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
-github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
 github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
-github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
@@ -1579,7 +1534,6 @@ github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkB
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
@@ -1633,7 +1587,6 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/xhit/go-str2duration v1.2.0/go.mod h1:3cPSlfZlUHVlneIVfePFWcJZsuwf+P1v2SRTV4cUmp4=
 github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
@@ -1733,7 +1686,6 @@ go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
 go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20180820150726-614d502a4dac/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -1758,6 +1710,7 @@ golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98y
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
@@ -1835,7 +1788,6 @@ golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1845,7 +1797,6 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -1877,7 +1828,6 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -1911,6 +1861,7 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
@@ -1947,8 +1898,10 @@ golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw
 golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
 golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
-golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
-golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
+golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4=
+golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
+golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg=
+golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1974,11 +1927,9 @@ golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1997,7 +1948,6 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -2011,8 +1961,6 @@ golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -2034,7 +1982,6 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -2049,7 +1996,6 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -2084,6 +2030,7 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
@@ -2106,6 +2053,7 @@ golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
@@ -2316,8 +2264,6 @@ google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -2557,10 +2503,10 @@ google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -2587,7 +2533,6 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
diff --git a/internal/liveness/liveness.go b/internal/liveness/liveness.go
index 778010e34..2c2fea4cd 100644
--- a/internal/liveness/liveness.go
+++ b/internal/liveness/liveness.go
@@ -67,7 +67,7 @@ func recordLiveness(endpoint, drivername string, pollTime, timeout time.Duration
 		log.FatalLogMsg(err.Error())
 	}
 
-	csiConn, err := connlib.Connect(endpoint, liveMetricsManager)
+	csiConn, err := connlib.Connect(context.Background(), endpoint, liveMetricsManager)
 	if err != nil {
 		// connlib should retry forever so a returned error should mean
 		// the grpc client is misconfigured rather than an error on the network
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
index 6d4b6feb8..a8c2feb6d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
@@ -1,5 +1,29 @@
 # Release History
 
+## 1.7.0 (2024-06-20)
+
+### Features Added
+* `AzurePipelinesCredential` authenticates an Azure Pipelines service connection with
+  workload identity federation
+
+### Breaking Changes
+> These changes affect only code written against a beta version such as v1.7.0-beta.1
+* Removed the persistent token caching API. It will return in v1.8.0-beta.1
+
+## 1.7.0-beta.1 (2024-06-10)
+
+### Features Added
+* Restored `AzurePipelinesCredential` and persistent token caching API
+
+## Breaking Changes
+> These changes affect only code written against a beta version such as v1.6.0-beta.4
+* Values which `NewAzurePipelinesCredential` read from environment variables in
+  prior versions are now parameters
+* Renamed `AzurePipelinesServiceConnectionCredentialOptions` to `AzurePipelinesCredentialOptions`
+
+### Bugs Fixed
+* Managed identity bug fixes
+
 ## 1.6.0 (2024-06-10)
 
 ### Features Added
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
index b5acff0e6..7e201ea2f 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
@@ -140,6 +140,7 @@ client := armresources.NewResourceGroupsClient("subscription ID", chain, nil)
 
 |Credential|Usage
 |-|-
+|[AzurePipelinesCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzurePipelinesCredential)|Authenticate an Azure Pipelines [service connection](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml)
 |[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion
 |[ClientCertificateCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredential)|Authenticate a service principal with a certificate
 |[ClientSecretCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientSecretCredential)|Authenticate a service principal with a secret
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
index f9cc48943..fbaa29220 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD
@@ -57,6 +57,7 @@ The following table indicates the state of in-memory and persistent caching in e
 |--------------------------------|---------------------------------------------------------------------|--------------------------|
 | `AzureCLICredential`           | Not Supported                                                       | Not Supported            |
 | `AzureDeveloperCLICredential`  | Not Supported                                                       | Not Supported            |
+| `AzurePipelinesCredential`     | Supported                                                           | Supported                |
 | `ClientAssertionCredential`    | Supported                                                           | Supported                |
 | `ClientCertificateCredential`  | Supported                                                           | Supported                |
 | `ClientSecretCredential`       | Supported                                                           | Supported                |
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
index 3564e685e..54016a070 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
@@ -10,6 +10,7 @@ This troubleshooting guide covers failure investigation techniques, common error
 - [Enable and configure logging](#enable-and-configure-logging)
 - [Troubleshoot AzureCLICredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
 - [Troubleshoot AzureDeveloperCLICredential authentication issues](#troubleshoot-azuredeveloperclicredential-authentication-issues)
+- [Troubleshoot AzurePipelinesCredential authentication issues](#troubleshoot-azurepipelinescredential-authentication-issues)
 - [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
 - [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
 - [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues)
@@ -226,6 +227,15 @@ azd auth token --output json --scope https://management.core.windows.net/.defaul
 |---|---|---|
 |no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.<ul><li>If your application runs on Azure Kubernetes Servide (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.<li>If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions`
 
+<a id="apc"></a>
+## Troubleshoot AzurePipelinesCredential authentication issues
+
+| Error Message |Description| Mitigation |
+|---|---|---|
+| AADSTS900023: Specified tenant identifier 'some tenant ID' is neither a valid DNS name, nor a valid external domain.|The `tenantID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the tenant ID. It must identify the tenant of the user-assigned managed identity or service principal configured for the service connection.|
+| No service connection found with identifier |The `serviceConnectionID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the service connection ID. This parameter refers to the `resourceId` of the Azure Service Connection. It can also be found in the query string of the service connection's configuration in Azure DevOps. [Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml) has more information about service connections.|
+|302 (Found) response from OIDC endpoint|The `systemAccessToken` argument to `NewAzurePipelinesCredential` is incorrect|Check pipeline configuration. This value comes from the predefined variable `System.AccessToken` [as described in Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken).|
+
 ## Get additional help
 
 Additional information on ways to reach out for support can be found in [SUPPORT.md](https://github.com/Azure/azure-sdk-for-go/blob/main/SUPPORT.md).
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
index 2655543ae..80c1806bb 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go
@@ -19,21 +19,20 @@ import (
 const (
 	credNameAzurePipelines = "AzurePipelinesCredential"
 	oidcAPIVersion         = "7.1"
-	systemAccessToken      = "SYSTEM_ACCESSTOKEN"
 	systemOIDCRequestURI   = "SYSTEM_OIDCREQUESTURI"
 )
 
-// azurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See
+// AzurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See
 // [Azure Pipelines documentation] for more information.
 //
 // [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-that-uses-workload-identity-federation
-type azurePipelinesCredential struct {
+type AzurePipelinesCredential struct {
 	connectionID, oidcURI, systemAccessToken string
 	cred                                     *ClientAssertionCredential
 }
 
-// azurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential.
-type azurePipelinesCredentialOptions struct {
+// AzurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential.
+type AzurePipelinesCredentialOptions struct {
 	azcore.ClientOptions
 
 	// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
@@ -48,28 +47,39 @@ type azurePipelinesCredentialOptions struct {
 	DisableInstanceDiscovery bool
 }
 
-// newAzurePipelinesCredential is the constructor for AzurePipelinesCredential. In addition to its required arguments,
-// it reads a security token for the running build, which is required to authenticate the service connection, from the
-// environment variable SYSTEM_ACCESSTOKEN. See the [Azure Pipelines documentation] for an example showing how to set
-// this variable in build job YAML.
+// NewAzurePipelinesCredential is the constructor for AzurePipelinesCredential.
+//
+//   - tenantID: tenant ID of the service principal federated with the service connection
+//   - clientID: client ID of that service principal
+//   - serviceConnectionID: ID of the service connection to authenticate
+//   - systemAccessToken: security token for the running build. See [Azure Pipelines documentation] for
+//     an example showing how to get this value.
 //
 // [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
-func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string, options *azurePipelinesCredentialOptions) (*azurePipelinesCredential, error) {
-	if options == nil {
-		options = &azurePipelinesCredentialOptions{}
+func NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, systemAccessToken string, options *AzurePipelinesCredentialOptions) (*AzurePipelinesCredential, error) {
+	if !validTenantID(tenantID) {
+		return nil, errInvalidTenantID
+	}
+	if clientID == "" {
+		return nil, errors.New("no client ID specified")
+	}
+	if serviceConnectionID == "" {
+		return nil, errors.New("no service connection ID specified")
+	}
+	if systemAccessToken == "" {
+		return nil, errors.New("no system access token specified")
 	}
 	u := os.Getenv(systemOIDCRequestURI)
 	if u == "" {
 		return nil, fmt.Errorf("no value for environment variable %s. This should be set by Azure Pipelines", systemOIDCRequestURI)
 	}
-	sat := os.Getenv(systemAccessToken)
-	if sat == "" {
-		return nil, errors.New("no value for environment variable " + systemAccessToken)
-	}
-	a := azurePipelinesCredential{
+	a := AzurePipelinesCredential{
 		connectionID:      serviceConnectionID,
 		oidcURI:           u,
-		systemAccessToken: sat,
+		systemAccessToken: systemAccessToken,
+	}
+	if options == nil {
+		options = &AzurePipelinesCredentialOptions{}
 	}
 	caco := ClientAssertionCredentialOptions{
 		AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
@@ -86,7 +96,7 @@ func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string,
 }
 
 // GetToken requests an access token from Microsoft Entra ID. Azure SDK clients call this method automatically.
-func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
+func (a *AzurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
 	var err error
 	ctx, endSpan := runtime.StartSpan(ctx, credNameAzurePipelines+"."+traceOpGetToken, a.cred.client.azClient.Tracer(), nil)
 	defer func() { endSpan(err) }()
@@ -94,7 +104,7 @@ func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.Tok
 	return tk, err
 }
 
-func (a *azurePipelinesCredential) getAssertion(ctx context.Context) (string, error) {
+func (a *AzurePipelinesCredential) getAssertion(ctx context.Context) (string, error) {
 	url := a.oidcURI + "?api-version=" + oidcAPIVersion + "&serviceConnectionId=" + a.connectionID
 	url, err := runtime.EncodeQueryParams(url)
 	if err != nil {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
index 698650bbb..35fa01d13 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
@@ -83,6 +83,8 @@ func (e *AuthenticationFailedError) Error() string {
 		anchor = "azure-cli"
 	case credNameAzureDeveloperCLI:
 		anchor = "azd"
+	case credNameAzurePipelines:
+		anchor = "apc"
 	case credNameCert:
 		anchor = "client-cert"
 	case credNameSecret:
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
index 459ef64c6..4305b5d3d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
@@ -14,5 +14,5 @@ const (
 	module = "github.com/Azure/azure-sdk-for-go/sdk/" + component
 
 	// Version is the semantic version (see http://semver.org) of this module.
-	version = "v1.6.0"
+	version = "v1.7.0"
 )
diff --git a/vendor/github.com/IBM/keyprotect-go-client/.travis.yml b/vendor/github.com/IBM/keyprotect-go-client/.travis.yml
index 617e89bf1..cd1e42aa3 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/.travis.yml
+++ b/vendor/github.com/IBM/keyprotect-go-client/.travis.yml
@@ -1,6 +1,6 @@
 language: go
 
-dist: bionic
+dist: jammy
 
 go:
 - 1.17.x
@@ -13,7 +13,6 @@ env:
 
 before_install:
   - sudo apt-get update
-  - pyenv global 3.8
 
 before_script:
   - GO111MODULE=off go get -u github.com/haya14busa/goverage
@@ -27,6 +26,9 @@ script:
   - $GOPATH/bin/goverage -v -race -coverprofile=cover.out $(go list ./... | grep -v '/vendor|/scripts')
   - go tool cover -func=cover.out
   - go tool cover -html=cover.out -o=cover.html
+ # these steps are to make sure that node will properly install for semantic release.
+  - nvm install node
+  - npm install -g npm
 
 # To enable semantic-release, uncomment these sections.
 before_deploy:
diff --git a/vendor/github.com/IBM/keyprotect-go-client/CONTRIBUTING.md b/vendor/github.com/IBM/keyprotect-go-client/CONTRIBUTING.md
index 3f9ac45dc..26698bbd7 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/CONTRIBUTING.md
+++ b/vendor/github.com/IBM/keyprotect-go-client/CONTRIBUTING.md
@@ -11,6 +11,10 @@ please open a [Github Issue](https://github.com/IBM/keyprotect-go-client/issues)
 
 For your pull request to be merged, it must meet the criteria of a "correct patch", and also
 be fully reviewed and approved by two Maintainer level contributors.
+The PR should be named with the proper prefix to satisfy the semantic release. 
+- `fix(build):` for patch version bump (0.0.x)
+- `feat(build):` for minor version bump (0.x.0)
+- `perf(build):` for major version bump (x.0.0)
 
 A correct patch is defined as the following:
 
diff --git a/vendor/github.com/IBM/keyprotect-go-client/instances.go b/vendor/github.com/IBM/keyprotect-go-client/instances.go
index 598de0909..f83fcf233 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/instances.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/instances.go
@@ -61,14 +61,14 @@ type PolicyData struct {
 
 // Attributes contains the details of an instance policy
 type Attributes struct {
-	AllowedNetwork    *string     `json:"allowed_network,omitempty"`
-	AllowedIP         IPAddresses `json:"allowed_ip,omitempty"`
-	CreateRootKey     *bool       `json:"create_root_key,omitempty"`
-	CreateStandardKey *bool       `json:"create_standard_key,omitempty"`
-	ImportRootKey     *bool       `json:"import_root_key,omitempty"`
-	ImportStandardKey *bool       `json:"import_standard_key,omitempty"`
-	EnforceToken      *bool       `json:"enforce_token,omitempty"`
-	IntervalMonth     *int        `json:"interval_month,omitempty"`
+	AllowedNetwork    *string      `json:"allowed_network,omitempty"`
+	AllowedIP         *IPAddresses `json:"allowed_ip,omitempty"`
+	CreateRootKey     *bool        `json:"create_root_key,omitempty"`
+	CreateStandardKey *bool        `json:"create_standard_key,omitempty"`
+	ImportRootKey     *bool        `json:"import_root_key,omitempty"`
+	ImportStandardKey *bool        `json:"import_standard_key,omitempty"`
+	EnforceToken      *bool        `json:"enforce_token,omitempty"`
+	IntervalMonth     *int         `json:"interval_month,omitempty"`
 }
 
 // IPAddresses ...
@@ -313,7 +313,8 @@ func (c *Client) SetAllowedIPInstancePolicy(ctx context.Context, enable bool, al
 	// The IP address validation is performed by the key protect service.
 	if enable && len(allowedIPs) != 0 {
 		policy.PolicyData.Attributes = &Attributes{}
-		policy.PolicyData.Attributes.AllowedIP = allowedIPs
+		ips := IPAddresses(allowedIPs)
+		policy.PolicyData.Attributes.AllowedIP = &ips
 	} else if enable && len(allowedIPs) == 0 {
 		return fmt.Errorf("Please provide at least 1 IP subnet specified with CIDR notation")
 	} else if !enable && len(allowedIPs) != 0 {
@@ -445,17 +446,21 @@ type AllowedNetworkPolicyData struct {
 // AllowedIPPolicyData defines the attribute input for the Allowed IP instance policy
 type AllowedIPPolicyData struct {
 	Enabled     bool
-	IPAddresses IPAddresses
+	IPAddresses *IPAddresses
 }
 
 // KeyAccessInstancePolicyData defines the attribute input for the Key Create Import Access instance policy
 type KeyCreateImportAccessInstancePolicy struct {
-	Enabled           bool
-	CreateRootKey     bool
-	CreateStandardKey bool
-	ImportRootKey     bool
-	ImportStandardKey bool
-	EnforceToken      bool
+	Enabled    bool
+	Attributes *KeyCreateImportAccessInstancePolicyAttributes
+}
+
+type KeyCreateImportAccessInstancePolicyAttributes struct {
+	CreateRootKey     *bool
+	CreateStandardKey *bool
+	ImportRootKey     *bool
+	ImportStandardKey *bool
+	EnforceToken      *bool
 }
 
 type RotationPolicyData struct {
@@ -492,6 +497,7 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic
 			PolicyType: AllowedNetwork,
 			PolicyData: PolicyData{
 				Enabled: &(policies.AllowedNetwork.Enabled),
+				// due to legacy reasons, the allowed_network policy requires attribute to always be specified
 				Attributes: &Attributes{
 					AllowedNetwork: &(policies.AllowedNetwork.Network),
 				},
@@ -527,16 +533,19 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic
 		policy := InstancePolicy{
 			PolicyType: KeyCreateImportAccess,
 			PolicyData: PolicyData{
-				Enabled:    &(policies.KeyCreateImportAccess.Enabled),
-				Attributes: &Attributes{},
+				Enabled: &(policies.KeyCreateImportAccess.Enabled),
 			},
 		}
 
-		policy.PolicyData.Attributes.CreateRootKey = &policies.KeyCreateImportAccess.CreateRootKey
-		policy.PolicyData.Attributes.CreateStandardKey = &policies.KeyCreateImportAccess.CreateStandardKey
-		policy.PolicyData.Attributes.ImportRootKey = &policies.KeyCreateImportAccess.ImportRootKey
-		policy.PolicyData.Attributes.ImportStandardKey = &policies.KeyCreateImportAccess.ImportStandardKey
-		policy.PolicyData.Attributes.EnforceToken = &policies.KeyCreateImportAccess.EnforceToken
+		if attr := policies.KeyCreateImportAccess.Attributes; attr != nil {
+			policy.PolicyData.Attributes = &Attributes{
+				CreateRootKey:     attr.CreateRootKey,
+				CreateStandardKey: attr.CreateStandardKey,
+				ImportRootKey:     attr.ImportRootKey,
+				ImportStandardKey: attr.ImportStandardKey,
+				EnforceToken:      attr.EnforceToken,
+			}
+		}
 
 		resPolicies = append(resPolicies, policy)
 	}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/key_rings.go b/vendor/github.com/IBM/keyprotect-go-client/key_rings.go
index a88961c9a..3e5f3ecb0 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/key_rings.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/key_rings.go
@@ -9,7 +9,7 @@ import (
 )
 
 const (
-	path = "key_rings"
+	keyRingPath = "key_rings"
 )
 
 type KeyRing struct {
@@ -28,7 +28,7 @@ type KeyRings struct {
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#create-key-ring-api
 func (c *Client) CreateKeyRing(ctx context.Context, id string) error {
 
-	req, err := c.newRequest("POST", fmt.Sprintf(path+"/%s", id), nil)
+	req, err := c.newRequest("POST", fmt.Sprintf(keyRingPath+"/%s", id), nil)
 	if err != nil {
 		return err
 	}
@@ -46,7 +46,7 @@ func (c *Client) CreateKeyRing(ctx context.Context, id string) error {
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#list-key-ring-api
 func (c *Client) GetKeyRings(ctx context.Context) (*KeyRings, error) {
 	rings := KeyRings{}
-	req, err := c.newRequest("GET", path, nil)
+	req, err := c.newRequest("GET", keyRingPath, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -73,7 +73,7 @@ func WithForce(force bool) DeleteKeyRingQueryOption {
 // For information please refer to the link below:
 // https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#delete-key-ring-api
 func (c *Client) DeleteKeyRing(ctx context.Context, id string, opts ...DeleteKeyRingQueryOption) error {
-	req, err := c.newRequest("DELETE", fmt.Sprintf(path+"/%s", id), nil)
+	req, err := c.newRequest("DELETE", fmt.Sprintf(keyRingPath+"/%s", id), nil)
 	for _, opt := range opts {
 		opt(req)
 	}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_adapters.go b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_adapters.go
new file mode 100644
index 000000000..4a85a868a
--- /dev/null
+++ b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_adapters.go
@@ -0,0 +1,164 @@
+package kp
+
+import (
+	"context"
+	"fmt"
+	"time"
+)
+
+const (
+	kmipAdapterPath = "kmip_adapters"
+	kmipAdapterType = "application/vnd.ibm.kms.kmip_adapter+json"
+)
+
+type KMIPAdapter struct {
+	ID          string            `json:"id,omitempty"`
+	Profile     string            `json:"profile,omitempty"`
+	ProfileData map[string]string `json:"profile_data,omitempty"`
+	Name        string            `json:"name,omitempty"`
+	Description string            `json:"description"`
+	CreatedBy   string            `json:"created_by,omitempty"`
+	CreatedAt   *time.Time        `json:"created_at,omitempty"`
+	UpdatedBy   string            `json:"updated_by,omitempty"`
+	UpdatedAt   *time.Time        `json:"updated_at,omitempty"`
+}
+
+type KMIPAdapters struct {
+	Metadata CollectionMetadata `json:"metadata"`
+	Adapters []KMIPAdapter      `json:"resources"`
+}
+
+const (
+	KMIP_Profile_Native = "native_1.0"
+)
+
+// CreateKMIPAdapter method creates a KMIP Adapter with the specified profile.
+func (c *Client) CreateKMIPAdapter(ctx context.Context, profileOpt CreateKMIPAdapterProfile, options ...CreateKMIPAdapterOption) (*KMIPAdapter, error) {
+	newAdapter := &KMIPAdapter{}
+	profileOpt(newAdapter)
+	for _, opt := range options {
+		opt(newAdapter)
+	}
+	req, err := c.newRequest("POST", kmipAdapterPath, wrapKMIPAdapter(*newAdapter))
+	if err != nil {
+		return nil, err
+	}
+
+	create_resp := &KMIPAdapters{}
+	_, err = c.do(ctx, req, create_resp)
+	if err != nil {
+		return nil, err
+	}
+	return unwrapKMIPAdapterResp(create_resp), nil
+}
+
+// Functions to be passed into the CreateKMIPAdapter() method to specify specific fields.
+type CreateKMIPAdapterOption func(*KMIPAdapter)
+type CreateKMIPAdapterProfile func(*KMIPAdapter)
+
+func WithKMIPAdapterName(name string) CreateKMIPAdapterOption {
+	return func(adapter *KMIPAdapter) {
+		adapter.Name = name
+	}
+}
+
+func WithKMIPAdapterDescription(description string) CreateKMIPAdapterOption {
+	return func(adapter *KMIPAdapter) {
+		adapter.Description = description
+	}
+}
+
+func WithNativeProfile(crkID string) CreateKMIPAdapterProfile {
+	return func(adapter *KMIPAdapter) {
+		adapter.Profile = KMIP_Profile_Native
+
+		adapter.ProfileData = map[string]string{
+			"crk_id": crkID,
+		}
+	}
+}
+
+type ListKmipAdaptersOptions struct {
+	Limit      *uint32
+	Offset     *uint32
+	TotalCount *bool
+	CrkID      *string
+}
+
+// GetKMIPAdapters method lists KMIP Adapters associated with a specific KP instance.
+func (c *Client) GetKMIPAdapters(ctx context.Context, listOpts *ListKmipAdaptersOptions) (*KMIPAdapters, error) {
+	adapters := KMIPAdapters{}
+	req, err := c.newRequest("GET", kmipAdapterPath, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if listOpts != nil {
+		values := req.URL.Query()
+		if listOpts.Limit != nil {
+			values.Set("limit", fmt.Sprint(*listOpts.Limit))
+		}
+		if listOpts.Offset != nil {
+			values.Set("offset", fmt.Sprint(*listOpts.Offset))
+		}
+		if listOpts.TotalCount != nil {
+			values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
+		}
+		if listOpts.CrkID != nil {
+			values.Set("crk_id", *listOpts.CrkID)
+		}
+		req.URL.RawQuery = values.Encode()
+	}
+
+	_, err = c.do(ctx, req, &adapters)
+	if err != nil {
+		return nil, err
+	}
+
+	return &adapters, nil
+}
+
+// GetKMIPAdapter method retrieves a single KMIP Adapter by name or ID.
+func (c *Client) GetKMIPAdapter(ctx context.Context, nameOrID string) (*KMIPAdapter, error) {
+	adapters := KMIPAdapters{}
+	req, err := c.newRequest("GET", fmt.Sprintf("%s/%s", kmipAdapterPath, nameOrID), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = c.do(ctx, req, &adapters)
+	if err != nil {
+		return nil, err
+	}
+
+	return unwrapKMIPAdapterResp(&adapters), nil
+}
+
+// DeletesKMIPAdapter method deletes a single KMIP Adapter by name or ID.
+func (c *Client) DeleteKMIPAdapter(ctx context.Context, nameOrID string) error {
+	req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s", kmipAdapterPath, nameOrID), nil)
+	if err != nil {
+		return err
+	}
+
+	_, err = c.do(ctx, req, nil)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func wrapKMIPAdapter(adapter KMIPAdapter) KMIPAdapters {
+	return KMIPAdapters{
+		Metadata: CollectionMetadata{
+			CollectionType:  kmipAdapterType,
+			CollectionTotal: 1,
+		},
+		Adapters: []KMIPAdapter{adapter},
+	}
+}
+
+func unwrapKMIPAdapterResp(resp *KMIPAdapters) *KMIPAdapter {
+	return &resp.Adapters[0]
+}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_certs.go b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_certs.go
new file mode 100644
index 000000000..06cf9afc9
--- /dev/null
+++ b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_certs.go
@@ -0,0 +1,136 @@
+package kp
+
+import (
+	"context"
+	"fmt"
+	"time"
+)
+
+const (
+	kmipClientCertSubPath = "certificates"
+	kmipClientCertType    = "application/vnd.ibm.kms.kmip_client_certificate+json"
+)
+
+type KMIPClientCertificate struct {
+	ID          string     `json:"id,omitempty"`
+	Name        string     `json:"name,omitempty"`
+	Certificate string     `json:"certificate,omitempty"`
+	CreatedBy   string     `json:"created_by,omitempty"`
+	CreatedAt   *time.Time `json:"created_at,omitempty"`
+}
+
+type KMIPClientCertificates struct {
+	Metadata     CollectionMetadata      `json:"metadata"`
+	Certificates []KMIPClientCertificate `json:"resources"`
+}
+
+// CreateKMIPClientCertificate registers/creates a KMIP PEM format certificate
+// for use with a specific KMIP adapter.
+// cert_payload is the string representation of
+// the certificate to be associated with the KMIP Adapter in PEM format.
+// It should explicitly have the BEGIN CERTIFICATE and END CERTIFICATE tags.
+// Regex: ^\s*-----BEGIN CERTIFICATE-----[A-Za-z0-9+\/\=\r\n]+-----END CERTIFICATE-----\s*$
+func (c *Client) CreateKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_payload string, opts ...CreateKMIPClientCertOption) (*KMIPClientCertificate, error) {
+	newCert := &KMIPClientCertificate{
+		Certificate: cert_payload,
+	}
+	for _, opt := range opts {
+		opt(newCert)
+	}
+	req, err := c.newRequest("POST", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath), wrapKMIPClientCert(*newCert))
+	if err != nil {
+		return nil, err
+	}
+	certResp := &KMIPClientCertificates{}
+	_, err = c.do(ctx, req, certResp)
+	if err != nil {
+		return nil, err
+	}
+
+	return unwrapKMIPClientCert(certResp), nil
+}
+
+type CreateKMIPClientCertOption func(*KMIPClientCertificate)
+
+func WithKMIPClientCertName(name string) CreateKMIPClientCertOption {
+	return func(cert *KMIPClientCertificate) {
+		cert.Name = name
+	}
+}
+
+// GetKMIPClientCertificates lists all certificates associated with a KMIP adapter
+func (c *Client) GetKMIPClientCertificates(ctx context.Context, adapter_nameOrID string, listOpts *ListOptions) (*KMIPClientCertificates, error) {
+	certs := KMIPClientCertificates{}
+	req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if listOpts != nil {
+		values := req.URL.Query()
+		if listOpts.Limit != nil {
+			values.Set("limit", fmt.Sprint(*listOpts.Limit))
+		}
+		if listOpts.Offset != nil {
+			values.Set("offset", fmt.Sprint(*listOpts.Offset))
+		}
+		if listOpts.TotalCount != nil {
+			values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
+		}
+		req.URL.RawQuery = values.Encode()
+	}
+
+	_, err = c.do(ctx, req, &certs)
+	if err != nil {
+		return nil, err
+	}
+
+	return &certs, nil
+}
+
+// GetKMIPClientCertificate gets a single certificate associated with a KMIP adapter
+func (c *Client) GetKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_nameOrID string) (*KMIPClientCertificate, error) {
+	certs := &KMIPClientCertificates{}
+	req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s/%s",
+		kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath, cert_nameOrID), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = c.do(ctx, req, certs)
+	if err != nil {
+		return nil, err
+	}
+
+	return unwrapKMIPClientCert(certs), nil
+}
+
+// DeleteKMIPClientCertificate deletes a single certificate
+func (c *Client) DeleteKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_nameOrID string) error {
+	req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s/%s/%s",
+		kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath, cert_nameOrID), nil)
+	if err != nil {
+		return err
+	}
+
+	_, err = c.do(ctx, req, nil)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func wrapKMIPClientCert(cert KMIPClientCertificate) KMIPClientCertificates {
+	return KMIPClientCertificates{
+		Metadata: CollectionMetadata{
+			CollectionType:  kmipClientCertType,
+			CollectionTotal: 1,
+		},
+		Certificates: []KMIPClientCertificate{cert},
+	}
+}
+
+func unwrapKMIPClientCert(certs *KMIPClientCertificates) *KMIPClientCertificate {
+	return &certs.Certificates[0]
+}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_objects.go b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_objects.go
new file mode 100644
index 000000000..11c5cdfe5
--- /dev/null
+++ b/vendor/github.com/IBM/keyprotect-go-client/kmip_mgmt_objects.go
@@ -0,0 +1,122 @@
+package kp
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+)
+
+const (
+	kmipObjectSubPath = "kmip_objects"
+	kmipObjectType    = "application/vnd.ibm.kms.kmip_object+json"
+)
+
+type KMIPObject struct {
+	ID                string     `json:"id,omitempty"`
+	KMIPObjectType    int        `json:"kmip_object_type,omitempty"`
+	ObjectState       int        `json:"state,omitempty"`
+	CreatedByCertID   string     `json:"created_by_kmip_client_cert_id,omitempty"`
+	CreatedBy         string     `json:"created_by,omitempty"`
+	CreatedAt         *time.Time `json:"created_at,omitempty"`
+	UpdatedByCertID   string     `json:"updated_by_kmip_client_cert_id,omitempty"`
+	UpdatedBy         string     `json:"updated_by,omitempty"`
+	UpdatedAt         *time.Time `json:"updated_at,omitempty"`
+	DestroyedByCertID string     `json:"destroyed_by_kmip_client_cert_id,omitempty"`
+	DestroyedBy       string     `json:"destroyed_by,omitempty"`
+	DestroyedAt       *time.Time `json:"destroyed_at,omitempty"`
+}
+
+type KMIPObjects struct {
+	Metadata CollectionMetadata `json:"metadata"`
+	Objects  []KMIPObject       `json:"resources"`
+}
+
+type ListKmipObjectsOptions struct {
+	Limit             *uint32
+	Offset            *uint32
+	TotalCount        *bool
+	ObjectStateFilter *[]int32
+}
+
+func (c *Client) GetKMIPObjects(ctx context.Context, adapter_id string, listOpts *ListKmipObjectsOptions) (*KMIPObjects, error) {
+	objects := KMIPObjects{}
+	req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_id, kmipObjectSubPath), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if listOpts != nil {
+		values := req.URL.Query()
+		if listOpts.Limit != nil {
+			values.Set("limit", fmt.Sprint(*listOpts.Limit))
+		}
+		if listOpts.Offset != nil {
+			values.Set("offset", fmt.Sprint(*listOpts.Offset))
+		}
+		if listOpts.TotalCount != nil {
+			values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
+		}
+		if listOpts.ObjectStateFilter != nil {
+			var stateStrs []string
+			for _, i := range *listOpts.ObjectStateFilter {
+				stateStrs = append(stateStrs, strconv.FormatInt(int64(i), 10))
+			}
+			values.Set("state", strings.Join(stateStrs, ","))
+		}
+		req.URL.RawQuery = values.Encode()
+	}
+
+	_, err = c.do(ctx, req, &objects)
+	if err != nil {
+		return nil, err
+	}
+
+	return &objects, nil
+}
+
+func (c *Client) GetKMIPObject(ctx context.Context, adapter_id, object_id string) (*KMIPObject, error) {
+	objects := &KMIPObjects{}
+	req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s/%s",
+		kmipAdapterPath, adapter_id, kmipObjectSubPath, object_id), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = c.do(ctx, req, objects)
+	if err != nil {
+		return nil, err
+	}
+
+	return unwrapKMIPObject(objects), nil
+}
+
+func (c *Client) DeleteKMIPObject(ctx context.Context, adapter_id, object_id string) error {
+	req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s/%s/%s",
+		kmipAdapterPath, adapter_id, kmipObjectSubPath, object_id), nil)
+	if err != nil {
+		return err
+	}
+
+	_, err = c.do(ctx, req, nil)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func wrapKMIPObject(object KMIPObject) KMIPObjects {
+	return KMIPObjects{
+		Metadata: CollectionMetadata{
+			CollectionType:  kmipObjectType,
+			CollectionTotal: 1,
+		},
+		Objects: []KMIPObject{object},
+	}
+}
+
+func unwrapKMIPObject(objects *KMIPObjects) *KMIPObject {
+	return &objects.Objects[0]
+}
diff --git a/vendor/github.com/IBM/keyprotect-go-client/kp.go b/vendor/github.com/IBM/keyprotect-go-client/kp.go
index 976324f62..bae2e62ca 100644
--- a/vendor/github.com/IBM/keyprotect-go-client/kp.go
+++ b/vendor/github.com/IBM/keyprotect-go-client/kp.go
@@ -23,7 +23,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
@@ -276,7 +275,7 @@ func (c *Client) do(ctx context.Context, req *http.Request, res interface{}) (*h
 	}
 	defer response.Body.Close()
 
-	resBody, err := ioutil.ReadAll(response.Body)
+	resBody, err := io.ReadAll(response.Body)
 	redact := []string{c.Config.APIKey, req.Header.Get("authorization")}
 	c.Dump(req, response, []byte{}, resBody, c.Logger, redact)
 	if err != nil {
@@ -515,3 +514,17 @@ func redact(s string, redactStrings []string) string {
 func noredact(s string, redactStrings []string) string {
 	return s
 }
+
+// Collection Metadata is generic and can be shared between multiple resource types
+type CollectionMetadata struct {
+	CollectionType  string `json:"collectionType"`
+	CollectionTotal int    `json:"collectionTotal"`
+	TotalCount      int    `json:"totalCount,omitempty"`
+}
+
+// ListsOptions struct to add the query parameters for list functions. Extensible.
+type ListOptions struct {
+	Limit      *uint32
+	Offset     *uint32
+	TotalCount *bool
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/accountid_endpoint_mode.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/accountid_endpoint_mode.go
new file mode 100644
index 000000000..6504a2186
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/accountid_endpoint_mode.go
@@ -0,0 +1,18 @@
+package aws
+
+// AccountIDEndpointMode controls how a resolved AWS account ID is handled for endpoint routing.
+type AccountIDEndpointMode string
+
+const (
+	// AccountIDEndpointModeUnset indicates the AWS account ID will not be used for endpoint routing
+	AccountIDEndpointModeUnset AccountIDEndpointMode = ""
+
+	// AccountIDEndpointModePreferred indicates the AWS account ID will be used for endpoint routing if present
+	AccountIDEndpointModePreferred = "preferred"
+
+	// AccountIDEndpointModeRequired indicates an error will be returned if the AWS account ID is not resolved from identity
+	AccountIDEndpointModeRequired = "required"
+
+	// AccountIDEndpointModeDisabled indicates the AWS account ID will be ignored during endpoint routing
+	AccountIDEndpointModeDisabled = "disabled"
+)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go
index 2264200c1..16000d792 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/config.go
@@ -162,6 +162,9 @@ type Config struct {
 	// This variable is sourced from environment variable AWS_REQUEST_MIN_COMPRESSION_SIZE_BYTES or
 	// the shared config profile attribute request_min_compression_size_bytes
 	RequestMinCompressSizeBytes int64
+
+	// Controls how a resolved AWS account ID is handled for endpoint routing.
+	AccountIDEndpointMode AccountIDEndpointMode
 }
 
 // NewConfig returns a new Config pointer that can be chained with builder
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
index 714d4ad85..98ba77056 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/credentials.go
@@ -90,6 +90,9 @@ type Credentials struct {
 	// The time the credentials will expire at. Should be ignored if CanExpire
 	// is false.
 	Expires time.Time
+
+	// The ID of the account for the credentials.
+	AccountID string
 }
 
 // Expired returns if the credentials have expired.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go
index aa10a9b40..99edbf3ee 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/endpoints.go
@@ -70,6 +70,10 @@ func GetUseFIPSEndpoint(options ...interface{}) (value FIPSEndpointState, found
 // The SDK will automatically resolve these endpoints per API client using an
 // internal endpoint resolvers. If you'd like to provide custom endpoint
 // resolving behavior you can implement the EndpointResolver interface.
+//
+// Deprecated: This structure was used with the global [EndpointResolver]
+// interface, which has been deprecated in favor of service-specific endpoint
+// resolution. See the deprecation docs on that interface for more information.
 type Endpoint struct {
 	// The base URL endpoint the SDK API clients will use to make API calls to.
 	// The SDK will suffix URI path and query elements to this endpoint.
@@ -124,6 +128,8 @@ type Endpoint struct {
 }
 
 // EndpointSource is the endpoint source type.
+//
+// Deprecated: The global [Endpoint] structure is deprecated.
 type EndpointSource int
 
 const (
@@ -161,19 +167,25 @@ func (e *EndpointNotFoundError) Unwrap() error {
 // API clients will fallback to attempting to resolve the endpoint using its
 // internal default endpoint resolver.
 //
-// Deprecated: See EndpointResolverWithOptions
+// Deprecated: The global endpoint resolution interface is deprecated. The API
+// for endpoint resolution is now unique to each service and is set via the
+// EndpointResolverV2 field on service client options. Setting a value for
+// EndpointResolver on aws.Config or service client options will prevent you
+// from using any endpoint-related service features released after the
+// introduction of EndpointResolverV2. You may also encounter broken or
+// unexpected behavior when using the old global interface with services that
+// use many endpoint-related customizations such as S3.
 type EndpointResolver interface {
 	ResolveEndpoint(service, region string) (Endpoint, error)
 }
 
 // EndpointResolverFunc wraps a function to satisfy the EndpointResolver interface.
 //
-// Deprecated: See EndpointResolverWithOptionsFunc
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [EndpointResolver].
 type EndpointResolverFunc func(service, region string) (Endpoint, error)
 
 // ResolveEndpoint calls the wrapped function and returns the results.
-//
-// Deprecated: See EndpointResolverWithOptions.ResolveEndpoint
 func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint, error) {
 	return e(service, region)
 }
@@ -184,11 +196,17 @@ func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint,
 // available. If the EndpointResolverWithOptions returns an EndpointNotFoundError error,
 // API clients will fallback to attempting to resolve the endpoint using its
 // internal default endpoint resolver.
+//
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [EndpointResolver].
 type EndpointResolverWithOptions interface {
 	ResolveEndpoint(service, region string, options ...interface{}) (Endpoint, error)
 }
 
 // EndpointResolverWithOptionsFunc wraps a function to satisfy the EndpointResolverWithOptions interface.
+//
+// Deprecated: The global endpoint resolution interface is deprecated. See
+// deprecation docs on [EndpointResolver].
 type EndpointResolverWithOptionsFunc func(service, region string, options ...interface{}) (Endpoint, error)
 
 // ResolveEndpoint calls the wrapped function and returns the results.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
index 12a331499..51a396ba7 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go
@@ -3,4 +3,4 @@
 package aws
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.25.2"
+const goModuleVersion = "1.30.0"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go
index b0133f4c8..19d6107c4 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go
@@ -112,6 +112,8 @@ type MetricData struct {
 	ResolveEndpointStartTime   time.Time
 	ResolveEndpointEndTime     time.Time
 	EndpointResolutionDuration time.Duration
+	GetIdentityStartTime       time.Time
+	GetIdentityEndTime         time.Time
 	InThroughput               float64
 	OutThroughput              float64
 	RetryCount                 int
@@ -122,6 +124,7 @@ type MetricData struct {
 	OperationName              string
 	PartitionID                string
 	Region                     string
+	UserAgent                  string
 	RequestContentLength       int64
 	Stream                     StreamMetrics
 	Attempts                   []AttemptMetrics
@@ -144,8 +147,6 @@ type AttemptMetrics struct {
 	ConnRequestedTime          time.Time
 	ConnObtainedTime           time.Time
 	ConcurrencyAcquireDuration time.Duration
-	CredentialFetchStartTime   time.Time
-	CredentialFetchEndTime     time.Time
 	SignStartTime              time.Time
 	SignEndTime                time.Time
 	SigningDuration            time.Duration
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
index db7cda42d..ff0bc921f 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"runtime"
+	"sort"
 	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -30,6 +31,7 @@ const (
 	FrameworkMetadata
 	AdditionalMetadata
 	ApplicationIdentifier
+	FeatureMetadata2
 )
 
 func (k SDKAgentKeyType) string() string {
@@ -50,6 +52,8 @@ func (k SDKAgentKeyType) string() string {
 		return "lib"
 	case ApplicationIdentifier:
 		return "app"
+	case FeatureMetadata2:
+		return "m"
 	case AdditionalMetadata:
 		fallthrough
 	default:
@@ -64,9 +68,29 @@ var validChars = map[rune]bool{
 	'-': true, '.': true, '^': true, '_': true, '`': true, '|': true, '~': true,
 }
 
+// UserAgentFeature enumerates tracked SDK features.
+type UserAgentFeature string
+
+// Enumerates UserAgentFeature.
+const (
+	UserAgentFeatureResourceModel          UserAgentFeature = "A" // n/a (we don't generate separate resource types)
+	UserAgentFeatureWaiter                                  = "B"
+	UserAgentFeaturePaginator                               = "C"
+	UserAgentFeatureRetryModeLegacy                         = "D" // n/a (equivalent to standard)
+	UserAgentFeatureRetryModeStandard                       = "E"
+	UserAgentFeatureRetryModeAdaptive                       = "F"
+	UserAgentFeatureS3Transfer                              = "G"
+	UserAgentFeatureS3CryptoV1N                             = "H" // n/a (crypto client is external)
+	UserAgentFeatureS3CryptoV2                              = "I" // n/a
+	UserAgentFeatureS3ExpressBucket                         = "J"
+	UserAgentFeatureS3AccessGrants                          = "K" // not yet implemented
+	UserAgentFeatureGZIPRequestCompression                  = "L"
+)
+
 // RequestUserAgent is a build middleware that set the User-Agent for the request.
 type RequestUserAgent struct {
 	sdkAgent, userAgent *smithyhttp.UserAgentBuilder
+	features            map[UserAgentFeature]struct{}
 }
 
 // NewRequestUserAgent returns a new requestUserAgent which will set the User-Agent and X-Amz-User-Agent for the
@@ -87,6 +111,7 @@ func NewRequestUserAgent() *RequestUserAgent {
 	r := &RequestUserAgent{
 		sdkAgent:  sdkAgent,
 		userAgent: userAgent,
+		features:  map[UserAgentFeature]struct{}{},
 	}
 
 	addSDKMetadata(r)
@@ -191,6 +216,12 @@ func (u *RequestUserAgent) AddUserAgentKeyValue(key, value string) {
 	u.userAgent.AddKeyValue(strings.Map(rules, key), strings.Map(rules, value))
 }
 
+// AddUserAgentFeature adds the feature ID to the tracking list to be emitted
+// in the final User-Agent string.
+func (u *RequestUserAgent) AddUserAgentFeature(feature UserAgentFeature) {
+	u.features[feature] = struct{}{}
+}
+
 // AddSDKAgentKey adds the component identified by name to the User-Agent string.
 func (u *RequestUserAgent) AddSDKAgentKey(keyType SDKAgentKeyType, key string) {
 	// TODO: should target sdkAgent
@@ -227,6 +258,9 @@ func (u *RequestUserAgent) HandleBuild(ctx context.Context, in middleware.BuildI
 func (u *RequestUserAgent) addHTTPUserAgent(request *smithyhttp.Request) {
 	const userAgent = "User-Agent"
 	updateHTTPHeader(request, userAgent, u.userAgent.Build())
+	if len(u.features) > 0 {
+		updateHTTPHeader(request, userAgent, buildFeatureMetrics(u.features))
+	}
 }
 
 func (u *RequestUserAgent) addHTTPSDKAgent(request *smithyhttp.Request) {
@@ -259,3 +293,13 @@ func rules(r rune) rune {
 		return '-'
 	}
 }
+
+func buildFeatureMetrics(features map[UserAgentFeature]struct{}) string {
+	fs := make([]string, 0, len(features))
+	for f := range features {
+		fs = append(fs, string(f))
+	}
+
+	sort.Strings(fs)
+	return fmt.Sprintf("%s/%s", FeatureMetadata2.string(), strings.Join(fs, ","))
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/none.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/none.go
new file mode 100644
index 000000000..8c7836410
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/ratelimit/none.go
@@ -0,0 +1,20 @@
+package ratelimit
+
+import "context"
+
+// None implements a no-op rate limiter which effectively disables client-side
+// rate limiting (also known as "retry quotas").
+//
+// GetToken does nothing and always returns a nil error. The returned
+// token-release function does nothing, and always returns a nil error.
+//
+// AddTokens does nothing and always returns a nil error.
+var None = &none{}
+
+type none struct{}
+
+func (*none) GetToken(ctx context.Context, cost uint) (func() error, error) {
+	return func() error { return nil }, nil
+}
+
+func (*none) AddTokens(v uint) error { return nil }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
index dc703d482..b645fbdf1 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go
@@ -2,12 +2,15 @@ package retry
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
+	internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awsmiddle "github.com/aws/aws-sdk-go-v2/aws/middleware"
 	"github.com/aws/aws-sdk-go-v2/internal/sdk"
@@ -39,6 +42,10 @@ type Attempt struct {
 	requestCloner RequestCloner
 }
 
+// define the threshold at which we will consider certain kind of errors to be probably
+// caused by clock skew
+const skewThreshold = 4 * time.Minute
+
 // NewAttemptMiddleware returns a new Attempt retry middleware.
 func NewAttemptMiddleware(retryer aws.Retryer, requestCloner RequestCloner, optFns ...func(*Attempt)) *Attempt {
 	m := &Attempt{
@@ -86,6 +93,9 @@ func (r *Attempt) HandleFinalize(ctx context.Context, in smithymiddle.FinalizeIn
 			AttemptClockSkew: attemptClockSkew,
 		})
 
+		// Setting clock skew to be used on other context (like signing)
+		ctx = internalcontext.SetAttemptSkewContext(ctx, attemptClockSkew)
+
 		var attemptResult AttemptResult
 		out, attemptResult, releaseRetryToken, err = r.handleAttempt(attemptCtx, attemptInput, releaseRetryToken, next)
 		attemptClockSkew, _ = awsmiddle.GetAttemptSkew(attemptResult.ResponseMetadata)
@@ -185,6 +195,8 @@ func (r *Attempt) handleAttempt(
 		return out, attemptResult, nopRelease, err
 	}
 
+	err = wrapAsClockSkew(ctx, err)
+
 	//------------------------------
 	// Is Retryable and Should Retry
 	//------------------------------
@@ -247,6 +259,37 @@ func (r *Attempt) handleAttempt(
 	return out, attemptResult, releaseRetryToken, err
 }
 
+// errors that, if detected when we know there's a clock skew,
+// can be retried and have a high chance of success
+var possibleSkewCodes = map[string]struct{}{
+	"InvalidSignatureException": {},
+	"SignatureDoesNotMatch":     {},
+	"AuthFailure":               {},
+}
+
+var definiteSkewCodes = map[string]struct{}{
+	"RequestExpired":       {},
+	"RequestInTheFuture":   {},
+	"RequestTimeTooSkewed": {},
+}
+
+// wrapAsClockSkew checks if this error could be related to a clock skew
+// error and if so, wrap the error.
+func wrapAsClockSkew(ctx context.Context, err error) error {
+	var v interface{ ErrorCode() string }
+	if !errors.As(err, &v) {
+		return err
+	}
+	if _, ok := definiteSkewCodes[v.ErrorCode()]; ok {
+		return &retryableClockSkewError{Err: err}
+	}
+	_, isPossibleSkewCode := possibleSkewCodes[v.ErrorCode()]
+	if skew := internalcontext.GetAttemptSkewContext(ctx); skew > skewThreshold && isPossibleSkewCode {
+		return &retryableClockSkewError{Err: err}
+	}
+	return err
+}
+
 // MetricsHeader attaches SDK request metric header for retries to the transport
 type MetricsHeader struct{}
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
index 987affdde..acd8d1cc3 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go
@@ -2,6 +2,7 @@ package retry
 
 import (
 	"errors"
+	"fmt"
 	"net"
 	"net/url"
 	"strings"
@@ -199,3 +200,23 @@ func (r RetryableErrorCode) IsErrorRetryable(err error) aws.Ternary {
 
 	return aws.TrueTernary
 }
+
+// retryableClockSkewError marks errors that can be caused by clock skew
+// (difference between server time and client time).
+// This is returned when there's certain confidence that adjusting the client time
+// could allow a retry to succeed
+type retryableClockSkewError struct{ Err error }
+
+func (e *retryableClockSkewError) Error() string {
+	return fmt.Sprintf("Probable clock skew error: %v", e.Err)
+}
+
+// Unwrap returns the wrapped error.
+func (e *retryableClockSkewError) Unwrap() error {
+	return e.Err
+}
+
+// RetryableError allows the retryer to retry this request
+func (e *retryableClockSkewError) RetryableError() bool {
+	return true
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go
index 25abffc81..d5ea93222 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/retry/standard.go
@@ -123,6 +123,17 @@ type StandardOptions struct {
 
 	// Provides the rate limiting strategy for rate limiting attempt retries
 	// across all attempts the retryer is being used with.
+	//
+	// A RateLimiter operates as a token bucket with a set capacity, where
+	// attempt failures events consume tokens. A retry attempt that attempts to
+	// consume more tokens than what's available results in operation failure.
+	// The default implementation is parameterized as follows:
+	//   - a capacity of 500 (DefaultRetryRateTokens)
+	//   - a retry caused by a timeout costs 10 tokens (DefaultRetryCost)
+	//   - a retry caused by other errors costs 5 tokens (DefaultRetryTimeoutCost)
+	//   - an operation that succeeds on the 1st attempt adds 1 token (DefaultNoRetryIncrement)
+	//
+	// You can disable rate limiting by setting this field to ratelimit.None.
 	RateLimiter RateLimiter
 
 	// The cost to deduct from the RateLimiter's token bucket per retry.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
index ca738f234..71b1a3521 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go
@@ -38,7 +38,6 @@ var RequiredSignedHeaders = Rules{
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key":       struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5":   struct{}{},
-			"X-Amz-Expected-Bucket-Owner":                                 struct{}{},
 			"X-Amz-Grant-Full-control":                                    struct{}{},
 			"X-Amz-Grant-Read":                                            struct{}{},
 			"X-Amz-Grant-Read-Acp":                                        struct{}{},
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go
index febeb0482..a9db6433d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
-	"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
 	v4Internal "github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4"
 	internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
 	"github.com/aws/aws-sdk-go-v2/internal/sdk"
@@ -301,22 +300,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
 		return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")}
 	}
 
-	mctx := metrics.Context(ctx)
-
-	if mctx != nil {
-		if attempt, err := mctx.Data().LatestAttempt(); err == nil {
-			attempt.CredentialFetchStartTime = sdk.NowTime()
-		}
-	}
-
 	credentials, err := s.credentialsProvider.Retrieve(ctx)
-
-	if mctx != nil {
-		if attempt, err := mctx.Data().LatestAttempt(); err == nil {
-			attempt.CredentialFetchEndTime = sdk.NowTime()
-		}
-	}
-
 	if err != nil {
 		return out, metadata, &SigningError{Err: fmt.Errorf("failed to retrieve credentials: %w", err)}
 	}
@@ -337,20 +321,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
 		})
 	}
 
-	if mctx != nil {
-		if attempt, err := mctx.Data().LatestAttempt(); err == nil {
-			attempt.SignStartTime = sdk.NowTime()
-		}
-	}
-
 	err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, signingRegion, sdk.NowTime(), signerOptions...)
-
-	if mctx != nil {
-		if attempt, err := mctx.Data().LatestAttempt(); err == nil {
-			attempt.SignEndTime = sdk.NowTime()
-		}
-	}
-
 	if err != nil {
 		return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)}
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
index bb61904e1..dcd896a9b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go
@@ -1,48 +1,41 @@
-// Package v4 implements signing for AWS V4 signer
+// Package v4 implements the AWS signature version 4 algorithm (commonly known
+// as SigV4).
 //
-// Provides request signing for request that need to be signed with
-// AWS V4 Signatures.
+// For more information about SigV4, see [Signing AWS API requests] in the IAM
+// user guide.
 //
-// # Standalone Signer
+// While this implementation CAN work in an external context, it is developed
+// primarily for SDK use and you may encounter fringe behaviors around header
+// canonicalization.
 //
-// Generally using the signer outside of the SDK should not require any additional
+// # Pre-escaping a request URI
 //
-//	The signer does this by taking advantage of the URL.EscapedPath method. If your request URI requires
+// AWS v4 signature validation requires that the canonical string's URI path
+// component must be the escaped form of the HTTP request's path.
 //
-// additional escaping you many need to use the URL.Opaque to define what the raw URI should be sent
-// to the service as.
+// The Go HTTP client will perform escaping automatically on the HTTP request.
+// This may cause signature validation errors because the request differs from
+// the URI path or query from which the signature was generated.
 //
-// The signer will first check the URL.Opaque field, and use its value if set.
-// The signer does require the URL.Opaque field to be set in the form of:
+// Because of this, we recommend that you explicitly escape the request when
+// using this signer outside of the SDK to prevent possible signature mismatch.
+// This can be done by setting URL.Opaque on the request. The signer will
+// prefer that value, falling back to the return of URL.EscapedPath if unset.
+//
+// When setting URL.Opaque you must do so in the form of:
 //
 //	"//<hostname>/<path>"
 //
 //	// e.g.
 //	"//example.com/some/path"
 //
-// The leading "//" and hostname are required or the URL.Opaque escaping will
-// not work correctly.
+// The leading "//" and hostname are required or the escaping will not work
+// correctly.
 //
-// If URL.Opaque is not set the signer will fallback to the URL.EscapedPath()
-// method and using the returned value.
+// The TestStandaloneSign unit test provides a complete example of using the
+// signer outside of the SDK and pre-escaping the URI path.
 //
-// AWS v4 signature validation requires that the canonical string's URI path
-// element must be the URI escaped form of the HTTP request's path.
-// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
-//
-// The Go HTTP client will perform escaping automatically on the request. Some
-// of these escaping may cause signature validation errors because the HTTP
-// request differs from the URI path or query that the signature was generated.
-// https://golang.org/pkg/net/url/#URL.EscapedPath
-//
-// Because of this, it is recommended that when using the signer outside of the
-// SDK that explicitly escaping the request prior to being signed is preferable,
-// and will help prevent signature validation errors. This can be done by setting
-// the URL.Opaque or URL.RawPath. The SDK will use URL.Opaque first and then
-// call URL.EscapedPath() if Opaque is not set.
-//
-// Test `TestStandaloneSign` provides a complete example of using the signer
-// outside of the SDK and pre-escaping the URI path.
+// [Signing AWS API requests]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
 package v4
 
 import (
@@ -402,6 +395,12 @@ func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header)
 	query := url.Values{}
 	unsignedHeaders := http.Header{}
 	for k, h := range header {
+		// literally just this header has this constraint for some stupid reason,
+		// see #2508
+		if k == "X-Amz-Expected-Bucket-Owner" {
+			k = "x-amz-expected-bucket-owner"
+		}
+
 		if r.IsValid(k) {
 			query[k] = h
 		} else {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go
index 0c5a2d40c..24db8e144 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/auth/smithy/v4signer_adapter.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
 	"github.com/aws/aws-sdk-go-v2/internal/sdk"
 	"github.com/aws/smithy-go"
 	"github.com/aws/smithy-go/auth"
@@ -39,7 +40,10 @@ func (v *V4SignerAdapter) SignRequest(ctx context.Context, r *smithyhttp.Request
 	}
 
 	hash := v4.GetPayloadHash(ctx)
-	err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, sdk.NowTime(), func(o *v4.SignerOptions) {
+	signingTime := sdk.NowTime()
+	skew := internalcontext.GetAttemptSkewContext(ctx)
+	signingTime = signingTime.Add(skew)
+	err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, signingTime, func(o *v4.SignerOptions) {
 		o.DisableURIPathEscaping, _ = smithyhttp.GetDisableDoubleEncoding(&props)
 
 		o.Logger = v.Logger
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
index b62d57cb5..2d5e63007 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md
@@ -1,3 +1,43 @@
+# v1.3.12 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.11 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.10 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.9 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.8 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.7 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.6 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.5 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.4 (2024-03-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.3.3 (2024-03-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.3.2 (2024-02-23)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
index a99e10d8a..1c96ca6de 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go
@@ -3,4 +3,4 @@
 package configsources
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.3.2"
+const goModuleVersion = "1.3.12"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go
new file mode 100644
index 000000000..f0c283d39
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/context/context.go
@@ -0,0 +1,52 @@
+package context
+
+import (
+	"context"
+	"time"
+
+	"github.com/aws/smithy-go/middleware"
+)
+
+type s3BackendKey struct{}
+type checksumInputAlgorithmKey struct{}
+type clockSkew struct{}
+
+const (
+	// S3BackendS3Express identifies the S3Express backend
+	S3BackendS3Express = "S3Express"
+)
+
+// SetS3Backend stores the resolved endpoint backend within the request
+// context, which is required for a variety of custom S3 behaviors.
+func SetS3Backend(ctx context.Context, typ string) context.Context {
+	return middleware.WithStackValue(ctx, s3BackendKey{}, typ)
+}
+
+// GetS3Backend retrieves the stored endpoint backend within the context.
+func GetS3Backend(ctx context.Context) string {
+	v, _ := middleware.GetStackValue(ctx, s3BackendKey{}).(string)
+	return v
+}
+
+// SetChecksumInputAlgorithm sets the request checksum algorithm on the
+// context.
+func SetChecksumInputAlgorithm(ctx context.Context, value string) context.Context {
+	return middleware.WithStackValue(ctx, checksumInputAlgorithmKey{}, value)
+}
+
+// GetChecksumInputAlgorithm returns the checksum algorithm from the context.
+func GetChecksumInputAlgorithm(ctx context.Context) string {
+	v, _ := middleware.GetStackValue(ctx, checksumInputAlgorithmKey{}).(string)
+	return v
+}
+
+// SetAttemptSkewContext sets the clock skew value on the context
+func SetAttemptSkewContext(ctx context.Context, v time.Duration) context.Context {
+	return middleware.WithStackValue(ctx, clockSkew{}, v)
+}
+
+// GetAttemptSkewContext gets the clock skew value from the context
+func GetAttemptSkewContext(ctx context.Context) time.Duration {
+	x, _ := middleware.GetStackValue(ctx, clockSkew{}).(time.Duration)
+	return x
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go
index ba6032758..91414afe8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partition.go
@@ -12,11 +12,12 @@ type Partition struct {
 
 // PartitionConfig provides the endpoint metadata for an AWS region or partition.
 type PartitionConfig struct {
-	Name               string `json:"name"`
-	DnsSuffix          string `json:"dnsSuffix"`
-	DualStackDnsSuffix string `json:"dualStackDnsSuffix"`
-	SupportsFIPS       bool   `json:"supportsFIPS"`
-	SupportsDualStack  bool   `json:"supportsDualStack"`
+	Name                 string `json:"name"`
+	DnsSuffix            string `json:"dnsSuffix"`
+	DualStackDnsSuffix   string `json:"dualStackDnsSuffix"`
+	SupportsFIPS         bool   `json:"supportsFIPS"`
+	SupportsDualStack    bool   `json:"supportsDualStack"`
+	ImplicitGlobalRegion string `json:"implicitGlobalRegion"`
 }
 
 type RegionOverrides struct {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go
index 849beffd7..5f0779997 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.go
@@ -13,11 +13,12 @@ var partitions = []Partition{
 		ID:          "aws",
 		RegionRegex: "^(us|eu|ap|sa|ca|me|af|il)\\-\\w+\\-\\d+$",
 		DefaultConfig: PartitionConfig{
-			Name:               "aws",
-			DnsSuffix:          "amazonaws.com",
-			DualStackDnsSuffix: "api.aws",
-			SupportsFIPS:       true,
-			SupportsDualStack:  true,
+			Name:                 "aws",
+			DnsSuffix:            "amazonaws.com",
+			DualStackDnsSuffix:   "api.aws",
+			SupportsFIPS:         true,
+			SupportsDualStack:    true,
+			ImplicitGlobalRegion: "us-east-1",
 		},
 		Regions: map[string]RegionOverrides{
 			"af-south-1": {
@@ -111,6 +112,13 @@ var partitions = []Partition{
 				SupportsFIPS:       nil,
 				SupportsDualStack:  nil,
 			},
+			"ca-west-1": {
+				Name:               nil,
+				DnsSuffix:          nil,
+				DualStackDnsSuffix: nil,
+				SupportsFIPS:       nil,
+				SupportsDualStack:  nil,
+			},
 			"eu-central-1": {
 				Name:               nil,
 				DnsSuffix:          nil,
@@ -229,11 +237,12 @@ var partitions = []Partition{
 		ID:          "aws-cn",
 		RegionRegex: "^cn\\-\\w+\\-\\d+$",
 		DefaultConfig: PartitionConfig{
-			Name:               "aws-cn",
-			DnsSuffix:          "amazonaws.com.cn",
-			DualStackDnsSuffix: "api.amazonwebservices.com.cn",
-			SupportsFIPS:       true,
-			SupportsDualStack:  true,
+			Name:                 "aws-cn",
+			DnsSuffix:            "amazonaws.com.cn",
+			DualStackDnsSuffix:   "api.amazonwebservices.com.cn",
+			SupportsFIPS:         true,
+			SupportsDualStack:    true,
+			ImplicitGlobalRegion: "cn-northwest-1",
 		},
 		Regions: map[string]RegionOverrides{
 			"aws-cn-global": {
@@ -263,11 +272,12 @@ var partitions = []Partition{
 		ID:          "aws-us-gov",
 		RegionRegex: "^us\\-gov\\-\\w+\\-\\d+$",
 		DefaultConfig: PartitionConfig{
-			Name:               "aws-us-gov",
-			DnsSuffix:          "amazonaws.com",
-			DualStackDnsSuffix: "api.aws",
-			SupportsFIPS:       true,
-			SupportsDualStack:  true,
+			Name:                 "aws-us-gov",
+			DnsSuffix:            "amazonaws.com",
+			DualStackDnsSuffix:   "api.aws",
+			SupportsFIPS:         true,
+			SupportsDualStack:    true,
+			ImplicitGlobalRegion: "us-gov-west-1",
 		},
 		Regions: map[string]RegionOverrides{
 			"aws-us-gov-global": {
@@ -297,11 +307,12 @@ var partitions = []Partition{
 		ID:          "aws-iso",
 		RegionRegex: "^us\\-iso\\-\\w+\\-\\d+$",
 		DefaultConfig: PartitionConfig{
-			Name:               "aws-iso",
-			DnsSuffix:          "c2s.ic.gov",
-			DualStackDnsSuffix: "c2s.ic.gov",
-			SupportsFIPS:       true,
-			SupportsDualStack:  false,
+			Name:                 "aws-iso",
+			DnsSuffix:            "c2s.ic.gov",
+			DualStackDnsSuffix:   "c2s.ic.gov",
+			SupportsFIPS:         true,
+			SupportsDualStack:    false,
+			ImplicitGlobalRegion: "us-iso-east-1",
 		},
 		Regions: map[string]RegionOverrides{
 			"aws-iso-global": {
@@ -331,11 +342,12 @@ var partitions = []Partition{
 		ID:          "aws-iso-b",
 		RegionRegex: "^us\\-isob\\-\\w+\\-\\d+$",
 		DefaultConfig: PartitionConfig{
-			Name:               "aws-iso-b",
-			DnsSuffix:          "sc2s.sgov.gov",
-			DualStackDnsSuffix: "sc2s.sgov.gov",
-			SupportsFIPS:       true,
-			SupportsDualStack:  false,
+			Name:                 "aws-iso-b",
+			DnsSuffix:            "sc2s.sgov.gov",
+			DualStackDnsSuffix:   "sc2s.sgov.gov",
+			SupportsFIPS:         true,
+			SupportsDualStack:    false,
+			ImplicitGlobalRegion: "us-isob-east-1",
 		},
 		Regions: map[string]RegionOverrides{
 			"aws-iso-b-global": {
@@ -358,23 +370,33 @@ var partitions = []Partition{
 		ID:          "aws-iso-e",
 		RegionRegex: "^eu\\-isoe\\-\\w+\\-\\d+$",
 		DefaultConfig: PartitionConfig{
-			Name:               "aws-iso-e",
-			DnsSuffix:          "cloud.adc-e.uk",
-			DualStackDnsSuffix: "cloud.adc-e.uk",
-			SupportsFIPS:       true,
-			SupportsDualStack:  false,
+			Name:                 "aws-iso-e",
+			DnsSuffix:            "cloud.adc-e.uk",
+			DualStackDnsSuffix:   "cloud.adc-e.uk",
+			SupportsFIPS:         true,
+			SupportsDualStack:    false,
+			ImplicitGlobalRegion: "eu-isoe-west-1",
+		},
+		Regions: map[string]RegionOverrides{
+			"eu-isoe-west-1": {
+				Name:               nil,
+				DnsSuffix:          nil,
+				DualStackDnsSuffix: nil,
+				SupportsFIPS:       nil,
+				SupportsDualStack:  nil,
+			},
 		},
-		Regions: map[string]RegionOverrides{},
 	},
 	{
 		ID:          "aws-iso-f",
 		RegionRegex: "^us\\-isof\\-\\w+\\-\\d+$",
 		DefaultConfig: PartitionConfig{
-			Name:               "aws-iso-f",
-			DnsSuffix:          "csp.hci.ic.gov",
-			DualStackDnsSuffix: "csp.hci.ic.gov",
-			SupportsFIPS:       true,
-			SupportsDualStack:  false,
+			Name:                 "aws-iso-f",
+			DnsSuffix:            "csp.hci.ic.gov",
+			DualStackDnsSuffix:   "csp.hci.ic.gov",
+			SupportsFIPS:         true,
+			SupportsDualStack:    false,
+			ImplicitGlobalRegion: "us-isof-south-1",
 		},
 		Regions: map[string]RegionOverrides{},
 	},
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
index f376f6908..7a28569c3 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn/partitions.json
@@ -198,7 +198,11 @@
       "supportsFIPS" : true
     },
     "regionRegex" : "^eu\\-isoe\\-\\w+\\-\\d+$",
-    "regions" : { }
+    "regions" : {
+      "eu-isoe-west-1" : {
+        "description" : "EU ISOE West"
+      }
+    }
   }, {
     "id" : "aws-iso-f",
     "outputs" : {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
index b95cd39f4..c0db4db58 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md
@@ -1,3 +1,44 @@
+# v2.6.12 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.11 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.10 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.9 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.8 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.7 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.6 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.5 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.4 (2024-03-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v2.6.3 (2024-03-07)
+
+* **Bug Fix**: Remove dependency on go-cmp.
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v2.6.2 (2024-02-23)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
index 833b91157..7be8b1ae8 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go
@@ -3,4 +3,4 @@
 package endpoints
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "2.6.2"
+const goModuleVersion = "2.6.12"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go b/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go
new file mode 100644
index 000000000..8e24a3f0a
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go-v2/internal/middleware/middleware.go
@@ -0,0 +1,42 @@
+package middleware
+
+import (
+	"context"
+	"sync/atomic"
+	"time"
+
+	internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
+	"github.com/aws/smithy-go/middleware"
+)
+
+// AddTimeOffsetMiddleware sets a value representing clock skew on the request context.
+// This can be read by other operations (such as signing) to correct the date value they send
+// on the request
+type AddTimeOffsetMiddleware struct {
+	Offset *atomic.Int64
+}
+
+// ID the identifier for AddTimeOffsetMiddleware
+func (m *AddTimeOffsetMiddleware) ID() string { return "AddTimeOffsetMiddleware" }
+
+// HandleBuild sets a value for attemptSkew on the request context if one is set on the client.
+func (m AddTimeOffsetMiddleware) HandleBuild(ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler) (
+	out middleware.BuildOutput, metadata middleware.Metadata, err error,
+) {
+	if m.Offset != nil {
+		offset := time.Duration(m.Offset.Load())
+		ctx = internalcontext.SetAttemptSkewContext(ctx, offset)
+	}
+	return next.HandleBuild(ctx, in)
+}
+
+// HandleDeserialize gets the clock skew context from the context, and if set, sets it on the pointer
+// held by AddTimeOffsetMiddleware
+func (m *AddTimeOffsetMiddleware) HandleDeserialize(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) (
+	out middleware.DeserializeOutput, metadata middleware.Metadata, err error,
+) {
+	if v := internalcontext.GetAttemptSkewContext(ctx); v != 0 {
+		m.Offset.Store(v.Nanoseconds())
+	}
+	return next.HandleDeserialize(ctx, in)
+}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
index cac6f926e..9cf6cf22b 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/CHANGELOG.md
@@ -1,3 +1,7 @@
+# v1.11.2 (2024-03-29)
+
+* No change notes available for this release.
+
 # v1.11.1 (2024-02-21)
 
 * No change notes available for this release.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
index c5ae0f873..6339b5419 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding/go_module_metadata.go
@@ -3,4 +3,4 @@
 package acceptencoding
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.11.1"
+const goModuleVersion = "1.11.2"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
index 38b0de284..b29f09399 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md
@@ -1,3 +1,52 @@
+# v1.11.14 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.13 (2024-06-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.12 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.11 (2024-06-07)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.10 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.9 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.8 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.7 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.6 (2024-03-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.5 (2024-03-07)
+
+* **Bug Fix**: Remove dependency on go-cmp.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.11.4 (2024-03-05)
+
+* **Bug Fix**: Restore typo'd API `AddAsIsInternalPresigingMiddleware` as an alias for backwards compatibility.
+
+# v1.11.3 (2024-03-04)
+
+* **Bug Fix**: Correct a typo in internal AddAsIsPresigningMiddleware API.
+
 # v1.11.2 (2024-02-23)
 
 * **Dependency Update**: Updated to the latest SDK module versions
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/context.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/context.go
index cc919701a..5d5286f92 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/context.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/context.go
@@ -27,13 +27,21 @@ func GetIsPresigning(ctx context.Context) bool {
 
 type isPresigningKey struct{}
 
-// AddAsIsPresigingMiddleware adds a middleware to the head of the stack that
+// AddAsIsPresigningMiddleware adds a middleware to the head of the stack that
 // will update the stack's context to be flagged as being invoked for the
 // purpose of presigning.
-func AddAsIsPresigingMiddleware(stack *middleware.Stack) error {
+func AddAsIsPresigningMiddleware(stack *middleware.Stack) error {
 	return stack.Initialize.Add(asIsPresigningMiddleware{}, middleware.Before)
 }
 
+// AddAsIsPresigingMiddleware is an alias for backwards compatibility.
+//
+// Deprecated: This API was released with a typo. Use
+// [AddAsIsPresigningMiddleware] instead.
+func AddAsIsPresigingMiddleware(stack *middleware.Stack) error {
+	return AddAsIsPresigningMiddleware(stack)
+}
+
 type asIsPresigningMiddleware struct{}
 
 func (asIsPresigningMiddleware) ID() string { return "AsIsPresigningMiddleware" }
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
index 0af263c5e..f31114ec2 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go
@@ -3,4 +3,4 @@
 package presignedurl
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.11.2"
+const goModuleVersion = "1.11.14"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
index 0f4845a52..8c9717a56 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md
@@ -1,3 +1,63 @@
+# v1.29.1 (2024-06-19)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.29.0 (2024-06-18)
+
+* **Feature**: Track usage of various AWS SDK features in user-agent string.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.13 (2024-06-17)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.12 (2024-06-07)
+
+* **Bug Fix**: Add clock skew correction on all service clients
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.11 (2024-06-03)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.10 (2024-05-23)
+
+* No change notes available for this release.
+
+# v1.28.9 (2024-05-16)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.8 (2024-05-15)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.7 (2024-05-08)
+
+* **Bug Fix**: GoDoc improvement
+
+# v1.28.6 (2024-03-29)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.5 (2024-03-18)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.4 (2024-03-07)
+
+* **Bug Fix**: Remove dependency on go-cmp.
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.3 (2024-03-05)
+
+* **Dependency Update**: Updated to the latest SDK module versions
+
+# v1.28.2 (2024-03-04)
+
+* **Bug Fix**: Update internal/presigned-url dependency for corrected API name.
+* **Dependency Update**: Updated to the latest SDK module versions
+
 # v1.28.1 (2024-02-23)
 
 * **Bug Fix**: Move all common, SDK-side middleware stack ops into the service client module to prevent cross-module compatibility issues in the future.
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
index 8b38a505c..acd2b8e7a 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_client.go
@@ -15,15 +15,18 @@ import (
 	internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
 	internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
 	internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources"
+	internalmiddleware "github.com/aws/aws-sdk-go-v2/internal/middleware"
 	acceptencodingcust "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding"
 	presignedurlcust "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url"
 	smithy "github.com/aws/smithy-go"
+	smithyauth "github.com/aws/smithy-go/auth"
 	smithydocument "github.com/aws/smithy-go/document"
 	"github.com/aws/smithy-go/logging"
 	"github.com/aws/smithy-go/middleware"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"net"
 	"net/http"
+	"sync/atomic"
 	"time"
 )
 
@@ -34,6 +37,9 @@ const ServiceAPIVersion = "2011-06-15"
 // Service.
 type Client struct {
 	options Options
+
+	// Difference between the time reported by the server and the client
+	timeOffset *atomic.Int64
 }
 
 // New returns an initialized Client based on the functional options. Provide
@@ -72,6 +78,8 @@ func New(options Options, optFns ...func(*Options)) *Client {
 		options: options,
 	}
 
+	initializeTimeOffsetResolver(client)
+
 	return client
 }
 
@@ -233,15 +241,16 @@ func setResolvedDefaultsMode(o *Options) {
 // NewFromConfig returns a new client from the provided config.
 func NewFromConfig(cfg aws.Config, optFns ...func(*Options)) *Client {
 	opts := Options{
-		Region:             cfg.Region,
-		DefaultsMode:       cfg.DefaultsMode,
-		RuntimeEnvironment: cfg.RuntimeEnvironment,
-		HTTPClient:         cfg.HTTPClient,
-		Credentials:        cfg.Credentials,
-		APIOptions:         cfg.APIOptions,
-		Logger:             cfg.Logger,
-		ClientLogMode:      cfg.ClientLogMode,
-		AppID:              cfg.AppID,
+		Region:                cfg.Region,
+		DefaultsMode:          cfg.DefaultsMode,
+		RuntimeEnvironment:    cfg.RuntimeEnvironment,
+		HTTPClient:            cfg.HTTPClient,
+		Credentials:           cfg.Credentials,
+		APIOptions:            cfg.APIOptions,
+		Logger:                cfg.Logger,
+		ClientLogMode:         cfg.ClientLogMode,
+		AppID:                 cfg.AppID,
+		AccountIDEndpointMode: cfg.AccountIDEndpointMode,
 	}
 	resolveAWSRetryerProvider(cfg, &opts)
 	resolveAWSRetryMaxAttempts(cfg, &opts)
@@ -445,6 +454,30 @@ func addContentSHA256Header(stack *middleware.Stack) error {
 	return stack.Finalize.Insert(&v4.ContentSHA256Header{}, (*v4.ComputePayloadSHA256)(nil).ID(), middleware.After)
 }
 
+func addIsWaiterUserAgent(o *Options) {
+	o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+		ua, err := getOrAddRequestUserAgent(stack)
+		if err != nil {
+			return err
+		}
+
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureWaiter)
+		return nil
+	})
+}
+
+func addIsPaginatorUserAgent(o *Options) {
+	o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
+		ua, err := getOrAddRequestUserAgent(stack)
+		if err != nil {
+			return err
+		}
+
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeaturePaginator)
+		return nil
+	})
+}
+
 func addRetry(stack *middleware.Stack, o Options) error {
 	attempt := retry.NewAttemptMiddleware(o.Retryer, smithyhttp.RequestCloner, func(m *retry.Attempt) {
 		m.LogAttempts = o.ClientLogMode.IsRetries()
@@ -488,6 +521,63 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
 	return nil
 }
 
+func resolveAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) *string {
+	if mode == aws.AccountIDEndpointModeDisabled {
+		return nil
+	}
+
+	if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); ok && ca.Credentials.AccountID != "" {
+		return aws.String(ca.Credentials.AccountID)
+	}
+
+	return nil
+}
+
+func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
+	mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
+	if err := stack.Build.Add(&mw, middleware.After); err != nil {
+		return err
+	}
+	return stack.Deserialize.Insert(&mw, "RecordResponseTiming", middleware.Before)
+}
+func initializeTimeOffsetResolver(c *Client) {
+	c.timeOffset = new(atomic.Int64)
+}
+
+func checkAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) error {
+	switch mode {
+	case aws.AccountIDEndpointModeUnset:
+	case aws.AccountIDEndpointModePreferred:
+	case aws.AccountIDEndpointModeDisabled:
+	case aws.AccountIDEndpointModeRequired:
+		if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); !ok {
+			return fmt.Errorf("accountID is required but not set")
+		} else if ca.Credentials.AccountID == "" {
+			return fmt.Errorf("accountID is required but not set")
+		}
+	// default check in case invalid mode is configured through request config
+	default:
+		return fmt.Errorf("invalid accountID endpoint mode %s, must be preferred/required/disabled", mode)
+	}
+
+	return nil
+}
+
+func addUserAgentRetryMode(stack *middleware.Stack, options Options) error {
+	ua, err := getOrAddRequestUserAgent(stack)
+	if err != nil {
+		return err
+	}
+
+	switch options.Retryer.(type) {
+	case *retry.Standard:
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeStandard)
+	case *retry.AdaptiveMode:
+		ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeAdaptive)
+	}
+	return nil
+}
+
 func addRecursionDetection(stack *middleware.Stack) error {
 	return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
 }
@@ -643,7 +733,7 @@ func (c presignConverter) convertToPresignMiddleware(stack *middleware.Stack, op
 	if err != nil {
 		return err
 	}
-	err = presignedurlcust.AddAsIsPresigingMiddleware(stack)
+	err = presignedurlcust.AddAsIsPresigningMiddleware(stack)
 	if err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
index e0e2c9c2e..e74fc8ba9 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go
@@ -16,69 +16,99 @@ import (
 // Amazon Web Services resources. These temporary credentials consist of an access
 // key ID, a secret access key, and a security token. Typically, you use AssumeRole
 // within your account or for cross-account access. For a comparison of AssumeRole
-// with other API operations that produce temporary credentials, see Requesting
-// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. Permissions The temporary security credentials created by
-// AssumeRole can be used to make API calls to any Amazon Web Services service
-// with the following exception: You cannot call the Amazon Web Services STS
-// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
-// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
-// Passing policies to this operation returns new temporary credentials. The
-// resulting session's permissions are the intersection of the role's
-// identity-based policy and the session policies. You can use the role's temporary
-// credentials in subsequent Amazon Web Services API calls to access resources in
-// the account that owns the role. You cannot use session policies to grant more
-// permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. When you create a role, you create two policies: a role
-// trust policy that specifies who can assume the role, and a permissions policy
-// that specifies what can be done with the role. You specify the trusted principal
-// that is allowed to assume the role in the role trust policy. To assume a role
-// from a different account, your Amazon Web Services account must be trusted by
-// the role. The trust relationship is defined in the role's trust policy when the
-// role is created. That trust policy states which accounts are allowed to delegate
-// that access to users in the account. A user who wants to access a role in a
-// different account must also have permissions that are delegated from the account
-// administrator. The administrator must attach a policy that allows the user to
-// call AssumeRole for the ARN of the role in the other account. To allow a user
-// to assume a role in the same account, you can do either of the following:
+// with other API operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the
+// IAM User Guide.
+//
+// # Permissions
+//
+// The temporary security credentials created by AssumeRole can be used to make
+// API calls to any Amazon Web Services service with the following exception: You
+// cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken
+// API operations.
+//
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
+// single JSON policy document to use as an inline session policy. You can also
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
+// session policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters. Passing policies to this operation
+// returns new temporary credentials. The resulting session's permissions are the
+// intersection of the role's identity-based policy and the session policies. You
+// can use the role's temporary credentials in subsequent Amazon Web Services API
+// calls to access resources in the account that owns the role. You cannot use
+// session policies to grant more permissions than those allowed by the
+// identity-based policy of the role that is being assumed. For more information,
+// see [Session Policies]in the IAM User Guide.
+//
+// When you create a role, you create two policies: a role trust policy that
+// specifies who can assume the role, and a permissions policy that specifies what
+// can be done with the role. You specify the trusted principal that is allowed to
+// assume the role in the role trust policy.
+//
+// To assume a role from a different account, your Amazon Web Services account
+// must be trusted by the role. The trust relationship is defined in the role's
+// trust policy when the role is created. That trust policy states which accounts
+// are allowed to delegate that access to users in the account.
+//
+// A user who wants to access a role in a different account must also have
+// permissions that are delegated from the account administrator. The administrator
+// must attach a policy that allows the user to call AssumeRole for the ARN of the
+// role in the other account.
+//
+// To allow a user to assume a role in the same account, you can do either of the
+// following:
+//
 //   - Attach a policy to the user that allows the user to call AssumeRole (as long
 //     as the role's trust policy trusts the account).
+//
 //   - Add the user as a principal directly in the role's trust policy.
 //
 // You can do either because the role’s trust policy acts as an IAM resource-based
 // policy. When a resource-based policy grants access to a principal in the same
 // account, no additional identity-based policy is required. For more information
-// about trust policies and resource-based policies, see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
-// in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
-// session. These tags are called session tags. For more information about session
-// tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. An administrator must grant you the permissions necessary
-// to pass session tags. The administrator can also create granular permissions to
-// allow you to pass only specific session tags. For more information, see
-// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include
-// multi-factor authentication (MFA) information when you call AssumeRole . This is
-// useful for cross-account scenarios to ensure that the user that assumes the role
-// has been authenticated with an Amazon Web Services MFA device. In that scenario,
-// the trust policy of the role being assumed includes a condition that tests for
-// MFA authentication. If the caller does not include valid MFA information, the
-// request to assume the role is denied. The condition in a trust policy that tests
-// for MFA authentication might look like the following example. "Condition":
-// {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see
-// Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
-// in the IAM User Guide guide. To use MFA with AssumeRole , you pass values for
-// the SerialNumber and TokenCode parameters. The SerialNumber value identifies
-// the user's hardware or virtual MFA device. The TokenCode is the time-based
-// one-time password (TOTP) that the MFA device produces.
+// about trust policies and resource-based policies, see [IAM Policies]in the IAM User Guide.
+//
+// # Tags
+//
+// (Optional) You can pass tag key-value pairs to your session. These tags are
+// called session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM
+// User Guide.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// You can set the session tags as transitive. Transitive tags persist during role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # Using MFA with AssumeRole
+//
+// (Optional) You can include multi-factor authentication (MFA) information when
+// you call AssumeRole . This is useful for cross-account scenarios to ensure that
+// the user that assumes the role has been authenticated with an Amazon Web
+// Services MFA device. In that scenario, the trust policy of the role being
+// assumed includes a condition that tests for MFA authentication. If the caller
+// does not include valid MFA information, the request to assume the role is
+// denied. The condition in a trust policy that tests for MFA authentication might
+// look like the following example.
+//
+//	"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
+//
+// For more information, see [Configuring MFA-Protected API Access] in the IAM User Guide guide.
+//
+// To use MFA with AssumeRole , you pass values for the SerialNumber and TokenCode
+// parameters. The SerialNumber value identifies the user's hardware or virtual
+// MFA device. The TokenCode is the time-based one-time password (TOTP) that the
+// MFA device produces.
+//
+// [Configuring MFA-Protected API Access]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [IAM Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
 func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
 	if params == nil {
 		params = &AssumeRoleInput{}
@@ -101,17 +131,19 @@ type AssumeRoleInput struct {
 	// This member is required.
 	RoleArn *string
 
-	// An identifier for the assumed role session. Use the role session name to
-	// uniquely identify a session when the same role is assumed by different
-	// principals or for different reasons. In cross-account scenarios, the role
-	// session name is visible to, and can be logged by the account that owns the role.
-	// The role session name is also used in the ARN of the assumed role principal.
-	// This means that subsequent cross-account API requests that use the temporary
-	// security credentials will expose the role session name to the external account
-	// in their CloudTrail logs. The regex used to validate this parameter is a string
-	// of characters consisting of upper- and lower-case alphanumeric characters with
-	// no spaces. You can also include underscores or any of the following characters:
-	// =,.@-
+	// An identifier for the assumed role session.
+	//
+	// Use the role session name to uniquely identify a session when the same role is
+	// assumed by different principals or for different reasons. In cross-account
+	// scenarios, the role session name is visible to, and can be logged by the account
+	// that owns the role. The role session name is also used in the ARN of the assumed
+	// role principal. This means that subsequent cross-account API requests that use
+	// the temporary security credentials will expose the role session name to the
+	// external account in their CloudTrail logs.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
 	//
 	// This member is required.
 	RoleSessionName *string
@@ -122,23 +154,27 @@ type AssumeRoleInput struct {
 	// hours. If you specify a value higher than this setting or the administrator
 	// setting (whichever is lower), the operation fails. For example, if you specify a
 	// session duration of 12 hours, but your administrator set the maximum session
-	// duration to 6 hours, your operation fails. Role chaining limits your Amazon Web
-	// Services CLI or Amazon Web Services API role session to a maximum of one hour.
-	// When you use the AssumeRole API operation to assume a role, you can specify the
-	// duration of your role session with the DurationSeconds parameter. You can
-	// specify a parameter value of up to 43200 seconds (12 hours), depending on the
-	// maximum session duration setting for your role. However, if you assume a role
-	// using role chaining and provide a DurationSeconds parameter value greater than
-	// one hour, the operation fails. To learn how to view the maximum value for your
-	// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-	// in the IAM User Guide. By default, the value is set to 3600 seconds. The
-	// DurationSeconds parameter is separate from the duration of a console session
-	// that you might request using the returned credentials. The request to the
-	// federation endpoint for a console sign-in token takes a SessionDuration
+	// duration to 6 hours, your operation fails.
+	//
+	// Role chaining limits your Amazon Web Services CLI or Amazon Web Services API
+	// role session to a maximum of one hour. When you use the AssumeRole API
+	// operation to assume a role, you can specify the duration of your role session
+	// with the DurationSeconds parameter. You can specify a parameter value of up to
+	// 43200 seconds (12 hours), depending on the maximum session duration setting for
+	// your role. However, if you assume a role using role chaining and provide a
+	// DurationSeconds parameter value greater than one hour, the operation fails. To
+	// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+	//
+	// By default, the value is set to 3600 seconds.
+	//
+	// The DurationSeconds parameter is separate from the duration of a console
+	// session that you might request using the returned credentials. The request to
+	// the federation endpoint for a console sign-in token takes a SessionDuration
 	// parameter that specifies the maximum length of the console session. For more
-	// information, see Creating a URL that Enables Federated Users to Access the
-	// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
-	// in the IAM User Guide.
+	// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
+	//
+	// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+	// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
 	DurationSeconds *int32
 
 	// A unique identifier that might be required when you assume a role in another
@@ -149,63 +185,79 @@ type AssumeRoleInput struct {
 	// the administrator of the trusting account might send an external ID to the
 	// administrator of the trusted account. That way, only someone with the ID can
 	// assume the role, rather than everyone in the account. For more information about
-	// the external ID, see How to Use an External ID When Granting Access to Your
-	// Amazon Web Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
-	// characters consisting of upper- and lower-case alphanumeric characters with no
-	// spaces. You can also include underscores or any of the following characters:
-	// =,.@:/-
+	// the external ID, see [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]in the IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@:/-
+	//
+	// [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
 	ExternalId *string
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.
+	//
 	// This parameter is optional. Passing policies to this operation returns new
 	// temporary credentials. The resulting session's permissions are the intersection
 	// of the role's identity-based policy and the session policies. You can use the
 	// role's temporary credentials in subsequent Amazon Web Services API calls to
 	// access resources in the account that owns the role. You cannot use session
 	// policies to grant more permissions than those allowed by the identity-based
-	// policy of the role that is being assumed. For more information, see Session
-	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// in the IAM User Guide. The plaintext that you use for both inline and managed
-	// session policies can't exceed 2,048 characters. The JSON policy characters can
-	// be any ASCII character from the space character to the end of the valid
-	// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
-	// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
-	// Services conversion compresses the passed inline session policy, managed policy
-	// ARNs, and session tags into a packed binary format that has a separate limit.
-	// Your request can fail for this limit even if your plaintext meets the other
-	// requirements. The PackedPolicySize response element indicates by percentage how
-	// close the policies and tags for your request are to the upper size limit.
+	// policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
+	// User Guide.
+	//
+	// The plaintext that you use for both inline and managed session policies can't
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
+	// from the space character to the end of the valid character list (\u0020 through
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+	// return (\u000D) characters.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 	Policy *string
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
 	// use as managed session policies. The policies must exist in the same account as
-	// the role. This parameter is optional. You can provide up to 10 managed policy
-	// ARNs. However, the plaintext that you use for both inline and managed session
-	// policies can't exceed 2,048 characters. For more information about ARNs, see
-	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// in the Amazon Web Services General Reference. An Amazon Web Services conversion
-	// compresses the passed inline session policy, managed policy ARNs, and session
-	// tags into a packed binary format that has a separate limit. Your request can
-	// fail for this limit even if your plaintext meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit. Passing policies to this
-	// operation returns new temporary credentials. The resulting session's permissions
-	// are the intersection of the role's identity-based policy and the session
-	// policies. You can use the role's temporary credentials in subsequent Amazon Web
-	// Services API calls to access resources in the account that owns the role. You
-	// cannot use session policies to grant more permissions than those allowed by the
-	// identity-based policy of the role that is being assumed. For more information,
-	// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// in the IAM User Guide.
+	// the role.
+	//
+	// This parameter is optional. You can provide up to 10 managed policy ARNs.
+	// However, the plaintext that you use for both inline and managed session policies
+	// can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
+	// Amazon Web Services General Reference.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// Passing policies to this operation returns new temporary credentials. The
+	// resulting session's permissions are the intersection of the role's
+	// identity-based policy and the session policies. You can use the role's temporary
+	// credentials in subsequent Amazon Web Services API calls to access resources in
+	// the account that owns the role. You cannot use session policies to grant more
+	// permissions than those allowed by the identity-based policy of the role that is
+	// being assumed. For more information, see [Session Policies]in the IAM User Guide.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	PolicyArns []types.PolicyDescriptorType
 
 	// A list of previously acquired trusted context assertions in the format of a
 	// JSON array. The trusted context assertion is signed and encrypted by Amazon Web
-	// Services STS. The following is an example of a ProvidedContext value that
-	// includes a single trusted context assertion and the ARN of the context provider
-	// from which the trusted context assertion was generated.
-	// [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
+	// Services STS.
+	//
+	// The following is an example of a ProvidedContext value that includes a single
+	// trusted context assertion and the ARN of the context provider from which the
+	// trusted context assertion was generated.
+	//
+	//     [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
 	ProvidedContexts []types.ProvidedContext
 
 	// The identification number of the MFA device that is associated with the user
@@ -213,79 +265,97 @@ type AssumeRoleInput struct {
 	// the role being assumed includes a condition that requires MFA authentication.
 	// The value is either the serial number for a hardware device (such as
 	// GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as
-	// arn:aws:iam::123456789012:mfa/user ). The regex used to validate this parameter
-	// is a string of characters consisting of upper- and lower-case alphanumeric
-	// characters with no spaces. You can also include underscores or any of the
-	// following characters: =,.@-
+	// arn:aws:iam::123456789012:mfa/user ).
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
 	SerialNumber *string
 
 	// The source identity specified by the principal that is calling the AssumeRole
-	// operation. You can require users to specify a source identity when they assume a
-	// role. You do this by using the sts:SourceIdentity condition key in a role trust
-	// policy. You can use source identity information in CloudTrail logs to determine
-	// who took actions with a role. You can use the aws:SourceIdentity condition key
-	// to further control access to Amazon Web Services resources based on the value of
-	// source identity. For more information about using source identity, see Monitor
-	// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
-	// characters consisting of upper- and lower-case alphanumeric characters with no
-	// spaces. You can also include underscores or any of the following characters:
-	// =,.@-. You cannot use a value that begins with the text aws: . This prefix is
-	// reserved for Amazon Web Services internal use.
+	// operation.
+	//
+	// You can require users to specify a source identity when they assume a role. You
+	// do this by using the sts:SourceIdentity condition key in a role trust policy.
+	// You can use source identity information in CloudTrail logs to determine who took
+	// actions with a role. You can use the aws:SourceIdentity condition key to
+	// further control access to Amazon Web Services resources based on the value of
+	// source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
+	// IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-. You cannot use a
+	// value that begins with the text aws: . This prefix is reserved for Amazon Web
+	// Services internal use.
+	//
+	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 	SourceIdentity *string
 
 	// A list of session tags that you want to pass. Each session tag consists of a
-	// key name and an associated value. For more information about session tags, see
-	// Tagging Amazon Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-	// in the IAM User Guide. This parameter is optional. You can pass up to 50 session
-	// tags. The plaintext session tag keys can’t exceed 128 characters, and the values
-	// can’t exceed 256 characters. For these and additional limits, see IAM and STS
-	// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-	// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
-	// inline session policy, managed policy ARNs, and session tags into a packed
-	// binary format that has a separate limit. Your request can fail for this limit
-	// even if your plaintext meets the other requirements. The PackedPolicySize
-	// response element indicates by percentage how close the policies and tags for
-	// your request are to the upper size limit. You can pass a session tag with the
-	// same key as a tag that is already attached to the role. When you do, session
-	// tags override a role tag with the same key. Tag key–value pairs are not case
-	// sensitive, but case is preserved. This means that you cannot have separate
-	// Department and department tag keys. Assume that the role has the Department =
-	// Marketing tag and you pass the department = engineering session tag. Department
-	// and department are not saved as separate tags, and the session tag passed in
-	// the request takes precedence over the role tag. Additionally, if you used
-	// temporary credentials to perform this operation, the new session inherits any
-	// transitive session tags from the calling session. If you pass a session tag with
-	// the same key as an inherited tag, the operation fails. To view the inherited
-	// tags for a session, see the CloudTrail logs. For more information, see Viewing
-	// Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
+	// key name and an associated value. For more information about session tags, see [Tagging Amazon Web Services STS Sessions]
 	// in the IAM User Guide.
+	//
+	// This parameter is optional. You can pass up to 50 session tags. The plaintext
+	// session tag keys can’t exceed 128 characters, and the values can’t exceed 256
+	// characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// You can pass a session tag with the same key as a tag that is already attached
+	// to the role. When you do, session tags override a role tag with the same key.
+	//
+	// Tag key–value pairs are not case sensitive, but case is preserved. This means
+	// that you cannot have separate Department and department tag keys. Assume that
+	// the role has the Department = Marketing tag and you pass the department =
+	// engineering session tag. Department and department are not saved as separate
+	// tags, and the session tag passed in the request takes precedence over the role
+	// tag.
+	//
+	// Additionally, if you used temporary credentials to perform this operation, the
+	// new session inherits any transitive session tags from the calling session. If
+	// you pass a session tag with the same key as an inherited tag, the operation
+	// fails. To view the inherited tags for a session, see the CloudTrail logs. For
+	// more information, see [Viewing Session Tags in CloudTrail]in the IAM User Guide.
+	//
+	// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+	// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+	// [Viewing Session Tags in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
 	Tags []types.Tag
 
 	// The value provided by the MFA device, if the trust policy of the role being
 	// assumed requires MFA. (In other words, if the policy includes a condition that
 	// tests for MFA). If the role being assumed requires MFA and if the TokenCode
 	// value is missing or expired, the AssumeRole call returns an "access denied"
-	// error. The format for this parameter, as described by its regex pattern, is a
-	// sequence of six numeric digits.
+	// error.
+	//
+	// The format for this parameter, as described by its regex pattern, is a sequence
+	// of six numeric digits.
 	TokenCode *string
 
 	// A list of keys for session tags that you want to set as transitive. If you set
 	// a tag key as transitive, the corresponding key and value passes to subsequent
-	// sessions in a role chain. For more information, see Chaining Roles with Session
-	// Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-	// in the IAM User Guide. This parameter is optional. When you set session tags as
-	// transitive, the session policy and session tags packed binary limit is not
-	// affected. If you choose not to specify a transitive tag key, then no tags are
-	// passed from this session to any subsequent sessions.
+	// sessions in a role chain. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+	//
+	// This parameter is optional. When you set session tags as transitive, the
+	// session policy and session tags packed binary limit is not affected.
+	//
+	// If you choose not to specify a transitive tag key, then no tags are passed from
+	// this session to any subsequent sessions.
+	//
+	// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
 	TransitiveTagKeys []string
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful AssumeRole request, including temporary
-// Amazon Web Services credentials that can be used to make Amazon Web Services
-// requests.
+// Contains the response to a successful AssumeRole request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
 type AssumeRoleOutput struct {
 
 	// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@@ -296,9 +366,10 @@ type AssumeRoleOutput struct {
 	AssumedRoleUser *types.AssumedRoleUser
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security (or session) token. The size of the security token
-	// that STS API operations return is not fixed. We strongly recommend that you make
-	// no assumptions about the maximum size.
+	// access key, and a security (or session) token.
+	//
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// A percentage value that indicates the packed size of the session policies and
@@ -308,17 +379,21 @@ type AssumeRoleOutput struct {
 	PackedPolicySize *int32
 
 	// The source identity specified by the principal that is calling the AssumeRole
-	// operation. You can require users to specify a source identity when they assume a
-	// role. You do this by using the sts:SourceIdentity condition key in a role trust
-	// policy. You can use source identity information in CloudTrail logs to determine
-	// who took actions with a role. You can use the aws:SourceIdentity condition key
-	// to further control access to Amazon Web Services resources based on the value of
-	// source identity. For more information about using source identity, see Monitor
-	// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
-	// characters consisting of upper- and lower-case alphanumeric characters with no
-	// spaces. You can also include underscores or any of the following characters:
-	// =,.@-
+	// operation.
+	//
+	// You can require users to specify a source identity when they assume a role. You
+	// do this by using the sts:SourceIdentity condition key in a role trust policy.
+	// You can use source identity information in CloudTrail logs to determine who took
+	// actions with a role. You can use the aws:SourceIdentity condition key to
+	// further control access to Amazon Web Services resources based on the value of
+	// source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
+	// IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
+	//
+	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 	SourceIdentity *string
 
 	// Metadata pertaining to the operation's result.
@@ -382,6 +457,12 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpAssumeRoleValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
index 2a57b72ac..4c685abd5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go
@@ -16,92 +16,132 @@ import (
 // mechanism for tying an enterprise identity store or directory to role-based
 // Amazon Web Services access without user-specific credentials or configuration.
 // For a comparison of AssumeRoleWithSAML with the other API operations that
-// produce temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. The temporary security credentials returned by this
-// operation consist of an access key ID, a secret access key, and a security
-// token. Applications can use these temporary security credentials to sign calls
-// to Amazon Web Services services. Session Duration By default, the temporary
-// security credentials created by AssumeRoleWithSAML last for one hour. However,
-// you can use the optional DurationSeconds parameter to specify the duration of
-// your session. Your role session lasts for the duration that you specify, or
-// until the time specified in the SAML authentication response's
-// SessionNotOnOrAfter value, whichever is shorter. You can provide a
-// DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
-// duration setting for the role. This setting can have a value from 1 hour to 12
-// hours. To learn how to view the maximum value for your role, see View the
-// Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-// in the IAM User Guide. The maximum session duration limit applies when you use
-// the AssumeRole* API operations or the assume-role* CLI commands. However the
-// limit does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
-// in the IAM User Guide. Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
-// limits your CLI or Amazon Web Services API role session to a maximum of one
+// produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+//
+// The temporary security credentials returned by this operation consist of an
+// access key ID, a secret access key, and a security token. Applications can use
+// these temporary security credentials to sign calls to Amazon Web Services
+// services.
+//
+// # Session Duration
+//
+// By default, the temporary security credentials created by AssumeRoleWithSAML
+// last for one hour. However, you can use the optional DurationSeconds parameter
+// to specify the duration of your session. Your role session lasts for the
+// duration that you specify, or until the time specified in the SAML
+// authentication response's SessionNotOnOrAfter value, whichever is shorter. You
+// can provide a DurationSeconds value from 900 seconds (15 minutes) up to the
+// maximum session duration setting for the role. This setting can have a value
+// from 1 hour to 12 hours. To learn how to view the maximum value for your role,
+// see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide. The maximum session duration limit applies when you
+// use the AssumeRole* API operations or the assume-role* CLI commands. However
+// the limit does not apply when you use those operations to create a console URL.
+// For more information, see [Using IAM Roles]in the IAM User Guide.
+//
+// [Role chaining]limits your CLI or Amazon Web Services API role session to a maximum of one
 // hour. When you use the AssumeRole API operation to assume a role, you can
 // specify the duration of your role session with the DurationSeconds parameter.
 // You can specify a parameter value of up to 43200 seconds (12 hours), depending
 // on the maximum session duration setting for your role. However, if you assume a
 // role using role chaining and provide a DurationSeconds parameter value greater
-// than one hour, the operation fails. Permissions The temporary security
-// credentials created by AssumeRoleWithSAML can be used to make API calls to any
-// Amazon Web Services service with the following exception: you cannot call the
-// STS GetFederationToken or GetSessionToken API operations. (Optional) You can
-// pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
-// Passing policies to this operation returns new temporary credentials. The
-// resulting session's permissions are the intersection of the role's
-// identity-based policy and the session policies. You can use the role's temporary
-// credentials in subsequent Amazon Web Services API calls to access resources in
-// the account that owns the role. You cannot use session policies to grant more
-// permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of
-// Amazon Web Services security credentials. The identity of the caller is
-// validated by using keys in the metadata document that is uploaded for the SAML
-// provider entity for your identity provider. Calling AssumeRoleWithSAML can
-// result in an entry in your CloudTrail logs. The entry includes the value in the
-// NameID element of the SAML assertion. We recommend that you use a NameIDType
-// that is not associated with any personally identifiable information (PII). For
-// example, you could instead use the persistent identifier (
-// urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). Tags (Optional) You can
-// configure your IdP to pass attributes into your SAML assertion as session tags.
-// Each session tag consists of a key name and an associated value. For more
-// information about session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
-// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters.
-// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
-// inline session policy, managed policy ARNs, and session tags into a packed
-// binary format that has a separate limit. Your request can fail for this limit
-// even if your plaintext meets the other requirements. The PackedPolicySize
-// response element indicates by percentage how close the policies and tags for
-// your request are to the upper size limit. You can pass a session tag with the
-// same key as a tag that is attached to the role. When you do, session tags
-// override the role's tags with the same key. An administrator must grant you the
-// permissions necessary to pass session tags. The administrator can also create
-// granular permissions to allow you to pass only specific session tags. For more
-// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// in the IAM User Guide. SAML Configuration Before your application can call
-// AssumeRoleWithSAML , you must configure your SAML identity provider (IdP) to
-// issue the claims required by Amazon Web Services. Additionally, you must use
-// Identity and Access Management (IAM) to create a SAML provider entity in your
-// Amazon Web Services account that represents your identity provider. You must
-// also create an IAM role that specifies this SAML provider in its trust policy.
+// than one hour, the operation fails.
+//
+// # Permissions
+//
+// The temporary security credentials created by AssumeRoleWithSAML can be used to
+// make API calls to any Amazon Web Services service with the following exception:
+// you cannot call the STS GetFederationToken or GetSessionToken API operations.
+//
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
+// single JSON policy document to use as an inline session policy. You can also
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
+// session policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters. Passing policies to this operation
+// returns new temporary credentials. The resulting session's permissions are the
+// intersection of the role's identity-based policy and the session policies. You
+// can use the role's temporary credentials in subsequent Amazon Web Services API
+// calls to access resources in the account that owns the role. You cannot use
+// session policies to grant more permissions than those allowed by the
+// identity-based policy of the role that is being assumed. For more information,
+// see [Session Policies]in the IAM User Guide.
+//
+// Calling AssumeRoleWithSAML does not require the use of Amazon Web Services
+// security credentials. The identity of the caller is validated by using keys in
+// the metadata document that is uploaded for the SAML provider entity for your
+// identity provider.
+//
+// Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. The
+// entry includes the value in the NameID element of the SAML assertion. We
+// recommend that you use a NameIDType that is not associated with any personally
+// identifiable information (PII). For example, you could instead use the
+// persistent identifier ( urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ).
+//
+// # Tags
+//
+// (Optional) You can configure your IdP to pass attributes into your SAML
+// assertion as session tags. Each session tag consists of a key name and an
+// associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
+// Guide.
+//
+// You can pass up to 50 session tags. The plaintext session tag keys can’t exceed
+// 128 characters and the values can’t exceed 256 characters. For these and
+// additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+//
+// An Amazon Web Services conversion compresses the passed inline session policy,
+// managed policy ARNs, and session tags into a packed binary format that has a
+// separate limit. Your request can fail for this limit even if your plaintext
+// meets the other requirements. The PackedPolicySize response element indicates
+// by percentage how close the policies and tags for your request are to the upper
+// size limit.
+//
+// You can pass a session tag with the same key as a tag that is attached to the
+// role. When you do, session tags override the role's tags with the same key.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// You can set the session tags as transitive. Transitive tags persist during role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # SAML Configuration
+//
+// Before your application can call AssumeRoleWithSAML , you must configure your
+// SAML identity provider (IdP) to issue the claims required by Amazon Web
+// Services. Additionally, you must use Identity and Access Management (IAM) to
+// create a SAML provider entity in your Amazon Web Services account that
+// represents your identity provider. You must also create an IAM role that
+// specifies this SAML provider in its trust policy.
+//
 // For more information, see the following resources:
-//   - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
-//     in the IAM User Guide.
-//   - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
-//     in the IAM User Guide.
-//   - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
-//     in the IAM User Guide.
-//   - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
-//     in the IAM User Guide.
+//
+// [About SAML 2.0-based Federation]
+//   - in the IAM User Guide.
+//
+// [Creating SAML Identity Providers]
+//   - in the IAM User Guide.
+//
+// [Configuring a Relying Party and Claims]
+//   - in the IAM User Guide.
+//
+// [Creating a Role for SAML 2.0 Federation]
+//   - in the IAM User Guide.
+//
+// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+// [Creating a Role for SAML 2.0 Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
+// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [Creating SAML Identity Providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+// [Configuring a Relying Party and Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
+// [Role chaining]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
+// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [About SAML 2.0-based Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
 func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) {
 	if params == nil {
 		params = &AssumeRoleWithSAMLInput{}
@@ -130,9 +170,11 @@ type AssumeRoleWithSAMLInput struct {
 	// This member is required.
 	RoleArn *string
 
-	// The base64 encoded SAML authentication response provided by the IdP. For more
-	// information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
-	// in the IAM User Guide.
+	// The base64 encoded SAML authentication response provided by the IdP.
+	//
+	// For more information, see [Configuring a Relying Party and Adding Claims] in the IAM User Guide.
+	//
+	// [Configuring a Relying Party and Adding Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
 	//
 	// This member is required.
 	SAMLAssertion *string
@@ -146,92 +188,114 @@ type AssumeRoleWithSAMLInput struct {
 	// than this setting, the operation fails. For example, if you specify a session
 	// duration of 12 hours, but your administrator set the maximum session duration to
 	// 6 hours, your operation fails. To learn how to view the maximum value for your
-	// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-	// in the IAM User Guide. By default, the value is set to 3600 seconds. The
-	// DurationSeconds parameter is separate from the duration of a console session
-	// that you might request using the returned credentials. The request to the
-	// federation endpoint for a console sign-in token takes a SessionDuration
+	// role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+	//
+	// By default, the value is set to 3600 seconds.
+	//
+	// The DurationSeconds parameter is separate from the duration of a console
+	// session that you might request using the returned credentials. The request to
+	// the federation endpoint for a console sign-in token takes a SessionDuration
 	// parameter that specifies the maximum length of the console session. For more
-	// information, see Creating a URL that Enables Federated Users to Access the
-	// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
-	// in the IAM User Guide.
+	// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
+	//
+	// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+	// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
 	DurationSeconds *int32
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.
+	//
 	// This parameter is optional. Passing policies to this operation returns new
 	// temporary credentials. The resulting session's permissions are the intersection
 	// of the role's identity-based policy and the session policies. You can use the
 	// role's temporary credentials in subsequent Amazon Web Services API calls to
 	// access resources in the account that owns the role. You cannot use session
 	// policies to grant more permissions than those allowed by the identity-based
-	// policy of the role that is being assumed. For more information, see Session
-	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// in the IAM User Guide. The plaintext that you use for both inline and managed
-	// session policies can't exceed 2,048 characters. The JSON policy characters can
-	// be any ASCII character from the space character to the end of the valid
-	// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
-	// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
-	// Services conversion compresses the passed inline session policy, managed policy
-	// ARNs, and session tags into a packed binary format that has a separate limit.
-	// Your request can fail for this limit even if your plaintext meets the other
-	// requirements. The PackedPolicySize response element indicates by percentage how
-	// close the policies and tags for your request are to the upper size limit.
+	// policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
+	// User Guide.
+	//
+	// The plaintext that you use for both inline and managed session policies can't
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
+	// from the space character to the end of the valid character list (\u0020 through
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+	// return (\u000D) characters.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 	Policy *string
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
 	// use as managed session policies. The policies must exist in the same account as
-	// the role. This parameter is optional. You can provide up to 10 managed policy
-	// ARNs. However, the plaintext that you use for both inline and managed session
-	// policies can't exceed 2,048 characters. For more information about ARNs, see
-	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// in the Amazon Web Services General Reference. An Amazon Web Services conversion
-	// compresses the passed inline session policy, managed policy ARNs, and session
-	// tags into a packed binary format that has a separate limit. Your request can
-	// fail for this limit even if your plaintext meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit. Passing policies to this
-	// operation returns new temporary credentials. The resulting session's permissions
-	// are the intersection of the role's identity-based policy and the session
-	// policies. You can use the role's temporary credentials in subsequent Amazon Web
-	// Services API calls to access resources in the account that owns the role. You
-	// cannot use session policies to grant more permissions than those allowed by the
-	// identity-based policy of the role that is being assumed. For more information,
-	// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// in the IAM User Guide.
+	// the role.
+	//
+	// This parameter is optional. You can provide up to 10 managed policy ARNs.
+	// However, the plaintext that you use for both inline and managed session policies
+	// can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
+	// Amazon Web Services General Reference.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// Passing policies to this operation returns new temporary credentials. The
+	// resulting session's permissions are the intersection of the role's
+	// identity-based policy and the session policies. You can use the role's temporary
+	// credentials in subsequent Amazon Web Services API calls to access resources in
+	// the account that owns the role. You cannot use session policies to grant more
+	// permissions than those allowed by the identity-based policy of the role that is
+	// being assumed. For more information, see [Session Policies]in the IAM User Guide.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	PolicyArns []types.PolicyDescriptorType
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful AssumeRoleWithSAML request, including
-// temporary Amazon Web Services credentials that can be used to make Amazon Web
-// Services requests.
+// Contains the response to a successful AssumeRoleWithSAML request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
 type AssumeRoleWithSAMLOutput struct {
 
 	// The identifiers for the temporary security credentials that the operation
 	// returns.
 	AssumedRoleUser *types.AssumedRoleUser
 
-	// The value of the Recipient attribute of the SubjectConfirmationData element of
+	//  The value of the Recipient attribute of the SubjectConfirmationData element of
 	// the SAML assertion.
 	Audience *string
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security (or session) token. The size of the security token
-	// that STS API operations return is not fixed. We strongly recommend that you make
-	// no assumptions about the maximum size.
+	// access key, and a security (or session) token.
+	//
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// The value of the Issuer element of the SAML assertion.
 	Issuer *string
 
 	// A hash value based on the concatenation of the following:
+	//
 	//   - The Issuer response value.
+	//
 	//   - The Amazon Web Services account ID.
+	//
 	//   - The friendly name (the last part of the ARN) of the SAML provider in IAM.
+	//
 	// The combination of NameQualifier and Subject can be used to uniquely identify a
-	// user. The following pseudocode shows how the hash value is calculated: BASE64 (
-	// SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
+	// user.
+	//
+	// The following pseudocode shows how the hash value is calculated:
+	//
+	//     BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
 	NameQualifier *string
 
 	// A percentage value that indicates the packed size of the session policies and
@@ -240,31 +304,36 @@ type AssumeRoleWithSAMLOutput struct {
 	// allowed space.
 	PackedPolicySize *int32
 
-	// The value in the SourceIdentity attribute in the SAML assertion. You can
-	// require users to set a source identity value when they assume a role. You do
-	// this by using the sts:SourceIdentity condition key in a role trust policy. That
-	// way, actions that are taken with the role are associated with that user. After
-	// the source identity is set, the value cannot be changed. It is present in the
-	// request for all actions that are taken by the role and persists across chained
-	// role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
-	// sessions. You can configure your SAML identity provider to use an attribute
-	// associated with your users, like user name or email, as the source identity when
-	// calling AssumeRoleWithSAML . You do this by adding an attribute to the SAML
-	// assertion. For more information about using source identity, see Monitor and
-	// control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
-	// characters consisting of upper- and lower-case alphanumeric characters with no
-	// spaces. You can also include underscores or any of the following characters:
-	// =,.@-
+	// The value in the SourceIdentity attribute in the SAML assertion.
+	//
+	// You can require users to set a source identity value when they assume a role.
+	// You do this by using the sts:SourceIdentity condition key in a role trust
+	// policy. That way, actions that are taken with the role are associated with that
+	// user. After the source identity is set, the value cannot be changed. It is
+	// present in the request for all actions that are taken by the role and persists
+	// across [chained role]sessions. You can configure your SAML identity provider to use an
+	// attribute associated with your users, like user name or email, as the source
+	// identity when calling AssumeRoleWithSAML . You do this by adding an attribute to
+	// the SAML assertion. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in
+	// the IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
+	//
+	// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 	SourceIdentity *string
 
 	// The value of the NameID element in the Subject element of the SAML assertion.
 	Subject *string
 
-	// The format of the name ID, as defined by the Format attribute in the NameID
+	//  The format of the name ID, as defined by the Format attribute in the NameID
 	// element of the SAML assertion. Typical examples of the format are transient or
-	// persistent . If the format includes the prefix
-	// urn:oasis:names:tc:SAML:2.0:nameid-format , that prefix is removed. For example,
+	// persistent .
+	//
+	// If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format ,
+	// that prefix is removed. For example,
 	// urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient .
 	// If the format includes any other prefix, the format is returned with no
 	// modifications.
@@ -328,6 +397,12 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpAssumeRoleWithSAMLValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
index 98108ce6a..0b5e5a377 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go
@@ -14,105 +14,143 @@ import (
 // Returns a set of temporary security credentials for users who have been
 // authenticated in a mobile or web application with a web identity provider.
 // Example providers include the OAuth 2.0 providers Login with Amazon and
-// Facebook, or any OpenID Connect-compatible identity provider such as Google or
-// Amazon Cognito federated identities (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
-// . For mobile applications, we recommend that you use Amazon Cognito. You can use
-// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
-// and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
-// to uniquely identify a user. You can also supply the user with a consistent
-// identity throughout the lifetime of an application. To learn more about Amazon
-// Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
-// in Amazon Cognito Developer Guide. Calling AssumeRoleWithWebIdentity does not
-// require the use of Amazon Web Services security credentials. Therefore, you can
-// distribute an application (for example, on mobile devices) that requests
-// temporary security credentials without including long-term Amazon Web Services
-// credentials in the application. You also don't need to deploy server-based proxy
-// services that use long-term Amazon Web Services credentials. Instead, the
-// identity of the caller is validated by using a token from the web identity
-// provider. For a comparison of AssumeRoleWithWebIdentity with the other API
-// operations that produce temporary credentials, see Requesting Temporary
-// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. The temporary security credentials returned by this API
-// consist of an access key ID, a secret access key, and a security token.
-// Applications can use these temporary security credentials to sign calls to
-// Amazon Web Services service API operations. Session Duration By default, the
-// temporary security credentials created by AssumeRoleWithWebIdentity last for
-// one hour. However, you can use the optional DurationSeconds parameter to
-// specify the duration of your session. You can provide a value from 900 seconds
-// (15 minutes) up to the maximum session duration setting for the role. This
-// setting can have a value from 1 hour to 12 hours. To learn how to view the
-// maximum value for your role, see View the Maximum Session Duration Setting for
-// a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-// in the IAM User Guide. The maximum session duration limit applies when you use
-// the AssumeRole* API operations or the assume-role* CLI commands. However the
-// limit does not apply when you use those operations to create a console URL. For
-// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
-// in the IAM User Guide. Permissions The temporary security credentials created by
-// AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web
-// Services service with the following exception: you cannot call the STS
-// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
-// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
-// Passing policies to this operation returns new temporary credentials. The
-// resulting session's permissions are the intersection of the role's
-// identity-based policy and the session policies. You can use the role's temporary
-// credentials in subsequent Amazon Web Services API calls to access resources in
-// the account that owns the role. You cannot use session policies to grant more
-// permissions than those allowed by the identity-based policy of the role that is
-// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. Tags (Optional) You can configure your IdP to pass
-// attributes into your web identity token as session tags. Each session tag
-// consists of a key name and an associated value. For more information about
-// session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
-// tag keys can’t exceed 128 characters and the values can’t exceed 256 characters.
-// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
-// inline session policy, managed policy ARNs, and session tags into a packed
-// binary format that has a separate limit. Your request can fail for this limit
-// even if your plaintext meets the other requirements. The PackedPolicySize
-// response element indicates by percentage how close the policies and tags for
-// your request are to the upper size limit. You can pass a session tag with the
-// same key as a tag that is attached to the role. When you do, the session tag
-// overrides the role tag with the same key. An administrator must grant you the
-// permissions necessary to pass session tags. The administrator can also create
-// granular permissions to allow you to pass only specific session tags. For more
-// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. You can set the session tags as transitive. Transitive
-// tags persist during role chaining. For more information, see Chaining Roles
-// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
-// in the IAM User Guide. Identities Before your application can call
-// AssumeRoleWithWebIdentity , you must have an identity token from a supported
-// identity provider and create a role that the application can assume. The role
-// that your application assumes must trust the identity provider that is
-// associated with the identity token. In other words, the identity provider must
-// be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can
-// result in an entry in your CloudTrail logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
-// of the provided web identity token. We recommend that you avoid using any
-// personally identifiable information (PII) in this field. For example, you could
-// instead use a GUID or a pairwise identifier, as suggested in the OIDC
-// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)
-// . For more information about how to use web identity federation and the
+// Facebook, or any OpenID Connect-compatible identity provider such as Google or [Amazon Cognito federated identities].
+//
+// For mobile applications, we recommend that you use Amazon Cognito. You can use
+// Amazon Cognito with the [Amazon Web Services SDK for iOS Developer Guide]and the [Amazon Web Services SDK for Android Developer Guide] to uniquely identify a user. You can also
+// supply the user with a consistent identity throughout the lifetime of an
+// application.
+//
+// To learn more about Amazon Cognito, see [Amazon Cognito identity pools] in Amazon Cognito Developer Guide.
+//
+// Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web
+// Services security credentials. Therefore, you can distribute an application (for
+// example, on mobile devices) that requests temporary security credentials without
+// including long-term Amazon Web Services credentials in the application. You also
+// don't need to deploy server-based proxy services that use long-term Amazon Web
+// Services credentials. Instead, the identity of the caller is validated by using
+// a token from the web identity provider. For a comparison of
+// AssumeRoleWithWebIdentity with the other API operations that produce temporary
+// credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+//
+// The temporary security credentials returned by this API consist of an access
+// key ID, a secret access key, and a security token. Applications can use these
+// temporary security credentials to sign calls to Amazon Web Services service API
+// operations.
+//
+// # Session Duration
+//
+// By default, the temporary security credentials created by
+// AssumeRoleWithWebIdentity last for one hour. However, you can use the optional
+// DurationSeconds parameter to specify the duration of your session. You can
+// provide a value from 900 seconds (15 minutes) up to the maximum session duration
+// setting for the role. This setting can have a value from 1 hour to 12 hours. To
+// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+// The maximum session duration limit applies when you use the AssumeRole* API
+// operations or the assume-role* CLI commands. However the limit does not apply
+// when you use those operations to create a console URL. For more information, see
+// [Using IAM Roles]in the IAM User Guide.
+//
+// # Permissions
+//
+// The temporary security credentials created by AssumeRoleWithWebIdentity can be
+// used to make API calls to any Amazon Web Services service with the following
+// exception: you cannot call the STS GetFederationToken or GetSessionToken API
+// operations.
+//
+// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
+// single JSON policy document to use as an inline session policy. You can also
+// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
+// session policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters. Passing policies to this operation
+// returns new temporary credentials. The resulting session's permissions are the
+// intersection of the role's identity-based policy and the session policies. You
+// can use the role's temporary credentials in subsequent Amazon Web Services API
+// calls to access resources in the account that owns the role. You cannot use
+// session policies to grant more permissions than those allowed by the
+// identity-based policy of the role that is being assumed. For more information,
+// see [Session Policies]in the IAM User Guide.
+//
+// # Tags
+//
+// (Optional) You can configure your IdP to pass attributes into your web identity
+// token as session tags. Each session tag consists of a key name and an associated
+// value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User Guide.
+//
+// You can pass up to 50 session tags. The plaintext session tag keys can’t exceed
+// 128 characters and the values can’t exceed 256 characters. For these and
+// additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+//
+// An Amazon Web Services conversion compresses the passed inline session policy,
+// managed policy ARNs, and session tags into a packed binary format that has a
+// separate limit. Your request can fail for this limit even if your plaintext
+// meets the other requirements. The PackedPolicySize response element indicates
+// by percentage how close the policies and tags for your request are to the upper
+// size limit.
+//
+// You can pass a session tag with the same key as a tag that is attached to the
+// role. When you do, the session tag overrides the role tag with the same key.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// You can set the session tags as transitive. Transitive tags persist during role
+// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
+//
+// # Identities
+//
+// Before your application can call AssumeRoleWithWebIdentity , you must have an
+// identity token from a supported identity provider and create a role that the
+// application can assume. The role that your application assumes must trust the
+// identity provider that is associated with the identity token. In other words,
+// the identity provider must be specified in the role's trust policy.
+//
+// Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail
+// logs. The entry includes the [Subject]of the provided web identity token. We recommend
+// that you avoid using any personally identifiable information (PII) in this
+// field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification].
+//
+// For more information about how to use web identity federation and the
 // AssumeRoleWithWebIdentity API, see the following resources:
-//   - Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
-//     and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-//     .
-//   - Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/)
-//     . Walk through the process of authenticating through Login with Amazon,
+//
+// [Using Web Identity Federation API Operations for Mobile Apps]
+//   - and [Federation Through a Web-based Identity Provider].
+//
+// [Web Identity Federation Playground]
+//   - . Walk through the process of authenticating through Login with Amazon,
 //     Facebook, or Google, getting temporary security credentials, and then using
 //     those credentials to make a request to Amazon Web Services.
-//   - Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
-//     and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
-//     . These toolkits contain sample apps that show how to invoke the identity
-//     providers. The toolkits then show how to use the information from these
+//
+// [Amazon Web Services SDK for iOS Developer Guide]
+//   - and [Amazon Web Services SDK for Android Developer Guide]. These toolkits contain sample apps that show how to invoke the
+//     identity providers. The toolkits then show how to use the information from these
 //     providers to get and use temporary security credentials.
-//   - Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications)
-//     . This article discusses web identity federation and shows an example of how to
-//     use web identity federation to get access to content in Amazon S3.
+//
+// [Web Identity Federation with Mobile Applications]
+//   - . This article discusses web identity federation and shows an example of
+//     how to use web identity federation to get access to content in Amazon S3.
+//
+// [Amazon Web Services SDK for iOS Developer Guide]: http://aws.amazon.com/sdkforios/
+// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+// [Web Identity Federation Playground]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
+// [Amazon Web Services SDK for Android Developer Guide]: http://aws.amazon.com/sdkforandroid/
+// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Subject]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+// [Amazon Cognito identity pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
+// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Amazon Cognito federated identities]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+// [Web Identity Federation with Mobile Applications]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
+// [Using Web Identity Federation API Operations for Mobile Apps]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
+// [suggested in the OIDC specification]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
 func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) {
 	if params == nil {
 		params = &AssumeRoleWithWebIdentityInput{}
@@ -139,10 +177,11 @@ type AssumeRoleWithWebIdentityInput struct {
 	// identifier that is associated with the user who is using your application. That
 	// way, the temporary security credentials that your application will use are
 	// associated with that user. This session name is included as part of the ARN and
-	// assumed role ID in the AssumedRoleUser response element. The regex used to
-	// validate this parameter is a string of characters consisting of upper- and
-	// lower-case alphanumeric characters with no spaces. You can also include
-	// underscores or any of the following characters: =,.@-
+	// assumed role ID in the AssumedRoleUser response element.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
 	//
 	// This member is required.
 	RoleSessionName *string
@@ -162,73 +201,90 @@ type AssumeRoleWithWebIdentityInput struct {
 	// higher than this setting, the operation fails. For example, if you specify a
 	// session duration of 12 hours, but your administrator set the maximum session
 	// duration to 6 hours, your operation fails. To learn how to view the maximum
-	// value for your role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
-	// in the IAM User Guide. By default, the value is set to 3600 seconds. The
-	// DurationSeconds parameter is separate from the duration of a console session
-	// that you might request using the returned credentials. The request to the
-	// federation endpoint for a console sign-in token takes a SessionDuration
+	// value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
+	//
+	// By default, the value is set to 3600 seconds.
+	//
+	// The DurationSeconds parameter is separate from the duration of a console
+	// session that you might request using the returned credentials. The request to
+	// the federation endpoint for a console sign-in token takes a SessionDuration
 	// parameter that specifies the maximum length of the console session. For more
-	// information, see Creating a URL that Enables Federated Users to Access the
-	// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
-	// in the IAM User Guide.
+	// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
+	//
+	// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+	// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
 	DurationSeconds *int32
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.
+	//
 	// This parameter is optional. Passing policies to this operation returns new
 	// temporary credentials. The resulting session's permissions are the intersection
 	// of the role's identity-based policy and the session policies. You can use the
 	// role's temporary credentials in subsequent Amazon Web Services API calls to
 	// access resources in the account that owns the role. You cannot use session
 	// policies to grant more permissions than those allowed by the identity-based
-	// policy of the role that is being assumed. For more information, see Session
-	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// in the IAM User Guide. The plaintext that you use for both inline and managed
-	// session policies can't exceed 2,048 characters. The JSON policy characters can
-	// be any ASCII character from the space character to the end of the valid
-	// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
-	// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
-	// Services conversion compresses the passed inline session policy, managed policy
-	// ARNs, and session tags into a packed binary format that has a separate limit.
-	// Your request can fail for this limit even if your plaintext meets the other
-	// requirements. The PackedPolicySize response element indicates by percentage how
-	// close the policies and tags for your request are to the upper size limit.
+	// policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
+	// User Guide.
+	//
+	// The plaintext that you use for both inline and managed session policies can't
+	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
+	// from the space character to the end of the valid character list (\u0020 through
+	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
+	// return (\u000D) characters.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 	Policy *string
 
 	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
 	// use as managed session policies. The policies must exist in the same account as
-	// the role. This parameter is optional. You can provide up to 10 managed policy
-	// ARNs. However, the plaintext that you use for both inline and managed session
-	// policies can't exceed 2,048 characters. For more information about ARNs, see
-	// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// in the Amazon Web Services General Reference. An Amazon Web Services conversion
-	// compresses the passed inline session policy, managed policy ARNs, and session
-	// tags into a packed binary format that has a separate limit. Your request can
-	// fail for this limit even if your plaintext meets the other requirements. The
-	// PackedPolicySize response element indicates by percentage how close the policies
-	// and tags for your request are to the upper size limit. Passing policies to this
-	// operation returns new temporary credentials. The resulting session's permissions
-	// are the intersection of the role's identity-based policy and the session
-	// policies. You can use the role's temporary credentials in subsequent Amazon Web
-	// Services API calls to access resources in the account that owns the role. You
-	// cannot use session policies to grant more permissions than those allowed by the
-	// identity-based policy of the role that is being assumed. For more information,
-	// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// in the IAM User Guide.
+	// the role.
+	//
+	// This parameter is optional. You can provide up to 10 managed policy ARNs.
+	// However, the plaintext that you use for both inline and managed session policies
+	// can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
+	// Amazon Web Services General Reference.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// Passing policies to this operation returns new temporary credentials. The
+	// resulting session's permissions are the intersection of the role's
+	// identity-based policy and the session policies. You can use the role's temporary
+	// credentials in subsequent Amazon Web Services API calls to access resources in
+	// the account that owns the role. You cannot use session policies to grant more
+	// permissions than those allowed by the identity-based policy of the role that is
+	// being assumed. For more information, see [Session Policies]in the IAM User Guide.
+	//
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	PolicyArns []types.PolicyDescriptorType
 
 	// The fully qualified host component of the domain name of the OAuth 2.0 identity
 	// provider. Do not specify this value for an OpenID Connect identity provider.
+	//
 	// Currently www.amazon.com and graph.facebook.com are the only supported identity
 	// providers for OAuth 2.0 access tokens. Do not include URL schemes and port
-	// numbers. Do not specify this value for OpenID Connect ID tokens.
+	// numbers.
+	//
+	// Do not specify this value for OpenID Connect ID tokens.
 	ProviderId *string
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful AssumeRoleWithWebIdentity request,
-// including temporary Amazon Web Services credentials that can be used to make
-// Amazon Web Services requests.
+// Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
 type AssumeRoleWithWebIdentityOutput struct {
 
 	// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@@ -244,9 +300,10 @@ type AssumeRoleWithWebIdentityOutput struct {
 	Audience *string
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security token. The size of the security token that STS API
-	// operations return is not fixed. We strongly recommend that you make no
-	// assumptions about the maximum size.
+	// access key, and a security token.
+	//
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// A percentage value that indicates the packed size of the session policies and
@@ -255,30 +312,34 @@ type AssumeRoleWithWebIdentityOutput struct {
 	// allowed space.
 	PackedPolicySize *int32
 
-	// The issuing authority of the web identity token presented. For OpenID Connect
+	//  The issuing authority of the web identity token presented. For OpenID Connect
 	// ID tokens, this contains the value of the iss field. For OAuth 2.0 access
 	// tokens, this contains the value of the ProviderId parameter that was passed in
 	// the AssumeRoleWithWebIdentity request.
 	Provider *string
 
 	// The value of the source identity that is returned in the JSON web token (JWT)
-	// from the identity provider. You can require users to set a source identity value
-	// when they assume a role. You do this by using the sts:SourceIdentity condition
-	// key in a role trust policy. That way, actions that are taken with the role are
-	// associated with that user. After the source identity is set, the value cannot be
-	// changed. It is present in the request for all actions that are taken by the role
-	// and persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
-	// sessions. You can configure your identity provider to use an attribute
+	// from the identity provider.
+	//
+	// You can require users to set a source identity value when they assume a role.
+	// You do this by using the sts:SourceIdentity condition key in a role trust
+	// policy. That way, actions that are taken with the role are associated with that
+	// user. After the source identity is set, the value cannot be changed. It is
+	// present in the request for all actions that are taken by the role and persists
+	// across [chained role]sessions. You can configure your identity provider to use an attribute
 	// associated with your users, like user name or email, as the source identity when
 	// calling AssumeRoleWithWebIdentity . You do this by adding a claim to the JSON
-	// web token. To learn more about OIDC tokens and claims, see Using Tokens with
-	// User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
-	// in the Amazon Cognito Developer Guide. For more information about using source
-	// identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
-	// in the IAM User Guide. The regex used to validate this parameter is a string of
-	// characters consisting of upper- and lower-case alphanumeric characters with no
-	// spaces. You can also include underscores or any of the following characters:
-	// =,.@-
+	// web token. To learn more about OIDC tokens and claims, see [Using Tokens with User Pools]in the Amazon
+	// Cognito Developer Guide. For more information about using source identity, see [Monitor and control actions taken with assumed roles]
+	// in the IAM User Guide.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
+	//
+	// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+	// [Using Tokens with User Pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
 	SourceIdentity *string
 
 	// The unique user identifier that is returned by the identity provider. This
@@ -347,6 +408,12 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpAssumeRoleWithWebIdentityValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
index b4ad54ab2..b1f14d28c 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_DecodeAuthorizationMessage.go
@@ -11,28 +11,39 @@ import (
 )
 
 // Decodes additional information about the authorization status of a request from
-// an encoded message returned in response to an Amazon Web Services request. For
-// example, if a user is not authorized to perform an operation that he or she has
-// requested, the request returns a Client.UnauthorizedOperation response (an HTTP
-// 403 response). Some Amazon Web Services operations additionally return an
-// encoded message that can provide details about this authorization failure. Only
-// certain Amazon Web Services operations return an encoded authorization message.
-// The documentation for an individual operation indicates whether that operation
-// returns an encoded message in addition to returning an HTTP code. The message is
-// encoded because the details of the authorization status can contain privileged
-// information that the user who requested the operation should not see. To decode
-// an authorization status message, a user must be granted permissions through an
-// IAM policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
-// to request the DecodeAuthorizationMessage ( sts:DecodeAuthorizationMessage )
-// action. The decoded message includes the following type of information:
+// an encoded message returned in response to an Amazon Web Services request.
+//
+// For example, if a user is not authorized to perform an operation that he or she
+// has requested, the request returns a Client.UnauthorizedOperation response (an
+// HTTP 403 response). Some Amazon Web Services operations additionally return an
+// encoded message that can provide details about this authorization failure.
+//
+// Only certain Amazon Web Services operations return an encoded authorization
+// message. The documentation for an individual operation indicates whether that
+// operation returns an encoded message in addition to returning an HTTP code.
+//
+// The message is encoded because the details of the authorization status can
+// contain privileged information that the user who requested the operation should
+// not see. To decode an authorization status message, a user must be granted
+// permissions through an IAM [policy]to request the DecodeAuthorizationMessage (
+// sts:DecodeAuthorizationMessage ) action.
+//
+// The decoded message includes the following type of information:
+//
 //   - Whether the request was denied due to an explicit deny or due to the
-//     absence of an explicit allow. For more information, see Determining Whether a
-//     Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
-//     in the IAM User Guide.
+//     absence of an explicit allow. For more information, see [Determining Whether a Request is Allowed or Denied]in the IAM User
+//     Guide.
+//
 //   - The principal who made the request.
+//
 //   - The requested action.
+//
 //   - The requested resource.
+//
 //   - The values of condition keys in the context of the user's request.
+//
+// [Determining Whether a Request is Allowed or Denied]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
+// [policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
 func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) {
 	if params == nil {
 		params = &DecodeAuthorizationMessageInput{}
@@ -127,6 +138,12 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpDecodeAuthorizationMessageValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
index 1f7cbcc2b..3ba00873d 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetAccessKeyInfo.go
@@ -10,23 +10,31 @@ import (
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
-// Returns the account identifier for the specified access key ID. Access keys
-// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE ) and
-// a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ).
-// For more information about access keys, see Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
-// in the IAM User Guide. When you pass an access key ID to this operation, it
-// returns the ID of the Amazon Web Services account to which the keys belong.
-// Access key IDs beginning with AKIA are long-term credentials for an IAM user or
-// the Amazon Web Services account root user. Access key IDs beginning with ASIA
-// are temporary credentials that are created using STS operations. If the account
-// in the response belongs to you, you can sign in as the root user and review your
-// root user access keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
-// to learn which IAM user owns the keys. To learn who requested the temporary
-// credentials for an ASIA access key, view the STS events in your CloudTrail logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
-// in the IAM User Guide. This operation does not indicate the state of the access
-// key. The key might be active, inactive, or deleted. Active keys might not have
-// permissions to perform an operation. Providing a deleted access key might return
-// an error that the key doesn't exist.
+// Returns the account identifier for the specified access key ID.
+//
+// Access keys consist of two parts: an access key ID (for example,
+// AKIAIOSFODNN7EXAMPLE ) and a secret access key (for example,
+// wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ). For more information about access
+// keys, see [Managing Access Keys for IAM Users]in the IAM User Guide.
+//
+// When you pass an access key ID to this operation, it returns the ID of the
+// Amazon Web Services account to which the keys belong. Access key IDs beginning
+// with AKIA are long-term credentials for an IAM user or the Amazon Web Services
+// account root user. Access key IDs beginning with ASIA are temporary credentials
+// that are created using STS operations. If the account in the response belongs to
+// you, you can sign in as the root user and review your root user access keys.
+// Then, you can pull a [credentials report]to learn which IAM user owns the keys. To learn who
+// requested the temporary credentials for an ASIA access key, view the STS events
+// in your [CloudTrail logs]in the IAM User Guide.
+//
+// This operation does not indicate the state of the access key. The key might be
+// active, inactive, or deleted. Active keys might not have permissions to perform
+// an operation. Providing a deleted access key might return an error that the key
+// doesn't exist.
+//
+// [credentials report]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
+// [CloudTrail logs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
+// [Managing Access Keys for IAM Users]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
 func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoInput, optFns ...func(*Options)) (*GetAccessKeyInfoOutput, error) {
 	if params == nil {
 		params = &GetAccessKeyInfoInput{}
@@ -44,9 +52,10 @@ func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoI
 
 type GetAccessKeyInfoInput struct {
 
-	// The identifier of an access key. This parameter allows (through its regex
-	// pattern) a string of characters that can consist of any upper- or lowercase
-	// letter or digit.
+	// The identifier of an access key.
+	//
+	// This parameter allows (through its regex pattern) a string of characters that
+	// can consist of any upper- or lowercase letter or digit.
 	//
 	// This member is required.
 	AccessKeyId *string
@@ -120,6 +129,12 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpGetAccessKeyInfoValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
index acb7ede44..abac49ad2 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetCallerIdentity.go
@@ -12,13 +12,15 @@ import (
 )
 
 // Returns details about the IAM user or role whose credentials are used to call
-// the operation. No permissions are required to perform this operation. If an
-// administrator attaches a policy to your identity that explicitly denies access
-// to the sts:GetCallerIdentity action, you can still perform this operation.
-// Permissions are not required because the same information is returned when
-// access is denied. To view an example response, see I Am Not Authorized to
-// Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
-// in the IAM User Guide.
+// the operation.
+//
+// No permissions are required to perform this operation. If an administrator
+// attaches a policy to your identity that explicitly denies access to the
+// sts:GetCallerIdentity action, you can still perform this operation. Permissions
+// are not required because the same information is returned when access is denied.
+// To view an example response, see [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]in the IAM User Guide.
+//
+// [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
 func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) {
 	if params == nil {
 		params = &GetCallerIdentityInput{}
@@ -38,8 +40,8 @@ type GetCallerIdentityInput struct {
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful GetCallerIdentity request, including
-// information about the entity making the request.
+// Contains the response to a successful GetCallerIdentity request, including information about the
+// entity making the request.
 type GetCallerIdentityOutput struct {
 
 	// The Amazon Web Services account ID number of the account that owns or contains
@@ -51,8 +53,10 @@ type GetCallerIdentityOutput struct {
 
 	// The unique identifier of the calling entity. The exact value depends on the
 	// type of entity that is making the call. The values returned are those listed in
-	// the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
-	// found on the Policy Variables reference page in the IAM User Guide.
+	// the aws:userid column in the [Principal table]found on the Policy Variables reference page in
+	// the IAM User Guide.
+	//
+	// [Principal table]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
 	UserId *string
 
 	// Metadata pertaining to the operation's result.
@@ -116,6 +120,12 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
index 3679618cb..2bae67429 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go
@@ -14,74 +14,100 @@ import (
 // Returns a set of temporary security credentials (consisting of an access key
 // ID, a secret access key, and a security token) for a user. A typical use is in a
 // proxy application that gets temporary security credentials on behalf of
-// distributed applications inside a corporate network. You must call the
-// GetFederationToken operation using the long-term security credentials of an IAM
-// user. As a result, this call is appropriate in contexts where those credentials
-// can be safeguarded, usually in a server-based application. For a comparison of
-// GetFederationToken with the other API operations that produce temporary
-// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. Although it is possible to call GetFederationToken using
-// the security credentials of an Amazon Web Services account root user rather than
-// an IAM user that you create for the purpose of a proxy application, we do not
-// recommend it. For more information, see Safeguard your root user credentials
-// and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
-// in the IAM User Guide. You can create a mobile-based or browser-based app that
-// can authenticate users using a web identity provider like Login with Amazon,
-// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
-// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
-// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
-// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// in the IAM User Guide. Session duration The temporary credentials are valid for
-// the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
-// seconds (36 hours). The default session duration is 43,200 seconds (12 hours).
-// Temporary credentials obtained by using the root user credentials have a maximum
-// duration of 3,600 seconds (1 hour). Permissions You can use the temporary
-// credentials created by GetFederationToken in any Amazon Web Services service
-// with the following exceptions:
+// distributed applications inside a corporate network.
+//
+// You must call the GetFederationToken operation using the long-term security
+// credentials of an IAM user. As a result, this call is appropriate in contexts
+// where those credentials can be safeguarded, usually in a server-based
+// application. For a comparison of GetFederationToken with the other API
+// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+//
+// Although it is possible to call GetFederationToken using the security
+// credentials of an Amazon Web Services account root user rather than an IAM user
+// that you create for the purpose of a proxy application, we do not recommend it.
+// For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in the IAM User Guide.
+//
+// You can create a mobile-based or browser-based app that can authenticate users
+// using a web identity provider like Login with Amazon, Facebook, Google, or an
+// OpenID Connect-compatible identity provider. In this case, we recommend that you
+// use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
+// Guide.
+//
+// # Session duration
+//
+// The temporary credentials are valid for the specified duration, from 900
+// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
+// session duration is 43,200 seconds (12 hours). Temporary credentials obtained by
+// using the root user credentials have a maximum duration of 3,600 seconds (1
+// hour).
+//
+// # Permissions
+//
+// You can use the temporary credentials created by GetFederationToken in any
+// Amazon Web Services service with the following exceptions:
+//
 //   - You cannot call any IAM operations using the CLI or the Amazon Web Services
 //     API. This limitation does not apply to console sessions.
+//
 //   - You cannot call any STS operations except GetCallerIdentity .
 //
-// You can use temporary credentials for single sign-on (SSO) to the console. You
-// must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// to this operation. You can pass a single JSON policy document to use as an
-// inline session policy. You can also specify up to 10 managed policy Amazon
-// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-// use for both inline and managed session policies can't exceed 2,048 characters.
+// You can use temporary credentials for single sign-on (SSO) to the console.
+//
+// You must pass an inline or managed [session policy] to this operation. You can pass a single
+// JSON policy document to use as an inline session policy. You can also specify up
+// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
+// policies. The plaintext that you use for both inline and managed session
+// policies can't exceed 2,048 characters.
+//
 // Though the session policy parameters are optional, if you do not pass a policy,
 // then the resulting federated user session has no permissions. When you pass
 // session policies, the session permissions are the intersection of the IAM user
 // policies and the session policies that you pass. This gives you a way to further
 // restrict the permissions for a federated user. You cannot use session policies
 // to grant more permissions than those that are defined in the permissions policy
-// of the IAM user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-// in the IAM User Guide. For information about using GetFederationToken to create
-// temporary security credentials, see GetFederationToken—Federation Through a
-// Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken)
-// . You can use the credentials to access a resource that has a resource-based
+// of the IAM user. For more information, see [Session Policies]in the IAM User Guide. For
+// information about using GetFederationToken to create temporary security
+// credentials, see [GetFederationToken—Federation Through a Custom Identity Broker].
+//
+// You can use the credentials to access a resource that has a resource-based
 // policy. If that policy specifically references the federated user session in the
 // Principal element of the policy, the session has the permissions allowed by the
 // policy. These permissions are granted in addition to the permissions granted by
-// the session policies. Tags (Optional) You can pass tag key-value pairs to your
-// session. These are called session tags. For more information about session tags,
-// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. You can create a mobile-based or browser-based app that
-// can authenticate users using a web identity provider like Login with Amazon,
-// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
-// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
-// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
-// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
-// in the IAM User Guide. An administrator must grant you the permissions necessary
-// to pass session tags. The administrator can also create granular permissions to
-// allow you to pass only specific session tags. For more information, see
-// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
-// in the IAM User Guide. Tag key–value pairs are not case sensitive, but case is
-// preserved. This means that you cannot have separate Department and department
-// tag keys. Assume that the user that you are federating has the Department =
-// Marketing tag and you pass the department = engineering session tag. Department
-// and department are not saved as separate tags, and the session tag passed in
-// the request takes precedence over the user tag.
+// the session policies.
+//
+// # Tags
+//
+// (Optional) You can pass tag key-value pairs to your session. These are called
+// session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
+// Guide.
+//
+// You can create a mobile-based or browser-based app that can authenticate users
+// using a web identity provider like Login with Amazon, Facebook, Google, or an
+// OpenID Connect-compatible identity provider. In this case, we recommend that you
+// use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
+// Guide.
+//
+// An administrator must grant you the permissions necessary to pass session tags.
+// The administrator can also create granular permissions to allow you to pass only
+// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
+//
+// Tag key–value pairs are not case sensitive, but case is preserved. This means
+// that you cannot have separate Department and department tag keys. Assume that
+// the user that you are federating has the Department = Marketing tag and you
+// pass the department = engineering session tag. Department and department are
+// not saved as separate tags, and the session tag passed in the request takes
+// precedence over the user tag.
+//
+// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Amazon Cognito]: http://aws.amazon.com/cognito/
+// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [GetFederationToken—Federation Through a Custom Identity Broker]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
 func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) {
 	if params == nil {
 		params = &GetFederationTokenInput{}
@@ -102,10 +128,11 @@ type GetFederationTokenInput struct {
 	// The name of the federated user. The name is used as an identifier for the
 	// temporary security credentials (such as Bob ). For example, you can reference
 	// the federated user name in a resource-based policy, such as in an Amazon S3
-	// bucket policy. The regex used to validate this parameter is a string of
-	// characters consisting of upper- and lower-case alphanumeric characters with no
-	// spaces. You can also include underscores or any of the following characters:
-	// =,.@-
+	// bucket policy.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@-
 	//
 	// This member is required.
 	Name *string
@@ -119,99 +146,127 @@ type GetFederationTokenInput struct {
 	DurationSeconds *int32
 
 	// An IAM policy in JSON format that you want to use as an inline session policy.
-	// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// to this operation. You can pass a single JSON policy document to use as an
-	// inline session policy. You can also specify up to 10 managed policy Amazon
-	// Resource Names (ARNs) to use as managed session policies. This parameter is
-	// optional. However, if you do not pass any session policies, then the resulting
-	// federated user session has no permissions. When you pass session policies, the
-	// session permissions are the intersection of the IAM user policies and the
-	// session policies that you pass. This gives you a way to further restrict the
-	// permissions for a federated user. You cannot use session policies to grant more
-	// permissions than those that are defined in the permissions policy of the IAM
-	// user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// in the IAM User Guide. The resulting credentials can be used to access a
-	// resource that has a resource-based policy. If that policy specifically
-	// references the federated user session in the Principal element of the policy,
-	// the session has the permissions allowed by the policy. These permissions are
-	// granted in addition to the permissions that are granted by the session policies.
+	//
+	// You must pass an inline or managed [session policy] to this operation. You can pass a single
+	// JSON policy document to use as an inline session policy. You can also specify up
+	// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
+	// policies.
+	//
+	// This parameter is optional. However, if you do not pass any session policies,
+	// then the resulting federated user session has no permissions.
+	//
+	// When you pass session policies, the session permissions are the intersection of
+	// the IAM user policies and the session policies that you pass. This gives you a
+	// way to further restrict the permissions for a federated user. You cannot use
+	// session policies to grant more permissions than those that are defined in the
+	// permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
+	// Guide.
+	//
+	// The resulting credentials can be used to access a resource that has a
+	// resource-based policy. If that policy specifically references the federated user
+	// session in the Principal element of the policy, the session has the permissions
+	// allowed by the policy. These permissions are granted in addition to the
+	// permissions that are granted by the session policies.
+	//
 	// The plaintext that you use for both inline and managed session policies can't
 	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
 	// from the space character to the end of the valid character list (\u0020 through
 	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
-	// return (\u000D) characters. An Amazon Web Services conversion compresses the
-	// passed inline session policy, managed policy ARNs, and session tags into a
-	// packed binary format that has a separate limit. Your request can fail for this
-	// limit even if your plaintext meets the other requirements. The PackedPolicySize
-	// response element indicates by percentage how close the policies and tags for
-	// your request are to the upper size limit.
-	Policy *string
-
-	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
-	// use as a managed session policy. The policies must exist in the same account as
-	// the IAM user that is requesting federated access. You must pass an inline or
-	// managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// to this operation. You can pass a single JSON policy document to use as an
-	// inline session policy. You can also specify up to 10 managed policy Amazon
-	// Resource Names (ARNs) to use as managed session policies. The plaintext that you
-	// use for both inline and managed session policies can't exceed 2,048 characters.
-	// You can provide up to 10 managed policy ARNs. For more information about ARNs,
-	// see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// in the Amazon Web Services General Reference. This parameter is optional.
-	// However, if you do not pass any session policies, then the resulting federated
-	// user session has no permissions. When you pass session policies, the session
-	// permissions are the intersection of the IAM user policies and the session
-	// policies that you pass. This gives you a way to further restrict the permissions
-	// for a federated user. You cannot use session policies to grant more permissions
-	// than those that are defined in the permissions policy of the IAM user. For more
-	// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
-	// in the IAM User Guide. The resulting credentials can be used to access a
-	// resource that has a resource-based policy. If that policy specifically
-	// references the federated user session in the Principal element of the policy,
-	// the session has the permissions allowed by the policy. These permissions are
-	// granted in addition to the permissions that are granted by the session policies.
+	// return (\u000D) characters.
+	//
 	// An Amazon Web Services conversion compresses the passed inline session policy,
 	// managed policy ARNs, and session tags into a packed binary format that has a
 	// separate limit. Your request can fail for this limit even if your plaintext
 	// meets the other requirements. The PackedPolicySize response element indicates
 	// by percentage how close the policies and tags for your request are to the upper
 	// size limit.
+	//
+	// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	Policy *string
+
+	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
+	// use as a managed session policy. The policies must exist in the same account as
+	// the IAM user that is requesting federated access.
+	//
+	// You must pass an inline or managed [session policy] to this operation. You can pass a single
+	// JSON policy document to use as an inline session policy. You can also specify up
+	// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
+	// policies. The plaintext that you use for both inline and managed session
+	// policies can't exceed 2,048 characters. You can provide up to 10 managed policy
+	// ARNs. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web Services General
+	// Reference.
+	//
+	// This parameter is optional. However, if you do not pass any session policies,
+	// then the resulting federated user session has no permissions.
+	//
+	// When you pass session policies, the session permissions are the intersection of
+	// the IAM user policies and the session policies that you pass. This gives you a
+	// way to further restrict the permissions for a federated user. You cannot use
+	// session policies to grant more permissions than those that are defined in the
+	// permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
+	// Guide.
+	//
+	// The resulting credentials can be used to access a resource that has a
+	// resource-based policy. If that policy specifically references the federated user
+	// session in the Principal element of the policy, the session has the permissions
+	// allowed by the policy. These permissions are granted in addition to the
+	// permissions that are granted by the session policies.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	PolicyArns []types.PolicyDescriptorType
 
 	// A list of session tags. Each session tag consists of a key name and an
-	// associated value. For more information about session tags, see Passing Session
-	// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-	// in the IAM User Guide. This parameter is optional. You can pass up to 50 session
-	// tags. The plaintext session tag keys can’t exceed 128 characters and the values
-	// can’t exceed 256 characters. For these and additional limits, see IAM and STS
-	// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-	// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
-	// inline session policy, managed policy ARNs, and session tags into a packed
-	// binary format that has a separate limit. Your request can fail for this limit
-	// even if your plaintext meets the other requirements. The PackedPolicySize
-	// response element indicates by percentage how close the policies and tags for
-	// your request are to the upper size limit. You can pass a session tag with the
-	// same key as a tag that is already attached to the user you are federating. When
-	// you do, session tags override a user tag with the same key. Tag key–value pairs
-	// are not case sensitive, but case is preserved. This means that you cannot have
-	// separate Department and department tag keys. Assume that the role has the
-	// Department = Marketing tag and you pass the department = engineering session
-	// tag. Department and department are not saved as separate tags, and the session
-	// tag passed in the request takes precedence over the role tag.
+	// associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
+	// Guide.
+	//
+	// This parameter is optional. You can pass up to 50 session tags. The plaintext
+	// session tag keys can’t exceed 128 characters and the values can’t exceed 256
+	// characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
+	//
+	// An Amazon Web Services conversion compresses the passed inline session policy,
+	// managed policy ARNs, and session tags into a packed binary format that has a
+	// separate limit. Your request can fail for this limit even if your plaintext
+	// meets the other requirements. The PackedPolicySize response element indicates
+	// by percentage how close the policies and tags for your request are to the upper
+	// size limit.
+	//
+	// You can pass a session tag with the same key as a tag that is already attached
+	// to the user you are federating. When you do, session tags override a user tag
+	// with the same key.
+	//
+	// Tag key–value pairs are not case sensitive, but case is preserved. This means
+	// that you cannot have separate Department and department tag keys. Assume that
+	// the role has the Department = Marketing tag and you pass the department =
+	// engineering session tag. Department and department are not saved as separate
+	// tags, and the session tag passed in the request takes precedence over the role
+	// tag.
+	//
+	// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+	// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
 	Tags []types.Tag
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful GetFederationToken request, including
-// temporary Amazon Web Services credentials that can be used to make Amazon Web
-// Services requests.
+// Contains the response to a successful GetFederationToken request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
 type GetFederationTokenOutput struct {
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security (or session) token. The size of the security token
-	// that STS API operations return is not fixed. We strongly recommend that you make
-	// no assumptions about the maximum size.
+	// access key, and a security (or session) token.
+	//
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// Identifiers for the federated user associated with the credentials (such as
@@ -287,6 +342,12 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = addOpGetFederationTokenValidationMiddleware(stack); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
index 751fb147d..c73316a3c 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetSessionToken.go
@@ -15,43 +15,58 @@ import (
 // IAM user. The credentials consist of an access key ID, a secret access key, and
 // a security token. Typically, you use GetSessionToken if you want to use MFA to
 // protect programmatic calls to specific Amazon Web Services API operations like
-// Amazon EC2 StopInstances . MFA-enabled IAM users must call GetSessionToken and
-// submit an MFA code that is associated with their MFA device. Using the temporary
-// security credentials that the call returns, IAM users can then make programmatic
-// calls to API operations that require MFA authentication. An incorrect MFA code
-// causes the API to return an access denied error. For a comparison of
-// GetSessionToken with the other API operations that produce temporary
-// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
-// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
-// in the IAM User Guide. No permissions are required for users to perform this
-// operation. The purpose of the sts:GetSessionToken operation is to authenticate
-// the user using MFA. You cannot use policies to control authentication
-// operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
-// in the IAM User Guide. Session Duration The GetSessionToken operation must be
-// called by using the long-term Amazon Web Services security credentials of an IAM
-// user. Credentials that are created by IAM users are valid for the duration that
-// you specify. This duration can range from 900 seconds (15 minutes) up to a
-// maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12
-// hours). Credentials based on account credentials can range from 900 seconds (15
-// minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. Permissions The
-// temporary security credentials created by GetSessionToken can be used to make
-// API calls to any Amazon Web Services service with the following exceptions:
+// Amazon EC2 StopInstances .
+//
+// MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is
+// associated with their MFA device. Using the temporary security credentials that
+// the call returns, IAM users can then make programmatic calls to API operations
+// that require MFA authentication. An incorrect MFA code causes the API to return
+// an access denied error. For a comparison of GetSessionToken with the other API
+// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
+//
+// No permissions are required for users to perform this operation. The purpose of
+// the sts:GetSessionToken operation is to authenticate the user using MFA. You
+// cannot use policies to control authentication operations. For more information,
+// see [Permissions for GetSessionToken]in the IAM User Guide.
+//
+// # Session Duration
+//
+// The GetSessionToken operation must be called by using the long-term Amazon Web
+// Services security credentials of an IAM user. Credentials that are created by
+// IAM users are valid for the duration that you specify. This duration can range
+// from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours),
+// with a default of 43,200 seconds (12 hours). Credentials based on account
+// credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1
+// hour), with a default of 1 hour.
+//
+// # Permissions
+//
+// The temporary security credentials created by GetSessionToken can be used to
+// make API calls to any Amazon Web Services service with the following exceptions:
+//
 //   - You cannot call any IAM API operations unless MFA authentication
 //     information is included in the request.
+//
 //   - You cannot call any STS API except AssumeRole or GetCallerIdentity .
 //
 // The credentials that GetSessionToken returns are based on permissions
 // associated with the IAM user whose credentials were used to call the operation.
-// The temporary credentials have the same permissions as the IAM user. Although it
-// is possible to call GetSessionToken using the security credentials of an Amazon
-// Web Services account root user rather than an IAM user, we do not recommend it.
-// If GetSessionToken is called using root user credentials, the temporary
-// credentials have root user permissions. For more information, see Safeguard
-// your root user credentials and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
-// in the IAM User Guide For more information about using GetSessionToken to
-// create temporary credentials, see Temporary Credentials for Users in Untrusted
-// Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
-// in the IAM User Guide.
+// The temporary credentials have the same permissions as the IAM user.
+//
+// Although it is possible to call GetSessionToken using the security credentials
+// of an Amazon Web Services account root user rather than an IAM user, we do not
+// recommend it. If GetSessionToken is called using root user credentials, the
+// temporary credentials have root user permissions. For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in
+// the IAM User Guide
+//
+// For more information about using GetSessionToken to create temporary
+// credentials, see [Temporary Credentials for Users in Untrusted Environments]in the IAM User Guide.
+//
+// [Permissions for GetSessionToken]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
+// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+// [Temporary Credentials for Users in Untrusted Environments]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
+// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
+// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
 func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
 	if params == nil {
 		params = &GetSessionTokenInput{}
@@ -83,10 +98,11 @@ type GetSessionTokenInput struct {
 	// number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name
 	// (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You
 	// can find the device for an IAM user by going to the Amazon Web Services
-	// Management Console and viewing the user's security credentials. The regex used
-	// to validate this parameter is a string of characters consisting of upper- and
-	// lower-case alphanumeric characters with no spaces. You can also include
-	// underscores or any of the following characters: =,.@:/-
+	// Management Console and viewing the user's security credentials.
+	//
+	// The regex used to validate this parameter is a string of characters consisting
+	// of upper- and lower-case alphanumeric characters with no spaces. You can also
+	// include underscores or any of the following characters: =,.@:/-
 	SerialNumber *string
 
 	// The value provided by the MFA device, if MFA is required. If any policy
@@ -94,22 +110,24 @@ type GetSessionTokenInput struct {
 	// authentication is required, the user must provide a code when requesting a set
 	// of temporary security credentials. A user who fails to provide the code receives
 	// an "access denied" response when requesting resources that require MFA
-	// authentication. The format for this parameter, as described by its regex
-	// pattern, is a sequence of six numeric digits.
+	// authentication.
+	//
+	// The format for this parameter, as described by its regex pattern, is a sequence
+	// of six numeric digits.
 	TokenCode *string
 
 	noSmithyDocumentSerde
 }
 
-// Contains the response to a successful GetSessionToken request, including
-// temporary Amazon Web Services credentials that can be used to make Amazon Web
-// Services requests.
+// Contains the response to a successful GetSessionToken request, including temporary Amazon Web
+// Services credentials that can be used to make Amazon Web Services requests.
 type GetSessionTokenOutput struct {
 
 	// The temporary security credentials, which include an access key ID, a secret
-	// access key, and a security (or session) token. The size of the security token
-	// that STS API operations return is not fixed. We strongly recommend that you make
-	// no assumptions about the maximum size.
+	// access key, and a security (or session) token.
+	//
+	// The size of the security token that STS API operations return is not fixed. We
+	// strongly recommend that you make no assumptions about the maximum size.
 	Credentials *types.Credentials
 
 	// Metadata pertaining to the operation's result.
@@ -173,6 +191,12 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
 	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
 		return err
 	}
+	if err = addTimeOffsetBuild(stack, c); err != nil {
+		return err
+	}
+	if err = addUserAgentRetryMode(stack, options); err != nil {
+		return err
+	}
 	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil {
 		return err
 	}
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go
index 9db5bfd43..e842a7f7e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/auth.go
@@ -12,7 +12,7 @@ import (
 	smithyhttp "github.com/aws/smithy-go/transport/http"
 )
 
-func bindAuthParamsRegion(params *AuthResolverParameters, _ interface{}, options Options) {
+func bindAuthParamsRegion(_ interface{}, params *AuthResolverParameters, _ interface{}, options Options) {
 	params.Region = options.Region
 }
 
@@ -90,12 +90,12 @@ type AuthResolverParameters struct {
 	Region string
 }
 
-func bindAuthResolverParams(operation string, input interface{}, options Options) *AuthResolverParameters {
+func bindAuthResolverParams(ctx context.Context, operation string, input interface{}, options Options) *AuthResolverParameters {
 	params := &AuthResolverParameters{
 		Operation: operation,
 	}
 
-	bindAuthParamsRegion(params, input, options)
+	bindAuthParamsRegion(ctx, params, input, options)
 
 	return params
 }
@@ -157,7 +157,7 @@ func (*resolveAuthSchemeMiddleware) ID() string {
 func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
-	params := bindAuthResolverParams(m.operation, getOperationInput(ctx), m.options)
+	params := bindAuthResolverParams(ctx, m.operation, getOperationInput(ctx), m.options)
 	options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params)
 	if err != nil {
 		return out, metadata, fmt.Errorf("resolve auth scheme: %w", err)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go
index 5d634ce35..7e4346ec9 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/deserializers.go
@@ -20,8 +20,17 @@ import (
 	"io"
 	"strconv"
 	"strings"
+	"time"
 )
 
+func deserializeS3Expires(v string) (*time.Time, error) {
+	t, err := smithytime.ParseHTTPDate(v)
+	if err != nil {
+		return nil, nil
+	}
+	return &t, nil
+}
+
 type awsAwsquery_deserializeOpAssumeRole struct {
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go
index d963fd8d1..cbb19c7f6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/doc.go
@@ -3,9 +3,11 @@
 // Package sts provides the API client, operations, and parameter types for AWS
 // Security Token Service.
 //
-// Security Token Service Security Token Service (STS) enables you to request
-// temporary, limited-privilege credentials for users. This guide provides
-// descriptions of the STS API. For more information about using this service, see
-// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
-// .
+// # Security Token Service
+//
+// Security Token Service (STS) enables you to request temporary,
+// limited-privilege credentials for users. This guide provides descriptions of the
+// STS API. For more information about using this service, see [Temporary Security Credentials].
+//
+// [Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
 package sts
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go
index 32e2d5435..c99982cb5 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/endpoints.go
@@ -1045,7 +1045,7 @@ type endpointParamsBinder interface {
 	bindEndpointParams(*EndpointParameters)
 }
 
-func bindEndpointParams(input interface{}, options Options) *EndpointParameters {
+func bindEndpointParams(ctx context.Context, input interface{}, options Options) *EndpointParameters {
 	params := &EndpointParameters{}
 
 	params.Region = bindRegion(options.Region)
@@ -1075,6 +1075,10 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
 		return next.HandleFinalize(ctx, in)
 	}
 
+	if err := checkAccountID(getIdentity(ctx), m.options.AccountIDEndpointMode); err != nil {
+		return out, metadata, fmt.Errorf("invalid accountID set: %w", err)
+	}
+
 	req, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, fmt.Errorf("unknown transport type %T", in.Request)
@@ -1084,7 +1088,7 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
 		return out, metadata, fmt.Errorf("expected endpoint resolver to not be nil")
 	}
 
-	params := bindEndpointParams(getOperationInput(ctx), m.options)
+	params := bindEndpointParams(ctx, getOperationInput(ctx), m.options)
 	endpt, err := m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
 	if err != nil {
 		return out, metadata, fmt.Errorf("failed to resolve service endpoint, %w", err)
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json
index 54fac4bd5..6b6e839e6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/generated.json
@@ -5,8 +5,7 @@
         "github.com/aws/aws-sdk-go-v2/internal/endpoints/v2": "v2.0.0-00010101000000-000000000000",
         "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding": "v1.0.5",
         "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url": "v1.0.7",
-        "github.com/aws/smithy-go": "v1.4.0",
-        "github.com/google/go-cmp": "v0.5.4"
+        "github.com/aws/smithy-go": "v1.4.0"
     },
     "files": [
         "api_client.go",
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
index 06957274a..37685a5e6 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go
@@ -3,4 +3,4 @@
 package sts
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.28.1"
+const goModuleVersion = "1.29.1"
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go
index 5c1be79f8..a9a35881a 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/options.go
@@ -24,6 +24,9 @@ type Options struct {
 	// modify this list for per operation behavior.
 	APIOptions []func(*middleware.Stack) error
 
+	// Indicates how aws account ID is applied in endpoint2.0 routing
+	AccountIDEndpointMode aws.AccountIDEndpointMode
+
 	// The optional application specific identifier appended to the User-Agent header.
 	AppID string
 
@@ -50,8 +53,10 @@ type Options struct {
 	// Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a
 	// value for this field will likely prevent you from using any endpoint-related
 	// service features released after the introduction of EndpointResolverV2 and
-	// BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom
-	// endpoint, set the client option BaseEndpoint instead.
+	// BaseEndpoint.
+	//
+	// To migrate an EndpointResolver implementation that uses a custom endpoint, set
+	// the client option BaseEndpoint instead.
 	EndpointResolver EndpointResolver
 
 	// Resolves the endpoint used for a particular service operation. This should be
@@ -70,17 +75,20 @@ type Options struct {
 	// RetryMaxAttempts specifies the maximum number attempts an API client will call
 	// an operation that fails with a retryable error. A value of 0 is ignored, and
 	// will not be used to configure the API client created default retryer, or modify
-	// per operation call's retry max attempts. If specified in an operation call's
-	// functional options with a value that is different than the constructed client's
-	// Options, the Client's Retryer will be wrapped to use the operation's specific
-	// RetryMaxAttempts value.
+	// per operation call's retry max attempts.
+	//
+	// If specified in an operation call's functional options with a value that is
+	// different than the constructed client's Options, the Client's Retryer will be
+	// wrapped to use the operation's specific RetryMaxAttempts value.
 	RetryMaxAttempts int
 
 	// RetryMode specifies the retry mode the API client will be created with, if
-	// Retryer option is not also specified. When creating a new API Clients this
-	// member will only be used if the Retryer Options member is nil. This value will
-	// be ignored if Retryer is not nil. Currently does not support per operation call
-	// overrides, may in the future.
+	// Retryer option is not also specified.
+	//
+	// When creating a new API Clients this member will only be used if the Retryer
+	// Options member is nil. This value will be ignored if Retryer is not nil.
+	//
+	// Currently does not support per operation call overrides, may in the future.
 	RetryMode aws.RetryMode
 
 	// Retryer guides how HTTP requests should be retried in case of recoverable
@@ -97,8 +105,9 @@ type Options struct {
 
 	// The initial DefaultsMode used when the client options were constructed. If the
 	// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
-	// value was at that point in time. Currently does not support per operation call
-	// overrides, may in the future.
+	// value was at that point in time.
+	//
+	// Currently does not support per operation call overrides, may in the future.
 	resolvedDefaultsMode aws.DefaultsMode
 
 	// The HTTP client to invoke API calls with. Defaults to client's default HTTP
@@ -143,6 +152,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) {
 // Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for
 // this field will likely prevent you from using any endpoint-related service
 // features released after the introduction of EndpointResolverV2 and BaseEndpoint.
+//
 // To migrate an EndpointResolver implementation that uses a custom endpoint, set
 // the client option BaseEndpoint instead.
 func WithEndpointResolver(v EndpointResolver) func(*Options) {
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go
index 097875b27..9573a4b64 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/errors.go
@@ -65,9 +65,10 @@ func (e *IDPCommunicationErrorException) ErrorCode() string {
 func (e *IDPCommunicationErrorException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
 
 // The identity provider (IdP) reported that authentication failed. This might be
-// because the claim is invalid. If this error is returned for the
-// AssumeRoleWithWebIdentity operation, it can also mean that the claim has expired
-// or has been explicitly revoked.
+// because the claim is invalid.
+//
+// If this error is returned for the AssumeRoleWithWebIdentity operation, it can
+// also mean that the claim has expired or has been explicitly revoked.
 type IDPRejectedClaimException struct {
 	Message *string
 
@@ -183,11 +184,13 @@ func (e *MalformedPolicyDocumentException) ErrorFault() smithy.ErrorFault { retu
 // compresses the session policy document, session policy ARNs, and session tags
 // into a packed binary format that has a separate limit. The error message
 // indicates by percentage how close the policies and tags are to the upper size
-// limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide. You could receive this error even though you meet other
-// defined session policy and session tag limits. For more information, see IAM
-// and STS Entity Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
-// in the IAM User Guide.
+// limit. For more information, see [Passing Session Tags in STS]in the IAM User Guide.
+//
+// You could receive this error even though you meet other defined session policy
+// and session tag limits. For more information, see [IAM and STS Entity Character Limits]in the IAM User Guide.
+//
+// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+// [IAM and STS Entity Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
 type PackedPolicyTooLargeException struct {
 	Message *string
 
@@ -215,9 +218,10 @@ func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return
 
 // STS is not activated in the requested region for the account that is being
 // asked to generate credentials. The account administrator must use the IAM
-// console to activate STS in that region. For more information, see Activating
-// and Deactivating Amazon Web Services STS in an Amazon Web Services Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
-// in the IAM User Guide.
+// console to activate STS in that region. For more information, see [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]in the IAM
+// User Guide.
+//
+// [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
 type RegionDisabledException struct {
 	Message *string
 
diff --git a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go
index e3701d11d..dff7a3c2e 100644
--- a/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go
+++ b/vendor/github.com/aws/aws-sdk-go-v2/service/sts/types/types.go
@@ -11,10 +11,11 @@ import (
 // returns.
 type AssumedRoleUser struct {
 
-	// The ARN of the temporary security credentials that are returned from the
-	// AssumeRole action. For more information about ARNs and how to use them in
-	// policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
-	// in the IAM User Guide.
+	// The ARN of the temporary security credentials that are returned from the AssumeRole
+	// action. For more information about ARNs and how to use them in policies, see [IAM Identifiers]in
+	// the IAM User Guide.
+	//
+	// [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
 	//
 	// This member is required.
 	Arn *string
@@ -61,8 +62,9 @@ type FederatedUser struct {
 
 	// The ARN that specifies the federated user that is associated with the
 	// credentials. For more information about ARNs and how to use them in policies,
-	// see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
-	// in the IAM User Guide.
+	// see [IAM Identifiers]in the IAM User Guide.
+	//
+	// [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
 	//
 	// This member is required.
 	Arn *string
@@ -81,9 +83,10 @@ type FederatedUser struct {
 type PolicyDescriptorType struct {
 
 	// The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
-	// policy for the role. For more information about ARNs, see Amazon Resource Names
-	// (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
-	// in the Amazon Web Services General Reference.
+	// policy for the role. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web
+	// Services General Reference.
+	//
+	// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 	Arn *string
 
 	noSmithyDocumentSerde
@@ -107,23 +110,30 @@ type ProvidedContext struct {
 
 // You can pass custom key-value pair attributes when you assume a role or
 // federate a user. These are called session tags. You can then use the session
-// tags to control access to resources. For more information, see Tagging Amazon
-// Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
-// in the IAM User Guide.
+// tags to control access to resources. For more information, see [Tagging Amazon Web Services STS Sessions]in the IAM User
+// Guide.
+//
+// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
 type Tag struct {
 
-	// The key for a session tag. You can pass up to 50 session tags. The plain text
-	// session tag keys can’t exceed 128 characters. For these and additional limits,
-	// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-	// in the IAM User Guide.
+	// The key for a session tag.
+	//
+	// You can pass up to 50 session tags. The plain text session tag keys can’t
+	// exceed 128 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
+	// Guide.
+	//
+	// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
 	//
 	// This member is required.
 	Key *string
 
-	// The value for a session tag. You can pass up to 50 session tags. The plain text
-	// session tag values can’t exceed 256 characters. For these and additional limits,
-	// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
-	// in the IAM User Guide.
+	// The value for a session tag.
+	//
+	// You can pass up to 50 session tags. The plain text session tag values can’t
+	// exceed 256 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
+	// Guide.
+	//
+	// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
 	//
 	// This member is required.
 	Value *string
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
index fa5625df4..5eb8c0779 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
@@ -1079,6 +1079,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "ca-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -1091,6 +1094,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "sa-east-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
@@ -4583,91 +4589,6 @@ var awsPartition = partition{
 				}: endpoint{},
 			},
 		},
-		"backupstorage": service{
-			Endpoints: serviceEndpoints{
-				endpointKey{
-					Region: "af-south-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-east-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-northeast-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-northeast-2",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-northeast-3",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-south-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-south-2",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-southeast-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-southeast-2",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-southeast-3",
-				}: endpoint{},
-				endpointKey{
-					Region: "ap-southeast-4",
-				}: endpoint{},
-				endpointKey{
-					Region: "ca-central-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "eu-central-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "eu-central-2",
-				}: endpoint{},
-				endpointKey{
-					Region: "eu-north-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "eu-south-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "eu-south-2",
-				}: endpoint{},
-				endpointKey{
-					Region: "eu-west-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "eu-west-2",
-				}: endpoint{},
-				endpointKey{
-					Region: "eu-west-3",
-				}: endpoint{},
-				endpointKey{
-					Region: "me-central-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "me-south-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "sa-east-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "us-east-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "us-east-2",
-				}: endpoint{},
-				endpointKey{
-					Region: "us-west-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "us-west-2",
-				}: endpoint{},
-			},
-		},
 		"batch": service{
 			Defaults: endpointDefaults{
 				defaultKey{}: endpoint{},
@@ -4873,6 +4794,14 @@ var awsPartition = partition{
 						Region: "ap-southeast-2",
 					},
 				},
+				endpointKey{
+					Region: "bedrock-ca-central-1",
+				}: endpoint{
+					Hostname: "bedrock.ca-central-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-central-1",
+					},
+				},
 				endpointKey{
 					Region: "bedrock-eu-central-1",
 				}: endpoint{
@@ -4889,6 +4818,14 @@ var awsPartition = partition{
 						Region: "eu-west-1",
 					},
 				},
+				endpointKey{
+					Region: "bedrock-eu-west-2",
+				}: endpoint{
+					Hostname: "bedrock.eu-west-2.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "eu-west-2",
+					},
+				},
 				endpointKey{
 					Region: "bedrock-eu-west-3",
 				}: endpoint{
@@ -4897,6 +4834,14 @@ var awsPartition = partition{
 						Region: "eu-west-3",
 					},
 				},
+				endpointKey{
+					Region: "bedrock-fips-ca-central-1",
+				}: endpoint{
+					Hostname: "bedrock-fips.ca-central-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-central-1",
+					},
+				},
 				endpointKey{
 					Region: "bedrock-fips-us-east-1",
 				}: endpoint{
@@ -4945,6 +4890,14 @@ var awsPartition = partition{
 						Region: "ap-southeast-2",
 					},
 				},
+				endpointKey{
+					Region: "bedrock-runtime-ca-central-1",
+				}: endpoint{
+					Hostname: "bedrock-runtime.ca-central-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-central-1",
+					},
+				},
 				endpointKey{
 					Region: "bedrock-runtime-eu-central-1",
 				}: endpoint{
@@ -4961,6 +4914,14 @@ var awsPartition = partition{
 						Region: "eu-west-1",
 					},
 				},
+				endpointKey{
+					Region: "bedrock-runtime-eu-west-2",
+				}: endpoint{
+					Hostname: "bedrock-runtime.eu-west-2.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "eu-west-2",
+					},
+				},
 				endpointKey{
 					Region: "bedrock-runtime-eu-west-3",
 				}: endpoint{
@@ -4969,6 +4930,14 @@ var awsPartition = partition{
 						Region: "eu-west-3",
 					},
 				},
+				endpointKey{
+					Region: "bedrock-runtime-fips-ca-central-1",
+				}: endpoint{
+					Hostname: "bedrock-runtime-fips.ca-central-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-central-1",
+					},
+				},
 				endpointKey{
 					Region: "bedrock-runtime-fips-us-east-1",
 				}: endpoint{
@@ -4985,6 +4954,14 @@ var awsPartition = partition{
 						Region: "us-west-2",
 					},
 				},
+				endpointKey{
+					Region: "bedrock-runtime-sa-east-1",
+				}: endpoint{
+					Hostname: "bedrock-runtime.sa-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "sa-east-1",
+					},
+				},
 				endpointKey{
 					Region: "bedrock-runtime-us-east-1",
 				}: endpoint{
@@ -5001,6 +4978,14 @@ var awsPartition = partition{
 						Region: "us-west-2",
 					},
 				},
+				endpointKey{
+					Region: "bedrock-sa-east-1",
+				}: endpoint{
+					Hostname: "bedrock.sa-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "sa-east-1",
+					},
+				},
 				endpointKey{
 					Region: "bedrock-us-east-1",
 				}: endpoint{
@@ -5017,15 +5002,24 @@ var awsPartition = partition{
 						Region: "us-west-2",
 					},
 				},
+				endpointKey{
+					Region: "ca-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "sa-east-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
@@ -5083,6 +5077,12 @@ var awsPartition = partition{
 		},
 		"cases": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "ap-northeast-1",
+				}: endpoint{},
+				endpointKey{
+					Region: "ap-northeast-2",
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
@@ -5297,69 +5297,157 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "af-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "af-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-northeast-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-northeast-3",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ap-southeast-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ap-southeast-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-north-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-north-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region:  "eu-west-3",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "il-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "il-central-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "me-south-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "me-south-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "sa-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "sa-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-east-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-east-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-1",
+					Variant: dualStackVariant,
+				}: endpoint{},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region:  "us-west-2",
+					Variant: dualStackVariant,
+				}: endpoint{},
 			},
 		},
 		"cloudcontrolapi": service{
@@ -9264,9 +9352,21 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "directconnect-fips.ca-central-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "ca-west-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-west-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "directconnect-fips.ca-west-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -9291,6 +9391,24 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-3",
 				}: endpoint{},
+				endpointKey{
+					Region: "fips-ca-central-1",
+				}: endpoint{
+					Hostname: "directconnect-fips.ca-central-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-central-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-ca-west-1",
+				}: endpoint{
+					Hostname: "directconnect-fips.ca-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-west-1",
+					},
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "fips-us-east-1",
 				}: endpoint{
@@ -15561,6 +15679,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "ca-west-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -17465,12 +17586,27 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region:  "ca-central-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "kendra-fips.ca-central-1.amazonaws.com",
+				},
 				endpointKey{
 					Region: "eu-west-1",
 				}: endpoint{},
 				endpointKey{
 					Region: "eu-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "fips-ca-central-1",
+				}: endpoint{
+					Hostname: "kendra-fips.ca-central-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-central-1",
+					},
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "fips-us-east-1",
 				}: endpoint{
@@ -21684,6 +21820,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "ca-central-1",
 				}: endpoint{},
+				endpointKey{
+					Region: "ca-west-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -25241,6 +25380,9 @@ var awsPartition = partition{
 					},
 					Deprecated: boxedTrue,
 				},
+				endpointKey{
+					Region: "me-central-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "sa-east-1",
 				}: endpoint{},
@@ -31870,6 +32012,24 @@ var awsPartition = partition{
 					},
 					Deprecated: boxedTrue,
 				},
+				endpointKey{
+					Region: "ca-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region:  "ca-west-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "storagegateway-fips.ca-west-1.amazonaws.com",
+				},
+				endpointKey{
+					Region: "ca-west-1-fips",
+				}: endpoint{
+					Hostname: "storagegateway-fips.ca-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "ca-west-1",
+					},
+					Deprecated: boxedTrue,
+				},
 				endpointKey{
 					Region: "eu-central-1",
 				}: endpoint{},
@@ -33793,6 +33953,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "eu-west-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "eu-west-3",
+				}: endpoint{},
 				endpointKey{
 					Region: "sa-east-1",
 				}: endpoint{},
@@ -33802,6 +33965,9 @@ var awsPartition = partition{
 				endpointKey{
 					Region: "us-east-2",
 				}: endpoint{},
+				endpointKey{
+					Region: "us-west-1",
+				}: endpoint{},
 				endpointKey{
 					Region: "us-west-2",
 				}: endpoint{},
@@ -36138,16 +36304,6 @@ var awscnPartition = partition{
 				}: endpoint{},
 			},
 		},
-		"backupstorage": service{
-			Endpoints: serviceEndpoints{
-				endpointKey{
-					Region: "cn-north-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "cn-northwest-1",
-				}: endpoint{},
-			},
-		},
 		"batch": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -38917,16 +39073,6 @@ var awsusgovPartition = partition{
 				}: endpoint{},
 			},
 		},
-		"backupstorage": service{
-			Endpoints: serviceEndpoints{
-				endpointKey{
-					Region: "us-gov-east-1",
-				}: endpoint{},
-				endpointKey{
-					Region: "us-gov-west-1",
-				}: endpoint{},
-			},
-		},
 		"batch": service{
 			Defaults: endpointDefaults{
 				defaultKey{}: endpoint{},
@@ -38977,6 +39123,22 @@ var awsusgovPartition = partition{
 		},
 		"bedrock": service{
 			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "bedrock-fips-us-gov-west-1",
+				}: endpoint{
+					Hostname: "bedrock-fips.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+				},
+				endpointKey{
+					Region: "bedrock-runtime-fips-us-gov-west-1",
+				}: endpoint{
+					Hostname: "bedrock-runtime-fips.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+				},
 				endpointKey{
 					Region: "bedrock-runtime-us-gov-west-1",
 				}: endpoint{
@@ -41821,6 +41983,62 @@ var awsusgovPartition = partition{
 				}: endpoint{},
 			},
 		},
+		"kinesisvideo": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "fips-us-gov-east-1",
+				}: endpoint{
+					Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-east-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "fips-us-gov-west-1",
+				}: endpoint{
+					Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "us-gov-east-1",
+				}: endpoint{
+					Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-east-1",
+					},
+				},
+				endpointKey{
+					Region:  "us-gov-east-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-east-1",
+					},
+				},
+				endpointKey{
+					Region: "us-gov-west-1",
+				}: endpoint{
+					Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+				},
+				endpointKey{
+					Region:  "us-gov-west-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+				},
+			},
+		},
 		"kms": service{
 			Endpoints: serviceEndpoints{
 				endpointKey{
@@ -43562,6 +43780,46 @@ var awsusgovPartition = partition{
 				},
 			},
 		},
+		"securitylake": service{
+			Endpoints: serviceEndpoints{
+				endpointKey{
+					Region: "us-gov-east-1",
+				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-east-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "securitylake.us-gov-east-1.amazonaws.com",
+				},
+				endpointKey{
+					Region: "us-gov-east-1-fips",
+				}: endpoint{
+					Hostname: "securitylake.us-gov-east-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-east-1",
+					},
+					Deprecated: boxedTrue,
+				},
+				endpointKey{
+					Region: "us-gov-west-1",
+				}: endpoint{},
+				endpointKey{
+					Region:  "us-gov-west-1",
+					Variant: fipsVariant,
+				}: endpoint{
+					Hostname: "securitylake.us-gov-west-1.amazonaws.com",
+				},
+				endpointKey{
+					Region: "us-gov-west-1-fips",
+				}: endpoint{
+					Hostname: "securitylake.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+					Deprecated: boxedTrue,
+				},
+			},
+		},
 		"serverlessrepo": service{
 			Defaults: endpointDefaults{
 				defaultKey{}: endpoint{
@@ -45743,42 +46001,12 @@ var awsisoPartition = partition{
 		},
 		"ram": service{
 			Endpoints: serviceEndpoints{
-				endpointKey{
-					Region: "fips-us-iso-east-1",
-				}: endpoint{
-					Hostname: "ram-fips.us-iso-east-1.c2s.ic.gov",
-					CredentialScope: credentialScope{
-						Region: "us-iso-east-1",
-					},
-					Deprecated: boxedTrue,
-				},
-				endpointKey{
-					Region: "fips-us-iso-west-1",
-				}: endpoint{
-					Hostname: "ram-fips.us-iso-west-1.c2s.ic.gov",
-					CredentialScope: credentialScope{
-						Region: "us-iso-west-1",
-					},
-					Deprecated: boxedTrue,
-				},
 				endpointKey{
 					Region: "us-iso-east-1",
 				}: endpoint{},
-				endpointKey{
-					Region:  "us-iso-east-1",
-					Variant: fipsVariant,
-				}: endpoint{
-					Hostname: "ram-fips.us-iso-east-1.c2s.ic.gov",
-				},
 				endpointKey{
 					Region: "us-iso-west-1",
 				}: endpoint{},
-				endpointKey{
-					Region:  "us-iso-west-1",
-					Variant: fipsVariant,
-				}: endpoint{
-					Hostname: "ram-fips.us-iso-west-1.c2s.ic.gov",
-				},
 			},
 		},
 		"rbin": service{
@@ -45823,37 +46051,10 @@ var awsisoPartition = partition{
 		},
 		"rds": service{
 			Endpoints: serviceEndpoints{
-				endpointKey{
-					Region: "rds-fips.us-iso-east-1",
-				}: endpoint{
-					Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
-					CredentialScope: credentialScope{
-						Region: "us-iso-east-1",
-					},
-					Deprecated: boxedTrue,
-				},
-				endpointKey{
-					Region: "rds-fips.us-iso-west-1",
-				}: endpoint{
-					Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
-					CredentialScope: credentialScope{
-						Region: "us-iso-west-1",
-					},
-					Deprecated: boxedTrue,
-				},
 				endpointKey{
 					Region: "rds.us-iso-east-1",
 				}: endpoint{
-					CredentialScope: credentialScope{
-						Region: "us-iso-east-1",
-					},
-					Deprecated: boxedTrue,
-				},
-				endpointKey{
-					Region:  "rds.us-iso-east-1",
-					Variant: fipsVariant,
-				}: endpoint{
-					Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
+					Hostname: "rds.us-iso-east-1.c2s.ic.gov",
 					CredentialScope: credentialScope{
 						Region: "us-iso-east-1",
 					},
@@ -45862,16 +46063,7 @@ var awsisoPartition = partition{
 				endpointKey{
 					Region: "rds.us-iso-west-1",
 				}: endpoint{
-					CredentialScope: credentialScope{
-						Region: "us-iso-west-1",
-					},
-					Deprecated: boxedTrue,
-				},
-				endpointKey{
-					Region:  "rds.us-iso-west-1",
-					Variant: fipsVariant,
-				}: endpoint{
-					Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
+					Hostname: "rds.us-iso-west-1.c2s.ic.gov",
 					CredentialScope: credentialScope{
 						Region: "us-iso-west-1",
 					},
@@ -45884,12 +46076,12 @@ var awsisoPartition = partition{
 					Region:  "us-iso-east-1",
 					Variant: fipsVariant,
 				}: endpoint{
-					Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
+					Hostname: "rds.us-iso-east-1.c2s.ic.gov",
 				},
 				endpointKey{
 					Region: "us-iso-east-1-fips",
 				}: endpoint{
-					Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
+					Hostname: "rds.us-iso-east-1.c2s.ic.gov",
 					CredentialScope: credentialScope{
 						Region: "us-iso-east-1",
 					},
@@ -45902,12 +46094,12 @@ var awsisoPartition = partition{
 					Region:  "us-iso-west-1",
 					Variant: fipsVariant,
 				}: endpoint{
-					Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
+					Hostname: "rds.us-iso-west-1.c2s.ic.gov",
 				},
 				endpointKey{
 					Region: "us-iso-west-1-fips",
 				}: endpoint{
-					Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
+					Hostname: "rds.us-iso-west-1.c2s.ic.gov",
 					CredentialScope: credentialScope{
 						Region: "us-iso-west-1",
 					},
@@ -46866,24 +47058,9 @@ var awsisobPartition = partition{
 		},
 		"ram": service{
 			Endpoints: serviceEndpoints{
-				endpointKey{
-					Region: "fips-us-isob-east-1",
-				}: endpoint{
-					Hostname: "ram-fips.us-isob-east-1.sc2s.sgov.gov",
-					CredentialScope: credentialScope{
-						Region: "us-isob-east-1",
-					},
-					Deprecated: boxedTrue,
-				},
 				endpointKey{
 					Region: "us-isob-east-1",
 				}: endpoint{},
-				endpointKey{
-					Region:  "us-isob-east-1",
-					Variant: fipsVariant,
-				}: endpoint{
-					Hostname: "ram-fips.us-isob-east-1.sc2s.sgov.gov",
-				},
 			},
 		},
 		"rbin": service{
@@ -46910,28 +47087,10 @@ var awsisobPartition = partition{
 		},
 		"rds": service{
 			Endpoints: serviceEndpoints{
-				endpointKey{
-					Region: "rds-fips.us-isob-east-1",
-				}: endpoint{
-					Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
-					CredentialScope: credentialScope{
-						Region: "us-isob-east-1",
-					},
-					Deprecated: boxedTrue,
-				},
 				endpointKey{
 					Region: "rds.us-isob-east-1",
 				}: endpoint{
-					CredentialScope: credentialScope{
-						Region: "us-isob-east-1",
-					},
-					Deprecated: boxedTrue,
-				},
-				endpointKey{
-					Region:  "rds.us-isob-east-1",
-					Variant: fipsVariant,
-				}: endpoint{
-					Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
+					Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
 					CredentialScope: credentialScope{
 						Region: "us-isob-east-1",
 					},
@@ -46944,12 +47103,12 @@ var awsisobPartition = partition{
 					Region:  "us-isob-east-1",
 					Variant: fipsVariant,
 				}: endpoint{
-					Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
+					Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
 				},
 				endpointKey{
 					Region: "us-isob-east-1-fips",
 				}: endpoint{
-					Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
+					Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
 					CredentialScope: credentialScope{
 						Region: "us-isob-east-1",
 					},
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/version.go b/vendor/github.com/aws/aws-sdk-go/aws/version.go
index 60b9f8636..193f4be1a 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/version.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go
@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.53.14"
+const SDKVersion = "1.54.6"
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
index f25af3aaa..30d4752cd 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go
@@ -807,6 +807,7 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req
 //     for Amazon VPC endpoint service connectivity for an external key store.
 //
 //   - XksProxyInvalidResponseException
+//
 //     KMS cannot interpret the response it received from the external key store
 //     proxy. The problem might be a poorly constructed response, but it could also
 //     be a transient network issue. If you see this error repeatedly, report it
@@ -1107,11 +1108,15 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
 // Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair,
 // or an SM2 key pair (China Regions only). The private key in an asymmetric
 // KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey
-// operation to download the public key so it can be used outside of KMS. KMS
-// keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or
-// sign and verify messages (but not both). KMS keys with ECC key pairs can
-// be used only to sign and verify messages. For information about asymmetric
-// KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
+// operation to download the public key so it can be used outside of KMS. Each
+// KMS key can have only one key usage. KMS keys with RSA key pairs can be used
+// to encrypt and decrypt data or sign and verify messages (but not both). KMS
+// keys with NIST-recommended ECC key pairs can be used to sign and verify messages
+// or derive shared secrets (but not both). KMS keys with ECC_SECG_P256K1 can
+// be used only to sign and verify messages. KMS keys with SM2 key pairs (China
+// Regions only) can be used to either encrypt and decrypt data, sign and verify
+// messages, or derive shared secrets (you must choose one key usage type).
+// For information about asymmetric KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
 // in the Key Management Service Developer Guide.
 //
 // # HMAC KMS key
@@ -1554,7 +1559,8 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -2068,6 +2074,219 @@ func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *Delet
 	return out, req.Send()
 }
 
+const opDeriveSharedSecret = "DeriveSharedSecret"
+
+// DeriveSharedSecretRequest generates a "aws/request.Request" representing the
+// client's request for the DeriveSharedSecret operation. The "output" return
+// value will be populated with the request's response once the request completes
+// successfully.
+//
+// Use "Send" method on the returned Request to send the API call to the service.
+// the "output" return value is not valid until after Send returns without error.
+//
+// See DeriveSharedSecret for more information on using the DeriveSharedSecret
+// API call, and error handling.
+//
+// This method is useful when you want to inject custom logic or configuration
+// into the SDK's request lifecycle. Such as custom headers, or retry logic.
+//
+//	// Example sending a request using the DeriveSharedSecretRequest method.
+//	req, resp := client.DeriveSharedSecretRequest(params)
+//
+//	err := req.Send()
+//	if err == nil { // resp is now filled
+//	    fmt.Println(resp)
+//	}
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret
+func (c *KMS) DeriveSharedSecretRequest(input *DeriveSharedSecretInput) (req *request.Request, output *DeriveSharedSecretOutput) {
+	op := &request.Operation{
+		Name:       opDeriveSharedSecret,
+		HTTPMethod: "POST",
+		HTTPPath:   "/",
+	}
+
+	if input == nil {
+		input = &DeriveSharedSecretInput{}
+	}
+
+	output = &DeriveSharedSecretOutput{}
+	req = c.newRequest(op, input, output)
+	return
+}
+
+// DeriveSharedSecret API operation for AWS Key Management Service.
+//
+// Derives a shared secret using a key agreement algorithm.
+//
+// You must use an asymmetric NIST-recommended elliptic curve (ECC) or SM2 (China
+// Regions only) KMS key pair with a KeyUsage value of KEY_AGREEMENT to call
+// DeriveSharedSecret.
+//
+// DeriveSharedSecret uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman
+// Primitive (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60)
+// (ECDH) to establish a key agreement between two peers by deriving a shared
+// secret from their elliptic curve public-private key pairs. You can use the
+// raw shared secret that DeriveSharedSecret returns to derive a symmetric key
+// that can encrypt and decrypt data that is sent between the two peers, or
+// that can generate and verify HMACs. KMS recommends that you follow NIST recommendations
+// for key derivation (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf)
+// when using the raw shared secret to derive a symmetric key.
+//
+// The following workflow demonstrates how to establish key agreement over an
+// insecure communication channel using DeriveSharedSecret.
+//
+// Alice calls CreateKey to create an asymmetric KMS key pair with a KeyUsage
+// value of KEY_AGREEMENT.
+//
+// The asymmetric KMS key must use a NIST-recommended elliptic curve (ECC) or
+// SM2 (China Regions only) key spec.
+//
+// Bob creates an elliptic curve key pair.
+//
+// Bob can call CreateKey to create an asymmetric KMS key pair or generate a
+// key pair outside of KMS. Bob's key pair must use the same NIST-recommended
+// elliptic curve (ECC) or SM2 (China Regions ony) curve as Alice.
+//
+// Alice and Bob exchange their public keys through an insecure communication
+// channel (like the internet).
+//
+// Use GetPublicKey to download the public key of your asymmetric KMS key pair.
+//
+// KMS strongly recommends verifying that the public key you receive came from
+// the expected party before using it to derive a shared secret.
+//
+// Alice calls DeriveSharedSecret.
+//
+// KMS uses the private key from the KMS key pair generated in Step 1, Bob's
+// public key, and the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive
+// to derive the shared secret. The private key in your KMS key pair never leaves
+// KMS unencrypted. DeriveSharedSecret returns the raw shared secret.
+//
+// Bob uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive
+// to calculate the same raw secret using his private key and Alice's public
+// key.
+//
+// To derive a shared secret you must provide a key agreement algorithm, the
+// private key of the caller's asymmetric NIST-recommended elliptic curve or
+// SM2 (China Regions only) KMS key pair, and the public key from your peer's
+// NIST-recommended elliptic curve or SM2 (China Regions only) key pair. The
+// public key can be from another asymmetric KMS key pair or from a key pair
+// generated outside of KMS, but both key pairs must be on the same elliptic
+// curve.
+//
+// The KMS key that you use for this operation must be in a compatible key state.
+// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+// in the Key Management Service Developer Guide.
+//
+// Cross-account use: Yes. To perform this operation with a KMS key in a different
+// Amazon Web Services account, specify the key ARN or alias ARN in the value
+// of the KeyId parameter.
+//
+// Required permissions: kms:DeriveSharedSecret (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
+// (key policy)
+//
+// Related operations:
+//
+//   - CreateKey
+//
+//   - GetPublicKey
+//
+//   - DescribeKey
+//
+// Eventual consistency: The KMS API follows an eventual consistency model.
+// For more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html).
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Key Management Service's
+// API operation DeriveSharedSecret for usage and error information.
+//
+// Returned Error Types:
+//
+//   - NotFoundException
+//     The request was rejected because the specified entity or resource could not
+//     be found.
+//
+//   - DisabledException
+//     The request was rejected because the specified KMS key is not enabled.
+//
+//   - KeyUnavailableException
+//     The request was rejected because the specified KMS key was not available.
+//     You can retry the request.
+//
+//   - DependencyTimeoutException
+//     The system timed out while trying to fulfill the request. You can retry the
+//     request.
+//
+//   - InvalidGrantTokenException
+//     The request was rejected because the specified grant token is not valid.
+//
+//   - InvalidKeyUsageException
+//     The request was rejected for one of the following reasons:
+//
+//   - The KeyUsage value of the KMS key is incompatible with the API operation.
+//
+//   - The encryption algorithm or signing algorithm specified for the operation
+//     is incompatible with the type of key material in the KMS key (KeySpec).
+//
+//     For encrypting, decrypting, re-encrypting, and generating data keys, the
+//     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
+//     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
+//     of a KMS key, use the DescribeKey operation.
+//
+//     To find the encryption or signing algorithms supported for a particular KMS
+//     key, use the DescribeKey operation.
+//
+//   - InternalException
+//     The request was rejected because an internal exception occurred. The request
+//     can be retried.
+//
+//   - InvalidStateException
+//     The request was rejected because the state of the specified resource is not
+//     valid for this request.
+//
+//     This exceptions means one of the following:
+//
+//   - The key state of the KMS key is not compatible with the operation. To
+//     find the key state, use the DescribeKey operation. For more information
+//     about which key states are compatible with each KMS operation, see Key
+//     states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
+//     in the Key Management Service Developer Guide .
+//
+//   - For cryptographic operations on KMS keys in custom key stores, this
+//     exception represents a general failure with many possible causes. To identify
+//     the cause, see the error message that accompanies the exception.
+//
+//   - DryRunOperationException
+//     The request was rejected because the DryRun parameter was specified.
+//
+// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret
+func (c *KMS) DeriveSharedSecret(input *DeriveSharedSecretInput) (*DeriveSharedSecretOutput, error) {
+	req, out := c.DeriveSharedSecretRequest(input)
+	return out, req.Send()
+}
+
+// DeriveSharedSecretWithContext is the same as DeriveSharedSecret with the addition of
+// the ability to pass a context and additional request options.
+//
+// See DeriveSharedSecret for details on how to use this API operation.
+//
+// The context must be non-nil and will be used for request cancellation. If
+// the context is nil a panic will occur. In the future the SDK may create
+// sub-contexts for http.Requests. See https://golang.org/pkg/context/
+// for more information on using Contexts.
+func (c *KMS) DeriveSharedSecretWithContext(ctx aws.Context, input *DeriveSharedSecretInput, opts ...request.Option) (*DeriveSharedSecretOutput, error) {
+	req, out := c.DeriveSharedSecretRequest(input)
+	req.SetContext(ctx)
+	req.ApplyOptions(opts...)
+	return out, req.Send()
+}
+
 const opDescribeCustomKeyStores = "DescribeCustomKeyStores"
 
 // DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the
@@ -3326,7 +3545,8 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -3554,7 +3774,8 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -3772,7 +3993,8 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -3969,7 +4191,8 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -4178,7 +4401,8 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -4343,7 +4567,8 @@ func (c *KMS) GenerateMacRequest(input *GenerateMacInput) (req *request.Request,
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -4911,9 +5136,9 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput)
 // GetParametersForImport returns the items that you need to import your key
 // material.
 //
-//   - The public key (or "wrapping key") of an asymmetric key pair that KMS
-//     generates. You will use this public key to encrypt ("wrap") your key material
-//     while it's in transit to KMS.
+//   - The public key (or "wrapping key") of an RSA key pair that KMS generates.
+//     You will use this public key to encrypt ("wrap") your key material while
+//     it's in transit to KMS.
 //
 //   - A import token that ensures that KMS can decrypt your key material and
 //     associate it with the correct KMS key.
@@ -5089,7 +5314,8 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
 //     The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.
 //
 //   - KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage):
-//     Whether the key is used for encryption or signing.
+//     Whether the key is used for encryption, signing, or deriving a shared
+//     secret.
 //
 //   - EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms)
 //     or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms):
@@ -5170,7 +5396,8 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -7082,7 +7309,8 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -8134,7 +8362,8 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -8939,6 +9168,7 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req
 //     for Amazon VPC endpoint service connectivity for an external key store.
 //
 //   - XksProxyInvalidResponseException
+//
 //     KMS cannot interpret the response it received from the external key store
 //     proxy. The problem might be a poorly constructed response, but it could also
 //     be a transient network issue. If you see this error repeatedly, report it
@@ -9412,7 +9642,8 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -9576,7 +9807,8 @@ func (c *KMS) VerifyMacRequest(input *VerifyMacInput) (req *request.Request, out
 //     For encrypting, decrypting, re-encrypting, and generating data keys, the
 //     KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 //     KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+//     codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+//     agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 //     of a KMS key, use the DescribeKey operation.
 //
 //     To find the encryption or signing algorithms supported for a particular KMS
@@ -11140,15 +11372,18 @@ type CreateKeyInput struct {
 	//
 	//    * HMAC keys (symmetric) HMAC_224 HMAC_256 HMAC_384 HMAC_512
 	//
-	//    * Asymmetric RSA key pairs RSA_2048 RSA_3072 RSA_4096
+	//    * Asymmetric RSA key pairs (encryption and decryption -or- signing and
+	//    verification) RSA_2048 RSA_3072 RSA_4096
 	//
-	//    * Asymmetric NIST-recommended elliptic curve key pairs ECC_NIST_P256 (secp256r1)
-	//    ECC_NIST_P384 (secp384r1) ECC_NIST_P521 (secp521r1)
+	//    * Asymmetric NIST-recommended elliptic curve key pairs (signing and verification
+	//    -or- deriving shared secrets) ECC_NIST_P256 (secp256r1) ECC_NIST_P384
+	//    (secp384r1) ECC_NIST_P521 (secp521r1)
 	//
-	//    * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1),
-	//    commonly used for cryptocurrencies.
+	//    * Other asymmetric elliptic curve key pairs (signing and verification)
+	//    ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
 	//
-	//    * SM2 key pairs (China Regions only) SM2
+	//    * SM2 key pairs (encryption and decryption -or- signing and verification
+	//    -or- deriving shared secrets) SM2 (China Regions only)
 	KeySpec *string `type:"string" enum:"KeySpec"`
 
 	// Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
@@ -11163,13 +11398,16 @@ type CreateKeyInput struct {
 	//
 	//    * For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC.
 	//
-	//    * For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT
+	//    * For asymmetric KMS keys with RSA key pairs, specify ENCRYPT_DECRYPT
 	//    or SIGN_VERIFY.
 	//
-	//    * For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY.
+	//    * For asymmetric KMS keys with NIST-recommended elliptic curve key pairs,
+	//    specify SIGN_VERIFY or KEY_AGREEMENT.
 	//
-	//    * For asymmetric KMS keys with SM2 key material (China Regions only),
-	//    specify ENCRYPT_DECRYPT or SIGN_VERIFY.
+	//    * For asymmetric KMS keys with ECC_SECG_P256K1 key pairs specify SIGN_VERIFY.
+	//
+	//    * For asymmetric KMS keys with SM2 key pairs (China Regions only), specify
+	//    ENCRYPT_DECRYPT, SIGN_VERIFY, or KEY_AGREEMENT.
 	KeyUsage *string `type:"string" enum:"KeyUsageType"`
 
 	// Creates a multi-Region primary key that you can replicate into other Amazon
@@ -12555,6 +12793,282 @@ func (s *DependencyTimeoutException) RequestID() string {
 	return s.RespMetadata.RequestID
 }
 
+type DeriveSharedSecretInput struct {
+	_ struct{} `type:"structure"`
+
+	// Checks if your request will succeed. DryRun is an optional parameter.
+	//
+	// To learn more about how to use this parameter, see Testing your KMS API calls
+	// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
+	// in the Key Management Service Developer Guide.
+	DryRun *bool `type:"boolean"`
+
+	// A list of grant tokens.
+	//
+	// Use a grant token when your permission to call this operation comes from
+	// a new grant that has not yet achieved eventual consistency. For more information,
+	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
+	// and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)
+	// in the Key Management Service Developer Guide.
+	GrantTokens []*string `type:"list"`
+
+	// Specifies the key agreement algorithm used to derive the shared secret. The
+	// only valid value is ECDH.
+	//
+	// KeyAgreementAlgorithm is a required field
+	KeyAgreementAlgorithm *string `type:"string" required:"true" enum:"KeyAgreementAlgorithmSpec"`
+
+	// Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions only)
+	// KMS key. KMS uses the private key in the specified key pair to derive the
+	// shared secret. The key usage of the KMS key must be KEY_AGREEMENT. To find
+	// the KeyUsage of a KMS key, use the DescribeKey operation.
+	//
+	// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
+	// When using an alias name, prefix it with "alias/". To specify a KMS key in
+	// a different Amazon Web Services account, you must use the key ARN or alias
+	// ARN.
+	//
+	// For example:
+	//
+	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
+	//
+	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
+	//
+	//    * Alias name: alias/ExampleAlias
+	//
+	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
+	//
+	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
+	// To get the alias name and alias ARN, use ListAliases.
+	//
+	// KeyId is a required field
+	KeyId *string `min:"1" type:"string" required:"true"`
+
+	// Specifies the public key in your peer's NIST-recommended elliptic curve (ECC)
+	// or SM2 (China Regions only) key pair.
+	//
+	// The public key must be a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo
+	// (SPKI), as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280).
+	//
+	// GetPublicKey returns the public key of an asymmetric KMS key pair in the
+	// required DER-encoded format.
+	//
+	// If you use Amazon Web Services CLI version 1 (https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html),
+	// you must provide the DER-encoded X.509 public key in a file. Otherwise, the
+	// Amazon Web Services CLI Base64-encodes the public key a second time, resulting
+	// in a ValidationException.
+	//
+	// You can specify the public key as binary data in a file using fileb (fileb://<path-to-file>)
+	// or in-line using a Base64 encoded string.
+	// PublicKey is automatically base64 encoded/decoded by the SDK.
+	//
+	// PublicKey is a required field
+	PublicKey []byte `min:"1" type:"blob" required:"true"`
+
+	// A signed attestation document (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc)
+	// from an Amazon Web Services Nitro enclave and the encryption algorithm to
+	// use with the enclave's public key. The only valid encryption algorithm is
+	// RSAES_OAEP_SHA_256.
+	//
+	// This parameter only supports attestation documents for Amazon Web Services
+	// Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web Services Nitro
+	// Enclaves, use the Amazon Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
+	// to generate the attestation document and then use the Recipient parameter
+	// from any Amazon Web Services SDK to provide the attestation document for
+	// the enclave.
+	//
+	// When you use this parameter, instead of returning a plaintext copy of the
+	// shared secret, KMS encrypts the plaintext shared secret under the public
+	// key in the attestation document, and returns the resulting ciphertext in
+	// the CiphertextForRecipient field in the response. This ciphertext can be
+	// decrypted only with the private key in the enclave. The CiphertextBlob field
+	// in the response contains the encrypted shared secret derived from the KMS
+	// key specified by the KeyId parameter and public key specified by the PublicKey
+	// parameter. The SharedSecret field in the response is null or empty.
+	//
+	// For information about the interaction between KMS and Amazon Web Services
+	// Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html)
+	// in the Key Management Service Developer Guide.
+	Recipient *RecipientInfo `type:"structure"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeriveSharedSecretInput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeriveSharedSecretInput) GoString() string {
+	return s.String()
+}
+
+// Validate inspects the fields of the type to determine if they are valid.
+func (s *DeriveSharedSecretInput) Validate() error {
+	invalidParams := request.ErrInvalidParams{Context: "DeriveSharedSecretInput"}
+	if s.KeyAgreementAlgorithm == nil {
+		invalidParams.Add(request.NewErrParamRequired("KeyAgreementAlgorithm"))
+	}
+	if s.KeyId == nil {
+		invalidParams.Add(request.NewErrParamRequired("KeyId"))
+	}
+	if s.KeyId != nil && len(*s.KeyId) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
+	}
+	if s.PublicKey == nil {
+		invalidParams.Add(request.NewErrParamRequired("PublicKey"))
+	}
+	if s.PublicKey != nil && len(s.PublicKey) < 1 {
+		invalidParams.Add(request.NewErrParamMinLen("PublicKey", 1))
+	}
+	if s.Recipient != nil {
+		if err := s.Recipient.Validate(); err != nil {
+			invalidParams.AddNested("Recipient", err.(request.ErrInvalidParams))
+		}
+	}
+
+	if invalidParams.Len() > 0 {
+		return invalidParams
+	}
+	return nil
+}
+
+// SetDryRun sets the DryRun field's value.
+func (s *DeriveSharedSecretInput) SetDryRun(v bool) *DeriveSharedSecretInput {
+	s.DryRun = &v
+	return s
+}
+
+// SetGrantTokens sets the GrantTokens field's value.
+func (s *DeriveSharedSecretInput) SetGrantTokens(v []*string) *DeriveSharedSecretInput {
+	s.GrantTokens = v
+	return s
+}
+
+// SetKeyAgreementAlgorithm sets the KeyAgreementAlgorithm field's value.
+func (s *DeriveSharedSecretInput) SetKeyAgreementAlgorithm(v string) *DeriveSharedSecretInput {
+	s.KeyAgreementAlgorithm = &v
+	return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *DeriveSharedSecretInput) SetKeyId(v string) *DeriveSharedSecretInput {
+	s.KeyId = &v
+	return s
+}
+
+// SetPublicKey sets the PublicKey field's value.
+func (s *DeriveSharedSecretInput) SetPublicKey(v []byte) *DeriveSharedSecretInput {
+	s.PublicKey = v
+	return s
+}
+
+// SetRecipient sets the Recipient field's value.
+func (s *DeriveSharedSecretInput) SetRecipient(v *RecipientInfo) *DeriveSharedSecretInput {
+	s.Recipient = v
+	return s
+}
+
+type DeriveSharedSecretOutput struct {
+	_ struct{} `type:"structure"`
+
+	// The plaintext shared secret encrypted with the public key in the attestation
+	// document.
+	//
+	// This field is included in the response only when the Recipient parameter
+	// in the request includes a valid attestation document from an Amazon Web Services
+	// Nitro enclave. For information about the interaction between KMS and Amazon
+	// Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses
+	// KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html)
+	// in the Key Management Service Developer Guide.
+	// CiphertextForRecipient is automatically base64 encoded/decoded by the SDK.
+	CiphertextForRecipient []byte `min:"1" type:"blob"`
+
+	// Identifies the key agreement algorithm used to derive the shared secret.
+	KeyAgreementAlgorithm *string `type:"string" enum:"KeyAgreementAlgorithmSpec"`
+
+	// Identifies the KMS key used to derive the shared secret.
+	KeyId *string `min:"1" type:"string"`
+
+	// The source of the key material for the specified KMS key.
+	//
+	// When this value is AWS_KMS, KMS created the key material. When this value
+	// is EXTERNAL, the key material was imported or the KMS key doesn't have any
+	// key material.
+	//
+	// The only valid values for DeriveSharedSecret are AWS_KMS and EXTERNAL. DeriveSharedSecret
+	// does not support KMS keys with a KeyOrigin value of AWS_CLOUDHSM or EXTERNAL_KEY_STORE.
+	KeyOrigin *string `type:"string" enum:"OriginType"`
+
+	// The raw secret derived from the specified key agreement algorithm, private
+	// key in the asymmetric KMS key, and your peer's public key.
+	//
+	// If the response includes the CiphertextForRecipient field, the SharedSecret
+	// field is null or empty.
+	//
+	// SharedSecret is a sensitive parameter and its value will be
+	// replaced with "sensitive" in string returned by DeriveSharedSecretOutput's
+	// String and GoString methods.
+	//
+	// SharedSecret is automatically base64 encoded/decoded by the SDK.
+	SharedSecret []byte `min:"1" type:"blob" sensitive:"true"`
+}
+
+// String returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeriveSharedSecretOutput) String() string {
+	return awsutil.Prettify(s)
+}
+
+// GoString returns the string representation.
+//
+// API parameter values that are decorated as "sensitive" in the API will not
+// be included in the string output. The member name will be present, but the
+// value will be replaced with "sensitive".
+func (s DeriveSharedSecretOutput) GoString() string {
+	return s.String()
+}
+
+// SetCiphertextForRecipient sets the CiphertextForRecipient field's value.
+func (s *DeriveSharedSecretOutput) SetCiphertextForRecipient(v []byte) *DeriveSharedSecretOutput {
+	s.CiphertextForRecipient = v
+	return s
+}
+
+// SetKeyAgreementAlgorithm sets the KeyAgreementAlgorithm field's value.
+func (s *DeriveSharedSecretOutput) SetKeyAgreementAlgorithm(v string) *DeriveSharedSecretOutput {
+	s.KeyAgreementAlgorithm = &v
+	return s
+}
+
+// SetKeyId sets the KeyId field's value.
+func (s *DeriveSharedSecretOutput) SetKeyId(v string) *DeriveSharedSecretOutput {
+	s.KeyId = &v
+	return s
+}
+
+// SetKeyOrigin sets the KeyOrigin field's value.
+func (s *DeriveSharedSecretOutput) SetKeyOrigin(v string) *DeriveSharedSecretOutput {
+	s.KeyOrigin = &v
+	return s
+}
+
+// SetSharedSecret sets the SharedSecret field's value.
+func (s *DeriveSharedSecretOutput) SetSharedSecret(v []byte) *DeriveSharedSecretOutput {
+	s.SharedSecret = v
+	return s
+}
+
 type DescribeCustomKeyStoresInput struct {
 	_ struct{} `type:"structure"`
 
@@ -14006,9 +14520,11 @@ type GenerateDataKeyPairInput struct {
 	// RSAES_OAEP_SHA_256.
 	//
 	// This parameter only supports attestation documents for Amazon Web Services
-	// Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro
-	// Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
-	// or any Amazon Web Services SDK.
+	// Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web Services Nitro
+	// Enclaves, use the Amazon Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
+	// to generate the attestation document and then use the Recipient parameter
+	// from any Amazon Web Services SDK to provide the attestation document for
+	// the enclave.
 	//
 	// When you use this parameter, instead of returning a plaintext copy of the
 	// private data key, KMS encrypts the plaintext private data key under the public
@@ -15199,25 +15715,19 @@ type GetParametersForImportInput struct {
 	// KeyId is a required field
 	KeyId *string `min:"1" type:"string" required:"true"`
 
-	// The algorithm you will use with the asymmetric public key (PublicKey) in
-	// the response to protect your key material during import. For more information,
-	// see Select a wrapping algorithm (kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
+	// The algorithm you will use with the RSA public key (PublicKey) in the response
+	// to protect your key material during import. For more information, see Select
+	// a wrapping algorithm (kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
 	// in the Key Management Service Developer Guide.
 	//
 	// For RSA_AES wrapping algorithms, you encrypt your key material with an AES
 	// key that you generate, then encrypt your AES key with the RSA public key
 	// from KMS. For RSAES wrapping algorithms, you encrypt your key material directly
-	// with the RSA public key from KMS. For SM2PKE wrapping algorithms, you encrypt
-	// your key material directly with the SM2 public key from KMS.
+	// with the RSA public key from KMS.
 	//
 	// The wrapping algorithms that you can use depend on the type of key material
 	// that you are importing. To import an RSA private key, you must use an RSA_AES
-	// wrapping algorithm, except in China Regions, where you must use the SM2PKE
-	// wrapping algorithm to import an RSA private key.
-	//
-	// The SM2PKE wrapping algorithm is available only in China Regions. The RSA_AES_KEY_WRAP_SHA_256
-	// and RSA_AES_KEY_WRAP_SHA_1 wrapping algorithms are not supported in China
-	// Regions.
+	// wrapping algorithm.
 	//
 	//    * RSA_AES_KEY_WRAP_SHA_256 — Supported for wrapping RSA and ECC key
 	//    material.
@@ -15237,24 +15747,19 @@ type GetParametersForImportInput struct {
 	//    * RSAES_PKCS1_V1_5 (Deprecated) — As of October 10, 2023, KMS does not
 	//    support the RSAES_PKCS1_V1_5 wrapping algorithm.
 	//
-	//    * SM2PKE (China Regions only) — supported for wrapping RSA, ECC, and
-	//    SM2 key material.
-	//
 	// WrappingAlgorithm is a required field
 	WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"`
 
-	// The type of public key to return in the response. You will use this wrapping
+	// The type of RSA public key to return in the response. You will use this wrapping
 	// key with the specified wrapping algorithm to protect your key material during
 	// import.
 	//
-	// Use the longest wrapping key that is practical.
+	// Use the longest RSA wrapping key that is practical.
 	//
 	// You cannot use an RSA_2048 public key to directly wrap an ECC_NIST_P521 private
 	// key. Instead, use an RSA_AES wrapping algorithm or choose a longer RSA public
 	// key.
 	//
-	// The SM2 wrapping key spec is available only in China Regions.
-	//
 	// WrappingKeySpec is a required field
 	WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"`
 }
@@ -15490,6 +15995,10 @@ type GetPublicKeyOutput struct {
 	// is ENCRYPT_DECRYPT.
 	EncryptionAlgorithms []*string `type:"list" enum:"EncryptionAlgorithmSpec"`
 
+	// The key agreement algorithm used to derive a shared secret. This field is
+	// present only when the KMS key has a KeyUsage value of KEY_AGREEMENT.
+	KeyAgreementAlgorithms []*string `type:"list" enum:"KeyAgreementAlgorithmSpec"`
+
 	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
 	// of the asymmetric KMS key from which the public key was downloaded.
 	KeyId *string `min:"1" type:"string"`
@@ -15497,11 +16006,11 @@ type GetPublicKeyOutput struct {
 	// The type of the of the public key that was downloaded.
 	KeySpec *string `type:"string" enum:"KeySpec"`
 
-	// The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or
-	// SIGN_VERIFY.
+	// The permitted use of the public key. Valid values for asymmetric key pairs
+	// are ENCRYPT_DECRYPT, SIGN_VERIFY, and KEY_AGREEMENT.
 	//
-	// This information is critical. If a public key with SIGN_VERIFY key usage
-	// encrypts data outside of KMS, the ciphertext cannot be decrypted.
+	// This information is critical. For example, if a public key with SIGN_VERIFY
+	// key usage encrypts data outside of KMS, the ciphertext cannot be decrypted.
 	KeyUsage *string `type:"string" enum:"KeyUsageType"`
 
 	// The exported public key.
@@ -15550,6 +16059,12 @@ func (s *GetPublicKeyOutput) SetEncryptionAlgorithms(v []*string) *GetPublicKeyO
 	return s
 }
 
+// SetKeyAgreementAlgorithms sets the KeyAgreementAlgorithms field's value.
+func (s *GetPublicKeyOutput) SetKeyAgreementAlgorithms(v []*string) *GetPublicKeyOutput {
+	s.KeyAgreementAlgorithms = v
+	return s
+}
+
 // SetKeyId sets the KeyId field's value.
 func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput {
 	s.KeyId = &v
@@ -16603,7 +17118,8 @@ func (s *InvalidImportTokenException) RequestID() string {
 // For encrypting, decrypting, re-encrypting, and generating data keys, the
 // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 // of a KMS key, use the DescribeKey operation.
 //
 // To find the encryption or signing algorithms supported for a particular KMS
@@ -17052,6 +17568,9 @@ type KeyMetadata struct {
 	// only when Origin is EXTERNAL, otherwise this value is omitted.
 	ExpirationModel *string `type:"string" enum:"ExpirationModelType"`
 
+	// The key agreement algorithm used to derive a shared secret.
+	KeyAgreementAlgorithms []*string `type:"list" enum:"KeyAgreementAlgorithmSpec"`
+
 	// The globally unique identifier for the KMS key.
 	//
 	// KeyId is a required field
@@ -17232,6 +17751,12 @@ func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata {
 	return s
 }
 
+// SetKeyAgreementAlgorithms sets the KeyAgreementAlgorithms field's value.
+func (s *KeyMetadata) SetKeyAgreementAlgorithms(v []*string) *KeyMetadata {
+	s.KeyAgreementAlgorithms = v
+	return s
+}
+
 // SetKeyId sets the KeyId field's value.
 func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata {
 	s.KeyId = &v
@@ -23034,6 +23559,9 @@ const (
 
 	// GrantOperationVerifyMac is a GrantOperation enum value
 	GrantOperationVerifyMac = "VerifyMac"
+
+	// GrantOperationDeriveSharedSecret is a GrantOperation enum value
+	GrantOperationDeriveSharedSecret = "DeriveSharedSecret"
 )
 
 // GrantOperation_Values returns all elements of the GrantOperation enum
@@ -23055,6 +23583,19 @@ func GrantOperation_Values() []string {
 		GrantOperationGenerateDataKeyPairWithoutPlaintext,
 		GrantOperationGenerateMac,
 		GrantOperationVerifyMac,
+		GrantOperationDeriveSharedSecret,
+	}
+}
+
+const (
+	// KeyAgreementAlgorithmSpecEcdh is a KeyAgreementAlgorithmSpec enum value
+	KeyAgreementAlgorithmSpecEcdh = "ECDH"
+)
+
+// KeyAgreementAlgorithmSpec_Values returns all elements of the KeyAgreementAlgorithmSpec enum
+func KeyAgreementAlgorithmSpec_Values() []string {
+	return []string{
+		KeyAgreementAlgorithmSpecEcdh,
 	}
 }
 
@@ -23195,6 +23736,9 @@ const (
 
 	// KeyUsageTypeGenerateVerifyMac is a KeyUsageType enum value
 	KeyUsageTypeGenerateVerifyMac = "GENERATE_VERIFY_MAC"
+
+	// KeyUsageTypeKeyAgreement is a KeyUsageType enum value
+	KeyUsageTypeKeyAgreement = "KEY_AGREEMENT"
 )
 
 // KeyUsageType_Values returns all elements of the KeyUsageType enum
@@ -23203,6 +23747,7 @@ func KeyUsageType_Values() []string {
 		KeyUsageTypeSignVerify,
 		KeyUsageTypeEncryptDecrypt,
 		KeyUsageTypeGenerateVerifyMac,
+		KeyUsageTypeKeyAgreement,
 	}
 }
 
diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
index 170e2335d..993fd2386 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go
@@ -279,7 +279,8 @@ const (
 	// For encrypting, decrypting, re-encrypting, and generating data keys, the
 	// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
 	// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
-	// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
+	// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
+	// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
 	// of a KMS key, use the DescribeKey operation.
 	//
 	// To find the encryption or signing algorithms supported for a particular KMS
@@ -424,6 +425,7 @@ const (
 	// ErrCodeXksProxyInvalidResponseException for service response error code
 	// "XksProxyInvalidResponseException".
 	//
+	//
 	// KMS cannot interpret the response it received from the external key store
 	// proxy. The problem might be a poorly constructed response, but it could also
 	// be a transient network issue. If you see this error repeatedly, report it
diff --git a/vendor/github.com/aws/smithy-go/CHANGELOG.md b/vendor/github.com/aws/smithy-go/CHANGELOG.md
index b8d6561a4..39ffae999 100644
--- a/vendor/github.com/aws/smithy-go/CHANGELOG.md
+++ b/vendor/github.com/aws/smithy-go/CHANGELOG.md
@@ -1,3 +1,7 @@
+# Release (2024-03-29)
+
+* No change notes available for this release.
+
 # Release (2024-02-21)
 
 ## Module Highlights
diff --git a/vendor/github.com/aws/smithy-go/go_module_metadata.go b/vendor/github.com/aws/smithy-go/go_module_metadata.go
index 341392e10..a6b22f353 100644
--- a/vendor/github.com/aws/smithy-go/go_module_metadata.go
+++ b/vendor/github.com/aws/smithy-go/go_module_metadata.go
@@ -3,4 +3,4 @@
 package smithy
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.20.1"
+const goModuleVersion = "1.20.2"
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/jwt.go b/vendor/github.com/go-jose/go-jose/v3/jwt/jwt.go
deleted file mode 100644
index 8553fc50b..000000000
--- a/vendor/github.com/go-jose/go-jose/v3/jwt/jwt.go
+++ /dev/null
@@ -1,133 +0,0 @@
-/*-
- * Copyright 2016 Zbigniew Mandziejewicz
- * Copyright 2016 Square, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jwt
-
-import (
-	"fmt"
-	"strings"
-
-	jose "github.com/go-jose/go-jose/v3"
-	"github.com/go-jose/go-jose/v3/json"
-)
-
-// JSONWebToken represents a JSON Web Token (as specified in RFC7519).
-type JSONWebToken struct {
-	payload           func(k interface{}) ([]byte, error)
-	unverifiedPayload func() []byte
-	Headers           []jose.Header
-}
-
-type NestedJSONWebToken struct {
-	enc     *jose.JSONWebEncryption
-	Headers []jose.Header
-}
-
-// Claims deserializes a JSONWebToken into dest using the provided key.
-func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
-	b, err := t.payload(key)
-	if err != nil {
-		return err
-	}
-
-	for _, d := range dest {
-		if err := json.Unmarshal(b, d); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// UnsafeClaimsWithoutVerification deserializes the claims of a
-// JSONWebToken into the dests. For signed JWTs, the claims are not
-// verified. This function won't work for encrypted JWTs.
-func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) error {
-	if t.unverifiedPayload == nil {
-		return fmt.Errorf("go-jose/go-jose: Cannot get unverified claims")
-	}
-	claims := t.unverifiedPayload()
-	for _, d := range dest {
-		if err := json.Unmarshal(claims, d); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (t *NestedJSONWebToken) Decrypt(decryptionKey interface{}) (*JSONWebToken, error) {
-	b, err := t.enc.Decrypt(decryptionKey)
-	if err != nil {
-		return nil, err
-	}
-
-	sig, err := ParseSigned(string(b))
-	if err != nil {
-		return nil, err
-	}
-
-	return sig, nil
-}
-
-// ParseSigned parses token from JWS form.
-func ParseSigned(s string) (*JSONWebToken, error) {
-	sig, err := jose.ParseSigned(s)
-	if err != nil {
-		return nil, err
-	}
-	headers := make([]jose.Header, len(sig.Signatures))
-	for i, signature := range sig.Signatures {
-		headers[i] = signature.Header
-	}
-
-	return &JSONWebToken{
-		payload:           sig.Verify,
-		unverifiedPayload: sig.UnsafePayloadWithoutVerification,
-		Headers:           headers,
-	}, nil
-}
-
-// ParseEncrypted parses token from JWE form.
-func ParseEncrypted(s string) (*JSONWebToken, error) {
-	enc, err := jose.ParseEncrypted(s)
-	if err != nil {
-		return nil, err
-	}
-
-	return &JSONWebToken{
-		payload: enc.Decrypt,
-		Headers: []jose.Header{enc.Header},
-	}, nil
-}
-
-// ParseSignedAndEncrypted parses signed-then-encrypted token from JWE form.
-func ParseSignedAndEncrypted(s string) (*NestedJSONWebToken, error) {
-	enc, err := jose.ParseEncrypted(s)
-	if err != nil {
-		return nil, err
-	}
-
-	contentType, _ := enc.Header.ExtraHeaders[jose.HeaderContentType].(string)
-	if strings.ToUpper(contentType) != "JWT" {
-		return nil, ErrInvalidContentType
-	}
-
-	return &NestedJSONWebToken{
-		enc:     enc,
-		Headers: []jose.Header{enc.Header},
-	}, nil
-}
diff --git a/vendor/github.com/go-jose/go-jose/v3/.gitignore b/vendor/github.com/go-jose/go-jose/v4/.gitignore
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/.gitignore
rename to vendor/github.com/go-jose/go-jose/v4/.gitignore
diff --git a/vendor/github.com/go-jose/go-jose/v3/.golangci.yml b/vendor/github.com/go-jose/go-jose/v4/.golangci.yml
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/.golangci.yml
rename to vendor/github.com/go-jose/go-jose/v4/.golangci.yml
diff --git a/vendor/github.com/go-jose/go-jose/v3/.travis.yml b/vendor/github.com/go-jose/go-jose/v4/.travis.yml
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/.travis.yml
rename to vendor/github.com/go-jose/go-jose/v4/.travis.yml
diff --git a/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
similarity index 96%
rename from vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
rename to vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
index ce2a54ebf..28bdd2fc0 100644
--- a/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
+++ b/vendor/github.com/go-jose/go-jose/v4/CHANGELOG.md
@@ -45,12 +45,6 @@ token".
 
 [1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
 
-# v3.0.3
-
-## Fixed
-
- - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
-
 # v3.0.2
 
 ## Fixed
diff --git a/vendor/github.com/go-jose/go-jose/v3/CONTRIBUTING.md b/vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/CONTRIBUTING.md
rename to vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/LICENSE b/vendor/github.com/go-jose/go-jose/v4/LICENSE
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/LICENSE
rename to vendor/github.com/go-jose/go-jose/v4/LICENSE
diff --git a/vendor/github.com/go-jose/go-jose/v3/README.md b/vendor/github.com/go-jose/go-jose/v4/README.md
similarity index 82%
rename from vendor/github.com/go-jose/go-jose/v3/README.md
rename to vendor/github.com/go-jose/go-jose/v4/README.md
index 282cd9e13..79a7c5ecc 100644
--- a/vendor/github.com/go-jose/go-jose/v3/README.md
+++ b/vendor/github.com/go-jose/go-jose/v4/README.md
@@ -1,17 +1,9 @@
 # Go JOSE
 
-### Versions
-
-[Version 4](https://github.com/go-jose/go-jose)
-([branch](https://github.com/go-jose/go-jose/),
-[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
-
-    import "github.com/go-jose/go-jose/v4"
-
-The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
-are deprecated.
-
-### Summary
+[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
+[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
+[![license](https://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
+[![test](https://img.shields.io/github/checks-status/go-jose/go-jose/v4)](https://github.com/go-jose/go-jose/actions)
 
 Package jose aims to provide an implementation of the Javascript Object Signing
 and Encryption set of standards. This includes support for JSON Web Encryption,
@@ -43,6 +35,20 @@ of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/curren
 This is to avoid differences in interpretation of messages between go-jose and
 libraries in other languages.
 
+### Versions
+
+[Version 4](https://github.com/go-jose/go-jose)
+([branch](https://github.com/go-jose/go-jose/tree/main),
+[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
+
+    import "github.com/go-jose/go-jose/v4"
+
+The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
+are still useable but not actively developed anymore.
+
+Version 3, in this repo, is still receiving security fixes but not functionality
+updates.
+
 ### Supported algorithms
 
 See below for a table of supported algorithms. Algorithm identifiers match
@@ -98,11 +104,11 @@ allows attaching a key id.
 
 ## Examples
 
-[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3)
-[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt)
+[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
+[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
 
 Examples can be found in the Godoc
 reference for this package. The
-[`jose-util`](https://github.com/go-jose/go-jose/tree/v3/jose-util)
+[`jose-util`](https://github.com/go-jose/go-jose/tree/v4/jose-util)
 subdirectory also contains a small command-line utility which might be useful
 as an example as well.
diff --git a/vendor/github.com/go-jose/go-jose/v3/SECURITY.md b/vendor/github.com/go-jose/go-jose/v4/SECURITY.md
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/SECURITY.md
rename to vendor/github.com/go-jose/go-jose/v4/SECURITY.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/asymmetric.go b/vendor/github.com/go-jose/go-jose/v4/asymmetric.go
similarity index 99%
rename from vendor/github.com/go-jose/go-jose/v3/asymmetric.go
rename to vendor/github.com/go-jose/go-jose/v4/asymmetric.go
index d4d4961b2..f8d5774ef 100644
--- a/vendor/github.com/go-jose/go-jose/v3/asymmetric.go
+++ b/vendor/github.com/go-jose/go-jose/v4/asymmetric.go
@@ -29,8 +29,8 @@ import (
 	"fmt"
 	"math/big"
 
-	josecipher "github.com/go-jose/go-jose/v3/cipher"
-	"github.com/go-jose/go-jose/v3/json"
+	josecipher "github.com/go-jose/go-jose/v4/cipher"
+	"github.com/go-jose/go-jose/v4/json"
 )
 
 // A generic RSA-based encrypter/verifier
diff --git a/vendor/github.com/go-jose/go-jose/v3/cipher/cbc_hmac.go b/vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/cipher/cbc_hmac.go
rename to vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/cipher/concat_kdf.go b/vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/cipher/concat_kdf.go
rename to vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/cipher/ecdh_es.go b/vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/cipher/ecdh_es.go
rename to vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/cipher/key_wrap.go b/vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/cipher/key_wrap.go
rename to vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/crypter.go b/vendor/github.com/go-jose/go-jose/v4/crypter.go
similarity index 99%
rename from vendor/github.com/go-jose/go-jose/v3/crypter.go
rename to vendor/github.com/go-jose/go-jose/v4/crypter.go
index 8870e8905..aba08424c 100644
--- a/vendor/github.com/go-jose/go-jose/v3/crypter.go
+++ b/vendor/github.com/go-jose/go-jose/v4/crypter.go
@@ -22,7 +22,7 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-jose/go-jose/v4/json"
 )
 
 // Encrypter represents an encrypter which produces an encrypted JWE object.
diff --git a/vendor/github.com/go-jose/go-jose/v3/doc.go b/vendor/github.com/go-jose/go-jose/v4/doc.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/doc.go
rename to vendor/github.com/go-jose/go-jose/v4/doc.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v4/encoding.go
similarity index 92%
rename from vendor/github.com/go-jose/go-jose/v3/encoding.go
rename to vendor/github.com/go-jose/go-jose/v4/encoding.go
index 9f07cfdcb..4f6e0d4a5 100644
--- a/vendor/github.com/go-jose/go-jose/v3/encoding.go
+++ b/vendor/github.com/go-jose/go-jose/v4/encoding.go
@@ -27,7 +27,7 @@ import (
 	"strings"
 	"unicode"
 
-	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-jose/go-jose/v4/json"
 )
 
 // Helper function to serialize known-good objects.
@@ -106,10 +106,7 @@ func inflate(input []byte) ([]byte, error) {
 	output := new(bytes.Buffer)
 	reader := flate.NewReader(bytes.NewBuffer(input))
 
-	maxCompressedSize := 10 * int64(len(input))
-	if maxCompressedSize < 250000 {
-		maxCompressedSize = 250000
-	}
+	maxCompressedSize := max(250_000, 10*int64(len(input)))
 
 	limit := maxCompressedSize + 1
 	n, err := io.CopyN(output, reader, limit)
@@ -167,7 +164,7 @@ func (b *byteBuffer) UnmarshalJSON(data []byte) error {
 		return nil
 	}
 
-	decoded, err := base64URLDecode(encoded)
+	decoded, err := base64.RawURLEncoding.DecodeString(encoded)
 	if err != nil {
 		return err
 	}
@@ -197,12 +194,6 @@ func (b byteBuffer) toInt() int {
 	return int(b.bigInt().Int64())
 }
 
-// base64URLDecode is implemented as defined in https://www.rfc-editor.org/rfc/rfc7515.html#appendix-C
-func base64URLDecode(value string) ([]byte, error) {
-	value = strings.TrimRight(value, "=")
-	return base64.RawURLEncoding.DecodeString(value)
-}
-
 func base64EncodeLen(sl []byte) int {
 	return base64.RawURLEncoding.EncodedLen(len(sl))
 }
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/LICENSE b/vendor/github.com/go-jose/go-jose/v4/json/LICENSE
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/LICENSE
rename to vendor/github.com/go-jose/go-jose/v4/json/LICENSE
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/README.md b/vendor/github.com/go-jose/go-jose/v4/json/README.md
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/README.md
rename to vendor/github.com/go-jose/go-jose/v4/json/README.md
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/decode.go b/vendor/github.com/go-jose/go-jose/v4/json/decode.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/decode.go
rename to vendor/github.com/go-jose/go-jose/v4/json/decode.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/encode.go b/vendor/github.com/go-jose/go-jose/v4/json/encode.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/encode.go
rename to vendor/github.com/go-jose/go-jose/v4/json/encode.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/indent.go b/vendor/github.com/go-jose/go-jose/v4/json/indent.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/indent.go
rename to vendor/github.com/go-jose/go-jose/v4/json/indent.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/scanner.go b/vendor/github.com/go-jose/go-jose/v4/json/scanner.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/scanner.go
rename to vendor/github.com/go-jose/go-jose/v4/json/scanner.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/stream.go b/vendor/github.com/go-jose/go-jose/v4/json/stream.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/stream.go
rename to vendor/github.com/go-jose/go-jose/v4/json/stream.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/json/tags.go b/vendor/github.com/go-jose/go-jose/v4/json/tags.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/json/tags.go
rename to vendor/github.com/go-jose/go-jose/v4/json/tags.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
similarity index 63%
rename from vendor/github.com/go-jose/go-jose/v3/jwe.go
rename to vendor/github.com/go-jose/go-jose/v4/jwe.go
index 4267ac750..89f03ee3e 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
@@ -18,10 +18,11 @@ package jose
 
 import (
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"strings"
 
-	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-jose/go-jose/v4/json"
 )
 
 // rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
@@ -104,29 +105,75 @@ func (obj JSONWebEncryption) computeAuthData() []byte {
 	return output
 }
 
-// ParseEncrypted parses an encrypted message in compact or JWE JSON Serialization format.
-func ParseEncrypted(input string) (*JSONWebEncryption, error) {
-	input = stripWhitespace(input)
-	if strings.HasPrefix(input, "{") {
-		return parseEncryptedFull(input)
+func containsKeyAlgorithm(haystack []KeyAlgorithm, needle KeyAlgorithm) bool {
+	for _, algorithm := range haystack {
+		if algorithm == needle {
+			return true
+		}
 	}
-
-	return parseEncryptedCompact(input)
+	return false
 }
 
-// parseEncryptedFull parses a message in compact format.
-func parseEncryptedFull(input string) (*JSONWebEncryption, error) {
+func containsContentEncryption(haystack []ContentEncryption, needle ContentEncryption) bool {
+	for _, algorithm := range haystack {
+		if algorithm == needle {
+			return true
+		}
+	}
+	return false
+}
+
+// ParseEncrypted parses an encrypted message in JWE Compact or JWE JSON Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
+// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
+//
+// The keyAlgorithms and contentEncryption parameters are used to validate the "alg" and "enc"
+// header parameters respectively. They must be nonempty, and each "alg" or "enc" header in
+// parsed data must contain a value that is present in the corresponding parameter. That
+// includes the protected and unprotected headers as well as all recipients. To accept
+// multiple algorithms, pass a slice of all the algorithms you want to accept.
+func ParseEncrypted(input string,
+	keyEncryptionAlgorithms []KeyAlgorithm,
+	contentEncryption []ContentEncryption,
+) (*JSONWebEncryption, error) {
+	input = stripWhitespace(input)
+	if strings.HasPrefix(input, "{") {
+		return ParseEncryptedJSON(input, keyEncryptionAlgorithms, contentEncryption)
+	}
+
+	return ParseEncryptedCompact(input, keyEncryptionAlgorithms, contentEncryption)
+}
+
+// ParseEncryptedJSON parses a message in JWE JSON Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
+func ParseEncryptedJSON(
+	input string,
+	keyEncryptionAlgorithms []KeyAlgorithm,
+	contentEncryption []ContentEncryption,
+) (*JSONWebEncryption, error) {
 	var parsed rawJSONWebEncryption
 	err := json.Unmarshal([]byte(input), &parsed)
 	if err != nil {
 		return nil, err
 	}
 
-	return parsed.sanitized()
+	return parsed.sanitized(keyEncryptionAlgorithms, contentEncryption)
 }
 
 // sanitized produces a cleaned-up JWE object from the raw JSON.
-func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+func (parsed *rawJSONWebEncryption) sanitized(
+	keyEncryptionAlgorithms []KeyAlgorithm,
+	contentEncryption []ContentEncryption,
+) (*JSONWebEncryption, error) {
+	if len(keyEncryptionAlgorithms) == 0 {
+		return nil, errors.New("go-jose/go-jose: no key algorithms provided")
+	}
+	if len(contentEncryption) == 0 {
+		return nil, errors.New("go-jose/go-jose: no content encryption algorithms provided")
+	}
+
 	obj := &JSONWebEncryption{
 		original:    parsed,
 		unprotected: parsed.Unprotected,
@@ -170,7 +217,7 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
 	} else {
 		obj.recipients = make([]recipientInfo, len(parsed.Recipients))
 		for r := range parsed.Recipients {
-			encryptedKey, err := base64URLDecode(parsed.Recipients[r].EncryptedKey)
+			encryptedKey, err := base64.RawURLEncoding.DecodeString(parsed.Recipients[r].EncryptedKey)
 			if err != nil {
 				return nil, err
 			}
@@ -185,10 +232,31 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
 		}
 	}
 
-	for _, recipient := range obj.recipients {
+	for i, recipient := range obj.recipients {
 		headers := obj.mergedHeaders(&recipient)
-		if headers.getAlgorithm() == "" || headers.getEncryption() == "" {
-			return nil, fmt.Errorf("go-jose/go-jose: message is missing alg/enc headers")
+		if headers.getAlgorithm() == "" {
+			return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "alg"`, i)
+		}
+		if headers.getEncryption() == "" {
+			return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "enc"`, i)
+		}
+		err := validateAlgEnc(headers, keyEncryptionAlgorithms, contentEncryption)
+		if err != nil {
+			return nil, fmt.Errorf("go-jose/go-jose: recipient %d: %s", i, err)
+		}
+
+	}
+
+	if obj.protected != nil {
+		err := validateAlgEnc(*obj.protected, keyEncryptionAlgorithms, contentEncryption)
+		if err != nil {
+			return nil, fmt.Errorf("go-jose/go-jose: protected header: %s", err)
+		}
+	}
+	if obj.unprotected != nil {
+		err := validateAlgEnc(*obj.unprotected, keyEncryptionAlgorithms, contentEncryption)
+		if err != nil {
+			return nil, fmt.Errorf("go-jose/go-jose: unprotected header: %s", err)
 		}
 	}
 
@@ -200,34 +268,52 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
 	return obj, nil
 }
 
-// parseEncryptedCompact parses a message in compact format.
-func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+func validateAlgEnc(headers rawHeader, keyAlgorithms []KeyAlgorithm, contentEncryption []ContentEncryption) error {
+	alg := headers.getAlgorithm()
+	enc := headers.getEncryption()
+	if alg != "" && !containsKeyAlgorithm(keyAlgorithms, alg) {
+		return fmt.Errorf("unexpected key algorithm %q; expected %q", alg, keyAlgorithms)
+	}
+	if alg != "" && !containsContentEncryption(contentEncryption, enc) {
+		return fmt.Errorf("unexpected content encryption algorithm %q; expected %q", enc, contentEncryption)
+	}
+	return nil
+}
+
+// ParseEncryptedCompact parses a message in JWE Compact Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
+func ParseEncryptedCompact(
+	input string,
+	keyAlgorithms []KeyAlgorithm,
+	contentEncryption []ContentEncryption,
+) (*JSONWebEncryption, error) {
 	parts := strings.Split(input, ".")
 	if len(parts) != 5 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
 	}
 
-	rawProtected, err := base64URLDecode(parts[0])
+	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
 	if err != nil {
 		return nil, err
 	}
 
-	encryptedKey, err := base64URLDecode(parts[1])
+	encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1])
 	if err != nil {
 		return nil, err
 	}
 
-	iv, err := base64URLDecode(parts[2])
+	iv, err := base64.RawURLEncoding.DecodeString(parts[2])
 	if err != nil {
 		return nil, err
 	}
 
-	ciphertext, err := base64URLDecode(parts[3])
+	ciphertext, err := base64.RawURLEncoding.DecodeString(parts[3])
 	if err != nil {
 		return nil, err
 	}
 
-	tag, err := base64URLDecode(parts[4])
+	tag, err := base64.RawURLEncoding.DecodeString(parts[4])
 	if err != nil {
 		return nil, err
 	}
@@ -240,7 +326,7 @@ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
 		Tag:          newBuffer(tag),
 	}
 
-	return raw.sanitized()
+	return raw.sanitized(keyAlgorithms, contentEncryption)
 }
 
 // CompactSerialize serializes an object using the compact serialization format.
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwk.go b/vendor/github.com/go-jose/go-jose/v4/jwk.go
similarity index 99%
rename from vendor/github.com/go-jose/go-jose/v3/jwk.go
rename to vendor/github.com/go-jose/go-jose/v4/jwk.go
index e4021959a..a565aaab2 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwk.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwk.go
@@ -35,7 +35,7 @@ import (
 	"reflect"
 	"strings"
 
-	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-jose/go-jose/v4/json"
 )
 
 // rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
@@ -266,7 +266,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
 
 	// x5t parameters are base64url-encoded SHA thumbprints
 	// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
-	x5tSHA1bytes, err := base64URLDecode(raw.X5tSHA1)
+	x5tSHA1bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA1)
 	if err != nil {
 		return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
 	}
@@ -286,7 +286,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
 
 	k.CertificateThumbprintSHA1 = x5tSHA1bytes
 
-	x5tSHA256bytes, err := base64URLDecode(raw.X5tSHA256)
+	x5tSHA256bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA256)
 	if err != nil {
 		return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
 	}
diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
similarity index 80%
rename from vendor/github.com/go-jose/go-jose/v3/jws.go
rename to vendor/github.com/go-jose/go-jose/v4/jws.go
index e37007dbb..3a912301a 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
@@ -23,7 +23,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-jose/go-jose/v4/json"
 )
 
 // rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
@@ -75,22 +75,41 @@ type Signature struct {
 	original  *rawSignatureInfo
 }
 
-// ParseSigned parses a signed message in compact or JWS JSON Serialization format.
-func ParseSigned(signature string) (*JSONWebSignature, error) {
+// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7515#section-7
+func ParseSigned(
+	signature string,
+	signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
 	signature = stripWhitespace(signature)
 	if strings.HasPrefix(signature, "{") {
-		return parseSignedFull(signature)
+		return ParseSignedJSON(signature, signatureAlgorithms)
 	}
 
-	return parseSignedCompact(signature, nil)
+	return parseSignedCompact(signature, nil, signatureAlgorithms)
+}
+
+// ParseSignedCompact parses a message in JWS Compact Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
+func ParseSignedCompact(
+	signature string,
+	signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
+	return parseSignedCompact(signature, nil, signatureAlgorithms)
 }
 
 // ParseDetached parses a signed message in compact serialization format with detached payload.
-func ParseDetached(signature string, payload []byte) (*JSONWebSignature, error) {
+func ParseDetached(
+	signature string,
+	payload []byte,
+	signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
 	if payload == nil {
 		return nil, errors.New("go-jose/go-jose: nil payload")
 	}
-	return parseSignedCompact(stripWhitespace(signature), payload)
+	return parseSignedCompact(stripWhitespace(signature), payload, signatureAlgorithms)
 }
 
 // Get a header value
@@ -137,19 +156,36 @@ func (obj JSONWebSignature) computeAuthData(payload []byte, signature *Signature
 	return authData.Bytes(), nil
 }
 
-// parseSignedFull parses a message in full format.
-func parseSignedFull(input string) (*JSONWebSignature, error) {
+// ParseSignedJSON parses a message in JWS JSON Serialization.
+//
+// https://datatracker.ietf.org/doc/html/rfc7515#section-7.2
+func ParseSignedJSON(
+	input string,
+	signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
 	var parsed rawJSONWebSignature
 	err := json.Unmarshal([]byte(input), &parsed)
 	if err != nil {
 		return nil, err
 	}
 
-	return parsed.sanitized()
+	return parsed.sanitized(signatureAlgorithms)
+}
+
+func containsSignatureAlgorithm(haystack []SignatureAlgorithm, needle SignatureAlgorithm) bool {
+	for _, algorithm := range haystack {
+		if algorithm == needle {
+			return true
+		}
+	}
+	return false
 }
 
 // sanitized produces a cleaned-up JWS object from the raw JSON.
-func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
+	if len(signatureAlgorithms) == 0 {
+		return nil, errors.New("go-jose/go-jose: no signature algorithms specified")
+	}
 	if parsed.Payload == nil {
 		return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message")
 	}
@@ -198,6 +234,12 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
 			return nil, err
 		}
 
+		alg := SignatureAlgorithm(signature.Header.Algorithm)
+		if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
+			return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
+				alg, signatureAlgorithms)
+		}
+
 		if signature.header != nil {
 			signature.Unprotected, err = signature.header.sanitized()
 			if err != nil {
@@ -241,6 +283,12 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
 			return nil, err
 		}
 
+		alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
+		if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
+			return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
+				alg, signatureAlgorithms)
+		}
+
 		if obj.Signatures[i].header != nil {
 			obj.Signatures[i].Unprotected, err = obj.Signatures[i].header.sanitized()
 			if err != nil {
@@ -274,7 +322,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
 }
 
 // parseSignedCompact parses a message in compact format.
-func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+func parseSignedCompact(
+	input string,
+	payload []byte,
+	signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
 	parts := strings.Split(input, ".")
 	if len(parts) != 3 {
 		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
@@ -284,19 +336,19 @@ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error)
 		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
 	}
 
-	rawProtected, err := base64URLDecode(parts[0])
+	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
 	if err != nil {
 		return nil, err
 	}
 
 	if payload == nil {
-		payload, err = base64URLDecode(parts[1])
+		payload, err = base64.RawURLEncoding.DecodeString(parts[1])
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	signature, err := base64URLDecode(parts[2])
+	signature, err := base64.RawURLEncoding.DecodeString(parts[2])
 	if err != nil {
 		return nil, err
 	}
@@ -306,7 +358,7 @@ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error)
 		Protected: newBuffer(rawProtected),
 		Signature: newBuffer(signature),
 	}
-	return raw.sanitized()
+	return raw.sanitized(signatureAlgorithms)
 }
 
 func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) {
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/builder.go b/vendor/github.com/go-jose/go-jose/v4/jwt/builder.go
similarity index 83%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/builder.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/builder.go
index 7df270cc3..d68bb3725 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwt/builder.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwt/builder.go
@@ -21,13 +21,13 @@ import (
 	"bytes"
 	"reflect"
 
-	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-jose/go-jose/v4/json"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 )
 
 // Builder is a utility for making JSON Web Tokens. Calls can be chained, and
-// errors are accumulated until the final call to CompactSerialize/FullSerialize.
+// errors are accumulated until the final call to Serialize.
 type Builder interface {
 	// Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
 	// into single JSON object. If you are passing private claims, make sure to set
@@ -36,15 +36,13 @@ type Builder interface {
 	Claims(i interface{}) Builder
 	// Token builds a JSONWebToken from provided data.
 	Token() (*JSONWebToken, error)
-	// FullSerialize serializes a token using the JWS/JWE JSON Serialization format.
-	FullSerialize() (string, error)
-	// CompactSerialize serializes a token using the compact serialization format.
-	CompactSerialize() (string, error)
+	// Serialize serializes a token.
+	Serialize() (string, error)
 }
 
 // NestedBuilder is a utility for making Signed-Then-Encrypted JSON Web Tokens.
 // Calls can be chained, and errors are accumulated until final call to
-// CompactSerialize/FullSerialize.
+// Serialize.
 type NestedBuilder interface {
 	// Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
 	// into single JSON object. If you are passing private claims, make sure to set
@@ -53,10 +51,8 @@ type NestedBuilder interface {
 	Claims(i interface{}) NestedBuilder
 	// Token builds a NestedJSONWebToken from provided data.
 	Token() (*NestedJSONWebToken, error)
-	// FullSerialize serializes a token using the JSON Serialization format.
-	FullSerialize() (string, error)
-	// CompactSerialize serializes a token using the compact serialization format.
-	CompactSerialize() (string, error)
+	// Serialize serializes a token.
+	Serialize() (string, error)
 }
 
 type builder struct {
@@ -194,7 +190,7 @@ func (b *signedBuilder) Token() (*JSONWebToken, error) {
 	return b.builder.token(sig.Verify, h)
 }
 
-func (b *signedBuilder) CompactSerialize() (string, error) {
+func (b *signedBuilder) Serialize() (string, error) {
 	sig, err := b.sign()
 	if err != nil {
 		return "", err
@@ -203,15 +199,6 @@ func (b *signedBuilder) CompactSerialize() (string, error) {
 	return sig.CompactSerialize()
 }
 
-func (b *signedBuilder) FullSerialize() (string, error) {
-	sig, err := b.sign()
-	if err != nil {
-		return "", err
-	}
-
-	return sig.FullSerialize(), nil
-}
-
 func (b *signedBuilder) sign() (*jose.JSONWebSignature, error) {
 	if b.err != nil {
 		return nil, b.err
@@ -232,7 +219,7 @@ func (b *encryptedBuilder) Claims(i interface{}) Builder {
 	}
 }
 
-func (b *encryptedBuilder) CompactSerialize() (string, error) {
+func (b *encryptedBuilder) Serialize() (string, error) {
 	enc, err := b.encrypt()
 	if err != nil {
 		return "", err
@@ -241,15 +228,6 @@ func (b *encryptedBuilder) CompactSerialize() (string, error) {
 	return enc.CompactSerialize()
 }
 
-func (b *encryptedBuilder) FullSerialize() (string, error) {
-	enc, err := b.encrypt()
-	if err != nil {
-		return "", err
-	}
-
-	return enc.FullSerialize(), nil
-}
-
 func (b *encryptedBuilder) Token() (*JSONWebToken, error) {
 	enc, err := b.encrypt()
 	if err != nil {
@@ -280,6 +258,8 @@ func (b *nestedBuilder) Claims(i interface{}) NestedBuilder {
 	}
 }
 
+// Token produced a token suitable for serialization. It cannot be decrypted
+// without serializing and then deserializing.
 func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) {
 	enc, err := b.signAndEncrypt()
 	if err != nil {
@@ -287,12 +267,13 @@ func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) {
 	}
 
 	return &NestedJSONWebToken{
-		enc:     enc,
-		Headers: []jose.Header{enc.Header},
+		allowedSignatureAlgorithms: nil,
+		enc:                        enc,
+		Headers:                    []jose.Header{enc.Header},
 	}, nil
 }
 
-func (b *nestedBuilder) CompactSerialize() (string, error) {
+func (b *nestedBuilder) Serialize() (string, error) {
 	enc, err := b.signAndEncrypt()
 	if err != nil {
 		return "", err
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/claims.go b/vendor/github.com/go-jose/go-jose/v4/jwt/claims.go
similarity index 98%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/claims.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/claims.go
index b2a8dc8d4..e73412a39 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwt/claims.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwt/claims.go
@@ -21,7 +21,7 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-jose/go-jose/v4/json"
 )
 
 // Claims represents public claim values (as specified in RFC 7519).
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/doc.go b/vendor/github.com/go-jose/go-jose/v4/jwt/doc.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/doc.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/doc.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/errors.go b/vendor/github.com/go-jose/go-jose/v4/jwt/errors.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/errors.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/errors.go
diff --git a/vendor/github.com/go-jose/go-jose/v4/jwt/jwt.go b/vendor/github.com/go-jose/go-jose/v4/jwt/jwt.go
new file mode 100644
index 000000000..c4998d787
--- /dev/null
+++ b/vendor/github.com/go-jose/go-jose/v4/jwt/jwt.go
@@ -0,0 +1,198 @@
+/*-
+ * Copyright 2016 Zbigniew Mandziejewicz
+ * Copyright 2016 Square, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jwt
+
+import (
+	"fmt"
+	"strings"
+
+	jose "github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/json"
+)
+
+// JSONWebToken represents a JSON Web Token (as specified in RFC7519).
+type JSONWebToken struct {
+	payload           func(k interface{}) ([]byte, error)
+	unverifiedPayload func() []byte
+	Headers           []jose.Header
+}
+
+type NestedJSONWebToken struct {
+	enc     *jose.JSONWebEncryption
+	Headers []jose.Header
+	// Used when parsing and decrypting an input
+	allowedSignatureAlgorithms []jose.SignatureAlgorithm
+}
+
+// Claims deserializes a JSONWebToken into dest using the provided key.
+func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
+	b, err := t.payload(key)
+	if err != nil {
+		return err
+	}
+
+	for _, d := range dest {
+		if err := json.Unmarshal(b, d); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// UnsafeClaimsWithoutVerification deserializes the claims of a
+// JSONWebToken into the dests. For signed JWTs, the claims are not
+// verified. This function won't work for encrypted JWTs.
+func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) error {
+	if t.unverifiedPayload == nil {
+		return fmt.Errorf("go-jose/go-jose: Cannot get unverified claims")
+	}
+	claims := t.unverifiedPayload()
+	for _, d := range dest {
+		if err := json.Unmarshal(claims, d); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (t *NestedJSONWebToken) Decrypt(decryptionKey interface{}) (*JSONWebToken, error) {
+	b, err := t.enc.Decrypt(decryptionKey)
+	if err != nil {
+		return nil, err
+	}
+
+	sig, err := ParseSigned(string(b), t.allowedSignatureAlgorithms)
+	if err != nil {
+		return nil, err
+	}
+
+	return sig, nil
+}
+
+// ParseSigned parses token from JWS form.
+func ParseSigned(s string, signatureAlgorithms []jose.SignatureAlgorithm) (*JSONWebToken, error) {
+	sig, err := jose.ParseSignedCompact(s, signatureAlgorithms)
+	if err != nil {
+		return nil, err
+	}
+	headers := make([]jose.Header, len(sig.Signatures))
+	for i, signature := range sig.Signatures {
+		headers[i] = signature.Header
+	}
+
+	return &JSONWebToken{
+		payload:           sig.Verify,
+		unverifiedPayload: sig.UnsafePayloadWithoutVerification,
+		Headers:           headers,
+	}, nil
+}
+
+func validateKeyEncryptionAlgorithm(algs []jose.KeyAlgorithm) error {
+	for _, alg := range algs {
+		switch alg {
+		case jose.ED25519,
+			jose.RSA1_5,
+			jose.RSA_OAEP,
+			jose.RSA_OAEP_256,
+			jose.ECDH_ES,
+			jose.ECDH_ES_A128KW,
+			jose.ECDH_ES_A192KW,
+			jose.ECDH_ES_A256KW:
+			return fmt.Errorf("asymmetric encryption algorithms not supported for JWT: "+
+				"invalid key encryption algorithm: %s", alg)
+		case jose.PBES2_HS256_A128KW,
+			jose.PBES2_HS384_A192KW,
+			jose.PBES2_HS512_A256KW:
+			return fmt.Errorf("password-based encryption not supported for JWT: "+
+				"invalid key encryption algorithm: %s", alg)
+		}
+	}
+	return nil
+}
+
+func parseEncryptedCompact(
+	s string,
+	keyAlgorithms []jose.KeyAlgorithm,
+	contentEncryption []jose.ContentEncryption,
+) (*jose.JSONWebEncryption, error) {
+	err := validateKeyEncryptionAlgorithm(keyAlgorithms)
+	if err != nil {
+		return nil, err
+	}
+	enc, err := jose.ParseEncryptedCompact(s, keyAlgorithms, contentEncryption)
+	if err != nil {
+		return nil, err
+	}
+	return enc, nil
+}
+
+// ParseEncrypted parses token from JWE form.
+//
+// The keyAlgorithms and contentEncryption parameters are used to validate the "alg" and "enc"
+// header parameters respectively. They must be nonempty, and each "alg" or "enc" header in
+// parsed data must contain a value that is present in the corresponding parameter. That
+// includes the protected and unprotected headers as well as all recipients. To accept
+// multiple algorithms, pass a slice of all the algorithms you want to accept.
+func ParseEncrypted(s string,
+	keyAlgorithms []jose.KeyAlgorithm,
+	contentEncryption []jose.ContentEncryption,
+) (*JSONWebToken, error) {
+	enc, err := parseEncryptedCompact(s, keyAlgorithms, contentEncryption)
+	if err != nil {
+		return nil, err
+	}
+
+	return &JSONWebToken{
+		payload: enc.Decrypt,
+		Headers: []jose.Header{enc.Header},
+	}, nil
+}
+
+// ParseSignedAndEncrypted parses signed-then-encrypted token from JWE form.
+//
+// The encryptionKeyAlgorithms and contentEncryption parameters are used to validate the "alg" and "enc"
+// header parameters, respectively, of the outer JWE. They must be nonempty, and each "alg" or "enc"
+// header in parsed data must contain a value that is present in the corresponding parameter. That
+// includes the protected and unprotected headers as well as all recipients. To accept
+// multiple algorithms, pass a slice of all the algorithms you want to accept.
+//
+// The signatureAlgorithms parameter is used to validate the "alg" header parameter of the
+// inner JWS. It must be nonempty, and the "alg" header in the inner JWS must contain a value
+// that is present in the parameter.
+func ParseSignedAndEncrypted(s string,
+	encryptionKeyAlgorithms []jose.KeyAlgorithm,
+	contentEncryption []jose.ContentEncryption,
+	signatureAlgorithms []jose.SignatureAlgorithm,
+) (*NestedJSONWebToken, error) {
+	enc, err := parseEncryptedCompact(s, encryptionKeyAlgorithms, contentEncryption)
+	if err != nil {
+		return nil, err
+	}
+
+	contentType, _ := enc.Header.ExtraHeaders[jose.HeaderContentType].(string)
+	if strings.ToUpper(contentType) != "JWT" {
+		return nil, ErrInvalidContentType
+	}
+
+	return &NestedJSONWebToken{
+		allowedSignatureAlgorithms: signatureAlgorithms,
+		enc:                        enc,
+		Headers:                    []jose.Header{enc.Header},
+	}, nil
+}
diff --git a/vendor/github.com/go-jose/go-jose/v3/jwt/validation.go b/vendor/github.com/go-jose/go-jose/v4/jwt/validation.go
similarity index 91%
rename from vendor/github.com/go-jose/go-jose/v3/jwt/validation.go
rename to vendor/github.com/go-jose/go-jose/v4/jwt/validation.go
index 09d8541f4..841a93eef 100644
--- a/vendor/github.com/go-jose/go-jose/v3/jwt/validation.go
+++ b/vendor/github.com/go-jose/go-jose/v4/jwt/validation.go
@@ -33,8 +33,9 @@ type Expected struct {
 	Issuer string
 	// Subject matches the "sub" claim exactly.
 	Subject string
-	// Audience matches the values in "aud" claim, regardless of their order.
-	Audience Audience
+	// AnyAudience matches if there is a non-empty intersection between
+	// its values and the values in the "aud" claim.
+	AnyAudience Audience
 	// ID matches the "jti" claim exactly.
 	ID string
 	// Time matches the "exp", "nbf" and "iat" claims with leeway.
@@ -88,12 +89,18 @@ func (c Claims) ValidateWithLeeway(e Expected, leeway time.Duration) error {
 		return ErrInvalidID
 	}
 
-	if len(e.Audience) != 0 {
-		for _, v := range e.Audience {
-			if !c.Audience.Contains(v) {
-				return ErrInvalidAudience
+	if len(e.AnyAudience) != 0 {
+		var intersection bool
+		for _, v := range e.AnyAudience {
+			if c.Audience.Contains(v) {
+				intersection = true
+				break
 			}
 		}
+
+		if !intersection {
+			return ErrInvalidAudience
+		}
 	}
 
 	// validate using the e.Time, or time.Now if not provided
diff --git a/vendor/github.com/go-jose/go-jose/v3/opaque.go b/vendor/github.com/go-jose/go-jose/v4/opaque.go
similarity index 100%
rename from vendor/github.com/go-jose/go-jose/v3/opaque.go
rename to vendor/github.com/go-jose/go-jose/v4/opaque.go
diff --git a/vendor/github.com/go-jose/go-jose/v3/shared.go b/vendor/github.com/go-jose/go-jose/v4/shared.go
similarity index 99%
rename from vendor/github.com/go-jose/go-jose/v3/shared.go
rename to vendor/github.com/go-jose/go-jose/v4/shared.go
index 489a04e32..b485e43bd 100644
--- a/vendor/github.com/go-jose/go-jose/v3/shared.go
+++ b/vendor/github.com/go-jose/go-jose/v4/shared.go
@@ -23,7 +23,7 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-jose/go-jose/v4/json"
 )
 
 // KeyAlgorithm represents a key management algorithm.
diff --git a/vendor/github.com/go-jose/go-jose/v3/signing.go b/vendor/github.com/go-jose/go-jose/v4/signing.go
similarity index 97%
rename from vendor/github.com/go-jose/go-jose/v3/signing.go
rename to vendor/github.com/go-jose/go-jose/v4/signing.go
index 52f3d8560..f0b0294f3 100644
--- a/vendor/github.com/go-jose/go-jose/v3/signing.go
+++ b/vendor/github.com/go-jose/go-jose/v4/signing.go
@@ -25,7 +25,7 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-jose/go-jose/v4/json"
 )
 
 // NonceSource represents a source of random nonces to go into JWS objects
@@ -49,6 +49,11 @@ type Signer interface {
 //   - JSONWebKey
 //   - []byte (an HMAC key)
 //   - Any type that satisfies the OpaqueSigner interface
+//
+// If the key is an HMAC key, it must have at least as many bytes as the relevant hash output:
+//   - HS256: 32 bytes
+//   - HS384: 48 bytes
+//   - HS512: 64 bytes
 type SigningKey struct {
 	Algorithm SignatureAlgorithm
 	Key       interface{}
@@ -355,6 +360,11 @@ func (ctx *genericSigner) Options() SignerOptions {
 //   - JSONWebKey
 //   - []byte (an HMAC key)
 //   - Any type that implements the OpaqueVerifier interface.
+//
+// If the key is an HMAC key, it must have at least as many bytes as the relevant hash output:
+//   - HS256: 32 bytes
+//   - HS384: 48 bytes
+//   - HS512: 64 bytes
 func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) {
 	err := obj.DetachedVerify(obj.payload, verificationKey)
 	if err != nil {
diff --git a/vendor/github.com/go-jose/go-jose/v3/symmetric.go b/vendor/github.com/go-jose/go-jose/v4/symmetric.go
similarity index 96%
rename from vendor/github.com/go-jose/go-jose/v3/symmetric.go
rename to vendor/github.com/go-jose/go-jose/v4/symmetric.go
index 10d8e19fd..a69103b08 100644
--- a/vendor/github.com/go-jose/go-jose/v3/symmetric.go
+++ b/vendor/github.com/go-jose/go-jose/v4/symmetric.go
@@ -32,7 +32,7 @@ import (
 
 	"golang.org/x/crypto/pbkdf2"
 
-	josecipher "github.com/go-jose/go-jose/v3/cipher"
+	josecipher "github.com/go-jose/go-jose/v4/cipher"
 )
 
 // RandReader is a cryptographically secure random number generator (stubbed out in tests).
@@ -454,7 +454,7 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
 func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
 	mac, err := ctx.hmac(payload, alg)
 	if err != nil {
-		return Signature{}, errors.New("go-jose/go-jose: failed to compute hmac")
+		return Signature{}, err
 	}
 
 	return Signature{
@@ -486,12 +486,24 @@ func (ctx symmetricMac) verifyPayload(payload []byte, mac []byte, alg SignatureA
 func (ctx symmetricMac) hmac(payload []byte, alg SignatureAlgorithm) ([]byte, error) {
 	var hash func() hash.Hash
 
+	// https://datatracker.ietf.org/doc/html/rfc7518#section-3.2
+	// A key of the same size as the hash output (for instance, 256 bits for
+	// "HS256") or larger MUST be used
 	switch alg {
 	case HS256:
+		if len(ctx.key)*8 < 256 {
+			return nil, ErrInvalidKeySize
+		}
 		hash = sha256.New
 	case HS384:
+		if len(ctx.key)*8 < 384 {
+			return nil, ErrInvalidKeySize
+		}
 		hash = sha512.New384
 	case HS512:
+		if len(ctx.key)*8 < 512 {
+			return nil, ErrInvalidKeySize
+		}
 		hash = sha512.New
 	default:
 		return nil, ErrUnsupportedAlgorithm
diff --git a/vendor/github.com/go-task/slim-sprig/.editorconfig b/vendor/github.com/go-task/slim-sprig/v3/.editorconfig
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/.editorconfig
rename to vendor/github.com/go-task/slim-sprig/v3/.editorconfig
diff --git a/vendor/github.com/go-task/slim-sprig/.gitattributes b/vendor/github.com/go-task/slim-sprig/v3/.gitattributes
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/.gitattributes
rename to vendor/github.com/go-task/slim-sprig/v3/.gitattributes
diff --git a/vendor/github.com/go-task/slim-sprig/.gitignore b/vendor/github.com/go-task/slim-sprig/v3/.gitignore
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/.gitignore
rename to vendor/github.com/go-task/slim-sprig/v3/.gitignore
diff --git a/vendor/github.com/go-task/slim-sprig/CHANGELOG.md b/vendor/github.com/go-task/slim-sprig/v3/CHANGELOG.md
similarity index 95%
rename from vendor/github.com/go-task/slim-sprig/CHANGELOG.md
rename to vendor/github.com/go-task/slim-sprig/v3/CHANGELOG.md
index 61d8ebffc..2ce45dd4e 100644
--- a/vendor/github.com/go-task/slim-sprig/CHANGELOG.md
+++ b/vendor/github.com/go-task/slim-sprig/v3/CHANGELOG.md
@@ -1,5 +1,24 @@
 # Changelog
 
+## Release 3.2.3 (2022-11-29)
+
+### Changed
+
+- Updated docs (thanks @book987 @aJetHorn @neelayu @pellizzetti @apricote @SaigyoujiYuyuko233 @AlekSi)
+- #348: Updated huandu/xstrings which fixed a snake case bug (thanks @yxxhero)
+- #353: Updated masterminds/semver which included bug fixes
+- #354: Updated golang.org/x/crypto which included bug fixes
+
+## Release 3.2.2 (2021-02-04)
+
+This is a re-release of 3.2.1 to satisfy something with the Go module system.
+
+## Release 3.2.1 (2021-02-04)
+
+### Changed
+
+- Upgraded `Masterminds/goutils` to `v1.1.1`. see the [Security Advisory](https://github.com/Masterminds/goutils/security/advisories/GHSA-xg2h-wx96-xgxr)
+
 ## Release 3.2.0 (2020-12-14)
 
 ### Added
diff --git a/vendor/github.com/go-task/slim-sprig/LICENSE.txt b/vendor/github.com/go-task/slim-sprig/v3/LICENSE.txt
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/LICENSE.txt
rename to vendor/github.com/go-task/slim-sprig/v3/LICENSE.txt
diff --git a/vendor/github.com/go-task/slim-sprig/README.md b/vendor/github.com/go-task/slim-sprig/v3/README.md
similarity index 88%
rename from vendor/github.com/go-task/slim-sprig/README.md
rename to vendor/github.com/go-task/slim-sprig/v3/README.md
index 72579471f..b5ab56425 100644
--- a/vendor/github.com/go-task/slim-sprig/README.md
+++ b/vendor/github.com/go-task/slim-sprig/v3/README.md
@@ -1,4 +1,4 @@
-# Slim-Sprig: Template functions for Go templates [![GoDoc](https://godoc.org/github.com/go-task/slim-sprig?status.svg)](https://godoc.org/github.com/go-task/slim-sprig) [![Go Report Card](https://goreportcard.com/badge/github.com/go-task/slim-sprig)](https://goreportcard.com/report/github.com/go-task/slim-sprig)
+# Slim-Sprig: Template functions for Go templates [![Go Reference](https://pkg.go.dev/badge/github.com/go-task/slim-sprig/v3.svg)](https://pkg.go.dev/github.com/go-task/slim-sprig/v3)
 
 Slim-Sprig is a fork of [Sprig](https://github.com/Masterminds/sprig), but with
 all functions that depend on external (non standard library) or crypto packages
diff --git a/vendor/github.com/go-task/slim-sprig/Taskfile.yml b/vendor/github.com/go-task/slim-sprig/v3/Taskfile.yml
similarity index 89%
rename from vendor/github.com/go-task/slim-sprig/Taskfile.yml
rename to vendor/github.com/go-task/slim-sprig/v3/Taskfile.yml
index cdcfd223b..8e6346bb1 100644
--- a/vendor/github.com/go-task/slim-sprig/Taskfile.yml
+++ b/vendor/github.com/go-task/slim-sprig/v3/Taskfile.yml
@@ -1,6 +1,6 @@
 # https://taskfile.dev
 
-version: '2'
+version: '3'
 
 tasks:
   default:
diff --git a/vendor/github.com/go-task/slim-sprig/crypto.go b/vendor/github.com/go-task/slim-sprig/v3/crypto.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/crypto.go
rename to vendor/github.com/go-task/slim-sprig/v3/crypto.go
diff --git a/vendor/github.com/go-task/slim-sprig/date.go b/vendor/github.com/go-task/slim-sprig/v3/date.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/date.go
rename to vendor/github.com/go-task/slim-sprig/v3/date.go
diff --git a/vendor/github.com/go-task/slim-sprig/defaults.go b/vendor/github.com/go-task/slim-sprig/v3/defaults.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/defaults.go
rename to vendor/github.com/go-task/slim-sprig/v3/defaults.go
diff --git a/vendor/github.com/go-task/slim-sprig/dict.go b/vendor/github.com/go-task/slim-sprig/v3/dict.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/dict.go
rename to vendor/github.com/go-task/slim-sprig/v3/dict.go
diff --git a/vendor/github.com/go-task/slim-sprig/doc.go b/vendor/github.com/go-task/slim-sprig/v3/doc.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/doc.go
rename to vendor/github.com/go-task/slim-sprig/v3/doc.go
diff --git a/vendor/github.com/go-task/slim-sprig/functions.go b/vendor/github.com/go-task/slim-sprig/v3/functions.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/functions.go
rename to vendor/github.com/go-task/slim-sprig/v3/functions.go
diff --git a/vendor/github.com/go-task/slim-sprig/list.go b/vendor/github.com/go-task/slim-sprig/v3/list.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/list.go
rename to vendor/github.com/go-task/slim-sprig/v3/list.go
diff --git a/vendor/github.com/go-task/slim-sprig/network.go b/vendor/github.com/go-task/slim-sprig/v3/network.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/network.go
rename to vendor/github.com/go-task/slim-sprig/v3/network.go
diff --git a/vendor/github.com/go-task/slim-sprig/numeric.go b/vendor/github.com/go-task/slim-sprig/v3/numeric.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/numeric.go
rename to vendor/github.com/go-task/slim-sprig/v3/numeric.go
diff --git a/vendor/github.com/go-task/slim-sprig/reflect.go b/vendor/github.com/go-task/slim-sprig/v3/reflect.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/reflect.go
rename to vendor/github.com/go-task/slim-sprig/v3/reflect.go
diff --git a/vendor/github.com/go-task/slim-sprig/regex.go b/vendor/github.com/go-task/slim-sprig/v3/regex.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/regex.go
rename to vendor/github.com/go-task/slim-sprig/v3/regex.go
diff --git a/vendor/github.com/go-task/slim-sprig/strings.go b/vendor/github.com/go-task/slim-sprig/v3/strings.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/strings.go
rename to vendor/github.com/go-task/slim-sprig/v3/strings.go
diff --git a/vendor/github.com/go-task/slim-sprig/url.go b/vendor/github.com/go-task/slim-sprig/v3/url.go
similarity index 100%
rename from vendor/github.com/go-task/slim-sprig/url.go
rename to vendor/github.com/go-task/slim-sprig/v3/url.go
diff --git a/vendor/github.com/google/pprof/profile/encode.go b/vendor/github.com/google/pprof/profile/encode.go
index ab7f03ae2..860bb304c 100644
--- a/vendor/github.com/google/pprof/profile/encode.go
+++ b/vendor/github.com/google/pprof/profile/encode.go
@@ -17,6 +17,7 @@ package profile
 import (
 	"errors"
 	"sort"
+	"strings"
 )
 
 func (p *Profile) decoder() []decoder {
@@ -183,12 +184,13 @@ var profileDecoder = []decoder{
 	// repeated Location location = 4
 	func(b *buffer, m message) error {
 		x := new(Location)
-		x.Line = make([]Line, 0, 8) // Pre-allocate Line buffer
+		x.Line = b.tmpLines[:0] // Use shared space temporarily
 		pp := m.(*Profile)
 		pp.Location = append(pp.Location, x)
 		err := decodeMessage(b, x)
-		var tmp []Line
-		x.Line = append(tmp, x.Line...) // Shrink to allocated size
+		b.tmpLines = x.Line[:0]
+		// Copy to shrink size and detach from shared space.
+		x.Line = append([]Line(nil), x.Line...)
 		return err
 	},
 	// repeated Function function = 5
@@ -252,6 +254,14 @@ func (p *Profile) postDecode() error {
 		} else {
 			mappings[m.ID] = m
 		}
+
+		// If this a main linux kernel mapping with a relocation symbol suffix
+		// ("[kernel.kallsyms]_text"), extract said suffix.
+		// It is fairly hacky to handle at this level, but the alternatives appear even worse.
+		const prefix = "[kernel.kallsyms]"
+		if strings.HasPrefix(m.File, prefix) {
+			m.KernelRelocationSymbol = m.File[len(prefix):]
+		}
 	}
 
 	functions := make(map[uint64]*Function, len(p.Function))
@@ -298,41 +308,52 @@ func (p *Profile) postDecode() error {
 		st.Unit, err = getString(p.stringTable, &st.unitX, err)
 	}
 
+	// Pre-allocate space for all locations.
+	numLocations := 0
 	for _, s := range p.Sample {
-		labels := make(map[string][]string, len(s.labelX))
-		numLabels := make(map[string][]int64, len(s.labelX))
-		numUnits := make(map[string][]string, len(s.labelX))
-		for _, l := range s.labelX {
-			var key, value string
-			key, err = getString(p.stringTable, &l.keyX, err)
-			if l.strX != 0 {
-				value, err = getString(p.stringTable, &l.strX, err)
-				labels[key] = append(labels[key], value)
-			} else if l.numX != 0 || l.unitX != 0 {
-				numValues := numLabels[key]
-				units := numUnits[key]
-				if l.unitX != 0 {
-					var unit string
-					unit, err = getString(p.stringTable, &l.unitX, err)
-					units = padStringArray(units, len(numValues))
-					numUnits[key] = append(units, unit)
-				}
-				numLabels[key] = append(numLabels[key], l.numX)
-			}
-		}
-		if len(labels) > 0 {
-			s.Label = labels
-		}
-		if len(numLabels) > 0 {
-			s.NumLabel = numLabels
-			for key, units := range numUnits {
-				if len(units) > 0 {
-					numUnits[key] = padStringArray(units, len(numLabels[key]))
+		numLocations += len(s.locationIDX)
+	}
+	locBuffer := make([]*Location, numLocations)
+
+	for _, s := range p.Sample {
+		if len(s.labelX) > 0 {
+			labels := make(map[string][]string, len(s.labelX))
+			numLabels := make(map[string][]int64, len(s.labelX))
+			numUnits := make(map[string][]string, len(s.labelX))
+			for _, l := range s.labelX {
+				var key, value string
+				key, err = getString(p.stringTable, &l.keyX, err)
+				if l.strX != 0 {
+					value, err = getString(p.stringTable, &l.strX, err)
+					labels[key] = append(labels[key], value)
+				} else if l.numX != 0 || l.unitX != 0 {
+					numValues := numLabels[key]
+					units := numUnits[key]
+					if l.unitX != 0 {
+						var unit string
+						unit, err = getString(p.stringTable, &l.unitX, err)
+						units = padStringArray(units, len(numValues))
+						numUnits[key] = append(units, unit)
+					}
+					numLabels[key] = append(numLabels[key], l.numX)
 				}
 			}
-			s.NumUnit = numUnits
+			if len(labels) > 0 {
+				s.Label = labels
+			}
+			if len(numLabels) > 0 {
+				s.NumLabel = numLabels
+				for key, units := range numUnits {
+					if len(units) > 0 {
+						numUnits[key] = padStringArray(units, len(numLabels[key]))
+					}
+				}
+				s.NumUnit = numUnits
+			}
 		}
-		s.Location = make([]*Location, len(s.locationIDX))
+
+		s.Location = locBuffer[:len(s.locationIDX)]
+		locBuffer = locBuffer[len(s.locationIDX):]
 		for i, lid := range s.locationIDX {
 			if lid < uint64(len(locationIds)) {
 				s.Location[i] = locationIds[lid]
@@ -509,6 +530,7 @@ func (p *Line) decoder() []decoder {
 func (p *Line) encode(b *buffer) {
 	encodeUint64Opt(b, 1, p.functionIDX)
 	encodeInt64Opt(b, 2, p.Line)
+	encodeInt64Opt(b, 3, p.Column)
 }
 
 var lineDecoder = []decoder{
@@ -517,6 +539,8 @@ var lineDecoder = []decoder{
 	func(b *buffer, m message) error { return decodeUint64(b, &m.(*Line).functionIDX) },
 	// optional int64 line = 2
 	func(b *buffer, m message) error { return decodeInt64(b, &m.(*Line).Line) },
+	// optional int64 column = 3
+	func(b *buffer, m message) error { return decodeInt64(b, &m.(*Line).Column) },
 }
 
 func (p *Function) decoder() []decoder {
diff --git a/vendor/github.com/google/pprof/profile/filter.go b/vendor/github.com/google/pprof/profile/filter.go
index ea8e66c68..c794b9390 100644
--- a/vendor/github.com/google/pprof/profile/filter.go
+++ b/vendor/github.com/google/pprof/profile/filter.go
@@ -22,6 +22,10 @@ import "regexp"
 // samples where at least one frame matches focus but none match ignore.
 // Returns true is the corresponding regexp matched at least one sample.
 func (p *Profile) FilterSamplesByName(focus, ignore, hide, show *regexp.Regexp) (fm, im, hm, hnm bool) {
+	if focus == nil && ignore == nil && hide == nil && show == nil {
+		fm = true // Missing focus implies a match
+		return
+	}
 	focusOrIgnore := make(map[uint64]bool)
 	hidden := make(map[uint64]bool)
 	for _, l := range p.Location {
diff --git a/vendor/github.com/google/pprof/profile/legacy_java_profile.go b/vendor/github.com/google/pprof/profile/legacy_java_profile.go
index 91f45e53c..4580bab18 100644
--- a/vendor/github.com/google/pprof/profile/legacy_java_profile.go
+++ b/vendor/github.com/google/pprof/profile/legacy_java_profile.go
@@ -56,7 +56,7 @@ func javaCPUProfile(b []byte, period int64, parse func(b []byte) (uint64, []byte
 	}
 
 	// Strip out addresses for better merge.
-	if err = p.Aggregate(true, true, true, true, false); err != nil {
+	if err = p.Aggregate(true, true, true, true, false, false); err != nil {
 		return nil, err
 	}
 
@@ -99,7 +99,7 @@ func parseJavaProfile(b []byte) (*Profile, error) {
 	}
 
 	// Strip out addresses for better merge.
-	if err = p.Aggregate(true, true, true, true, false); err != nil {
+	if err = p.Aggregate(true, true, true, true, false, false); err != nil {
 		return nil, err
 	}
 
diff --git a/vendor/github.com/google/pprof/profile/legacy_profile.go b/vendor/github.com/google/pprof/profile/legacy_profile.go
index 0c8f3bb5b..8d07fd6c2 100644
--- a/vendor/github.com/google/pprof/profile/legacy_profile.go
+++ b/vendor/github.com/google/pprof/profile/legacy_profile.go
@@ -295,11 +295,12 @@ func get64b(b []byte) (uint64, []byte) {
 //
 // The general format for profilez samples is a sequence of words in
 // binary format. The first words are a header with the following data:
-//   1st word -- 0
-//   2nd word -- 3
-//   3rd word -- 0 if a c++ application, 1 if a java application.
-//   4th word -- Sampling period (in microseconds).
-//   5th word -- Padding.
+//
+//	1st word -- 0
+//	2nd word -- 3
+//	3rd word -- 0 if a c++ application, 1 if a java application.
+//	4th word -- Sampling period (in microseconds).
+//	5th word -- Padding.
 func parseCPU(b []byte) (*Profile, error) {
 	var parse func([]byte) (uint64, []byte)
 	var n1, n2, n3, n4, n5 uint64
@@ -403,15 +404,18 @@ func cleanupDuplicateLocations(p *Profile) {
 //
 // profilez samples are a repeated sequence of stack frames of the
 // form:
-//    1st word -- The number of times this stack was encountered.
-//    2nd word -- The size of the stack (StackSize).
-//    3rd word -- The first address on the stack.
-//    ...
-//    StackSize + 2 -- The last address on the stack
+//
+//	1st word -- The number of times this stack was encountered.
+//	2nd word -- The size of the stack (StackSize).
+//	3rd word -- The first address on the stack.
+//	...
+//	StackSize + 2 -- The last address on the stack
+//
 // The last stack trace is of the form:
-//   1st word -- 0
-//   2nd word -- 1
-//   3rd word -- 0
+//
+//	1st word -- 0
+//	2nd word -- 1
+//	3rd word -- 0
 //
 // Addresses from stack traces may point to the next instruction after
 // each call. Optionally adjust by -1 to land somewhere on the actual
@@ -861,7 +865,6 @@ func parseThread(b []byte) (*Profile, error) {
 	// Recognize each thread and populate profile samples.
 	for !isMemoryMapSentinel(line) {
 		if strings.HasPrefix(line, "---- no stack trace for") {
-			line = ""
 			break
 		}
 		if t := threadStartRE.FindStringSubmatch(line); len(t) != 4 {
diff --git a/vendor/github.com/google/pprof/profile/merge.go b/vendor/github.com/google/pprof/profile/merge.go
index 9978e7330..eee0132e7 100644
--- a/vendor/github.com/google/pprof/profile/merge.go
+++ b/vendor/github.com/google/pprof/profile/merge.go
@@ -15,6 +15,7 @@
 package profile
 
 import (
+	"encoding/binary"
 	"fmt"
 	"sort"
 	"strconv"
@@ -58,7 +59,7 @@ func Merge(srcs []*Profile) (*Profile, error) {
 
 	for _, src := range srcs {
 		// Clear the profile-specific hash tables
-		pm.locationsByID = make(map[uint64]*Location, len(src.Location))
+		pm.locationsByID = makeLocationIDMap(len(src.Location))
 		pm.functionsByID = make(map[uint64]*Function, len(src.Function))
 		pm.mappingsByID = make(map[uint64]mapInfo, len(src.Mapping))
 
@@ -136,7 +137,7 @@ type profileMerger struct {
 	p *Profile
 
 	// Memoization tables within a profile.
-	locationsByID map[uint64]*Location
+	locationsByID locationIDMap
 	functionsByID map[uint64]*Function
 	mappingsByID  map[uint64]mapInfo
 
@@ -153,6 +154,16 @@ type mapInfo struct {
 }
 
 func (pm *profileMerger) mapSample(src *Sample) *Sample {
+	// Check memoization table
+	k := pm.sampleKey(src)
+	if ss, ok := pm.samples[k]; ok {
+		for i, v := range src.Value {
+			ss.Value[i] += v
+		}
+		return ss
+	}
+
+	// Make new sample.
 	s := &Sample{
 		Location: make([]*Location, len(src.Location)),
 		Value:    make([]int64, len(src.Value)),
@@ -177,52 +188,98 @@ func (pm *profileMerger) mapSample(src *Sample) *Sample {
 		s.NumLabel[k] = vv
 		s.NumUnit[k] = uu
 	}
-	// Check memoization table. Must be done on the remapped location to
-	// account for the remapped mapping. Add current values to the
-	// existing sample.
-	k := s.key()
-	if ss, ok := pm.samples[k]; ok {
-		for i, v := range src.Value {
-			ss.Value[i] += v
-		}
-		return ss
-	}
 	copy(s.Value, src.Value)
 	pm.samples[k] = s
 	pm.p.Sample = append(pm.p.Sample, s)
 	return s
 }
 
-// key generates sampleKey to be used as a key for maps.
-func (sample *Sample) key() sampleKey {
-	ids := make([]string, len(sample.Location))
-	for i, l := range sample.Location {
-		ids[i] = strconv.FormatUint(l.ID, 16)
+func (pm *profileMerger) sampleKey(sample *Sample) sampleKey {
+	// Accumulate contents into a string.
+	var buf strings.Builder
+	buf.Grow(64) // Heuristic to avoid extra allocs
+
+	// encode a number
+	putNumber := func(v uint64) {
+		var num [binary.MaxVarintLen64]byte
+		n := binary.PutUvarint(num[:], v)
+		buf.Write(num[:n])
 	}
 
-	labels := make([]string, 0, len(sample.Label))
-	for k, v := range sample.Label {
-		labels = append(labels, fmt.Sprintf("%q%q", k, v))
+	// encode a string prefixed with its length.
+	putDelimitedString := func(s string) {
+		putNumber(uint64(len(s)))
+		buf.WriteString(s)
 	}
-	sort.Strings(labels)
 
-	numlabels := make([]string, 0, len(sample.NumLabel))
-	for k, v := range sample.NumLabel {
-		numlabels = append(numlabels, fmt.Sprintf("%q%x%x", k, v, sample.NumUnit[k]))
+	for _, l := range sample.Location {
+		// Get the location in the merged profile, which may have a different ID.
+		if loc := pm.mapLocation(l); loc != nil {
+			putNumber(loc.ID)
+		}
 	}
-	sort.Strings(numlabels)
+	putNumber(0) // Delimiter
 
-	return sampleKey{
-		strings.Join(ids, "|"),
-		strings.Join(labels, ""),
-		strings.Join(numlabels, ""),
+	for _, l := range sortedKeys1(sample.Label) {
+		putDelimitedString(l)
+		values := sample.Label[l]
+		putNumber(uint64(len(values)))
+		for _, v := range values {
+			putDelimitedString(v)
+		}
 	}
+
+	for _, l := range sortedKeys2(sample.NumLabel) {
+		putDelimitedString(l)
+		values := sample.NumLabel[l]
+		putNumber(uint64(len(values)))
+		for _, v := range values {
+			putNumber(uint64(v))
+		}
+		units := sample.NumUnit[l]
+		putNumber(uint64(len(units)))
+		for _, v := range units {
+			putDelimitedString(v)
+		}
+	}
+
+	return sampleKey(buf.String())
 }
 
-type sampleKey struct {
-	locations string
-	labels    string
-	numlabels string
+type sampleKey string
+
+// sortedKeys1 returns the sorted keys found in a string->[]string map.
+//
+// Note: this is currently non-generic since github pprof runs golint,
+// which does not support generics. When that issue is fixed, it can
+// be merged with sortedKeys2 and made into a generic function.
+func sortedKeys1(m map[string][]string) []string {
+	if len(m) == 0 {
+		return nil
+	}
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+// sortedKeys2 returns the sorted keys found in a string->[]int64 map.
+//
+// Note: this is currently non-generic since github pprof runs golint,
+// which does not support generics. When that issue is fixed, it can
+// be merged with sortedKeys1 and made into a generic function.
+func sortedKeys2(m map[string][]int64) []string {
+	if len(m) == 0 {
+		return nil
+	}
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	return keys
 }
 
 func (pm *profileMerger) mapLocation(src *Location) *Location {
@@ -230,7 +287,7 @@ func (pm *profileMerger) mapLocation(src *Location) *Location {
 		return nil
 	}
 
-	if l, ok := pm.locationsByID[src.ID]; ok {
+	if l := pm.locationsByID.get(src.ID); l != nil {
 		return l
 	}
 
@@ -249,10 +306,10 @@ func (pm *profileMerger) mapLocation(src *Location) *Location {
 	// account for the remapped mapping ID.
 	k := l.key()
 	if ll, ok := pm.locations[k]; ok {
-		pm.locationsByID[src.ID] = ll
+		pm.locationsByID.set(src.ID, ll)
 		return ll
 	}
-	pm.locationsByID[src.ID] = l
+	pm.locationsByID.set(src.ID, l)
 	pm.locations[k] = l
 	pm.p.Location = append(pm.p.Location, l)
 	return l
@@ -269,12 +326,13 @@ func (l *Location) key() locationKey {
 		key.addr -= l.Mapping.Start
 		key.mappingID = l.Mapping.ID
 	}
-	lines := make([]string, len(l.Line)*2)
+	lines := make([]string, len(l.Line)*3)
 	for i, line := range l.Line {
 		if line.Function != nil {
 			lines[i*2] = strconv.FormatUint(line.Function.ID, 16)
 		}
 		lines[i*2+1] = strconv.FormatInt(line.Line, 16)
+		lines[i*2+2] = strconv.FormatInt(line.Column, 16)
 	}
 	key.lines = strings.Join(lines, "|")
 	return key
@@ -303,16 +361,17 @@ func (pm *profileMerger) mapMapping(src *Mapping) mapInfo {
 		return mi
 	}
 	m := &Mapping{
-		ID:              uint64(len(pm.p.Mapping) + 1),
-		Start:           src.Start,
-		Limit:           src.Limit,
-		Offset:          src.Offset,
-		File:            src.File,
-		BuildID:         src.BuildID,
-		HasFunctions:    src.HasFunctions,
-		HasFilenames:    src.HasFilenames,
-		HasLineNumbers:  src.HasLineNumbers,
-		HasInlineFrames: src.HasInlineFrames,
+		ID:                     uint64(len(pm.p.Mapping) + 1),
+		Start:                  src.Start,
+		Limit:                  src.Limit,
+		Offset:                 src.Offset,
+		File:                   src.File,
+		KernelRelocationSymbol: src.KernelRelocationSymbol,
+		BuildID:                src.BuildID,
+		HasFunctions:           src.HasFunctions,
+		HasFilenames:           src.HasFilenames,
+		HasLineNumbers:         src.HasLineNumbers,
+		HasInlineFrames:        src.HasInlineFrames,
 	}
 	pm.p.Mapping = append(pm.p.Mapping, m)
 
@@ -360,6 +419,7 @@ func (pm *profileMerger) mapLine(src Line) Line {
 	ln := Line{
 		Function: pm.mapFunction(src.Function),
 		Line:     src.Line,
+		Column:   src.Column,
 	}
 	return ln
 }
@@ -479,3 +539,131 @@ func (p *Profile) compatible(pb *Profile) error {
 func equalValueType(st1, st2 *ValueType) bool {
 	return st1.Type == st2.Type && st1.Unit == st2.Unit
 }
+
+// locationIDMap is like a map[uint64]*Location, but provides efficiency for
+// ids that are densely numbered, which is often the case.
+type locationIDMap struct {
+	dense  []*Location          // indexed by id for id < len(dense)
+	sparse map[uint64]*Location // indexed by id for id >= len(dense)
+}
+
+func makeLocationIDMap(n int) locationIDMap {
+	return locationIDMap{
+		dense:  make([]*Location, n),
+		sparse: map[uint64]*Location{},
+	}
+}
+
+func (lm locationIDMap) get(id uint64) *Location {
+	if id < uint64(len(lm.dense)) {
+		return lm.dense[int(id)]
+	}
+	return lm.sparse[id]
+}
+
+func (lm locationIDMap) set(id uint64, loc *Location) {
+	if id < uint64(len(lm.dense)) {
+		lm.dense[id] = loc
+		return
+	}
+	lm.sparse[id] = loc
+}
+
+// CompatibilizeSampleTypes makes profiles compatible to be compared/merged. It
+// keeps sample types that appear in all profiles only and drops/reorders the
+// sample types as necessary.
+//
+// In the case of sample types order is not the same for given profiles the
+// order is derived from the first profile.
+//
+// Profiles are modified in-place.
+//
+// It returns an error if the sample type's intersection is empty.
+func CompatibilizeSampleTypes(ps []*Profile) error {
+	sTypes := commonSampleTypes(ps)
+	if len(sTypes) == 0 {
+		return fmt.Errorf("profiles have empty common sample type list")
+	}
+	for _, p := range ps {
+		if err := compatibilizeSampleTypes(p, sTypes); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// commonSampleTypes returns sample types that appear in all profiles in the
+// order how they ordered in the first profile.
+func commonSampleTypes(ps []*Profile) []string {
+	if len(ps) == 0 {
+		return nil
+	}
+	sTypes := map[string]int{}
+	for _, p := range ps {
+		for _, st := range p.SampleType {
+			sTypes[st.Type]++
+		}
+	}
+	var res []string
+	for _, st := range ps[0].SampleType {
+		if sTypes[st.Type] == len(ps) {
+			res = append(res, st.Type)
+		}
+	}
+	return res
+}
+
+// compatibilizeSampleTypes drops sample types that are not present in sTypes
+// list and reorder them if needed.
+//
+// It sets DefaultSampleType to sType[0] if it is not in sType list.
+//
+// It assumes that all sample types from the sTypes list are present in the
+// given profile otherwise it returns an error.
+func compatibilizeSampleTypes(p *Profile, sTypes []string) error {
+	if len(sTypes) == 0 {
+		return fmt.Errorf("sample type list is empty")
+	}
+	defaultSampleType := sTypes[0]
+	reMap, needToModify := make([]int, len(sTypes)), false
+	for i, st := range sTypes {
+		if st == p.DefaultSampleType {
+			defaultSampleType = p.DefaultSampleType
+		}
+		idx := searchValueType(p.SampleType, st)
+		if idx < 0 {
+			return fmt.Errorf("%q sample type is not found in profile", st)
+		}
+		reMap[i] = idx
+		if idx != i {
+			needToModify = true
+		}
+	}
+	if !needToModify && len(sTypes) == len(p.SampleType) {
+		return nil
+	}
+	p.DefaultSampleType = defaultSampleType
+	oldSampleTypes := p.SampleType
+	p.SampleType = make([]*ValueType, len(sTypes))
+	for i, idx := range reMap {
+		p.SampleType[i] = oldSampleTypes[idx]
+	}
+	values := make([]int64, len(sTypes))
+	for _, s := range p.Sample {
+		for i, idx := range reMap {
+			values[i] = s.Value[idx]
+		}
+		s.Value = s.Value[:len(values)]
+		copy(s.Value, values)
+	}
+	return nil
+}
+
+func searchValueType(vts []*ValueType, s string) int {
+	for i, vt := range vts {
+		if vt.Type == s {
+			return i
+		}
+	}
+	return -1
+}
diff --git a/vendor/github.com/google/pprof/profile/profile.go b/vendor/github.com/google/pprof/profile/profile.go
index 2590c8ddb..62df80a55 100644
--- a/vendor/github.com/google/pprof/profile/profile.go
+++ b/vendor/github.com/google/pprof/profile/profile.go
@@ -21,7 +21,6 @@ import (
 	"compress/gzip"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"math"
 	"path/filepath"
 	"regexp"
@@ -73,9 +72,23 @@ type ValueType struct {
 type Sample struct {
 	Location []*Location
 	Value    []int64
-	Label    map[string][]string
+	// Label is a per-label-key map to values for string labels.
+	//
+	// In general, having multiple values for the given label key is strongly
+	// discouraged - see docs for the sample label field in profile.proto.  The
+	// main reason this unlikely state is tracked here is to make the
+	// decoding->encoding roundtrip not lossy. But we expect that the value
+	// slices present in this map are always of length 1.
+	Label map[string][]string
+	// NumLabel is a per-label-key map to values for numeric labels. See a note
+	// above on handling multiple values for a label.
 	NumLabel map[string][]int64
-	NumUnit  map[string][]string
+	// NumUnit is a per-label-key map to the unit names of corresponding numeric
+	// label values. The unit info may be missing even if the label is in
+	// NumLabel, see the docs in profile.proto for details. When the value is
+	// slice is present and not nil, its length must be equal to the length of
+	// the corresponding value slice in NumLabel.
+	NumUnit map[string][]string
 
 	locationIDX []uint64
 	labelX      []label
@@ -106,6 +119,15 @@ type Mapping struct {
 
 	fileX    int64
 	buildIDX int64
+
+	// Name of the kernel relocation symbol ("_text" or "_stext"), extracted from File.
+	// For linux kernel mappings generated by some tools, correct symbolization depends
+	// on knowing which of the two possible relocation symbols was used for `Start`.
+	// This is given to us as a suffix in `File` (e.g. "[kernel.kallsyms]_stext").
+	//
+	// Note, this public field is not persisted in the proto. For the purposes of
+	// copying / merging / hashing profiles, it is considered subsumed by `File`.
+	KernelRelocationSymbol string
 }
 
 // Location corresponds to Profile.Location
@@ -123,6 +145,7 @@ type Location struct {
 type Line struct {
 	Function *Function
 	Line     int64
+	Column   int64
 
 	functionIDX uint64
 }
@@ -144,7 +167,7 @@ type Function struct {
 // may be a gzip-compressed encoded protobuf or one of many legacy
 // profile formats which may be unsupported in the future.
 func Parse(r io.Reader) (*Profile, error) {
-	data, err := ioutil.ReadAll(r)
+	data, err := io.ReadAll(r)
 	if err != nil {
 		return nil, err
 	}
@@ -159,7 +182,7 @@ func ParseData(data []byte) (*Profile, error) {
 	if len(data) >= 2 && data[0] == 0x1f && data[1] == 0x8b {
 		gz, err := gzip.NewReader(bytes.NewBuffer(data))
 		if err == nil {
-			data, err = ioutil.ReadAll(gz)
+			data, err = io.ReadAll(gz)
 		}
 		if err != nil {
 			return nil, fmt.Errorf("decompressing profile: %v", err)
@@ -414,7 +437,7 @@ func (p *Profile) CheckValid() error {
 // Aggregate merges the locations in the profile into equivalence
 // classes preserving the request attributes. It also updates the
 // samples to point to the merged locations.
-func (p *Profile) Aggregate(inlineFrame, function, filename, linenumber, address bool) error {
+func (p *Profile) Aggregate(inlineFrame, function, filename, linenumber, columnnumber, address bool) error {
 	for _, m := range p.Mapping {
 		m.HasInlineFrames = m.HasInlineFrames && inlineFrame
 		m.HasFunctions = m.HasFunctions && function
@@ -436,7 +459,7 @@ func (p *Profile) Aggregate(inlineFrame, function, filename, linenumber, address
 	}
 
 	// Aggregate locations
-	if !inlineFrame || !address || !linenumber {
+	if !inlineFrame || !address || !linenumber || !columnnumber {
 		for _, l := range p.Location {
 			if !inlineFrame && len(l.Line) > 1 {
 				l.Line = l.Line[len(l.Line)-1:]
@@ -444,6 +467,12 @@ func (p *Profile) Aggregate(inlineFrame, function, filename, linenumber, address
 			if !linenumber {
 				for i := range l.Line {
 					l.Line[i].Line = 0
+					l.Line[i].Column = 0
+				}
+			}
+			if !columnnumber {
+				for i := range l.Line {
+					l.Line[i].Column = 0
 				}
 			}
 			if !address {
@@ -605,10 +634,11 @@ func (l *Location) string() string {
 	for li := range l.Line {
 		lnStr := "??"
 		if fn := l.Line[li].Function; fn != nil {
-			lnStr = fmt.Sprintf("%s %s:%d s=%d",
+			lnStr = fmt.Sprintf("%s %s:%d:%d s=%d",
 				fn.Name,
 				fn.Filename,
 				l.Line[li].Line,
+				l.Line[li].Column,
 				fn.StartLine)
 			if fn.Name != fn.SystemName {
 				lnStr = lnStr + "(" + fn.SystemName + ")"
@@ -707,6 +737,35 @@ func (s *Sample) HasLabel(key, value string) bool {
 	return false
 }
 
+// SetNumLabel sets the specified key to the specified value for all samples in the
+// profile. "unit" is a slice that describes the units that each corresponding member
+// of "values" is measured in (e.g. bytes or seconds).  If there is no relevant
+// unit for a given value, that member of "unit" should be the empty string.
+// "unit" must either have the same length as "value", or be nil.
+func (p *Profile) SetNumLabel(key string, value []int64, unit []string) {
+	for _, sample := range p.Sample {
+		if sample.NumLabel == nil {
+			sample.NumLabel = map[string][]int64{key: value}
+		} else {
+			sample.NumLabel[key] = value
+		}
+		if sample.NumUnit == nil {
+			sample.NumUnit = map[string][]string{key: unit}
+		} else {
+			sample.NumUnit[key] = unit
+		}
+	}
+}
+
+// RemoveNumLabel removes all numerical labels associated with the specified key for all
+// samples in the profile.
+func (p *Profile) RemoveNumLabel(key string) {
+	for _, sample := range p.Sample {
+		delete(sample.NumLabel, key)
+		delete(sample.NumUnit, key)
+	}
+}
+
 // DiffBaseSample returns true if a sample belongs to the diff base and false
 // otherwise.
 func (s *Sample) DiffBaseSample() bool {
diff --git a/vendor/github.com/google/pprof/profile/proto.go b/vendor/github.com/google/pprof/profile/proto.go
index 539ad3ab3..a15696ba1 100644
--- a/vendor/github.com/google/pprof/profile/proto.go
+++ b/vendor/github.com/google/pprof/profile/proto.go
@@ -39,11 +39,12 @@ import (
 )
 
 type buffer struct {
-	field int // field tag
-	typ   int // proto wire type code for field
-	u64   uint64
-	data  []byte
-	tmp   [16]byte
+	field    int // field tag
+	typ      int // proto wire type code for field
+	u64      uint64
+	data     []byte
+	tmp      [16]byte
+	tmpLines []Line // temporary storage used while decoding "repeated Line".
 }
 
 type decoder func(*buffer, message) error
@@ -286,7 +287,6 @@ func decodeInt64s(b *buffer, x *[]int64) error {
 	if b.typ == 2 {
 		// Packed encoding
 		data := b.data
-		tmp := make([]int64, 0, len(data)) // Maximally sized
 		for len(data) > 0 {
 			var u uint64
 			var err error
@@ -294,9 +294,8 @@ func decodeInt64s(b *buffer, x *[]int64) error {
 			if u, data, err = decodeVarint(data); err != nil {
 				return err
 			}
-			tmp = append(tmp, int64(u))
+			*x = append(*x, int64(u))
 		}
-		*x = append(*x, tmp...)
 		return nil
 	}
 	var i int64
@@ -319,7 +318,6 @@ func decodeUint64s(b *buffer, x *[]uint64) error {
 	if b.typ == 2 {
 		data := b.data
 		// Packed encoding
-		tmp := make([]uint64, 0, len(data)) // Maximally sized
 		for len(data) > 0 {
 			var u uint64
 			var err error
@@ -327,9 +325,8 @@ func decodeUint64s(b *buffer, x *[]uint64) error {
 			if u, data, err = decodeVarint(data); err != nil {
 				return err
 			}
-			tmp = append(tmp, u)
+			*x = append(*x, u)
 		}
-		*x = append(*x, tmp...)
 		return nil
 	}
 	var u uint64
diff --git a/vendor/github.com/google/pprof/profile/prune.go b/vendor/github.com/google/pprof/profile/prune.go
index 02d21a818..b2f9fd546 100644
--- a/vendor/github.com/google/pprof/profile/prune.go
+++ b/vendor/github.com/google/pprof/profile/prune.go
@@ -62,15 +62,31 @@ func (p *Profile) Prune(dropRx, keepRx *regexp.Regexp) {
 	prune := make(map[uint64]bool)
 	pruneBeneath := make(map[uint64]bool)
 
+	// simplifyFunc can be expensive, so cache results.
+	// Note that the same function name can be encountered many times due
+	// different lines and addresses in the same function.
+	pruneCache := map[string]bool{} // Map from function to whether or not to prune
+	pruneFromHere := func(s string) bool {
+		if r, ok := pruneCache[s]; ok {
+			return r
+		}
+		funcName := simplifyFunc(s)
+		if dropRx.MatchString(funcName) {
+			if keepRx == nil || !keepRx.MatchString(funcName) {
+				pruneCache[s] = true
+				return true
+			}
+		}
+		pruneCache[s] = false
+		return false
+	}
+
 	for _, loc := range p.Location {
 		var i int
 		for i = len(loc.Line) - 1; i >= 0; i-- {
 			if fn := loc.Line[i].Function; fn != nil && fn.Name != "" {
-				funcName := simplifyFunc(fn.Name)
-				if dropRx.MatchString(funcName) {
-					if keepRx == nil || !keepRx.MatchString(funcName) {
-						break
-					}
+				if pruneFromHere(fn.Name) {
+					break
 				}
 			}
 		}
diff --git a/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go b/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go
index 5c060e5a1..4bc1390b9 100644
--- a/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go
+++ b/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go
@@ -6,6 +6,7 @@ package api
 import (
 	"errors"
 	"math/rand"
+	"strings"
 	"sync"
 	"time"
 
@@ -31,6 +32,7 @@ var (
 	DefaultRenewerRenewBuffer = 5
 )
 
+//go:generate enumer -type=RenewBehavior -trimprefix=RenewBehavior
 type RenewBehavior uint
 
 const (
@@ -288,12 +290,18 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
 		switch {
 		case nonRenewable || r.renewBehavior == RenewBehaviorRenewDisabled:
 			// Can't or won't renew, just keep the same expiration so we exit
-			// when it's reauthentication time
+			// when it's re-authentication time
 			remainingLeaseDuration = fallbackLeaseDuration
 
 		default:
 			// Renew the token
 			renewal, err = renew(credString, r.increment)
+			if err != nil && strings.Contains(err.Error(), "permission denied") {
+				// We can't renew since the token doesn't have permission to. Fall back
+				// to the code path for non-renewable tokens.
+				nonRenewable = true
+				continue
+			}
 			if err != nil || renewal == nil || (tokenMode && renewal.Auth == nil) {
 				if r.renewBehavior == RenewBehaviorErrorOnErrors {
 					if err != nil {
@@ -349,8 +357,11 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
 
 		if errorBackoff == nil {
 			sleepDuration = r.calculateSleepDuration(remainingLeaseDuration, priorDuration)
-		} else if errorBackoff.NextBackOff() == backoff.Stop {
-			return err
+		} else {
+			sleepDuration = errorBackoff.NextBackOff()
+			if sleepDuration == backoff.Stop {
+				return err
+			}
 		}
 
 		// remainingLeaseDuration becomes the priorDuration for the next loop
diff --git a/vendor/github.com/hashicorp/vault/api/plugin_helpers.go b/vendor/github.com/hashicorp/vault/api/plugin_helpers.go
index 3705c7310..d330478f5 100644
--- a/vendor/github.com/hashicorp/vault/api/plugin_helpers.go
+++ b/vendor/github.com/hashicorp/vault/api/plugin_helpers.go
@@ -13,8 +13,8 @@ import (
 	"net/url"
 	"os"
 
-	"github.com/go-jose/go-jose/v3/jwt"
-
+	jose "github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/hashicorp/errwrap"
 )
 
@@ -41,6 +41,11 @@ const (
 	// PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the
 	// plugin.
 	PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"
+
+	// CubbyHoleJWTSignatureAlgorithm is the signature algorithm used for
+	// the unwrap token that Vault passes to a plugin when auto-mTLS is
+	// not enabled.
+	CubbyHoleJWTSignatureAlgorithm = jose.ES512
 )
 
 // PluginAPIClientMeta is a helper that plugins can use to configure TLS connections
@@ -103,7 +108,7 @@ func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig)
 	return func() (*tls.Config, error) {
 		unwrapToken := os.Getenv(PluginUnwrapTokenEnv)
 
-		parsedJWT, err := jwt.ParseSigned(unwrapToken)
+		parsedJWT, err := jwt.ParseSigned(unwrapToken, []jose.SignatureAlgorithm{CubbyHoleJWTSignatureAlgorithm})
 		if err != nil {
 			return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)
 		}
diff --git a/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go b/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go
index d3acd0d00..2514f1279 100644
--- a/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go
+++ b/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go
@@ -9,11 +9,9 @@ package api
 
 import "fmt"
 
-var PluginRuntimeTypes = []PluginRuntimeType{
-	PluginRuntimeTypeUnsupported,
-	PluginRuntimeTypeContainer,
-}
+var PluginRuntimeTypes = _PluginRuntimeTypeValues
 
+//go:generate enumer -type=PluginRuntimeType -trimprefix=PluginRuntimeType -transform=snake
 type PluginRuntimeType uint32
 
 // This is a list of PluginRuntimeTypes used by Vault.
@@ -22,20 +20,11 @@ const (
 	PluginRuntimeTypeContainer
 )
 
-func (r PluginRuntimeType) String() string {
-	switch r {
-	case PluginRuntimeTypeContainer:
-		return "container"
-	default:
-		return "unsupported"
-	}
-}
-
+// ParsePluginRuntimeType is a wrapper around PluginRuntimeTypeString kept for backwards compatibility.
 func ParsePluginRuntimeType(PluginRuntimeType string) (PluginRuntimeType, error) {
-	switch PluginRuntimeType {
-	case "container":
-		return PluginRuntimeTypeContainer, nil
-	default:
+	t, err := PluginRuntimeTypeString(PluginRuntimeType)
+	if err != nil {
 		return PluginRuntimeTypeUnsupported, fmt.Errorf("%q is not a supported plugin runtime type", PluginRuntimeType)
 	}
+	return t, nil
 }
diff --git a/vendor/github.com/hashicorp/vault/api/pluginruntimetype_enumer.go b/vendor/github.com/hashicorp/vault/api/pluginruntimetype_enumer.go
new file mode 100644
index 000000000..663f440ff
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/pluginruntimetype_enumer.go
@@ -0,0 +1,49 @@
+// Code generated by "enumer -type=PluginRuntimeType -trimprefix=PluginRuntimeType -transform=snake"; DO NOT EDIT.
+
+package api
+
+import (
+	"fmt"
+)
+
+const _PluginRuntimeTypeName = "unsupportedcontainer"
+
+var _PluginRuntimeTypeIndex = [...]uint8{0, 11, 20}
+
+func (i PluginRuntimeType) String() string {
+	if i >= PluginRuntimeType(len(_PluginRuntimeTypeIndex)-1) {
+		return fmt.Sprintf("PluginRuntimeType(%d)", i)
+	}
+	return _PluginRuntimeTypeName[_PluginRuntimeTypeIndex[i]:_PluginRuntimeTypeIndex[i+1]]
+}
+
+var _PluginRuntimeTypeValues = []PluginRuntimeType{0, 1}
+
+var _PluginRuntimeTypeNameToValueMap = map[string]PluginRuntimeType{
+	_PluginRuntimeTypeName[0:11]:  0,
+	_PluginRuntimeTypeName[11:20]: 1,
+}
+
+// PluginRuntimeTypeString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func PluginRuntimeTypeString(s string) (PluginRuntimeType, error) {
+	if val, ok := _PluginRuntimeTypeNameToValueMap[s]; ok {
+		return val, nil
+	}
+	return 0, fmt.Errorf("%s does not belong to PluginRuntimeType values", s)
+}
+
+// PluginRuntimeTypeValues returns all values of the enum
+func PluginRuntimeTypeValues() []PluginRuntimeType {
+	return _PluginRuntimeTypeValues
+}
+
+// IsAPluginRuntimeType returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i PluginRuntimeType) IsAPluginRuntimeType() bool {
+	for _, v := range _PluginRuntimeTypeValues {
+		if i == v {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/github.com/hashicorp/vault/api/renewbehavior_enumer.go b/vendor/github.com/hashicorp/vault/api/renewbehavior_enumer.go
new file mode 100644
index 000000000..9b272e3e0
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/renewbehavior_enumer.go
@@ -0,0 +1,50 @@
+// Code generated by "enumer -type=RenewBehavior -trimprefix=RenewBehavior"; DO NOT EDIT.
+
+package api
+
+import (
+	"fmt"
+)
+
+const _RenewBehaviorName = "IgnoreErrorsRenewDisabledErrorOnErrors"
+
+var _RenewBehaviorIndex = [...]uint8{0, 12, 25, 38}
+
+func (i RenewBehavior) String() string {
+	if i >= RenewBehavior(len(_RenewBehaviorIndex)-1) {
+		return fmt.Sprintf("RenewBehavior(%d)", i)
+	}
+	return _RenewBehaviorName[_RenewBehaviorIndex[i]:_RenewBehaviorIndex[i+1]]
+}
+
+var _RenewBehaviorValues = []RenewBehavior{0, 1, 2}
+
+var _RenewBehaviorNameToValueMap = map[string]RenewBehavior{
+	_RenewBehaviorName[0:12]:  0,
+	_RenewBehaviorName[12:25]: 1,
+	_RenewBehaviorName[25:38]: 2,
+}
+
+// RenewBehaviorString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func RenewBehaviorString(s string) (RenewBehavior, error) {
+	if val, ok := _RenewBehaviorNameToValueMap[s]; ok {
+		return val, nil
+	}
+	return 0, fmt.Errorf("%s does not belong to RenewBehavior values", s)
+}
+
+// RenewBehaviorValues returns all values of the enum
+func RenewBehaviorValues() []RenewBehavior {
+	return _RenewBehaviorValues
+}
+
+// IsARenewBehavior returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i RenewBehavior) IsARenewBehavior() bool {
+	for _, v := range _RenewBehaviorValues {
+		if i == v {
+			return true
+		}
+	}
+	return false
+}
diff --git a/vendor/github.com/hashicorp/vault/api/replication_status.go b/vendor/github.com/hashicorp/vault/api/replication_status.go
index 9bc02d539..d7224ff11 100644
--- a/vendor/github.com/hashicorp/vault/api/replication_status.go
+++ b/vendor/github.com/hashicorp/vault/api/replication_status.go
@@ -19,13 +19,14 @@ const (
 )
 
 type ClusterInfo struct {
-	APIAddr                     string `json:"api_address,omitempty" mapstructure:"api_address"`
-	ClusterAddress              string `json:"cluster_address,omitempty" mapstructure:"cluster_address"`
-	ConnectionStatus            string `json:"connection_status,omitempty" mapstructure:"connection_status"`
-	LastHeartBeat               string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"`
-	LastHeartBeatDurationMillis string `json:"last_heartbeat_duration_ms,omitempty" mapstructure:"last_heartbeat_duration_ms"`
-	ClockSkewMillis             string `json:"clock_skew_ms,omitempty" mapstructure:"clock_skew_ms"`
-	NodeID                      string `json:"node_id,omitempty" mapstructure:"node_id"`
+	APIAddr                           string `json:"api_address,omitempty" mapstructure:"api_address"`
+	ClusterAddress                    string `json:"cluster_address,omitempty" mapstructure:"cluster_address"`
+	ConnectionStatus                  string `json:"connection_status,omitempty" mapstructure:"connection_status"`
+	LastHeartBeat                     string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"`
+	LastHeartBeatDurationMillis       string `json:"last_heartbeat_duration_ms,omitempty" mapstructure:"last_heartbeat_duration_ms"`
+	ClockSkewMillis                   string `json:"clock_skew_ms,omitempty" mapstructure:"clock_skew_ms"`
+	NodeID                            string `json:"node_id,omitempty" mapstructure:"node_id"`
+	ReplicationPrimaryCanaryAgeMillis string `json:"replication_primary_canary_age_ms,omitempty" mapstructure:"replication_primary_canary_age_ms"`
 }
 
 type ReplicationStatusGenericResponse struct {
diff --git a/vendor/github.com/hashicorp/vault/api/sys_auth.go b/vendor/github.com/hashicorp/vault/api/sys_auth.go
index e81441219..67beb63db 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_auth.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_auth.go
@@ -12,6 +12,41 @@ import (
 	"github.com/mitchellh/mapstructure"
 )
 
+func (c *Sys) GetAuth(path string) (*AuthMount, error) {
+	return c.GetAuthWithContext(context.Background(), path)
+}
+
+func (c *Sys) GetAuthWithContext(ctx context.Context, path string) (*AuthMount, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	// use `sys/mounts/auth/:path` so we don't require sudo permissions
+	// historically, `sys/auth` doesn't require sudo, so we don't require it here either
+	r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/mounts/auth/%s", path))
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+
+	mount := AuthMount{}
+	err = mapstructure.Decode(secret.Data, &mount)
+	if err != nil {
+		return nil, err
+	}
+
+	return &mount, nil
+}
+
 func (c *Sys) ListAuth() (map[string]*AuthMount, error) {
 	return c.ListAuthWithContext(context.Background())
 }
diff --git a/vendor/github.com/hashicorp/vault/api/sys_hastatus.go b/vendor/github.com/hashicorp/vault/api/sys_hastatus.go
index 58a73b89c..2e54651e1 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_hastatus.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_hastatus.go
@@ -35,14 +35,15 @@ type HAStatusResponse struct {
 }
 
 type HANode struct {
-	Hostname           string     `json:"hostname"`
-	APIAddress         string     `json:"api_address"`
-	ClusterAddress     string     `json:"cluster_address"`
-	ActiveNode         bool       `json:"active_node"`
-	LastEcho           *time.Time `json:"last_echo"`
-	EchoDurationMillis int64      `json:"echo_duration_ms"`
-	ClockSkewMillis    int64      `json:"clock_skew_ms"`
-	Version            string     `json:"version"`
-	UpgradeVersion     string     `json:"upgrade_version,omitempty"`
-	RedundancyZone     string     `json:"redundancy_zone,omitempty"`
+	Hostname                          string     `json:"hostname"`
+	APIAddress                        string     `json:"api_address"`
+	ClusterAddress                    string     `json:"cluster_address"`
+	ActiveNode                        bool       `json:"active_node"`
+	LastEcho                          *time.Time `json:"last_echo"`
+	EchoDurationMillis                int64      `json:"echo_duration_ms"`
+	ClockSkewMillis                   int64      `json:"clock_skew_ms"`
+	Version                           string     `json:"version"`
+	UpgradeVersion                    string     `json:"upgrade_version,omitempty"`
+	RedundancyZone                    string     `json:"redundancy_zone,omitempty"`
+	ReplicationPrimaryCanaryAgeMillis int64      `json:"replication_primary_canary_age_ms"`
 }
diff --git a/vendor/github.com/hashicorp/vault/api/sys_health.go b/vendor/github.com/hashicorp/vault/api/sys_health.go
index 0dc849885..6868b96d7 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_health.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_health.go
@@ -38,18 +38,19 @@ func (c *Sys) HealthWithContext(ctx context.Context) (*HealthResponse, error) {
 }
 
 type HealthResponse struct {
-	Initialized                bool   `json:"initialized"`
-	Sealed                     bool   `json:"sealed"`
-	Standby                    bool   `json:"standby"`
-	PerformanceStandby         bool   `json:"performance_standby"`
-	ReplicationPerformanceMode string `json:"replication_performance_mode"`
-	ReplicationDRMode          string `json:"replication_dr_mode"`
-	ServerTimeUTC              int64  `json:"server_time_utc"`
-	Version                    string `json:"version"`
-	ClusterName                string `json:"cluster_name,omitempty"`
-	ClusterID                  string `json:"cluster_id,omitempty"`
-	LastWAL                    uint64 `json:"last_wal,omitempty"`
-	Enterprise                 bool   `json:"enterprise"`
-	EchoDurationMillis         int64  `json:"echo_duration_ms"`
-	ClockSkewMillis            int64  `json:"clock_skew_ms"`
+	Initialized                       bool   `json:"initialized"`
+	Sealed                            bool   `json:"sealed"`
+	Standby                           bool   `json:"standby"`
+	PerformanceStandby                bool   `json:"performance_standby"`
+	ReplicationPerformanceMode        string `json:"replication_performance_mode"`
+	ReplicationDRMode                 string `json:"replication_dr_mode"`
+	ServerTimeUTC                     int64  `json:"server_time_utc"`
+	Version                           string `json:"version"`
+	ClusterName                       string `json:"cluster_name,omitempty"`
+	ClusterID                         string `json:"cluster_id,omitempty"`
+	LastWAL                           uint64 `json:"last_wal,omitempty"`
+	Enterprise                        bool   `json:"enterprise"`
+	EchoDurationMillis                int64  `json:"echo_duration_ms"`
+	ClockSkewMillis                   int64  `json:"clock_skew_ms"`
+	ReplicationPrimaryCanaryAgeMillis int64  `json:"replication_primary_canary_age_ms"`
 }
diff --git a/vendor/github.com/hashicorp/vault/api/sys_mounts.go b/vendor/github.com/hashicorp/vault/api/sys_mounts.go
index b9f4f8f6f..64529986a 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_mounts.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_mounts.go
@@ -13,6 +13,39 @@ import (
 	"github.com/mitchellh/mapstructure"
 )
 
+func (c *Sys) GetMount(path string) (*MountOutput, error) {
+	return c.GetMountWithContext(context.Background(), path)
+}
+
+func (c *Sys) GetMountWithContext(ctx context.Context, path string) (*MountOutput, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("/v1/sys/mounts/%s", path))
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+
+	mount := MountOutput{}
+	err = mapstructure.Decode(secret.Data, &mount)
+	if err != nil {
+		return nil, err
+	}
+
+	return &mount, nil
+}
+
 func (c *Sys) ListMounts() (map[string]*MountOutput, error) {
 	return c.ListMountsWithContext(context.Background())
 }
diff --git a/vendor/github.com/hashicorp/vault/api/sys_raft.go b/vendor/github.com/hashicorp/vault/api/sys_raft.go
index 4b9487c61..699f6e9fd 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_raft.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_raft.go
@@ -9,6 +9,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -100,6 +101,23 @@ type AutopilotState struct {
 	OptimisticFailureTolerance int                         `mapstructure:"optimistic_failure_tolerance,omitempty"`
 }
 
+func (a *AutopilotState) String() string {
+	var result string
+	result += fmt.Sprintf("Healthy: %t. FailureTolerance: %d. Leader: %s. OptimisticFailureTolerance: %d\n", a.Healthy, a.FailureTolerance, a.Leader, a.OptimisticFailureTolerance)
+	for _, s := range a.Servers {
+		result += fmt.Sprintf("Server: %s\n", s)
+	}
+	result += fmt.Sprintf("Voters: %v\n", a.Voters)
+	result += fmt.Sprintf("NonVoters: %v\n", a.NonVoters)
+
+	for name, zone := range a.RedundancyZones {
+		result += fmt.Sprintf("RedundancyZone %s: %s\n", name, &zone)
+	}
+
+	result += fmt.Sprintf("Upgrade: %s", a.Upgrade)
+	return result
+}
+
 // AutopilotServer represents the server blocks in the response of the raft
 // autopilot state API.
 type AutopilotServer struct {
@@ -119,12 +137,21 @@ type AutopilotServer struct {
 	NodeType       string `mapstructure:"node_type,omitempty"`
 }
 
+func (a *AutopilotServer) String() string {
+	return fmt.Sprintf("ID: %s. Name: %s. Address: %s. NodeStatus: %s. LastContact: %s. LastTerm: %d. LastIndex: %d. Healthy: %t. StableSince: %s. Status: %s. Version: %s. UpgradeVersion: %s. RedundancyZone: %s. NodeType: %s",
+		a.ID, a.Name, a.Address, a.NodeStatus, a.LastContact, a.LastTerm, a.LastIndex, a.Healthy, a.StableSince, a.Status, a.Version, a.UpgradeVersion, a.RedundancyZone, a.NodeType)
+}
+
 type AutopilotZone struct {
 	Servers          []string `mapstructure:"servers,omitempty"`
 	Voters           []string `mapstructure:"voters,omitempty"`
 	FailureTolerance int      `mapstructure:"failure_tolerance,omitempty"`
 }
 
+func (a *AutopilotZone) String() string {
+	return fmt.Sprintf("Servers: %v. Voters: %v. FailureTolerance: %d", a.Servers, a.Voters, a.FailureTolerance)
+}
+
 type AutopilotUpgrade struct {
 	Status                    string                                  `mapstructure:"status"`
 	TargetVersion             string                                  `mapstructure:"target_version,omitempty"`
@@ -137,6 +164,17 @@ type AutopilotUpgrade struct {
 	RedundancyZones           map[string]AutopilotZoneUpgradeVersions `mapstructure:"redundancy_zones,omitempty"`
 }
 
+func (a *AutopilotUpgrade) String() string {
+	result := fmt.Sprintf("Status: %s. TargetVersion: %s. TargetVersionVoters: %v. TargetVersionNonVoters: %v. TargetVersionReadReplicas: %v. OtherVersionVoters: %v. OtherVersionNonVoters: %v. OtherVersionReadReplicas: %v",
+		a.Status, a.TargetVersion, a.TargetVersionVoters, a.TargetVersionNonVoters, a.TargetVersionReadReplicas, a.OtherVersionVoters, a.OtherVersionNonVoters, a.OtherVersionReadReplicas)
+
+	for name, zone := range a.RedundancyZones {
+		result += fmt.Sprintf("Redundancy Zone %s: %s", name, zone)
+	}
+
+	return result
+}
+
 type AutopilotZoneUpgradeVersions struct {
 	TargetVersionVoters    []string `mapstructure:"target_version_voters,omitempty"`
 	TargetVersionNonVoters []string `mapstructure:"target_version_non_voters,omitempty"`
@@ -144,6 +182,11 @@ type AutopilotZoneUpgradeVersions struct {
 	OtherVersionNonVoters  []string `mapstructure:"other_version_non_voters,omitempty"`
 }
 
+func (a *AutopilotZoneUpgradeVersions) String() string {
+	return fmt.Sprintf("TargetVersionVoters: %v. TargetVersionNonVoters: %v. OtherVersionVoters: %v. OtherVersionNonVoters: %v",
+		a.TargetVersionVoters, a.TargetVersionNonVoters, a.OtherVersionVoters, a.OtherVersionNonVoters)
+}
+
 // RaftJoin wraps RaftJoinWithContext using context.Background.
 func (c *Sys) RaftJoin(opts *RaftJoinRequest) (*RaftJoinResponse, error) {
 	return c.RaftJoinWithContext(context.Background(), opts)
diff --git a/vendor/github.com/kubernetes-csi/csi-lib-utils/connection/connection.go b/vendor/github.com/kubernetes-csi/csi-lib-utils/connection/connection.go
index ee0388934..3efc871b5 100644
--- a/vendor/github.com/kubernetes-csi/csi-lib-utils/connection/connection.go
+++ b/vendor/github.com/kubernetes-csi/csi-lib-utils/connection/connection.go
@@ -29,6 +29,8 @@ import (
 	"github.com/kubernetes-csi/csi-lib-utils/protosanitizer"
 	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/credentials/insecure"
 	"k8s.io/klog/v2"
 )
 
@@ -73,21 +75,21 @@ func SetMaxGRPCLogLength(characterCount int) {
 //
 // For other connections, the default behavior from gRPC is used and
 // loss of connection is not detected reliably.
-func Connect(address string, metricsManager metrics.CSIMetricsManager, options ...Option) (*grpc.ClientConn, error) {
+func Connect(ctx context.Context, address string, metricsManager metrics.CSIMetricsManager, options ...Option) (*grpc.ClientConn, error) {
 	// Prepend default options
 	options = append([]Option{WithTimeout(time.Second * 30)}, options...)
 	if metricsManager != nil {
 		options = append([]Option{WithMetrics(metricsManager)}, options...)
 	}
-	return connect(address, options)
+	return connect(ctx, address, options)
 }
 
 // ConnectWithoutMetrics behaves exactly like Connect except no metrics are recorded.
 // This function is deprecated, prefer using Connect with `nil` as the metricsManager.
-func ConnectWithoutMetrics(address string, options ...Option) (*grpc.ClientConn, error) {
+func ConnectWithoutMetrics(ctx context.Context, address string, options ...Option) (*grpc.ClientConn, error) {
 	// Prepend default options
 	options = append([]Option{WithTimeout(time.Second * 30)}, options...)
-	return connect(address, options)
+	return connect(ctx, address, options)
 }
 
 // Option is the type of all optional parameters for Connect.
@@ -97,7 +99,7 @@ type Option func(o *options)
 // connection got lost. If that callback returns true, the connection
 // is reestablished. Otherwise the connection is left as it is and
 // all future gRPC calls using it will fail with status.Unavailable.
-func OnConnectionLoss(reconnect func() bool) Option {
+func OnConnectionLoss(reconnect func(context.Context) bool) Option {
 	return func(o *options) {
 		o.reconnect = reconnect
 	}
@@ -105,19 +107,25 @@ func OnConnectionLoss(reconnect func() bool) Option {
 
 // ExitOnConnectionLoss returns callback for OnConnectionLoss() that writes
 // an error to /dev/termination-log and exits.
-func ExitOnConnectionLoss() func() bool {
-	return func() bool {
+func ExitOnConnectionLoss() func(context.Context) bool {
+	return func(ctx context.Context) bool {
 		terminationMsg := "Lost connection to CSI driver, exiting"
 		if err := os.WriteFile(terminationLogPath, []byte(terminationMsg), 0644); err != nil {
-			klog.Errorf("%s: %s", terminationLogPath, err)
+			klog.FromContext(ctx).Error(err, "Failed to write a message to the termination logfile", "terminationLogPath", terminationLogPath)
 		}
-		klog.Exit(terminationMsg)
+		klog.FromContext(ctx).Error(nil, terminationMsg)
+		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 		// Not reached.
 		return false
 	}
 }
 
 // WithTimeout adds a configurable timeout on the gRPC calls.
+// Note that this timeout also prevents all attempts to reconnect
+// because it uses context.WithTimeout internally.
+//
+// For more details, see https://github.com/grpc/grpc-go/issues/133
+// and https://github.com/kubernetes-csi/csi-lib-utils/pull/149#discussion_r1574707477
 func WithTimeout(timeout time.Duration) Option {
 	return func(o *options) {
 		o.timeout = timeout
@@ -139,7 +147,7 @@ func WithOtelTracing() Option {
 }
 
 type options struct {
-	reconnect         func() bool
+	reconnect         func(context.Context) bool
 	timeout           time.Duration
 	metricsManager    metrics.CSIMetricsManager
 	enableOtelTracing bool
@@ -147,22 +155,28 @@ type options struct {
 
 // connect is the internal implementation of Connect. It has more options to enable testing.
 func connect(
+	ctx context.Context,
 	address string,
 	connectOptions []Option) (*grpc.ClientConn, error) {
+	logger := klog.FromContext(ctx)
 	var o options
 	for _, option := range connectOptions {
 		option(&o)
 	}
 
+	bc := backoff.DefaultConfig
+	bc.MaxDelay = time.Second
 	dialOptions := []grpc.DialOption{
-		grpc.WithInsecure(),                    // Don't use TLS, it's usually local Unix domain socket in a container.
-		grpc.WithBackoffMaxDelay(time.Second),  // Retry every second after failure.
+		grpc.WithTransportCredentials(insecure.NewCredentials()), // Don't use TLS, it's usually local Unix domain socket in a container.
+		grpc.WithConnectParams(grpc.ConnectParams{Backoff: bc}),  // Retry every second after failure.
 		grpc.WithBlock(),                       // Block until connection succeeds.
 		grpc.WithIdleTimeout(time.Duration(0)), // Never close connection because of inactivity.
 	}
 
 	if o.timeout > 0 {
-		dialOptions = append(dialOptions, grpc.WithTimeout(o.timeout))
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(ctx, o.timeout)
+		defer cancel()
 	}
 
 	interceptors := []grpc.UnaryClientInterceptor{LogGRPC}
@@ -186,20 +200,25 @@ func connect(
 		lostConnection := false
 		reconnect := true
 
-		dialOptions = append(dialOptions, grpc.WithDialer(func(addr string, timeout time.Duration) (net.Conn, error) {
+		dialOptions = append(dialOptions, grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
+			logger := klog.FromContext(ctx)
 			if haveConnected && !lostConnection {
 				// We have detected a loss of connection for the first time. Decide what to do...
 				// Record this once. TODO (?): log at regular time intervals.
-				klog.Errorf("Lost connection to %s.", address)
+				logger.Error(nil, "Lost connection", "address", address)
 				// Inform caller and let it decide? Default is to reconnect.
 				if o.reconnect != nil {
-					reconnect = o.reconnect()
+					reconnect = o.reconnect(ctx)
 				}
 				lostConnection = true
 			}
 			if !reconnect {
 				return nil, errors.New("connection lost, reconnecting disabled")
 			}
+			var timeout time.Duration
+			if deadline, ok := ctx.Deadline(); ok {
+				timeout = time.Until(deadline)
+			}
 			conn, err := net.DialTimeout("unix", address[len(unixPrefix):], timeout)
 			if err == nil {
 				// Connection reestablished.
@@ -212,14 +231,14 @@ func connect(
 		return nil, errors.New("OnConnectionLoss callback only supported for unix:// addresses")
 	}
 
-	klog.V(5).Infof("Connecting to %s", address)
+	logger.V(5).Info("Connecting", "address", address)
 
 	// Connect in background.
 	var conn *grpc.ClientConn
 	var err error
 	ready := make(chan bool)
 	go func() {
-		conn, err = grpc.Dial(address, dialOptions...)
+		conn, err = grpc.DialContext(ctx, address, dialOptions...)
 		close(ready)
 	}()
 
@@ -231,7 +250,7 @@ func connect(
 	for {
 		select {
 		case <-ticker.C:
-			klog.Warningf("Still connecting to %s", address)
+			logger.Info("Still connecting", "address", address)
 
 		case <-ready:
 			return conn, err
@@ -241,15 +260,14 @@ func connect(
 
 // LogGRPC is gPRC unary interceptor for logging of CSI messages at level 5. It removes any secrets from the message.
 func LogGRPC(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
-	klog.V(5).Infof("GRPC call: %s", method)
-	klog.V(5).Infof("GRPC request: %s", protosanitizer.StripSecrets(req))
+	logger := klog.FromContext(ctx)
+	logger.V(5).Info("GRPC call", "method", method, "request", protosanitizer.StripSecrets(req))
 	err := invoker(ctx, method, req, reply, cc, opts...)
 	cappedStr := protosanitizer.StripSecrets(reply).String()
 	if maxLogChar > 0 && len(cappedStr) > maxLogChar {
 		cappedStr = cappedStr[:maxLogChar] + fmt.Sprintf(" [response body too large, log capped to %d chars]", maxLogChar)
 	}
-	klog.V(5).Infof("GRPC response: %s", cappedStr)
-	klog.V(5).Infof("GRPC error: %v", err)
+	logger.V(5).Info("GRPC response", "response", cappedStr, "err", err)
 	return err
 }
 
@@ -286,14 +304,14 @@ func (cmm ExtendedCSIMetricsManager) RecordMetricsClientInterceptor(
 		if additionalInfo != nil {
 			additionalInfoVal, ok := additionalInfo.(AdditionalInfo)
 			if !ok {
-				klog.Errorf("Failed to record migrated status, cannot convert additional info %v", additionalInfo)
+				klog.FromContext(ctx).Error(nil, "Failed to record migrated status, cannot convert additional info", "additionalInfo", additionalInfo)
 				return err
 			}
 			migrated = additionalInfoVal.Migrated
 		}
 		cmmv, metricsErr := cmm.WithLabelValues(map[string]string{metrics.LabelMigrated: migrated})
 		if metricsErr != nil {
-			klog.Errorf("Failed to record migrated status, error: %v", metricsErr)
+			klog.FromContext(ctx).Error(metricsErr, "Failed to record migrated status")
 		} else {
 			cmmBase = cmmv
 		}
diff --git a/vendor/github.com/kubernetes-csi/csi-lib-utils/rpc/common.go b/vendor/github.com/kubernetes-csi/csi-lib-utils/rpc/common.go
index 263bfba37..f83a7f15c 100644
--- a/vendor/github.com/kubernetes-csi/csi-lib-utils/rpc/common.go
+++ b/vendor/github.com/kubernetes-csi/csi-lib-utils/rpc/common.go
@@ -133,10 +133,15 @@ func GetGroupControllerCapabilities(ctx context.Context, conn *grpc.ClientConn)
 
 // ProbeForever calls Probe() of a CSI driver and waits until the driver becomes ready.
 // Any error other than timeout is returned.
-func ProbeForever(conn *grpc.ClientConn, singleProbeTimeout time.Duration) error {
+func ProbeForever(ctx context.Context, conn *grpc.ClientConn, singleProbeTimeout time.Duration) error {
+	logger := klog.FromContext(ctx)
+	ticker := time.NewTicker(probeInterval)
+	defer ticker.Stop()
+
 	for {
-		klog.Info("Probing CSI driver for readiness")
-		ready, err := probeOnce(conn, singleProbeTimeout)
+		// Run the probe once before waiting for the ticker
+		logger.Info("Probing CSI driver for readiness")
+		ready, err := probeOnce(ctx, conn, singleProbeTimeout)
 		if err != nil {
 			st, ok := status.FromError(err)
 			if !ok {
@@ -148,21 +153,25 @@ func ProbeForever(conn *grpc.ClientConn, singleProbeTimeout time.Duration) error
 				return fmt.Errorf("CSI driver probe failed: %s", err)
 			}
 			// Timeout -> driver is not ready. Fall through to sleep() below.
-			klog.Warning("CSI driver probe timed out")
+			logger.Info("CSI driver probe timed out")
 		} else {
 			if ready {
 				return nil
 			}
-			klog.Warning("CSI driver is not ready")
+			logger.Info("CSI driver is not ready")
+		}
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+			continue
 		}
-		// Timeout was returned or driver is not ready.
-		time.Sleep(probeInterval)
 	}
 }
 
 // probeOnce is a helper to simplify defer cancel()
-func probeOnce(conn *grpc.ClientConn, timeout time.Duration) (bool, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+func probeOnce(ctx context.Context, conn *grpc.ClientConn, timeout time.Duration) (bool, error) {
+	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 	return Probe(ctx, conn)
 }
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/LICENSE b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/LICENSE
deleted file mode 100644
index 8dada3eda..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/LICENSE
+++ /dev/null
@@ -1,201 +0,0 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "{}"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright {yyyy} {name of copyright owner}
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/NOTICE b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/NOTICE
deleted file mode 100644
index 5d8cb5b72..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/NOTICE
+++ /dev/null
@@ -1 +0,0 @@
-Copyright 2012 Matt T. Proud (matt.proud@gmail.com)
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/.gitignore b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/.gitignore
deleted file mode 100644
index e16fb946b..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-cover.dat
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/Makefile b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/Makefile
deleted file mode 100644
index 81be21437..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-all:
-
-cover:
-	go test -cover -v -coverprofile=cover.dat ./...
-	go tool cover -func cover.dat
-
-.PHONY: cover
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/decode.go b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/decode.go
deleted file mode 100644
index 7c08e564f..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/decode.go
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright 2013 Matt T. Proud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package pbutil
-
-import (
-	"encoding/binary"
-	"errors"
-	"io"
-
-	"google.golang.org/protobuf/proto"
-)
-
-// TODO: Give error package name prefix in next minor release.
-var errInvalidVarint = errors.New("invalid varint32 encountered")
-
-// ReadDelimited decodes a message from the provided length-delimited stream,
-// where the length is encoded as 32-bit varint prefix to the message body.
-// It returns the total number of bytes read and any applicable error.  This is
-// roughly equivalent to the companion Java API's
-// MessageLite#parseDelimitedFrom.  As per the reader contract, this function
-// calls r.Read repeatedly as required until exactly one message including its
-// prefix is read and decoded (or an error has occurred).  The function never
-// reads more bytes from the stream than required.  The function never returns
-// an error if a message has been read and decoded correctly, even if the end
-// of the stream has been reached in doing so.  In that case, any subsequent
-// calls return (0, io.EOF).
-func ReadDelimited(r io.Reader, m proto.Message) (n int, err error) {
-	// TODO: Consider allowing the caller to specify a decode buffer in the
-	// next major version.
-
-	// TODO: Consider using error wrapping to annotate error state in pass-
-	// through cases in the next minor version.
-
-	// Per AbstractParser#parsePartialDelimitedFrom with
-	// CodedInputStream#readRawVarint32.
-	var headerBuf [binary.MaxVarintLen32]byte
-	var bytesRead, varIntBytes int
-	var messageLength uint64
-	for varIntBytes == 0 { // i.e. no varint has been decoded yet.
-		if bytesRead >= len(headerBuf) {
-			return bytesRead, errInvalidVarint
-		}
-		// We have to read byte by byte here to avoid reading more bytes
-		// than required. Each read byte is appended to what we have
-		// read before.
-		newBytesRead, err := r.Read(headerBuf[bytesRead : bytesRead+1])
-		if newBytesRead == 0 {
-			if err != nil {
-				return bytesRead, err
-			}
-			// A Reader should not return (0, nil); but if it does, it should
-			// be treated as no-op according to the Reader contract.
-			continue
-		}
-		bytesRead += newBytesRead
-		// Now present everything read so far to the varint decoder and
-		// see if a varint can be decoded already.
-		messageLength, varIntBytes = binary.Uvarint(headerBuf[:bytesRead])
-	}
-
-	messageBuf := make([]byte, messageLength)
-	newBytesRead, err := io.ReadFull(r, messageBuf)
-	bytesRead += newBytesRead
-	if err != nil {
-		return bytesRead, err
-	}
-
-	return bytesRead, proto.Unmarshal(messageBuf, m)
-}
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/doc.go b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/doc.go
deleted file mode 100644
index c318385cb..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/doc.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2013 Matt T. Proud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package pbutil provides record length-delimited Protocol Buffer streaming.
-package pbutil
diff --git a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/encode.go b/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/encode.go
deleted file mode 100644
index e58dd9d29..000000000
--- a/vendor/github.com/matttproud/golang_protobuf_extensions/v2/pbutil/encode.go
+++ /dev/null
@@ -1,49 +0,0 @@
-// Copyright 2013 Matt T. Proud
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package pbutil
-
-import (
-	"encoding/binary"
-	"io"
-
-	"google.golang.org/protobuf/proto"
-)
-
-// WriteDelimited encodes and dumps a message to the provided writer prefixed
-// with a 32-bit varint indicating the length of the encoded message, producing
-// a length-delimited record stream, which can be used to chain together
-// encoded messages of the same type together in a file.  It returns the total
-// number of bytes written and any applicable error.  This is roughly
-// equivalent to the companion Java API's MessageLite#writeDelimitedTo.
-func WriteDelimited(w io.Writer, m proto.Message) (n int, err error) {
-	// TODO: Consider allowing the caller to specify an encode buffer in the
-	// next major version.
-
-	buffer, err := proto.Marshal(m)
-	if err != nil {
-		return 0, err
-	}
-
-	var buf [binary.MaxVarintLen32]byte
-	encodedLength := binary.PutUvarint(buf[:], uint64(len(buffer)))
-
-	sync, err := w.Write(buf[:encodedLength])
-	if err != nil {
-		return sync, err
-	}
-
-	n, err = w.Write(buffer)
-	return n + sync, err
-}
diff --git a/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md b/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
index 44222220a..76577dc78 100644
--- a/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
+++ b/vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md
@@ -1,3 +1,48 @@
+## 2.19.0
+
+### Features
+
+[Label Sets](https://onsi.github.io/ginkgo/#label-sets) allow for more expressive and flexible label filtering.
+
+## 2.18.0
+
+### Features
+- Add --slience-skips and --force-newlines [f010b65]
+- fail when no tests were run and --fail-on-empty was set [d80eebe]
+
+### Fixes
+- Fix table entry context edge case [42013d6]
+
+### Maintenance
+- Bump golang.org/x/tools from 0.20.0 to 0.21.0 (#1406) [fcf1fd7]
+- Bump github.com/onsi/gomega from 1.33.0 to 1.33.1 (#1399) [8bb14fd]
+- Bump golang.org/x/net from 0.24.0 to 0.25.0 (#1407) [04bfad7]
+
+## 2.17.3
+
+### Fixes
+`ginkgo watch` now ignores hidden files [bde6e00]
+
+## 2.17.2
+
+### Fixes
+- fix: close files [32259c8]
+- fix github output log level for skipped specs [780e7a3]
+
+### Maintenance
+- Bump github.com/google/pprof [d91fe4e]
+- Bump github.com/go-task/slim-sprig to v3 [8cb662e]
+- Bump golang.org/x/net in /integration/_fixtures/version_mismatch_fixture (#1391) [3134422]
+- Bump github-pages from 230 to 231 in /docs (#1384) [eca81b4]
+- Bump golang.org/x/tools from 0.19.0 to 0.20.0 (#1383) [760def8]
+- Bump golang.org/x/net from 0.23.0 to 0.24.0 (#1381) [4ce33f4]
+- Fix test for gomega version bump [f2fcd97]
+- Bump github.com/onsi/gomega from 1.30.0 to 1.33.0 (#1390) [fd622d2]
+- Bump golang.org/x/tools from 0.17.0 to 0.19.0 (#1368) [5474a26]
+- Bump github-pages from 229 to 230 in /docs (#1359) [e6d1170]
+- Bump google.golang.org/protobuf from 1.28.0 to 1.33.0 (#1374) [7f447b2]
+- Bump golang.org/x/net from 0.20.0 to 0.23.0 (#1380) [f15239a]
+
 ## 2.17.1
 
 ### Fixes
diff --git a/vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md b/vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md
index 1da92fe7e..80de566a5 100644
--- a/vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md
+++ b/vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md
@@ -6,8 +6,10 @@ Your contributions to Ginkgo are essential for its long-term maintenance and imp
 - Ensure adequate test coverage:
     - When adding to the Ginkgo library, add unit and/or integration tests (under the `integration` folder).
     - When adding to the Ginkgo CLI, note that there are very few unit tests.  Please add an integration test.
-- Make sure all the tests succeed via `ginkgo -r -p`
-- Vet your changes via `go vet ./...`
-- Update the documentation. Ginkgo uses `godoc` comments and documentation in `docs/index.md`.  You can run `bundle exec jekyll serve` in the `docs` directory to preview your changes.
+- Run `make` or:
+  - Install ginkgo locally via `go install ./...`
+  - Make sure all the tests succeed via `ginkgo -r -p`
+  - Vet your changes via `go vet ./...`
+- Update the documentation. Ginkgo uses `godoc` comments and documentation in `docs/index.md`.  You can run `bundle && bundle exec jekyll serve` in the `docs` directory to preview your changes.
 
-Thanks for supporting Ginkgo!
\ No newline at end of file
+Thanks for supporting Ginkgo!
diff --git a/vendor/github.com/onsi/ginkgo/v2/Makefile b/vendor/github.com/onsi/ginkgo/v2/Makefile
new file mode 100644
index 000000000..cb099aff9
--- /dev/null
+++ b/vendor/github.com/onsi/ginkgo/v2/Makefile
@@ -0,0 +1,11 @@
+# default task since it's first
+.PHONY: all
+all:  vet test
+
+.PHONY: test
+test:
+	go run github.com/onsi/ginkgo/v2/ginkgo -r -p
+
+.PHONY: vet
+vet:
+	go vet ./...
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go
index 73aff0b7a..b2dc59be6 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go
@@ -7,7 +7,7 @@ import (
 	"os"
 	"text/template"
 
-	sprig "github.com/go-task/slim-sprig"
+	sprig "github.com/go-task/slim-sprig/v3"
 	"github.com/onsi/ginkgo/v2/ginkgo/command"
 	"github.com/onsi/ginkgo/v2/ginkgo/internal"
 	"github.com/onsi/ginkgo/v2/types"
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go
index be01dec97..cf3b7cb6d 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go
@@ -10,7 +10,7 @@ import (
 	"strings"
 	"text/template"
 
-	sprig "github.com/go-task/slim-sprig"
+	sprig "github.com/go-task/slim-sprig/v3"
 	"github.com/onsi/ginkgo/v2/ginkgo/command"
 	"github.com/onsi/ginkgo/v2/ginkgo/internal"
 	"github.com/onsi/ginkgo/v2/types"
@@ -174,6 +174,7 @@ func moduleName(modRoot string) string {
 	if err != nil {
 		return ""
 	}
+	defer modFile.Close()
 
 	mod := make([]byte, 128)
 	_, err = modFile.Read(mod)
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
index 5f35864dd..8e16d2bb0 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go
@@ -161,6 +161,7 @@ func MergeAndCleanupCoverProfiles(profiles []string, destination string) error {
 	if err != nil {
 		return err
 	}
+	defer dst.Close()
 	err = DumpCoverProfiles(merged, dst)
 	if err != nil {
 		return err
@@ -196,6 +197,7 @@ func MergeProfiles(profilePaths []string, destination string) error {
 			return fmt.Errorf("Could not open profile: %s\n%s", profilePath, err.Error())
 		}
 		prof, err := profile.Parse(proFile)
+		_ = proFile.Close()
 		if err != nil {
 			return fmt.Errorf("Could not parse profile: %s\n%s", profilePath, err.Error())
 		}
diff --git a/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go b/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go
index 17d052bdc..0e6ae1f29 100644
--- a/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go
+++ b/vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"regexp"
+	"strings"
 	"time"
 )
 
@@ -79,6 +80,10 @@ func (p *PackageHash) computeHashes() (codeHash string, codeModifiedTime time.Ti
 			continue
 		}
 
+		if isHiddenFile(info) {
+			continue
+		}
+
 		if goTestRegExp.MatchString(info.Name()) {
 			testHash += p.hashForFileInfo(info)
 			if info.ModTime().After(testModifiedTime) {
@@ -103,6 +108,10 @@ func (p *PackageHash) computeHashes() (codeHash string, codeModifiedTime time.Ti
 	return
 }
 
+func isHiddenFile(info os.FileInfo) bool {
+	return strings.HasPrefix(info.Name(), ".") || strings.HasPrefix(info.Name(), "_")
+}
+
 func (p *PackageHash) hashForFileInfo(info os.FileInfo) string {
 	return fmt.Sprintf("%s_%d_%d", info.Name(), info.Size(), info.ModTime().UnixNano())
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/internal/suite.go b/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
index a994ee3d6..a3c9e6bf1 100644
--- a/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
+++ b/vendor/github.com/onsi/ginkgo/v2/internal/suite.go
@@ -489,10 +489,15 @@ func (suite *Suite) runSpecs(description string, suiteLabels Labels, suitePath s
 			newGroup(suite).run(specs.AtIndices(groupedSpecIndices[groupedSpecIdx]))
 		}
 
-		if specs.HasAnySpecsMarkedPending() && suite.config.FailOnPending {
+		if suite.config.FailOnPending && specs.HasAnySpecsMarkedPending() {
 			suite.report.SpecialSuiteFailureReasons = append(suite.report.SpecialSuiteFailureReasons, "Detected pending specs and --fail-on-pending is set")
 			suite.report.SuiteSucceeded = false
 		}
+
+		if suite.config.FailOnEmpty && specs.CountWithoutSkip() == 0 {
+			suite.report.SpecialSuiteFailureReasons = append(suite.report.SpecialSuiteFailureReasons, "Detected no specs ran and --fail-on-empty is set")
+			suite.report.SuiteSucceeded = false
+		}
 	}
 
 	if ranBeforeSuite {
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go b/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
index 4026859ec..480730486 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go
@@ -202,6 +202,11 @@ func (r *DefaultReporter) DidRun(report types.SpecReport) {
 	v := r.conf.Verbosity()
 	inParallel := report.RunningInParallel
 
+	//should we completely omit this spec?
+	if report.State.Is(types.SpecStateSkipped) && r.conf.SilenceSkips {
+		return
+	}
+
 	header := r.specDenoter
 	if report.LeafNodeType.Is(types.NodeTypesForSuiteLevelNodes) {
 		header = fmt.Sprintf("[%s]", report.LeafNodeType)
@@ -278,9 +283,12 @@ func (r *DefaultReporter) DidRun(report types.SpecReport) {
 		}
 	}
 
-	// If we have no content to show, jsut emit the header and return
+	// If we have no content to show, just emit the header and return
 	if !reportHasContent {
 		r.emit(r.f(highlightColor + header + "{{/}}"))
+		if r.conf.ForceNewlines {
+			r.emit("\n")
+		}
 		return
 	}
 
@@ -419,7 +427,11 @@ func (r *DefaultReporter) emitFailure(indent uint, state types.SpecState, failur
 	highlightColor := r.highlightColorForState(state)
 	r.emitBlock(r.fi(indent, highlightColor+"[%s] %s{{/}}", r.humanReadableState(state), failure.Message))
 	if r.conf.GithubOutput {
-		r.emitBlock(r.fi(indent, "::error file=%s,line=%d::%s %s", failure.Location.FileName, failure.Location.LineNumber, failure.FailureNodeType, failure.TimelineLocation.Time.Format(types.GINKGO_TIME_FORMAT)))
+		level := "error"
+		if state.Is(types.SpecStateSkipped) {
+			level = "notice"
+		}
+		r.emitBlock(r.fi(indent, "::%s file=%s,line=%d::%s %s", level, failure.Location.FileName, failure.Location.LineNumber, failure.FailureNodeType, failure.TimelineLocation.Time.Format(types.GINKGO_TIME_FORMAT)))
 	} else {
 		r.emitBlock(r.fi(indent, highlightColor+"In {{bold}}[%s]{{/}}"+highlightColor+" at: {{bold}}%s{{/}} {{gray}}@ %s{{/}}\n", failure.FailureNodeType, failure.Location, failure.TimelineLocation.Time.Format(types.GINKGO_TIME_FORMAT)))
 	}
diff --git a/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go b/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
index 43244a9bd..562e0f62b 100644
--- a/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
+++ b/vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go
@@ -177,6 +177,7 @@ func GenerateJUnitReportWithConfig(report types.Report, dst string, config Junit
 				{"FocusFiles", strings.Join(report.SuiteConfig.FocusFiles, ";")},
 				{"SkipFiles", strings.Join(report.SuiteConfig.SkipFiles, ";")},
 				{"FailOnPending", fmt.Sprintf("%t", report.SuiteConfig.FailOnPending)},
+				{"FailOnEmpty", fmt.Sprintf("%t", report.SuiteConfig.FailOnEmpty)},
 				{"FailFast", fmt.Sprintf("%t", report.SuiteConfig.FailFast)},
 				{"FlakeAttempts", fmt.Sprintf("%d", report.SuiteConfig.FlakeAttempts)},
 				{"DryRun", fmt.Sprintf("%t", report.SuiteConfig.DryRun)},
@@ -324,6 +325,7 @@ func MergeAndCleanupJUnitReports(sources []string, dst string) ([]string, error)
 			continue
 		}
 		err = xml.NewDecoder(f).Decode(&report)
+		_ = f.Close()
 		if err != nil {
 			messages = append(messages, fmt.Sprintf("Could not decode %s:\n%s", source, err.Error()))
 			continue
diff --git a/vendor/github.com/onsi/ginkgo/v2/table_dsl.go b/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
index a3aef821b..c7de7a8be 100644
--- a/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
+++ b/vendor/github.com/onsi/ginkgo/v2/table_dsl.go
@@ -269,11 +269,15 @@ func generateTable(description string, isSubtree bool, args ...interface{}) {
 			internalNodeArgs = append(internalNodeArgs, entry.decorations...)
 
 			hasContext := false
-			if internalBodyType.NumIn() > 0. {
+			if internalBodyType.NumIn() > 0 {
 				if internalBodyType.In(0).Implements(specContextType) {
 					hasContext = true
-				} else if internalBodyType.In(0).Implements(contextType) && (len(entry.parameters) == 0 || !reflect.TypeOf(entry.parameters[0]).Implements(contextType)) {
+				} else if internalBodyType.In(0).Implements(contextType) {
 					hasContext = true
+					if len(entry.parameters) > 0 && reflect.TypeOf(entry.parameters[0]) != nil && reflect.TypeOf(entry.parameters[0]).Implements(contextType) {
+						// we allow you to pass in a non-nil context
+						hasContext = false
+					}
 				}
 			}
 
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/config.go b/vendor/github.com/onsi/ginkgo/v2/types/config.go
index cef273ee1..66463cf5e 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/config.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/config.go
@@ -25,6 +25,7 @@ type SuiteConfig struct {
 	SkipFiles             []string
 	LabelFilter           string
 	FailOnPending         bool
+	FailOnEmpty           bool
 	FailFast              bool
 	FlakeAttempts         int
 	MustPassRepeatedly    int
@@ -90,6 +91,8 @@ type ReporterConfig struct {
 	FullTrace      bool
 	ShowNodeEvents bool
 	GithubOutput   bool
+	SilenceSkips   bool
+	ForceNewlines  bool
 
 	JSONReport     string
 	JUnitReport    string
@@ -275,6 +278,8 @@ var SuiteConfigFlags = GinkgoFlags{
 		Usage: "If set, ginkgo will stop running a test suite after a failure occurs."},
 	{KeyPath: "S.FlakeAttempts", Name: "flake-attempts", SectionKey: "failure", UsageDefaultValue: "0 - failed tests are not retried", DeprecatedName: "flakeAttempts", DeprecatedDocLink: "changed-command-line-flags",
 		Usage: "Make up to this many attempts to run each spec. If any of the attempts succeed, the suite will not be failed."},
+	{KeyPath: "S.FailOnEmpty", Name: "fail-on-empty", SectionKey: "failure",
+		Usage: "If set, ginkgo will mark the test suite as failed if no specs are run."},
 
 	{KeyPath: "S.DryRun", Name: "dry-run", SectionKey: "debug", DeprecatedName: "dryRun", DeprecatedDocLink: "changed-command-line-flags",
 		Usage: "If set, ginkgo will walk the test hierarchy without actually running anything.  Best paired with -v."},
@@ -334,6 +339,10 @@ var ReporterConfigFlags = GinkgoFlags{
 		Usage: "If set, default reporter prints node > Enter and < Exit events when specs fail"},
 	{KeyPath: "R.GithubOutput", Name: "github-output", SectionKey: "output",
 		Usage: "If set, default reporter prints easier to manage output in Github Actions."},
+	{KeyPath: "R.SilenceSkips", Name: "silence-skips", SectionKey: "output",
+		Usage: "If set, default reporter will not print out skipped tests."},
+	{KeyPath: "R.ForceNewlines", Name: "force-newlines", SectionKey: "output",
+		Usage: "If set, default reporter will ensure a newline appears after each test."},
 
 	{KeyPath: "R.JSONReport", Name: "json-report", UsageArgument: "filename.json", SectionKey: "output",
 		Usage: "If set, Ginkgo will generate a JSON-formatted test report at the specified location."},
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go b/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go
index b0d3b651e..7fdc8aa23 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/label_filter.go
@@ -45,6 +45,83 @@ func orAction(a, b LabelFilter) LabelFilter {
 	return func(labels []string) bool { return a(labels) || b(labels) }
 }
 
+func labelSetFor(key string, labels []string) map[string]bool {
+	key = strings.ToLower(strings.TrimSpace(key))
+	out := map[string]bool{}
+	for _, label := range labels {
+		components := strings.SplitN(label, ":", 2)
+		if len(components) < 2 {
+			continue
+		}
+		if key == strings.ToLower(strings.TrimSpace(components[0])) {
+			out[strings.ToLower(strings.TrimSpace(components[1]))] = true
+		}
+	}
+
+	return out
+}
+
+func isEmptyLabelSetAction(key string) LabelFilter {
+	return func(labels []string) bool {
+		return len(labelSetFor(key, labels)) == 0
+	}
+}
+
+func containsAnyLabelSetAction(key string, expectedValues []string) LabelFilter {
+	return func(labels []string) bool {
+		set := labelSetFor(key, labels)
+		for _, value := range expectedValues {
+			if set[value] {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func containsAllLabelSetAction(key string, expectedValues []string) LabelFilter {
+	return func(labels []string) bool {
+		set := labelSetFor(key, labels)
+		for _, value := range expectedValues {
+			if !set[value] {
+				return false
+			}
+		}
+		return true
+	}
+}
+
+func consistsOfLabelSetAction(key string, expectedValues []string) LabelFilter {
+	return func(labels []string) bool {
+		set := labelSetFor(key, labels)
+		if len(set) != len(expectedValues) {
+			return false
+		}
+		for _, value := range expectedValues {
+			if !set[value] {
+				return false
+			}
+		}
+		return true
+	}
+}
+
+func isSubsetOfLabelSetAction(key string, expectedValues []string) LabelFilter {
+	expectedSet := map[string]bool{}
+	for _, value := range expectedValues {
+		expectedSet[value] = true
+	}
+	return func(labels []string) bool {
+		set := labelSetFor(key, labels)
+		for value := range set {
+			if !expectedSet[value] {
+				return false
+			}
+		}
+		return true
+	}
+}
+
 type lfToken uint
 
 const (
@@ -58,6 +135,9 @@ const (
 	lfTokenOr
 	lfTokenRegexp
 	lfTokenLabel
+	lfTokenSetKey
+	lfTokenSetOperation
+	lfTokenSetArgument
 	lfTokenEOF
 )
 
@@ -71,6 +151,8 @@ func (l lfToken) Precedence() int {
 		return 2
 	case lfTokenNot:
 		return 3
+	case lfTokenSetOperation:
+		return 4
 	}
 	return -1
 }
@@ -93,6 +175,12 @@ func (l lfToken) String() string {
 		return "/regexp/"
 	case lfTokenLabel:
 		return "label"
+	case lfTokenSetKey:
+		return "set_key"
+	case lfTokenSetOperation:
+		return "set_operation"
+	case lfTokenSetArgument:
+		return "set_argument"
 	case lfTokenEOF:
 		return "EOF"
 	}
@@ -148,6 +236,35 @@ func (tn *treeNode) constructLabelFilter(input string) (LabelFilter, error) {
 			return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, tn.location, fmt.Sprintf("RegExp compilation error: %s", err))
 		}
 		return matchLabelRegexAction(re), nil
+	case lfTokenSetOperation:
+		tokenSetOperation := strings.ToLower(tn.value)
+		if tokenSetOperation == "isempty" {
+			return isEmptyLabelSetAction(tn.leftNode.value), nil
+		}
+		if tn.rightNode == nil {
+			return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, tn.location, fmt.Sprintf("Set operation '%s' is missing an argument.", tn.value))
+		}
+
+		rawValues := strings.Split(tn.rightNode.value, ",")
+		values := make([]string, len(rawValues))
+		for i := range rawValues {
+			values[i] = strings.ToLower(strings.TrimSpace(rawValues[i]))
+			if strings.ContainsAny(values[i], "&|!,()/") {
+				return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, tn.rightNode.location, fmt.Sprintf("Invalid label value '%s' in set operation argument.", values[i]))
+			} else if values[i] == "" {
+				return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, tn.rightNode.location, "Empty label value in set operation argument.")
+			}
+		}
+		switch tokenSetOperation {
+		case "containsany":
+			return containsAnyLabelSetAction(tn.leftNode.value, values), nil
+		case "containsall":
+			return containsAllLabelSetAction(tn.leftNode.value, values), nil
+		case "consistsof":
+			return consistsOfLabelSetAction(tn.leftNode.value, values), nil
+		case "issubsetof":
+			return isSubsetOfLabelSetAction(tn.leftNode.value, values), nil
+		}
 	}
 
 	if tn.rightNode == nil {
@@ -203,7 +320,17 @@ func (tn *treeNode) toString(indent int) string {
 	return out
 }
 
+var validSetOperations = map[string]string{
+	"containsany": "containsAny",
+	"containsall": "containsAll",
+	"consistsof":  "consistsOf",
+	"issubsetof":  "isSubsetOf",
+	"isempty":     "isEmpty",
+}
+
 func tokenize(input string) func() (*treeNode, error) {
+	lastToken := lfTokenInvalid
+	lastValue := ""
 	runes, i := []rune(input), 0
 
 	peekIs := func(r rune) bool {
@@ -233,6 +360,53 @@ func tokenize(input string) func() (*treeNode, error) {
 		}
 
 		node := &treeNode{location: i}
+		defer func() {
+			lastToken = node.token
+			lastValue = node.value
+		}()
+
+		if lastToken == lfTokenSetKey {
+			//we should get a valid set operation next
+			value, n := consumeUntil(" )")
+			if validSetOperations[strings.ToLower(value)] == "" {
+				return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i, fmt.Sprintf("Invalid set operation '%s'.", value))
+			}
+			i += n
+			node.token, node.value = lfTokenSetOperation, value
+			return node, nil
+		}
+		if lastToken == lfTokenSetOperation {
+			//we should get an argument next, if we aren't isempty
+			var arg = ""
+			origI := i
+			if runes[i] == '{' {
+				i += 1
+				value, n := consumeUntil("}")
+				if i+n >= len(runes) {
+					return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i-1, "Missing closing '}' in set operation argument?")
+				}
+				i += n + 1
+				arg = value
+			} else {
+				value, n := consumeUntil("&|!,()/")
+				i += n
+				arg = strings.TrimSpace(value)
+			}
+			if strings.ToLower(lastValue) == "isempty" && arg != "" {
+				return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, origI, fmt.Sprintf("isEmpty does not take arguments, was passed '%s'.", arg))
+			}
+			if arg == "" && strings.ToLower(lastValue) != "isempty" {
+				if i < len(runes) && runes[i] == '/' {
+					return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, origI, "Set operations do not support regular expressions.")
+				} else {
+					return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, origI, fmt.Sprintf("Set operation '%s' requires an argument.", lastValue))
+				}
+			}
+			// note that we sent an empty SetArgument token if we are isempty
+			node.token, node.value = lfTokenSetArgument, arg
+			return node, nil
+		}
+
 		switch runes[i] {
 		case '&':
 			if !peekIs('&') {
@@ -264,8 +438,38 @@ func tokenize(input string) func() (*treeNode, error) {
 			i += n + 1
 			node.token, node.value = lfTokenRegexp, value
 		default:
-			value, n := consumeUntil("&|!,()/")
+			value, n := consumeUntil("&|!,()/:")
 			i += n
+			value = strings.TrimSpace(value)
+
+			//are we the beginning of a set operation?
+			if i < len(runes) && runes[i] == ':' {
+				if peekIs(' ') {
+					if value == "" {
+						return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i, "Missing set key.")
+					}
+					i += 1
+					//we are the beginning of a set operation
+					node.token, node.value = lfTokenSetKey, value
+					return node, nil
+				}
+				additionalValue, n := consumeUntil("&|!,()/")
+				additionalValue = strings.TrimSpace(additionalValue)
+				if additionalValue == ":" {
+					return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i, "Missing set operation.")
+				}
+				i += n
+				value += additionalValue
+			}
+
+			valueToCheckForSetOperation := strings.ToLower(value)
+			for setOperation := range validSetOperations {
+				idx := strings.Index(valueToCheckForSetOperation, " "+setOperation)
+				if idx > 0 {
+					return &treeNode{}, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, i-n+idx+1, fmt.Sprintf("Looks like you are using the set operator '%s' but did not provide a set key.  Did you forget the ':'?", validSetOperations[setOperation]))
+				}
+			}
+
 			node.token, node.value = lfTokenLabel, strings.TrimSpace(value)
 		}
 		return node, nil
@@ -307,7 +511,7 @@ LOOP:
 		switch node.token {
 		case lfTokenEOF:
 			break LOOP
-		case lfTokenLabel, lfTokenRegexp:
+		case lfTokenLabel, lfTokenRegexp, lfTokenSetKey:
 			if current.rightNode != nil {
 				return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, node.location, "Found two adjacent labels.  You need an operator between them.")
 			}
@@ -326,6 +530,18 @@ LOOP:
 			node.setLeftNode(nodeToStealFrom.rightNode)
 			nodeToStealFrom.setRightNode(node)
 			current = node
+		case lfTokenSetOperation:
+			if current.rightNode == nil {
+				return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, node.location, fmt.Sprintf("Set operation '%s' missing left hand operand.", node.value))
+			}
+			node.setLeftNode(current.rightNode)
+			current.setRightNode(node)
+			current = node
+		case lfTokenSetArgument:
+			if current.rightNode != nil {
+				return nil, GinkgoErrors.SyntaxErrorParsingLabelFilter(input, node.location, fmt.Sprintf("Unexpected set argument '%s'.", node.token))
+			}
+			current.setRightNode(node)
 		case lfTokenCloseGroup:
 			firstUnmatchedOpenNode := current.firstUnmatchedOpenNode()
 			if firstUnmatchedOpenNode == nil {
@@ -354,5 +570,14 @@ func ValidateAndCleanupLabel(label string, cl CodeLocation) (string, error) {
 	if strings.ContainsAny(out, "&|!,()/") {
 		return "", GinkgoErrors.InvalidLabel(label, cl)
 	}
+	if out[0] == ':' {
+		return "", GinkgoErrors.InvalidLabel(label, cl)
+	}
+	if strings.Contains(out, ":") {
+		components := strings.SplitN(out, ":", 2)
+		if len(components) < 2 || components[1] == "" {
+			return "", GinkgoErrors.InvalidLabel(label, cl)
+		}
+	}
 	return out, nil
 }
diff --git a/vendor/github.com/onsi/ginkgo/v2/types/version.go b/vendor/github.com/onsi/ginkgo/v2/types/version.go
index 851d42b45..acab03492 100644
--- a/vendor/github.com/onsi/ginkgo/v2/types/version.go
+++ b/vendor/github.com/onsi/ginkgo/v2/types/version.go
@@ -1,3 +1,3 @@
 package types
 
-const VERSION = "2.17.1"
+const VERSION = "2.19.0"
diff --git a/vendor/github.com/onsi/gomega/CHANGELOG.md b/vendor/github.com/onsi/gomega/CHANGELOG.md
index 01ec5245c..62af14ad2 100644
--- a/vendor/github.com/onsi/gomega/CHANGELOG.md
+++ b/vendor/github.com/onsi/gomega/CHANGELOG.md
@@ -1,3 +1,22 @@
+## 1.33.1
+
+### Fixes
+- fix confusing eventually docs [3a66379]
+
+### Maintenance
+- Bump github.com/onsi/ginkgo/v2 from 2.17.1 to 2.17.2 [e9bc35a]
+
+## 1.33.0
+
+### Features
+
+`Receive` not accepts `Receive(<POINTER>, MATCHER>)`, allowing you to pick out a specific value on the channel that satisfies the provided matcher and is stored in the provided pointer.
+
+### Maintenance
+- Bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.17.1 (#745) [9999deb]
+- Bump github-pages from 229 to 230 in /docs (#735) [cb5ff21]
+- Bump golang.org/x/net from 0.20.0 to 0.23.0 (#746) [bac6596]
+
 ## 1.32.0
 
 ### Maintenance
diff --git a/vendor/github.com/onsi/gomega/gomega_dsl.go b/vendor/github.com/onsi/gomega/gomega_dsl.go
index ffb81b1fe..9697d5134 100644
--- a/vendor/github.com/onsi/gomega/gomega_dsl.go
+++ b/vendor/github.com/onsi/gomega/gomega_dsl.go
@@ -22,7 +22,7 @@ import (
 	"github.com/onsi/gomega/types"
 )
 
-const GOMEGA_VERSION = "1.32.0"
+const GOMEGA_VERSION = "1.33.1"
 
 const nilGomegaPanic = `You are trying to make an assertion, but haven't registered Gomega's fail handler.
 If you're using Ginkgo then you probably forgot to put your assertion in an It().
@@ -372,11 +372,11 @@ You can ensure that you get a number of consecutive successful tries before succ
 
 Finally, in addition to passing timeouts and a context to Eventually you can be more explicit with Eventually's chaining configuration methods:
 
-	Eventually(..., "1s", "2s", ctx).Should(...)
+	Eventually(..., "10s", "2s", ctx).Should(...)
 
 is equivalent to
 
-	Eventually(...).WithTimeout(time.Second).WithPolling(2*time.Second).WithContext(ctx).Should(...)
+	Eventually(...).WithTimeout(10*time.Second).WithPolling(2*time.Second).WithContext(ctx).Should(...)
 */
 func Eventually(actualOrCtx interface{}, args ...interface{}) AsyncAssertion {
 	ensureDefaultGomegaIsConfigured()
diff --git a/vendor/github.com/onsi/gomega/matchers.go b/vendor/github.com/onsi/gomega/matchers.go
index 8860d677f..7ef27dc9c 100644
--- a/vendor/github.com/onsi/gomega/matchers.go
+++ b/vendor/github.com/onsi/gomega/matchers.go
@@ -194,20 +194,21 @@ func BeClosed() types.GomegaMatcher {
 //
 // will repeatedly attempt to pull values out of `c` until a value matching "bar" is received.
 //
-// Finally, if you want to have a reference to the value *sent* to the channel you can pass the `Receive` matcher a pointer to a variable of the appropriate type:
+// Furthermore, if you want to have a reference to the value *sent* to the channel you can pass the `Receive` matcher a pointer to a variable of the appropriate type:
 //
 //	var myThing thing
 //	Eventually(thingChan).Should(Receive(&myThing))
 //	Expect(myThing.Sprocket).Should(Equal("foo"))
 //	Expect(myThing.IsValid()).Should(BeTrue())
+//
+// Finally, if you want to match the received object as well as get the actual received value into a variable, so you can reason further about the value received,
+// you can pass a pointer to a variable of the approriate type first, and second a matcher:
+//
+//	var myThing thing
+//	Eventually(thingChan).Should(Receive(&myThing, ContainSubstring("bar")))
 func Receive(args ...interface{}) types.GomegaMatcher {
-	var arg interface{}
-	if len(args) > 0 {
-		arg = args[0]
-	}
-
 	return &matchers.ReceiveMatcher{
-		Arg: arg,
+		Args: args,
 	}
 }
 
diff --git a/vendor/github.com/onsi/gomega/matchers/receive_matcher.go b/vendor/github.com/onsi/gomega/matchers/receive_matcher.go
index 1936a2ba5..948164eaf 100644
--- a/vendor/github.com/onsi/gomega/matchers/receive_matcher.go
+++ b/vendor/github.com/onsi/gomega/matchers/receive_matcher.go
@@ -3,6 +3,7 @@
 package matchers
 
 import (
+	"errors"
 	"fmt"
 	"reflect"
 
@@ -10,7 +11,7 @@ import (
 )
 
 type ReceiveMatcher struct {
-	Arg           interface{}
+	Args          []interface{}
 	receivedValue reflect.Value
 	channelClosed bool
 }
@@ -29,16 +30,39 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
 
 	var subMatcher omegaMatcher
 	var hasSubMatcher bool
+	var resultReference interface{}
 
-	if matcher.Arg != nil {
-		subMatcher, hasSubMatcher = (matcher.Arg).(omegaMatcher)
-		if !hasSubMatcher {
-			argType := reflect.TypeOf(matcher.Arg)
-			if argType.Kind() != reflect.Ptr {
-				return false, fmt.Errorf("Cannot assign a value from the channel:\n%s\nTo:\n%s\nYou need to pass a pointer!", format.Object(actual, 1), format.Object(matcher.Arg, 1))
-			}
+	// Valid arg formats are as follows, always with optional POINTER before
+	// optional MATCHER:
+	//   - Receive()
+	//   - Receive(POINTER)
+	//   - Receive(MATCHER)
+	//   - Receive(POINTER, MATCHER)
+	args := matcher.Args
+	if len(args) > 0 {
+		arg := args[0]
+		_, isSubMatcher := arg.(omegaMatcher)
+		if !isSubMatcher && reflect.ValueOf(arg).Kind() == reflect.Ptr {
+			// Consume optional POINTER arg first, if it ain't no matcher ;)
+			resultReference = arg
+			args = args[1:]
 		}
 	}
+	if len(args) > 0 {
+		arg := args[0]
+		subMatcher, hasSubMatcher = arg.(omegaMatcher)
+		if !hasSubMatcher {
+			// At this point we assume the dev user wanted to assign a received
+			// value, so [POINTER,]MATCHER.
+			return false, fmt.Errorf("Cannot assign a value from the channel:\n%s\nTo:\n%s\nYou need to pass a pointer!", format.Object(actual, 1), format.Object(arg, 1))
+		}
+		// Consume optional MATCHER arg.
+		args = args[1:]
+	}
+	if len(args) > 0 {
+		// If there are still args present, reject all.
+		return false, errors.New("Receive matcher expects at most an optional pointer and/or an optional matcher")
+	}
 
 	winnerIndex, value, open := reflect.Select([]reflect.SelectCase{
 		{Dir: reflect.SelectRecv, Chan: channelValue},
@@ -58,16 +82,20 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
 	}
 
 	if hasSubMatcher {
-		if didReceive {
-			matcher.receivedValue = value
-			return subMatcher.Match(matcher.receivedValue.Interface())
+		if !didReceive {
+			return false, nil
 		}
-		return false, nil
+		matcher.receivedValue = value
+		if match, err := subMatcher.Match(matcher.receivedValue.Interface()); err != nil || !match {
+			return match, err
+		}
+		// if we received a match, then fall through in order to handle an
+		// optional assignment of the received value to the specified reference.
 	}
 
 	if didReceive {
-		if matcher.Arg != nil {
-			outValue := reflect.ValueOf(matcher.Arg)
+		if resultReference != nil {
+			outValue := reflect.ValueOf(resultReference)
 
 			if value.Type().AssignableTo(outValue.Elem().Type()) {
 				outValue.Elem().Set(value)
@@ -77,7 +105,7 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
 				outValue.Elem().Set(value.Elem())
 				return true, nil
 			} else {
-				return false, fmt.Errorf("Cannot assign a value from the channel:\n%s\nType:\n%s\nTo:\n%s", format.Object(actual, 1), format.Object(value.Interface(), 1), format.Object(matcher.Arg, 1))
+				return false, fmt.Errorf("Cannot assign a value from the channel:\n%s\nType:\n%s\nTo:\n%s", format.Object(actual, 1), format.Object(value.Interface(), 1), format.Object(resultReference, 1))
 			}
 
 		}
@@ -88,7 +116,11 @@ func (matcher *ReceiveMatcher) Match(actual interface{}) (success bool, err erro
 }
 
 func (matcher *ReceiveMatcher) FailureMessage(actual interface{}) (message string) {
-	subMatcher, hasSubMatcher := (matcher.Arg).(omegaMatcher)
+	var matcherArg interface{}
+	if len(matcher.Args) > 0 {
+		matcherArg = matcher.Args[len(matcher.Args)-1]
+	}
+	subMatcher, hasSubMatcher := (matcherArg).(omegaMatcher)
 
 	closedAddendum := ""
 	if matcher.channelClosed {
@@ -105,7 +137,11 @@ func (matcher *ReceiveMatcher) FailureMessage(actual interface{}) (message strin
 }
 
 func (matcher *ReceiveMatcher) NegatedFailureMessage(actual interface{}) (message string) {
-	subMatcher, hasSubMatcher := (matcher.Arg).(omegaMatcher)
+	var matcherArg interface{}
+	if len(matcher.Args) > 0 {
+		matcherArg = matcher.Args[len(matcher.Args)-1]
+	}
+	subMatcher, hasSubMatcher := (matcherArg).(omegaMatcher)
 
 	closedAddendum := ""
 	if matcher.channelClosed {
diff --git a/vendor/github.com/prometheus/client_model/go/metrics.pb.go b/vendor/github.com/prometheus/client_model/go/metrics.pb.go
index cee360db7..2f1549075 100644
--- a/vendor/github.com/prometheus/client_model/go/metrics.pb.go
+++ b/vendor/github.com/prometheus/client_model/go/metrics.pb.go
@@ -483,6 +483,8 @@ type Histogram struct {
 	// histograms.
 	PositiveDelta []int64   `protobuf:"zigzag64,13,rep,name=positive_delta,json=positiveDelta" json:"positive_delta,omitempty"` // Count delta of each bucket compared to previous one (or to zero for 1st bucket).
 	PositiveCount []float64 `protobuf:"fixed64,14,rep,name=positive_count,json=positiveCount" json:"positive_count,omitempty"`  // Absolute count of each bucket.
+	// Only used for native histograms. These exemplars MUST have a timestamp.
+	Exemplars []*Exemplar `protobuf:"bytes,16,rep,name=exemplars" json:"exemplars,omitempty"`
 }
 
 func (x *Histogram) Reset() {
@@ -622,6 +624,13 @@ func (x *Histogram) GetPositiveCount() []float64 {
 	return nil
 }
 
+func (x *Histogram) GetExemplars() []*Exemplar {
+	if x != nil {
+		return x.Exemplars
+	}
+	return nil
+}
+
 // A Bucket of a conventional histogram, each of which is treated as
 // an individual counter-like time series by Prometheus.
 type Bucket struct {
@@ -923,6 +932,7 @@ type MetricFamily struct {
 	Help   *string     `protobuf:"bytes,2,opt,name=help" json:"help,omitempty"`
 	Type   *MetricType `protobuf:"varint,3,opt,name=type,enum=io.prometheus.client.MetricType" json:"type,omitempty"`
 	Metric []*Metric   `protobuf:"bytes,4,rep,name=metric" json:"metric,omitempty"`
+	Unit   *string     `protobuf:"bytes,5,opt,name=unit" json:"unit,omitempty"`
 }
 
 func (x *MetricFamily) Reset() {
@@ -985,6 +995,13 @@ func (x *MetricFamily) GetMetric() []*Metric {
 	return nil
 }
 
+func (x *MetricFamily) GetUnit() string {
+	if x != nil && x.Unit != nil {
+		return *x.Unit
+	}
+	return ""
+}
+
 var File_io_prometheus_client_metrics_proto protoreflect.FileDescriptor
 
 var file_io_prometheus_client_metrics_proto_rawDesc = []byte{
@@ -1028,7 +1045,7 @@ var file_io_prometheus_client_metrics_proto_rawDesc = []byte{
 	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x10, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64,
 	0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0x1f, 0x0a, 0x07, 0x55, 0x6e, 0x74,
 	0x79, 0x70, 0x65, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x01, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xac, 0x05, 0x0a, 0x09, 0x48,
+	0x01, 0x28, 0x01, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xea, 0x05, 0x0a, 0x09, 0x48,
 	0x69, 0x73, 0x74, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x61, 0x6d, 0x70,
 	0x6c, 0x65, 0x5f, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0b,
 	0x73, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x2c, 0x0a, 0x12, 0x73,
@@ -1071,79 +1088,84 @@ var file_io_prometheus_client_metrics_proto_rawDesc = []byte{
 	0x03, 0x28, 0x12, 0x52, 0x0d, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x44, 0x65, 0x6c,
 	0x74, 0x61, 0x12, 0x25, 0x0a, 0x0e, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x63,
 	0x6f, 0x75, 0x6e, 0x74, 0x18, 0x0e, 0x20, 0x03, 0x28, 0x01, 0x52, 0x0d, 0x70, 0x6f, 0x73, 0x69,
-	0x74, 0x69, 0x76, 0x65, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0xc6, 0x01, 0x0a, 0x06, 0x42, 0x75,
-	0x63, 0x6b, 0x65, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x63, 0x75, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x69,
-	0x76, 0x65, 0x5f, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0f,
-	0x63, 0x75, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x69, 0x76, 0x65, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x12,
-	0x34, 0x0a, 0x16, 0x63, 0x75, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x63, 0x6f,
-	0x75, 0x6e, 0x74, 0x5f, 0x66, 0x6c, 0x6f, 0x61, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x01, 0x52,
-	0x14, 0x63, 0x75, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x69, 0x76, 0x65, 0x43, 0x6f, 0x75, 0x6e, 0x74,
-	0x46, 0x6c, 0x6f, 0x61, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x75, 0x70, 0x70, 0x65, 0x72, 0x5f, 0x62,
-	0x6f, 0x75, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x01, 0x52, 0x0a, 0x75, 0x70, 0x70, 0x65,
-	0x72, 0x42, 0x6f, 0x75, 0x6e, 0x64, 0x12, 0x3a, 0x0a, 0x08, 0x65, 0x78, 0x65, 0x6d, 0x70, 0x6c,
-	0x61, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72,
-	0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e,
-	0x45, 0x78, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x72, 0x52, 0x08, 0x65, 0x78, 0x65, 0x6d, 0x70, 0x6c,
-	0x61, 0x72, 0x22, 0x3c, 0x0a, 0x0a, 0x42, 0x75, 0x63, 0x6b, 0x65, 0x74, 0x53, 0x70, 0x61, 0x6e,
-	0x12, 0x16, 0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x11,
-	0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67,
-	0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68,
-	0x22, 0x91, 0x01, 0x0a, 0x08, 0x45, 0x78, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x72, 0x12, 0x35, 0x0a,
+	0x74, 0x69, 0x76, 0x65, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x3c, 0x0a, 0x09, 0x65, 0x78, 0x65,
+	0x6d, 0x70, 0x6c, 0x61, 0x72, 0x73, 0x18, 0x10, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x69,
+	0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69,
+	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x78, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x72, 0x52, 0x09, 0x65, 0x78,
+	0x65, 0x6d, 0x70, 0x6c, 0x61, 0x72, 0x73, 0x22, 0xc6, 0x01, 0x0a, 0x06, 0x42, 0x75, 0x63, 0x6b,
+	0x65, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x63, 0x75, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x69, 0x76, 0x65,
+	0x5f, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0f, 0x63, 0x75,
+	0x6d, 0x75, 0x6c, 0x61, 0x74, 0x69, 0x76, 0x65, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x34, 0x0a,
+	0x16, 0x63, 0x75, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x63, 0x6f, 0x75, 0x6e,
+	0x74, 0x5f, 0x66, 0x6c, 0x6f, 0x61, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x01, 0x52, 0x14, 0x63,
+	0x75, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x69, 0x76, 0x65, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x46, 0x6c,
+	0x6f, 0x61, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x75, 0x70, 0x70, 0x65, 0x72, 0x5f, 0x62, 0x6f, 0x75,
+	0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x01, 0x52, 0x0a, 0x75, 0x70, 0x70, 0x65, 0x72, 0x42,
+	0x6f, 0x75, 0x6e, 0x64, 0x12, 0x3a, 0x0a, 0x08, 0x65, 0x78, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x72,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d,
+	0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x78,
+	0x65, 0x6d, 0x70, 0x6c, 0x61, 0x72, 0x52, 0x08, 0x65, 0x78, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x72,
+	0x22, 0x3c, 0x0a, 0x0a, 0x42, 0x75, 0x63, 0x6b, 0x65, 0x74, 0x53, 0x70, 0x61, 0x6e, 0x12, 0x16,
+	0x0a, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x11, 0x52, 0x06,
+	0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, 0x91,
+	0x01, 0x0a, 0x08, 0x45, 0x78, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x72, 0x12, 0x35, 0x0a, 0x05, 0x6c,
+	0x61, 0x62, 0x65, 0x6c, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x69, 0x6f, 0x2e,
+	0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e,
+	0x74, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x50, 0x61, 0x69, 0x72, 0x52, 0x05, 0x6c, 0x61, 0x62,
+	0x65, 0x6c, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x01, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x38, 0x0a, 0x09, 0x74, 0x69, 0x6d, 0x65,
+	0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
+	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
+	0x6d, 0x70, 0x22, 0xff, 0x02, 0x0a, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x12, 0x35, 0x0a,
 	0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x69,
 	0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69,
 	0x65, 0x6e, 0x74, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x50, 0x61, 0x69, 0x72, 0x52, 0x05, 0x6c,
-	0x61, 0x62, 0x65, 0x6c, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x01, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x38, 0x0a, 0x09, 0x74, 0x69,
-	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x74, 0x69, 0x6d, 0x65, 0x73,
-	0x74, 0x61, 0x6d, 0x70, 0x22, 0xff, 0x02, 0x0a, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x12,
-	0x35, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f,
-	0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63,
-	0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x50, 0x61, 0x69, 0x72, 0x52,
-	0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x31, 0x0a, 0x05, 0x67, 0x61, 0x75, 0x67, 0x65, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65,
-	0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x61, 0x75,
-	0x67, 0x65, 0x52, 0x05, 0x67, 0x61, 0x75, 0x67, 0x65, 0x12, 0x37, 0x0a, 0x07, 0x63, 0x6f, 0x75,
-	0x6e, 0x74, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x69, 0x6f, 0x2e,
+	0x61, 0x62, 0x65, 0x6c, 0x12, 0x31, 0x0a, 0x05, 0x67, 0x61, 0x75, 0x67, 0x65, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68,
+	0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x61, 0x75, 0x67, 0x65,
+	0x52, 0x05, 0x67, 0x61, 0x75, 0x67, 0x65, 0x12, 0x37, 0x0a, 0x07, 0x63, 0x6f, 0x75, 0x6e, 0x74,
+	0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72,
+	0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e,
+	0x43, 0x6f, 0x75, 0x6e, 0x74, 0x65, 0x72, 0x52, 0x07, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x65, 0x72,
+	0x12, 0x37, 0x0a, 0x07, 0x73, 0x75, 0x6d, 0x6d, 0x61, 0x72, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x1d, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75,
+	0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x75, 0x6d, 0x6d, 0x61, 0x72, 0x79,
+	0x52, 0x07, 0x73, 0x75, 0x6d, 0x6d, 0x61, 0x72, 0x79, 0x12, 0x37, 0x0a, 0x07, 0x75, 0x6e, 0x74,
+	0x79, 0x70, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x69, 0x6f, 0x2e,
 	0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e,
-	0x74, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x65, 0x72, 0x52, 0x07, 0x63, 0x6f, 0x75, 0x6e, 0x74,
-	0x65, 0x72, 0x12, 0x37, 0x0a, 0x07, 0x73, 0x75, 0x6d, 0x6d, 0x61, 0x72, 0x79, 0x18, 0x04, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68,
-	0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x75, 0x6d, 0x6d, 0x61,
-	0x72, 0x79, 0x52, 0x07, 0x73, 0x75, 0x6d, 0x6d, 0x61, 0x72, 0x79, 0x12, 0x37, 0x0a, 0x07, 0x75,
-	0x6e, 0x74, 0x79, 0x70, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x69,
-	0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69,
-	0x65, 0x6e, 0x74, 0x2e, 0x55, 0x6e, 0x74, 0x79, 0x70, 0x65, 0x64, 0x52, 0x07, 0x75, 0x6e, 0x74,
-	0x79, 0x70, 0x65, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x68, 0x69, 0x73, 0x74, 0x6f, 0x67, 0x72, 0x61,
-	0x6d, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f,
-	0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x48,
-	0x69, 0x73, 0x74, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x52, 0x09, 0x68, 0x69, 0x73, 0x74, 0x6f, 0x67,
-	0x72, 0x61, 0x6d, 0x12, 0x21, 0x0a, 0x0c, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
-	0x5f, 0x6d, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x74, 0x69, 0x6d, 0x65, 0x73,
-	0x74, 0x61, 0x6d, 0x70, 0x4d, 0x73, 0x22, 0xa2, 0x01, 0x0a, 0x0c, 0x4d, 0x65, 0x74, 0x72, 0x69,
-	0x63, 0x46, 0x61, 0x6d, 0x69, 0x6c, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x68,
-	0x65, 0x6c, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x65, 0x6c, 0x70, 0x12,
-	0x34, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e,
-	0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c,
-	0x69, 0x65, 0x6e, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x54, 0x79, 0x70, 0x65, 0x52,
-	0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x34, 0x0a, 0x06, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x18,
-	0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65,
-	0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x4d, 0x65, 0x74,
-	0x72, 0x69, 0x63, 0x52, 0x06, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x2a, 0x62, 0x0a, 0x0a, 0x4d,
-	0x65, 0x74, 0x72, 0x69, 0x63, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x43, 0x4f, 0x55,
-	0x4e, 0x54, 0x45, 0x52, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x47, 0x41, 0x55, 0x47, 0x45, 0x10,
-	0x01, 0x12, 0x0b, 0x0a, 0x07, 0x53, 0x55, 0x4d, 0x4d, 0x41, 0x52, 0x59, 0x10, 0x02, 0x12, 0x0b,
-	0x0a, 0x07, 0x55, 0x4e, 0x54, 0x59, 0x50, 0x45, 0x44, 0x10, 0x03, 0x12, 0x0d, 0x0a, 0x09, 0x48,
-	0x49, 0x53, 0x54, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, 0x47, 0x41,
-	0x55, 0x47, 0x45, 0x5f, 0x48, 0x49, 0x53, 0x54, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x10, 0x05, 0x42,
-	0x52, 0x0a, 0x14, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73,
-	0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
-	0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2f, 0x63,
-	0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x2f, 0x67, 0x6f, 0x3b, 0x69,
-	0x6f, 0x5f, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x5f, 0x63, 0x6c, 0x69,
-	0x65, 0x6e, 0x74,
+	0x74, 0x2e, 0x55, 0x6e, 0x74, 0x79, 0x70, 0x65, 0x64, 0x52, 0x07, 0x75, 0x6e, 0x74, 0x79, 0x70,
+	0x65, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x68, 0x69, 0x73, 0x74, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x18,
+	0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65,
+	0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x69, 0x73,
+	0x74, 0x6f, 0x67, 0x72, 0x61, 0x6d, 0x52, 0x09, 0x68, 0x69, 0x73, 0x74, 0x6f, 0x67, 0x72, 0x61,
+	0x6d, 0x12, 0x21, 0x0a, 0x0c, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x5f, 0x6d,
+	0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
+	0x6d, 0x70, 0x4d, 0x73, 0x22, 0xb6, 0x01, 0x0a, 0x0c, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x46,
+	0x61, 0x6d, 0x69, 0x6c, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x65, 0x6c,
+	0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x65, 0x6c, 0x70, 0x12, 0x34, 0x0a,
+	0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x69, 0x6f,
+	0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65,
+	0x6e, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74,
+	0x79, 0x70, 0x65, 0x12, 0x34, 0x0a, 0x06, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x18, 0x04, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68,
+	0x65, 0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69,
+	0x63, 0x52, 0x06, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x6e, 0x69,
+	0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x6e, 0x69, 0x74, 0x2a, 0x62, 0x0a,
+	0x0a, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x43,
+	0x4f, 0x55, 0x4e, 0x54, 0x45, 0x52, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x47, 0x41, 0x55, 0x47,
+	0x45, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x53, 0x55, 0x4d, 0x4d, 0x41, 0x52, 0x59, 0x10, 0x02,
+	0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x54, 0x59, 0x50, 0x45, 0x44, 0x10, 0x03, 0x12, 0x0d, 0x0a,
+	0x09, 0x48, 0x49, 0x53, 0x54, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f,
+	0x47, 0x41, 0x55, 0x47, 0x45, 0x5f, 0x48, 0x49, 0x53, 0x54, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x10,
+	0x05, 0x42, 0x52, 0x0a, 0x14, 0x69, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65,
+	0x75, 0x73, 0x2e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75,
+	0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73,
+	0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x6c, 0x2f, 0x67, 0x6f,
+	0x3b, 0x69, 0x6f, 0x5f, 0x70, 0x72, 0x6f, 0x6d, 0x65, 0x74, 0x68, 0x65, 0x75, 0x73, 0x5f, 0x63,
+	0x6c, 0x69, 0x65, 0x6e, 0x74,
 }
 
 var (
@@ -1185,22 +1207,23 @@ var file_io_prometheus_client_metrics_proto_depIdxs = []int32{
 	13, // 5: io.prometheus.client.Histogram.created_timestamp:type_name -> google.protobuf.Timestamp
 	9,  // 6: io.prometheus.client.Histogram.negative_span:type_name -> io.prometheus.client.BucketSpan
 	9,  // 7: io.prometheus.client.Histogram.positive_span:type_name -> io.prometheus.client.BucketSpan
-	10, // 8: io.prometheus.client.Bucket.exemplar:type_name -> io.prometheus.client.Exemplar
-	1,  // 9: io.prometheus.client.Exemplar.label:type_name -> io.prometheus.client.LabelPair
-	13, // 10: io.prometheus.client.Exemplar.timestamp:type_name -> google.protobuf.Timestamp
-	1,  // 11: io.prometheus.client.Metric.label:type_name -> io.prometheus.client.LabelPair
-	2,  // 12: io.prometheus.client.Metric.gauge:type_name -> io.prometheus.client.Gauge
-	3,  // 13: io.prometheus.client.Metric.counter:type_name -> io.prometheus.client.Counter
-	5,  // 14: io.prometheus.client.Metric.summary:type_name -> io.prometheus.client.Summary
-	6,  // 15: io.prometheus.client.Metric.untyped:type_name -> io.prometheus.client.Untyped
-	7,  // 16: io.prometheus.client.Metric.histogram:type_name -> io.prometheus.client.Histogram
-	0,  // 17: io.prometheus.client.MetricFamily.type:type_name -> io.prometheus.client.MetricType
-	11, // 18: io.prometheus.client.MetricFamily.metric:type_name -> io.prometheus.client.Metric
-	19, // [19:19] is the sub-list for method output_type
-	19, // [19:19] is the sub-list for method input_type
-	19, // [19:19] is the sub-list for extension type_name
-	19, // [19:19] is the sub-list for extension extendee
-	0,  // [0:19] is the sub-list for field type_name
+	10, // 8: io.prometheus.client.Histogram.exemplars:type_name -> io.prometheus.client.Exemplar
+	10, // 9: io.prometheus.client.Bucket.exemplar:type_name -> io.prometheus.client.Exemplar
+	1,  // 10: io.prometheus.client.Exemplar.label:type_name -> io.prometheus.client.LabelPair
+	13, // 11: io.prometheus.client.Exemplar.timestamp:type_name -> google.protobuf.Timestamp
+	1,  // 12: io.prometheus.client.Metric.label:type_name -> io.prometheus.client.LabelPair
+	2,  // 13: io.prometheus.client.Metric.gauge:type_name -> io.prometheus.client.Gauge
+	3,  // 14: io.prometheus.client.Metric.counter:type_name -> io.prometheus.client.Counter
+	5,  // 15: io.prometheus.client.Metric.summary:type_name -> io.prometheus.client.Summary
+	6,  // 16: io.prometheus.client.Metric.untyped:type_name -> io.prometheus.client.Untyped
+	7,  // 17: io.prometheus.client.Metric.histogram:type_name -> io.prometheus.client.Histogram
+	0,  // 18: io.prometheus.client.MetricFamily.type:type_name -> io.prometheus.client.MetricType
+	11, // 19: io.prometheus.client.MetricFamily.metric:type_name -> io.prometheus.client.Metric
+	20, // [20:20] is the sub-list for method output_type
+	20, // [20:20] is the sub-list for method input_type
+	20, // [20:20] is the sub-list for extension type_name
+	20, // [20:20] is the sub-list for extension extendee
+	0,  // [0:20] is the sub-list for field type_name
 }
 
 func init() { file_io_prometheus_client_metrics_proto_init() }
diff --git a/vendor/github.com/prometheus/common/expfmt/decode.go b/vendor/github.com/prometheus/common/expfmt/decode.go
index 0ca86a3dc..3597bfd93 100644
--- a/vendor/github.com/prometheus/common/expfmt/decode.go
+++ b/vendor/github.com/prometheus/common/expfmt/decode.go
@@ -14,6 +14,7 @@
 package expfmt
 
 import (
+	"bufio"
 	"fmt"
 	"io"
 	"math"
@@ -21,8 +22,8 @@ import (
 	"net/http"
 
 	dto "github.com/prometheus/client_model/go"
+	"google.golang.org/protobuf/encoding/protodelim"
 
-	"github.com/matttproud/golang_protobuf_extensions/v2/pbutil"
 	"github.com/prometheus/common/model"
 )
 
@@ -72,8 +73,8 @@ func ResponseFormat(h http.Header) Format {
 // NewDecoder returns a new decoder based on the given input format.
 // If the input format does not imply otherwise, a text format decoder is returned.
 func NewDecoder(r io.Reader, format Format) Decoder {
-	switch format {
-	case FmtProtoDelim:
+	switch format.FormatType() {
+	case TypeProtoDelim:
 		return &protoDecoder{r: r}
 	}
 	return &textDecoder{r: r}
@@ -86,8 +87,10 @@ type protoDecoder struct {
 
 // Decode implements the Decoder interface.
 func (d *protoDecoder) Decode(v *dto.MetricFamily) error {
-	_, err := pbutil.ReadDelimited(d.r, v)
-	if err != nil {
+	opts := protodelim.UnmarshalOptions{
+		MaxSize: -1,
+	}
+	if err := opts.UnmarshalFrom(bufio.NewReader(d.r), v); err != nil {
 		return err
 	}
 	if !model.IsValidMetricName(model.LabelValue(v.GetName())) {
diff --git a/vendor/github.com/prometheus/common/expfmt/encode.go b/vendor/github.com/prometheus/common/expfmt/encode.go
index ca2140600..97ee673d9 100644
--- a/vendor/github.com/prometheus/common/expfmt/encode.go
+++ b/vendor/github.com/prometheus/common/expfmt/encode.go
@@ -18,10 +18,12 @@ import (
 	"io"
 	"net/http"
 
-	"github.com/matttproud/golang_protobuf_extensions/v2/pbutil"
-	"github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg"
+	"google.golang.org/protobuf/encoding/protodelim"
 	"google.golang.org/protobuf/encoding/prototext"
 
+	"github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg"
+	"github.com/prometheus/common/model"
+
 	dto "github.com/prometheus/client_model/go"
 )
 
@@ -60,23 +62,32 @@ func (ec encoderCloser) Close() error {
 // as the support is still experimental. To include the option to negotiate
 // FmtOpenMetrics, use NegotiateOpenMetrics.
 func Negotiate(h http.Header) Format {
+	escapingScheme := Format(fmt.Sprintf("; escaping=%s", Format(model.NameEscapingScheme.String())))
 	for _, ac := range goautoneg.ParseAccept(h.Get(hdrAccept)) {
+		if escapeParam := ac.Params[model.EscapingKey]; escapeParam != "" {
+			switch Format(escapeParam) {
+			case model.AllowUTF8, model.EscapeUnderscores, model.EscapeDots, model.EscapeValues:
+				escapingScheme = Format(fmt.Sprintf("; escaping=%s", escapeParam))
+			default:
+				// If the escaping parameter is unknown, ignore it.
+			}
+		}
 		ver := ac.Params["version"]
 		if ac.Type+"/"+ac.SubType == ProtoType && ac.Params["proto"] == ProtoProtocol {
 			switch ac.Params["encoding"] {
 			case "delimited":
-				return FmtProtoDelim
+				return FmtProtoDelim + escapingScheme
 			case "text":
-				return FmtProtoText
+				return FmtProtoText + escapingScheme
 			case "compact-text":
-				return FmtProtoCompact
+				return FmtProtoCompact + escapingScheme
 			}
 		}
 		if ac.Type == "text" && ac.SubType == "plain" && (ver == TextVersion || ver == "") {
-			return FmtText
+			return FmtText + escapingScheme
 		}
 	}
-	return FmtText
+	return FmtText + escapingScheme
 }
 
 // NegotiateIncludingOpenMetrics works like Negotiate but includes
@@ -84,29 +95,40 @@ func Negotiate(h http.Header) Format {
 // temporary and will disappear once FmtOpenMetrics is fully supported and as
 // such may be negotiated by the normal Negotiate function.
 func NegotiateIncludingOpenMetrics(h http.Header) Format {
+	escapingScheme := Format(fmt.Sprintf("; escaping=%s", Format(model.NameEscapingScheme.String())))
 	for _, ac := range goautoneg.ParseAccept(h.Get(hdrAccept)) {
+		if escapeParam := ac.Params[model.EscapingKey]; escapeParam != "" {
+			switch Format(escapeParam) {
+			case model.AllowUTF8, model.EscapeUnderscores, model.EscapeDots, model.EscapeValues:
+				escapingScheme = Format(fmt.Sprintf("; escaping=%s", escapeParam))
+			default:
+				// If the escaping parameter is unknown, ignore it.
+			}
+		}
 		ver := ac.Params["version"]
 		if ac.Type+"/"+ac.SubType == ProtoType && ac.Params["proto"] == ProtoProtocol {
 			switch ac.Params["encoding"] {
 			case "delimited":
-				return FmtProtoDelim
+				return FmtProtoDelim + escapingScheme
 			case "text":
-				return FmtProtoText
+				return FmtProtoText + escapingScheme
 			case "compact-text":
-				return FmtProtoCompact
+				return FmtProtoCompact + escapingScheme
 			}
 		}
 		if ac.Type == "text" && ac.SubType == "plain" && (ver == TextVersion || ver == "") {
-			return FmtText
+			return FmtText + escapingScheme
 		}
 		if ac.Type+"/"+ac.SubType == OpenMetricsType && (ver == OpenMetricsVersion_0_0_1 || ver == OpenMetricsVersion_1_0_0 || ver == "") {
-			if ver == OpenMetricsVersion_1_0_0 {
-				return FmtOpenMetrics_1_0_0
+			switch ver {
+			case OpenMetricsVersion_1_0_0:
+				return FmtOpenMetrics_1_0_0 + escapingScheme
+			default:
+				return FmtOpenMetrics_0_0_1 + escapingScheme
 			}
-			return FmtOpenMetrics_0_0_1
 		}
 	}
-	return FmtText
+	return FmtText + escapingScheme
 }
 
 // NewEncoder returns a new encoder based on content type negotiation. All
@@ -115,44 +137,48 @@ func NegotiateIncludingOpenMetrics(h http.Header) Format {
 // for FmtOpenMetrics, but a future (breaking) release will add the Close method
 // to the Encoder interface directly. The current version of the Encoder
 // interface is kept for backwards compatibility.
+// In cases where the Format does not allow for UTF-8 names, the global
+// NameEscapingScheme will be applied.
 func NewEncoder(w io.Writer, format Format) Encoder {
-	switch format {
-	case FmtProtoDelim:
+	escapingScheme := format.ToEscapingScheme()
+
+	switch format.FormatType() {
+	case TypeProtoDelim:
 		return encoderCloser{
 			encode: func(v *dto.MetricFamily) error {
-				_, err := pbutil.WriteDelimited(w, v)
+				_, err := protodelim.MarshalTo(w, v)
 				return err
 			},
 			close: func() error { return nil },
 		}
-	case FmtProtoCompact:
+	case TypeProtoCompact:
 		return encoderCloser{
 			encode: func(v *dto.MetricFamily) error {
-				_, err := fmt.Fprintln(w, v.String())
+				_, err := fmt.Fprintln(w, model.EscapeMetricFamily(v, escapingScheme).String())
 				return err
 			},
 			close: func() error { return nil },
 		}
-	case FmtProtoText:
+	case TypeProtoText:
 		return encoderCloser{
 			encode: func(v *dto.MetricFamily) error {
-				_, err := fmt.Fprintln(w, prototext.Format(v))
+				_, err := fmt.Fprintln(w, prototext.Format(model.EscapeMetricFamily(v, escapingScheme)))
 				return err
 			},
 			close: func() error { return nil },
 		}
-	case FmtText:
+	case TypeTextPlain:
 		return encoderCloser{
 			encode: func(v *dto.MetricFamily) error {
-				_, err := MetricFamilyToText(w, v)
+				_, err := MetricFamilyToText(w, model.EscapeMetricFamily(v, escapingScheme))
 				return err
 			},
 			close: func() error { return nil },
 		}
-	case FmtOpenMetrics_0_0_1, FmtOpenMetrics_1_0_0:
+	case TypeOpenMetrics:
 		return encoderCloser{
 			encode: func(v *dto.MetricFamily) error {
-				_, err := MetricFamilyToOpenMetrics(w, v)
+				_, err := MetricFamilyToOpenMetrics(w, model.EscapeMetricFamily(v, escapingScheme))
 				return err
 			},
 			close: func() error {
diff --git a/vendor/github.com/prometheus/common/expfmt/expfmt.go b/vendor/github.com/prometheus/common/expfmt/expfmt.go
index c4cb20f0d..f9b6f70fe 100644
--- a/vendor/github.com/prometheus/common/expfmt/expfmt.go
+++ b/vendor/github.com/prometheus/common/expfmt/expfmt.go
@@ -14,10 +14,22 @@
 // Package expfmt contains tools for reading and writing Prometheus metrics.
 package expfmt
 
+import (
+	"strings"
+
+	"github.com/prometheus/common/model"
+)
+
 // Format specifies the HTTP content type of the different wire protocols.
 type Format string
 
-// Constants to assemble the Content-Type values for the different wire protocols.
+// Constants to assemble the Content-Type values for the different wire
+// protocols. The Content-Type strings here are all for the legacy exposition
+// formats, where valid characters for metric names and label names are limited.
+// Support for arbitrary UTF-8 characters in those names is already partially
+// implemented in this module (see model.ValidationScheme), but to actually use
+// it on the wire, new content-type strings will have to be agreed upon and
+// added here.
 const (
 	TextVersion              = "0.0.4"
 	ProtoType                = `application/vnd.google.protobuf`
@@ -27,7 +39,8 @@ const (
 	OpenMetricsVersion_0_0_1 = "0.0.1"
 	OpenMetricsVersion_1_0_0 = "1.0.0"
 
-	// The Content-Type values for the different wire protocols.
+	// The Content-Type values for the different wire protocols. Do not do direct
+	// comparisons to these constants, instead use the comparison functions.
 	FmtUnknown           Format = `<unknown>`
 	FmtText              Format = `text/plain; version=` + TextVersion + `; charset=utf-8`
 	FmtProtoDelim        Format = ProtoFmt + ` encoding=delimited`
@@ -41,3 +54,93 @@ const (
 	hdrContentType = "Content-Type"
 	hdrAccept      = "Accept"
 )
+
+// FormatType is a Go enum representing the overall category for the given
+// Format. As the number of Format permutations increases, doing basic string
+// comparisons are not feasible, so this enum captures the most useful
+// high-level attribute of the Format string.
+type FormatType int
+
+const (
+	TypeUnknown = iota
+	TypeProtoCompact
+	TypeProtoDelim
+	TypeProtoText
+	TypeTextPlain
+	TypeOpenMetrics
+)
+
+// FormatType deduces an overall FormatType for the given format.
+func (f Format) FormatType() FormatType {
+	toks := strings.Split(string(f), ";")
+	if len(toks) < 2 {
+		return TypeUnknown
+	}
+
+	params := make(map[string]string)
+	for i, t := range toks {
+		if i == 0 {
+			continue
+		}
+		args := strings.Split(t, "=")
+		if len(args) != 2 {
+			continue
+		}
+		params[strings.TrimSpace(args[0])] = strings.TrimSpace(args[1])
+	}
+
+	switch strings.TrimSpace(toks[0]) {
+	case ProtoType:
+		if params["proto"] != ProtoProtocol {
+			return TypeUnknown
+		}
+		switch params["encoding"] {
+		case "delimited":
+			return TypeProtoDelim
+		case "text":
+			return TypeProtoText
+		case "compact-text":
+			return TypeProtoCompact
+		default:
+			return TypeUnknown
+		}
+	case OpenMetricsType:
+		if params["charset"] != "utf-8" {
+			return TypeUnknown
+		}
+		return TypeOpenMetrics
+	case "text/plain":
+		v, ok := params["version"]
+		if !ok {
+			return TypeTextPlain
+		}
+		if v == TextVersion {
+			return TypeTextPlain
+		}
+		return TypeUnknown
+	default:
+		return TypeUnknown
+	}
+}
+
+// ToEscapingScheme returns an EscapingScheme depending on the Format. Iff the
+// Format contains a escaping=allow-utf-8 term, it will select NoEscaping. If a valid
+// "escaping" term exists, that will be used. Otherwise, the global default will
+// be returned.
+func (format Format) ToEscapingScheme() model.EscapingScheme {
+	for _, p := range strings.Split(string(format), ";") {
+		toks := strings.Split(p, "=")
+		if len(toks) != 2 {
+			continue
+		}
+		key, value := strings.TrimSpace(toks[0]), strings.TrimSpace(toks[1])
+		if key == model.EscapingKey {
+			scheme, err := model.ToEscapingScheme(value)
+			if err != nil {
+				return model.NameEscapingScheme
+			}
+			return scheme
+		}
+	}
+	return model.NameEscapingScheme
+}
diff --git a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
index 21cdddcf0..5622578ed 100644
--- a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
+++ b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go
@@ -35,6 +35,18 @@ import (
 // sanity checks. If the input contains duplicate metrics or invalid metric or
 // label names, the conversion will result in invalid text format output.
 //
+// If metric names conform to the legacy validation pattern, they will be placed
+// outside the brackets in the traditional way, like `foo{}`. If the metric name
+// fails the legacy validation check, it will be placed quoted inside the
+// brackets: `{"foo"}`. As stated above, the input is assumed to be santized and
+// no error will be thrown in this case.
+//
+// Similar to metric names, if label names conform to the legacy validation
+// pattern, they will be unquoted as normal, like `foo{bar="baz"}`. If the label
+// name fails the legacy validation check, it will be quoted:
+// `foo{"bar"="baz"}`. As stated above, the input is assumed to be santized and
+// no error will be thrown in this case.
+//
 // This function fulfills the type 'expfmt.encoder'.
 //
 // Note that OpenMetrics requires a final `# EOF` line. Since this function acts
@@ -98,7 +110,7 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily) (written int
 		if err != nil {
 			return
 		}
-		n, err = w.WriteString(shortName)
+		n, err = writeName(w, shortName)
 		written += n
 		if err != nil {
 			return
@@ -124,7 +136,7 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily) (written int
 	if err != nil {
 		return
 	}
-	n, err = w.WriteString(shortName)
+	n, err = writeName(w, shortName)
 	written += n
 	if err != nil {
 		return
@@ -303,21 +315,9 @@ func writeOpenMetricsSample(
 	floatValue float64, intValue uint64, useIntValue bool,
 	exemplar *dto.Exemplar,
 ) (int, error) {
-	var written int
-	n, err := w.WriteString(name)
-	written += n
-	if err != nil {
-		return written, err
-	}
-	if suffix != "" {
-		n, err = w.WriteString(suffix)
-		written += n
-		if err != nil {
-			return written, err
-		}
-	}
-	n, err = writeOpenMetricsLabelPairs(
-		w, metric.Label, additionalLabelName, additionalLabelValue,
+	written := 0
+	n, err := writeOpenMetricsNameAndLabelPairs(
+		w, name+suffix, metric.Label, additionalLabelName, additionalLabelValue,
 	)
 	written += n
 	if err != nil {
@@ -365,27 +365,58 @@ func writeOpenMetricsSample(
 	return written, nil
 }
 
-// writeOpenMetricsLabelPairs works like writeOpenMetrics but formats the float
-// in OpenMetrics style.
-func writeOpenMetricsLabelPairs(
+// writeOpenMetricsNameAndLabelPairs works like writeOpenMetricsSample but
+// formats the float in OpenMetrics style.
+func writeOpenMetricsNameAndLabelPairs(
 	w enhancedWriter,
+	name string,
 	in []*dto.LabelPair,
 	additionalLabelName string, additionalLabelValue float64,
 ) (int, error) {
-	if len(in) == 0 && additionalLabelName == "" {
-		return 0, nil
-	}
 	var (
-		written   int
-		separator byte = '{'
+		written            int
+		separator          byte = '{'
+		metricInsideBraces      = false
 	)
+
+	if name != "" {
+		// If the name does not pass the legacy validity check, we must put the
+		// metric name inside the braces, quoted.
+		if !model.IsValidLegacyMetricName(model.LabelValue(name)) {
+			metricInsideBraces = true
+			err := w.WriteByte(separator)
+			written++
+			if err != nil {
+				return written, err
+			}
+			separator = ','
+		}
+
+		n, err := writeName(w, name)
+		written += n
+		if err != nil {
+			return written, err
+		}
+	}
+
+	if len(in) == 0 && additionalLabelName == "" {
+		if metricInsideBraces {
+			err := w.WriteByte('}')
+			written++
+			if err != nil {
+				return written, err
+			}
+		}
+		return written, nil
+	}
+
 	for _, lp := range in {
 		err := w.WriteByte(separator)
 		written++
 		if err != nil {
 			return written, err
 		}
-		n, err := w.WriteString(lp.GetName())
+		n, err := writeName(w, lp.GetName())
 		written += n
 		if err != nil {
 			return written, err
@@ -451,7 +482,7 @@ func writeExemplar(w enhancedWriter, e *dto.Exemplar) (int, error) {
 	if err != nil {
 		return written, err
 	}
-	n, err = writeOpenMetricsLabelPairs(w, e.Label, "", 0)
+	n, err = writeOpenMetricsNameAndLabelPairs(w, "", e.Label, "", 0)
 	written += n
 	if err != nil {
 		return written, err
diff --git a/vendor/github.com/prometheus/common/expfmt/text_create.go b/vendor/github.com/prometheus/common/expfmt/text_create.go
index 2946b8f1a..f9b8265a9 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_create.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_create.go
@@ -62,6 +62,18 @@ var (
 // contains duplicate metrics or invalid metric or label names, the conversion
 // will result in invalid text format output.
 //
+// If metric names conform to the legacy validation pattern, they will be placed
+// outside the brackets in the traditional way, like `foo{}`. If the metric name
+// fails the legacy validation check, it will be placed quoted inside the
+// brackets: `{"foo"}`. As stated above, the input is assumed to be santized and
+// no error will be thrown in this case.
+//
+// Similar to metric names, if label names conform to the legacy validation
+// pattern, they will be unquoted as normal, like `foo{bar="baz"}`. If the label
+// name fails the legacy validation check, it will be quoted:
+// `foo{"bar"="baz"}`. As stated above, the input is assumed to be santized and
+// no error will be thrown in this case.
+//
 // This method fulfills the type 'prometheus.encoder'.
 func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err error) {
 	// Fail-fast checks.
@@ -98,7 +110,7 @@ func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err e
 		if err != nil {
 			return
 		}
-		n, err = w.WriteString(name)
+		n, err = writeName(w, name)
 		written += n
 		if err != nil {
 			return
@@ -124,7 +136,7 @@ func MetricFamilyToText(out io.Writer, in *dto.MetricFamily) (written int, err e
 	if err != nil {
 		return
 	}
-	n, err = w.WriteString(name)
+	n, err = writeName(w, name)
 	written += n
 	if err != nil {
 		return
@@ -280,21 +292,9 @@ func writeSample(
 	additionalLabelName string, additionalLabelValue float64,
 	value float64,
 ) (int, error) {
-	var written int
-	n, err := w.WriteString(name)
-	written += n
-	if err != nil {
-		return written, err
-	}
-	if suffix != "" {
-		n, err = w.WriteString(suffix)
-		written += n
-		if err != nil {
-			return written, err
-		}
-	}
-	n, err = writeLabelPairs(
-		w, metric.Label, additionalLabelName, additionalLabelValue,
+	written := 0
+	n, err := writeNameAndLabelPairs(
+		w, name+suffix, metric.Label, additionalLabelName, additionalLabelValue,
 	)
 	written += n
 	if err != nil {
@@ -330,32 +330,64 @@ func writeSample(
 	return written, nil
 }
 
-// writeLabelPairs converts a slice of LabelPair proto messages plus the
-// explicitly given additional label pair into text formatted as required by the
-// text format and writes it to 'w'. An empty slice in combination with an empty
-// string 'additionalLabelName' results in nothing being written. Otherwise, the
-// label pairs are written, escaped as required by the text format, and enclosed
-// in '{...}'. The function returns the number of bytes written and any error
-// encountered.
-func writeLabelPairs(
+// writeNameAndLabelPairs converts a slice of LabelPair proto messages plus the
+// explicitly given metric name and additional label pair into text formatted as
+// required by the text format and writes it to 'w'. An empty slice in
+// combination with an empty string 'additionalLabelName' results in nothing
+// being written. Otherwise, the label pairs are written, escaped as required by
+// the text format, and enclosed in '{...}'. The function returns the number of
+// bytes written and any error encountered. If the metric name is not
+// legacy-valid, it will be put inside the brackets as well. Legacy-invalid
+// label names will also be quoted.
+func writeNameAndLabelPairs(
 	w enhancedWriter,
+	name string,
 	in []*dto.LabelPair,
 	additionalLabelName string, additionalLabelValue float64,
 ) (int, error) {
-	if len(in) == 0 && additionalLabelName == "" {
-		return 0, nil
-	}
 	var (
-		written   int
-		separator byte = '{'
+		written            int
+		separator          byte = '{'
+		metricInsideBraces      = false
 	)
+
+	if name != "" {
+		// If the name does not pass the legacy validity check, we must put the
+		// metric name inside the braces.
+		if !model.IsValidLegacyMetricName(model.LabelValue(name)) {
+			metricInsideBraces = true
+			err := w.WriteByte(separator)
+			written++
+			if err != nil {
+				return written, err
+			}
+			separator = ','
+		}
+		n, err := writeName(w, name)
+		written += n
+		if err != nil {
+			return written, err
+		}
+	}
+
+	if len(in) == 0 && additionalLabelName == "" {
+		if metricInsideBraces {
+			err := w.WriteByte('}')
+			written++
+			if err != nil {
+				return written, err
+			}
+		}
+		return written, nil
+	}
+
 	for _, lp := range in {
 		err := w.WriteByte(separator)
 		written++
 		if err != nil {
 			return written, err
 		}
-		n, err := w.WriteString(lp.GetName())
+		n, err := writeName(w, lp.GetName())
 		written += n
 		if err != nil {
 			return written, err
@@ -462,3 +494,27 @@ func writeInt(w enhancedWriter, i int64) (int, error) {
 	numBufPool.Put(bp)
 	return written, err
 }
+
+// writeName writes a string as-is if it complies with the legacy naming
+// scheme, or escapes it in double quotes if not.
+func writeName(w enhancedWriter, name string) (int, error) {
+	if model.IsValidLegacyMetricName(model.LabelValue(name)) {
+		return w.WriteString(name)
+	}
+	var written int
+	var err error
+	err = w.WriteByte('"')
+	written++
+	if err != nil {
+		return written, err
+	}
+	var n int
+	n, err = writeEscapedString(w, name, true)
+	written += n
+	if err != nil {
+		return written, err
+	}
+	err = w.WriteByte('"')
+	written++
+	return written, err
+}
diff --git a/vendor/github.com/prometheus/common/expfmt/text_parse.go b/vendor/github.com/prometheus/common/expfmt/text_parse.go
index 35db1cc9d..26490211a 100644
--- a/vendor/github.com/prometheus/common/expfmt/text_parse.go
+++ b/vendor/github.com/prometheus/common/expfmt/text_parse.go
@@ -16,6 +16,7 @@ package expfmt
 import (
 	"bufio"
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"math"
@@ -24,8 +25,9 @@ import (
 
 	dto "github.com/prometheus/client_model/go"
 
-	"github.com/prometheus/common/model"
 	"google.golang.org/protobuf/proto"
+
+	"github.com/prometheus/common/model"
 )
 
 // A stateFn is a function that represents a state in a state machine. By
@@ -112,7 +114,7 @@ func (p *TextParser) TextToMetricFamilies(in io.Reader) (map[string]*dto.MetricF
 	// stream. Turn this error into something nicer and more
 	// meaningful. (io.EOF is often used as a signal for the legitimate end
 	// of an input stream.)
-	if p.err == io.EOF {
+	if p.err != nil && errors.Is(p.err, io.EOF) {
 		p.parseError("unexpected end of input stream")
 	}
 	return p.metricFamiliesByName, p.err
@@ -146,7 +148,7 @@ func (p *TextParser) startOfLine() stateFn {
 		// which is not an error but the signal that we are done.
 		// Any other error that happens to align with the start of
 		// a line is still an error.
-		if p.err == io.EOF {
+		if errors.Is(p.err, io.EOF) {
 			p.err = nil
 		}
 		return nil
diff --git a/vendor/github.com/prometheus/common/model/alert.go b/vendor/github.com/prometheus/common/model/alert.go
index 35e739c7a..178fdbaf6 100644
--- a/vendor/github.com/prometheus/common/model/alert.go
+++ b/vendor/github.com/prometheus/common/model/alert.go
@@ -90,13 +90,13 @@ func (a *Alert) Validate() error {
 		return fmt.Errorf("start time must be before end time")
 	}
 	if err := a.Labels.Validate(); err != nil {
-		return fmt.Errorf("invalid label set: %s", err)
+		return fmt.Errorf("invalid label set: %w", err)
 	}
 	if len(a.Labels) == 0 {
 		return fmt.Errorf("at least one label pair required")
 	}
 	if err := a.Annotations.Validate(); err != nil {
-		return fmt.Errorf("invalid annotations: %s", err)
+		return fmt.Errorf("invalid annotations: %w", err)
 	}
 	return nil
 }
diff --git a/vendor/github.com/prometheus/common/model/labels.go b/vendor/github.com/prometheus/common/model/labels.go
index ef8956335..3317ce22f 100644
--- a/vendor/github.com/prometheus/common/model/labels.go
+++ b/vendor/github.com/prometheus/common/model/labels.go
@@ -97,17 +97,25 @@ var LabelNameRE = regexp.MustCompile("^[a-zA-Z_][a-zA-Z0-9_]*$")
 // therewith.
 type LabelName string
 
-// IsValid is true iff the label name matches the pattern of LabelNameRE. This
-// method, however, does not use LabelNameRE for the check but a much faster
-// hardcoded implementation.
+// IsValid returns true iff name matches the pattern of LabelNameRE for legacy
+// names, and iff it's valid UTF-8 if NameValidationScheme is set to
+// UTF8Validation. For the legacy matching, it does not use LabelNameRE for the
+// check but a much faster hardcoded implementation.
 func (ln LabelName) IsValid() bool {
 	if len(ln) == 0 {
 		return false
 	}
-	for i, b := range ln {
-		if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) {
-			return false
+	switch NameValidationScheme {
+	case LegacyValidation:
+		for i, b := range ln {
+			if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) {
+				return false
+			}
 		}
+	case UTF8Validation:
+		return utf8.ValidString(string(ln))
+	default:
+		panic(fmt.Sprintf("Invalid name validation scheme requested: %d", NameValidationScheme))
 	}
 	return true
 }
@@ -164,7 +172,7 @@ func (l LabelNames) String() string {
 // A LabelValue is an associated value for a LabelName.
 type LabelValue string
 
-// IsValid returns true iff the string is a valid UTF8.
+// IsValid returns true iff the string is a valid UTF-8.
 func (lv LabelValue) IsValid() bool {
 	return utf8.ValidString(string(lv))
 }
diff --git a/vendor/github.com/prometheus/common/model/metadata.go b/vendor/github.com/prometheus/common/model/metadata.go
new file mode 100644
index 000000000..447ab8ad6
--- /dev/null
+++ b/vendor/github.com/prometheus/common/model/metadata.go
@@ -0,0 +1,28 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package model
+
+// MetricType represents metric type values.
+type MetricType string
+
+const (
+	MetricTypeCounter        = MetricType("counter")
+	MetricTypeGauge          = MetricType("gauge")
+	MetricTypeHistogram      = MetricType("histogram")
+	MetricTypeGaugeHistogram = MetricType("gaugehistogram")
+	MetricTypeSummary        = MetricType("summary")
+	MetricTypeInfo           = MetricType("info")
+	MetricTypeStateset       = MetricType("stateset")
+	MetricTypeUnknown        = MetricType("unknown")
+)
diff --git a/vendor/github.com/prometheus/common/model/metric.go b/vendor/github.com/prometheus/common/model/metric.go
index 00804b7fe..0bd29b3a3 100644
--- a/vendor/github.com/prometheus/common/model/metric.go
+++ b/vendor/github.com/prometheus/common/model/metric.go
@@ -18,15 +18,84 @@ import (
 	"regexp"
 	"sort"
 	"strings"
+	"unicode/utf8"
+
+	dto "github.com/prometheus/client_model/go"
+	"google.golang.org/protobuf/proto"
 )
 
 var (
-	// MetricNameRE is a regular expression matching valid metric
-	// names. Note that the IsValidMetricName function performs the same
-	// check but faster than a match with this regular expression.
-	MetricNameRE = regexp.MustCompile(`^[a-zA-Z_:][a-zA-Z0-9_:]*$`)
+	// NameValidationScheme determines the method of name validation to be used by
+	// all calls to IsValidMetricName() and LabelName IsValid(). Setting UTF-8 mode
+	// in isolation from other components that don't support UTF-8 may result in
+	// bugs or other undefined behavior. This value is intended to be set by
+	// UTF-8-aware binaries as part of their startup. To avoid need for locking,
+	// this value should be set once, ideally in an init(), before multiple
+	// goroutines are started.
+	NameValidationScheme = LegacyValidation
+
+	// NameEscapingScheme defines the default way that names will be
+	// escaped when presented to systems that do not support UTF-8 names. If the
+	// Content-Type "escaping" term is specified, that will override this value.
+	NameEscapingScheme = ValueEncodingEscaping
 )
 
+// ValidationScheme is a Go enum for determining how metric and label names will
+// be validated by this library.
+type ValidationScheme int
+
+const (
+	// LegacyValidation is a setting that requirets that metric and label names
+	// conform to the original Prometheus character requirements described by
+	// MetricNameRE and LabelNameRE.
+	LegacyValidation ValidationScheme = iota
+
+	// UTF8Validation only requires that metric and label names be valid UTF-8
+	// strings.
+	UTF8Validation
+)
+
+type EscapingScheme int
+
+const (
+	// NoEscaping indicates that a name will not be escaped. Unescaped names that
+	// do not conform to the legacy validity check will use a new exposition
+	// format syntax that will be officially standardized in future versions.
+	NoEscaping EscapingScheme = iota
+
+	// UnderscoreEscaping replaces all legacy-invalid characters with underscores.
+	UnderscoreEscaping
+
+	// DotsEscaping is similar to UnderscoreEscaping, except that dots are
+	// converted to `_dot_` and pre-existing underscores are converted to `__`.
+	DotsEscaping
+
+	// ValueEncodingEscaping prepends the name with `U__` and replaces all invalid
+	// characters with the unicode value, surrounded by underscores. Single
+	// underscores are replaced with double underscores.
+	ValueEncodingEscaping
+)
+
+const (
+	// EscapingKey is the key in an Accept or Content-Type header that defines how
+	// metric and label names that do not conform to the legacy character
+	// requirements should be escaped when being scraped by a legacy prometheus
+	// system. If a system does not explicitly pass an escaping parameter in the
+	// Accept header, the default NameEscapingScheme will be used.
+	EscapingKey = "escaping"
+
+	// Possible values for Escaping Key:
+	AllowUTF8         = "allow-utf-8" // No escaping required.
+	EscapeUnderscores = "underscores"
+	EscapeDots        = "dots"
+	EscapeValues      = "values"
+)
+
+// MetricNameRE is a regular expression matching valid metric
+// names. Note that the IsValidMetricName function performs the same
+// check but faster than a match with this regular expression.
+var MetricNameRE = regexp.MustCompile(`^[a-zA-Z_:][a-zA-Z0-9_:]*$`)
+
 // A Metric is similar to a LabelSet, but the key difference is that a Metric is
 // a singleton and refers to one and only one stream of samples.
 type Metric LabelSet
@@ -86,17 +155,302 @@ func (m Metric) FastFingerprint() Fingerprint {
 	return LabelSet(m).FastFingerprint()
 }
 
-// IsValidMetricName returns true iff name matches the pattern of MetricNameRE.
+// IsValidMetricName returns true iff name matches the pattern of MetricNameRE
+// for legacy names, and iff it's valid UTF-8 if the UTF8Validation scheme is
+// selected.
+func IsValidMetricName(n LabelValue) bool {
+	switch NameValidationScheme {
+	case LegacyValidation:
+		return IsValidLegacyMetricName(n)
+	case UTF8Validation:
+		if len(n) == 0 {
+			return false
+		}
+		return utf8.ValidString(string(n))
+	default:
+		panic(fmt.Sprintf("Invalid name validation scheme requested: %d", NameValidationScheme))
+	}
+}
+
+// IsValidLegacyMetricName is similar to IsValidMetricName but always uses the
+// legacy validation scheme regardless of the value of NameValidationScheme.
 // This function, however, does not use MetricNameRE for the check but a much
 // faster hardcoded implementation.
-func IsValidMetricName(n LabelValue) bool {
+func IsValidLegacyMetricName(n LabelValue) bool {
 	if len(n) == 0 {
 		return false
 	}
 	for i, b := range n {
-		if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || b == ':' || (b >= '0' && b <= '9' && i > 0)) {
+		if !isValidLegacyRune(b, i) {
 			return false
 		}
 	}
 	return true
 }
+
+// EscapeMetricFamily escapes the given metric names and labels with the given
+// escaping scheme. Returns a new object that uses the same pointers to fields
+// when possible and creates new escaped versions so as not to mutate the
+// input.
+func EscapeMetricFamily(v *dto.MetricFamily, scheme EscapingScheme) *dto.MetricFamily {
+	if v == nil {
+		return nil
+	}
+
+	if scheme == NoEscaping {
+		return v
+	}
+
+	out := &dto.MetricFamily{
+		Help: v.Help,
+		Type: v.Type,
+	}
+
+	// If the name is nil, copy as-is, don't try to escape.
+	if v.Name == nil || IsValidLegacyMetricName(LabelValue(v.GetName())) {
+		out.Name = v.Name
+	} else {
+		out.Name = proto.String(EscapeName(v.GetName(), scheme))
+	}
+	for _, m := range v.Metric {
+		if !metricNeedsEscaping(m) {
+			out.Metric = append(out.Metric, m)
+			continue
+		}
+
+		escaped := &dto.Metric{
+			Gauge:       m.Gauge,
+			Counter:     m.Counter,
+			Summary:     m.Summary,
+			Untyped:     m.Untyped,
+			Histogram:   m.Histogram,
+			TimestampMs: m.TimestampMs,
+		}
+
+		for _, l := range m.Label {
+			if l.GetName() == MetricNameLabel {
+				if l.Value == nil || IsValidLegacyMetricName(LabelValue(l.GetValue())) {
+					escaped.Label = append(escaped.Label, l)
+					continue
+				}
+				escaped.Label = append(escaped.Label, &dto.LabelPair{
+					Name:  proto.String(MetricNameLabel),
+					Value: proto.String(EscapeName(l.GetValue(), scheme)),
+				})
+				continue
+			}
+			if l.Name == nil || IsValidLegacyMetricName(LabelValue(l.GetName())) {
+				escaped.Label = append(escaped.Label, l)
+				continue
+			}
+			escaped.Label = append(escaped.Label, &dto.LabelPair{
+				Name:  proto.String(EscapeName(l.GetName(), scheme)),
+				Value: l.Value,
+			})
+		}
+		out.Metric = append(out.Metric, escaped)
+	}
+	return out
+}
+
+func metricNeedsEscaping(m *dto.Metric) bool {
+	for _, l := range m.Label {
+		if l.GetName() == MetricNameLabel && !IsValidLegacyMetricName(LabelValue(l.GetValue())) {
+			return true
+		}
+		if !IsValidLegacyMetricName(LabelValue(l.GetName())) {
+			return true
+		}
+	}
+	return false
+}
+
+const (
+	lowerhex = "0123456789abcdef"
+)
+
+// EscapeName escapes the incoming name according to the provided escaping
+// scheme. Depending on the rules of escaping, this may cause no change in the
+// string that is returned. (Especially NoEscaping, which by definition is a
+// noop). This function does not do any validation of the name.
+func EscapeName(name string, scheme EscapingScheme) string {
+	if len(name) == 0 {
+		return name
+	}
+	var escaped strings.Builder
+	switch scheme {
+	case NoEscaping:
+		return name
+	case UnderscoreEscaping:
+		if IsValidLegacyMetricName(LabelValue(name)) {
+			return name
+		}
+		for i, b := range name {
+			if isValidLegacyRune(b, i) {
+				escaped.WriteRune(b)
+			} else {
+				escaped.WriteRune('_')
+			}
+		}
+		return escaped.String()
+	case DotsEscaping:
+		// Do not early return for legacy valid names, we still escape underscores.
+		for i, b := range name {
+			if b == '_' {
+				escaped.WriteString("__")
+			} else if b == '.' {
+				escaped.WriteString("_dot_")
+			} else if isValidLegacyRune(b, i) {
+				escaped.WriteRune(b)
+			} else {
+				escaped.WriteRune('_')
+			}
+		}
+		return escaped.String()
+	case ValueEncodingEscaping:
+		if IsValidLegacyMetricName(LabelValue(name)) {
+			return name
+		}
+		escaped.WriteString("U__")
+		for i, b := range name {
+			if isValidLegacyRune(b, i) {
+				escaped.WriteRune(b)
+			} else if !utf8.ValidRune(b) {
+				escaped.WriteString("_FFFD_")
+			} else if b < 0x100 {
+				escaped.WriteRune('_')
+				for s := 4; s >= 0; s -= 4 {
+					escaped.WriteByte(lowerhex[b>>uint(s)&0xF])
+				}
+				escaped.WriteRune('_')
+			} else if b < 0x10000 {
+				escaped.WriteRune('_')
+				for s := 12; s >= 0; s -= 4 {
+					escaped.WriteByte(lowerhex[b>>uint(s)&0xF])
+				}
+				escaped.WriteRune('_')
+			}
+		}
+		return escaped.String()
+	default:
+		panic(fmt.Sprintf("invalid escaping scheme %d", scheme))
+	}
+}
+
+// lower function taken from strconv.atoi
+func lower(c byte) byte {
+	return c | ('x' - 'X')
+}
+
+// UnescapeName unescapes the incoming name according to the provided escaping
+// scheme if possible. Some schemes are partially or totally non-roundtripable.
+// If any error is enountered, returns the original input.
+func UnescapeName(name string, scheme EscapingScheme) string {
+	if len(name) == 0 {
+		return name
+	}
+	switch scheme {
+	case NoEscaping:
+		return name
+	case UnderscoreEscaping:
+		// It is not possible to unescape from underscore replacement.
+		return name
+	case DotsEscaping:
+		name = strings.ReplaceAll(name, "_dot_", ".")
+		name = strings.ReplaceAll(name, "__", "_")
+		return name
+	case ValueEncodingEscaping:
+		escapedName, found := strings.CutPrefix(name, "U__")
+		if !found {
+			return name
+		}
+
+		var unescaped strings.Builder
+	TOP:
+		for i := 0; i < len(escapedName); i++ {
+			// All non-underscores are treated normally.
+			if escapedName[i] != '_' {
+				unescaped.WriteByte(escapedName[i])
+				continue
+			}
+			i++
+			if i >= len(escapedName) {
+				return name
+			}
+			// A double underscore is a single underscore.
+			if escapedName[i] == '_' {
+				unescaped.WriteByte('_')
+				continue
+			}
+			// We think we are in a UTF-8 code, process it.
+			var utf8Val uint
+			for j := 0; i < len(escapedName); j++ {
+				// This is too many characters for a utf8 value.
+				if j > 4 {
+					return name
+				}
+				// Found a closing underscore, convert to a rune, check validity, and append.
+				if escapedName[i] == '_' {
+					utf8Rune := rune(utf8Val)
+					if !utf8.ValidRune(utf8Rune) {
+						return name
+					}
+					unescaped.WriteRune(utf8Rune)
+					continue TOP
+				}
+				r := lower(escapedName[i])
+				utf8Val *= 16
+				if r >= '0' && r <= '9' {
+					utf8Val += uint(r) - '0'
+				} else if r >= 'a' && r <= 'f' {
+					utf8Val += uint(r) - 'a' + 10
+				} else {
+					return name
+				}
+				i++
+			}
+			// Didn't find closing underscore, invalid.
+			return name
+		}
+		return unescaped.String()
+	default:
+		panic(fmt.Sprintf("invalid escaping scheme %d", scheme))
+	}
+}
+
+func isValidLegacyRune(b rune, i int) bool {
+	return (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || b == ':' || (b >= '0' && b <= '9' && i > 0)
+}
+
+func (e EscapingScheme) String() string {
+	switch e {
+	case NoEscaping:
+		return AllowUTF8
+	case UnderscoreEscaping:
+		return EscapeUnderscores
+	case DotsEscaping:
+		return EscapeDots
+	case ValueEncodingEscaping:
+		return EscapeValues
+	default:
+		panic(fmt.Sprintf("unknown format scheme %d", e))
+	}
+}
+
+func ToEscapingScheme(s string) (EscapingScheme, error) {
+	if s == "" {
+		return NoEscaping, fmt.Errorf("got empty string instead of escaping scheme")
+	}
+	switch s {
+	case AllowUTF8:
+		return NoEscaping, nil
+	case EscapeUnderscores:
+		return UnderscoreEscaping, nil
+	case EscapeDots:
+		return DotsEscaping, nil
+	case EscapeValues:
+		return ValueEncodingEscaping, nil
+	default:
+		return NoEscaping, fmt.Errorf("unknown format scheme " + s)
+	}
+}
diff --git a/vendor/github.com/prometheus/common/model/signature.go b/vendor/github.com/prometheus/common/model/signature.go
index 8762b13c6..dc8a0026c 100644
--- a/vendor/github.com/prometheus/common/model/signature.go
+++ b/vendor/github.com/prometheus/common/model/signature.go
@@ -22,10 +22,8 @@ import (
 // when calculating their combined hash value (aka signature aka fingerprint).
 const SeparatorByte byte = 255
 
-var (
-	// cache the signature of an empty label set.
-	emptyLabelSignature = hashNew()
-)
+// cache the signature of an empty label set.
+var emptyLabelSignature = hashNew()
 
 // LabelsToSignature returns a quasi-unique signature (i.e., fingerprint) for a
 // given label set. (Collisions are possible but unlikely if the number of label
diff --git a/vendor/github.com/prometheus/common/model/silence.go b/vendor/github.com/prometheus/common/model/silence.go
index bb99889d2..910b0b71f 100644
--- a/vendor/github.com/prometheus/common/model/silence.go
+++ b/vendor/github.com/prometheus/common/model/silence.go
@@ -81,7 +81,7 @@ func (s *Silence) Validate() error {
 	}
 	for _, m := range s.Matchers {
 		if err := m.Validate(); err != nil {
-			return fmt.Errorf("invalid matcher: %s", err)
+			return fmt.Errorf("invalid matcher: %w", err)
 		}
 	}
 	if s.StartsAt.IsZero() {
diff --git a/vendor/github.com/prometheus/common/model/value.go b/vendor/github.com/prometheus/common/model/value.go
index 9eb440413..8050637d8 100644
--- a/vendor/github.com/prometheus/common/model/value.go
+++ b/vendor/github.com/prometheus/common/model/value.go
@@ -21,14 +21,12 @@ import (
 	"strings"
 )
 
-var (
-	// ZeroSample is the pseudo zero-value of Sample used to signal a
-	// non-existing sample. It is a Sample with timestamp Earliest, value 0.0,
-	// and metric nil. Note that the natural zero value of Sample has a timestamp
-	// of 0, which is possible to appear in a real Sample and thus not suitable
-	// to signal a non-existing Sample.
-	ZeroSample = Sample{Timestamp: Earliest}
-)
+// ZeroSample is the pseudo zero-value of Sample used to signal a
+// non-existing sample. It is a Sample with timestamp Earliest, value 0.0,
+// and metric nil. Note that the natural zero value of Sample has a timestamp
+// of 0, which is possible to appear in a real Sample and thus not suitable
+// to signal a non-existing Sample.
+var ZeroSample = Sample{Timestamp: Earliest}
 
 // Sample is a sample pair associated with a metric. A single sample must either
 // define Value or Histogram but not both. Histogram == nil implies the Value
@@ -274,7 +272,7 @@ func (s *Scalar) UnmarshalJSON(b []byte) error {
 
 	value, err := strconv.ParseFloat(f, 64)
 	if err != nil {
-		return fmt.Errorf("error parsing sample value: %s", err)
+		return fmt.Errorf("error parsing sample value: %w", err)
 	}
 	s.Value = SampleValue(value)
 	return nil
diff --git a/vendor/github.com/prometheus/common/model/value_float.go b/vendor/github.com/prometheus/common/model/value_float.go
index 0f615a705..ae35cc2ab 100644
--- a/vendor/github.com/prometheus/common/model/value_float.go
+++ b/vendor/github.com/prometheus/common/model/value_float.go
@@ -20,14 +20,12 @@ import (
 	"strconv"
 )
 
-var (
-	// ZeroSamplePair is the pseudo zero-value of SamplePair used to signal a
-	// non-existing sample pair. It is a SamplePair with timestamp Earliest and
-	// value 0.0. Note that the natural zero value of SamplePair has a timestamp
-	// of 0, which is possible to appear in a real SamplePair and thus not
-	// suitable to signal a non-existing SamplePair.
-	ZeroSamplePair = SamplePair{Timestamp: Earliest}
-)
+// ZeroSamplePair is the pseudo zero-value of SamplePair used to signal a
+// non-existing sample pair. It is a SamplePair with timestamp Earliest and
+// value 0.0. Note that the natural zero value of SamplePair has a timestamp
+// of 0, which is possible to appear in a real SamplePair and thus not
+// suitable to signal a non-existing SamplePair.
+var ZeroSamplePair = SamplePair{Timestamp: Earliest}
 
 // A SampleValue is a representation of a value for a given sample at a given
 // time.
diff --git a/vendor/golang.org/x/oauth2/internal/client_appengine.go b/vendor/golang.org/x/oauth2/internal/client_appengine.go
deleted file mode 100644
index d28140f78..000000000
--- a/vendor/golang.org/x/oauth2/internal/client_appengine.go
+++ /dev/null
@@ -1,13 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build appengine
-
-package internal
-
-import "google.golang.org/appengine/urlfetch"
-
-func init() {
-	appengineClientHook = urlfetch.Client
-}
diff --git a/vendor/golang.org/x/oauth2/internal/transport.go b/vendor/golang.org/x/oauth2/internal/transport.go
index 572074a63..b9db01ddf 100644
--- a/vendor/golang.org/x/oauth2/internal/transport.go
+++ b/vendor/golang.org/x/oauth2/internal/transport.go
@@ -18,16 +18,11 @@ var HTTPClient ContextKey
 // because nobody else can create a ContextKey, being unexported.
 type ContextKey struct{}
 
-var appengineClientHook func(context.Context) *http.Client
-
 func ContextClient(ctx context.Context) *http.Client {
 	if ctx != nil {
 		if hc, ok := ctx.Value(HTTPClient).(*http.Client); ok {
 			return hc
 		}
 	}
-	if appengineClientHook != nil {
-		return appengineClientHook(ctx)
-	}
 	return http.DefaultClient
 }
diff --git a/vendor/google.golang.org/appengine/LICENSE b/vendor/google.golang.org/appengine/LICENSE
deleted file mode 100644
index d64569567..000000000
--- a/vendor/google.golang.org/appengine/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
diff --git a/vendor/google.golang.org/appengine/internal/api.go b/vendor/google.golang.org/appengine/internal/api.go
deleted file mode 100644
index 0569f5dd4..000000000
--- a/vendor/google.golang.org/appengine/internal/api.go
+++ /dev/null
@@ -1,653 +0,0 @@
-// Copyright 2011 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-//go:build !appengine
-// +build !appengine
-
-package internal
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/golang/protobuf/proto"
-
-	basepb "google.golang.org/appengine/internal/base"
-	logpb "google.golang.org/appengine/internal/log"
-	remotepb "google.golang.org/appengine/internal/remote_api"
-)
-
-const (
-	apiPath = "/rpc_http"
-)
-
-var (
-	// Incoming headers.
-	ticketHeader       = http.CanonicalHeaderKey("X-AppEngine-API-Ticket")
-	dapperHeader       = http.CanonicalHeaderKey("X-Google-DapperTraceInfo")
-	traceHeader        = http.CanonicalHeaderKey("X-Cloud-Trace-Context")
-	curNamespaceHeader = http.CanonicalHeaderKey("X-AppEngine-Current-Namespace")
-	userIPHeader       = http.CanonicalHeaderKey("X-AppEngine-User-IP")
-	remoteAddrHeader   = http.CanonicalHeaderKey("X-AppEngine-Remote-Addr")
-	devRequestIdHeader = http.CanonicalHeaderKey("X-Appengine-Dev-Request-Id")
-
-	// Outgoing headers.
-	apiEndpointHeader      = http.CanonicalHeaderKey("X-Google-RPC-Service-Endpoint")
-	apiEndpointHeaderValue = []string{"app-engine-apis"}
-	apiMethodHeader        = http.CanonicalHeaderKey("X-Google-RPC-Service-Method")
-	apiMethodHeaderValue   = []string{"/VMRemoteAPI.CallRemoteAPI"}
-	apiDeadlineHeader      = http.CanonicalHeaderKey("X-Google-RPC-Service-Deadline")
-	apiContentType         = http.CanonicalHeaderKey("Content-Type")
-	apiContentTypeValue    = []string{"application/octet-stream"}
-	logFlushHeader         = http.CanonicalHeaderKey("X-AppEngine-Log-Flush-Count")
-
-	apiHTTPClient = &http.Client{
-		Transport: &http.Transport{
-			Proxy:               http.ProxyFromEnvironment,
-			Dial:                limitDial,
-			MaxIdleConns:        1000,
-			MaxIdleConnsPerHost: 10000,
-			IdleConnTimeout:     90 * time.Second,
-		},
-	}
-)
-
-func apiURL(ctx context.Context) *url.URL {
-	host, port := "appengine.googleapis.internal", "10001"
-	if h := os.Getenv("API_HOST"); h != "" {
-		host = h
-	}
-	if hostOverride := ctx.Value(apiHostOverrideKey); hostOverride != nil {
-		host = hostOverride.(string)
-	}
-	if p := os.Getenv("API_PORT"); p != "" {
-		port = p
-	}
-	if portOverride := ctx.Value(apiPortOverrideKey); portOverride != nil {
-		port = portOverride.(string)
-	}
-	return &url.URL{
-		Scheme: "http",
-		Host:   host + ":" + port,
-		Path:   apiPath,
-	}
-}
-
-// Middleware wraps an http handler so that it can make GAE API calls
-func Middleware(next http.Handler) http.Handler {
-	return handleHTTPMiddleware(executeRequestSafelyMiddleware(next))
-}
-
-func handleHTTPMiddleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		c := &aeContext{
-			req:       r,
-			outHeader: w.Header(),
-		}
-		r = r.WithContext(withContext(r.Context(), c))
-		c.req = r
-
-		stopFlushing := make(chan int)
-
-		// Patch up RemoteAddr so it looks reasonable.
-		if addr := r.Header.Get(userIPHeader); addr != "" {
-			r.RemoteAddr = addr
-		} else if addr = r.Header.Get(remoteAddrHeader); addr != "" {
-			r.RemoteAddr = addr
-		} else {
-			// Should not normally reach here, but pick a sensible default anyway.
-			r.RemoteAddr = "127.0.0.1"
-		}
-		// The address in the headers will most likely be of these forms:
-		//	123.123.123.123
-		//	2001:db8::1
-		// net/http.Request.RemoteAddr is specified to be in "IP:port" form.
-		if _, _, err := net.SplitHostPort(r.RemoteAddr); err != nil {
-			// Assume the remote address is only a host; add a default port.
-			r.RemoteAddr = net.JoinHostPort(r.RemoteAddr, "80")
-		}
-
-		if logToLogservice() {
-			// Start goroutine responsible for flushing app logs.
-			// This is done after adding c to ctx.m (and stopped before removing it)
-			// because flushing logs requires making an API call.
-			go c.logFlusher(stopFlushing)
-		}
-
-		next.ServeHTTP(c, r)
-		c.outHeader = nil // make sure header changes aren't respected any more
-
-		flushed := make(chan struct{})
-		if logToLogservice() {
-			stopFlushing <- 1 // any logging beyond this point will be dropped
-
-			// Flush any pending logs asynchronously.
-			c.pendingLogs.Lock()
-			flushes := c.pendingLogs.flushes
-			if len(c.pendingLogs.lines) > 0 {
-				flushes++
-			}
-			c.pendingLogs.Unlock()
-			go func() {
-				defer close(flushed)
-				// Force a log flush, because with very short requests we
-				// may not ever flush logs.
-				c.flushLog(true)
-			}()
-			w.Header().Set(logFlushHeader, strconv.Itoa(flushes))
-		}
-
-		// Avoid nil Write call if c.Write is never called.
-		if c.outCode != 0 {
-			w.WriteHeader(c.outCode)
-		}
-		if c.outBody != nil {
-			w.Write(c.outBody)
-		}
-		if logToLogservice() {
-			// Wait for the last flush to complete before returning,
-			// otherwise the security ticket will not be valid.
-			<-flushed
-		}
-	})
-}
-
-func executeRequestSafelyMiddleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		defer func() {
-			if x := recover(); x != nil {
-				c := w.(*aeContext)
-				logf(c, 4, "%s", renderPanic(x)) // 4 == critical
-				c.outCode = 500
-			}
-		}()
-
-		next.ServeHTTP(w, r)
-	})
-}
-
-func renderPanic(x interface{}) string {
-	buf := make([]byte, 16<<10) // 16 KB should be plenty
-	buf = buf[:runtime.Stack(buf, false)]
-
-	// Remove the first few stack frames:
-	//   this func
-	//   the recover closure in the caller
-	// That will root the stack trace at the site of the panic.
-	const (
-		skipStart  = "internal.renderPanic"
-		skipFrames = 2
-	)
-	start := bytes.Index(buf, []byte(skipStart))
-	p := start
-	for i := 0; i < skipFrames*2 && p+1 < len(buf); i++ {
-		p = bytes.IndexByte(buf[p+1:], '\n') + p + 1
-		if p < 0 {
-			break
-		}
-	}
-	if p >= 0 {
-		// buf[start:p+1] is the block to remove.
-		// Copy buf[p+1:] over buf[start:] and shrink buf.
-		copy(buf[start:], buf[p+1:])
-		buf = buf[:len(buf)-(p+1-start)]
-	}
-
-	// Add panic heading.
-	head := fmt.Sprintf("panic: %v\n\n", x)
-	if len(head) > len(buf) {
-		// Extremely unlikely to happen.
-		return head
-	}
-	copy(buf[len(head):], buf)
-	copy(buf, head)
-
-	return string(buf)
-}
-
-// aeContext represents the aeContext of an in-flight HTTP request.
-// It implements the appengine.Context and http.ResponseWriter interfaces.
-type aeContext struct {
-	req *http.Request
-
-	outCode   int
-	outHeader http.Header
-	outBody   []byte
-
-	pendingLogs struct {
-		sync.Mutex
-		lines   []*logpb.UserAppLogLine
-		flushes int
-	}
-}
-
-var contextKey = "holds a *context"
-
-// jointContext joins two contexts in a superficial way.
-// It takes values and timeouts from a base context, and only values from another context.
-type jointContext struct {
-	base       context.Context
-	valuesOnly context.Context
-}
-
-func (c jointContext) Deadline() (time.Time, bool) {
-	return c.base.Deadline()
-}
-
-func (c jointContext) Done() <-chan struct{} {
-	return c.base.Done()
-}
-
-func (c jointContext) Err() error {
-	return c.base.Err()
-}
-
-func (c jointContext) Value(key interface{}) interface{} {
-	if val := c.base.Value(key); val != nil {
-		return val
-	}
-	return c.valuesOnly.Value(key)
-}
-
-// fromContext returns the App Engine context or nil if ctx is not
-// derived from an App Engine context.
-func fromContext(ctx context.Context) *aeContext {
-	c, _ := ctx.Value(&contextKey).(*aeContext)
-	return c
-}
-
-func withContext(parent context.Context, c *aeContext) context.Context {
-	ctx := context.WithValue(parent, &contextKey, c)
-	if ns := c.req.Header.Get(curNamespaceHeader); ns != "" {
-		ctx = withNamespace(ctx, ns)
-	}
-	return ctx
-}
-
-func toContext(c *aeContext) context.Context {
-	return withContext(context.Background(), c)
-}
-
-func IncomingHeaders(ctx context.Context) http.Header {
-	if c := fromContext(ctx); c != nil {
-		return c.req.Header
-	}
-	return nil
-}
-
-func ReqContext(req *http.Request) context.Context {
-	return req.Context()
-}
-
-func WithContext(parent context.Context, req *http.Request) context.Context {
-	return jointContext{
-		base:       parent,
-		valuesOnly: req.Context(),
-	}
-}
-
-// RegisterTestRequest registers the HTTP request req for testing, such that
-// any API calls are sent to the provided URL.
-// It should only be used by aetest package.
-func RegisterTestRequest(req *http.Request, apiURL *url.URL, appID string) *http.Request {
-	ctx := req.Context()
-	ctx = withAPIHostOverride(ctx, apiURL.Hostname())
-	ctx = withAPIPortOverride(ctx, apiURL.Port())
-	ctx = WithAppIDOverride(ctx, appID)
-
-	// use the unregistered request as a placeholder so that withContext can read the headers
-	c := &aeContext{req: req}
-	c.req = req.WithContext(withContext(ctx, c))
-	return c.req
-}
-
-var errTimeout = &CallError{
-	Detail:  "Deadline exceeded",
-	Code:    int32(remotepb.RpcError_CANCELLED),
-	Timeout: true,
-}
-
-func (c *aeContext) Header() http.Header { return c.outHeader }
-
-// Copied from $GOROOT/src/pkg/net/http/transfer.go. Some response status
-// codes do not permit a response body (nor response entity headers such as
-// Content-Length, Content-Type, etc).
-func bodyAllowedForStatus(status int) bool {
-	switch {
-	case status >= 100 && status <= 199:
-		return false
-	case status == 204:
-		return false
-	case status == 304:
-		return false
-	}
-	return true
-}
-
-func (c *aeContext) Write(b []byte) (int, error) {
-	if c.outCode == 0 {
-		c.WriteHeader(http.StatusOK)
-	}
-	if len(b) > 0 && !bodyAllowedForStatus(c.outCode) {
-		return 0, http.ErrBodyNotAllowed
-	}
-	c.outBody = append(c.outBody, b...)
-	return len(b), nil
-}
-
-func (c *aeContext) WriteHeader(code int) {
-	if c.outCode != 0 {
-		logf(c, 3, "WriteHeader called multiple times on request.") // error level
-		return
-	}
-	c.outCode = code
-}
-
-func post(ctx context.Context, body []byte, timeout time.Duration) (b []byte, err error) {
-	apiURL := apiURL(ctx)
-	hreq := &http.Request{
-		Method: "POST",
-		URL:    apiURL,
-		Header: http.Header{
-			apiEndpointHeader: apiEndpointHeaderValue,
-			apiMethodHeader:   apiMethodHeaderValue,
-			apiContentType:    apiContentTypeValue,
-			apiDeadlineHeader: []string{strconv.FormatFloat(timeout.Seconds(), 'f', -1, 64)},
-		},
-		Body:          ioutil.NopCloser(bytes.NewReader(body)),
-		ContentLength: int64(len(body)),
-		Host:          apiURL.Host,
-	}
-	c := fromContext(ctx)
-	if c != nil {
-		if info := c.req.Header.Get(dapperHeader); info != "" {
-			hreq.Header.Set(dapperHeader, info)
-		}
-		if info := c.req.Header.Get(traceHeader); info != "" {
-			hreq.Header.Set(traceHeader, info)
-		}
-	}
-
-	tr := apiHTTPClient.Transport.(*http.Transport)
-
-	var timedOut int32 // atomic; set to 1 if timed out
-	t := time.AfterFunc(timeout, func() {
-		atomic.StoreInt32(&timedOut, 1)
-		tr.CancelRequest(hreq)
-	})
-	defer t.Stop()
-	defer func() {
-		// Check if timeout was exceeded.
-		if atomic.LoadInt32(&timedOut) != 0 {
-			err = errTimeout
-		}
-	}()
-
-	hresp, err := apiHTTPClient.Do(hreq)
-	if err != nil {
-		return nil, &CallError{
-			Detail: fmt.Sprintf("service bridge HTTP failed: %v", err),
-			Code:   int32(remotepb.RpcError_UNKNOWN),
-		}
-	}
-	defer hresp.Body.Close()
-	hrespBody, err := ioutil.ReadAll(hresp.Body)
-	if hresp.StatusCode != 200 {
-		return nil, &CallError{
-			Detail: fmt.Sprintf("service bridge returned HTTP %d (%q)", hresp.StatusCode, hrespBody),
-			Code:   int32(remotepb.RpcError_UNKNOWN),
-		}
-	}
-	if err != nil {
-		return nil, &CallError{
-			Detail: fmt.Sprintf("service bridge response bad: %v", err),
-			Code:   int32(remotepb.RpcError_UNKNOWN),
-		}
-	}
-	return hrespBody, nil
-}
-
-func Call(ctx context.Context, service, method string, in, out proto.Message) error {
-	if ns := NamespaceFromContext(ctx); ns != "" {
-		if fn, ok := NamespaceMods[service]; ok {
-			fn(in, ns)
-		}
-	}
-
-	if f, ctx, ok := callOverrideFromContext(ctx); ok {
-		return f(ctx, service, method, in, out)
-	}
-
-	// Handle already-done contexts quickly.
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	default:
-	}
-
-	c := fromContext(ctx)
-
-	// Apply transaction modifications if we're in a transaction.
-	if t := transactionFromContext(ctx); t != nil {
-		if t.finished {
-			return errors.New("transaction aeContext has expired")
-		}
-		applyTransaction(in, &t.transaction)
-	}
-
-	// Default RPC timeout is 60s.
-	timeout := 60 * time.Second
-	if deadline, ok := ctx.Deadline(); ok {
-		timeout = deadline.Sub(time.Now())
-	}
-
-	data, err := proto.Marshal(in)
-	if err != nil {
-		return err
-	}
-
-	ticket := ""
-	if c != nil {
-		ticket = c.req.Header.Get(ticketHeader)
-		if dri := c.req.Header.Get(devRequestIdHeader); IsDevAppServer() && dri != "" {
-			ticket = dri
-		}
-	}
-	req := &remotepb.Request{
-		ServiceName: &service,
-		Method:      &method,
-		Request:     data,
-		RequestId:   &ticket,
-	}
-	hreqBody, err := proto.Marshal(req)
-	if err != nil {
-		return err
-	}
-
-	hrespBody, err := post(ctx, hreqBody, timeout)
-	if err != nil {
-		return err
-	}
-
-	res := &remotepb.Response{}
-	if err := proto.Unmarshal(hrespBody, res); err != nil {
-		return err
-	}
-	if res.RpcError != nil {
-		ce := &CallError{
-			Detail: res.RpcError.GetDetail(),
-			Code:   *res.RpcError.Code,
-		}
-		switch remotepb.RpcError_ErrorCode(ce.Code) {
-		case remotepb.RpcError_CANCELLED, remotepb.RpcError_DEADLINE_EXCEEDED:
-			ce.Timeout = true
-		}
-		return ce
-	}
-	if res.ApplicationError != nil {
-		return &APIError{
-			Service: *req.ServiceName,
-			Detail:  res.ApplicationError.GetDetail(),
-			Code:    *res.ApplicationError.Code,
-		}
-	}
-	if res.Exception != nil || res.JavaException != nil {
-		// This shouldn't happen, but let's be defensive.
-		return &CallError{
-			Detail: "service bridge returned exception",
-			Code:   int32(remotepb.RpcError_UNKNOWN),
-		}
-	}
-	return proto.Unmarshal(res.Response, out)
-}
-
-func (c *aeContext) Request() *http.Request {
-	return c.req
-}
-
-func (c *aeContext) addLogLine(ll *logpb.UserAppLogLine) {
-	// Truncate long log lines.
-	// TODO(dsymonds): Check if this is still necessary.
-	const lim = 8 << 10
-	if len(*ll.Message) > lim {
-		suffix := fmt.Sprintf("...(length %d)", len(*ll.Message))
-		ll.Message = proto.String((*ll.Message)[:lim-len(suffix)] + suffix)
-	}
-
-	c.pendingLogs.Lock()
-	c.pendingLogs.lines = append(c.pendingLogs.lines, ll)
-	c.pendingLogs.Unlock()
-}
-
-var logLevelName = map[int64]string{
-	0: "DEBUG",
-	1: "INFO",
-	2: "WARNING",
-	3: "ERROR",
-	4: "CRITICAL",
-}
-
-func logf(c *aeContext, level int64, format string, args ...interface{}) {
-	if c == nil {
-		panic("not an App Engine aeContext")
-	}
-	s := fmt.Sprintf(format, args...)
-	s = strings.TrimRight(s, "\n") // Remove any trailing newline characters.
-	if logToLogservice() {
-		c.addLogLine(&logpb.UserAppLogLine{
-			TimestampUsec: proto.Int64(time.Now().UnixNano() / 1e3),
-			Level:         &level,
-			Message:       &s,
-		})
-	}
-	// Log to stdout if not deployed
-	if !IsSecondGen() {
-		log.Print(logLevelName[level] + ": " + s)
-	}
-}
-
-// flushLog attempts to flush any pending logs to the appserver.
-// It should not be called concurrently.
-func (c *aeContext) flushLog(force bool) (flushed bool) {
-	c.pendingLogs.Lock()
-	// Grab up to 30 MB. We can get away with up to 32 MB, but let's be cautious.
-	n, rem := 0, 30<<20
-	for ; n < len(c.pendingLogs.lines); n++ {
-		ll := c.pendingLogs.lines[n]
-		// Each log line will require about 3 bytes of overhead.
-		nb := proto.Size(ll) + 3
-		if nb > rem {
-			break
-		}
-		rem -= nb
-	}
-	lines := c.pendingLogs.lines[:n]
-	c.pendingLogs.lines = c.pendingLogs.lines[n:]
-	c.pendingLogs.Unlock()
-
-	if len(lines) == 0 && !force {
-		// Nothing to flush.
-		return false
-	}
-
-	rescueLogs := false
-	defer func() {
-		if rescueLogs {
-			c.pendingLogs.Lock()
-			c.pendingLogs.lines = append(lines, c.pendingLogs.lines...)
-			c.pendingLogs.Unlock()
-		}
-	}()
-
-	buf, err := proto.Marshal(&logpb.UserAppLogGroup{
-		LogLine: lines,
-	})
-	if err != nil {
-		log.Printf("internal.flushLog: marshaling UserAppLogGroup: %v", err)
-		rescueLogs = true
-		return false
-	}
-
-	req := &logpb.FlushRequest{
-		Logs: buf,
-	}
-	res := &basepb.VoidProto{}
-	c.pendingLogs.Lock()
-	c.pendingLogs.flushes++
-	c.pendingLogs.Unlock()
-	if err := Call(toContext(c), "logservice", "Flush", req, res); err != nil {
-		log.Printf("internal.flushLog: Flush RPC: %v", err)
-		rescueLogs = true
-		return false
-	}
-	return true
-}
-
-const (
-	// Log flushing parameters.
-	flushInterval      = 1 * time.Second
-	forceFlushInterval = 60 * time.Second
-)
-
-func (c *aeContext) logFlusher(stop <-chan int) {
-	lastFlush := time.Now()
-	tick := time.NewTicker(flushInterval)
-	for {
-		select {
-		case <-stop:
-			// Request finished.
-			tick.Stop()
-			return
-		case <-tick.C:
-			force := time.Now().Sub(lastFlush) > forceFlushInterval
-			if c.flushLog(force) {
-				lastFlush = time.Now()
-			}
-		}
-	}
-}
-
-func ContextForTesting(req *http.Request) context.Context {
-	return toContext(&aeContext{req: req})
-}
-
-func logToLogservice() bool {
-	// TODO: replace logservice with json structured logs to $LOG_DIR/app.log.json
-	// where $LOG_DIR is /var/log in prod and some tmpdir in dev
-	return os.Getenv("LOG_TO_LOGSERVICE") != "0"
-}
diff --git a/vendor/google.golang.org/appengine/internal/api_classic.go b/vendor/google.golang.org/appengine/internal/api_classic.go
deleted file mode 100644
index 87c33c798..000000000
--- a/vendor/google.golang.org/appengine/internal/api_classic.go
+++ /dev/null
@@ -1,170 +0,0 @@
-// Copyright 2015 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-//go:build appengine
-// +build appengine
-
-package internal
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http"
-	"time"
-
-	"appengine"
-	"appengine_internal"
-	basepb "appengine_internal/base"
-
-	"github.com/golang/protobuf/proto"
-)
-
-var contextKey = "holds an appengine.Context"
-
-// fromContext returns the App Engine context or nil if ctx is not
-// derived from an App Engine context.
-func fromContext(ctx context.Context) appengine.Context {
-	c, _ := ctx.Value(&contextKey).(appengine.Context)
-	return c
-}
-
-// This is only for classic App Engine adapters.
-func ClassicContextFromContext(ctx context.Context) (appengine.Context, error) {
-	c := fromContext(ctx)
-	if c == nil {
-		return nil, errNotAppEngineContext
-	}
-	return c, nil
-}
-
-func withContext(parent context.Context, c appengine.Context) context.Context {
-	ctx := context.WithValue(parent, &contextKey, c)
-
-	s := &basepb.StringProto{}
-	c.Call("__go__", "GetNamespace", &basepb.VoidProto{}, s, nil)
-	if ns := s.GetValue(); ns != "" {
-		ctx = NamespacedContext(ctx, ns)
-	}
-
-	return ctx
-}
-
-func IncomingHeaders(ctx context.Context) http.Header {
-	if c := fromContext(ctx); c != nil {
-		if req, ok := c.Request().(*http.Request); ok {
-			return req.Header
-		}
-	}
-	return nil
-}
-
-func ReqContext(req *http.Request) context.Context {
-	return WithContext(context.Background(), req)
-}
-
-func WithContext(parent context.Context, req *http.Request) context.Context {
-	c := appengine.NewContext(req)
-	return withContext(parent, c)
-}
-
-type testingContext struct {
-	appengine.Context
-
-	req *http.Request
-}
-
-func (t *testingContext) FullyQualifiedAppID() string { return "dev~testcontext" }
-func (t *testingContext) Call(service, method string, _, _ appengine_internal.ProtoMessage, _ *appengine_internal.CallOptions) error {
-	if service == "__go__" && method == "GetNamespace" {
-		return nil
-	}
-	return fmt.Errorf("testingContext: unsupported Call")
-}
-func (t *testingContext) Request() interface{} { return t.req }
-
-func ContextForTesting(req *http.Request) context.Context {
-	return withContext(context.Background(), &testingContext{req: req})
-}
-
-func Call(ctx context.Context, service, method string, in, out proto.Message) error {
-	if ns := NamespaceFromContext(ctx); ns != "" {
-		if fn, ok := NamespaceMods[service]; ok {
-			fn(in, ns)
-		}
-	}
-
-	if f, ctx, ok := callOverrideFromContext(ctx); ok {
-		return f(ctx, service, method, in, out)
-	}
-
-	// Handle already-done contexts quickly.
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	default:
-	}
-
-	c := fromContext(ctx)
-	if c == nil {
-		// Give a good error message rather than a panic lower down.
-		return errNotAppEngineContext
-	}
-
-	// Apply transaction modifications if we're in a transaction.
-	if t := transactionFromContext(ctx); t != nil {
-		if t.finished {
-			return errors.New("transaction context has expired")
-		}
-		applyTransaction(in, &t.transaction)
-	}
-
-	var opts *appengine_internal.CallOptions
-	if d, ok := ctx.Deadline(); ok {
-		opts = &appengine_internal.CallOptions{
-			Timeout: d.Sub(time.Now()),
-		}
-	}
-
-	err := c.Call(service, method, in, out, opts)
-	switch v := err.(type) {
-	case *appengine_internal.APIError:
-		return &APIError{
-			Service: v.Service,
-			Detail:  v.Detail,
-			Code:    v.Code,
-		}
-	case *appengine_internal.CallError:
-		return &CallError{
-			Detail:  v.Detail,
-			Code:    v.Code,
-			Timeout: v.Timeout,
-		}
-	}
-	return err
-}
-
-func Middleware(next http.Handler) http.Handler {
-	panic("Middleware called; this should be impossible")
-}
-
-func logf(c appengine.Context, level int64, format string, args ...interface{}) {
-	var fn func(format string, args ...interface{})
-	switch level {
-	case 0:
-		fn = c.Debugf
-	case 1:
-		fn = c.Infof
-	case 2:
-		fn = c.Warningf
-	case 3:
-		fn = c.Errorf
-	case 4:
-		fn = c.Criticalf
-	default:
-		// This shouldn't happen.
-		fn = c.Criticalf
-	}
-	fn(format, args...)
-}
diff --git a/vendor/google.golang.org/appengine/internal/api_common.go b/vendor/google.golang.org/appengine/internal/api_common.go
deleted file mode 100644
index 5b95c13d9..000000000
--- a/vendor/google.golang.org/appengine/internal/api_common.go
+++ /dev/null
@@ -1,141 +0,0 @@
-// Copyright 2015 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-package internal
-
-import (
-	"context"
-	"errors"
-	"os"
-
-	"github.com/golang/protobuf/proto"
-)
-
-type ctxKey string
-
-func (c ctxKey) String() string {
-	return "appengine context key: " + string(c)
-}
-
-var errNotAppEngineContext = errors.New("not an App Engine context")
-
-type CallOverrideFunc func(ctx context.Context, service, method string, in, out proto.Message) error
-
-var callOverrideKey = "holds []CallOverrideFunc"
-
-func WithCallOverride(ctx context.Context, f CallOverrideFunc) context.Context {
-	// We avoid appending to any existing call override
-	// so we don't risk overwriting a popped stack below.
-	var cofs []CallOverrideFunc
-	if uf, ok := ctx.Value(&callOverrideKey).([]CallOverrideFunc); ok {
-		cofs = append(cofs, uf...)
-	}
-	cofs = append(cofs, f)
-	return context.WithValue(ctx, &callOverrideKey, cofs)
-}
-
-func callOverrideFromContext(ctx context.Context) (CallOverrideFunc, context.Context, bool) {
-	cofs, _ := ctx.Value(&callOverrideKey).([]CallOverrideFunc)
-	if len(cofs) == 0 {
-		return nil, nil, false
-	}
-	// We found a list of overrides; grab the last, and reconstitute a
-	// context that will hide it.
-	f := cofs[len(cofs)-1]
-	ctx = context.WithValue(ctx, &callOverrideKey, cofs[:len(cofs)-1])
-	return f, ctx, true
-}
-
-type logOverrideFunc func(level int64, format string, args ...interface{})
-
-var logOverrideKey = "holds a logOverrideFunc"
-
-func WithLogOverride(ctx context.Context, f logOverrideFunc) context.Context {
-	return context.WithValue(ctx, &logOverrideKey, f)
-}
-
-var appIDOverrideKey = "holds a string, being the full app ID"
-
-func WithAppIDOverride(ctx context.Context, appID string) context.Context {
-	return context.WithValue(ctx, &appIDOverrideKey, appID)
-}
-
-var apiHostOverrideKey = ctxKey("holds a string, being the alternate API_HOST")
-
-func withAPIHostOverride(ctx context.Context, apiHost string) context.Context {
-	return context.WithValue(ctx, apiHostOverrideKey, apiHost)
-}
-
-var apiPortOverrideKey = ctxKey("holds a string, being the alternate API_PORT")
-
-func withAPIPortOverride(ctx context.Context, apiPort string) context.Context {
-	return context.WithValue(ctx, apiPortOverrideKey, apiPort)
-}
-
-var namespaceKey = "holds the namespace string"
-
-func withNamespace(ctx context.Context, ns string) context.Context {
-	return context.WithValue(ctx, &namespaceKey, ns)
-}
-
-func NamespaceFromContext(ctx context.Context) string {
-	// If there's no namespace, return the empty string.
-	ns, _ := ctx.Value(&namespaceKey).(string)
-	return ns
-}
-
-// FullyQualifiedAppID returns the fully-qualified application ID.
-// This may contain a partition prefix (e.g. "s~" for High Replication apps),
-// or a domain prefix (e.g. "example.com:").
-func FullyQualifiedAppID(ctx context.Context) string {
-	if id, ok := ctx.Value(&appIDOverrideKey).(string); ok {
-		return id
-	}
-	return fullyQualifiedAppID(ctx)
-}
-
-func Logf(ctx context.Context, level int64, format string, args ...interface{}) {
-	if f, ok := ctx.Value(&logOverrideKey).(logOverrideFunc); ok {
-		f(level, format, args...)
-		return
-	}
-	c := fromContext(ctx)
-	if c == nil {
-		panic(errNotAppEngineContext)
-	}
-	logf(c, level, format, args...)
-}
-
-// NamespacedContext wraps a Context to support namespaces.
-func NamespacedContext(ctx context.Context, namespace string) context.Context {
-	return withNamespace(ctx, namespace)
-}
-
-// SetTestEnv sets the env variables for testing background ticket in Flex.
-func SetTestEnv() func() {
-	var environ = []struct {
-		key, value string
-	}{
-		{"GAE_LONG_APP_ID", "my-app-id"},
-		{"GAE_MINOR_VERSION", "067924799508853122"},
-		{"GAE_MODULE_INSTANCE", "0"},
-		{"GAE_MODULE_NAME", "default"},
-		{"GAE_MODULE_VERSION", "20150612t184001"},
-	}
-
-	for _, v := range environ {
-		old := os.Getenv(v.key)
-		os.Setenv(v.key, v.value)
-		v.value = old
-	}
-	return func() { // Restore old environment after the test completes.
-		for _, v := range environ {
-			if v.value == "" {
-				os.Unsetenv(v.key)
-				continue
-			}
-			os.Setenv(v.key, v.value)
-		}
-	}
-}
diff --git a/vendor/google.golang.org/appengine/internal/app_id.go b/vendor/google.golang.org/appengine/internal/app_id.go
deleted file mode 100644
index 11df8c07b..000000000
--- a/vendor/google.golang.org/appengine/internal/app_id.go
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright 2011 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-package internal
-
-import (
-	"strings"
-)
-
-func parseFullAppID(appid string) (partition, domain, displayID string) {
-	if i := strings.Index(appid, "~"); i != -1 {
-		partition, appid = appid[:i], appid[i+1:]
-	}
-	if i := strings.Index(appid, ":"); i != -1 {
-		domain, appid = appid[:i], appid[i+1:]
-	}
-	return partition, domain, appid
-}
-
-// appID returns "appid" or "domain.com:appid".
-func appID(fullAppID string) string {
-	_, dom, dis := parseFullAppID(fullAppID)
-	if dom != "" {
-		return dom + ":" + dis
-	}
-	return dis
-}
diff --git a/vendor/google.golang.org/appengine/internal/base/api_base.pb.go b/vendor/google.golang.org/appengine/internal/base/api_base.pb.go
deleted file mode 100644
index db4777e68..000000000
--- a/vendor/google.golang.org/appengine/internal/base/api_base.pb.go
+++ /dev/null
@@ -1,308 +0,0 @@
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// source: google.golang.org/appengine/internal/base/api_base.proto
-
-package base
-
-import proto "github.com/golang/protobuf/proto"
-import fmt "fmt"
-import math "math"
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
-
-type StringProto struct {
-	Value                *string  `protobuf:"bytes,1,req,name=value" json:"value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *StringProto) Reset()         { *m = StringProto{} }
-func (m *StringProto) String() string { return proto.CompactTextString(m) }
-func (*StringProto) ProtoMessage()    {}
-func (*StringProto) Descriptor() ([]byte, []int) {
-	return fileDescriptor_api_base_9d49f8792e0c1140, []int{0}
-}
-func (m *StringProto) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_StringProto.Unmarshal(m, b)
-}
-func (m *StringProto) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_StringProto.Marshal(b, m, deterministic)
-}
-func (dst *StringProto) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_StringProto.Merge(dst, src)
-}
-func (m *StringProto) XXX_Size() int {
-	return xxx_messageInfo_StringProto.Size(m)
-}
-func (m *StringProto) XXX_DiscardUnknown() {
-	xxx_messageInfo_StringProto.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_StringProto proto.InternalMessageInfo
-
-func (m *StringProto) GetValue() string {
-	if m != nil && m.Value != nil {
-		return *m.Value
-	}
-	return ""
-}
-
-type Integer32Proto struct {
-	Value                *int32   `protobuf:"varint,1,req,name=value" json:"value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Integer32Proto) Reset()         { *m = Integer32Proto{} }
-func (m *Integer32Proto) String() string { return proto.CompactTextString(m) }
-func (*Integer32Proto) ProtoMessage()    {}
-func (*Integer32Proto) Descriptor() ([]byte, []int) {
-	return fileDescriptor_api_base_9d49f8792e0c1140, []int{1}
-}
-func (m *Integer32Proto) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Integer32Proto.Unmarshal(m, b)
-}
-func (m *Integer32Proto) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Integer32Proto.Marshal(b, m, deterministic)
-}
-func (dst *Integer32Proto) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Integer32Proto.Merge(dst, src)
-}
-func (m *Integer32Proto) XXX_Size() int {
-	return xxx_messageInfo_Integer32Proto.Size(m)
-}
-func (m *Integer32Proto) XXX_DiscardUnknown() {
-	xxx_messageInfo_Integer32Proto.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Integer32Proto proto.InternalMessageInfo
-
-func (m *Integer32Proto) GetValue() int32 {
-	if m != nil && m.Value != nil {
-		return *m.Value
-	}
-	return 0
-}
-
-type Integer64Proto struct {
-	Value                *int64   `protobuf:"varint,1,req,name=value" json:"value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Integer64Proto) Reset()         { *m = Integer64Proto{} }
-func (m *Integer64Proto) String() string { return proto.CompactTextString(m) }
-func (*Integer64Proto) ProtoMessage()    {}
-func (*Integer64Proto) Descriptor() ([]byte, []int) {
-	return fileDescriptor_api_base_9d49f8792e0c1140, []int{2}
-}
-func (m *Integer64Proto) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Integer64Proto.Unmarshal(m, b)
-}
-func (m *Integer64Proto) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Integer64Proto.Marshal(b, m, deterministic)
-}
-func (dst *Integer64Proto) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Integer64Proto.Merge(dst, src)
-}
-func (m *Integer64Proto) XXX_Size() int {
-	return xxx_messageInfo_Integer64Proto.Size(m)
-}
-func (m *Integer64Proto) XXX_DiscardUnknown() {
-	xxx_messageInfo_Integer64Proto.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Integer64Proto proto.InternalMessageInfo
-
-func (m *Integer64Proto) GetValue() int64 {
-	if m != nil && m.Value != nil {
-		return *m.Value
-	}
-	return 0
-}
-
-type BoolProto struct {
-	Value                *bool    `protobuf:"varint,1,req,name=value" json:"value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *BoolProto) Reset()         { *m = BoolProto{} }
-func (m *BoolProto) String() string { return proto.CompactTextString(m) }
-func (*BoolProto) ProtoMessage()    {}
-func (*BoolProto) Descriptor() ([]byte, []int) {
-	return fileDescriptor_api_base_9d49f8792e0c1140, []int{3}
-}
-func (m *BoolProto) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_BoolProto.Unmarshal(m, b)
-}
-func (m *BoolProto) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_BoolProto.Marshal(b, m, deterministic)
-}
-func (dst *BoolProto) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BoolProto.Merge(dst, src)
-}
-func (m *BoolProto) XXX_Size() int {
-	return xxx_messageInfo_BoolProto.Size(m)
-}
-func (m *BoolProto) XXX_DiscardUnknown() {
-	xxx_messageInfo_BoolProto.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BoolProto proto.InternalMessageInfo
-
-func (m *BoolProto) GetValue() bool {
-	if m != nil && m.Value != nil {
-		return *m.Value
-	}
-	return false
-}
-
-type DoubleProto struct {
-	Value                *float64 `protobuf:"fixed64,1,req,name=value" json:"value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *DoubleProto) Reset()         { *m = DoubleProto{} }
-func (m *DoubleProto) String() string { return proto.CompactTextString(m) }
-func (*DoubleProto) ProtoMessage()    {}
-func (*DoubleProto) Descriptor() ([]byte, []int) {
-	return fileDescriptor_api_base_9d49f8792e0c1140, []int{4}
-}
-func (m *DoubleProto) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_DoubleProto.Unmarshal(m, b)
-}
-func (m *DoubleProto) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_DoubleProto.Marshal(b, m, deterministic)
-}
-func (dst *DoubleProto) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DoubleProto.Merge(dst, src)
-}
-func (m *DoubleProto) XXX_Size() int {
-	return xxx_messageInfo_DoubleProto.Size(m)
-}
-func (m *DoubleProto) XXX_DiscardUnknown() {
-	xxx_messageInfo_DoubleProto.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DoubleProto proto.InternalMessageInfo
-
-func (m *DoubleProto) GetValue() float64 {
-	if m != nil && m.Value != nil {
-		return *m.Value
-	}
-	return 0
-}
-
-type BytesProto struct {
-	Value                []byte   `protobuf:"bytes,1,req,name=value" json:"value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *BytesProto) Reset()         { *m = BytesProto{} }
-func (m *BytesProto) String() string { return proto.CompactTextString(m) }
-func (*BytesProto) ProtoMessage()    {}
-func (*BytesProto) Descriptor() ([]byte, []int) {
-	return fileDescriptor_api_base_9d49f8792e0c1140, []int{5}
-}
-func (m *BytesProto) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_BytesProto.Unmarshal(m, b)
-}
-func (m *BytesProto) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_BytesProto.Marshal(b, m, deterministic)
-}
-func (dst *BytesProto) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BytesProto.Merge(dst, src)
-}
-func (m *BytesProto) XXX_Size() int {
-	return xxx_messageInfo_BytesProto.Size(m)
-}
-func (m *BytesProto) XXX_DiscardUnknown() {
-	xxx_messageInfo_BytesProto.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BytesProto proto.InternalMessageInfo
-
-func (m *BytesProto) GetValue() []byte {
-	if m != nil {
-		return m.Value
-	}
-	return nil
-}
-
-type VoidProto struct {
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *VoidProto) Reset()         { *m = VoidProto{} }
-func (m *VoidProto) String() string { return proto.CompactTextString(m) }
-func (*VoidProto) ProtoMessage()    {}
-func (*VoidProto) Descriptor() ([]byte, []int) {
-	return fileDescriptor_api_base_9d49f8792e0c1140, []int{6}
-}
-func (m *VoidProto) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_VoidProto.Unmarshal(m, b)
-}
-func (m *VoidProto) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_VoidProto.Marshal(b, m, deterministic)
-}
-func (dst *VoidProto) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_VoidProto.Merge(dst, src)
-}
-func (m *VoidProto) XXX_Size() int {
-	return xxx_messageInfo_VoidProto.Size(m)
-}
-func (m *VoidProto) XXX_DiscardUnknown() {
-	xxx_messageInfo_VoidProto.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_VoidProto proto.InternalMessageInfo
-
-func init() {
-	proto.RegisterType((*StringProto)(nil), "appengine.base.StringProto")
-	proto.RegisterType((*Integer32Proto)(nil), "appengine.base.Integer32Proto")
-	proto.RegisterType((*Integer64Proto)(nil), "appengine.base.Integer64Proto")
-	proto.RegisterType((*BoolProto)(nil), "appengine.base.BoolProto")
-	proto.RegisterType((*DoubleProto)(nil), "appengine.base.DoubleProto")
-	proto.RegisterType((*BytesProto)(nil), "appengine.base.BytesProto")
-	proto.RegisterType((*VoidProto)(nil), "appengine.base.VoidProto")
-}
-
-func init() {
-	proto.RegisterFile("google.golang.org/appengine/internal/base/api_base.proto", fileDescriptor_api_base_9d49f8792e0c1140)
-}
-
-var fileDescriptor_api_base_9d49f8792e0c1140 = []byte{
-	// 199 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0xcf, 0x3f, 0x4b, 0xc6, 0x30,
-	0x10, 0x06, 0x70, 0x5a, 0xad, 0xb4, 0x57, 0xe9, 0x20, 0x0e, 0x1d, 0xb5, 0x05, 0x71, 0x4a, 0x40,
-	0x45, 0x9c, 0x83, 0x8b, 0x9b, 0x28, 0x38, 0xb8, 0x48, 0x8a, 0xc7, 0x11, 0x08, 0xb9, 0x90, 0xa6,
-	0x82, 0xdf, 0x5e, 0xda, 0xd2, 0xfa, 0xc2, 0x9b, 0xed, 0xfe, 0xfc, 0xe0, 0xe1, 0x81, 0x27, 0x62,
-	0x26, 0x8b, 0x82, 0xd8, 0x6a, 0x47, 0x82, 0x03, 0x49, 0xed, 0x3d, 0x3a, 0x32, 0x0e, 0xa5, 0x71,
-	0x11, 0x83, 0xd3, 0x56, 0x0e, 0x7a, 0x44, 0xa9, 0xbd, 0xf9, 0x9a, 0x07, 0xe1, 0x03, 0x47, 0xbe,
-	0x68, 0x76, 0x27, 0xe6, 0x6b, 0xd7, 0x43, 0xfd, 0x1e, 0x83, 0x71, 0xf4, 0xba, 0xbc, 0x2f, 0xa1,
-	0xf8, 0xd1, 0x76, 0xc2, 0x36, 0xbb, 0xca, 0x6f, 0xab, 0xb7, 0x75, 0xe9, 0x6e, 0xa0, 0x79, 0x71,
-	0x11, 0x09, 0xc3, 0xfd, 0x5d, 0xc2, 0x15, 0xc7, 0xee, 0xf1, 0x21, 0xe1, 0x4e, 0x36, 0x77, 0x0d,
-	0x95, 0x62, 0xb6, 0x09, 0x52, 0x6e, 0xa4, 0x87, 0xfa, 0x99, 0xa7, 0xc1, 0x62, 0x02, 0x65, 0xff,
-	0x79, 0xa0, 0x7e, 0x23, 0x8e, 0xab, 0x69, 0x0f, 0xcd, 0xb9, 0xca, 0xcb, 0xdd, 0xd5, 0x50, 0x7d,
-	0xb0, 0xf9, 0x5e, 0x98, 0x3a, 0xfb, 0x3c, 0x9d, 0x9b, 0xff, 0x05, 0x00, 0x00, 0xff, 0xff, 0xba,
-	0x37, 0x25, 0xea, 0x44, 0x01, 0x00, 0x00,
-}
diff --git a/vendor/google.golang.org/appengine/internal/base/api_base.proto b/vendor/google.golang.org/appengine/internal/base/api_base.proto
deleted file mode 100644
index 56cd7a3ca..000000000
--- a/vendor/google.golang.org/appengine/internal/base/api_base.proto
+++ /dev/null
@@ -1,33 +0,0 @@
-// Built-in base types for API calls. Primarily useful as return types.
-
-syntax = "proto2";
-option go_package = "base";
-
-package appengine.base;
-
-message StringProto {
-  required string value = 1;
-}
-
-message Integer32Proto {
-  required int32 value = 1;
-}
-
-message Integer64Proto {
-  required int64 value = 1;
-}
-
-message BoolProto {
-  required bool value = 1;
-}
-
-message DoubleProto {
-  required double value = 1;
-}
-
-message BytesProto {
-  required bytes value = 1 [ctype=CORD];
-}
-
-message VoidProto {
-}
diff --git a/vendor/google.golang.org/appengine/internal/datastore/datastore_v3.pb.go b/vendor/google.golang.org/appengine/internal/datastore/datastore_v3.pb.go
deleted file mode 100644
index 2fb748289..000000000
--- a/vendor/google.golang.org/appengine/internal/datastore/datastore_v3.pb.go
+++ /dev/null
@@ -1,4367 +0,0 @@
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// source: google.golang.org/appengine/internal/datastore/datastore_v3.proto
-
-package datastore
-
-import proto "github.com/golang/protobuf/proto"
-import fmt "fmt"
-import math "math"
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
-
-type Property_Meaning int32
-
-const (
-	Property_NO_MEANING       Property_Meaning = 0
-	Property_BLOB             Property_Meaning = 14
-	Property_TEXT             Property_Meaning = 15
-	Property_BYTESTRING       Property_Meaning = 16
-	Property_ATOM_CATEGORY    Property_Meaning = 1
-	Property_ATOM_LINK        Property_Meaning = 2
-	Property_ATOM_TITLE       Property_Meaning = 3
-	Property_ATOM_CONTENT     Property_Meaning = 4
-	Property_ATOM_SUMMARY     Property_Meaning = 5
-	Property_ATOM_AUTHOR      Property_Meaning = 6
-	Property_GD_WHEN          Property_Meaning = 7
-	Property_GD_EMAIL         Property_Meaning = 8
-	Property_GEORSS_POINT     Property_Meaning = 9
-	Property_GD_IM            Property_Meaning = 10
-	Property_GD_PHONENUMBER   Property_Meaning = 11
-	Property_GD_POSTALADDRESS Property_Meaning = 12
-	Property_GD_RATING        Property_Meaning = 13
-	Property_BLOBKEY          Property_Meaning = 17
-	Property_ENTITY_PROTO     Property_Meaning = 19
-	Property_INDEX_VALUE      Property_Meaning = 18
-)
-
-var Property_Meaning_name = map[int32]string{
-	0:  "NO_MEANING",
-	14: "BLOB",
-	15: "TEXT",
-	16: "BYTESTRING",
-	1:  "ATOM_CATEGORY",
-	2:  "ATOM_LINK",
-	3:  "ATOM_TITLE",
-	4:  "ATOM_CONTENT",
-	5:  "ATOM_SUMMARY",
-	6:  "ATOM_AUTHOR",
-	7:  "GD_WHEN",
-	8:  "GD_EMAIL",
-	9:  "GEORSS_POINT",
-	10: "GD_IM",
-	11: "GD_PHONENUMBER",
-	12: "GD_POSTALADDRESS",
-	13: "GD_RATING",
-	17: "BLOBKEY",
-	19: "ENTITY_PROTO",
-	18: "INDEX_VALUE",
-}
-var Property_Meaning_value = map[string]int32{
-	"NO_MEANING":       0,
-	"BLOB":             14,
-	"TEXT":             15,
-	"BYTESTRING":       16,
-	"ATOM_CATEGORY":    1,
-	"ATOM_LINK":        2,
-	"ATOM_TITLE":       3,
-	"ATOM_CONTENT":     4,
-	"ATOM_SUMMARY":     5,
-	"ATOM_AUTHOR":      6,
-	"GD_WHEN":          7,
-	"GD_EMAIL":         8,
-	"GEORSS_POINT":     9,
-	"GD_IM":            10,
-	"GD_PHONENUMBER":   11,
-	"GD_POSTALADDRESS": 12,
-	"GD_RATING":        13,
-	"BLOBKEY":          17,
-	"ENTITY_PROTO":     19,
-	"INDEX_VALUE":      18,
-}
-
-func (x Property_Meaning) Enum() *Property_Meaning {
-	p := new(Property_Meaning)
-	*p = x
-	return p
-}
-func (x Property_Meaning) String() string {
-	return proto.EnumName(Property_Meaning_name, int32(x))
-}
-func (x *Property_Meaning) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(Property_Meaning_value, data, "Property_Meaning")
-	if err != nil {
-		return err
-	}
-	*x = Property_Meaning(value)
-	return nil
-}
-func (Property_Meaning) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{2, 0}
-}
-
-type Property_FtsTokenizationOption int32
-
-const (
-	Property_HTML Property_FtsTokenizationOption = 1
-	Property_ATOM Property_FtsTokenizationOption = 2
-)
-
-var Property_FtsTokenizationOption_name = map[int32]string{
-	1: "HTML",
-	2: "ATOM",
-}
-var Property_FtsTokenizationOption_value = map[string]int32{
-	"HTML": 1,
-	"ATOM": 2,
-}
-
-func (x Property_FtsTokenizationOption) Enum() *Property_FtsTokenizationOption {
-	p := new(Property_FtsTokenizationOption)
-	*p = x
-	return p
-}
-func (x Property_FtsTokenizationOption) String() string {
-	return proto.EnumName(Property_FtsTokenizationOption_name, int32(x))
-}
-func (x *Property_FtsTokenizationOption) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(Property_FtsTokenizationOption_value, data, "Property_FtsTokenizationOption")
-	if err != nil {
-		return err
-	}
-	*x = Property_FtsTokenizationOption(value)
-	return nil
-}
-func (Property_FtsTokenizationOption) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{2, 1}
-}
-
-type EntityProto_Kind int32
-
-const (
-	EntityProto_GD_CONTACT EntityProto_Kind = 1
-	EntityProto_GD_EVENT   EntityProto_Kind = 2
-	EntityProto_GD_MESSAGE EntityProto_Kind = 3
-)
-
-var EntityProto_Kind_name = map[int32]string{
-	1: "GD_CONTACT",
-	2: "GD_EVENT",
-	3: "GD_MESSAGE",
-}
-var EntityProto_Kind_value = map[string]int32{
-	"GD_CONTACT": 1,
-	"GD_EVENT":   2,
-	"GD_MESSAGE": 3,
-}
-
-func (x EntityProto_Kind) Enum() *EntityProto_Kind {
-	p := new(EntityProto_Kind)
-	*p = x
-	return p
-}
-func (x EntityProto_Kind) String() string {
-	return proto.EnumName(EntityProto_Kind_name, int32(x))
-}
-func (x *EntityProto_Kind) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(EntityProto_Kind_value, data, "EntityProto_Kind")
-	if err != nil {
-		return err
-	}
-	*x = EntityProto_Kind(value)
-	return nil
-}
-func (EntityProto_Kind) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{6, 0}
-}
-
-type Index_Property_Direction int32
-
-const (
-	Index_Property_ASCENDING  Index_Property_Direction = 1
-	Index_Property_DESCENDING Index_Property_Direction = 2
-)
-
-var Index_Property_Direction_name = map[int32]string{
-	1: "ASCENDING",
-	2: "DESCENDING",
-}
-var Index_Property_Direction_value = map[string]int32{
-	"ASCENDING":  1,
-	"DESCENDING": 2,
-}
-
-func (x Index_Property_Direction) Enum() *Index_Property_Direction {
-	p := new(Index_Property_Direction)
-	*p = x
-	return p
-}
-func (x Index_Property_Direction) String() string {
-	return proto.EnumName(Index_Property_Direction_name, int32(x))
-}
-func (x *Index_Property_Direction) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(Index_Property_Direction_value, data, "Index_Property_Direction")
-	if err != nil {
-		return err
-	}
-	*x = Index_Property_Direction(value)
-	return nil
-}
-func (Index_Property_Direction) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{8, 0, 0}
-}
-
-type CompositeIndex_State int32
-
-const (
-	CompositeIndex_WRITE_ONLY CompositeIndex_State = 1
-	CompositeIndex_READ_WRITE CompositeIndex_State = 2
-	CompositeIndex_DELETED    CompositeIndex_State = 3
-	CompositeIndex_ERROR      CompositeIndex_State = 4
-)
-
-var CompositeIndex_State_name = map[int32]string{
-	1: "WRITE_ONLY",
-	2: "READ_WRITE",
-	3: "DELETED",
-	4: "ERROR",
-}
-var CompositeIndex_State_value = map[string]int32{
-	"WRITE_ONLY": 1,
-	"READ_WRITE": 2,
-	"DELETED":    3,
-	"ERROR":      4,
-}
-
-func (x CompositeIndex_State) Enum() *CompositeIndex_State {
-	p := new(CompositeIndex_State)
-	*p = x
-	return p
-}
-func (x CompositeIndex_State) String() string {
-	return proto.EnumName(CompositeIndex_State_name, int32(x))
-}
-func (x *CompositeIndex_State) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(CompositeIndex_State_value, data, "CompositeIndex_State")
-	if err != nil {
-		return err
-	}
-	*x = CompositeIndex_State(value)
-	return nil
-}
-func (CompositeIndex_State) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{9, 0}
-}
-
-type Snapshot_Status int32
-
-const (
-	Snapshot_INACTIVE Snapshot_Status = 0
-	Snapshot_ACTIVE   Snapshot_Status = 1
-)
-
-var Snapshot_Status_name = map[int32]string{
-	0: "INACTIVE",
-	1: "ACTIVE",
-}
-var Snapshot_Status_value = map[string]int32{
-	"INACTIVE": 0,
-	"ACTIVE":   1,
-}
-
-func (x Snapshot_Status) Enum() *Snapshot_Status {
-	p := new(Snapshot_Status)
-	*p = x
-	return p
-}
-func (x Snapshot_Status) String() string {
-	return proto.EnumName(Snapshot_Status_name, int32(x))
-}
-func (x *Snapshot_Status) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(Snapshot_Status_value, data, "Snapshot_Status")
-	if err != nil {
-		return err
-	}
-	*x = Snapshot_Status(value)
-	return nil
-}
-func (Snapshot_Status) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{12, 0}
-}
-
-type Query_Hint int32
-
-const (
-	Query_ORDER_FIRST    Query_Hint = 1
-	Query_ANCESTOR_FIRST Query_Hint = 2
-	Query_FILTER_FIRST   Query_Hint = 3
-)
-
-var Query_Hint_name = map[int32]string{
-	1: "ORDER_FIRST",
-	2: "ANCESTOR_FIRST",
-	3: "FILTER_FIRST",
-}
-var Query_Hint_value = map[string]int32{
-	"ORDER_FIRST":    1,
-	"ANCESTOR_FIRST": 2,
-	"FILTER_FIRST":   3,
-}
-
-func (x Query_Hint) Enum() *Query_Hint {
-	p := new(Query_Hint)
-	*p = x
-	return p
-}
-func (x Query_Hint) String() string {
-	return proto.EnumName(Query_Hint_name, int32(x))
-}
-func (x *Query_Hint) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(Query_Hint_value, data, "Query_Hint")
-	if err != nil {
-		return err
-	}
-	*x = Query_Hint(value)
-	return nil
-}
-func (Query_Hint) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{15, 0}
-}
-
-type Query_Filter_Operator int32
-
-const (
-	Query_Filter_LESS_THAN             Query_Filter_Operator = 1
-	Query_Filter_LESS_THAN_OR_EQUAL    Query_Filter_Operator = 2
-	Query_Filter_GREATER_THAN          Query_Filter_Operator = 3
-	Query_Filter_GREATER_THAN_OR_EQUAL Query_Filter_Operator = 4
-	Query_Filter_EQUAL                 Query_Filter_Operator = 5
-	Query_Filter_IN                    Query_Filter_Operator = 6
-	Query_Filter_EXISTS                Query_Filter_Operator = 7
-)
-
-var Query_Filter_Operator_name = map[int32]string{
-	1: "LESS_THAN",
-	2: "LESS_THAN_OR_EQUAL",
-	3: "GREATER_THAN",
-	4: "GREATER_THAN_OR_EQUAL",
-	5: "EQUAL",
-	6: "IN",
-	7: "EXISTS",
-}
-var Query_Filter_Operator_value = map[string]int32{
-	"LESS_THAN":             1,
-	"LESS_THAN_OR_EQUAL":    2,
-	"GREATER_THAN":          3,
-	"GREATER_THAN_OR_EQUAL": 4,
-	"EQUAL":                 5,
-	"IN":                    6,
-	"EXISTS":                7,
-}
-
-func (x Query_Filter_Operator) Enum() *Query_Filter_Operator {
-	p := new(Query_Filter_Operator)
-	*p = x
-	return p
-}
-func (x Query_Filter_Operator) String() string {
-	return proto.EnumName(Query_Filter_Operator_name, int32(x))
-}
-func (x *Query_Filter_Operator) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(Query_Filter_Operator_value, data, "Query_Filter_Operator")
-	if err != nil {
-		return err
-	}
-	*x = Query_Filter_Operator(value)
-	return nil
-}
-func (Query_Filter_Operator) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{15, 0, 0}
-}
-
-type Query_Order_Direction int32
-
-const (
-	Query_Order_ASCENDING  Query_Order_Direction = 1
-	Query_Order_DESCENDING Query_Order_Direction = 2
-)
-
-var Query_Order_Direction_name = map[int32]string{
-	1: "ASCENDING",
-	2: "DESCENDING",
-}
-var Query_Order_Direction_value = map[string]int32{
-	"ASCENDING":  1,
-	"DESCENDING": 2,
-}
-
-func (x Query_Order_Direction) Enum() *Query_Order_Direction {
-	p := new(Query_Order_Direction)
-	*p = x
-	return p
-}
-func (x Query_Order_Direction) String() string {
-	return proto.EnumName(Query_Order_Direction_name, int32(x))
-}
-func (x *Query_Order_Direction) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(Query_Order_Direction_value, data, "Query_Order_Direction")
-	if err != nil {
-		return err
-	}
-	*x = Query_Order_Direction(value)
-	return nil
-}
-func (Query_Order_Direction) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{15, 1, 0}
-}
-
-type Error_ErrorCode int32
-
-const (
-	Error_BAD_REQUEST                  Error_ErrorCode = 1
-	Error_CONCURRENT_TRANSACTION       Error_ErrorCode = 2
-	Error_INTERNAL_ERROR               Error_ErrorCode = 3
-	Error_NEED_INDEX                   Error_ErrorCode = 4
-	Error_TIMEOUT                      Error_ErrorCode = 5
-	Error_PERMISSION_DENIED            Error_ErrorCode = 6
-	Error_BIGTABLE_ERROR               Error_ErrorCode = 7
-	Error_COMMITTED_BUT_STILL_APPLYING Error_ErrorCode = 8
-	Error_CAPABILITY_DISABLED          Error_ErrorCode = 9
-	Error_TRY_ALTERNATE_BACKEND        Error_ErrorCode = 10
-	Error_SAFE_TIME_TOO_OLD            Error_ErrorCode = 11
-)
-
-var Error_ErrorCode_name = map[int32]string{
-	1:  "BAD_REQUEST",
-	2:  "CONCURRENT_TRANSACTION",
-	3:  "INTERNAL_ERROR",
-	4:  "NEED_INDEX",
-	5:  "TIMEOUT",
-	6:  "PERMISSION_DENIED",
-	7:  "BIGTABLE_ERROR",
-	8:  "COMMITTED_BUT_STILL_APPLYING",
-	9:  "CAPABILITY_DISABLED",
-	10: "TRY_ALTERNATE_BACKEND",
-	11: "SAFE_TIME_TOO_OLD",
-}
-var Error_ErrorCode_value = map[string]int32{
-	"BAD_REQUEST":                  1,
-	"CONCURRENT_TRANSACTION":       2,
-	"INTERNAL_ERROR":               3,
-	"NEED_INDEX":                   4,
-	"TIMEOUT":                      5,
-	"PERMISSION_DENIED":            6,
-	"BIGTABLE_ERROR":               7,
-	"COMMITTED_BUT_STILL_APPLYING": 8,
-	"CAPABILITY_DISABLED":          9,
-	"TRY_ALTERNATE_BACKEND":        10,
-	"SAFE_TIME_TOO_OLD":            11,
-}
-
-func (x Error_ErrorCode) Enum() *Error_ErrorCode {
-	p := new(Error_ErrorCode)
-	*p = x
-	return p
-}
-func (x Error_ErrorCode) String() string {
-	return proto.EnumName(Error_ErrorCode_name, int32(x))
-}
-func (x *Error_ErrorCode) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(Error_ErrorCode_value, data, "Error_ErrorCode")
-	if err != nil {
-		return err
-	}
-	*x = Error_ErrorCode(value)
-	return nil
-}
-func (Error_ErrorCode) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{19, 0}
-}
-
-type PutRequest_AutoIdPolicy int32
-
-const (
-	PutRequest_CURRENT    PutRequest_AutoIdPolicy = 0
-	PutRequest_SEQUENTIAL PutRequest_AutoIdPolicy = 1
-)
-
-var PutRequest_AutoIdPolicy_name = map[int32]string{
-	0: "CURRENT",
-	1: "SEQUENTIAL",
-}
-var PutRequest_AutoIdPolicy_value = map[string]int32{
-	"CURRENT":    0,
-	"SEQUENTIAL": 1,
-}
-
-func (x PutRequest_AutoIdPolicy) Enum() *PutRequest_AutoIdPolicy {
-	p := new(PutRequest_AutoIdPolicy)
-	*p = x
-	return p
-}
-func (x PutRequest_AutoIdPolicy) String() string {
-	return proto.EnumName(PutRequest_AutoIdPolicy_name, int32(x))
-}
-func (x *PutRequest_AutoIdPolicy) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(PutRequest_AutoIdPolicy_value, data, "PutRequest_AutoIdPolicy")
-	if err != nil {
-		return err
-	}
-	*x = PutRequest_AutoIdPolicy(value)
-	return nil
-}
-func (PutRequest_AutoIdPolicy) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{23, 0}
-}
-
-type BeginTransactionRequest_TransactionMode int32
-
-const (
-	BeginTransactionRequest_UNKNOWN    BeginTransactionRequest_TransactionMode = 0
-	BeginTransactionRequest_READ_ONLY  BeginTransactionRequest_TransactionMode = 1
-	BeginTransactionRequest_READ_WRITE BeginTransactionRequest_TransactionMode = 2
-)
-
-var BeginTransactionRequest_TransactionMode_name = map[int32]string{
-	0: "UNKNOWN",
-	1: "READ_ONLY",
-	2: "READ_WRITE",
-}
-var BeginTransactionRequest_TransactionMode_value = map[string]int32{
-	"UNKNOWN":    0,
-	"READ_ONLY":  1,
-	"READ_WRITE": 2,
-}
-
-func (x BeginTransactionRequest_TransactionMode) Enum() *BeginTransactionRequest_TransactionMode {
-	p := new(BeginTransactionRequest_TransactionMode)
-	*p = x
-	return p
-}
-func (x BeginTransactionRequest_TransactionMode) String() string {
-	return proto.EnumName(BeginTransactionRequest_TransactionMode_name, int32(x))
-}
-func (x *BeginTransactionRequest_TransactionMode) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(BeginTransactionRequest_TransactionMode_value, data, "BeginTransactionRequest_TransactionMode")
-	if err != nil {
-		return err
-	}
-	*x = BeginTransactionRequest_TransactionMode(value)
-	return nil
-}
-func (BeginTransactionRequest_TransactionMode) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{36, 0}
-}
-
-type Action struct {
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Action) Reset()         { *m = Action{} }
-func (m *Action) String() string { return proto.CompactTextString(m) }
-func (*Action) ProtoMessage()    {}
-func (*Action) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{0}
-}
-func (m *Action) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Action.Unmarshal(m, b)
-}
-func (m *Action) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Action.Marshal(b, m, deterministic)
-}
-func (dst *Action) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Action.Merge(dst, src)
-}
-func (m *Action) XXX_Size() int {
-	return xxx_messageInfo_Action.Size(m)
-}
-func (m *Action) XXX_DiscardUnknown() {
-	xxx_messageInfo_Action.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Action proto.InternalMessageInfo
-
-type PropertyValue struct {
-	Int64Value           *int64                        `protobuf:"varint,1,opt,name=int64Value" json:"int64Value,omitempty"`
-	BooleanValue         *bool                         `protobuf:"varint,2,opt,name=booleanValue" json:"booleanValue,omitempty"`
-	StringValue          *string                       `protobuf:"bytes,3,opt,name=stringValue" json:"stringValue,omitempty"`
-	DoubleValue          *float64                      `protobuf:"fixed64,4,opt,name=doubleValue" json:"doubleValue,omitempty"`
-	Pointvalue           *PropertyValue_PointValue     `protobuf:"group,5,opt,name=PointValue,json=pointvalue" json:"pointvalue,omitempty"`
-	Uservalue            *PropertyValue_UserValue      `protobuf:"group,8,opt,name=UserValue,json=uservalue" json:"uservalue,omitempty"`
-	Referencevalue       *PropertyValue_ReferenceValue `protobuf:"group,12,opt,name=ReferenceValue,json=referencevalue" json:"referencevalue,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                      `json:"-"`
-	XXX_unrecognized     []byte                        `json:"-"`
-	XXX_sizecache        int32                         `json:"-"`
-}
-
-func (m *PropertyValue) Reset()         { *m = PropertyValue{} }
-func (m *PropertyValue) String() string { return proto.CompactTextString(m) }
-func (*PropertyValue) ProtoMessage()    {}
-func (*PropertyValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{1}
-}
-func (m *PropertyValue) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_PropertyValue.Unmarshal(m, b)
-}
-func (m *PropertyValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_PropertyValue.Marshal(b, m, deterministic)
-}
-func (dst *PropertyValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PropertyValue.Merge(dst, src)
-}
-func (m *PropertyValue) XXX_Size() int {
-	return xxx_messageInfo_PropertyValue.Size(m)
-}
-func (m *PropertyValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_PropertyValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PropertyValue proto.InternalMessageInfo
-
-func (m *PropertyValue) GetInt64Value() int64 {
-	if m != nil && m.Int64Value != nil {
-		return *m.Int64Value
-	}
-	return 0
-}
-
-func (m *PropertyValue) GetBooleanValue() bool {
-	if m != nil && m.BooleanValue != nil {
-		return *m.BooleanValue
-	}
-	return false
-}
-
-func (m *PropertyValue) GetStringValue() string {
-	if m != nil && m.StringValue != nil {
-		return *m.StringValue
-	}
-	return ""
-}
-
-func (m *PropertyValue) GetDoubleValue() float64 {
-	if m != nil && m.DoubleValue != nil {
-		return *m.DoubleValue
-	}
-	return 0
-}
-
-func (m *PropertyValue) GetPointvalue() *PropertyValue_PointValue {
-	if m != nil {
-		return m.Pointvalue
-	}
-	return nil
-}
-
-func (m *PropertyValue) GetUservalue() *PropertyValue_UserValue {
-	if m != nil {
-		return m.Uservalue
-	}
-	return nil
-}
-
-func (m *PropertyValue) GetReferencevalue() *PropertyValue_ReferenceValue {
-	if m != nil {
-		return m.Referencevalue
-	}
-	return nil
-}
-
-type PropertyValue_PointValue struct {
-	X                    *float64 `protobuf:"fixed64,6,req,name=x" json:"x,omitempty"`
-	Y                    *float64 `protobuf:"fixed64,7,req,name=y" json:"y,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *PropertyValue_PointValue) Reset()         { *m = PropertyValue_PointValue{} }
-func (m *PropertyValue_PointValue) String() string { return proto.CompactTextString(m) }
-func (*PropertyValue_PointValue) ProtoMessage()    {}
-func (*PropertyValue_PointValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{1, 0}
-}
-func (m *PropertyValue_PointValue) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_PropertyValue_PointValue.Unmarshal(m, b)
-}
-func (m *PropertyValue_PointValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_PropertyValue_PointValue.Marshal(b, m, deterministic)
-}
-func (dst *PropertyValue_PointValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PropertyValue_PointValue.Merge(dst, src)
-}
-func (m *PropertyValue_PointValue) XXX_Size() int {
-	return xxx_messageInfo_PropertyValue_PointValue.Size(m)
-}
-func (m *PropertyValue_PointValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_PropertyValue_PointValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PropertyValue_PointValue proto.InternalMessageInfo
-
-func (m *PropertyValue_PointValue) GetX() float64 {
-	if m != nil && m.X != nil {
-		return *m.X
-	}
-	return 0
-}
-
-func (m *PropertyValue_PointValue) GetY() float64 {
-	if m != nil && m.Y != nil {
-		return *m.Y
-	}
-	return 0
-}
-
-type PropertyValue_UserValue struct {
-	Email                *string  `protobuf:"bytes,9,req,name=email" json:"email,omitempty"`
-	AuthDomain           *string  `protobuf:"bytes,10,req,name=auth_domain,json=authDomain" json:"auth_domain,omitempty"`
-	Nickname             *string  `protobuf:"bytes,11,opt,name=nickname" json:"nickname,omitempty"`
-	FederatedIdentity    *string  `protobuf:"bytes,21,opt,name=federated_identity,json=federatedIdentity" json:"federated_identity,omitempty"`
-	FederatedProvider    *string  `protobuf:"bytes,22,opt,name=federated_provider,json=federatedProvider" json:"federated_provider,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *PropertyValue_UserValue) Reset()         { *m = PropertyValue_UserValue{} }
-func (m *PropertyValue_UserValue) String() string { return proto.CompactTextString(m) }
-func (*PropertyValue_UserValue) ProtoMessage()    {}
-func (*PropertyValue_UserValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{1, 1}
-}
-func (m *PropertyValue_UserValue) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_PropertyValue_UserValue.Unmarshal(m, b)
-}
-func (m *PropertyValue_UserValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_PropertyValue_UserValue.Marshal(b, m, deterministic)
-}
-func (dst *PropertyValue_UserValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PropertyValue_UserValue.Merge(dst, src)
-}
-func (m *PropertyValue_UserValue) XXX_Size() int {
-	return xxx_messageInfo_PropertyValue_UserValue.Size(m)
-}
-func (m *PropertyValue_UserValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_PropertyValue_UserValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PropertyValue_UserValue proto.InternalMessageInfo
-
-func (m *PropertyValue_UserValue) GetEmail() string {
-	if m != nil && m.Email != nil {
-		return *m.Email
-	}
-	return ""
-}
-
-func (m *PropertyValue_UserValue) GetAuthDomain() string {
-	if m != nil && m.AuthDomain != nil {
-		return *m.AuthDomain
-	}
-	return ""
-}
-
-func (m *PropertyValue_UserValue) GetNickname() string {
-	if m != nil && m.Nickname != nil {
-		return *m.Nickname
-	}
-	return ""
-}
-
-func (m *PropertyValue_UserValue) GetFederatedIdentity() string {
-	if m != nil && m.FederatedIdentity != nil {
-		return *m.FederatedIdentity
-	}
-	return ""
-}
-
-func (m *PropertyValue_UserValue) GetFederatedProvider() string {
-	if m != nil && m.FederatedProvider != nil {
-		return *m.FederatedProvider
-	}
-	return ""
-}
-
-type PropertyValue_ReferenceValue struct {
-	App                  *string                                     `protobuf:"bytes,13,req,name=app" json:"app,omitempty"`
-	NameSpace            *string                                     `protobuf:"bytes,20,opt,name=name_space,json=nameSpace" json:"name_space,omitempty"`
-	Pathelement          []*PropertyValue_ReferenceValue_PathElement `protobuf:"group,14,rep,name=PathElement,json=pathelement" json:"pathelement,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                                    `json:"-"`
-	XXX_unrecognized     []byte                                      `json:"-"`
-	XXX_sizecache        int32                                       `json:"-"`
-}
-
-func (m *PropertyValue_ReferenceValue) Reset()         { *m = PropertyValue_ReferenceValue{} }
-func (m *PropertyValue_ReferenceValue) String() string { return proto.CompactTextString(m) }
-func (*PropertyValue_ReferenceValue) ProtoMessage()    {}
-func (*PropertyValue_ReferenceValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{1, 2}
-}
-func (m *PropertyValue_ReferenceValue) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_PropertyValue_ReferenceValue.Unmarshal(m, b)
-}
-func (m *PropertyValue_ReferenceValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_PropertyValue_ReferenceValue.Marshal(b, m, deterministic)
-}
-func (dst *PropertyValue_ReferenceValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PropertyValue_ReferenceValue.Merge(dst, src)
-}
-func (m *PropertyValue_ReferenceValue) XXX_Size() int {
-	return xxx_messageInfo_PropertyValue_ReferenceValue.Size(m)
-}
-func (m *PropertyValue_ReferenceValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_PropertyValue_ReferenceValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PropertyValue_ReferenceValue proto.InternalMessageInfo
-
-func (m *PropertyValue_ReferenceValue) GetApp() string {
-	if m != nil && m.App != nil {
-		return *m.App
-	}
-	return ""
-}
-
-func (m *PropertyValue_ReferenceValue) GetNameSpace() string {
-	if m != nil && m.NameSpace != nil {
-		return *m.NameSpace
-	}
-	return ""
-}
-
-func (m *PropertyValue_ReferenceValue) GetPathelement() []*PropertyValue_ReferenceValue_PathElement {
-	if m != nil {
-		return m.Pathelement
-	}
-	return nil
-}
-
-type PropertyValue_ReferenceValue_PathElement struct {
-	Type                 *string  `protobuf:"bytes,15,req,name=type" json:"type,omitempty"`
-	Id                   *int64   `protobuf:"varint,16,opt,name=id" json:"id,omitempty"`
-	Name                 *string  `protobuf:"bytes,17,opt,name=name" json:"name,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *PropertyValue_ReferenceValue_PathElement) Reset() {
-	*m = PropertyValue_ReferenceValue_PathElement{}
-}
-func (m *PropertyValue_ReferenceValue_PathElement) String() string { return proto.CompactTextString(m) }
-func (*PropertyValue_ReferenceValue_PathElement) ProtoMessage()    {}
-func (*PropertyValue_ReferenceValue_PathElement) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{1, 2, 0}
-}
-func (m *PropertyValue_ReferenceValue_PathElement) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_PropertyValue_ReferenceValue_PathElement.Unmarshal(m, b)
-}
-func (m *PropertyValue_ReferenceValue_PathElement) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_PropertyValue_ReferenceValue_PathElement.Marshal(b, m, deterministic)
-}
-func (dst *PropertyValue_ReferenceValue_PathElement) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PropertyValue_ReferenceValue_PathElement.Merge(dst, src)
-}
-func (m *PropertyValue_ReferenceValue_PathElement) XXX_Size() int {
-	return xxx_messageInfo_PropertyValue_ReferenceValue_PathElement.Size(m)
-}
-func (m *PropertyValue_ReferenceValue_PathElement) XXX_DiscardUnknown() {
-	xxx_messageInfo_PropertyValue_ReferenceValue_PathElement.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PropertyValue_ReferenceValue_PathElement proto.InternalMessageInfo
-
-func (m *PropertyValue_ReferenceValue_PathElement) GetType() string {
-	if m != nil && m.Type != nil {
-		return *m.Type
-	}
-	return ""
-}
-
-func (m *PropertyValue_ReferenceValue_PathElement) GetId() int64 {
-	if m != nil && m.Id != nil {
-		return *m.Id
-	}
-	return 0
-}
-
-func (m *PropertyValue_ReferenceValue_PathElement) GetName() string {
-	if m != nil && m.Name != nil {
-		return *m.Name
-	}
-	return ""
-}
-
-type Property struct {
-	Meaning               *Property_Meaning               `protobuf:"varint,1,opt,name=meaning,enum=appengine.Property_Meaning,def=0" json:"meaning,omitempty"`
-	MeaningUri            *string                         `protobuf:"bytes,2,opt,name=meaning_uri,json=meaningUri" json:"meaning_uri,omitempty"`
-	Name                  *string                         `protobuf:"bytes,3,req,name=name" json:"name,omitempty"`
-	Value                 *PropertyValue                  `protobuf:"bytes,5,req,name=value" json:"value,omitempty"`
-	Multiple              *bool                           `protobuf:"varint,4,req,name=multiple" json:"multiple,omitempty"`
-	Searchable            *bool                           `protobuf:"varint,6,opt,name=searchable,def=0" json:"searchable,omitempty"`
-	FtsTokenizationOption *Property_FtsTokenizationOption `protobuf:"varint,8,opt,name=fts_tokenization_option,json=ftsTokenizationOption,enum=appengine.Property_FtsTokenizationOption" json:"fts_tokenization_option,omitempty"`
-	Locale                *string                         `protobuf:"bytes,9,opt,name=locale,def=en" json:"locale,omitempty"`
-	XXX_NoUnkeyedLiteral  struct{}                        `json:"-"`
-	XXX_unrecognized      []byte                          `json:"-"`
-	XXX_sizecache         int32                           `json:"-"`
-}
-
-func (m *Property) Reset()         { *m = Property{} }
-func (m *Property) String() string { return proto.CompactTextString(m) }
-func (*Property) ProtoMessage()    {}
-func (*Property) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{2}
-}
-func (m *Property) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Property.Unmarshal(m, b)
-}
-func (m *Property) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Property.Marshal(b, m, deterministic)
-}
-func (dst *Property) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Property.Merge(dst, src)
-}
-func (m *Property) XXX_Size() int {
-	return xxx_messageInfo_Property.Size(m)
-}
-func (m *Property) XXX_DiscardUnknown() {
-	xxx_messageInfo_Property.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Property proto.InternalMessageInfo
-
-const Default_Property_Meaning Property_Meaning = Property_NO_MEANING
-const Default_Property_Searchable bool = false
-const Default_Property_Locale string = "en"
-
-func (m *Property) GetMeaning() Property_Meaning {
-	if m != nil && m.Meaning != nil {
-		return *m.Meaning
-	}
-	return Default_Property_Meaning
-}
-
-func (m *Property) GetMeaningUri() string {
-	if m != nil && m.MeaningUri != nil {
-		return *m.MeaningUri
-	}
-	return ""
-}
-
-func (m *Property) GetName() string {
-	if m != nil && m.Name != nil {
-		return *m.Name
-	}
-	return ""
-}
-
-func (m *Property) GetValue() *PropertyValue {
-	if m != nil {
-		return m.Value
-	}
-	return nil
-}
-
-func (m *Property) GetMultiple() bool {
-	if m != nil && m.Multiple != nil {
-		return *m.Multiple
-	}
-	return false
-}
-
-func (m *Property) GetSearchable() bool {
-	if m != nil && m.Searchable != nil {
-		return *m.Searchable
-	}
-	return Default_Property_Searchable
-}
-
-func (m *Property) GetFtsTokenizationOption() Property_FtsTokenizationOption {
-	if m != nil && m.FtsTokenizationOption != nil {
-		return *m.FtsTokenizationOption
-	}
-	return Property_HTML
-}
-
-func (m *Property) GetLocale() string {
-	if m != nil && m.Locale != nil {
-		return *m.Locale
-	}
-	return Default_Property_Locale
-}
-
-type Path struct {
-	Element              []*Path_Element `protobuf:"group,1,rep,name=Element,json=element" json:"element,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
-	XXX_unrecognized     []byte          `json:"-"`
-	XXX_sizecache        int32           `json:"-"`
-}
-
-func (m *Path) Reset()         { *m = Path{} }
-func (m *Path) String() string { return proto.CompactTextString(m) }
-func (*Path) ProtoMessage()    {}
-func (*Path) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{3}
-}
-func (m *Path) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Path.Unmarshal(m, b)
-}
-func (m *Path) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Path.Marshal(b, m, deterministic)
-}
-func (dst *Path) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Path.Merge(dst, src)
-}
-func (m *Path) XXX_Size() int {
-	return xxx_messageInfo_Path.Size(m)
-}
-func (m *Path) XXX_DiscardUnknown() {
-	xxx_messageInfo_Path.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Path proto.InternalMessageInfo
-
-func (m *Path) GetElement() []*Path_Element {
-	if m != nil {
-		return m.Element
-	}
-	return nil
-}
-
-type Path_Element struct {
-	Type                 *string  `protobuf:"bytes,2,req,name=type" json:"type,omitempty"`
-	Id                   *int64   `protobuf:"varint,3,opt,name=id" json:"id,omitempty"`
-	Name                 *string  `protobuf:"bytes,4,opt,name=name" json:"name,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Path_Element) Reset()         { *m = Path_Element{} }
-func (m *Path_Element) String() string { return proto.CompactTextString(m) }
-func (*Path_Element) ProtoMessage()    {}
-func (*Path_Element) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{3, 0}
-}
-func (m *Path_Element) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Path_Element.Unmarshal(m, b)
-}
-func (m *Path_Element) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Path_Element.Marshal(b, m, deterministic)
-}
-func (dst *Path_Element) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Path_Element.Merge(dst, src)
-}
-func (m *Path_Element) XXX_Size() int {
-	return xxx_messageInfo_Path_Element.Size(m)
-}
-func (m *Path_Element) XXX_DiscardUnknown() {
-	xxx_messageInfo_Path_Element.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Path_Element proto.InternalMessageInfo
-
-func (m *Path_Element) GetType() string {
-	if m != nil && m.Type != nil {
-		return *m.Type
-	}
-	return ""
-}
-
-func (m *Path_Element) GetId() int64 {
-	if m != nil && m.Id != nil {
-		return *m.Id
-	}
-	return 0
-}
-
-func (m *Path_Element) GetName() string {
-	if m != nil && m.Name != nil {
-		return *m.Name
-	}
-	return ""
-}
-
-type Reference struct {
-	App                  *string  `protobuf:"bytes,13,req,name=app" json:"app,omitempty"`
-	NameSpace            *string  `protobuf:"bytes,20,opt,name=name_space,json=nameSpace" json:"name_space,omitempty"`
-	Path                 *Path    `protobuf:"bytes,14,req,name=path" json:"path,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Reference) Reset()         { *m = Reference{} }
-func (m *Reference) String() string { return proto.CompactTextString(m) }
-func (*Reference) ProtoMessage()    {}
-func (*Reference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{4}
-}
-func (m *Reference) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Reference.Unmarshal(m, b)
-}
-func (m *Reference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Reference.Marshal(b, m, deterministic)
-}
-func (dst *Reference) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Reference.Merge(dst, src)
-}
-func (m *Reference) XXX_Size() int {
-	return xxx_messageInfo_Reference.Size(m)
-}
-func (m *Reference) XXX_DiscardUnknown() {
-	xxx_messageInfo_Reference.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Reference proto.InternalMessageInfo
-
-func (m *Reference) GetApp() string {
-	if m != nil && m.App != nil {
-		return *m.App
-	}
-	return ""
-}
-
-func (m *Reference) GetNameSpace() string {
-	if m != nil && m.NameSpace != nil {
-		return *m.NameSpace
-	}
-	return ""
-}
-
-func (m *Reference) GetPath() *Path {
-	if m != nil {
-		return m.Path
-	}
-	return nil
-}
-
-type User struct {
-	Email                *string  `protobuf:"bytes,1,req,name=email" json:"email,omitempty"`
-	AuthDomain           *string  `protobuf:"bytes,2,req,name=auth_domain,json=authDomain" json:"auth_domain,omitempty"`
-	Nickname             *string  `protobuf:"bytes,3,opt,name=nickname" json:"nickname,omitempty"`
-	FederatedIdentity    *string  `protobuf:"bytes,6,opt,name=federated_identity,json=federatedIdentity" json:"federated_identity,omitempty"`
-	FederatedProvider    *string  `protobuf:"bytes,7,opt,name=federated_provider,json=federatedProvider" json:"federated_provider,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *User) Reset()         { *m = User{} }
-func (m *User) String() string { return proto.CompactTextString(m) }
-func (*User) ProtoMessage()    {}
-func (*User) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{5}
-}
-func (m *User) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_User.Unmarshal(m, b)
-}
-func (m *User) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_User.Marshal(b, m, deterministic)
-}
-func (dst *User) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_User.Merge(dst, src)
-}
-func (m *User) XXX_Size() int {
-	return xxx_messageInfo_User.Size(m)
-}
-func (m *User) XXX_DiscardUnknown() {
-	xxx_messageInfo_User.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_User proto.InternalMessageInfo
-
-func (m *User) GetEmail() string {
-	if m != nil && m.Email != nil {
-		return *m.Email
-	}
-	return ""
-}
-
-func (m *User) GetAuthDomain() string {
-	if m != nil && m.AuthDomain != nil {
-		return *m.AuthDomain
-	}
-	return ""
-}
-
-func (m *User) GetNickname() string {
-	if m != nil && m.Nickname != nil {
-		return *m.Nickname
-	}
-	return ""
-}
-
-func (m *User) GetFederatedIdentity() string {
-	if m != nil && m.FederatedIdentity != nil {
-		return *m.FederatedIdentity
-	}
-	return ""
-}
-
-func (m *User) GetFederatedProvider() string {
-	if m != nil && m.FederatedProvider != nil {
-		return *m.FederatedProvider
-	}
-	return ""
-}
-
-type EntityProto struct {
-	Key                  *Reference        `protobuf:"bytes,13,req,name=key" json:"key,omitempty"`
-	EntityGroup          *Path             `protobuf:"bytes,16,req,name=entity_group,json=entityGroup" json:"entity_group,omitempty"`
-	Owner                *User             `protobuf:"bytes,17,opt,name=owner" json:"owner,omitempty"`
-	Kind                 *EntityProto_Kind `protobuf:"varint,4,opt,name=kind,enum=appengine.EntityProto_Kind" json:"kind,omitempty"`
-	KindUri              *string           `protobuf:"bytes,5,opt,name=kind_uri,json=kindUri" json:"kind_uri,omitempty"`
-	Property             []*Property       `protobuf:"bytes,14,rep,name=property" json:"property,omitempty"`
-	RawProperty          []*Property       `protobuf:"bytes,15,rep,name=raw_property,json=rawProperty" json:"raw_property,omitempty"`
-	Rank                 *int32            `protobuf:"varint,18,opt,name=rank" json:"rank,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *EntityProto) Reset()         { *m = EntityProto{} }
-func (m *EntityProto) String() string { return proto.CompactTextString(m) }
-func (*EntityProto) ProtoMessage()    {}
-func (*EntityProto) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{6}
-}
-func (m *EntityProto) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_EntityProto.Unmarshal(m, b)
-}
-func (m *EntityProto) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_EntityProto.Marshal(b, m, deterministic)
-}
-func (dst *EntityProto) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_EntityProto.Merge(dst, src)
-}
-func (m *EntityProto) XXX_Size() int {
-	return xxx_messageInfo_EntityProto.Size(m)
-}
-func (m *EntityProto) XXX_DiscardUnknown() {
-	xxx_messageInfo_EntityProto.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_EntityProto proto.InternalMessageInfo
-
-func (m *EntityProto) GetKey() *Reference {
-	if m != nil {
-		return m.Key
-	}
-	return nil
-}
-
-func (m *EntityProto) GetEntityGroup() *Path {
-	if m != nil {
-		return m.EntityGroup
-	}
-	return nil
-}
-
-func (m *EntityProto) GetOwner() *User {
-	if m != nil {
-		return m.Owner
-	}
-	return nil
-}
-
-func (m *EntityProto) GetKind() EntityProto_Kind {
-	if m != nil && m.Kind != nil {
-		return *m.Kind
-	}
-	return EntityProto_GD_CONTACT
-}
-
-func (m *EntityProto) GetKindUri() string {
-	if m != nil && m.KindUri != nil {
-		return *m.KindUri
-	}
-	return ""
-}
-
-func (m *EntityProto) GetProperty() []*Property {
-	if m != nil {
-		return m.Property
-	}
-	return nil
-}
-
-func (m *EntityProto) GetRawProperty() []*Property {
-	if m != nil {
-		return m.RawProperty
-	}
-	return nil
-}
-
-func (m *EntityProto) GetRank() int32 {
-	if m != nil && m.Rank != nil {
-		return *m.Rank
-	}
-	return 0
-}
-
-type CompositeProperty struct {
-	IndexId              *int64   `protobuf:"varint,1,req,name=index_id,json=indexId" json:"index_id,omitempty"`
-	Value                []string `protobuf:"bytes,2,rep,name=value" json:"value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *CompositeProperty) Reset()         { *m = CompositeProperty{} }
-func (m *CompositeProperty) String() string { return proto.CompactTextString(m) }
-func (*CompositeProperty) ProtoMessage()    {}
-func (*CompositeProperty) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{7}
-}
-func (m *CompositeProperty) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompositeProperty.Unmarshal(m, b)
-}
-func (m *CompositeProperty) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompositeProperty.Marshal(b, m, deterministic)
-}
-func (dst *CompositeProperty) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompositeProperty.Merge(dst, src)
-}
-func (m *CompositeProperty) XXX_Size() int {
-	return xxx_messageInfo_CompositeProperty.Size(m)
-}
-func (m *CompositeProperty) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompositeProperty.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompositeProperty proto.InternalMessageInfo
-
-func (m *CompositeProperty) GetIndexId() int64 {
-	if m != nil && m.IndexId != nil {
-		return *m.IndexId
-	}
-	return 0
-}
-
-func (m *CompositeProperty) GetValue() []string {
-	if m != nil {
-		return m.Value
-	}
-	return nil
-}
-
-type Index struct {
-	EntityType           *string           `protobuf:"bytes,1,req,name=entity_type,json=entityType" json:"entity_type,omitempty"`
-	Ancestor             *bool             `protobuf:"varint,5,req,name=ancestor" json:"ancestor,omitempty"`
-	Property             []*Index_Property `protobuf:"group,2,rep,name=Property,json=property" json:"property,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *Index) Reset()         { *m = Index{} }
-func (m *Index) String() string { return proto.CompactTextString(m) }
-func (*Index) ProtoMessage()    {}
-func (*Index) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{8}
-}
-func (m *Index) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Index.Unmarshal(m, b)
-}
-func (m *Index) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Index.Marshal(b, m, deterministic)
-}
-func (dst *Index) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Index.Merge(dst, src)
-}
-func (m *Index) XXX_Size() int {
-	return xxx_messageInfo_Index.Size(m)
-}
-func (m *Index) XXX_DiscardUnknown() {
-	xxx_messageInfo_Index.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Index proto.InternalMessageInfo
-
-func (m *Index) GetEntityType() string {
-	if m != nil && m.EntityType != nil {
-		return *m.EntityType
-	}
-	return ""
-}
-
-func (m *Index) GetAncestor() bool {
-	if m != nil && m.Ancestor != nil {
-		return *m.Ancestor
-	}
-	return false
-}
-
-func (m *Index) GetProperty() []*Index_Property {
-	if m != nil {
-		return m.Property
-	}
-	return nil
-}
-
-type Index_Property struct {
-	Name                 *string                   `protobuf:"bytes,3,req,name=name" json:"name,omitempty"`
-	Direction            *Index_Property_Direction `protobuf:"varint,4,opt,name=direction,enum=appengine.Index_Property_Direction,def=1" json:"direction,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                  `json:"-"`
-	XXX_unrecognized     []byte                    `json:"-"`
-	XXX_sizecache        int32                     `json:"-"`
-}
-
-func (m *Index_Property) Reset()         { *m = Index_Property{} }
-func (m *Index_Property) String() string { return proto.CompactTextString(m) }
-func (*Index_Property) ProtoMessage()    {}
-func (*Index_Property) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{8, 0}
-}
-func (m *Index_Property) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Index_Property.Unmarshal(m, b)
-}
-func (m *Index_Property) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Index_Property.Marshal(b, m, deterministic)
-}
-func (dst *Index_Property) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Index_Property.Merge(dst, src)
-}
-func (m *Index_Property) XXX_Size() int {
-	return xxx_messageInfo_Index_Property.Size(m)
-}
-func (m *Index_Property) XXX_DiscardUnknown() {
-	xxx_messageInfo_Index_Property.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Index_Property proto.InternalMessageInfo
-
-const Default_Index_Property_Direction Index_Property_Direction = Index_Property_ASCENDING
-
-func (m *Index_Property) GetName() string {
-	if m != nil && m.Name != nil {
-		return *m.Name
-	}
-	return ""
-}
-
-func (m *Index_Property) GetDirection() Index_Property_Direction {
-	if m != nil && m.Direction != nil {
-		return *m.Direction
-	}
-	return Default_Index_Property_Direction
-}
-
-type CompositeIndex struct {
-	AppId                *string               `protobuf:"bytes,1,req,name=app_id,json=appId" json:"app_id,omitempty"`
-	Id                   *int64                `protobuf:"varint,2,req,name=id" json:"id,omitempty"`
-	Definition           *Index                `protobuf:"bytes,3,req,name=definition" json:"definition,omitempty"`
-	State                *CompositeIndex_State `protobuf:"varint,4,req,name=state,enum=appengine.CompositeIndex_State" json:"state,omitempty"`
-	OnlyUseIfRequired    *bool                 `protobuf:"varint,6,opt,name=only_use_if_required,json=onlyUseIfRequired,def=0" json:"only_use_if_required,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}              `json:"-"`
-	XXX_unrecognized     []byte                `json:"-"`
-	XXX_sizecache        int32                 `json:"-"`
-}
-
-func (m *CompositeIndex) Reset()         { *m = CompositeIndex{} }
-func (m *CompositeIndex) String() string { return proto.CompactTextString(m) }
-func (*CompositeIndex) ProtoMessage()    {}
-func (*CompositeIndex) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{9}
-}
-func (m *CompositeIndex) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompositeIndex.Unmarshal(m, b)
-}
-func (m *CompositeIndex) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompositeIndex.Marshal(b, m, deterministic)
-}
-func (dst *CompositeIndex) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompositeIndex.Merge(dst, src)
-}
-func (m *CompositeIndex) XXX_Size() int {
-	return xxx_messageInfo_CompositeIndex.Size(m)
-}
-func (m *CompositeIndex) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompositeIndex.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompositeIndex proto.InternalMessageInfo
-
-const Default_CompositeIndex_OnlyUseIfRequired bool = false
-
-func (m *CompositeIndex) GetAppId() string {
-	if m != nil && m.AppId != nil {
-		return *m.AppId
-	}
-	return ""
-}
-
-func (m *CompositeIndex) GetId() int64 {
-	if m != nil && m.Id != nil {
-		return *m.Id
-	}
-	return 0
-}
-
-func (m *CompositeIndex) GetDefinition() *Index {
-	if m != nil {
-		return m.Definition
-	}
-	return nil
-}
-
-func (m *CompositeIndex) GetState() CompositeIndex_State {
-	if m != nil && m.State != nil {
-		return *m.State
-	}
-	return CompositeIndex_WRITE_ONLY
-}
-
-func (m *CompositeIndex) GetOnlyUseIfRequired() bool {
-	if m != nil && m.OnlyUseIfRequired != nil {
-		return *m.OnlyUseIfRequired
-	}
-	return Default_CompositeIndex_OnlyUseIfRequired
-}
-
-type IndexPostfix struct {
-	IndexValue           []*IndexPostfix_IndexValue `protobuf:"bytes,1,rep,name=index_value,json=indexValue" json:"index_value,omitempty"`
-	Key                  *Reference                 `protobuf:"bytes,2,opt,name=key" json:"key,omitempty"`
-	Before               *bool                      `protobuf:"varint,3,opt,name=before,def=1" json:"before,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                   `json:"-"`
-	XXX_unrecognized     []byte                     `json:"-"`
-	XXX_sizecache        int32                      `json:"-"`
-}
-
-func (m *IndexPostfix) Reset()         { *m = IndexPostfix{} }
-func (m *IndexPostfix) String() string { return proto.CompactTextString(m) }
-func (*IndexPostfix) ProtoMessage()    {}
-func (*IndexPostfix) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{10}
-}
-func (m *IndexPostfix) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_IndexPostfix.Unmarshal(m, b)
-}
-func (m *IndexPostfix) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_IndexPostfix.Marshal(b, m, deterministic)
-}
-func (dst *IndexPostfix) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IndexPostfix.Merge(dst, src)
-}
-func (m *IndexPostfix) XXX_Size() int {
-	return xxx_messageInfo_IndexPostfix.Size(m)
-}
-func (m *IndexPostfix) XXX_DiscardUnknown() {
-	xxx_messageInfo_IndexPostfix.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IndexPostfix proto.InternalMessageInfo
-
-const Default_IndexPostfix_Before bool = true
-
-func (m *IndexPostfix) GetIndexValue() []*IndexPostfix_IndexValue {
-	if m != nil {
-		return m.IndexValue
-	}
-	return nil
-}
-
-func (m *IndexPostfix) GetKey() *Reference {
-	if m != nil {
-		return m.Key
-	}
-	return nil
-}
-
-func (m *IndexPostfix) GetBefore() bool {
-	if m != nil && m.Before != nil {
-		return *m.Before
-	}
-	return Default_IndexPostfix_Before
-}
-
-type IndexPostfix_IndexValue struct {
-	PropertyName         *string        `protobuf:"bytes,1,req,name=property_name,json=propertyName" json:"property_name,omitempty"`
-	Value                *PropertyValue `protobuf:"bytes,2,req,name=value" json:"value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}       `json:"-"`
-	XXX_unrecognized     []byte         `json:"-"`
-	XXX_sizecache        int32          `json:"-"`
-}
-
-func (m *IndexPostfix_IndexValue) Reset()         { *m = IndexPostfix_IndexValue{} }
-func (m *IndexPostfix_IndexValue) String() string { return proto.CompactTextString(m) }
-func (*IndexPostfix_IndexValue) ProtoMessage()    {}
-func (*IndexPostfix_IndexValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{10, 0}
-}
-func (m *IndexPostfix_IndexValue) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_IndexPostfix_IndexValue.Unmarshal(m, b)
-}
-func (m *IndexPostfix_IndexValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_IndexPostfix_IndexValue.Marshal(b, m, deterministic)
-}
-func (dst *IndexPostfix_IndexValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IndexPostfix_IndexValue.Merge(dst, src)
-}
-func (m *IndexPostfix_IndexValue) XXX_Size() int {
-	return xxx_messageInfo_IndexPostfix_IndexValue.Size(m)
-}
-func (m *IndexPostfix_IndexValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_IndexPostfix_IndexValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IndexPostfix_IndexValue proto.InternalMessageInfo
-
-func (m *IndexPostfix_IndexValue) GetPropertyName() string {
-	if m != nil && m.PropertyName != nil {
-		return *m.PropertyName
-	}
-	return ""
-}
-
-func (m *IndexPostfix_IndexValue) GetValue() *PropertyValue {
-	if m != nil {
-		return m.Value
-	}
-	return nil
-}
-
-type IndexPosition struct {
-	Key                  *string  `protobuf:"bytes,1,opt,name=key" json:"key,omitempty"`
-	Before               *bool    `protobuf:"varint,2,opt,name=before,def=1" json:"before,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *IndexPosition) Reset()         { *m = IndexPosition{} }
-func (m *IndexPosition) String() string { return proto.CompactTextString(m) }
-func (*IndexPosition) ProtoMessage()    {}
-func (*IndexPosition) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{11}
-}
-func (m *IndexPosition) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_IndexPosition.Unmarshal(m, b)
-}
-func (m *IndexPosition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_IndexPosition.Marshal(b, m, deterministic)
-}
-func (dst *IndexPosition) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_IndexPosition.Merge(dst, src)
-}
-func (m *IndexPosition) XXX_Size() int {
-	return xxx_messageInfo_IndexPosition.Size(m)
-}
-func (m *IndexPosition) XXX_DiscardUnknown() {
-	xxx_messageInfo_IndexPosition.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_IndexPosition proto.InternalMessageInfo
-
-const Default_IndexPosition_Before bool = true
-
-func (m *IndexPosition) GetKey() string {
-	if m != nil && m.Key != nil {
-		return *m.Key
-	}
-	return ""
-}
-
-func (m *IndexPosition) GetBefore() bool {
-	if m != nil && m.Before != nil {
-		return *m.Before
-	}
-	return Default_IndexPosition_Before
-}
-
-type Snapshot struct {
-	Ts                   *int64   `protobuf:"varint,1,req,name=ts" json:"ts,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Snapshot) Reset()         { *m = Snapshot{} }
-func (m *Snapshot) String() string { return proto.CompactTextString(m) }
-func (*Snapshot) ProtoMessage()    {}
-func (*Snapshot) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{12}
-}
-func (m *Snapshot) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Snapshot.Unmarshal(m, b)
-}
-func (m *Snapshot) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Snapshot.Marshal(b, m, deterministic)
-}
-func (dst *Snapshot) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Snapshot.Merge(dst, src)
-}
-func (m *Snapshot) XXX_Size() int {
-	return xxx_messageInfo_Snapshot.Size(m)
-}
-func (m *Snapshot) XXX_DiscardUnknown() {
-	xxx_messageInfo_Snapshot.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Snapshot proto.InternalMessageInfo
-
-func (m *Snapshot) GetTs() int64 {
-	if m != nil && m.Ts != nil {
-		return *m.Ts
-	}
-	return 0
-}
-
-type InternalHeader struct {
-	Qos                  *string  `protobuf:"bytes,1,opt,name=qos" json:"qos,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *InternalHeader) Reset()         { *m = InternalHeader{} }
-func (m *InternalHeader) String() string { return proto.CompactTextString(m) }
-func (*InternalHeader) ProtoMessage()    {}
-func (*InternalHeader) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{13}
-}
-func (m *InternalHeader) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_InternalHeader.Unmarshal(m, b)
-}
-func (m *InternalHeader) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_InternalHeader.Marshal(b, m, deterministic)
-}
-func (dst *InternalHeader) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_InternalHeader.Merge(dst, src)
-}
-func (m *InternalHeader) XXX_Size() int {
-	return xxx_messageInfo_InternalHeader.Size(m)
-}
-func (m *InternalHeader) XXX_DiscardUnknown() {
-	xxx_messageInfo_InternalHeader.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_InternalHeader proto.InternalMessageInfo
-
-func (m *InternalHeader) GetQos() string {
-	if m != nil && m.Qos != nil {
-		return *m.Qos
-	}
-	return ""
-}
-
-type Transaction struct {
-	Header               *InternalHeader `protobuf:"bytes,4,opt,name=header" json:"header,omitempty"`
-	Handle               *uint64         `protobuf:"fixed64,1,req,name=handle" json:"handle,omitempty"`
-	App                  *string         `protobuf:"bytes,2,req,name=app" json:"app,omitempty"`
-	MarkChanges          *bool           `protobuf:"varint,3,opt,name=mark_changes,json=markChanges,def=0" json:"mark_changes,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
-	XXX_unrecognized     []byte          `json:"-"`
-	XXX_sizecache        int32           `json:"-"`
-}
-
-func (m *Transaction) Reset()         { *m = Transaction{} }
-func (m *Transaction) String() string { return proto.CompactTextString(m) }
-func (*Transaction) ProtoMessage()    {}
-func (*Transaction) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{14}
-}
-func (m *Transaction) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Transaction.Unmarshal(m, b)
-}
-func (m *Transaction) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Transaction.Marshal(b, m, deterministic)
-}
-func (dst *Transaction) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Transaction.Merge(dst, src)
-}
-func (m *Transaction) XXX_Size() int {
-	return xxx_messageInfo_Transaction.Size(m)
-}
-func (m *Transaction) XXX_DiscardUnknown() {
-	xxx_messageInfo_Transaction.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Transaction proto.InternalMessageInfo
-
-const Default_Transaction_MarkChanges bool = false
-
-func (m *Transaction) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *Transaction) GetHandle() uint64 {
-	if m != nil && m.Handle != nil {
-		return *m.Handle
-	}
-	return 0
-}
-
-func (m *Transaction) GetApp() string {
-	if m != nil && m.App != nil {
-		return *m.App
-	}
-	return ""
-}
-
-func (m *Transaction) GetMarkChanges() bool {
-	if m != nil && m.MarkChanges != nil {
-		return *m.MarkChanges
-	}
-	return Default_Transaction_MarkChanges
-}
-
-type Query struct {
-	Header               *InternalHeader   `protobuf:"bytes,39,opt,name=header" json:"header,omitempty"`
-	App                  *string           `protobuf:"bytes,1,req,name=app" json:"app,omitempty"`
-	NameSpace            *string           `protobuf:"bytes,29,opt,name=name_space,json=nameSpace" json:"name_space,omitempty"`
-	Kind                 *string           `protobuf:"bytes,3,opt,name=kind" json:"kind,omitempty"`
-	Ancestor             *Reference        `protobuf:"bytes,17,opt,name=ancestor" json:"ancestor,omitempty"`
-	Filter               []*Query_Filter   `protobuf:"group,4,rep,name=Filter,json=filter" json:"filter,omitempty"`
-	SearchQuery          *string           `protobuf:"bytes,8,opt,name=search_query,json=searchQuery" json:"search_query,omitempty"`
-	Order                []*Query_Order    `protobuf:"group,9,rep,name=Order,json=order" json:"order,omitempty"`
-	Hint                 *Query_Hint       `protobuf:"varint,18,opt,name=hint,enum=appengine.Query_Hint" json:"hint,omitempty"`
-	Count                *int32            `protobuf:"varint,23,opt,name=count" json:"count,omitempty"`
-	Offset               *int32            `protobuf:"varint,12,opt,name=offset,def=0" json:"offset,omitempty"`
-	Limit                *int32            `protobuf:"varint,16,opt,name=limit" json:"limit,omitempty"`
-	CompiledCursor       *CompiledCursor   `protobuf:"bytes,30,opt,name=compiled_cursor,json=compiledCursor" json:"compiled_cursor,omitempty"`
-	EndCompiledCursor    *CompiledCursor   `protobuf:"bytes,31,opt,name=end_compiled_cursor,json=endCompiledCursor" json:"end_compiled_cursor,omitempty"`
-	CompositeIndex       []*CompositeIndex `protobuf:"bytes,19,rep,name=composite_index,json=compositeIndex" json:"composite_index,omitempty"`
-	RequirePerfectPlan   *bool             `protobuf:"varint,20,opt,name=require_perfect_plan,json=requirePerfectPlan,def=0" json:"require_perfect_plan,omitempty"`
-	KeysOnly             *bool             `protobuf:"varint,21,opt,name=keys_only,json=keysOnly,def=0" json:"keys_only,omitempty"`
-	Transaction          *Transaction      `protobuf:"bytes,22,opt,name=transaction" json:"transaction,omitempty"`
-	Compile              *bool             `protobuf:"varint,25,opt,name=compile,def=0" json:"compile,omitempty"`
-	FailoverMs           *int64            `protobuf:"varint,26,opt,name=failover_ms,json=failoverMs" json:"failover_ms,omitempty"`
-	Strong               *bool             `protobuf:"varint,32,opt,name=strong" json:"strong,omitempty"`
-	PropertyName         []string          `protobuf:"bytes,33,rep,name=property_name,json=propertyName" json:"property_name,omitempty"`
-	GroupByPropertyName  []string          `protobuf:"bytes,34,rep,name=group_by_property_name,json=groupByPropertyName" json:"group_by_property_name,omitempty"`
-	Distinct             *bool             `protobuf:"varint,24,opt,name=distinct" json:"distinct,omitempty"`
-	MinSafeTimeSeconds   *int64            `protobuf:"varint,35,opt,name=min_safe_time_seconds,json=minSafeTimeSeconds" json:"min_safe_time_seconds,omitempty"`
-	SafeReplicaName      []string          `protobuf:"bytes,36,rep,name=safe_replica_name,json=safeReplicaName" json:"safe_replica_name,omitempty"`
-	PersistOffset        *bool             `protobuf:"varint,37,opt,name=persist_offset,json=persistOffset,def=0" json:"persist_offset,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *Query) Reset()         { *m = Query{} }
-func (m *Query) String() string { return proto.CompactTextString(m) }
-func (*Query) ProtoMessage()    {}
-func (*Query) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{15}
-}
-func (m *Query) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Query.Unmarshal(m, b)
-}
-func (m *Query) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Query.Marshal(b, m, deterministic)
-}
-func (dst *Query) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Query.Merge(dst, src)
-}
-func (m *Query) XXX_Size() int {
-	return xxx_messageInfo_Query.Size(m)
-}
-func (m *Query) XXX_DiscardUnknown() {
-	xxx_messageInfo_Query.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Query proto.InternalMessageInfo
-
-const Default_Query_Offset int32 = 0
-const Default_Query_RequirePerfectPlan bool = false
-const Default_Query_KeysOnly bool = false
-const Default_Query_Compile bool = false
-const Default_Query_PersistOffset bool = false
-
-func (m *Query) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *Query) GetApp() string {
-	if m != nil && m.App != nil {
-		return *m.App
-	}
-	return ""
-}
-
-func (m *Query) GetNameSpace() string {
-	if m != nil && m.NameSpace != nil {
-		return *m.NameSpace
-	}
-	return ""
-}
-
-func (m *Query) GetKind() string {
-	if m != nil && m.Kind != nil {
-		return *m.Kind
-	}
-	return ""
-}
-
-func (m *Query) GetAncestor() *Reference {
-	if m != nil {
-		return m.Ancestor
-	}
-	return nil
-}
-
-func (m *Query) GetFilter() []*Query_Filter {
-	if m != nil {
-		return m.Filter
-	}
-	return nil
-}
-
-func (m *Query) GetSearchQuery() string {
-	if m != nil && m.SearchQuery != nil {
-		return *m.SearchQuery
-	}
-	return ""
-}
-
-func (m *Query) GetOrder() []*Query_Order {
-	if m != nil {
-		return m.Order
-	}
-	return nil
-}
-
-func (m *Query) GetHint() Query_Hint {
-	if m != nil && m.Hint != nil {
-		return *m.Hint
-	}
-	return Query_ORDER_FIRST
-}
-
-func (m *Query) GetCount() int32 {
-	if m != nil && m.Count != nil {
-		return *m.Count
-	}
-	return 0
-}
-
-func (m *Query) GetOffset() int32 {
-	if m != nil && m.Offset != nil {
-		return *m.Offset
-	}
-	return Default_Query_Offset
-}
-
-func (m *Query) GetLimit() int32 {
-	if m != nil && m.Limit != nil {
-		return *m.Limit
-	}
-	return 0
-}
-
-func (m *Query) GetCompiledCursor() *CompiledCursor {
-	if m != nil {
-		return m.CompiledCursor
-	}
-	return nil
-}
-
-func (m *Query) GetEndCompiledCursor() *CompiledCursor {
-	if m != nil {
-		return m.EndCompiledCursor
-	}
-	return nil
-}
-
-func (m *Query) GetCompositeIndex() []*CompositeIndex {
-	if m != nil {
-		return m.CompositeIndex
-	}
-	return nil
-}
-
-func (m *Query) GetRequirePerfectPlan() bool {
-	if m != nil && m.RequirePerfectPlan != nil {
-		return *m.RequirePerfectPlan
-	}
-	return Default_Query_RequirePerfectPlan
-}
-
-func (m *Query) GetKeysOnly() bool {
-	if m != nil && m.KeysOnly != nil {
-		return *m.KeysOnly
-	}
-	return Default_Query_KeysOnly
-}
-
-func (m *Query) GetTransaction() *Transaction {
-	if m != nil {
-		return m.Transaction
-	}
-	return nil
-}
-
-func (m *Query) GetCompile() bool {
-	if m != nil && m.Compile != nil {
-		return *m.Compile
-	}
-	return Default_Query_Compile
-}
-
-func (m *Query) GetFailoverMs() int64 {
-	if m != nil && m.FailoverMs != nil {
-		return *m.FailoverMs
-	}
-	return 0
-}
-
-func (m *Query) GetStrong() bool {
-	if m != nil && m.Strong != nil {
-		return *m.Strong
-	}
-	return false
-}
-
-func (m *Query) GetPropertyName() []string {
-	if m != nil {
-		return m.PropertyName
-	}
-	return nil
-}
-
-func (m *Query) GetGroupByPropertyName() []string {
-	if m != nil {
-		return m.GroupByPropertyName
-	}
-	return nil
-}
-
-func (m *Query) GetDistinct() bool {
-	if m != nil && m.Distinct != nil {
-		return *m.Distinct
-	}
-	return false
-}
-
-func (m *Query) GetMinSafeTimeSeconds() int64 {
-	if m != nil && m.MinSafeTimeSeconds != nil {
-		return *m.MinSafeTimeSeconds
-	}
-	return 0
-}
-
-func (m *Query) GetSafeReplicaName() []string {
-	if m != nil {
-		return m.SafeReplicaName
-	}
-	return nil
-}
-
-func (m *Query) GetPersistOffset() bool {
-	if m != nil && m.PersistOffset != nil {
-		return *m.PersistOffset
-	}
-	return Default_Query_PersistOffset
-}
-
-type Query_Filter struct {
-	Op                   *Query_Filter_Operator `protobuf:"varint,6,req,name=op,enum=appengine.Query_Filter_Operator" json:"op,omitempty"`
-	Property             []*Property            `protobuf:"bytes,14,rep,name=property" json:"property,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}               `json:"-"`
-	XXX_unrecognized     []byte                 `json:"-"`
-	XXX_sizecache        int32                  `json:"-"`
-}
-
-func (m *Query_Filter) Reset()         { *m = Query_Filter{} }
-func (m *Query_Filter) String() string { return proto.CompactTextString(m) }
-func (*Query_Filter) ProtoMessage()    {}
-func (*Query_Filter) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{15, 0}
-}
-func (m *Query_Filter) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Query_Filter.Unmarshal(m, b)
-}
-func (m *Query_Filter) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Query_Filter.Marshal(b, m, deterministic)
-}
-func (dst *Query_Filter) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Query_Filter.Merge(dst, src)
-}
-func (m *Query_Filter) XXX_Size() int {
-	return xxx_messageInfo_Query_Filter.Size(m)
-}
-func (m *Query_Filter) XXX_DiscardUnknown() {
-	xxx_messageInfo_Query_Filter.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Query_Filter proto.InternalMessageInfo
-
-func (m *Query_Filter) GetOp() Query_Filter_Operator {
-	if m != nil && m.Op != nil {
-		return *m.Op
-	}
-	return Query_Filter_LESS_THAN
-}
-
-func (m *Query_Filter) GetProperty() []*Property {
-	if m != nil {
-		return m.Property
-	}
-	return nil
-}
-
-type Query_Order struct {
-	Property             *string                `protobuf:"bytes,10,req,name=property" json:"property,omitempty"`
-	Direction            *Query_Order_Direction `protobuf:"varint,11,opt,name=direction,enum=appengine.Query_Order_Direction,def=1" json:"direction,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}               `json:"-"`
-	XXX_unrecognized     []byte                 `json:"-"`
-	XXX_sizecache        int32                  `json:"-"`
-}
-
-func (m *Query_Order) Reset()         { *m = Query_Order{} }
-func (m *Query_Order) String() string { return proto.CompactTextString(m) }
-func (*Query_Order) ProtoMessage()    {}
-func (*Query_Order) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{15, 1}
-}
-func (m *Query_Order) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Query_Order.Unmarshal(m, b)
-}
-func (m *Query_Order) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Query_Order.Marshal(b, m, deterministic)
-}
-func (dst *Query_Order) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Query_Order.Merge(dst, src)
-}
-func (m *Query_Order) XXX_Size() int {
-	return xxx_messageInfo_Query_Order.Size(m)
-}
-func (m *Query_Order) XXX_DiscardUnknown() {
-	xxx_messageInfo_Query_Order.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Query_Order proto.InternalMessageInfo
-
-const Default_Query_Order_Direction Query_Order_Direction = Query_Order_ASCENDING
-
-func (m *Query_Order) GetProperty() string {
-	if m != nil && m.Property != nil {
-		return *m.Property
-	}
-	return ""
-}
-
-func (m *Query_Order) GetDirection() Query_Order_Direction {
-	if m != nil && m.Direction != nil {
-		return *m.Direction
-	}
-	return Default_Query_Order_Direction
-}
-
-type CompiledQuery struct {
-	Primaryscan          *CompiledQuery_PrimaryScan     `protobuf:"group,1,req,name=PrimaryScan,json=primaryscan" json:"primaryscan,omitempty"`
-	Mergejoinscan        []*CompiledQuery_MergeJoinScan `protobuf:"group,7,rep,name=MergeJoinScan,json=mergejoinscan" json:"mergejoinscan,omitempty"`
-	IndexDef             *Index                         `protobuf:"bytes,21,opt,name=index_def,json=indexDef" json:"index_def,omitempty"`
-	Offset               *int32                         `protobuf:"varint,10,opt,name=offset,def=0" json:"offset,omitempty"`
-	Limit                *int32                         `protobuf:"varint,11,opt,name=limit" json:"limit,omitempty"`
-	KeysOnly             *bool                          `protobuf:"varint,12,req,name=keys_only,json=keysOnly" json:"keys_only,omitempty"`
-	PropertyName         []string                       `protobuf:"bytes,24,rep,name=property_name,json=propertyName" json:"property_name,omitempty"`
-	DistinctInfixSize    *int32                         `protobuf:"varint,25,opt,name=distinct_infix_size,json=distinctInfixSize" json:"distinct_infix_size,omitempty"`
-	Entityfilter         *CompiledQuery_EntityFilter    `protobuf:"group,13,opt,name=EntityFilter,json=entityfilter" json:"entityfilter,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                       `json:"-"`
-	XXX_unrecognized     []byte                         `json:"-"`
-	XXX_sizecache        int32                          `json:"-"`
-}
-
-func (m *CompiledQuery) Reset()         { *m = CompiledQuery{} }
-func (m *CompiledQuery) String() string { return proto.CompactTextString(m) }
-func (*CompiledQuery) ProtoMessage()    {}
-func (*CompiledQuery) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{16}
-}
-func (m *CompiledQuery) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompiledQuery.Unmarshal(m, b)
-}
-func (m *CompiledQuery) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompiledQuery.Marshal(b, m, deterministic)
-}
-func (dst *CompiledQuery) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompiledQuery.Merge(dst, src)
-}
-func (m *CompiledQuery) XXX_Size() int {
-	return xxx_messageInfo_CompiledQuery.Size(m)
-}
-func (m *CompiledQuery) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompiledQuery.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompiledQuery proto.InternalMessageInfo
-
-const Default_CompiledQuery_Offset int32 = 0
-
-func (m *CompiledQuery) GetPrimaryscan() *CompiledQuery_PrimaryScan {
-	if m != nil {
-		return m.Primaryscan
-	}
-	return nil
-}
-
-func (m *CompiledQuery) GetMergejoinscan() []*CompiledQuery_MergeJoinScan {
-	if m != nil {
-		return m.Mergejoinscan
-	}
-	return nil
-}
-
-func (m *CompiledQuery) GetIndexDef() *Index {
-	if m != nil {
-		return m.IndexDef
-	}
-	return nil
-}
-
-func (m *CompiledQuery) GetOffset() int32 {
-	if m != nil && m.Offset != nil {
-		return *m.Offset
-	}
-	return Default_CompiledQuery_Offset
-}
-
-func (m *CompiledQuery) GetLimit() int32 {
-	if m != nil && m.Limit != nil {
-		return *m.Limit
-	}
-	return 0
-}
-
-func (m *CompiledQuery) GetKeysOnly() bool {
-	if m != nil && m.KeysOnly != nil {
-		return *m.KeysOnly
-	}
-	return false
-}
-
-func (m *CompiledQuery) GetPropertyName() []string {
-	if m != nil {
-		return m.PropertyName
-	}
-	return nil
-}
-
-func (m *CompiledQuery) GetDistinctInfixSize() int32 {
-	if m != nil && m.DistinctInfixSize != nil {
-		return *m.DistinctInfixSize
-	}
-	return 0
-}
-
-func (m *CompiledQuery) GetEntityfilter() *CompiledQuery_EntityFilter {
-	if m != nil {
-		return m.Entityfilter
-	}
-	return nil
-}
-
-type CompiledQuery_PrimaryScan struct {
-	IndexName                  *string  `protobuf:"bytes,2,opt,name=index_name,json=indexName" json:"index_name,omitempty"`
-	StartKey                   *string  `protobuf:"bytes,3,opt,name=start_key,json=startKey" json:"start_key,omitempty"`
-	StartInclusive             *bool    `protobuf:"varint,4,opt,name=start_inclusive,json=startInclusive" json:"start_inclusive,omitempty"`
-	EndKey                     *string  `protobuf:"bytes,5,opt,name=end_key,json=endKey" json:"end_key,omitempty"`
-	EndInclusive               *bool    `protobuf:"varint,6,opt,name=end_inclusive,json=endInclusive" json:"end_inclusive,omitempty"`
-	StartPostfixValue          []string `protobuf:"bytes,22,rep,name=start_postfix_value,json=startPostfixValue" json:"start_postfix_value,omitempty"`
-	EndPostfixValue            []string `protobuf:"bytes,23,rep,name=end_postfix_value,json=endPostfixValue" json:"end_postfix_value,omitempty"`
-	EndUnappliedLogTimestampUs *int64   `protobuf:"varint,19,opt,name=end_unapplied_log_timestamp_us,json=endUnappliedLogTimestampUs" json:"end_unapplied_log_timestamp_us,omitempty"`
-	XXX_NoUnkeyedLiteral       struct{} `json:"-"`
-	XXX_unrecognized           []byte   `json:"-"`
-	XXX_sizecache              int32    `json:"-"`
-}
-
-func (m *CompiledQuery_PrimaryScan) Reset()         { *m = CompiledQuery_PrimaryScan{} }
-func (m *CompiledQuery_PrimaryScan) String() string { return proto.CompactTextString(m) }
-func (*CompiledQuery_PrimaryScan) ProtoMessage()    {}
-func (*CompiledQuery_PrimaryScan) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{16, 0}
-}
-func (m *CompiledQuery_PrimaryScan) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompiledQuery_PrimaryScan.Unmarshal(m, b)
-}
-func (m *CompiledQuery_PrimaryScan) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompiledQuery_PrimaryScan.Marshal(b, m, deterministic)
-}
-func (dst *CompiledQuery_PrimaryScan) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompiledQuery_PrimaryScan.Merge(dst, src)
-}
-func (m *CompiledQuery_PrimaryScan) XXX_Size() int {
-	return xxx_messageInfo_CompiledQuery_PrimaryScan.Size(m)
-}
-func (m *CompiledQuery_PrimaryScan) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompiledQuery_PrimaryScan.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompiledQuery_PrimaryScan proto.InternalMessageInfo
-
-func (m *CompiledQuery_PrimaryScan) GetIndexName() string {
-	if m != nil && m.IndexName != nil {
-		return *m.IndexName
-	}
-	return ""
-}
-
-func (m *CompiledQuery_PrimaryScan) GetStartKey() string {
-	if m != nil && m.StartKey != nil {
-		return *m.StartKey
-	}
-	return ""
-}
-
-func (m *CompiledQuery_PrimaryScan) GetStartInclusive() bool {
-	if m != nil && m.StartInclusive != nil {
-		return *m.StartInclusive
-	}
-	return false
-}
-
-func (m *CompiledQuery_PrimaryScan) GetEndKey() string {
-	if m != nil && m.EndKey != nil {
-		return *m.EndKey
-	}
-	return ""
-}
-
-func (m *CompiledQuery_PrimaryScan) GetEndInclusive() bool {
-	if m != nil && m.EndInclusive != nil {
-		return *m.EndInclusive
-	}
-	return false
-}
-
-func (m *CompiledQuery_PrimaryScan) GetStartPostfixValue() []string {
-	if m != nil {
-		return m.StartPostfixValue
-	}
-	return nil
-}
-
-func (m *CompiledQuery_PrimaryScan) GetEndPostfixValue() []string {
-	if m != nil {
-		return m.EndPostfixValue
-	}
-	return nil
-}
-
-func (m *CompiledQuery_PrimaryScan) GetEndUnappliedLogTimestampUs() int64 {
-	if m != nil && m.EndUnappliedLogTimestampUs != nil {
-		return *m.EndUnappliedLogTimestampUs
-	}
-	return 0
-}
-
-type CompiledQuery_MergeJoinScan struct {
-	IndexName            *string  `protobuf:"bytes,8,req,name=index_name,json=indexName" json:"index_name,omitempty"`
-	PrefixValue          []string `protobuf:"bytes,9,rep,name=prefix_value,json=prefixValue" json:"prefix_value,omitempty"`
-	ValuePrefix          *bool    `protobuf:"varint,20,opt,name=value_prefix,json=valuePrefix,def=0" json:"value_prefix,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *CompiledQuery_MergeJoinScan) Reset()         { *m = CompiledQuery_MergeJoinScan{} }
-func (m *CompiledQuery_MergeJoinScan) String() string { return proto.CompactTextString(m) }
-func (*CompiledQuery_MergeJoinScan) ProtoMessage()    {}
-func (*CompiledQuery_MergeJoinScan) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{16, 1}
-}
-func (m *CompiledQuery_MergeJoinScan) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompiledQuery_MergeJoinScan.Unmarshal(m, b)
-}
-func (m *CompiledQuery_MergeJoinScan) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompiledQuery_MergeJoinScan.Marshal(b, m, deterministic)
-}
-func (dst *CompiledQuery_MergeJoinScan) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompiledQuery_MergeJoinScan.Merge(dst, src)
-}
-func (m *CompiledQuery_MergeJoinScan) XXX_Size() int {
-	return xxx_messageInfo_CompiledQuery_MergeJoinScan.Size(m)
-}
-func (m *CompiledQuery_MergeJoinScan) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompiledQuery_MergeJoinScan.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompiledQuery_MergeJoinScan proto.InternalMessageInfo
-
-const Default_CompiledQuery_MergeJoinScan_ValuePrefix bool = false
-
-func (m *CompiledQuery_MergeJoinScan) GetIndexName() string {
-	if m != nil && m.IndexName != nil {
-		return *m.IndexName
-	}
-	return ""
-}
-
-func (m *CompiledQuery_MergeJoinScan) GetPrefixValue() []string {
-	if m != nil {
-		return m.PrefixValue
-	}
-	return nil
-}
-
-func (m *CompiledQuery_MergeJoinScan) GetValuePrefix() bool {
-	if m != nil && m.ValuePrefix != nil {
-		return *m.ValuePrefix
-	}
-	return Default_CompiledQuery_MergeJoinScan_ValuePrefix
-}
-
-type CompiledQuery_EntityFilter struct {
-	Distinct             *bool      `protobuf:"varint,14,opt,name=distinct,def=0" json:"distinct,omitempty"`
-	Kind                 *string    `protobuf:"bytes,17,opt,name=kind" json:"kind,omitempty"`
-	Ancestor             *Reference `protobuf:"bytes,18,opt,name=ancestor" json:"ancestor,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}   `json:"-"`
-	XXX_unrecognized     []byte     `json:"-"`
-	XXX_sizecache        int32      `json:"-"`
-}
-
-func (m *CompiledQuery_EntityFilter) Reset()         { *m = CompiledQuery_EntityFilter{} }
-func (m *CompiledQuery_EntityFilter) String() string { return proto.CompactTextString(m) }
-func (*CompiledQuery_EntityFilter) ProtoMessage()    {}
-func (*CompiledQuery_EntityFilter) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{16, 2}
-}
-func (m *CompiledQuery_EntityFilter) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompiledQuery_EntityFilter.Unmarshal(m, b)
-}
-func (m *CompiledQuery_EntityFilter) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompiledQuery_EntityFilter.Marshal(b, m, deterministic)
-}
-func (dst *CompiledQuery_EntityFilter) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompiledQuery_EntityFilter.Merge(dst, src)
-}
-func (m *CompiledQuery_EntityFilter) XXX_Size() int {
-	return xxx_messageInfo_CompiledQuery_EntityFilter.Size(m)
-}
-func (m *CompiledQuery_EntityFilter) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompiledQuery_EntityFilter.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompiledQuery_EntityFilter proto.InternalMessageInfo
-
-const Default_CompiledQuery_EntityFilter_Distinct bool = false
-
-func (m *CompiledQuery_EntityFilter) GetDistinct() bool {
-	if m != nil && m.Distinct != nil {
-		return *m.Distinct
-	}
-	return Default_CompiledQuery_EntityFilter_Distinct
-}
-
-func (m *CompiledQuery_EntityFilter) GetKind() string {
-	if m != nil && m.Kind != nil {
-		return *m.Kind
-	}
-	return ""
-}
-
-func (m *CompiledQuery_EntityFilter) GetAncestor() *Reference {
-	if m != nil {
-		return m.Ancestor
-	}
-	return nil
-}
-
-type CompiledCursor struct {
-	Position             *CompiledCursor_Position `protobuf:"group,2,opt,name=Position,json=position" json:"position,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                 `json:"-"`
-	XXX_unrecognized     []byte                   `json:"-"`
-	XXX_sizecache        int32                    `json:"-"`
-}
-
-func (m *CompiledCursor) Reset()         { *m = CompiledCursor{} }
-func (m *CompiledCursor) String() string { return proto.CompactTextString(m) }
-func (*CompiledCursor) ProtoMessage()    {}
-func (*CompiledCursor) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{17}
-}
-func (m *CompiledCursor) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompiledCursor.Unmarshal(m, b)
-}
-func (m *CompiledCursor) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompiledCursor.Marshal(b, m, deterministic)
-}
-func (dst *CompiledCursor) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompiledCursor.Merge(dst, src)
-}
-func (m *CompiledCursor) XXX_Size() int {
-	return xxx_messageInfo_CompiledCursor.Size(m)
-}
-func (m *CompiledCursor) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompiledCursor.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompiledCursor proto.InternalMessageInfo
-
-func (m *CompiledCursor) GetPosition() *CompiledCursor_Position {
-	if m != nil {
-		return m.Position
-	}
-	return nil
-}
-
-type CompiledCursor_Position struct {
-	StartKey             *string                               `protobuf:"bytes,27,opt,name=start_key,json=startKey" json:"start_key,omitempty"`
-	Indexvalue           []*CompiledCursor_Position_IndexValue `protobuf:"group,29,rep,name=IndexValue,json=indexvalue" json:"indexvalue,omitempty"`
-	Key                  *Reference                            `protobuf:"bytes,32,opt,name=key" json:"key,omitempty"`
-	StartInclusive       *bool                                 `protobuf:"varint,28,opt,name=start_inclusive,json=startInclusive,def=1" json:"start_inclusive,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                              `json:"-"`
-	XXX_unrecognized     []byte                                `json:"-"`
-	XXX_sizecache        int32                                 `json:"-"`
-}
-
-func (m *CompiledCursor_Position) Reset()         { *m = CompiledCursor_Position{} }
-func (m *CompiledCursor_Position) String() string { return proto.CompactTextString(m) }
-func (*CompiledCursor_Position) ProtoMessage()    {}
-func (*CompiledCursor_Position) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{17, 0}
-}
-func (m *CompiledCursor_Position) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompiledCursor_Position.Unmarshal(m, b)
-}
-func (m *CompiledCursor_Position) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompiledCursor_Position.Marshal(b, m, deterministic)
-}
-func (dst *CompiledCursor_Position) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompiledCursor_Position.Merge(dst, src)
-}
-func (m *CompiledCursor_Position) XXX_Size() int {
-	return xxx_messageInfo_CompiledCursor_Position.Size(m)
-}
-func (m *CompiledCursor_Position) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompiledCursor_Position.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompiledCursor_Position proto.InternalMessageInfo
-
-const Default_CompiledCursor_Position_StartInclusive bool = true
-
-func (m *CompiledCursor_Position) GetStartKey() string {
-	if m != nil && m.StartKey != nil {
-		return *m.StartKey
-	}
-	return ""
-}
-
-func (m *CompiledCursor_Position) GetIndexvalue() []*CompiledCursor_Position_IndexValue {
-	if m != nil {
-		return m.Indexvalue
-	}
-	return nil
-}
-
-func (m *CompiledCursor_Position) GetKey() *Reference {
-	if m != nil {
-		return m.Key
-	}
-	return nil
-}
-
-func (m *CompiledCursor_Position) GetStartInclusive() bool {
-	if m != nil && m.StartInclusive != nil {
-		return *m.StartInclusive
-	}
-	return Default_CompiledCursor_Position_StartInclusive
-}
-
-type CompiledCursor_Position_IndexValue struct {
-	Property             *string        `protobuf:"bytes,30,opt,name=property" json:"property,omitempty"`
-	Value                *PropertyValue `protobuf:"bytes,31,req,name=value" json:"value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}       `json:"-"`
-	XXX_unrecognized     []byte         `json:"-"`
-	XXX_sizecache        int32          `json:"-"`
-}
-
-func (m *CompiledCursor_Position_IndexValue) Reset()         { *m = CompiledCursor_Position_IndexValue{} }
-func (m *CompiledCursor_Position_IndexValue) String() string { return proto.CompactTextString(m) }
-func (*CompiledCursor_Position_IndexValue) ProtoMessage()    {}
-func (*CompiledCursor_Position_IndexValue) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{17, 0, 0}
-}
-func (m *CompiledCursor_Position_IndexValue) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompiledCursor_Position_IndexValue.Unmarshal(m, b)
-}
-func (m *CompiledCursor_Position_IndexValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompiledCursor_Position_IndexValue.Marshal(b, m, deterministic)
-}
-func (dst *CompiledCursor_Position_IndexValue) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompiledCursor_Position_IndexValue.Merge(dst, src)
-}
-func (m *CompiledCursor_Position_IndexValue) XXX_Size() int {
-	return xxx_messageInfo_CompiledCursor_Position_IndexValue.Size(m)
-}
-func (m *CompiledCursor_Position_IndexValue) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompiledCursor_Position_IndexValue.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompiledCursor_Position_IndexValue proto.InternalMessageInfo
-
-func (m *CompiledCursor_Position_IndexValue) GetProperty() string {
-	if m != nil && m.Property != nil {
-		return *m.Property
-	}
-	return ""
-}
-
-func (m *CompiledCursor_Position_IndexValue) GetValue() *PropertyValue {
-	if m != nil {
-		return m.Value
-	}
-	return nil
-}
-
-type Cursor struct {
-	Cursor               *uint64  `protobuf:"fixed64,1,req,name=cursor" json:"cursor,omitempty"`
-	App                  *string  `protobuf:"bytes,2,opt,name=app" json:"app,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Cursor) Reset()         { *m = Cursor{} }
-func (m *Cursor) String() string { return proto.CompactTextString(m) }
-func (*Cursor) ProtoMessage()    {}
-func (*Cursor) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{18}
-}
-func (m *Cursor) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Cursor.Unmarshal(m, b)
-}
-func (m *Cursor) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Cursor.Marshal(b, m, deterministic)
-}
-func (dst *Cursor) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Cursor.Merge(dst, src)
-}
-func (m *Cursor) XXX_Size() int {
-	return xxx_messageInfo_Cursor.Size(m)
-}
-func (m *Cursor) XXX_DiscardUnknown() {
-	xxx_messageInfo_Cursor.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Cursor proto.InternalMessageInfo
-
-func (m *Cursor) GetCursor() uint64 {
-	if m != nil && m.Cursor != nil {
-		return *m.Cursor
-	}
-	return 0
-}
-
-func (m *Cursor) GetApp() string {
-	if m != nil && m.App != nil {
-		return *m.App
-	}
-	return ""
-}
-
-type Error struct {
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Error) Reset()         { *m = Error{} }
-func (m *Error) String() string { return proto.CompactTextString(m) }
-func (*Error) ProtoMessage()    {}
-func (*Error) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{19}
-}
-func (m *Error) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Error.Unmarshal(m, b)
-}
-func (m *Error) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Error.Marshal(b, m, deterministic)
-}
-func (dst *Error) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Error.Merge(dst, src)
-}
-func (m *Error) XXX_Size() int {
-	return xxx_messageInfo_Error.Size(m)
-}
-func (m *Error) XXX_DiscardUnknown() {
-	xxx_messageInfo_Error.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Error proto.InternalMessageInfo
-
-type Cost struct {
-	IndexWrites             *int32           `protobuf:"varint,1,opt,name=index_writes,json=indexWrites" json:"index_writes,omitempty"`
-	IndexWriteBytes         *int32           `protobuf:"varint,2,opt,name=index_write_bytes,json=indexWriteBytes" json:"index_write_bytes,omitempty"`
-	EntityWrites            *int32           `protobuf:"varint,3,opt,name=entity_writes,json=entityWrites" json:"entity_writes,omitempty"`
-	EntityWriteBytes        *int32           `protobuf:"varint,4,opt,name=entity_write_bytes,json=entityWriteBytes" json:"entity_write_bytes,omitempty"`
-	Commitcost              *Cost_CommitCost `protobuf:"group,5,opt,name=CommitCost,json=commitcost" json:"commitcost,omitempty"`
-	ApproximateStorageDelta *int32           `protobuf:"varint,8,opt,name=approximate_storage_delta,json=approximateStorageDelta" json:"approximate_storage_delta,omitempty"`
-	IdSequenceUpdates       *int32           `protobuf:"varint,9,opt,name=id_sequence_updates,json=idSequenceUpdates" json:"id_sequence_updates,omitempty"`
-	XXX_NoUnkeyedLiteral    struct{}         `json:"-"`
-	XXX_unrecognized        []byte           `json:"-"`
-	XXX_sizecache           int32            `json:"-"`
-}
-
-func (m *Cost) Reset()         { *m = Cost{} }
-func (m *Cost) String() string { return proto.CompactTextString(m) }
-func (*Cost) ProtoMessage()    {}
-func (*Cost) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{20}
-}
-func (m *Cost) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Cost.Unmarshal(m, b)
-}
-func (m *Cost) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Cost.Marshal(b, m, deterministic)
-}
-func (dst *Cost) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Cost.Merge(dst, src)
-}
-func (m *Cost) XXX_Size() int {
-	return xxx_messageInfo_Cost.Size(m)
-}
-func (m *Cost) XXX_DiscardUnknown() {
-	xxx_messageInfo_Cost.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Cost proto.InternalMessageInfo
-
-func (m *Cost) GetIndexWrites() int32 {
-	if m != nil && m.IndexWrites != nil {
-		return *m.IndexWrites
-	}
-	return 0
-}
-
-func (m *Cost) GetIndexWriteBytes() int32 {
-	if m != nil && m.IndexWriteBytes != nil {
-		return *m.IndexWriteBytes
-	}
-	return 0
-}
-
-func (m *Cost) GetEntityWrites() int32 {
-	if m != nil && m.EntityWrites != nil {
-		return *m.EntityWrites
-	}
-	return 0
-}
-
-func (m *Cost) GetEntityWriteBytes() int32 {
-	if m != nil && m.EntityWriteBytes != nil {
-		return *m.EntityWriteBytes
-	}
-	return 0
-}
-
-func (m *Cost) GetCommitcost() *Cost_CommitCost {
-	if m != nil {
-		return m.Commitcost
-	}
-	return nil
-}
-
-func (m *Cost) GetApproximateStorageDelta() int32 {
-	if m != nil && m.ApproximateStorageDelta != nil {
-		return *m.ApproximateStorageDelta
-	}
-	return 0
-}
-
-func (m *Cost) GetIdSequenceUpdates() int32 {
-	if m != nil && m.IdSequenceUpdates != nil {
-		return *m.IdSequenceUpdates
-	}
-	return 0
-}
-
-type Cost_CommitCost struct {
-	RequestedEntityPuts    *int32   `protobuf:"varint,6,opt,name=requested_entity_puts,json=requestedEntityPuts" json:"requested_entity_puts,omitempty"`
-	RequestedEntityDeletes *int32   `protobuf:"varint,7,opt,name=requested_entity_deletes,json=requestedEntityDeletes" json:"requested_entity_deletes,omitempty"`
-	XXX_NoUnkeyedLiteral   struct{} `json:"-"`
-	XXX_unrecognized       []byte   `json:"-"`
-	XXX_sizecache          int32    `json:"-"`
-}
-
-func (m *Cost_CommitCost) Reset()         { *m = Cost_CommitCost{} }
-func (m *Cost_CommitCost) String() string { return proto.CompactTextString(m) }
-func (*Cost_CommitCost) ProtoMessage()    {}
-func (*Cost_CommitCost) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{20, 0}
-}
-func (m *Cost_CommitCost) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Cost_CommitCost.Unmarshal(m, b)
-}
-func (m *Cost_CommitCost) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Cost_CommitCost.Marshal(b, m, deterministic)
-}
-func (dst *Cost_CommitCost) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Cost_CommitCost.Merge(dst, src)
-}
-func (m *Cost_CommitCost) XXX_Size() int {
-	return xxx_messageInfo_Cost_CommitCost.Size(m)
-}
-func (m *Cost_CommitCost) XXX_DiscardUnknown() {
-	xxx_messageInfo_Cost_CommitCost.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Cost_CommitCost proto.InternalMessageInfo
-
-func (m *Cost_CommitCost) GetRequestedEntityPuts() int32 {
-	if m != nil && m.RequestedEntityPuts != nil {
-		return *m.RequestedEntityPuts
-	}
-	return 0
-}
-
-func (m *Cost_CommitCost) GetRequestedEntityDeletes() int32 {
-	if m != nil && m.RequestedEntityDeletes != nil {
-		return *m.RequestedEntityDeletes
-	}
-	return 0
-}
-
-type GetRequest struct {
-	Header               *InternalHeader `protobuf:"bytes,6,opt,name=header" json:"header,omitempty"`
-	Key                  []*Reference    `protobuf:"bytes,1,rep,name=key" json:"key,omitempty"`
-	Transaction          *Transaction    `protobuf:"bytes,2,opt,name=transaction" json:"transaction,omitempty"`
-	FailoverMs           *int64          `protobuf:"varint,3,opt,name=failover_ms,json=failoverMs" json:"failover_ms,omitempty"`
-	Strong               *bool           `protobuf:"varint,4,opt,name=strong" json:"strong,omitempty"`
-	AllowDeferred        *bool           `protobuf:"varint,5,opt,name=allow_deferred,json=allowDeferred,def=0" json:"allow_deferred,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
-	XXX_unrecognized     []byte          `json:"-"`
-	XXX_sizecache        int32           `json:"-"`
-}
-
-func (m *GetRequest) Reset()         { *m = GetRequest{} }
-func (m *GetRequest) String() string { return proto.CompactTextString(m) }
-func (*GetRequest) ProtoMessage()    {}
-func (*GetRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{21}
-}
-func (m *GetRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_GetRequest.Unmarshal(m, b)
-}
-func (m *GetRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_GetRequest.Marshal(b, m, deterministic)
-}
-func (dst *GetRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GetRequest.Merge(dst, src)
-}
-func (m *GetRequest) XXX_Size() int {
-	return xxx_messageInfo_GetRequest.Size(m)
-}
-func (m *GetRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_GetRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GetRequest proto.InternalMessageInfo
-
-const Default_GetRequest_AllowDeferred bool = false
-
-func (m *GetRequest) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *GetRequest) GetKey() []*Reference {
-	if m != nil {
-		return m.Key
-	}
-	return nil
-}
-
-func (m *GetRequest) GetTransaction() *Transaction {
-	if m != nil {
-		return m.Transaction
-	}
-	return nil
-}
-
-func (m *GetRequest) GetFailoverMs() int64 {
-	if m != nil && m.FailoverMs != nil {
-		return *m.FailoverMs
-	}
-	return 0
-}
-
-func (m *GetRequest) GetStrong() bool {
-	if m != nil && m.Strong != nil {
-		return *m.Strong
-	}
-	return false
-}
-
-func (m *GetRequest) GetAllowDeferred() bool {
-	if m != nil && m.AllowDeferred != nil {
-		return *m.AllowDeferred
-	}
-	return Default_GetRequest_AllowDeferred
-}
-
-type GetResponse struct {
-	Entity               []*GetResponse_Entity `protobuf:"group,1,rep,name=Entity,json=entity" json:"entity,omitempty"`
-	Deferred             []*Reference          `protobuf:"bytes,5,rep,name=deferred" json:"deferred,omitempty"`
-	InOrder              *bool                 `protobuf:"varint,6,opt,name=in_order,json=inOrder,def=1" json:"in_order,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}              `json:"-"`
-	XXX_unrecognized     []byte                `json:"-"`
-	XXX_sizecache        int32                 `json:"-"`
-}
-
-func (m *GetResponse) Reset()         { *m = GetResponse{} }
-func (m *GetResponse) String() string { return proto.CompactTextString(m) }
-func (*GetResponse) ProtoMessage()    {}
-func (*GetResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{22}
-}
-func (m *GetResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_GetResponse.Unmarshal(m, b)
-}
-func (m *GetResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_GetResponse.Marshal(b, m, deterministic)
-}
-func (dst *GetResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GetResponse.Merge(dst, src)
-}
-func (m *GetResponse) XXX_Size() int {
-	return xxx_messageInfo_GetResponse.Size(m)
-}
-func (m *GetResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_GetResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GetResponse proto.InternalMessageInfo
-
-const Default_GetResponse_InOrder bool = true
-
-func (m *GetResponse) GetEntity() []*GetResponse_Entity {
-	if m != nil {
-		return m.Entity
-	}
-	return nil
-}
-
-func (m *GetResponse) GetDeferred() []*Reference {
-	if m != nil {
-		return m.Deferred
-	}
-	return nil
-}
-
-func (m *GetResponse) GetInOrder() bool {
-	if m != nil && m.InOrder != nil {
-		return *m.InOrder
-	}
-	return Default_GetResponse_InOrder
-}
-
-type GetResponse_Entity struct {
-	Entity               *EntityProto `protobuf:"bytes,2,opt,name=entity" json:"entity,omitempty"`
-	Key                  *Reference   `protobuf:"bytes,4,opt,name=key" json:"key,omitempty"`
-	Version              *int64       `protobuf:"varint,3,opt,name=version" json:"version,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}     `json:"-"`
-	XXX_unrecognized     []byte       `json:"-"`
-	XXX_sizecache        int32        `json:"-"`
-}
-
-func (m *GetResponse_Entity) Reset()         { *m = GetResponse_Entity{} }
-func (m *GetResponse_Entity) String() string { return proto.CompactTextString(m) }
-func (*GetResponse_Entity) ProtoMessage()    {}
-func (*GetResponse_Entity) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{22, 0}
-}
-func (m *GetResponse_Entity) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_GetResponse_Entity.Unmarshal(m, b)
-}
-func (m *GetResponse_Entity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_GetResponse_Entity.Marshal(b, m, deterministic)
-}
-func (dst *GetResponse_Entity) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GetResponse_Entity.Merge(dst, src)
-}
-func (m *GetResponse_Entity) XXX_Size() int {
-	return xxx_messageInfo_GetResponse_Entity.Size(m)
-}
-func (m *GetResponse_Entity) XXX_DiscardUnknown() {
-	xxx_messageInfo_GetResponse_Entity.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_GetResponse_Entity proto.InternalMessageInfo
-
-func (m *GetResponse_Entity) GetEntity() *EntityProto {
-	if m != nil {
-		return m.Entity
-	}
-	return nil
-}
-
-func (m *GetResponse_Entity) GetKey() *Reference {
-	if m != nil {
-		return m.Key
-	}
-	return nil
-}
-
-func (m *GetResponse_Entity) GetVersion() int64 {
-	if m != nil && m.Version != nil {
-		return *m.Version
-	}
-	return 0
-}
-
-type PutRequest struct {
-	Header               *InternalHeader          `protobuf:"bytes,11,opt,name=header" json:"header,omitempty"`
-	Entity               []*EntityProto           `protobuf:"bytes,1,rep,name=entity" json:"entity,omitempty"`
-	Transaction          *Transaction             `protobuf:"bytes,2,opt,name=transaction" json:"transaction,omitempty"`
-	CompositeIndex       []*CompositeIndex        `protobuf:"bytes,3,rep,name=composite_index,json=compositeIndex" json:"composite_index,omitempty"`
-	Trusted              *bool                    `protobuf:"varint,4,opt,name=trusted,def=0" json:"trusted,omitempty"`
-	Force                *bool                    `protobuf:"varint,7,opt,name=force,def=0" json:"force,omitempty"`
-	MarkChanges          *bool                    `protobuf:"varint,8,opt,name=mark_changes,json=markChanges,def=0" json:"mark_changes,omitempty"`
-	Snapshot             []*Snapshot              `protobuf:"bytes,9,rep,name=snapshot" json:"snapshot,omitempty"`
-	AutoIdPolicy         *PutRequest_AutoIdPolicy `protobuf:"varint,10,opt,name=auto_id_policy,json=autoIdPolicy,enum=appengine.PutRequest_AutoIdPolicy,def=0" json:"auto_id_policy,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                 `json:"-"`
-	XXX_unrecognized     []byte                   `json:"-"`
-	XXX_sizecache        int32                    `json:"-"`
-}
-
-func (m *PutRequest) Reset()         { *m = PutRequest{} }
-func (m *PutRequest) String() string { return proto.CompactTextString(m) }
-func (*PutRequest) ProtoMessage()    {}
-func (*PutRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{23}
-}
-func (m *PutRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_PutRequest.Unmarshal(m, b)
-}
-func (m *PutRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_PutRequest.Marshal(b, m, deterministic)
-}
-func (dst *PutRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PutRequest.Merge(dst, src)
-}
-func (m *PutRequest) XXX_Size() int {
-	return xxx_messageInfo_PutRequest.Size(m)
-}
-func (m *PutRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_PutRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PutRequest proto.InternalMessageInfo
-
-const Default_PutRequest_Trusted bool = false
-const Default_PutRequest_Force bool = false
-const Default_PutRequest_MarkChanges bool = false
-const Default_PutRequest_AutoIdPolicy PutRequest_AutoIdPolicy = PutRequest_CURRENT
-
-func (m *PutRequest) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *PutRequest) GetEntity() []*EntityProto {
-	if m != nil {
-		return m.Entity
-	}
-	return nil
-}
-
-func (m *PutRequest) GetTransaction() *Transaction {
-	if m != nil {
-		return m.Transaction
-	}
-	return nil
-}
-
-func (m *PutRequest) GetCompositeIndex() []*CompositeIndex {
-	if m != nil {
-		return m.CompositeIndex
-	}
-	return nil
-}
-
-func (m *PutRequest) GetTrusted() bool {
-	if m != nil && m.Trusted != nil {
-		return *m.Trusted
-	}
-	return Default_PutRequest_Trusted
-}
-
-func (m *PutRequest) GetForce() bool {
-	if m != nil && m.Force != nil {
-		return *m.Force
-	}
-	return Default_PutRequest_Force
-}
-
-func (m *PutRequest) GetMarkChanges() bool {
-	if m != nil && m.MarkChanges != nil {
-		return *m.MarkChanges
-	}
-	return Default_PutRequest_MarkChanges
-}
-
-func (m *PutRequest) GetSnapshot() []*Snapshot {
-	if m != nil {
-		return m.Snapshot
-	}
-	return nil
-}
-
-func (m *PutRequest) GetAutoIdPolicy() PutRequest_AutoIdPolicy {
-	if m != nil && m.AutoIdPolicy != nil {
-		return *m.AutoIdPolicy
-	}
-	return Default_PutRequest_AutoIdPolicy
-}
-
-type PutResponse struct {
-	Key                  []*Reference `protobuf:"bytes,1,rep,name=key" json:"key,omitempty"`
-	Cost                 *Cost        `protobuf:"bytes,2,opt,name=cost" json:"cost,omitempty"`
-	Version              []int64      `protobuf:"varint,3,rep,name=version" json:"version,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}     `json:"-"`
-	XXX_unrecognized     []byte       `json:"-"`
-	XXX_sizecache        int32        `json:"-"`
-}
-
-func (m *PutResponse) Reset()         { *m = PutResponse{} }
-func (m *PutResponse) String() string { return proto.CompactTextString(m) }
-func (*PutResponse) ProtoMessage()    {}
-func (*PutResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{24}
-}
-func (m *PutResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_PutResponse.Unmarshal(m, b)
-}
-func (m *PutResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_PutResponse.Marshal(b, m, deterministic)
-}
-func (dst *PutResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PutResponse.Merge(dst, src)
-}
-func (m *PutResponse) XXX_Size() int {
-	return xxx_messageInfo_PutResponse.Size(m)
-}
-func (m *PutResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_PutResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_PutResponse proto.InternalMessageInfo
-
-func (m *PutResponse) GetKey() []*Reference {
-	if m != nil {
-		return m.Key
-	}
-	return nil
-}
-
-func (m *PutResponse) GetCost() *Cost {
-	if m != nil {
-		return m.Cost
-	}
-	return nil
-}
-
-func (m *PutResponse) GetVersion() []int64 {
-	if m != nil {
-		return m.Version
-	}
-	return nil
-}
-
-type TouchRequest struct {
-	Header               *InternalHeader   `protobuf:"bytes,10,opt,name=header" json:"header,omitempty"`
-	Key                  []*Reference      `protobuf:"bytes,1,rep,name=key" json:"key,omitempty"`
-	CompositeIndex       []*CompositeIndex `protobuf:"bytes,2,rep,name=composite_index,json=compositeIndex" json:"composite_index,omitempty"`
-	Force                *bool             `protobuf:"varint,3,opt,name=force,def=0" json:"force,omitempty"`
-	Snapshot             []*Snapshot       `protobuf:"bytes,9,rep,name=snapshot" json:"snapshot,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *TouchRequest) Reset()         { *m = TouchRequest{} }
-func (m *TouchRequest) String() string { return proto.CompactTextString(m) }
-func (*TouchRequest) ProtoMessage()    {}
-func (*TouchRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{25}
-}
-func (m *TouchRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_TouchRequest.Unmarshal(m, b)
-}
-func (m *TouchRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_TouchRequest.Marshal(b, m, deterministic)
-}
-func (dst *TouchRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TouchRequest.Merge(dst, src)
-}
-func (m *TouchRequest) XXX_Size() int {
-	return xxx_messageInfo_TouchRequest.Size(m)
-}
-func (m *TouchRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_TouchRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TouchRequest proto.InternalMessageInfo
-
-const Default_TouchRequest_Force bool = false
-
-func (m *TouchRequest) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *TouchRequest) GetKey() []*Reference {
-	if m != nil {
-		return m.Key
-	}
-	return nil
-}
-
-func (m *TouchRequest) GetCompositeIndex() []*CompositeIndex {
-	if m != nil {
-		return m.CompositeIndex
-	}
-	return nil
-}
-
-func (m *TouchRequest) GetForce() bool {
-	if m != nil && m.Force != nil {
-		return *m.Force
-	}
-	return Default_TouchRequest_Force
-}
-
-func (m *TouchRequest) GetSnapshot() []*Snapshot {
-	if m != nil {
-		return m.Snapshot
-	}
-	return nil
-}
-
-type TouchResponse struct {
-	Cost                 *Cost    `protobuf:"bytes,1,opt,name=cost" json:"cost,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *TouchResponse) Reset()         { *m = TouchResponse{} }
-func (m *TouchResponse) String() string { return proto.CompactTextString(m) }
-func (*TouchResponse) ProtoMessage()    {}
-func (*TouchResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{26}
-}
-func (m *TouchResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_TouchResponse.Unmarshal(m, b)
-}
-func (m *TouchResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_TouchResponse.Marshal(b, m, deterministic)
-}
-func (dst *TouchResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TouchResponse.Merge(dst, src)
-}
-func (m *TouchResponse) XXX_Size() int {
-	return xxx_messageInfo_TouchResponse.Size(m)
-}
-func (m *TouchResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_TouchResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_TouchResponse proto.InternalMessageInfo
-
-func (m *TouchResponse) GetCost() *Cost {
-	if m != nil {
-		return m.Cost
-	}
-	return nil
-}
-
-type DeleteRequest struct {
-	Header               *InternalHeader `protobuf:"bytes,10,opt,name=header" json:"header,omitempty"`
-	Key                  []*Reference    `protobuf:"bytes,6,rep,name=key" json:"key,omitempty"`
-	Transaction          *Transaction    `protobuf:"bytes,5,opt,name=transaction" json:"transaction,omitempty"`
-	Trusted              *bool           `protobuf:"varint,4,opt,name=trusted,def=0" json:"trusted,omitempty"`
-	Force                *bool           `protobuf:"varint,7,opt,name=force,def=0" json:"force,omitempty"`
-	MarkChanges          *bool           `protobuf:"varint,8,opt,name=mark_changes,json=markChanges,def=0" json:"mark_changes,omitempty"`
-	Snapshot             []*Snapshot     `protobuf:"bytes,9,rep,name=snapshot" json:"snapshot,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
-	XXX_unrecognized     []byte          `json:"-"`
-	XXX_sizecache        int32           `json:"-"`
-}
-
-func (m *DeleteRequest) Reset()         { *m = DeleteRequest{} }
-func (m *DeleteRequest) String() string { return proto.CompactTextString(m) }
-func (*DeleteRequest) ProtoMessage()    {}
-func (*DeleteRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{27}
-}
-func (m *DeleteRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_DeleteRequest.Unmarshal(m, b)
-}
-func (m *DeleteRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_DeleteRequest.Marshal(b, m, deterministic)
-}
-func (dst *DeleteRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeleteRequest.Merge(dst, src)
-}
-func (m *DeleteRequest) XXX_Size() int {
-	return xxx_messageInfo_DeleteRequest.Size(m)
-}
-func (m *DeleteRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeleteRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeleteRequest proto.InternalMessageInfo
-
-const Default_DeleteRequest_Trusted bool = false
-const Default_DeleteRequest_Force bool = false
-const Default_DeleteRequest_MarkChanges bool = false
-
-func (m *DeleteRequest) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *DeleteRequest) GetKey() []*Reference {
-	if m != nil {
-		return m.Key
-	}
-	return nil
-}
-
-func (m *DeleteRequest) GetTransaction() *Transaction {
-	if m != nil {
-		return m.Transaction
-	}
-	return nil
-}
-
-func (m *DeleteRequest) GetTrusted() bool {
-	if m != nil && m.Trusted != nil {
-		return *m.Trusted
-	}
-	return Default_DeleteRequest_Trusted
-}
-
-func (m *DeleteRequest) GetForce() bool {
-	if m != nil && m.Force != nil {
-		return *m.Force
-	}
-	return Default_DeleteRequest_Force
-}
-
-func (m *DeleteRequest) GetMarkChanges() bool {
-	if m != nil && m.MarkChanges != nil {
-		return *m.MarkChanges
-	}
-	return Default_DeleteRequest_MarkChanges
-}
-
-func (m *DeleteRequest) GetSnapshot() []*Snapshot {
-	if m != nil {
-		return m.Snapshot
-	}
-	return nil
-}
-
-type DeleteResponse struct {
-	Cost                 *Cost    `protobuf:"bytes,1,opt,name=cost" json:"cost,omitempty"`
-	Version              []int64  `protobuf:"varint,3,rep,name=version" json:"version,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *DeleteResponse) Reset()         { *m = DeleteResponse{} }
-func (m *DeleteResponse) String() string { return proto.CompactTextString(m) }
-func (*DeleteResponse) ProtoMessage()    {}
-func (*DeleteResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{28}
-}
-func (m *DeleteResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_DeleteResponse.Unmarshal(m, b)
-}
-func (m *DeleteResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_DeleteResponse.Marshal(b, m, deterministic)
-}
-func (dst *DeleteResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_DeleteResponse.Merge(dst, src)
-}
-func (m *DeleteResponse) XXX_Size() int {
-	return xxx_messageInfo_DeleteResponse.Size(m)
-}
-func (m *DeleteResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_DeleteResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_DeleteResponse proto.InternalMessageInfo
-
-func (m *DeleteResponse) GetCost() *Cost {
-	if m != nil {
-		return m.Cost
-	}
-	return nil
-}
-
-func (m *DeleteResponse) GetVersion() []int64 {
-	if m != nil {
-		return m.Version
-	}
-	return nil
-}
-
-type NextRequest struct {
-	Header               *InternalHeader `protobuf:"bytes,5,opt,name=header" json:"header,omitempty"`
-	Cursor               *Cursor         `protobuf:"bytes,1,req,name=cursor" json:"cursor,omitempty"`
-	Count                *int32          `protobuf:"varint,2,opt,name=count" json:"count,omitempty"`
-	Offset               *int32          `protobuf:"varint,4,opt,name=offset,def=0" json:"offset,omitempty"`
-	Compile              *bool           `protobuf:"varint,3,opt,name=compile,def=0" json:"compile,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
-	XXX_unrecognized     []byte          `json:"-"`
-	XXX_sizecache        int32           `json:"-"`
-}
-
-func (m *NextRequest) Reset()         { *m = NextRequest{} }
-func (m *NextRequest) String() string { return proto.CompactTextString(m) }
-func (*NextRequest) ProtoMessage()    {}
-func (*NextRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{29}
-}
-func (m *NextRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_NextRequest.Unmarshal(m, b)
-}
-func (m *NextRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_NextRequest.Marshal(b, m, deterministic)
-}
-func (dst *NextRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_NextRequest.Merge(dst, src)
-}
-func (m *NextRequest) XXX_Size() int {
-	return xxx_messageInfo_NextRequest.Size(m)
-}
-func (m *NextRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_NextRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_NextRequest proto.InternalMessageInfo
-
-const Default_NextRequest_Offset int32 = 0
-const Default_NextRequest_Compile bool = false
-
-func (m *NextRequest) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *NextRequest) GetCursor() *Cursor {
-	if m != nil {
-		return m.Cursor
-	}
-	return nil
-}
-
-func (m *NextRequest) GetCount() int32 {
-	if m != nil && m.Count != nil {
-		return *m.Count
-	}
-	return 0
-}
-
-func (m *NextRequest) GetOffset() int32 {
-	if m != nil && m.Offset != nil {
-		return *m.Offset
-	}
-	return Default_NextRequest_Offset
-}
-
-func (m *NextRequest) GetCompile() bool {
-	if m != nil && m.Compile != nil {
-		return *m.Compile
-	}
-	return Default_NextRequest_Compile
-}
-
-type QueryResult struct {
-	Cursor               *Cursor           `protobuf:"bytes,1,opt,name=cursor" json:"cursor,omitempty"`
-	Result               []*EntityProto    `protobuf:"bytes,2,rep,name=result" json:"result,omitempty"`
-	SkippedResults       *int32            `protobuf:"varint,7,opt,name=skipped_results,json=skippedResults" json:"skipped_results,omitempty"`
-	MoreResults          *bool             `protobuf:"varint,3,req,name=more_results,json=moreResults" json:"more_results,omitempty"`
-	KeysOnly             *bool             `protobuf:"varint,4,opt,name=keys_only,json=keysOnly" json:"keys_only,omitempty"`
-	IndexOnly            *bool             `protobuf:"varint,9,opt,name=index_only,json=indexOnly" json:"index_only,omitempty"`
-	SmallOps             *bool             `protobuf:"varint,10,opt,name=small_ops,json=smallOps" json:"small_ops,omitempty"`
-	CompiledQuery        *CompiledQuery    `protobuf:"bytes,5,opt,name=compiled_query,json=compiledQuery" json:"compiled_query,omitempty"`
-	CompiledCursor       *CompiledCursor   `protobuf:"bytes,6,opt,name=compiled_cursor,json=compiledCursor" json:"compiled_cursor,omitempty"`
-	Index                []*CompositeIndex `protobuf:"bytes,8,rep,name=index" json:"index,omitempty"`
-	Version              []int64           `protobuf:"varint,11,rep,name=version" json:"version,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *QueryResult) Reset()         { *m = QueryResult{} }
-func (m *QueryResult) String() string { return proto.CompactTextString(m) }
-func (*QueryResult) ProtoMessage()    {}
-func (*QueryResult) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{30}
-}
-func (m *QueryResult) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_QueryResult.Unmarshal(m, b)
-}
-func (m *QueryResult) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_QueryResult.Marshal(b, m, deterministic)
-}
-func (dst *QueryResult) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_QueryResult.Merge(dst, src)
-}
-func (m *QueryResult) XXX_Size() int {
-	return xxx_messageInfo_QueryResult.Size(m)
-}
-func (m *QueryResult) XXX_DiscardUnknown() {
-	xxx_messageInfo_QueryResult.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_QueryResult proto.InternalMessageInfo
-
-func (m *QueryResult) GetCursor() *Cursor {
-	if m != nil {
-		return m.Cursor
-	}
-	return nil
-}
-
-func (m *QueryResult) GetResult() []*EntityProto {
-	if m != nil {
-		return m.Result
-	}
-	return nil
-}
-
-func (m *QueryResult) GetSkippedResults() int32 {
-	if m != nil && m.SkippedResults != nil {
-		return *m.SkippedResults
-	}
-	return 0
-}
-
-func (m *QueryResult) GetMoreResults() bool {
-	if m != nil && m.MoreResults != nil {
-		return *m.MoreResults
-	}
-	return false
-}
-
-func (m *QueryResult) GetKeysOnly() bool {
-	if m != nil && m.KeysOnly != nil {
-		return *m.KeysOnly
-	}
-	return false
-}
-
-func (m *QueryResult) GetIndexOnly() bool {
-	if m != nil && m.IndexOnly != nil {
-		return *m.IndexOnly
-	}
-	return false
-}
-
-func (m *QueryResult) GetSmallOps() bool {
-	if m != nil && m.SmallOps != nil {
-		return *m.SmallOps
-	}
-	return false
-}
-
-func (m *QueryResult) GetCompiledQuery() *CompiledQuery {
-	if m != nil {
-		return m.CompiledQuery
-	}
-	return nil
-}
-
-func (m *QueryResult) GetCompiledCursor() *CompiledCursor {
-	if m != nil {
-		return m.CompiledCursor
-	}
-	return nil
-}
-
-func (m *QueryResult) GetIndex() []*CompositeIndex {
-	if m != nil {
-		return m.Index
-	}
-	return nil
-}
-
-func (m *QueryResult) GetVersion() []int64 {
-	if m != nil {
-		return m.Version
-	}
-	return nil
-}
-
-type AllocateIdsRequest struct {
-	Header               *InternalHeader `protobuf:"bytes,4,opt,name=header" json:"header,omitempty"`
-	ModelKey             *Reference      `protobuf:"bytes,1,opt,name=model_key,json=modelKey" json:"model_key,omitempty"`
-	Size                 *int64          `protobuf:"varint,2,opt,name=size" json:"size,omitempty"`
-	Max                  *int64          `protobuf:"varint,3,opt,name=max" json:"max,omitempty"`
-	Reserve              []*Reference    `protobuf:"bytes,5,rep,name=reserve" json:"reserve,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
-	XXX_unrecognized     []byte          `json:"-"`
-	XXX_sizecache        int32           `json:"-"`
-}
-
-func (m *AllocateIdsRequest) Reset()         { *m = AllocateIdsRequest{} }
-func (m *AllocateIdsRequest) String() string { return proto.CompactTextString(m) }
-func (*AllocateIdsRequest) ProtoMessage()    {}
-func (*AllocateIdsRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{31}
-}
-func (m *AllocateIdsRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_AllocateIdsRequest.Unmarshal(m, b)
-}
-func (m *AllocateIdsRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_AllocateIdsRequest.Marshal(b, m, deterministic)
-}
-func (dst *AllocateIdsRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AllocateIdsRequest.Merge(dst, src)
-}
-func (m *AllocateIdsRequest) XXX_Size() int {
-	return xxx_messageInfo_AllocateIdsRequest.Size(m)
-}
-func (m *AllocateIdsRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_AllocateIdsRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AllocateIdsRequest proto.InternalMessageInfo
-
-func (m *AllocateIdsRequest) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *AllocateIdsRequest) GetModelKey() *Reference {
-	if m != nil {
-		return m.ModelKey
-	}
-	return nil
-}
-
-func (m *AllocateIdsRequest) GetSize() int64 {
-	if m != nil && m.Size != nil {
-		return *m.Size
-	}
-	return 0
-}
-
-func (m *AllocateIdsRequest) GetMax() int64 {
-	if m != nil && m.Max != nil {
-		return *m.Max
-	}
-	return 0
-}
-
-func (m *AllocateIdsRequest) GetReserve() []*Reference {
-	if m != nil {
-		return m.Reserve
-	}
-	return nil
-}
-
-type AllocateIdsResponse struct {
-	Start                *int64   `protobuf:"varint,1,req,name=start" json:"start,omitempty"`
-	End                  *int64   `protobuf:"varint,2,req,name=end" json:"end,omitempty"`
-	Cost                 *Cost    `protobuf:"bytes,3,opt,name=cost" json:"cost,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *AllocateIdsResponse) Reset()         { *m = AllocateIdsResponse{} }
-func (m *AllocateIdsResponse) String() string { return proto.CompactTextString(m) }
-func (*AllocateIdsResponse) ProtoMessage()    {}
-func (*AllocateIdsResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{32}
-}
-func (m *AllocateIdsResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_AllocateIdsResponse.Unmarshal(m, b)
-}
-func (m *AllocateIdsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_AllocateIdsResponse.Marshal(b, m, deterministic)
-}
-func (dst *AllocateIdsResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AllocateIdsResponse.Merge(dst, src)
-}
-func (m *AllocateIdsResponse) XXX_Size() int {
-	return xxx_messageInfo_AllocateIdsResponse.Size(m)
-}
-func (m *AllocateIdsResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_AllocateIdsResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AllocateIdsResponse proto.InternalMessageInfo
-
-func (m *AllocateIdsResponse) GetStart() int64 {
-	if m != nil && m.Start != nil {
-		return *m.Start
-	}
-	return 0
-}
-
-func (m *AllocateIdsResponse) GetEnd() int64 {
-	if m != nil && m.End != nil {
-		return *m.End
-	}
-	return 0
-}
-
-func (m *AllocateIdsResponse) GetCost() *Cost {
-	if m != nil {
-		return m.Cost
-	}
-	return nil
-}
-
-type CompositeIndices struct {
-	Index                []*CompositeIndex `protobuf:"bytes,1,rep,name=index" json:"index,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *CompositeIndices) Reset()         { *m = CompositeIndices{} }
-func (m *CompositeIndices) String() string { return proto.CompactTextString(m) }
-func (*CompositeIndices) ProtoMessage()    {}
-func (*CompositeIndices) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{33}
-}
-func (m *CompositeIndices) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CompositeIndices.Unmarshal(m, b)
-}
-func (m *CompositeIndices) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CompositeIndices.Marshal(b, m, deterministic)
-}
-func (dst *CompositeIndices) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CompositeIndices.Merge(dst, src)
-}
-func (m *CompositeIndices) XXX_Size() int {
-	return xxx_messageInfo_CompositeIndices.Size(m)
-}
-func (m *CompositeIndices) XXX_DiscardUnknown() {
-	xxx_messageInfo_CompositeIndices.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CompositeIndices proto.InternalMessageInfo
-
-func (m *CompositeIndices) GetIndex() []*CompositeIndex {
-	if m != nil {
-		return m.Index
-	}
-	return nil
-}
-
-type AddActionsRequest struct {
-	Header               *InternalHeader `protobuf:"bytes,3,opt,name=header" json:"header,omitempty"`
-	Transaction          *Transaction    `protobuf:"bytes,1,req,name=transaction" json:"transaction,omitempty"`
-	Action               []*Action       `protobuf:"bytes,2,rep,name=action" json:"action,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
-	XXX_unrecognized     []byte          `json:"-"`
-	XXX_sizecache        int32           `json:"-"`
-}
-
-func (m *AddActionsRequest) Reset()         { *m = AddActionsRequest{} }
-func (m *AddActionsRequest) String() string { return proto.CompactTextString(m) }
-func (*AddActionsRequest) ProtoMessage()    {}
-func (*AddActionsRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{34}
-}
-func (m *AddActionsRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_AddActionsRequest.Unmarshal(m, b)
-}
-func (m *AddActionsRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_AddActionsRequest.Marshal(b, m, deterministic)
-}
-func (dst *AddActionsRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AddActionsRequest.Merge(dst, src)
-}
-func (m *AddActionsRequest) XXX_Size() int {
-	return xxx_messageInfo_AddActionsRequest.Size(m)
-}
-func (m *AddActionsRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_AddActionsRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AddActionsRequest proto.InternalMessageInfo
-
-func (m *AddActionsRequest) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *AddActionsRequest) GetTransaction() *Transaction {
-	if m != nil {
-		return m.Transaction
-	}
-	return nil
-}
-
-func (m *AddActionsRequest) GetAction() []*Action {
-	if m != nil {
-		return m.Action
-	}
-	return nil
-}
-
-type AddActionsResponse struct {
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *AddActionsResponse) Reset()         { *m = AddActionsResponse{} }
-func (m *AddActionsResponse) String() string { return proto.CompactTextString(m) }
-func (*AddActionsResponse) ProtoMessage()    {}
-func (*AddActionsResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{35}
-}
-func (m *AddActionsResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_AddActionsResponse.Unmarshal(m, b)
-}
-func (m *AddActionsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_AddActionsResponse.Marshal(b, m, deterministic)
-}
-func (dst *AddActionsResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_AddActionsResponse.Merge(dst, src)
-}
-func (m *AddActionsResponse) XXX_Size() int {
-	return xxx_messageInfo_AddActionsResponse.Size(m)
-}
-func (m *AddActionsResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_AddActionsResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_AddActionsResponse proto.InternalMessageInfo
-
-type BeginTransactionRequest struct {
-	Header               *InternalHeader                          `protobuf:"bytes,3,opt,name=header" json:"header,omitempty"`
-	App                  *string                                  `protobuf:"bytes,1,req,name=app" json:"app,omitempty"`
-	AllowMultipleEg      *bool                                    `protobuf:"varint,2,opt,name=allow_multiple_eg,json=allowMultipleEg,def=0" json:"allow_multiple_eg,omitempty"`
-	DatabaseId           *string                                  `protobuf:"bytes,4,opt,name=database_id,json=databaseId" json:"database_id,omitempty"`
-	Mode                 *BeginTransactionRequest_TransactionMode `protobuf:"varint,5,opt,name=mode,enum=appengine.BeginTransactionRequest_TransactionMode,def=0" json:"mode,omitempty"`
-	PreviousTransaction  *Transaction                             `protobuf:"bytes,7,opt,name=previous_transaction,json=previousTransaction" json:"previous_transaction,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                                 `json:"-"`
-	XXX_unrecognized     []byte                                   `json:"-"`
-	XXX_sizecache        int32                                    `json:"-"`
-}
-
-func (m *BeginTransactionRequest) Reset()         { *m = BeginTransactionRequest{} }
-func (m *BeginTransactionRequest) String() string { return proto.CompactTextString(m) }
-func (*BeginTransactionRequest) ProtoMessage()    {}
-func (*BeginTransactionRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{36}
-}
-func (m *BeginTransactionRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_BeginTransactionRequest.Unmarshal(m, b)
-}
-func (m *BeginTransactionRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_BeginTransactionRequest.Marshal(b, m, deterministic)
-}
-func (dst *BeginTransactionRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_BeginTransactionRequest.Merge(dst, src)
-}
-func (m *BeginTransactionRequest) XXX_Size() int {
-	return xxx_messageInfo_BeginTransactionRequest.Size(m)
-}
-func (m *BeginTransactionRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_BeginTransactionRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_BeginTransactionRequest proto.InternalMessageInfo
-
-const Default_BeginTransactionRequest_AllowMultipleEg bool = false
-const Default_BeginTransactionRequest_Mode BeginTransactionRequest_TransactionMode = BeginTransactionRequest_UNKNOWN
-
-func (m *BeginTransactionRequest) GetHeader() *InternalHeader {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *BeginTransactionRequest) GetApp() string {
-	if m != nil && m.App != nil {
-		return *m.App
-	}
-	return ""
-}
-
-func (m *BeginTransactionRequest) GetAllowMultipleEg() bool {
-	if m != nil && m.AllowMultipleEg != nil {
-		return *m.AllowMultipleEg
-	}
-	return Default_BeginTransactionRequest_AllowMultipleEg
-}
-
-func (m *BeginTransactionRequest) GetDatabaseId() string {
-	if m != nil && m.DatabaseId != nil {
-		return *m.DatabaseId
-	}
-	return ""
-}
-
-func (m *BeginTransactionRequest) GetMode() BeginTransactionRequest_TransactionMode {
-	if m != nil && m.Mode != nil {
-		return *m.Mode
-	}
-	return Default_BeginTransactionRequest_Mode
-}
-
-func (m *BeginTransactionRequest) GetPreviousTransaction() *Transaction {
-	if m != nil {
-		return m.PreviousTransaction
-	}
-	return nil
-}
-
-type CommitResponse struct {
-	Cost                 *Cost                     `protobuf:"bytes,1,opt,name=cost" json:"cost,omitempty"`
-	Version              []*CommitResponse_Version `protobuf:"group,3,rep,name=Version,json=version" json:"version,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}                  `json:"-"`
-	XXX_unrecognized     []byte                    `json:"-"`
-	XXX_sizecache        int32                     `json:"-"`
-}
-
-func (m *CommitResponse) Reset()         { *m = CommitResponse{} }
-func (m *CommitResponse) String() string { return proto.CompactTextString(m) }
-func (*CommitResponse) ProtoMessage()    {}
-func (*CommitResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{37}
-}
-func (m *CommitResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CommitResponse.Unmarshal(m, b)
-}
-func (m *CommitResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CommitResponse.Marshal(b, m, deterministic)
-}
-func (dst *CommitResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CommitResponse.Merge(dst, src)
-}
-func (m *CommitResponse) XXX_Size() int {
-	return xxx_messageInfo_CommitResponse.Size(m)
-}
-func (m *CommitResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_CommitResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CommitResponse proto.InternalMessageInfo
-
-func (m *CommitResponse) GetCost() *Cost {
-	if m != nil {
-		return m.Cost
-	}
-	return nil
-}
-
-func (m *CommitResponse) GetVersion() []*CommitResponse_Version {
-	if m != nil {
-		return m.Version
-	}
-	return nil
-}
-
-type CommitResponse_Version struct {
-	RootEntityKey        *Reference `protobuf:"bytes,4,req,name=root_entity_key,json=rootEntityKey" json:"root_entity_key,omitempty"`
-	Version              *int64     `protobuf:"varint,5,req,name=version" json:"version,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}   `json:"-"`
-	XXX_unrecognized     []byte     `json:"-"`
-	XXX_sizecache        int32      `json:"-"`
-}
-
-func (m *CommitResponse_Version) Reset()         { *m = CommitResponse_Version{} }
-func (m *CommitResponse_Version) String() string { return proto.CompactTextString(m) }
-func (*CommitResponse_Version) ProtoMessage()    {}
-func (*CommitResponse_Version) Descriptor() ([]byte, []int) {
-	return fileDescriptor_datastore_v3_83b17b80c34f6179, []int{37, 0}
-}
-func (m *CommitResponse_Version) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_CommitResponse_Version.Unmarshal(m, b)
-}
-func (m *CommitResponse_Version) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_CommitResponse_Version.Marshal(b, m, deterministic)
-}
-func (dst *CommitResponse_Version) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CommitResponse_Version.Merge(dst, src)
-}
-func (m *CommitResponse_Version) XXX_Size() int {
-	return xxx_messageInfo_CommitResponse_Version.Size(m)
-}
-func (m *CommitResponse_Version) XXX_DiscardUnknown() {
-	xxx_messageInfo_CommitResponse_Version.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_CommitResponse_Version proto.InternalMessageInfo
-
-func (m *CommitResponse_Version) GetRootEntityKey() *Reference {
-	if m != nil {
-		return m.RootEntityKey
-	}
-	return nil
-}
-
-func (m *CommitResponse_Version) GetVersion() int64 {
-	if m != nil && m.Version != nil {
-		return *m.Version
-	}
-	return 0
-}
-
-func init() {
-	proto.RegisterType((*Action)(nil), "appengine.Action")
-	proto.RegisterType((*PropertyValue)(nil), "appengine.PropertyValue")
-	proto.RegisterType((*PropertyValue_PointValue)(nil), "appengine.PropertyValue.PointValue")
-	proto.RegisterType((*PropertyValue_UserValue)(nil), "appengine.PropertyValue.UserValue")
-	proto.RegisterType((*PropertyValue_ReferenceValue)(nil), "appengine.PropertyValue.ReferenceValue")
-	proto.RegisterType((*PropertyValue_ReferenceValue_PathElement)(nil), "appengine.PropertyValue.ReferenceValue.PathElement")
-	proto.RegisterType((*Property)(nil), "appengine.Property")
-	proto.RegisterType((*Path)(nil), "appengine.Path")
-	proto.RegisterType((*Path_Element)(nil), "appengine.Path.Element")
-	proto.RegisterType((*Reference)(nil), "appengine.Reference")
-	proto.RegisterType((*User)(nil), "appengine.User")
-	proto.RegisterType((*EntityProto)(nil), "appengine.EntityProto")
-	proto.RegisterType((*CompositeProperty)(nil), "appengine.CompositeProperty")
-	proto.RegisterType((*Index)(nil), "appengine.Index")
-	proto.RegisterType((*Index_Property)(nil), "appengine.Index.Property")
-	proto.RegisterType((*CompositeIndex)(nil), "appengine.CompositeIndex")
-	proto.RegisterType((*IndexPostfix)(nil), "appengine.IndexPostfix")
-	proto.RegisterType((*IndexPostfix_IndexValue)(nil), "appengine.IndexPostfix.IndexValue")
-	proto.RegisterType((*IndexPosition)(nil), "appengine.IndexPosition")
-	proto.RegisterType((*Snapshot)(nil), "appengine.Snapshot")
-	proto.RegisterType((*InternalHeader)(nil), "appengine.InternalHeader")
-	proto.RegisterType((*Transaction)(nil), "appengine.Transaction")
-	proto.RegisterType((*Query)(nil), "appengine.Query")
-	proto.RegisterType((*Query_Filter)(nil), "appengine.Query.Filter")
-	proto.RegisterType((*Query_Order)(nil), "appengine.Query.Order")
-	proto.RegisterType((*CompiledQuery)(nil), "appengine.CompiledQuery")
-	proto.RegisterType((*CompiledQuery_PrimaryScan)(nil), "appengine.CompiledQuery.PrimaryScan")
-	proto.RegisterType((*CompiledQuery_MergeJoinScan)(nil), "appengine.CompiledQuery.MergeJoinScan")
-	proto.RegisterType((*CompiledQuery_EntityFilter)(nil), "appengine.CompiledQuery.EntityFilter")
-	proto.RegisterType((*CompiledCursor)(nil), "appengine.CompiledCursor")
-	proto.RegisterType((*CompiledCursor_Position)(nil), "appengine.CompiledCursor.Position")
-	proto.RegisterType((*CompiledCursor_Position_IndexValue)(nil), "appengine.CompiledCursor.Position.IndexValue")
-	proto.RegisterType((*Cursor)(nil), "appengine.Cursor")
-	proto.RegisterType((*Error)(nil), "appengine.Error")
-	proto.RegisterType((*Cost)(nil), "appengine.Cost")
-	proto.RegisterType((*Cost_CommitCost)(nil), "appengine.Cost.CommitCost")
-	proto.RegisterType((*GetRequest)(nil), "appengine.GetRequest")
-	proto.RegisterType((*GetResponse)(nil), "appengine.GetResponse")
-	proto.RegisterType((*GetResponse_Entity)(nil), "appengine.GetResponse.Entity")
-	proto.RegisterType((*PutRequest)(nil), "appengine.PutRequest")
-	proto.RegisterType((*PutResponse)(nil), "appengine.PutResponse")
-	proto.RegisterType((*TouchRequest)(nil), "appengine.TouchRequest")
-	proto.RegisterType((*TouchResponse)(nil), "appengine.TouchResponse")
-	proto.RegisterType((*DeleteRequest)(nil), "appengine.DeleteRequest")
-	proto.RegisterType((*DeleteResponse)(nil), "appengine.DeleteResponse")
-	proto.RegisterType((*NextRequest)(nil), "appengine.NextRequest")
-	proto.RegisterType((*QueryResult)(nil), "appengine.QueryResult")
-	proto.RegisterType((*AllocateIdsRequest)(nil), "appengine.AllocateIdsRequest")
-	proto.RegisterType((*AllocateIdsResponse)(nil), "appengine.AllocateIdsResponse")
-	proto.RegisterType((*CompositeIndices)(nil), "appengine.CompositeIndices")
-	proto.RegisterType((*AddActionsRequest)(nil), "appengine.AddActionsRequest")
-	proto.RegisterType((*AddActionsResponse)(nil), "appengine.AddActionsResponse")
-	proto.RegisterType((*BeginTransactionRequest)(nil), "appengine.BeginTransactionRequest")
-	proto.RegisterType((*CommitResponse)(nil), "appengine.CommitResponse")
-	proto.RegisterType((*CommitResponse_Version)(nil), "appengine.CommitResponse.Version")
-}
-
-func init() {
-	proto.RegisterFile("google.golang.org/appengine/internal/datastore/datastore_v3.proto", fileDescriptor_datastore_v3_83b17b80c34f6179)
-}
-
-var fileDescriptor_datastore_v3_83b17b80c34f6179 = []byte{
-	// 4156 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x5a, 0xcd, 0x73, 0xe3, 0x46,
-	0x76, 0x37, 0xc1, 0xef, 0x47, 0x89, 0x82, 0x5a, 0xf3, 0xc1, 0xa1, 0x3f, 0x46, 0xc6, 0xac, 0x6d,
-	0xd9, 0x6b, 0x73, 0x6c, 0xf9, 0x23, 0x5b, 0x4a, 0x76, 0x1d, 0x4a, 0xc4, 0x68, 0x90, 0xa1, 0x48,
-	0xb9, 0x09, 0xd9, 0x9e, 0x5c, 0x50, 0x18, 0xa2, 0x29, 0x21, 0x43, 0x02, 0x30, 0x00, 0x6a, 0x46,
-	0x93, 0xe4, 0x90, 0x4b, 0x2a, 0x55, 0x5b, 0xa9, 0x1c, 0x92, 0x4a, 0x25, 0xf9, 0x07, 0x72, 0xc8,
-	0x39, 0x95, 0xaa, 0x54, 0xf6, 0x98, 0x5b, 0x0e, 0x7b, 0xc9, 0x31, 0x95, 0x73, 0xf2, 0x27, 0x24,
-	0x39, 0xa4, 0xfa, 0x75, 0x03, 0x02, 0x28, 0x4a, 0x23, 0x6d, 0xf6, 0x90, 0x13, 0xd1, 0xef, 0xfd,
-	0xba, 0xf1, 0xfa, 0xf5, 0xfb, 0x6c, 0x10, 0xba, 0xc7, 0xbe, 0x7f, 0x3c, 0x65, 0x9d, 0x63, 0x7f,
-	0x6a, 0x7b, 0xc7, 0x1d, 0x3f, 0x3c, 0x7e, 0x68, 0x07, 0x01, 0xf3, 0x8e, 0x5d, 0x8f, 0x3d, 0x74,
-	0xbd, 0x98, 0x85, 0x9e, 0x3d, 0x7d, 0xe8, 0xd8, 0xb1, 0x1d, 0xc5, 0x7e, 0xc8, 0xce, 0x9f, 0xac,
-	0xd3, 0xcf, 0x3b, 0x41, 0xe8, 0xc7, 0x3e, 0xa9, 0xa7, 0x13, 0xb4, 0x1a, 0x54, 0xba, 0xe3, 0xd8,
-	0xf5, 0x3d, 0xed, 0x1f, 0x2b, 0xb0, 0x7a, 0x18, 0xfa, 0x01, 0x0b, 0xe3, 0xb3, 0x6f, 0xed, 0xe9,
-	0x9c, 0x91, 0x77, 0x00, 0x5c, 0x2f, 0xfe, 0xea, 0x0b, 0x1c, 0xb5, 0x0a, 0x9b, 0x85, 0xad, 0x22,
-	0xcd, 0x50, 0x88, 0x06, 0x2b, 0xcf, 0x7c, 0x7f, 0xca, 0x6c, 0x4f, 0x20, 0x94, 0xcd, 0xc2, 0x56,
-	0x8d, 0xe6, 0x68, 0x64, 0x13, 0x1a, 0x51, 0x1c, 0xba, 0xde, 0xb1, 0x80, 0x14, 0x37, 0x0b, 0x5b,
-	0x75, 0x9a, 0x25, 0x71, 0x84, 0xe3, 0xcf, 0x9f, 0x4d, 0x99, 0x40, 0x94, 0x36, 0x0b, 0x5b, 0x05,
-	0x9a, 0x25, 0x91, 0x3d, 0x80, 0xc0, 0x77, 0xbd, 0xf8, 0x14, 0x01, 0xe5, 0xcd, 0xc2, 0x16, 0x6c,
-	0x3f, 0xe8, 0xa4, 0x7b, 0xe8, 0xe4, 0xa4, 0xee, 0x1c, 0x72, 0x28, 0x3e, 0xd2, 0xcc, 0x34, 0xf2,
-	0xdb, 0x50, 0x9f, 0x47, 0x2c, 0x14, 0x6b, 0xd4, 0x70, 0x0d, 0xed, 0xd2, 0x35, 0x8e, 0x22, 0x16,
-	0x8a, 0x25, 0xce, 0x27, 0x91, 0x21, 0x34, 0x43, 0x36, 0x61, 0x21, 0xf3, 0xc6, 0x4c, 0x2c, 0xb3,
-	0x82, 0xcb, 0x7c, 0x70, 0xe9, 0x32, 0x34, 0x81, 0x8b, 0xb5, 0x16, 0xa6, 0xb7, 0xb7, 0x00, 0xce,
-	0x85, 0x25, 0x2b, 0x50, 0x78, 0xd9, 0xaa, 0x6c, 0x2a, 0x5b, 0x05, 0x5a, 0x78, 0xc9, 0x47, 0x67,
-	0xad, 0xaa, 0x18, 0x9d, 0xb5, 0xff, 0xa9, 0x00, 0xf5, 0x54, 0x26, 0x72, 0x0b, 0xca, 0x6c, 0x66,
-	0xbb, 0xd3, 0x56, 0x7d, 0x53, 0xd9, 0xaa, 0x53, 0x31, 0x20, 0xf7, 0xa1, 0x61, 0xcf, 0xe3, 0x13,
-	0xcb, 0xf1, 0x67, 0xb6, 0xeb, 0xb5, 0x00, 0x79, 0xc0, 0x49, 0x3d, 0xa4, 0x90, 0x36, 0xd4, 0x3c,
-	0x77, 0xfc, 0xdc, 0xb3, 0x67, 0xac, 0xd5, 0xc0, 0x73, 0x48, 0xc7, 0xe4, 0x13, 0x20, 0x13, 0xe6,
-	0xb0, 0xd0, 0x8e, 0x99, 0x63, 0xb9, 0x0e, 0xf3, 0x62, 0x37, 0x3e, 0x6b, 0xdd, 0x46, 0xd4, 0x7a,
-	0xca, 0x31, 0x24, 0x23, 0x0f, 0x0f, 0x42, 0xff, 0xd4, 0x75, 0x58, 0xd8, 0xba, 0xb3, 0x00, 0x3f,
-	0x94, 0x8c, 0xf6, 0xbf, 0x17, 0xa0, 0x99, 0xd7, 0x05, 0x51, 0xa1, 0x68, 0x07, 0x41, 0x6b, 0x15,
-	0xa5, 0xe4, 0x8f, 0xe4, 0x6d, 0x00, 0x2e, 0x8a, 0x15, 0x05, 0xf6, 0x98, 0xb5, 0x6e, 0xe1, 0x5a,
-	0x75, 0x4e, 0x19, 0x71, 0x02, 0x39, 0x82, 0x46, 0x60, 0xc7, 0x27, 0x6c, 0xca, 0x66, 0xcc, 0x8b,
-	0x5b, 0xcd, 0xcd, 0xe2, 0x16, 0x6c, 0x7f, 0x7e, 0x4d, 0xd5, 0x77, 0x0e, 0xed, 0xf8, 0x44, 0x17,
-	0x53, 0x69, 0x76, 0x9d, 0xb6, 0x0e, 0x8d, 0x0c, 0x8f, 0x10, 0x28, 0xc5, 0x67, 0x01, 0x6b, 0xad,
-	0xa1, 0x5c, 0xf8, 0x4c, 0x9a, 0xa0, 0xb8, 0x4e, 0x4b, 0x45, 0xf3, 0x57, 0x5c, 0x87, 0x63, 0x50,
-	0x87, 0xeb, 0x28, 0x22, 0x3e, 0x6b, 0xff, 0x51, 0x86, 0x5a, 0x22, 0x00, 0xe9, 0x42, 0x75, 0xc6,
-	0x6c, 0xcf, 0xf5, 0x8e, 0xd1, 0x69, 0x9a, 0xdb, 0x6f, 0x2e, 0x11, 0xb3, 0x73, 0x20, 0x20, 0x3b,
-	0x30, 0x18, 0x5a, 0x07, 0x7a, 0x77, 0x60, 0x0c, 0xf6, 0x69, 0x32, 0x8f, 0x1f, 0xa6, 0x7c, 0xb4,
-	0xe6, 0xa1, 0x8b, 0x9e, 0x55, 0xa7, 0x20, 0x49, 0x47, 0xa1, 0x9b, 0x0a, 0x51, 0x14, 0x82, 0xe2,
-	0x21, 0x76, 0xa0, 0x9c, 0xb8, 0x88, 0xb2, 0xd5, 0xd8, 0x6e, 0x5d, 0xa6, 0x1c, 0x2a, 0x60, 0xdc,
-	0x20, 0x66, 0xf3, 0x69, 0xec, 0x06, 0x53, 0xee, 0x76, 0xca, 0x56, 0x8d, 0xa6, 0x63, 0xf2, 0x1e,
-	0x40, 0xc4, 0xec, 0x70, 0x7c, 0x62, 0x3f, 0x9b, 0xb2, 0x56, 0x85, 0x7b, 0xf6, 0x4e, 0x79, 0x62,
-	0x4f, 0x23, 0x46, 0x33, 0x0c, 0x62, 0xc3, 0xdd, 0x49, 0x1c, 0x59, 0xb1, 0xff, 0x9c, 0x79, 0xee,
-	0x2b, 0x9b, 0x07, 0x12, 0xcb, 0x0f, 0xf8, 0x0f, 0xfa, 0x58, 0x73, 0xfb, 0xc3, 0x65, 0x5b, 0x7f,
-	0x14, 0x47, 0x66, 0x66, 0xc6, 0x10, 0x27, 0xd0, 0xdb, 0x93, 0x65, 0x64, 0xd2, 0x86, 0xca, 0xd4,
-	0x1f, 0xdb, 0x53, 0xd6, 0xaa, 0x73, 0x2d, 0xec, 0x28, 0xcc, 0xa3, 0x92, 0xa2, 0xfd, 0xb3, 0x02,
-	0x55, 0xa9, 0x47, 0xd2, 0x84, 0x8c, 0x26, 0xd5, 0x37, 0x48, 0x0d, 0x4a, 0xbb, 0xfd, 0xe1, 0xae,
-	0xda, 0xe4, 0x4f, 0xa6, 0xfe, 0xbd, 0xa9, 0xae, 0x71, 0xcc, 0xee, 0x53, 0x53, 0x1f, 0x99, 0x94,
-	0x63, 0x54, 0xb2, 0x0e, 0xab, 0x5d, 0x73, 0x78, 0x60, 0xed, 0x75, 0x4d, 0x7d, 0x7f, 0x48, 0x9f,
-	0xaa, 0x05, 0xb2, 0x0a, 0x75, 0x24, 0xf5, 0x8d, 0xc1, 0x13, 0x55, 0xe1, 0x33, 0x70, 0x68, 0x1a,
-	0x66, 0x5f, 0x57, 0x8b, 0x44, 0x85, 0x15, 0x31, 0x63, 0x38, 0x30, 0xf5, 0x81, 0xa9, 0x96, 0x52,
-	0xca, 0xe8, 0xe8, 0xe0, 0xa0, 0x4b, 0x9f, 0xaa, 0x65, 0xb2, 0x06, 0x0d, 0xa4, 0x74, 0x8f, 0xcc,
-	0xc7, 0x43, 0xaa, 0x56, 0x48, 0x03, 0xaa, 0xfb, 0x3d, 0xeb, 0xbb, 0xc7, 0xfa, 0x40, 0xad, 0x92,
-	0x15, 0xa8, 0xed, 0xf7, 0x2c, 0xfd, 0xa0, 0x6b, 0xf4, 0xd5, 0x1a, 0x9f, 0xbd, 0xaf, 0x0f, 0xe9,
-	0x68, 0x64, 0x1d, 0x0e, 0x8d, 0x81, 0xa9, 0xd6, 0x49, 0x1d, 0xca, 0xfb, 0x3d, 0xcb, 0x38, 0x50,
-	0x81, 0x10, 0x68, 0xee, 0xf7, 0xac, 0xc3, 0xc7, 0xc3, 0x81, 0x3e, 0x38, 0x3a, 0xd8, 0xd5, 0xa9,
-	0xda, 0x20, 0xb7, 0x40, 0xe5, 0xb4, 0xe1, 0xc8, 0xec, 0xf6, 0xbb, 0xbd, 0x1e, 0xd5, 0x47, 0x23,
-	0x75, 0x85, 0x4b, 0xbd, 0xdf, 0xb3, 0x68, 0xd7, 0xe4, 0xfb, 0x5a, 0xe5, 0x2f, 0xe4, 0x7b, 0x7f,
-	0xa2, 0x3f, 0x55, 0xd7, 0xf9, 0x2b, 0xf4, 0x81, 0x69, 0x98, 0x4f, 0xad, 0x43, 0x3a, 0x34, 0x87,
-	0xea, 0x06, 0x17, 0xd0, 0x18, 0xf4, 0xf4, 0xef, 0xad, 0x6f, 0xbb, 0xfd, 0x23, 0x5d, 0x25, 0xda,
-	0x8f, 0xe1, 0xf6, 0xd2, 0x33, 0xe1, 0xaa, 0x7b, 0x6c, 0x1e, 0xf4, 0xd5, 0x02, 0x7f, 0xe2, 0x9b,
-	0x52, 0x15, 0xed, 0x0f, 0xa0, 0xc4, 0x5d, 0x86, 0x7c, 0x06, 0xd5, 0xc4, 0x1b, 0x0b, 0xe8, 0x8d,
-	0x77, 0xb3, 0x67, 0x6d, 0xc7, 0x27, 0x9d, 0xc4, 0xe3, 0x12, 0x5c, 0xbb, 0x0b, 0xd5, 0x45, 0x4f,
-	0x53, 0x2e, 0x78, 0x5a, 0xf1, 0x82, 0xa7, 0x95, 0x32, 0x9e, 0x66, 0x43, 0x3d, 0xf5, 0xed, 0x9b,
-	0x47, 0x91, 0x07, 0x50, 0xe2, 0xde, 0xdf, 0x6a, 0xa2, 0x87, 0xac, 0x2d, 0x08, 0x4c, 0x91, 0xa9,
-	0xfd, 0x43, 0x01, 0x4a, 0x3c, 0xda, 0x9e, 0x07, 0xda, 0xc2, 0x15, 0x81, 0x56, 0xb9, 0x32, 0xd0,
-	0x16, 0xaf, 0x15, 0x68, 0x2b, 0x37, 0x0b, 0xb4, 0xd5, 0x4b, 0x02, 0xad, 0xf6, 0x67, 0x45, 0x68,
-	0xe8, 0x38, 0xf3, 0x10, 0x13, 0xfd, 0xfb, 0x50, 0x7c, 0xce, 0xce, 0x50, 0x3f, 0x8d, 0xed, 0x5b,
-	0x99, 0xdd, 0xa6, 0x2a, 0xa4, 0x1c, 0x40, 0xb6, 0x61, 0x45, 0xbc, 0xd0, 0x3a, 0x0e, 0xfd, 0x79,
-	0xd0, 0x52, 0x97, 0xab, 0xa7, 0x21, 0x40, 0xfb, 0x1c, 0x43, 0xde, 0x83, 0xb2, 0xff, 0xc2, 0x63,
-	0x21, 0xc6, 0xc1, 0x3c, 0x98, 0x2b, 0x8f, 0x0a, 0x2e, 0x79, 0x08, 0xa5, 0xe7, 0xae, 0xe7, 0xe0,
-	0x19, 0xe6, 0x23, 0x61, 0x46, 0xd0, 0xce, 0x13, 0xd7, 0x73, 0x28, 0x02, 0xc9, 0x3d, 0xa8, 0xf1,
-	0x5f, 0x8c, 0x7b, 0x65, 0xdc, 0x68, 0x95, 0x8f, 0x79, 0xd0, 0x7b, 0x08, 0xb5, 0x40, 0xc6, 0x10,
-	0x4c, 0x00, 0x8d, 0xed, 0x8d, 0x25, 0xe1, 0x85, 0xa6, 0x20, 0xf2, 0x15, 0xac, 0x84, 0xf6, 0x0b,
-	0x2b, 0x9d, 0xb4, 0x76, 0xf9, 0xa4, 0x46, 0x68, 0xbf, 0x48, 0x23, 0x38, 0x81, 0x52, 0x68, 0x7b,
-	0xcf, 0x5b, 0x64, 0xb3, 0xb0, 0x55, 0xa6, 0xf8, 0xac, 0x7d, 0x01, 0x25, 0x2e, 0x25, 0x8f, 0x08,
-	0xfb, 0x3d, 0xf4, 0xff, 0xee, 0x9e, 0xa9, 0x16, 0x12, 0x7f, 0xfe, 0x96, 0x47, 0x03, 0x45, 0x72,
-	0x0f, 0xf4, 0xd1, 0xa8, 0xbb, 0xaf, 0xab, 0x45, 0xad, 0x07, 0xeb, 0x7b, 0xfe, 0x2c, 0xf0, 0x23,
-	0x37, 0x66, 0xe9, 0xf2, 0xf7, 0xa0, 0xe6, 0x7a, 0x0e, 0x7b, 0x69, 0xb9, 0x0e, 0x9a, 0x56, 0x91,
-	0x56, 0x71, 0x6c, 0x38, 0xdc, 0xe4, 0x4e, 0x65, 0x31, 0x55, 0xe4, 0x26, 0x87, 0x03, 0xed, 0x2f,
-	0x15, 0x28, 0x1b, 0x1c, 0xc1, 0x8d, 0x4f, 0x9e, 0x14, 0x7a, 0x8f, 0x30, 0x4c, 0x10, 0x24, 0x93,
-	0xfb, 0x50, 0x1b, 0x6a, 0xb6, 0x37, 0x66, 0xbc, 0xe2, 0xc3, 0x3c, 0x50, 0xa3, 0xe9, 0x98, 0x7c,
-	0x99, 0xd1, 0x9f, 0x82, 0x2e, 0x7b, 0x2f, 0xa3, 0x0a, 0x7c, 0xc1, 0x12, 0x2d, 0xb6, 0xff, 0xaa,
-	0x90, 0x49, 0x6e, 0xcb, 0x12, 0x4f, 0x1f, 0xea, 0x8e, 0x1b, 0x32, 0xac, 0x23, 0xe5, 0x41, 0x3f,
-	0xb8, 0x74, 0xe1, 0x4e, 0x2f, 0x81, 0xee, 0xd4, 0xbb, 0xa3, 0x3d, 0x7d, 0xd0, 0xe3, 0x99, 0xef,
-	0x7c, 0x01, 0xed, 0x23, 0xa8, 0xa7, 0x10, 0x0c, 0xc7, 0x09, 0x48, 0x2d, 0x70, 0xf5, 0xf6, 0xf4,
-	0x74, 0xac, 0x68, 0x7f, 0xad, 0x40, 0x33, 0xd5, 0xaf, 0xd0, 0xd0, 0x6d, 0xa8, 0xd8, 0x41, 0x90,
-	0xa8, 0xb6, 0x4e, 0xcb, 0x76, 0x10, 0x18, 0x8e, 0x8c, 0x2d, 0x0a, 0x6a, 0x9b, 0xc7, 0x96, 0x4f,
-	0x01, 0x1c, 0x36, 0x71, 0x3d, 0x17, 0x85, 0x2e, 0xa2, 0xc1, 0xab, 0x8b, 0x42, 0xd3, 0x0c, 0x86,
-	0x7c, 0x09, 0xe5, 0x28, 0xb6, 0x63, 0x91, 0x2b, 0x9b, 0xdb, 0xf7, 0x33, 0xe0, 0xbc, 0x08, 0x9d,
-	0x11, 0x87, 0x51, 0x81, 0x26, 0x5f, 0xc1, 0x2d, 0xdf, 0x9b, 0x9e, 0x59, 0xf3, 0x88, 0x59, 0xee,
-	0xc4, 0x0a, 0xd9, 0x0f, 0x73, 0x37, 0x64, 0x4e, 0x3e, 0xa7, 0xae, 0x73, 0xc8, 0x51, 0xc4, 0x8c,
-	0x09, 0x95, 0x7c, 0xed, 0x6b, 0x28, 0xe3, 0x3a, 0x7c, 0xcf, 0xdf, 0x51, 0xc3, 0xd4, 0xad, 0xe1,
-	0xa0, 0xff, 0x54, 0xe8, 0x80, 0xea, 0xdd, 0x9e, 0x85, 0x44, 0x55, 0xe1, 0xc1, 0xbe, 0xa7, 0xf7,
-	0x75, 0x53, 0xef, 0xa9, 0x45, 0x9e, 0x3d, 0x74, 0x4a, 0x87, 0x54, 0x2d, 0x69, 0xff, 0x53, 0x80,
-	0x15, 0x94, 0xe7, 0xd0, 0x8f, 0xe2, 0x89, 0xfb, 0x92, 0xec, 0x41, 0x43, 0x98, 0xdd, 0xa9, 0x2c,
-	0xe8, 0xb9, 0x33, 0x68, 0x8b, 0x7b, 0x96, 0x68, 0x31, 0x90, 0x75, 0xb4, 0x9b, 0x3e, 0x27, 0x21,
-	0x45, 0x41, 0xa7, 0xbf, 0x22, 0xa4, 0xbc, 0x05, 0x95, 0x67, 0x6c, 0xe2, 0x87, 0x22, 0x04, 0xd6,
-	0x76, 0x4a, 0x71, 0x38, 0x67, 0x54, 0xd2, 0xda, 0x36, 0xc0, 0xf9, 0xfa, 0xe4, 0x01, 0xac, 0x26,
-	0xc6, 0x66, 0xa1, 0x71, 0x89, 0x93, 0x5b, 0x49, 0x88, 0x83, 0x5c, 0x75, 0xa3, 0x5c, 0xab, 0xba,
-	0xd1, 0xbe, 0x86, 0xd5, 0x64, 0x3f, 0xe2, 0xfc, 0x54, 0x21, 0x79, 0x01, 0x63, 0xca, 0x82, 0x8c,
-	0xca, 0x45, 0x19, 0xb5, 0x9f, 0x41, 0x6d, 0xe4, 0xd9, 0x41, 0x74, 0xe2, 0xc7, 0xdc, 0x7a, 0xe2,
-	0x48, 0xfa, 0xaa, 0x12, 0x47, 0x9a, 0x06, 0x15, 0x7e, 0x38, 0xf3, 0x88, 0xbb, 0xbf, 0x31, 0xe8,
-	0xee, 0x99, 0xc6, 0xb7, 0xba, 0xfa, 0x06, 0x01, 0xa8, 0xc8, 0xe7, 0x82, 0xa6, 0x41, 0xd3, 0x90,
-	0xed, 0xd8, 0x63, 0x66, 0x3b, 0x2c, 0xe4, 0x12, 0xfc, 0xe0, 0x47, 0x89, 0x04, 0x3f, 0xf8, 0x91,
-	0xf6, 0x17, 0x05, 0x68, 0x98, 0xa1, 0xed, 0x45, 0xb6, 0x30, 0xf7, 0xcf, 0xa0, 0x72, 0x82, 0x58,
-	0x74, 0xa3, 0xc6, 0x82, 0x7f, 0x66, 0x17, 0xa3, 0x12, 0x48, 0xee, 0x40, 0xe5, 0xc4, 0xf6, 0x9c,
-	0xa9, 0xd0, 0x5a, 0x85, 0xca, 0x51, 0x92, 0x1b, 0x95, 0xf3, 0xdc, 0xb8, 0x05, 0x2b, 0x33, 0x3b,
-	0x7c, 0x6e, 0x8d, 0x4f, 0x6c, 0xef, 0x98, 0x45, 0xf2, 0x60, 0xa4, 0x05, 0x36, 0x38, 0x6b, 0x4f,
-	0x70, 0xb4, 0xbf, 0x5f, 0x81, 0xf2, 0x37, 0x73, 0x16, 0x9e, 0x65, 0x04, 0xfa, 0xe0, 0xba, 0x02,
-	0xc9, 0x17, 0x17, 0x2e, 0x4b, 0xca, 0x6f, 0x2f, 0x26, 0x65, 0x22, 0x53, 0x84, 0xc8, 0x95, 0x22,
-	0x0b, 0x7c, 0x9a, 0x09, 0x63, 0xeb, 0x57, 0xd8, 0xda, 0x79, 0x70, 0x7b, 0x08, 0x95, 0x89, 0x3b,
-	0x8d, 0x51, 0x75, 0x8b, 0xd5, 0x08, 0xee, 0xa5, 0xf3, 0x08, 0xd9, 0x54, 0xc2, 0xc8, 0xbb, 0xb0,
-	0x22, 0x2a, 0x59, 0xeb, 0x07, 0xce, 0xc6, 0x82, 0x95, 0xf7, 0xa6, 0x48, 0x13, 0xbb, 0xff, 0x18,
-	0xca, 0x7e, 0xc8, 0x37, 0x5f, 0xc7, 0x25, 0xef, 0x5c, 0x58, 0x72, 0xc8, 0xb9, 0x54, 0x80, 0xc8,
-	0x87, 0x50, 0x3a, 0x71, 0xbd, 0x18, 0xb3, 0x46, 0x73, 0xfb, 0xf6, 0x05, 0xf0, 0x63, 0xd7, 0x8b,
-	0x29, 0x42, 0x78, 0x98, 0x1f, 0xfb, 0x73, 0x2f, 0x6e, 0xdd, 0xc5, 0x0c, 0x23, 0x06, 0xe4, 0x1e,
-	0x54, 0xfc, 0xc9, 0x24, 0x62, 0x31, 0x76, 0x96, 0xe5, 0x9d, 0xc2, 0xa7, 0x54, 0x12, 0xf8, 0x84,
-	0xa9, 0x3b, 0x73, 0x63, 0xec, 0x43, 0xca, 0x54, 0x0c, 0xc8, 0x2e, 0xac, 0x8d, 0xfd, 0x59, 0xe0,
-	0x4e, 0x99, 0x63, 0x8d, 0xe7, 0x61, 0xe4, 0x87, 0xad, 0x77, 0x2e, 0x1c, 0xd3, 0x9e, 0x44, 0xec,
-	0x21, 0x80, 0x36, 0xc7, 0xb9, 0x31, 0x31, 0x60, 0x83, 0x79, 0x8e, 0xb5, 0xb8, 0xce, 0xfd, 0xd7,
-	0xad, 0xb3, 0xce, 0x3c, 0x27, 0x4f, 0x4a, 0xc4, 0xc1, 0x48, 0x68, 0x61, 0xcc, 0x68, 0x6d, 0x60,
-	0x90, 0xb9, 0x77, 0x69, 0xac, 0x14, 0xe2, 0x64, 0xc2, 0xf7, 0x6f, 0xc0, 0x2d, 0x19, 0x22, 0xad,
-	0x80, 0x85, 0x13, 0x36, 0x8e, 0xad, 0x60, 0x6a, 0x7b, 0x58, 0xca, 0xa5, 0xc6, 0x4a, 0x24, 0xe4,
-	0x50, 0x20, 0x0e, 0xa7, 0xb6, 0x47, 0x34, 0xa8, 0x3f, 0x67, 0x67, 0x91, 0xc5, 0x23, 0x29, 0x76,
-	0xae, 0x29, 0xba, 0xc6, 0xe9, 0x43, 0x6f, 0x7a, 0x46, 0x7e, 0x02, 0x8d, 0xf8, 0xdc, 0xdb, 0xb0,
-	0x61, 0x6d, 0xe4, 0x4e, 0x35, 0xe3, 0x8b, 0x34, 0x0b, 0x25, 0xf7, 0xa1, 0x2a, 0x35, 0xd4, 0xba,
-	0x97, 0x5d, 0x3b, 0xa1, 0xf2, 0xc4, 0x3c, 0xb1, 0xdd, 0xa9, 0x7f, 0xca, 0x42, 0x6b, 0x16, 0xb5,
-	0xda, 0xe2, 0xb6, 0x24, 0x21, 0x1d, 0x44, 0xdc, 0x4f, 0xa3, 0x38, 0xf4, 0xbd, 0xe3, 0xd6, 0x26,
-	0xde, 0x93, 0xc8, 0xd1, 0xc5, 0xe0, 0xf7, 0x2e, 0x66, 0xfe, 0x7c, 0xf0, 0xfb, 0x1c, 0xee, 0x60,
-	0x65, 0x66, 0x3d, 0x3b, 0xb3, 0xf2, 0x68, 0x0d, 0xd1, 0x1b, 0xc8, 0xdd, 0x3d, 0x3b, 0xcc, 0x4e,
-	0x6a, 0x43, 0xcd, 0x71, 0xa3, 0xd8, 0xf5, 0xc6, 0x71, 0xab, 0x85, 0xef, 0x4c, 0xc7, 0xe4, 0x33,
-	0xb8, 0x3d, 0x73, 0x3d, 0x2b, 0xb2, 0x27, 0xcc, 0x8a, 0x5d, 0xee, 0x9b, 0x6c, 0xec, 0x7b, 0x4e,
-	0xd4, 0x7a, 0x80, 0x82, 0x93, 0x99, 0xeb, 0x8d, 0xec, 0x09, 0x33, 0xdd, 0x19, 0x1b, 0x09, 0x0e,
-	0xf9, 0x08, 0xd6, 0x11, 0x1e, 0xb2, 0x60, 0xea, 0x8e, 0x6d, 0xf1, 0xfa, 0x1f, 0xe1, 0xeb, 0xd7,
-	0x38, 0x83, 0x0a, 0x3a, 0xbe, 0xfa, 0x63, 0x68, 0x06, 0x2c, 0x8c, 0xdc, 0x28, 0xb6, 0xa4, 0x45,
-	0xbf, 0x97, 0xd5, 0xda, 0xaa, 0x64, 0x0e, 0x91, 0xd7, 0xfe, 0xcf, 0x02, 0x54, 0x84, 0x73, 0x92,
-	0x4f, 0x41, 0xf1, 0x03, 0xbc, 0x06, 0x69, 0x6e, 0x6f, 0x5e, 0xe2, 0xc1, 0x9d, 0x61, 0xc0, 0xeb,
-	0x5e, 0x3f, 0xa4, 0x8a, 0x1f, 0xdc, 0xb8, 0x28, 0xd4, 0xfe, 0x10, 0x6a, 0xc9, 0x02, 0xbc, 0xbc,
-	0xe8, 0xeb, 0xa3, 0x91, 0x65, 0x3e, 0xee, 0x0e, 0xd4, 0x02, 0xb9, 0x03, 0x24, 0x1d, 0x5a, 0x43,
-	0x6a, 0xe9, 0xdf, 0x1c, 0x75, 0xfb, 0xaa, 0x82, 0x5d, 0x1a, 0xd5, 0xbb, 0xa6, 0x4e, 0x05, 0xb2,
-	0x48, 0xee, 0xc1, 0xed, 0x2c, 0xe5, 0x1c, 0x5c, 0xc2, 0x14, 0x8c, 0x8f, 0x65, 0x52, 0x01, 0xc5,
-	0x18, 0xa8, 0x15, 0x9e, 0x16, 0xf4, 0xef, 0x8d, 0x91, 0x39, 0x52, 0xab, 0xed, 0xbf, 0x29, 0x40,
-	0x19, 0xc3, 0x06, 0x3f, 0x9f, 0x54, 0x72, 0x71, 0x5d, 0x73, 0x5e, 0xb9, 0x1a, 0xd9, 0x92, 0xaa,
-	0x81, 0x01, 0x65, 0x73, 0x79, 0xf4, 0xf9, 0xb5, 0xd6, 0x53, 0x3f, 0x85, 0x12, 0x8f, 0x52, 0xbc,
-	0x43, 0x1c, 0xd2, 0x9e, 0x4e, 0xad, 0x47, 0x06, 0x1d, 0xf1, 0x2a, 0x97, 0x40, 0xb3, 0x3b, 0xd8,
-	0xd3, 0x47, 0xe6, 0x30, 0xa1, 0xa1, 0x56, 0x1e, 0x19, 0x7d, 0x33, 0x45, 0x15, 0xb5, 0x9f, 0xd7,
-	0x60, 0x35, 0x89, 0x09, 0x22, 0x82, 0x3e, 0x82, 0x46, 0x10, 0xba, 0x33, 0x3b, 0x3c, 0x8b, 0xc6,
-	0xb6, 0x87, 0x49, 0x01, 0xb6, 0x7f, 0xb4, 0x24, 0xaa, 0x88, 0x1d, 0x1d, 0x0a, 0xec, 0x68, 0x6c,
-	0x7b, 0x34, 0x3b, 0x91, 0xf4, 0x61, 0x75, 0xc6, 0xc2, 0x63, 0xf6, 0x7b, 0xbe, 0xeb, 0xe1, 0x4a,
-	0x55, 0x8c, 0xc8, 0xef, 0x5f, 0xba, 0xd2, 0x01, 0x47, 0xff, 0x8e, 0xef, 0x7a, 0xb8, 0x56, 0x7e,
-	0x32, 0xf9, 0x04, 0xea, 0xa2, 0x12, 0x72, 0xd8, 0x04, 0x63, 0xc5, 0xb2, 0xda, 0x4f, 0xd4, 0xe8,
-	0x3d, 0x36, 0xc9, 0xc4, 0x65, 0xb8, 0x34, 0x2e, 0x37, 0xb2, 0x71, 0xf9, 0xcd, 0x6c, 0x2c, 0x5a,
-	0x11, 0x55, 0x78, 0x1a, 0x84, 0x2e, 0x38, 0x7c, 0x6b, 0x89, 0xc3, 0x77, 0x60, 0x23, 0xf1, 0x55,
-	0xcb, 0xf5, 0x26, 0xee, 0x4b, 0x2b, 0x72, 0x5f, 0x89, 0xd8, 0x53, 0xa6, 0xeb, 0x09, 0xcb, 0xe0,
-	0x9c, 0x91, 0xfb, 0x8a, 0x11, 0x23, 0xe9, 0xe0, 0x64, 0x0e, 0x5c, 0xc5, 0xab, 0xc9, 0xf7, 0x2e,
-	0x55, 0x8f, 0x68, 0xbe, 0x64, 0x46, 0xcc, 0x4d, 0x6d, 0xff, 0x52, 0x81, 0x46, 0xe6, 0x1c, 0x78,
-	0xf6, 0x16, 0xca, 0x42, 0x61, 0xc5, 0x55, 0x94, 0x50, 0x1f, 0x4a, 0xfa, 0x26, 0xd4, 0xa3, 0xd8,
-	0x0e, 0x63, 0x8b, 0x17, 0x57, 0xb2, 0xdd, 0x45, 0xc2, 0x13, 0x76, 0x46, 0x3e, 0x80, 0x35, 0xc1,
-	0x74, 0xbd, 0xf1, 0x74, 0x1e, 0xb9, 0xa7, 0xa2, 0x99, 0xaf, 0xd1, 0x26, 0x92, 0x8d, 0x84, 0x4a,
-	0xee, 0x42, 0x95, 0x67, 0x21, 0xbe, 0x86, 0x68, 0xfa, 0x2a, 0xcc, 0x73, 0xf8, 0x0a, 0x0f, 0x60,
-	0x95, 0x33, 0xce, 0xe7, 0x57, 0xc4, 0x2d, 0x33, 0xf3, 0x9c, 0xf3, 0xd9, 0x1d, 0xd8, 0x10, 0xaf,
-	0x09, 0x44, 0xf1, 0x2a, 0x2b, 0xdc, 0x3b, 0xa8, 0xd8, 0x75, 0x64, 0xc9, 0xb2, 0x56, 0x14, 0x9c,
-	0x1f, 0x01, 0xcf, 0x5e, 0x0b, 0xe8, 0xbb, 0x22, 0x94, 0x31, 0xcf, 0xc9, 0x61, 0x77, 0xe1, 0x1d,
-	0x8e, 0x9d, 0x7b, 0x76, 0x10, 0x4c, 0x5d, 0xe6, 0x58, 0x53, 0xff, 0x18, 0x43, 0x66, 0x14, 0xdb,
-	0xb3, 0xc0, 0x9a, 0x47, 0xad, 0x0d, 0x0c, 0x99, 0x6d, 0xe6, 0x39, 0x47, 0x09, 0xa8, 0xef, 0x1f,
-	0x9b, 0x09, 0xe4, 0x28, 0x6a, 0xff, 0x3e, 0xac, 0xe6, 0xec, 0x71, 0x41, 0xa7, 0x35, 0x74, 0xfe,
-	0x8c, 0x4e, 0xdf, 0x85, 0x95, 0x20, 0x64, 0xe7, 0xa2, 0xd5, 0x51, 0xb4, 0x86, 0xa0, 0x09, 0xb1,
-	0xb6, 0x60, 0x05, 0x79, 0x96, 0x20, 0xe6, 0xf3, 0x63, 0x03, 0x59, 0x87, 0xc8, 0x69, 0xbf, 0x80,
-	0x95, 0xec, 0x69, 0x93, 0x77, 0x33, 0x69, 0xa1, 0x99, 0xcb, 0x93, 0x69, 0x76, 0x48, 0x2a, 0xb2,
-	0xf5, 0x4b, 0x2a, 0x32, 0x72, 0x9d, 0x8a, 0x4c, 0xfb, 0x2f, 0xd9, 0x9c, 0x65, 0x2a, 0x84, 0x9f,
-	0x41, 0x2d, 0x90, 0xf5, 0x38, 0x5a, 0x52, 0xfe, 0x12, 0x3e, 0x0f, 0xee, 0x24, 0x95, 0x3b, 0x4d,
-	0xe7, 0xb4, 0xff, 0x56, 0x81, 0x5a, 0x5a, 0xd0, 0xe7, 0x2c, 0xef, 0xcd, 0x05, 0xcb, 0x3b, 0x90,
-	0x1a, 0x16, 0x0a, 0x7c, 0x1b, 0xa3, 0xc5, 0x27, 0xaf, 0x7f, 0xd7, 0xc5, 0xb6, 0xe7, 0x34, 0xdb,
-	0xf6, 0x6c, 0xbe, 0xae, 0xed, 0xf9, 0xe4, 0xa2, 0xc1, 0xbf, 0x95, 0xe9, 0x2d, 0x16, 0xcc, 0xbe,
-	0xfd, 0x7d, 0xae, 0x0f, 0xca, 0x26, 0x84, 0x77, 0xc4, 0x7e, 0xd2, 0x84, 0x90, 0xb6, 0x3f, 0xf7,
-	0xaf, 0xd7, 0xfe, 0x6c, 0x43, 0x45, 0xea, 0xfc, 0x0e, 0x54, 0x64, 0x4d, 0x27, 0x1b, 0x04, 0x31,
-	0x3a, 0x6f, 0x10, 0x0a, 0xb2, 0x4e, 0xd7, 0x7e, 0xae, 0x40, 0x59, 0x0f, 0x43, 0x3f, 0xd4, 0xfe,
-	0x48, 0x81, 0x3a, 0x3e, 0xed, 0xf9, 0x0e, 0xe3, 0xd9, 0x60, 0xb7, 0xdb, 0xb3, 0xa8, 0xfe, 0xcd,
-	0x91, 0x8e, 0xd9, 0xa0, 0x0d, 0x77, 0xf6, 0x86, 0x83, 0xbd, 0x23, 0x4a, 0xf5, 0x81, 0x69, 0x99,
-	0xb4, 0x3b, 0x18, 0xf1, 0xb6, 0x67, 0x38, 0x50, 0x15, 0x9e, 0x29, 0x8c, 0x81, 0xa9, 0xd3, 0x41,
-	0xb7, 0x6f, 0x89, 0x56, 0xb4, 0x88, 0x77, 0xb3, 0xba, 0xde, 0xb3, 0xf0, 0xd6, 0x51, 0x2d, 0xf1,
-	0x96, 0xd5, 0x34, 0x0e, 0xf4, 0xe1, 0x91, 0xa9, 0x96, 0xc9, 0x6d, 0x58, 0x3f, 0xd4, 0xe9, 0x81,
-	0x31, 0x1a, 0x19, 0xc3, 0x81, 0xd5, 0xd3, 0x07, 0x86, 0xde, 0x53, 0x2b, 0x7c, 0x9d, 0x5d, 0x63,
-	0xdf, 0xec, 0xee, 0xf6, 0x75, 0xb9, 0x4e, 0x95, 0x6c, 0xc2, 0x5b, 0x7b, 0xc3, 0x83, 0x03, 0xc3,
-	0x34, 0xf5, 0x9e, 0xb5, 0x7b, 0x64, 0x5a, 0x23, 0xd3, 0xe8, 0xf7, 0xad, 0xee, 0xe1, 0x61, 0xff,
-	0x29, 0x4f, 0x60, 0x35, 0x72, 0x17, 0x36, 0xf6, 0xba, 0x87, 0xdd, 0x5d, 0xa3, 0x6f, 0x98, 0x4f,
-	0xad, 0x9e, 0x31, 0xe2, 0xf3, 0x7b, 0x6a, 0x9d, 0x27, 0x6c, 0x93, 0x3e, 0xb5, 0xba, 0x7d, 0x14,
-	0xcd, 0xd4, 0xad, 0xdd, 0xee, 0xde, 0x13, 0x7d, 0xd0, 0x53, 0x81, 0x0b, 0x30, 0xea, 0x3e, 0xd2,
-	0x2d, 0x2e, 0x92, 0x65, 0x0e, 0x87, 0xd6, 0xb0, 0xdf, 0x53, 0x1b, 0xda, 0xbf, 0x14, 0xa1, 0xb4,
-	0xe7, 0x47, 0x31, 0xf7, 0x46, 0xe1, 0xac, 0x2f, 0x42, 0x37, 0x66, 0xa2, 0x7f, 0x2b, 0x53, 0xd1,
-	0x4b, 0x7f, 0x87, 0x24, 0x1e, 0x50, 0x32, 0x10, 0xeb, 0xd9, 0x19, 0xc7, 0x29, 0x88, 0x5b, 0x3b,
-	0xc7, 0xed, 0x72, 0xb2, 0x88, 0x68, 0x78, 0x85, 0x23, 0xd7, 0x2b, 0x22, 0x4e, 0x06, 0x61, 0xb9,
-	0xe0, 0xc7, 0x40, 0xb2, 0x20, 0xb9, 0x62, 0x09, 0x91, 0x6a, 0x06, 0x29, 0x96, 0xdc, 0x01, 0x18,
-	0xfb, 0xb3, 0x99, 0x1b, 0x8f, 0xfd, 0x28, 0x96, 0x5f, 0xc8, 0xda, 0x39, 0x63, 0x8f, 0x62, 0x6e,
-	0xf1, 0x33, 0x37, 0xe6, 0x8f, 0x34, 0x83, 0x26, 0x3b, 0x70, 0xcf, 0x0e, 0x82, 0xd0, 0x7f, 0xe9,
-	0xce, 0xec, 0x98, 0x59, 0xdc, 0x73, 0xed, 0x63, 0x66, 0x39, 0x6c, 0x1a, 0xdb, 0xd8, 0x13, 0x95,
-	0xe9, 0xdd, 0x0c, 0x60, 0x24, 0xf8, 0x3d, 0xce, 0xe6, 0x71, 0xd7, 0x75, 0xac, 0x88, 0xfd, 0x30,
-	0xe7, 0x1e, 0x60, 0xcd, 0x03, 0xc7, 0xe6, 0x62, 0xd6, 0x45, 0x96, 0x72, 0x9d, 0x91, 0xe4, 0x1c,
-	0x09, 0x46, 0xfb, 0x15, 0xc0, 0xb9, 0x14, 0x64, 0x1b, 0x6e, 0xf3, 0x3a, 0x9e, 0x45, 0x31, 0x73,
-	0x2c, 0xb9, 0xdb, 0x60, 0x1e, 0x47, 0x18, 0xe2, 0xcb, 0x74, 0x23, 0x65, 0xca, 0x9b, 0xc2, 0x79,
-	0x1c, 0x91, 0x9f, 0x40, 0xeb, 0xc2, 0x1c, 0x87, 0x4d, 0x19, 0x7f, 0x6d, 0x15, 0xa7, 0xdd, 0x59,
-	0x98, 0xd6, 0x13, 0x5c, 0xed, 0x4f, 0x14, 0x80, 0x7d, 0x16, 0x53, 0xc1, 0xcd, 0x34, 0xb6, 0x95,
-	0xeb, 0x36, 0xb6, 0xef, 0x27, 0x17, 0x08, 0xc5, 0xab, 0x63, 0xc0, 0x42, 0x97, 0xa1, 0xdc, 0xa4,
-	0xcb, 0xc8, 0x35, 0x11, 0xc5, 0x2b, 0x9a, 0x88, 0x52, 0xae, 0x89, 0xf8, 0x18, 0x9a, 0xf6, 0x74,
-	0xea, 0xbf, 0xe0, 0x05, 0x0d, 0x0b, 0x43, 0xe6, 0xa0, 0x11, 0x9c, 0xd7, 0xdb, 0xc8, 0xec, 0x49,
-	0x9e, 0xf6, 0xe7, 0x0a, 0x34, 0x50, 0x15, 0x51, 0xe0, 0x7b, 0x11, 0x23, 0x5f, 0x42, 0x45, 0x5e,
-	0x44, 0x8b, 0x8b, 0xfc, 0xb7, 0x33, 0xb2, 0x66, 0x70, 0xb2, 0x68, 0xa0, 0x12, 0xcc, 0x33, 0x42,
-	0xe6, 0x75, 0x97, 0x2b, 0x25, 0x45, 0x91, 0xfb, 0x50, 0x73, 0x3d, 0x4b, 0xb4, 0xd4, 0x95, 0x4c,
-	0x58, 0xac, 0xba, 0x1e, 0xd6, 0xb2, 0xed, 0x57, 0x50, 0x11, 0x2f, 0x21, 0x9d, 0x54, 0xa6, 0x8b,
-	0xfa, 0xcb, 0xdc, 0x1c, 0xa7, 0xc2, 0xc8, 0xc3, 0x29, 0xbd, 0x2e, 0x40, 0xb7, 0xa0, 0x7a, 0xca,
-	0x9b, 0x0f, 0xbc, 0xf4, 0xe3, 0xea, 0x4d, 0x86, 0xda, 0x1f, 0x97, 0x00, 0x0e, 0xe7, 0x4b, 0x0c,
-	0xa4, 0x71, 0x5d, 0x03, 0xe9, 0xe4, 0xf4, 0xf8, 0x7a, 0x99, 0x7f, 0x75, 0x43, 0x59, 0xd2, 0x69,
-	0x17, 0x6f, 0xda, 0x69, 0xdf, 0x87, 0x6a, 0x1c, 0xce, 0xb9, 0xa3, 0x08, 0x63, 0x4a, 0x5b, 0x5a,
-	0x49, 0x25, 0x6f, 0x42, 0x79, 0xe2, 0x87, 0x63, 0x86, 0x8e, 0x95, 0xb2, 0x05, 0xed, 0xc2, 0x65,
-	0x52, 0xed, 0xb2, 0xcb, 0x24, 0xde, 0xa0, 0x45, 0xf2, 0x1e, 0x0d, 0x0b, 0x99, 0x7c, 0x83, 0x96,
-	0x5c, 0xb1, 0xd1, 0x14, 0x44, 0xbe, 0x81, 0xa6, 0x3d, 0x8f, 0x7d, 0xcb, 0xe5, 0x15, 0xda, 0xd4,
-	0x1d, 0x9f, 0x61, 0xd9, 0xdd, 0xcc, 0x7f, 0xaf, 0x4f, 0x0f, 0xaa, 0xd3, 0x9d, 0xc7, 0xbe, 0xe1,
-	0x1c, 0x22, 0x72, 0xa7, 0x2a, 0x93, 0x12, 0x5d, 0xb1, 0x33, 0x64, 0xed, 0xc7, 0xb0, 0x92, 0x85,
-	0xf1, 0x04, 0x24, 0x81, 0xea, 0x1b, 0x3c, 0x3b, 0x8d, 0x78, 0x6a, 0x1b, 0x98, 0x46, 0xb7, 0xaf,
-	0x16, 0xb4, 0x18, 0x1a, 0xb8, 0xbc, 0xf4, 0x8e, 0xeb, 0xba, 0xfd, 0x03, 0x28, 0x61, 0xf8, 0x55,
-	0x2e, 0x7c, 0x0f, 0xc1, 0x98, 0x8b, 0xcc, 0xbc, 0xf9, 0x15, 0xb3, 0xe6, 0xf7, 0xdf, 0x05, 0x58,
-	0x31, 0xfd, 0xf9, 0xf8, 0xe4, 0xa2, 0x01, 0xc2, 0xaf, 0x3b, 0x42, 0x2d, 0x31, 0x1f, 0xe5, 0xa6,
-	0xe6, 0x93, 0x5a, 0x47, 0x71, 0x89, 0x75, 0xdc, 0xf4, 0xcc, 0xb5, 0x2f, 0x60, 0x55, 0x6e, 0x5e,
-	0x6a, 0x3d, 0xd1, 0x66, 0xe1, 0x0a, 0x6d, 0x6a, 0xbf, 0x50, 0x60, 0x55, 0xc4, 0xf7, 0xff, 0xbb,
-	0xd2, 0x2a, 0x37, 0x0c, 0xeb, 0xe5, 0x1b, 0x5d, 0x1e, 0xfd, 0xbf, 0xf4, 0x34, 0x6d, 0x08, 0xcd,
-	0x44, 0x7d, 0x37, 0x50, 0xfb, 0x15, 0x46, 0xfc, 0x8b, 0x02, 0x34, 0x06, 0xec, 0xe5, 0x92, 0x20,
-	0x5a, 0xbe, 0xee, 0x71, 0x7c, 0x98, 0x2b, 0x57, 0x1b, 0xdb, 0xeb, 0x59, 0x19, 0xc4, 0xd5, 0x63,
-	0x52, 0xc1, 0xa6, 0xb7, 0xa8, 0xca, 0xf2, 0x5b, 0xd4, 0xd2, 0x62, 0xb7, 0x9e, 0xb9, 0xc5, 0x2b,
-	0x2e, 0xbb, 0xc5, 0xd3, 0xfe, 0xad, 0x08, 0x0d, 0x6c, 0x90, 0x29, 0x8b, 0xe6, 0xd3, 0x38, 0x27,
-	0x4c, 0xe1, 0x6a, 0x61, 0x3a, 0x50, 0x09, 0x71, 0x92, 0x74, 0xa5, 0x4b, 0x83, 0xbf, 0x40, 0x61,
-	0x6b, 0xfc, 0xdc, 0x0d, 0x02, 0xe6, 0x58, 0x82, 0x92, 0x14, 0x30, 0x4d, 0x49, 0x16, 0x22, 0x44,
-	0xbc, 0xfc, 0x9c, 0xf9, 0x21, 0x4b, 0x51, 0x45, 0xbc, 0x4f, 0x68, 0x70, 0x5a, 0x02, 0xc9, 0xdd,
-	0x37, 0x88, 0xca, 0xe0, 0xfc, 0xbe, 0x21, 0xed, 0x35, 0x91, 0x5b, 0x47, 0xae, 0xe8, 0x35, 0x91,
-	0xcd, 0xbb, 0xa8, 0x99, 0x3d, 0x9d, 0x5a, 0x7e, 0x10, 0xa1, 0xd3, 0xd4, 0x68, 0x0d, 0x09, 0xc3,
-	0x20, 0x22, 0x5f, 0x43, 0x7a, 0x5d, 0x2c, 0x6f, 0xc9, 0xc5, 0x39, 0xb6, 0x2e, 0xbb, 0x58, 0xa0,
-	0xab, 0xe3, 0xdc, 0xfd, 0xcf, 0x92, 0x1b, 0xea, 0xca, 0x4d, 0x6f, 0xa8, 0x1f, 0x42, 0x59, 0xc4,
-	0xa8, 0xda, 0xeb, 0x62, 0x94, 0xc0, 0x65, 0xed, 0xb3, 0x91, 0xb7, 0xcf, 0x5f, 0x16, 0x80, 0x74,
-	0xa7, 0x53, 0x7f, 0x6c, 0xc7, 0xcc, 0x70, 0xa2, 0x8b, 0x66, 0x7a, 0xed, 0xcf, 0x2e, 0x9f, 0x41,
-	0x7d, 0xe6, 0x3b, 0x6c, 0x6a, 0x25, 0xdf, 0x94, 0x2e, 0xad, 0x7e, 0x10, 0xc6, 0x5b, 0x52, 0x02,
-	0x25, 0xbc, 0xc4, 0x51, 0xb0, 0xee, 0xc0, 0x67, 0xde, 0x84, 0xcd, 0xec, 0x97, 0xb2, 0x14, 0xe1,
-	0x8f, 0xa4, 0x03, 0xd5, 0x90, 0x45, 0x2c, 0x3c, 0x65, 0x57, 0x16, 0x55, 0x09, 0x48, 0x7b, 0x06,
-	0x1b, 0xb9, 0x1d, 0x49, 0x47, 0xbe, 0x85, 0x5f, 0x2b, 0xc3, 0x58, 0x7e, 0xb4, 0x12, 0x03, 0xfe,
-	0x3a, 0xe6, 0x25, 0x9f, 0x41, 0xf9, 0x63, 0xea, 0xf0, 0xc5, 0xab, 0xe2, 0xec, 0x1e, 0xa8, 0x59,
-	0x4d, 0xbb, 0x63, 0x0c, 0x36, 0xf2, 0x54, 0x0a, 0xd7, 0x3b, 0x15, 0xed, 0xef, 0x0a, 0xb0, 0xde,
-	0x75, 0x1c, 0xf1, 0x77, 0xc3, 0x25, 0xaa, 0x2f, 0x5e, 0x57, 0xf5, 0x0b, 0x81, 0x58, 0x84, 0x89,
-	0x6b, 0x05, 0xe2, 0x0f, 0xa1, 0x92, 0xd6, 0x5a, 0xc5, 0x05, 0x77, 0x16, 0x72, 0x51, 0x09, 0xd0,
-	0x6e, 0x01, 0xc9, 0x0a, 0x2b, 0xb4, 0xaa, 0xfd, 0x69, 0x11, 0xee, 0xee, 0xb2, 0x63, 0xd7, 0xcb,
-	0xbe, 0xe2, 0x57, 0xdf, 0xc9, 0xc5, 0x4f, 0x65, 0x9f, 0xc1, 0xba, 0x28, 0xe4, 0x93, 0x7f, 0x62,
-	0x59, 0xec, 0x58, 0x7e, 0x9d, 0x94, 0xb1, 0x6a, 0x0d, 0xf9, 0x07, 0x92, 0xad, 0xe3, 0x7f, 0xc5,
-	0x1c, 0x3b, 0xb6, 0x9f, 0xd9, 0x11, 0xb3, 0x5c, 0x47, 0xfe, 0x59, 0x06, 0x12, 0x92, 0xe1, 0x90,
-	0x21, 0x94, 0xb8, 0x0d, 0xa2, 0xeb, 0x36, 0xb7, 0xb7, 0x33, 0x62, 0x5d, 0xb2, 0x95, 0xac, 0x02,
-	0x0f, 0x7c, 0x87, 0xed, 0x54, 0x8f, 0x06, 0x4f, 0x06, 0xc3, 0xef, 0x06, 0x14, 0x17, 0x22, 0x06,
-	0xdc, 0x0a, 0x42, 0x76, 0xea, 0xfa, 0xf3, 0xc8, 0xca, 0x9e, 0x44, 0xf5, 0xca, 0x94, 0xb8, 0x91,
-	0xcc, 0xc9, 0x10, 0xb5, 0x9f, 0xc2, 0xda, 0xc2, 0xcb, 0x78, 0x6d, 0x26, 0x5f, 0xa7, 0xbe, 0x41,
-	0x56, 0xa1, 0x8e, 0x1f, 0xbb, 0x97, 0x7f, 0xfb, 0xd6, 0xfe, 0xb5, 0x80, 0x57, 0x4c, 0x33, 0x37,
-	0xbe, 0x59, 0x06, 0xfb, 0xcd, 0x7c, 0x06, 0x83, 0xed, 0x77, 0xf3, 0xe6, 0x9b, 0x59, 0xb0, 0xf3,
-	0xad, 0x00, 0xa6, 0x41, 0xa4, 0x6d, 0x43, 0x55, 0xd2, 0xc8, 0x6f, 0xc1, 0x5a, 0xe8, 0xfb, 0x71,
-	0xd2, 0x89, 0x8a, 0x0e, 0xe4, 0xf2, 0x3f, 0xdb, 0xac, 0x72, 0xb0, 0x48, 0x06, 0x4f, 0xf2, 0xbd,
-	0x48, 0x59, 0xfc, 0x0d, 0x44, 0x0e, 0x77, 0x1b, 0xbf, 0x5b, 0x4f, 0xff, 0xb7, 0xfb, 0xbf, 0x01,
-	0x00, 0x00, 0xff, 0xff, 0x35, 0x9f, 0x30, 0x98, 0xf2, 0x2b, 0x00, 0x00,
-}
diff --git a/vendor/google.golang.org/appengine/internal/datastore/datastore_v3.proto b/vendor/google.golang.org/appengine/internal/datastore/datastore_v3.proto
deleted file mode 100644
index 497b4d9a9..000000000
--- a/vendor/google.golang.org/appengine/internal/datastore/datastore_v3.proto
+++ /dev/null
@@ -1,551 +0,0 @@
-syntax = "proto2";
-option go_package = "datastore";
-
-package appengine;
-
-message Action{}
-
-message PropertyValue {
-  optional int64 int64Value = 1;
-  optional bool booleanValue = 2;
-  optional string stringValue = 3;
-  optional double doubleValue = 4;
-
-  optional group PointValue = 5 {
-    required double x = 6;
-    required double y = 7;
-  }
-
-  optional group UserValue = 8 {
-    required string email = 9;
-    required string auth_domain = 10;
-    optional string nickname = 11;
-    optional string federated_identity = 21;
-    optional string federated_provider = 22;
-  }
-
-  optional group ReferenceValue = 12 {
-    required string app = 13;
-    optional string name_space = 20;
-    repeated group PathElement = 14 {
-      required string type = 15;
-      optional int64 id = 16;
-      optional string name = 17;
-    }
-  }
-}
-
-message Property {
-  enum Meaning {
-    NO_MEANING = 0;
-    BLOB = 14;
-    TEXT = 15;
-    BYTESTRING = 16;
-
-    ATOM_CATEGORY = 1;
-    ATOM_LINK = 2;
-    ATOM_TITLE = 3;
-    ATOM_CONTENT = 4;
-    ATOM_SUMMARY = 5;
-    ATOM_AUTHOR = 6;
-
-    GD_WHEN = 7;
-    GD_EMAIL = 8;
-    GEORSS_POINT = 9;
-    GD_IM = 10;
-
-    GD_PHONENUMBER = 11;
-    GD_POSTALADDRESS = 12;
-
-    GD_RATING = 13;
-
-    BLOBKEY = 17;
-    ENTITY_PROTO = 19;
-
-    INDEX_VALUE = 18;
-  };
-
-  optional Meaning meaning = 1 [default = NO_MEANING];
-  optional string meaning_uri = 2;
-
-  required string name = 3;
-
-  required PropertyValue value = 5;
-
-  required bool multiple = 4;
-
-  optional bool searchable = 6 [default=false];
-
-  enum FtsTokenizationOption {
-    HTML = 1;
-    ATOM = 2;
-  }
-
-  optional FtsTokenizationOption fts_tokenization_option = 8;
-
-  optional string locale = 9 [default = "en"];
-}
-
-message Path {
-  repeated group Element = 1 {
-    required string type = 2;
-    optional int64 id = 3;
-    optional string name = 4;
-  }
-}
-
-message Reference {
-  required string app = 13;
-  optional string name_space = 20;
-  required Path path = 14;
-}
-
-message User {
-  required string email = 1;
-  required string auth_domain = 2;
-  optional string nickname = 3;
-  optional string federated_identity = 6;
-  optional string federated_provider = 7;
-}
-
-message EntityProto {
-  required Reference key = 13;
-  required Path entity_group = 16;
-  optional User owner = 17;
-
-  enum Kind {
-    GD_CONTACT = 1;
-    GD_EVENT = 2;
-    GD_MESSAGE = 3;
-  }
-  optional Kind kind = 4;
-  optional string kind_uri = 5;
-
-  repeated Property property = 14;
-  repeated Property raw_property = 15;
-
-  optional int32 rank = 18;
-}
-
-message CompositeProperty {
-  required int64 index_id = 1;
-  repeated string value = 2;
-}
-
-message Index {
-  required string entity_type = 1;
-  required bool ancestor = 5;
-  repeated group Property = 2 {
-    required string name = 3;
-    enum Direction {
-      ASCENDING = 1;
-      DESCENDING = 2;
-    }
-    optional Direction direction = 4 [default = ASCENDING];
-  }
-}
-
-message CompositeIndex {
-  required string app_id = 1;
-  required int64 id = 2;
-  required Index definition = 3;
-
-  enum State {
-    WRITE_ONLY = 1;
-    READ_WRITE = 2;
-    DELETED = 3;
-    ERROR = 4;
-  }
-  required State state = 4;
-
-  optional bool only_use_if_required = 6 [default = false];
-}
-
-message IndexPostfix {
-  message IndexValue {
-    required string property_name = 1;
-    required PropertyValue value = 2;
-  }
-
-  repeated IndexValue index_value = 1;
-
-  optional Reference key = 2;
-
-  optional bool before = 3 [default=true];
-}
-
-message IndexPosition {
-  optional string key = 1;
-
-  optional bool before = 2 [default=true];
-}
-
-message Snapshot {
-  enum Status {
-    INACTIVE = 0;
-    ACTIVE = 1;
-  }
-
-  required int64 ts = 1;
-}
-
-message InternalHeader {
-  optional string qos = 1;
-}
-
-message Transaction {
-  optional InternalHeader header = 4;
-  required fixed64 handle = 1;
-  required string app = 2;
-  optional bool mark_changes = 3 [default = false];
-}
-
-message Query {
-  optional InternalHeader header = 39;
-
-  required string app = 1;
-  optional string name_space = 29;
-
-  optional string kind = 3;
-  optional Reference ancestor = 17;
-
-  repeated group Filter = 4 {
-    enum Operator {
-      LESS_THAN = 1;
-      LESS_THAN_OR_EQUAL = 2;
-      GREATER_THAN = 3;
-      GREATER_THAN_OR_EQUAL = 4;
-      EQUAL = 5;
-      IN = 6;
-      EXISTS = 7;
-    }
-
-    required Operator op = 6;
-    repeated Property property = 14;
-  }
-
-  optional string search_query = 8;
-
-  repeated group Order = 9 {
-    enum Direction {
-      ASCENDING = 1;
-      DESCENDING = 2;
-    }
-
-    required string property = 10;
-    optional Direction direction = 11 [default = ASCENDING];
-  }
-
-  enum Hint {
-    ORDER_FIRST = 1;
-    ANCESTOR_FIRST = 2;
-    FILTER_FIRST = 3;
-  }
-  optional Hint hint = 18;
-
-  optional int32 count = 23;
-
-  optional int32 offset = 12 [default = 0];
-
-  optional int32 limit = 16;
-
-  optional CompiledCursor compiled_cursor = 30;
-  optional CompiledCursor end_compiled_cursor = 31;
-
-  repeated CompositeIndex composite_index = 19;
-
-  optional bool require_perfect_plan = 20 [default = false];
-
-  optional bool keys_only = 21 [default = false];
-
-  optional Transaction transaction = 22;
-
-  optional bool compile = 25 [default = false];
-
-  optional int64 failover_ms = 26;
-
-  optional bool strong = 32;
-
-  repeated string property_name = 33;
-
-  repeated string group_by_property_name = 34;
-
-  optional bool distinct = 24;
-
-  optional int64 min_safe_time_seconds = 35;
-
-  repeated string safe_replica_name = 36;
-
-  optional bool persist_offset = 37 [default=false];
-}
-
-message CompiledQuery {
-  required group PrimaryScan = 1 {
-    optional string index_name = 2;
-
-    optional string start_key = 3;
-    optional bool start_inclusive = 4;
-    optional string end_key = 5;
-    optional bool end_inclusive = 6;
-
-    repeated string start_postfix_value = 22;
-    repeated string end_postfix_value = 23;
-
-    optional int64 end_unapplied_log_timestamp_us = 19;
-  }
-
-  repeated group MergeJoinScan = 7 {
-    required string index_name = 8;
-
-    repeated string prefix_value = 9;
-
-    optional bool value_prefix = 20 [default=false];
-  }
-
-  optional Index index_def = 21;
-
-  optional int32 offset = 10 [default = 0];
-
-  optional int32 limit = 11;
-
-  required bool keys_only = 12;
-
-  repeated string property_name = 24;
-
-  optional int32 distinct_infix_size = 25;
-
-  optional group EntityFilter = 13 {
-    optional bool distinct = 14 [default=false];
-
-    optional string kind = 17;
-    optional Reference ancestor = 18;
-  }
-}
-
-message CompiledCursor {
-  optional group Position = 2 {
-    optional string start_key = 27;
-
-    repeated group IndexValue = 29 {
-      optional string property = 30;
-      required PropertyValue value = 31;
-    }
-
-    optional Reference key = 32;
-
-    optional bool start_inclusive = 28 [default=true];
-  }
-}
-
-message Cursor {
-  required fixed64 cursor = 1;
-
-  optional string app = 2;
-}
-
-message Error {
-  enum ErrorCode {
-    BAD_REQUEST = 1;
-    CONCURRENT_TRANSACTION = 2;
-    INTERNAL_ERROR = 3;
-    NEED_INDEX = 4;
-    TIMEOUT = 5;
-    PERMISSION_DENIED = 6;
-    BIGTABLE_ERROR = 7;
-    COMMITTED_BUT_STILL_APPLYING = 8;
-    CAPABILITY_DISABLED = 9;
-    TRY_ALTERNATE_BACKEND = 10;
-    SAFE_TIME_TOO_OLD = 11;
-  }
-}
-
-message Cost {
-  optional int32 index_writes = 1;
-  optional int32 index_write_bytes = 2;
-  optional int32 entity_writes = 3;
-  optional int32 entity_write_bytes = 4;
-  optional group CommitCost = 5 {
-    optional int32 requested_entity_puts = 6;
-    optional int32 requested_entity_deletes = 7;
-  };
-  optional int32 approximate_storage_delta = 8;
-  optional int32 id_sequence_updates = 9;
-}
-
-message GetRequest {
-  optional InternalHeader header = 6;
-
-  repeated Reference key = 1;
-  optional Transaction transaction = 2;
-
-  optional int64 failover_ms = 3;
-
-  optional bool strong = 4;
-
-  optional bool allow_deferred = 5 [default=false];
-}
-
-message GetResponse {
-  repeated group Entity = 1 {
-    optional EntityProto entity = 2;
-    optional Reference key = 4;
-
-    optional int64 version = 3;
-  }
-
-  repeated Reference deferred = 5;
-
-  optional bool in_order = 6 [default=true];
-}
-
-message PutRequest {
-  optional InternalHeader header = 11;
-
-  repeated EntityProto entity = 1;
-  optional Transaction transaction = 2;
-  repeated CompositeIndex composite_index = 3;
-
-  optional bool trusted = 4 [default = false];
-
-  optional bool force = 7 [default = false];
-
-  optional bool mark_changes = 8 [default = false];
-  repeated Snapshot snapshot = 9;
-
-  enum AutoIdPolicy {
-    CURRENT = 0;
-    SEQUENTIAL = 1;
-  }
-  optional AutoIdPolicy auto_id_policy = 10 [default = CURRENT];
-}
-
-message PutResponse {
-  repeated Reference key = 1;
-  optional Cost cost = 2;
-  repeated int64 version = 3;
-}
-
-message TouchRequest {
-  optional InternalHeader header = 10;
-
-  repeated Reference key = 1;
-  repeated CompositeIndex composite_index = 2;
-  optional bool force = 3 [default = false];
-  repeated Snapshot snapshot = 9;
-}
-
-message TouchResponse {
-  optional Cost cost = 1;
-}
-
-message DeleteRequest {
-  optional InternalHeader header = 10;
-
-  repeated Reference key = 6;
-  optional Transaction transaction = 5;
-
-  optional bool trusted = 4 [default = false];
-
-  optional bool force = 7 [default = false];
-
-  optional bool mark_changes = 8 [default = false];
-  repeated Snapshot snapshot = 9;
-}
-
-message DeleteResponse {
-  optional Cost cost = 1;
-  repeated int64 version = 3;
-}
-
-message NextRequest {
-  optional InternalHeader header = 5;
-
-  required Cursor cursor = 1;
-  optional int32 count = 2;
-
-  optional int32 offset = 4 [default = 0];
-
-  optional bool compile = 3 [default = false];
-}
-
-message QueryResult {
-  optional Cursor cursor = 1;
-
-  repeated EntityProto result = 2;
-
-  optional int32 skipped_results = 7;
-
-  required bool more_results = 3;
-
-  optional bool keys_only = 4;
-
-  optional bool index_only = 9;
-
-  optional bool small_ops = 10;
-
-  optional CompiledQuery compiled_query = 5;
-
-  optional CompiledCursor compiled_cursor = 6;
-
-  repeated CompositeIndex index = 8;
-
-  repeated int64 version = 11;
-}
-
-message AllocateIdsRequest {
-  optional InternalHeader header = 4;
-
-  optional Reference model_key = 1;
-
-  optional int64 size = 2;
-
-  optional int64 max = 3;
-
-  repeated Reference reserve = 5;
-}
-
-message AllocateIdsResponse {
-  required int64 start = 1;
-  required int64 end = 2;
-  optional Cost cost = 3;
-}
-
-message CompositeIndices {
-  repeated CompositeIndex index = 1;
-}
-
-message AddActionsRequest {
-  optional InternalHeader header = 3;
-
-  required Transaction transaction = 1;
-  repeated Action action = 2;
-}
-
-message AddActionsResponse {
-}
-
-message BeginTransactionRequest {
-  optional InternalHeader header = 3;
-
-  required string app = 1;
-  optional bool allow_multiple_eg = 2 [default = false];
-  optional string database_id = 4;
-
-  enum TransactionMode {
-    UNKNOWN = 0;
-    READ_ONLY = 1;
-    READ_WRITE = 2;
-  }
-  optional TransactionMode mode = 5 [default = UNKNOWN];
-
-  optional Transaction previous_transaction = 7;
-}
-
-message CommitResponse {
-  optional Cost cost = 1;
-
-  repeated group Version = 3 {
-    required Reference root_entity_key = 4;
-    required int64 version = 5;
-  }
-}
diff --git a/vendor/google.golang.org/appengine/internal/identity.go b/vendor/google.golang.org/appengine/internal/identity.go
deleted file mode 100644
index 0f95aa91d..000000000
--- a/vendor/google.golang.org/appengine/internal/identity.go
+++ /dev/null
@@ -1,54 +0,0 @@
-// Copyright 2011 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-package internal
-
-import (
-	"context"
-	"os"
-)
-
-var (
-	// This is set to true in identity_classic.go, which is behind the appengine build tag.
-	// The appengine build tag is set for the first generation runtimes (<= Go 1.9) but not
-	// the second generation runtimes (>= Go 1.11), so this indicates whether we're on a
-	// first-gen runtime. See IsStandard below for the second-gen check.
-	appengineStandard bool
-
-	// This is set to true in identity_flex.go, which is behind the appenginevm build tag.
-	appengineFlex bool
-)
-
-// AppID is the implementation of the wrapper function of the same name in
-// ../identity.go. See that file for commentary.
-func AppID(c context.Context) string {
-	return appID(FullyQualifiedAppID(c))
-}
-
-// IsStandard is the implementation of the wrapper function of the same name in
-// ../appengine.go. See that file for commentary.
-func IsStandard() bool {
-	// appengineStandard will be true for first-gen runtimes (<= Go 1.9) but not
-	// second-gen (>= Go 1.11).
-	return appengineStandard || IsSecondGen()
-}
-
-// IsSecondGen is the implementation of the wrapper function of the same name in
-// ../appengine.go. See that file for commentary.
-func IsSecondGen() bool {
-	// Second-gen runtimes set $GAE_ENV so we use that to check if we're on a second-gen runtime.
-	return os.Getenv("GAE_ENV") == "standard"
-}
-
-// IsFlex is the implementation of the wrapper function of the same name in
-// ../appengine.go. See that file for commentary.
-func IsFlex() bool {
-	return appengineFlex
-}
-
-// IsAppEngine is the implementation of the wrapper function of the same name in
-// ../appengine.go. See that file for commentary.
-func IsAppEngine() bool {
-	return IsStandard() || IsFlex()
-}
diff --git a/vendor/google.golang.org/appengine/internal/identity_classic.go b/vendor/google.golang.org/appengine/internal/identity_classic.go
deleted file mode 100644
index 5ad3548bf..000000000
--- a/vendor/google.golang.org/appengine/internal/identity_classic.go
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright 2015 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-//go:build appengine
-// +build appengine
-
-package internal
-
-import (
-	"context"
-
-	"appengine"
-)
-
-func init() {
-	appengineStandard = true
-}
-
-func DefaultVersionHostname(ctx context.Context) string {
-	c := fromContext(ctx)
-	if c == nil {
-		panic(errNotAppEngineContext)
-	}
-	return appengine.DefaultVersionHostname(c)
-}
-
-func Datacenter(_ context.Context) string { return appengine.Datacenter() }
-func ServerSoftware() string              { return appengine.ServerSoftware() }
-func InstanceID() string                  { return appengine.InstanceID() }
-func IsDevAppServer() bool                { return appengine.IsDevAppServer() }
-
-func RequestID(ctx context.Context) string {
-	c := fromContext(ctx)
-	if c == nil {
-		panic(errNotAppEngineContext)
-	}
-	return appengine.RequestID(c)
-}
-
-func ModuleName(ctx context.Context) string {
-	c := fromContext(ctx)
-	if c == nil {
-		panic(errNotAppEngineContext)
-	}
-	return appengine.ModuleName(c)
-}
-func VersionID(ctx context.Context) string {
-	c := fromContext(ctx)
-	if c == nil {
-		panic(errNotAppEngineContext)
-	}
-	return appengine.VersionID(c)
-}
-
-func fullyQualifiedAppID(ctx context.Context) string {
-	c := fromContext(ctx)
-	if c == nil {
-		panic(errNotAppEngineContext)
-	}
-	return c.FullyQualifiedAppID()
-}
diff --git a/vendor/google.golang.org/appengine/internal/identity_flex.go b/vendor/google.golang.org/appengine/internal/identity_flex.go
deleted file mode 100644
index 4201b6b58..000000000
--- a/vendor/google.golang.org/appengine/internal/identity_flex.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// Copyright 2018 Google LLC. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-//go:build appenginevm
-// +build appenginevm
-
-package internal
-
-func init() {
-	appengineFlex = true
-}
diff --git a/vendor/google.golang.org/appengine/internal/identity_vm.go b/vendor/google.golang.org/appengine/internal/identity_vm.go
deleted file mode 100644
index 18ddda3a4..000000000
--- a/vendor/google.golang.org/appengine/internal/identity_vm.go
+++ /dev/null
@@ -1,134 +0,0 @@
-// Copyright 2011 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-//go:build !appengine
-// +build !appengine
-
-package internal
-
-import (
-	"context"
-	"log"
-	"net/http"
-	"os"
-	"strings"
-)
-
-// These functions are implementations of the wrapper functions
-// in ../appengine/identity.go. See that file for commentary.
-
-const (
-	hDefaultVersionHostname = "X-AppEngine-Default-Version-Hostname"
-	hRequestLogId           = "X-AppEngine-Request-Log-Id"
-	hDatacenter             = "X-AppEngine-Datacenter"
-)
-
-func ctxHeaders(ctx context.Context) http.Header {
-	c := fromContext(ctx)
-	if c == nil {
-		return nil
-	}
-	return c.Request().Header
-}
-
-func DefaultVersionHostname(ctx context.Context) string {
-	return ctxHeaders(ctx).Get(hDefaultVersionHostname)
-}
-
-func RequestID(ctx context.Context) string {
-	return ctxHeaders(ctx).Get(hRequestLogId)
-}
-
-func Datacenter(ctx context.Context) string {
-	if dc := ctxHeaders(ctx).Get(hDatacenter); dc != "" {
-		return dc
-	}
-	// If the header isn't set, read zone from the metadata service.
-	// It has the format projects/[NUMERIC_PROJECT_ID]/zones/[ZONE]
-	zone, err := getMetadata("instance/zone")
-	if err != nil {
-		log.Printf("Datacenter: %v", err)
-		return ""
-	}
-	parts := strings.Split(string(zone), "/")
-	if len(parts) == 0 {
-		return ""
-	}
-	return parts[len(parts)-1]
-}
-
-func ServerSoftware() string {
-	// TODO(dsymonds): Remove fallback when we've verified this.
-	if s := os.Getenv("SERVER_SOFTWARE"); s != "" {
-		return s
-	}
-	if s := os.Getenv("GAE_ENV"); s != "" {
-		return s
-	}
-	return "Google App Engine/1.x.x"
-}
-
-// TODO(dsymonds): Remove the metadata fetches.
-
-func ModuleName(_ context.Context) string {
-	if s := os.Getenv("GAE_MODULE_NAME"); s != "" {
-		return s
-	}
-	if s := os.Getenv("GAE_SERVICE"); s != "" {
-		return s
-	}
-	return string(mustGetMetadata("instance/attributes/gae_backend_name"))
-}
-
-func VersionID(_ context.Context) string {
-	if s1, s2 := os.Getenv("GAE_MODULE_VERSION"), os.Getenv("GAE_MINOR_VERSION"); s1 != "" && s2 != "" {
-		return s1 + "." + s2
-	}
-	if s1, s2 := os.Getenv("GAE_VERSION"), os.Getenv("GAE_DEPLOYMENT_ID"); s1 != "" && s2 != "" {
-		return s1 + "." + s2
-	}
-	return string(mustGetMetadata("instance/attributes/gae_backend_version")) + "." + string(mustGetMetadata("instance/attributes/gae_backend_minor_version"))
-}
-
-func InstanceID() string {
-	if s := os.Getenv("GAE_MODULE_INSTANCE"); s != "" {
-		return s
-	}
-	if s := os.Getenv("GAE_INSTANCE"); s != "" {
-		return s
-	}
-	return string(mustGetMetadata("instance/attributes/gae_backend_instance"))
-}
-
-func partitionlessAppID() string {
-	// gae_project has everything except the partition prefix.
-	if appID := os.Getenv("GAE_LONG_APP_ID"); appID != "" {
-		return appID
-	}
-	if project := os.Getenv("GOOGLE_CLOUD_PROJECT"); project != "" {
-		return project
-	}
-	return string(mustGetMetadata("instance/attributes/gae_project"))
-}
-
-func fullyQualifiedAppID(_ context.Context) string {
-	if s := os.Getenv("GAE_APPLICATION"); s != "" {
-		return s
-	}
-	appID := partitionlessAppID()
-
-	part := os.Getenv("GAE_PARTITION")
-	if part == "" {
-		part = string(mustGetMetadata("instance/attributes/gae_partition"))
-	}
-
-	if part != "" {
-		appID = part + "~" + appID
-	}
-	return appID
-}
-
-func IsDevAppServer() bool {
-	return os.Getenv("RUN_WITH_DEVAPPSERVER") != "" || os.Getenv("GAE_ENV") == "localdev"
-}
diff --git a/vendor/google.golang.org/appengine/internal/internal.go b/vendor/google.golang.org/appengine/internal/internal.go
deleted file mode 100644
index 051ea3980..000000000
--- a/vendor/google.golang.org/appengine/internal/internal.go
+++ /dev/null
@@ -1,110 +0,0 @@
-// Copyright 2011 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-// Package internal provides support for package appengine.
-//
-// Programs should not use this package directly. Its API is not stable.
-// Use packages appengine and appengine/* instead.
-package internal
-
-import (
-	"fmt"
-
-	"github.com/golang/protobuf/proto"
-
-	remotepb "google.golang.org/appengine/internal/remote_api"
-)
-
-// errorCodeMaps is a map of service name to the error code map for the service.
-var errorCodeMaps = make(map[string]map[int32]string)
-
-// RegisterErrorCodeMap is called from API implementations to register their
-// error code map. This should only be called from init functions.
-func RegisterErrorCodeMap(service string, m map[int32]string) {
-	errorCodeMaps[service] = m
-}
-
-type timeoutCodeKey struct {
-	service string
-	code    int32
-}
-
-// timeoutCodes is the set of service+code pairs that represent timeouts.
-var timeoutCodes = make(map[timeoutCodeKey]bool)
-
-func RegisterTimeoutErrorCode(service string, code int32) {
-	timeoutCodes[timeoutCodeKey{service, code}] = true
-}
-
-// APIError is the type returned by appengine.Context's Call method
-// when an API call fails in an API-specific way. This may be, for instance,
-// a taskqueue API call failing with TaskQueueServiceError::UNKNOWN_QUEUE.
-type APIError struct {
-	Service string
-	Detail  string
-	Code    int32 // API-specific error code
-}
-
-func (e *APIError) Error() string {
-	if e.Code == 0 {
-		if e.Detail == "" {
-			return "APIError <empty>"
-		}
-		return e.Detail
-	}
-	s := fmt.Sprintf("API error %d", e.Code)
-	if m, ok := errorCodeMaps[e.Service]; ok {
-		s += " (" + e.Service + ": " + m[e.Code] + ")"
-	} else {
-		// Shouldn't happen, but provide a bit more detail if it does.
-		s = e.Service + " " + s
-	}
-	if e.Detail != "" {
-		s += ": " + e.Detail
-	}
-	return s
-}
-
-func (e *APIError) IsTimeout() bool {
-	return timeoutCodes[timeoutCodeKey{e.Service, e.Code}]
-}
-
-// CallError is the type returned by appengine.Context's Call method when an
-// API call fails in a generic way, such as RpcError::CAPABILITY_DISABLED.
-type CallError struct {
-	Detail string
-	Code   int32
-	// TODO: Remove this if we get a distinguishable error code.
-	Timeout bool
-}
-
-func (e *CallError) Error() string {
-	var msg string
-	switch remotepb.RpcError_ErrorCode(e.Code) {
-	case remotepb.RpcError_UNKNOWN:
-		return e.Detail
-	case remotepb.RpcError_OVER_QUOTA:
-		msg = "Over quota"
-	case remotepb.RpcError_CAPABILITY_DISABLED:
-		msg = "Capability disabled"
-	case remotepb.RpcError_CANCELLED:
-		msg = "Canceled"
-	default:
-		msg = fmt.Sprintf("Call error %d", e.Code)
-	}
-	s := msg + ": " + e.Detail
-	if e.Timeout {
-		s += " (timeout)"
-	}
-	return s
-}
-
-func (e *CallError) IsTimeout() bool {
-	return e.Timeout
-}
-
-// NamespaceMods is a map from API service to a function that will mutate an RPC request to attach a namespace.
-// The function should be prepared to be called on the same message more than once; it should only modify the
-// RPC request the first time.
-var NamespaceMods = make(map[string]func(m proto.Message, namespace string))
diff --git a/vendor/google.golang.org/appengine/internal/log/log_service.pb.go b/vendor/google.golang.org/appengine/internal/log/log_service.pb.go
deleted file mode 100644
index 8545ac4ad..000000000
--- a/vendor/google.golang.org/appengine/internal/log/log_service.pb.go
+++ /dev/null
@@ -1,1313 +0,0 @@
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// source: google.golang.org/appengine/internal/log/log_service.proto
-
-package log
-
-import proto "github.com/golang/protobuf/proto"
-import fmt "fmt"
-import math "math"
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
-
-type LogServiceError_ErrorCode int32
-
-const (
-	LogServiceError_OK              LogServiceError_ErrorCode = 0
-	LogServiceError_INVALID_REQUEST LogServiceError_ErrorCode = 1
-	LogServiceError_STORAGE_ERROR   LogServiceError_ErrorCode = 2
-)
-
-var LogServiceError_ErrorCode_name = map[int32]string{
-	0: "OK",
-	1: "INVALID_REQUEST",
-	2: "STORAGE_ERROR",
-}
-var LogServiceError_ErrorCode_value = map[string]int32{
-	"OK":              0,
-	"INVALID_REQUEST": 1,
-	"STORAGE_ERROR":   2,
-}
-
-func (x LogServiceError_ErrorCode) Enum() *LogServiceError_ErrorCode {
-	p := new(LogServiceError_ErrorCode)
-	*p = x
-	return p
-}
-func (x LogServiceError_ErrorCode) String() string {
-	return proto.EnumName(LogServiceError_ErrorCode_name, int32(x))
-}
-func (x *LogServiceError_ErrorCode) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(LogServiceError_ErrorCode_value, data, "LogServiceError_ErrorCode")
-	if err != nil {
-		return err
-	}
-	*x = LogServiceError_ErrorCode(value)
-	return nil
-}
-func (LogServiceError_ErrorCode) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{0, 0}
-}
-
-type LogServiceError struct {
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *LogServiceError) Reset()         { *m = LogServiceError{} }
-func (m *LogServiceError) String() string { return proto.CompactTextString(m) }
-func (*LogServiceError) ProtoMessage()    {}
-func (*LogServiceError) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{0}
-}
-func (m *LogServiceError) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogServiceError.Unmarshal(m, b)
-}
-func (m *LogServiceError) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogServiceError.Marshal(b, m, deterministic)
-}
-func (dst *LogServiceError) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogServiceError.Merge(dst, src)
-}
-func (m *LogServiceError) XXX_Size() int {
-	return xxx_messageInfo_LogServiceError.Size(m)
-}
-func (m *LogServiceError) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogServiceError.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LogServiceError proto.InternalMessageInfo
-
-type UserAppLogLine struct {
-	TimestampUsec        *int64   `protobuf:"varint,1,req,name=timestamp_usec,json=timestampUsec" json:"timestamp_usec,omitempty"`
-	Level                *int64   `protobuf:"varint,2,req,name=level" json:"level,omitempty"`
-	Message              *string  `protobuf:"bytes,3,req,name=message" json:"message,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *UserAppLogLine) Reset()         { *m = UserAppLogLine{} }
-func (m *UserAppLogLine) String() string { return proto.CompactTextString(m) }
-func (*UserAppLogLine) ProtoMessage()    {}
-func (*UserAppLogLine) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{1}
-}
-func (m *UserAppLogLine) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_UserAppLogLine.Unmarshal(m, b)
-}
-func (m *UserAppLogLine) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_UserAppLogLine.Marshal(b, m, deterministic)
-}
-func (dst *UserAppLogLine) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserAppLogLine.Merge(dst, src)
-}
-func (m *UserAppLogLine) XXX_Size() int {
-	return xxx_messageInfo_UserAppLogLine.Size(m)
-}
-func (m *UserAppLogLine) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserAppLogLine.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserAppLogLine proto.InternalMessageInfo
-
-func (m *UserAppLogLine) GetTimestampUsec() int64 {
-	if m != nil && m.TimestampUsec != nil {
-		return *m.TimestampUsec
-	}
-	return 0
-}
-
-func (m *UserAppLogLine) GetLevel() int64 {
-	if m != nil && m.Level != nil {
-		return *m.Level
-	}
-	return 0
-}
-
-func (m *UserAppLogLine) GetMessage() string {
-	if m != nil && m.Message != nil {
-		return *m.Message
-	}
-	return ""
-}
-
-type UserAppLogGroup struct {
-	LogLine              []*UserAppLogLine `protobuf:"bytes,2,rep,name=log_line,json=logLine" json:"log_line,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *UserAppLogGroup) Reset()         { *m = UserAppLogGroup{} }
-func (m *UserAppLogGroup) String() string { return proto.CompactTextString(m) }
-func (*UserAppLogGroup) ProtoMessage()    {}
-func (*UserAppLogGroup) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{2}
-}
-func (m *UserAppLogGroup) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_UserAppLogGroup.Unmarshal(m, b)
-}
-func (m *UserAppLogGroup) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_UserAppLogGroup.Marshal(b, m, deterministic)
-}
-func (dst *UserAppLogGroup) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_UserAppLogGroup.Merge(dst, src)
-}
-func (m *UserAppLogGroup) XXX_Size() int {
-	return xxx_messageInfo_UserAppLogGroup.Size(m)
-}
-func (m *UserAppLogGroup) XXX_DiscardUnknown() {
-	xxx_messageInfo_UserAppLogGroup.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_UserAppLogGroup proto.InternalMessageInfo
-
-func (m *UserAppLogGroup) GetLogLine() []*UserAppLogLine {
-	if m != nil {
-		return m.LogLine
-	}
-	return nil
-}
-
-type FlushRequest struct {
-	Logs                 []byte   `protobuf:"bytes,1,opt,name=logs" json:"logs,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *FlushRequest) Reset()         { *m = FlushRequest{} }
-func (m *FlushRequest) String() string { return proto.CompactTextString(m) }
-func (*FlushRequest) ProtoMessage()    {}
-func (*FlushRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{3}
-}
-func (m *FlushRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_FlushRequest.Unmarshal(m, b)
-}
-func (m *FlushRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_FlushRequest.Marshal(b, m, deterministic)
-}
-func (dst *FlushRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_FlushRequest.Merge(dst, src)
-}
-func (m *FlushRequest) XXX_Size() int {
-	return xxx_messageInfo_FlushRequest.Size(m)
-}
-func (m *FlushRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_FlushRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_FlushRequest proto.InternalMessageInfo
-
-func (m *FlushRequest) GetLogs() []byte {
-	if m != nil {
-		return m.Logs
-	}
-	return nil
-}
-
-type SetStatusRequest struct {
-	Status               *string  `protobuf:"bytes,1,req,name=status" json:"status,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *SetStatusRequest) Reset()         { *m = SetStatusRequest{} }
-func (m *SetStatusRequest) String() string { return proto.CompactTextString(m) }
-func (*SetStatusRequest) ProtoMessage()    {}
-func (*SetStatusRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{4}
-}
-func (m *SetStatusRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_SetStatusRequest.Unmarshal(m, b)
-}
-func (m *SetStatusRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_SetStatusRequest.Marshal(b, m, deterministic)
-}
-func (dst *SetStatusRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SetStatusRequest.Merge(dst, src)
-}
-func (m *SetStatusRequest) XXX_Size() int {
-	return xxx_messageInfo_SetStatusRequest.Size(m)
-}
-func (m *SetStatusRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_SetStatusRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_SetStatusRequest proto.InternalMessageInfo
-
-func (m *SetStatusRequest) GetStatus() string {
-	if m != nil && m.Status != nil {
-		return *m.Status
-	}
-	return ""
-}
-
-type LogOffset struct {
-	RequestId            []byte   `protobuf:"bytes,1,opt,name=request_id,json=requestId" json:"request_id,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *LogOffset) Reset()         { *m = LogOffset{} }
-func (m *LogOffset) String() string { return proto.CompactTextString(m) }
-func (*LogOffset) ProtoMessage()    {}
-func (*LogOffset) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{5}
-}
-func (m *LogOffset) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogOffset.Unmarshal(m, b)
-}
-func (m *LogOffset) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogOffset.Marshal(b, m, deterministic)
-}
-func (dst *LogOffset) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogOffset.Merge(dst, src)
-}
-func (m *LogOffset) XXX_Size() int {
-	return xxx_messageInfo_LogOffset.Size(m)
-}
-func (m *LogOffset) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogOffset.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LogOffset proto.InternalMessageInfo
-
-func (m *LogOffset) GetRequestId() []byte {
-	if m != nil {
-		return m.RequestId
-	}
-	return nil
-}
-
-type LogLine struct {
-	Time                 *int64   `protobuf:"varint,1,req,name=time" json:"time,omitempty"`
-	Level                *int32   `protobuf:"varint,2,req,name=level" json:"level,omitempty"`
-	LogMessage           *string  `protobuf:"bytes,3,req,name=log_message,json=logMessage" json:"log_message,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *LogLine) Reset()         { *m = LogLine{} }
-func (m *LogLine) String() string { return proto.CompactTextString(m) }
-func (*LogLine) ProtoMessage()    {}
-func (*LogLine) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{6}
-}
-func (m *LogLine) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogLine.Unmarshal(m, b)
-}
-func (m *LogLine) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogLine.Marshal(b, m, deterministic)
-}
-func (dst *LogLine) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogLine.Merge(dst, src)
-}
-func (m *LogLine) XXX_Size() int {
-	return xxx_messageInfo_LogLine.Size(m)
-}
-func (m *LogLine) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogLine.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LogLine proto.InternalMessageInfo
-
-func (m *LogLine) GetTime() int64 {
-	if m != nil && m.Time != nil {
-		return *m.Time
-	}
-	return 0
-}
-
-func (m *LogLine) GetLevel() int32 {
-	if m != nil && m.Level != nil {
-		return *m.Level
-	}
-	return 0
-}
-
-func (m *LogLine) GetLogMessage() string {
-	if m != nil && m.LogMessage != nil {
-		return *m.LogMessage
-	}
-	return ""
-}
-
-type RequestLog struct {
-	AppId                   *string    `protobuf:"bytes,1,req,name=app_id,json=appId" json:"app_id,omitempty"`
-	ModuleId                *string    `protobuf:"bytes,37,opt,name=module_id,json=moduleId,def=default" json:"module_id,omitempty"`
-	VersionId               *string    `protobuf:"bytes,2,req,name=version_id,json=versionId" json:"version_id,omitempty"`
-	RequestId               []byte     `protobuf:"bytes,3,req,name=request_id,json=requestId" json:"request_id,omitempty"`
-	Offset                  *LogOffset `protobuf:"bytes,35,opt,name=offset" json:"offset,omitempty"`
-	Ip                      *string    `protobuf:"bytes,4,req,name=ip" json:"ip,omitempty"`
-	Nickname                *string    `protobuf:"bytes,5,opt,name=nickname" json:"nickname,omitempty"`
-	StartTime               *int64     `protobuf:"varint,6,req,name=start_time,json=startTime" json:"start_time,omitempty"`
-	EndTime                 *int64     `protobuf:"varint,7,req,name=end_time,json=endTime" json:"end_time,omitempty"`
-	Latency                 *int64     `protobuf:"varint,8,req,name=latency" json:"latency,omitempty"`
-	Mcycles                 *int64     `protobuf:"varint,9,req,name=mcycles" json:"mcycles,omitempty"`
-	Method                  *string    `protobuf:"bytes,10,req,name=method" json:"method,omitempty"`
-	Resource                *string    `protobuf:"bytes,11,req,name=resource" json:"resource,omitempty"`
-	HttpVersion             *string    `protobuf:"bytes,12,req,name=http_version,json=httpVersion" json:"http_version,omitempty"`
-	Status                  *int32     `protobuf:"varint,13,req,name=status" json:"status,omitempty"`
-	ResponseSize            *int64     `protobuf:"varint,14,req,name=response_size,json=responseSize" json:"response_size,omitempty"`
-	Referrer                *string    `protobuf:"bytes,15,opt,name=referrer" json:"referrer,omitempty"`
-	UserAgent               *string    `protobuf:"bytes,16,opt,name=user_agent,json=userAgent" json:"user_agent,omitempty"`
-	UrlMapEntry             *string    `protobuf:"bytes,17,req,name=url_map_entry,json=urlMapEntry" json:"url_map_entry,omitempty"`
-	Combined                *string    `protobuf:"bytes,18,req,name=combined" json:"combined,omitempty"`
-	ApiMcycles              *int64     `protobuf:"varint,19,opt,name=api_mcycles,json=apiMcycles" json:"api_mcycles,omitempty"`
-	Host                    *string    `protobuf:"bytes,20,opt,name=host" json:"host,omitempty"`
-	Cost                    *float64   `protobuf:"fixed64,21,opt,name=cost" json:"cost,omitempty"`
-	TaskQueueName           *string    `protobuf:"bytes,22,opt,name=task_queue_name,json=taskQueueName" json:"task_queue_name,omitempty"`
-	TaskName                *string    `protobuf:"bytes,23,opt,name=task_name,json=taskName" json:"task_name,omitempty"`
-	WasLoadingRequest       *bool      `protobuf:"varint,24,opt,name=was_loading_request,json=wasLoadingRequest" json:"was_loading_request,omitempty"`
-	PendingTime             *int64     `protobuf:"varint,25,opt,name=pending_time,json=pendingTime" json:"pending_time,omitempty"`
-	ReplicaIndex            *int32     `protobuf:"varint,26,opt,name=replica_index,json=replicaIndex,def=-1" json:"replica_index,omitempty"`
-	Finished                *bool      `protobuf:"varint,27,opt,name=finished,def=1" json:"finished,omitempty"`
-	CloneKey                []byte     `protobuf:"bytes,28,opt,name=clone_key,json=cloneKey" json:"clone_key,omitempty"`
-	Line                    []*LogLine `protobuf:"bytes,29,rep,name=line" json:"line,omitempty"`
-	LinesIncomplete         *bool      `protobuf:"varint,36,opt,name=lines_incomplete,json=linesIncomplete" json:"lines_incomplete,omitempty"`
-	AppEngineRelease        []byte     `protobuf:"bytes,38,opt,name=app_engine_release,json=appEngineRelease" json:"app_engine_release,omitempty"`
-	ExitReason              *int32     `protobuf:"varint,30,opt,name=exit_reason,json=exitReason" json:"exit_reason,omitempty"`
-	WasThrottledForTime     *bool      `protobuf:"varint,31,opt,name=was_throttled_for_time,json=wasThrottledForTime" json:"was_throttled_for_time,omitempty"`
-	WasThrottledForRequests *bool      `protobuf:"varint,32,opt,name=was_throttled_for_requests,json=wasThrottledForRequests" json:"was_throttled_for_requests,omitempty"`
-	ThrottledTime           *int64     `protobuf:"varint,33,opt,name=throttled_time,json=throttledTime" json:"throttled_time,omitempty"`
-	ServerName              []byte     `protobuf:"bytes,34,opt,name=server_name,json=serverName" json:"server_name,omitempty"`
-	XXX_NoUnkeyedLiteral    struct{}   `json:"-"`
-	XXX_unrecognized        []byte     `json:"-"`
-	XXX_sizecache           int32      `json:"-"`
-}
-
-func (m *RequestLog) Reset()         { *m = RequestLog{} }
-func (m *RequestLog) String() string { return proto.CompactTextString(m) }
-func (*RequestLog) ProtoMessage()    {}
-func (*RequestLog) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{7}
-}
-func (m *RequestLog) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_RequestLog.Unmarshal(m, b)
-}
-func (m *RequestLog) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_RequestLog.Marshal(b, m, deterministic)
-}
-func (dst *RequestLog) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RequestLog.Merge(dst, src)
-}
-func (m *RequestLog) XXX_Size() int {
-	return xxx_messageInfo_RequestLog.Size(m)
-}
-func (m *RequestLog) XXX_DiscardUnknown() {
-	xxx_messageInfo_RequestLog.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RequestLog proto.InternalMessageInfo
-
-const Default_RequestLog_ModuleId string = "default"
-const Default_RequestLog_ReplicaIndex int32 = -1
-const Default_RequestLog_Finished bool = true
-
-func (m *RequestLog) GetAppId() string {
-	if m != nil && m.AppId != nil {
-		return *m.AppId
-	}
-	return ""
-}
-
-func (m *RequestLog) GetModuleId() string {
-	if m != nil && m.ModuleId != nil {
-		return *m.ModuleId
-	}
-	return Default_RequestLog_ModuleId
-}
-
-func (m *RequestLog) GetVersionId() string {
-	if m != nil && m.VersionId != nil {
-		return *m.VersionId
-	}
-	return ""
-}
-
-func (m *RequestLog) GetRequestId() []byte {
-	if m != nil {
-		return m.RequestId
-	}
-	return nil
-}
-
-func (m *RequestLog) GetOffset() *LogOffset {
-	if m != nil {
-		return m.Offset
-	}
-	return nil
-}
-
-func (m *RequestLog) GetIp() string {
-	if m != nil && m.Ip != nil {
-		return *m.Ip
-	}
-	return ""
-}
-
-func (m *RequestLog) GetNickname() string {
-	if m != nil && m.Nickname != nil {
-		return *m.Nickname
-	}
-	return ""
-}
-
-func (m *RequestLog) GetStartTime() int64 {
-	if m != nil && m.StartTime != nil {
-		return *m.StartTime
-	}
-	return 0
-}
-
-func (m *RequestLog) GetEndTime() int64 {
-	if m != nil && m.EndTime != nil {
-		return *m.EndTime
-	}
-	return 0
-}
-
-func (m *RequestLog) GetLatency() int64 {
-	if m != nil && m.Latency != nil {
-		return *m.Latency
-	}
-	return 0
-}
-
-func (m *RequestLog) GetMcycles() int64 {
-	if m != nil && m.Mcycles != nil {
-		return *m.Mcycles
-	}
-	return 0
-}
-
-func (m *RequestLog) GetMethod() string {
-	if m != nil && m.Method != nil {
-		return *m.Method
-	}
-	return ""
-}
-
-func (m *RequestLog) GetResource() string {
-	if m != nil && m.Resource != nil {
-		return *m.Resource
-	}
-	return ""
-}
-
-func (m *RequestLog) GetHttpVersion() string {
-	if m != nil && m.HttpVersion != nil {
-		return *m.HttpVersion
-	}
-	return ""
-}
-
-func (m *RequestLog) GetStatus() int32 {
-	if m != nil && m.Status != nil {
-		return *m.Status
-	}
-	return 0
-}
-
-func (m *RequestLog) GetResponseSize() int64 {
-	if m != nil && m.ResponseSize != nil {
-		return *m.ResponseSize
-	}
-	return 0
-}
-
-func (m *RequestLog) GetReferrer() string {
-	if m != nil && m.Referrer != nil {
-		return *m.Referrer
-	}
-	return ""
-}
-
-func (m *RequestLog) GetUserAgent() string {
-	if m != nil && m.UserAgent != nil {
-		return *m.UserAgent
-	}
-	return ""
-}
-
-func (m *RequestLog) GetUrlMapEntry() string {
-	if m != nil && m.UrlMapEntry != nil {
-		return *m.UrlMapEntry
-	}
-	return ""
-}
-
-func (m *RequestLog) GetCombined() string {
-	if m != nil && m.Combined != nil {
-		return *m.Combined
-	}
-	return ""
-}
-
-func (m *RequestLog) GetApiMcycles() int64 {
-	if m != nil && m.ApiMcycles != nil {
-		return *m.ApiMcycles
-	}
-	return 0
-}
-
-func (m *RequestLog) GetHost() string {
-	if m != nil && m.Host != nil {
-		return *m.Host
-	}
-	return ""
-}
-
-func (m *RequestLog) GetCost() float64 {
-	if m != nil && m.Cost != nil {
-		return *m.Cost
-	}
-	return 0
-}
-
-func (m *RequestLog) GetTaskQueueName() string {
-	if m != nil && m.TaskQueueName != nil {
-		return *m.TaskQueueName
-	}
-	return ""
-}
-
-func (m *RequestLog) GetTaskName() string {
-	if m != nil && m.TaskName != nil {
-		return *m.TaskName
-	}
-	return ""
-}
-
-func (m *RequestLog) GetWasLoadingRequest() bool {
-	if m != nil && m.WasLoadingRequest != nil {
-		return *m.WasLoadingRequest
-	}
-	return false
-}
-
-func (m *RequestLog) GetPendingTime() int64 {
-	if m != nil && m.PendingTime != nil {
-		return *m.PendingTime
-	}
-	return 0
-}
-
-func (m *RequestLog) GetReplicaIndex() int32 {
-	if m != nil && m.ReplicaIndex != nil {
-		return *m.ReplicaIndex
-	}
-	return Default_RequestLog_ReplicaIndex
-}
-
-func (m *RequestLog) GetFinished() bool {
-	if m != nil && m.Finished != nil {
-		return *m.Finished
-	}
-	return Default_RequestLog_Finished
-}
-
-func (m *RequestLog) GetCloneKey() []byte {
-	if m != nil {
-		return m.CloneKey
-	}
-	return nil
-}
-
-func (m *RequestLog) GetLine() []*LogLine {
-	if m != nil {
-		return m.Line
-	}
-	return nil
-}
-
-func (m *RequestLog) GetLinesIncomplete() bool {
-	if m != nil && m.LinesIncomplete != nil {
-		return *m.LinesIncomplete
-	}
-	return false
-}
-
-func (m *RequestLog) GetAppEngineRelease() []byte {
-	if m != nil {
-		return m.AppEngineRelease
-	}
-	return nil
-}
-
-func (m *RequestLog) GetExitReason() int32 {
-	if m != nil && m.ExitReason != nil {
-		return *m.ExitReason
-	}
-	return 0
-}
-
-func (m *RequestLog) GetWasThrottledForTime() bool {
-	if m != nil && m.WasThrottledForTime != nil {
-		return *m.WasThrottledForTime
-	}
-	return false
-}
-
-func (m *RequestLog) GetWasThrottledForRequests() bool {
-	if m != nil && m.WasThrottledForRequests != nil {
-		return *m.WasThrottledForRequests
-	}
-	return false
-}
-
-func (m *RequestLog) GetThrottledTime() int64 {
-	if m != nil && m.ThrottledTime != nil {
-		return *m.ThrottledTime
-	}
-	return 0
-}
-
-func (m *RequestLog) GetServerName() []byte {
-	if m != nil {
-		return m.ServerName
-	}
-	return nil
-}
-
-type LogModuleVersion struct {
-	ModuleId             *string  `protobuf:"bytes,1,opt,name=module_id,json=moduleId,def=default" json:"module_id,omitempty"`
-	VersionId            *string  `protobuf:"bytes,2,opt,name=version_id,json=versionId" json:"version_id,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *LogModuleVersion) Reset()         { *m = LogModuleVersion{} }
-func (m *LogModuleVersion) String() string { return proto.CompactTextString(m) }
-func (*LogModuleVersion) ProtoMessage()    {}
-func (*LogModuleVersion) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{8}
-}
-func (m *LogModuleVersion) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogModuleVersion.Unmarshal(m, b)
-}
-func (m *LogModuleVersion) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogModuleVersion.Marshal(b, m, deterministic)
-}
-func (dst *LogModuleVersion) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogModuleVersion.Merge(dst, src)
-}
-func (m *LogModuleVersion) XXX_Size() int {
-	return xxx_messageInfo_LogModuleVersion.Size(m)
-}
-func (m *LogModuleVersion) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogModuleVersion.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LogModuleVersion proto.InternalMessageInfo
-
-const Default_LogModuleVersion_ModuleId string = "default"
-
-func (m *LogModuleVersion) GetModuleId() string {
-	if m != nil && m.ModuleId != nil {
-		return *m.ModuleId
-	}
-	return Default_LogModuleVersion_ModuleId
-}
-
-func (m *LogModuleVersion) GetVersionId() string {
-	if m != nil && m.VersionId != nil {
-		return *m.VersionId
-	}
-	return ""
-}
-
-type LogReadRequest struct {
-	AppId                *string             `protobuf:"bytes,1,req,name=app_id,json=appId" json:"app_id,omitempty"`
-	VersionId            []string            `protobuf:"bytes,2,rep,name=version_id,json=versionId" json:"version_id,omitempty"`
-	ModuleVersion        []*LogModuleVersion `protobuf:"bytes,19,rep,name=module_version,json=moduleVersion" json:"module_version,omitempty"`
-	StartTime            *int64              `protobuf:"varint,3,opt,name=start_time,json=startTime" json:"start_time,omitempty"`
-	EndTime              *int64              `protobuf:"varint,4,opt,name=end_time,json=endTime" json:"end_time,omitempty"`
-	Offset               *LogOffset          `protobuf:"bytes,5,opt,name=offset" json:"offset,omitempty"`
-	RequestId            [][]byte            `protobuf:"bytes,6,rep,name=request_id,json=requestId" json:"request_id,omitempty"`
-	MinimumLogLevel      *int32              `protobuf:"varint,7,opt,name=minimum_log_level,json=minimumLogLevel" json:"minimum_log_level,omitempty"`
-	IncludeIncomplete    *bool               `protobuf:"varint,8,opt,name=include_incomplete,json=includeIncomplete" json:"include_incomplete,omitempty"`
-	Count                *int64              `protobuf:"varint,9,opt,name=count" json:"count,omitempty"`
-	CombinedLogRegex     *string             `protobuf:"bytes,14,opt,name=combined_log_regex,json=combinedLogRegex" json:"combined_log_regex,omitempty"`
-	HostRegex            *string             `protobuf:"bytes,15,opt,name=host_regex,json=hostRegex" json:"host_regex,omitempty"`
-	ReplicaIndex         *int32              `protobuf:"varint,16,opt,name=replica_index,json=replicaIndex" json:"replica_index,omitempty"`
-	IncludeAppLogs       *bool               `protobuf:"varint,10,opt,name=include_app_logs,json=includeAppLogs" json:"include_app_logs,omitempty"`
-	AppLogsPerRequest    *int32              `protobuf:"varint,17,opt,name=app_logs_per_request,json=appLogsPerRequest" json:"app_logs_per_request,omitempty"`
-	IncludeHost          *bool               `protobuf:"varint,11,opt,name=include_host,json=includeHost" json:"include_host,omitempty"`
-	IncludeAll           *bool               `protobuf:"varint,12,opt,name=include_all,json=includeAll" json:"include_all,omitempty"`
-	CacheIterator        *bool               `protobuf:"varint,13,opt,name=cache_iterator,json=cacheIterator" json:"cache_iterator,omitempty"`
-	NumShards            *int32              `protobuf:"varint,18,opt,name=num_shards,json=numShards" json:"num_shards,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}            `json:"-"`
-	XXX_unrecognized     []byte              `json:"-"`
-	XXX_sizecache        int32               `json:"-"`
-}
-
-func (m *LogReadRequest) Reset()         { *m = LogReadRequest{} }
-func (m *LogReadRequest) String() string { return proto.CompactTextString(m) }
-func (*LogReadRequest) ProtoMessage()    {}
-func (*LogReadRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{9}
-}
-func (m *LogReadRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogReadRequest.Unmarshal(m, b)
-}
-func (m *LogReadRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogReadRequest.Marshal(b, m, deterministic)
-}
-func (dst *LogReadRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogReadRequest.Merge(dst, src)
-}
-func (m *LogReadRequest) XXX_Size() int {
-	return xxx_messageInfo_LogReadRequest.Size(m)
-}
-func (m *LogReadRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogReadRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LogReadRequest proto.InternalMessageInfo
-
-func (m *LogReadRequest) GetAppId() string {
-	if m != nil && m.AppId != nil {
-		return *m.AppId
-	}
-	return ""
-}
-
-func (m *LogReadRequest) GetVersionId() []string {
-	if m != nil {
-		return m.VersionId
-	}
-	return nil
-}
-
-func (m *LogReadRequest) GetModuleVersion() []*LogModuleVersion {
-	if m != nil {
-		return m.ModuleVersion
-	}
-	return nil
-}
-
-func (m *LogReadRequest) GetStartTime() int64 {
-	if m != nil && m.StartTime != nil {
-		return *m.StartTime
-	}
-	return 0
-}
-
-func (m *LogReadRequest) GetEndTime() int64 {
-	if m != nil && m.EndTime != nil {
-		return *m.EndTime
-	}
-	return 0
-}
-
-func (m *LogReadRequest) GetOffset() *LogOffset {
-	if m != nil {
-		return m.Offset
-	}
-	return nil
-}
-
-func (m *LogReadRequest) GetRequestId() [][]byte {
-	if m != nil {
-		return m.RequestId
-	}
-	return nil
-}
-
-func (m *LogReadRequest) GetMinimumLogLevel() int32 {
-	if m != nil && m.MinimumLogLevel != nil {
-		return *m.MinimumLogLevel
-	}
-	return 0
-}
-
-func (m *LogReadRequest) GetIncludeIncomplete() bool {
-	if m != nil && m.IncludeIncomplete != nil {
-		return *m.IncludeIncomplete
-	}
-	return false
-}
-
-func (m *LogReadRequest) GetCount() int64 {
-	if m != nil && m.Count != nil {
-		return *m.Count
-	}
-	return 0
-}
-
-func (m *LogReadRequest) GetCombinedLogRegex() string {
-	if m != nil && m.CombinedLogRegex != nil {
-		return *m.CombinedLogRegex
-	}
-	return ""
-}
-
-func (m *LogReadRequest) GetHostRegex() string {
-	if m != nil && m.HostRegex != nil {
-		return *m.HostRegex
-	}
-	return ""
-}
-
-func (m *LogReadRequest) GetReplicaIndex() int32 {
-	if m != nil && m.ReplicaIndex != nil {
-		return *m.ReplicaIndex
-	}
-	return 0
-}
-
-func (m *LogReadRequest) GetIncludeAppLogs() bool {
-	if m != nil && m.IncludeAppLogs != nil {
-		return *m.IncludeAppLogs
-	}
-	return false
-}
-
-func (m *LogReadRequest) GetAppLogsPerRequest() int32 {
-	if m != nil && m.AppLogsPerRequest != nil {
-		return *m.AppLogsPerRequest
-	}
-	return 0
-}
-
-func (m *LogReadRequest) GetIncludeHost() bool {
-	if m != nil && m.IncludeHost != nil {
-		return *m.IncludeHost
-	}
-	return false
-}
-
-func (m *LogReadRequest) GetIncludeAll() bool {
-	if m != nil && m.IncludeAll != nil {
-		return *m.IncludeAll
-	}
-	return false
-}
-
-func (m *LogReadRequest) GetCacheIterator() bool {
-	if m != nil && m.CacheIterator != nil {
-		return *m.CacheIterator
-	}
-	return false
-}
-
-func (m *LogReadRequest) GetNumShards() int32 {
-	if m != nil && m.NumShards != nil {
-		return *m.NumShards
-	}
-	return 0
-}
-
-type LogReadResponse struct {
-	Log                  []*RequestLog `protobuf:"bytes,1,rep,name=log" json:"log,omitempty"`
-	Offset               *LogOffset    `protobuf:"bytes,2,opt,name=offset" json:"offset,omitempty"`
-	LastEndTime          *int64        `protobuf:"varint,3,opt,name=last_end_time,json=lastEndTime" json:"last_end_time,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
-	XXX_unrecognized     []byte        `json:"-"`
-	XXX_sizecache        int32         `json:"-"`
-}
-
-func (m *LogReadResponse) Reset()         { *m = LogReadResponse{} }
-func (m *LogReadResponse) String() string { return proto.CompactTextString(m) }
-func (*LogReadResponse) ProtoMessage()    {}
-func (*LogReadResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{10}
-}
-func (m *LogReadResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogReadResponse.Unmarshal(m, b)
-}
-func (m *LogReadResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogReadResponse.Marshal(b, m, deterministic)
-}
-func (dst *LogReadResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogReadResponse.Merge(dst, src)
-}
-func (m *LogReadResponse) XXX_Size() int {
-	return xxx_messageInfo_LogReadResponse.Size(m)
-}
-func (m *LogReadResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogReadResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LogReadResponse proto.InternalMessageInfo
-
-func (m *LogReadResponse) GetLog() []*RequestLog {
-	if m != nil {
-		return m.Log
-	}
-	return nil
-}
-
-func (m *LogReadResponse) GetOffset() *LogOffset {
-	if m != nil {
-		return m.Offset
-	}
-	return nil
-}
-
-func (m *LogReadResponse) GetLastEndTime() int64 {
-	if m != nil && m.LastEndTime != nil {
-		return *m.LastEndTime
-	}
-	return 0
-}
-
-type LogUsageRecord struct {
-	VersionId            *string  `protobuf:"bytes,1,opt,name=version_id,json=versionId" json:"version_id,omitempty"`
-	StartTime            *int32   `protobuf:"varint,2,opt,name=start_time,json=startTime" json:"start_time,omitempty"`
-	EndTime              *int32   `protobuf:"varint,3,opt,name=end_time,json=endTime" json:"end_time,omitempty"`
-	Count                *int64   `protobuf:"varint,4,opt,name=count" json:"count,omitempty"`
-	TotalSize            *int64   `protobuf:"varint,5,opt,name=total_size,json=totalSize" json:"total_size,omitempty"`
-	Records              *int32   `protobuf:"varint,6,opt,name=records" json:"records,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *LogUsageRecord) Reset()         { *m = LogUsageRecord{} }
-func (m *LogUsageRecord) String() string { return proto.CompactTextString(m) }
-func (*LogUsageRecord) ProtoMessage()    {}
-func (*LogUsageRecord) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{11}
-}
-func (m *LogUsageRecord) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogUsageRecord.Unmarshal(m, b)
-}
-func (m *LogUsageRecord) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogUsageRecord.Marshal(b, m, deterministic)
-}
-func (dst *LogUsageRecord) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogUsageRecord.Merge(dst, src)
-}
-func (m *LogUsageRecord) XXX_Size() int {
-	return xxx_messageInfo_LogUsageRecord.Size(m)
-}
-func (m *LogUsageRecord) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogUsageRecord.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LogUsageRecord proto.InternalMessageInfo
-
-func (m *LogUsageRecord) GetVersionId() string {
-	if m != nil && m.VersionId != nil {
-		return *m.VersionId
-	}
-	return ""
-}
-
-func (m *LogUsageRecord) GetStartTime() int32 {
-	if m != nil && m.StartTime != nil {
-		return *m.StartTime
-	}
-	return 0
-}
-
-func (m *LogUsageRecord) GetEndTime() int32 {
-	if m != nil && m.EndTime != nil {
-		return *m.EndTime
-	}
-	return 0
-}
-
-func (m *LogUsageRecord) GetCount() int64 {
-	if m != nil && m.Count != nil {
-		return *m.Count
-	}
-	return 0
-}
-
-func (m *LogUsageRecord) GetTotalSize() int64 {
-	if m != nil && m.TotalSize != nil {
-		return *m.TotalSize
-	}
-	return 0
-}
-
-func (m *LogUsageRecord) GetRecords() int32 {
-	if m != nil && m.Records != nil {
-		return *m.Records
-	}
-	return 0
-}
-
-type LogUsageRequest struct {
-	AppId                *string  `protobuf:"bytes,1,req,name=app_id,json=appId" json:"app_id,omitempty"`
-	VersionId            []string `protobuf:"bytes,2,rep,name=version_id,json=versionId" json:"version_id,omitempty"`
-	StartTime            *int32   `protobuf:"varint,3,opt,name=start_time,json=startTime" json:"start_time,omitempty"`
-	EndTime              *int32   `protobuf:"varint,4,opt,name=end_time,json=endTime" json:"end_time,omitempty"`
-	ResolutionHours      *uint32  `protobuf:"varint,5,opt,name=resolution_hours,json=resolutionHours,def=1" json:"resolution_hours,omitempty"`
-	CombineVersions      *bool    `protobuf:"varint,6,opt,name=combine_versions,json=combineVersions" json:"combine_versions,omitempty"`
-	UsageVersion         *int32   `protobuf:"varint,7,opt,name=usage_version,json=usageVersion" json:"usage_version,omitempty"`
-	VersionsOnly         *bool    `protobuf:"varint,8,opt,name=versions_only,json=versionsOnly" json:"versions_only,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *LogUsageRequest) Reset()         { *m = LogUsageRequest{} }
-func (m *LogUsageRequest) String() string { return proto.CompactTextString(m) }
-func (*LogUsageRequest) ProtoMessage()    {}
-func (*LogUsageRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{12}
-}
-func (m *LogUsageRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogUsageRequest.Unmarshal(m, b)
-}
-func (m *LogUsageRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogUsageRequest.Marshal(b, m, deterministic)
-}
-func (dst *LogUsageRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogUsageRequest.Merge(dst, src)
-}
-func (m *LogUsageRequest) XXX_Size() int {
-	return xxx_messageInfo_LogUsageRequest.Size(m)
-}
-func (m *LogUsageRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogUsageRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LogUsageRequest proto.InternalMessageInfo
-
-const Default_LogUsageRequest_ResolutionHours uint32 = 1
-
-func (m *LogUsageRequest) GetAppId() string {
-	if m != nil && m.AppId != nil {
-		return *m.AppId
-	}
-	return ""
-}
-
-func (m *LogUsageRequest) GetVersionId() []string {
-	if m != nil {
-		return m.VersionId
-	}
-	return nil
-}
-
-func (m *LogUsageRequest) GetStartTime() int32 {
-	if m != nil && m.StartTime != nil {
-		return *m.StartTime
-	}
-	return 0
-}
-
-func (m *LogUsageRequest) GetEndTime() int32 {
-	if m != nil && m.EndTime != nil {
-		return *m.EndTime
-	}
-	return 0
-}
-
-func (m *LogUsageRequest) GetResolutionHours() uint32 {
-	if m != nil && m.ResolutionHours != nil {
-		return *m.ResolutionHours
-	}
-	return Default_LogUsageRequest_ResolutionHours
-}
-
-func (m *LogUsageRequest) GetCombineVersions() bool {
-	if m != nil && m.CombineVersions != nil {
-		return *m.CombineVersions
-	}
-	return false
-}
-
-func (m *LogUsageRequest) GetUsageVersion() int32 {
-	if m != nil && m.UsageVersion != nil {
-		return *m.UsageVersion
-	}
-	return 0
-}
-
-func (m *LogUsageRequest) GetVersionsOnly() bool {
-	if m != nil && m.VersionsOnly != nil {
-		return *m.VersionsOnly
-	}
-	return false
-}
-
-type LogUsageResponse struct {
-	Usage                []*LogUsageRecord `protobuf:"bytes,1,rep,name=usage" json:"usage,omitempty"`
-	Summary              *LogUsageRecord   `protobuf:"bytes,2,opt,name=summary" json:"summary,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *LogUsageResponse) Reset()         { *m = LogUsageResponse{} }
-func (m *LogUsageResponse) String() string { return proto.CompactTextString(m) }
-func (*LogUsageResponse) ProtoMessage()    {}
-func (*LogUsageResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_log_service_f054fd4b5012319d, []int{13}
-}
-func (m *LogUsageResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogUsageResponse.Unmarshal(m, b)
-}
-func (m *LogUsageResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogUsageResponse.Marshal(b, m, deterministic)
-}
-func (dst *LogUsageResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogUsageResponse.Merge(dst, src)
-}
-func (m *LogUsageResponse) XXX_Size() int {
-	return xxx_messageInfo_LogUsageResponse.Size(m)
-}
-func (m *LogUsageResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogUsageResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_LogUsageResponse proto.InternalMessageInfo
-
-func (m *LogUsageResponse) GetUsage() []*LogUsageRecord {
-	if m != nil {
-		return m.Usage
-	}
-	return nil
-}
-
-func (m *LogUsageResponse) GetSummary() *LogUsageRecord {
-	if m != nil {
-		return m.Summary
-	}
-	return nil
-}
-
-func init() {
-	proto.RegisterType((*LogServiceError)(nil), "appengine.LogServiceError")
-	proto.RegisterType((*UserAppLogLine)(nil), "appengine.UserAppLogLine")
-	proto.RegisterType((*UserAppLogGroup)(nil), "appengine.UserAppLogGroup")
-	proto.RegisterType((*FlushRequest)(nil), "appengine.FlushRequest")
-	proto.RegisterType((*SetStatusRequest)(nil), "appengine.SetStatusRequest")
-	proto.RegisterType((*LogOffset)(nil), "appengine.LogOffset")
-	proto.RegisterType((*LogLine)(nil), "appengine.LogLine")
-	proto.RegisterType((*RequestLog)(nil), "appengine.RequestLog")
-	proto.RegisterType((*LogModuleVersion)(nil), "appengine.LogModuleVersion")
-	proto.RegisterType((*LogReadRequest)(nil), "appengine.LogReadRequest")
-	proto.RegisterType((*LogReadResponse)(nil), "appengine.LogReadResponse")
-	proto.RegisterType((*LogUsageRecord)(nil), "appengine.LogUsageRecord")
-	proto.RegisterType((*LogUsageRequest)(nil), "appengine.LogUsageRequest")
-	proto.RegisterType((*LogUsageResponse)(nil), "appengine.LogUsageResponse")
-}
-
-func init() {
-	proto.RegisterFile("google.golang.org/appengine/internal/log/log_service.proto", fileDescriptor_log_service_f054fd4b5012319d)
-}
-
-var fileDescriptor_log_service_f054fd4b5012319d = []byte{
-	// 1553 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0xdd, 0x72, 0xdb, 0xc6,
-	0x15, 0x2e, 0x48, 0x51, 0x24, 0x0f, 0x49, 0x91, 0x5a, 0xcb, 0xce, 0xda, 0xae, 0x6b, 0x1a, 0x4e,
-	0x1c, 0xd6, 0x93, 0x48, 0x93, 0xa4, 0x57, 0xca, 0x95, 0xd3, 0x2a, 0x8e, 0x26, 0xb4, 0xd5, 0x40,
-	0x72, 0x3a, 0xd3, 0x1b, 0x0c, 0x0a, 0x1c, 0x81, 0x18, 0x2f, 0xb1, 0xc8, 0xee, 0xc2, 0x91, 0x72,
-	0xdb, 0xdb, 0x3e, 0x46, 0x1f, 0xa2, 0xaf, 0xd2, 0xb7, 0xe9, 0xec, 0xd9, 0x05, 0x44, 0x2a, 0x4d,
-	0xc6, 0x33, 0xb9, 0xe0, 0x10, 0xfb, 0x9d, 0x83, 0xdd, 0xf3, 0xf3, 0x9d, 0x6f, 0x01, 0xc7, 0xb9,
-	0x94, 0xb9, 0xc0, 0xc3, 0x5c, 0x8a, 0xa4, 0xcc, 0x0f, 0xa5, 0xca, 0x8f, 0x92, 0xaa, 0xc2, 0x32,
-	0x2f, 0x4a, 0x3c, 0x2a, 0x4a, 0x83, 0xaa, 0x4c, 0xc4, 0x91, 0x90, 0xb9, 0xfd, 0xc5, 0x1a, 0xd5,
-	0xbb, 0x22, 0xc5, 0xc3, 0x4a, 0x49, 0x23, 0xd9, 0xb0, 0xf5, 0x0c, 0x5f, 0xc3, 0x74, 0x29, 0xf3,
-	0x73, 0x67, 0x3e, 0x51, 0x4a, 0xaa, 0xf0, 0x4b, 0x18, 0xd2, 0xc3, 0x9f, 0x65, 0x86, 0x6c, 0x17,
-	0x3a, 0x67, 0xdf, 0xce, 0x7e, 0xc7, 0xee, 0xc0, 0xf4, 0xf4, 0xf5, 0xf7, 0x2f, 0x96, 0xa7, 0x7f,
-	0x89, 0xa3, 0x93, 0xef, 0xde, 0x9c, 0x9c, 0x5f, 0xcc, 0x02, 0xb6, 0x0f, 0x93, 0xf3, 0x8b, 0xb3,
-	0xe8, 0xc5, 0xcb, 0x93, 0xf8, 0x24, 0x8a, 0xce, 0xa2, 0x59, 0x27, 0xcc, 0x61, 0xef, 0x8d, 0x46,
-	0xf5, 0xa2, 0xaa, 0x96, 0x32, 0x5f, 0x16, 0x25, 0xb2, 0x8f, 0x60, 0xcf, 0x14, 0x6b, 0xd4, 0x26,
-	0x59, 0x57, 0x71, 0xad, 0x31, 0xe5, 0xc1, 0xbc, 0xb3, 0xe8, 0x46, 0x93, 0x16, 0x7d, 0xa3, 0x31,
-	0x65, 0x07, 0xd0, 0x13, 0xf8, 0x0e, 0x05, 0xef, 0x90, 0xd5, 0x2d, 0x18, 0x87, 0xfe, 0x1a, 0xb5,
-	0x4e, 0x72, 0xe4, 0xdd, 0x79, 0x67, 0x31, 0x8c, 0x9a, 0x65, 0xf8, 0x12, 0xa6, 0x37, 0x07, 0xbd,
-	0x54, 0xb2, 0xae, 0xd8, 0x9f, 0x60, 0x60, 0x73, 0x15, 0x45, 0x89, 0xbc, 0x33, 0xef, 0x2e, 0x46,
-	0x9f, 0xdf, 0x3f, 0x6c, 0x33, 0x3d, 0xdc, 0x0e, 0x2b, 0xea, 0x0b, 0xf7, 0x10, 0x86, 0x30, 0xfe,
-	0x5a, 0xd4, 0x7a, 0x15, 0xe1, 0x0f, 0x35, 0x6a, 0xc3, 0x18, 0xec, 0x08, 0x99, 0x6b, 0x1e, 0xcc,
-	0x83, 0xc5, 0x38, 0xa2, 0xe7, 0xf0, 0x39, 0xcc, 0xce, 0xd1, 0x9c, 0x9b, 0xc4, 0xd4, 0xba, 0xf1,
-	0xbb, 0x07, 0xbb, 0x9a, 0x00, 0xca, 0x67, 0x18, 0xf9, 0x55, 0xf8, 0x1c, 0x86, 0x4b, 0x99, 0x9f,
-	0x5d, 0x5e, 0x6a, 0x34, 0xec, 0x11, 0x80, 0x72, 0xfe, 0x71, 0x91, 0xf9, 0x2d, 0x87, 0x1e, 0x39,
-	0xcd, 0xc2, 0x0b, 0xe8, 0x37, 0x65, 0x62, 0xb0, 0x63, 0x0b, 0xe2, 0x8b, 0x43, 0xcf, 0xdb, 0x35,
-	0xe9, 0x35, 0x35, 0x79, 0x0c, 0x23, 0x9b, 0xe6, 0x76, 0x5d, 0x40, 0xc8, 0xfc, 0x95, 0x2f, 0xcd,
-	0x3f, 0x01, 0xc0, 0x47, 0xb9, 0x94, 0x39, 0xbb, 0x0b, 0xbb, 0x49, 0x55, 0xb9, 0xf3, 0xad, 0x6b,
-	0x2f, 0xa9, 0xaa, 0xd3, 0x8c, 0x7d, 0x08, 0xc3, 0xb5, 0xcc, 0x6a, 0x81, 0xd6, 0xf2, 0xd1, 0x3c,
-	0x58, 0x0c, 0x8f, 0xfb, 0x19, 0x5e, 0x26, 0xb5, 0x30, 0xd1, 0xc0, 0x59, 0x4e, 0x33, 0x9b, 0xc0,
-	0x3b, 0x54, 0xba, 0x90, 0xa5, 0x75, 0xeb, 0xd0, 0x06, 0x43, 0x8f, 0x38, 0xf3, 0x46, 0x7e, 0x36,
-	0x94, 0xcd, 0xfc, 0xd8, 0x27, 0xb0, 0x2b, 0xa9, 0x10, 0xfc, 0xe9, 0x3c, 0x58, 0x8c, 0x3e, 0x3f,
-	0xd8, 0xe8, 0x47, 0x5b, 0xa4, 0xc8, 0xfb, 0xb0, 0x3d, 0xe8, 0x14, 0x15, 0xdf, 0xa1, 0x33, 0x3a,
-	0x45, 0xc5, 0x1e, 0xc0, 0xa0, 0x2c, 0xd2, 0xb7, 0x65, 0xb2, 0x46, 0xde, 0xb3, 0x01, 0x46, 0xed,
-	0xda, 0x1e, 0xac, 0x4d, 0xa2, 0x4c, 0x4c, 0x45, 0xdb, 0xa5, 0xa2, 0x0d, 0x09, 0xb9, 0xb0, 0x95,
-	0xbb, 0x0f, 0x03, 0x2c, 0x33, 0x67, 0xec, 0x93, 0xb1, 0x8f, 0x65, 0x46, 0x26, 0x0e, 0x7d, 0x91,
-	0x18, 0x2c, 0xd3, 0x6b, 0x3e, 0x70, 0x16, 0xbf, 0x24, 0xb2, 0xa5, 0xd7, 0xa9, 0x40, 0xcd, 0x87,
-	0xce, 0xe2, 0x97, 0xb6, 0xd7, 0x6b, 0x34, 0x2b, 0x99, 0x71, 0x70, 0xbd, 0x76, 0x2b, 0x1b, 0xa1,
-	0x42, 0x2d, 0x6b, 0x95, 0x22, 0x1f, 0x91, 0xa5, 0x5d, 0xb3, 0x27, 0x30, 0x5e, 0x19, 0x53, 0xc5,
-	0xbe, 0x58, 0x7c, 0x4c, 0xf6, 0x91, 0xc5, 0xbe, 0x77, 0xd0, 0x06, 0x85, 0x26, 0xd4, 0x60, 0xbf,
-	0x62, 0x4f, 0x61, 0xa2, 0x50, 0x57, 0xb2, 0xd4, 0x18, 0xeb, 0xe2, 0x27, 0xe4, 0x7b, 0x14, 0xce,
-	0xb8, 0x01, 0xcf, 0x8b, 0x9f, 0xd0, 0x9d, 0x7d, 0x89, 0x4a, 0xa1, 0xe2, 0x53, 0x57, 0x9d, 0x66,
-	0x6d, 0xab, 0x53, 0x6b, 0x54, 0x71, 0x92, 0x63, 0x69, 0xf8, 0x8c, 0xac, 0x43, 0x8b, 0xbc, 0xb0,
-	0x00, 0x0b, 0x61, 0x52, 0x2b, 0x11, 0xaf, 0x93, 0x2a, 0xc6, 0xd2, 0xa8, 0x6b, 0xbe, 0xef, 0x62,
-	0xab, 0x95, 0x78, 0x95, 0x54, 0x27, 0x16, 0xb2, 0xdb, 0xa7, 0x72, 0xfd, 0x8f, 0xa2, 0xc4, 0x8c,
-	0x33, 0x97, 0x5a, 0xb3, 0xb6, 0x0c, 0x4c, 0xaa, 0x22, 0x6e, 0x8a, 0x75, 0x67, 0x1e, 0x2c, 0xba,
-	0x11, 0x24, 0x55, 0xf1, 0xca, 0xd7, 0x8b, 0xc1, 0xce, 0x4a, 0x6a, 0xc3, 0x0f, 0xe8, 0x64, 0x7a,
-	0xb6, 0x58, 0x6a, 0xb1, 0xbb, 0xf3, 0x60, 0x11, 0x44, 0xf4, 0xcc, 0x9e, 0xc1, 0xd4, 0x24, 0xfa,
-	0x6d, 0xfc, 0x43, 0x8d, 0x35, 0xc6, 0xd4, 0xe8, 0x7b, 0xf4, 0xca, 0xc4, 0xc2, 0xdf, 0x59, 0xf4,
-	0xb5, 0xed, 0xf6, 0x43, 0x18, 0x92, 0x1f, 0x79, 0x7c, 0xe0, 0x92, 0xb5, 0x00, 0x19, 0x0f, 0xe1,
-	0xce, 0x8f, 0x89, 0x8e, 0x85, 0x4c, 0xb2, 0xa2, 0xcc, 0x63, 0xcf, 0x3e, 0xce, 0xe7, 0xc1, 0x62,
-	0x10, 0xed, 0xff, 0x98, 0xe8, 0xa5, 0xb3, 0x34, 0x83, 0xfb, 0x04, 0xc6, 0x15, 0x96, 0xe4, 0x4b,
-	0xfc, 0xb8, 0x4f, 0xe1, 0x8f, 0x3c, 0x46, 0x1c, 0xf9, 0xd8, 0x36, 0xa0, 0x12, 0x45, 0x9a, 0xc4,
-	0x45, 0x99, 0xe1, 0x15, 0x7f, 0x30, 0x0f, 0x16, 0xbd, 0xe3, 0xce, 0xa7, 0x9f, 0xd9, 0x26, 0x90,
-	0xe1, 0xd4, 0xe2, 0x6c, 0x0e, 0x83, 0xcb, 0xa2, 0x2c, 0xf4, 0x0a, 0x33, 0xfe, 0xd0, 0x1e, 0x78,
-	0xbc, 0x63, 0x54, 0x8d, 0x51, 0x8b, 0xda, 0xd0, 0x53, 0x21, 0x4b, 0x8c, 0xdf, 0xe2, 0x35, 0xff,
-	0x3d, 0x09, 0xc0, 0x80, 0x80, 0x6f, 0xf1, 0x9a, 0x3d, 0x83, 0x1d, 0x52, 0xab, 0x47, 0xa4, 0x56,
-	0x6c, 0x7b, 0x3a, 0x48, 0xa6, 0xc8, 0xce, 0xfe, 0x08, 0x33, 0xfb, 0xaf, 0xe3, 0xa2, 0x4c, 0xe5,
-	0xba, 0x12, 0x68, 0x90, 0x7f, 0x48, 0xf9, 0x4d, 0x09, 0x3f, 0x6d, 0x61, 0xf6, 0x09, 0x30, 0x3b,
-	0xed, 0x6e, 0x9b, 0x58, 0xa1, 0xc0, 0x44, 0x23, 0x7f, 0x46, 0x07, 0xcf, 0x92, 0xaa, 0x3a, 0x21,
-	0x43, 0xe4, 0x70, 0xdb, 0x49, 0xbc, 0x2a, 0x4c, 0xac, 0x30, 0xd1, 0xb2, 0xe4, 0x7f, 0xb0, 0x69,
-	0x46, 0x60, 0xa1, 0x88, 0x10, 0xf6, 0x05, 0xdc, 0xb3, 0xc5, 0x35, 0x2b, 0x25, 0x8d, 0x11, 0x98,
-	0xc5, 0x97, 0x52, 0xb9, 0xb2, 0x3d, 0xa6, 0xf3, 0x6d, 0xe9, 0x2f, 0x1a, 0xe3, 0xd7, 0x52, 0x51,
-	0xf9, 0xbe, 0x84, 0x07, 0x3f, 0x7f, 0xc9, 0xf7, 0x45, 0xf3, 0x39, 0xbd, 0xf8, 0xc1, 0xad, 0x17,
-	0x7d, 0x77, 0x34, 0xdd, 0x17, 0xed, 0x8b, 0x74, 0xd2, 0x13, 0x6a, 0xd0, 0xa4, 0x45, 0xe9, 0x8c,
-	0xc7, 0x30, 0xb2, 0x97, 0x1a, 0x2a, 0x47, 0x8a, 0x90, 0x12, 0x04, 0x07, 0x59, 0x5a, 0x84, 0x7f,
-	0x83, 0xd9, 0x52, 0xe6, 0xaf, 0x48, 0xc8, 0x9a, 0x81, 0xdb, 0xd2, 0xbc, 0xe0, 0x7d, 0x35, 0x2f,
-	0xd8, 0xd2, 0xbc, 0xf0, 0xbf, 0x3d, 0xd8, 0x5b, 0xca, 0x3c, 0xc2, 0x24, 0x6b, 0x28, 0xf5, 0x0b,
-	0x12, 0x7b, 0x7b, 0xa3, 0xee, 0xb6, 0x78, 0x7e, 0x05, 0x7b, 0x3e, 0x9a, 0x46, 0x23, 0xee, 0x10,
-	0x0f, 0x1e, 0x6e, 0xf3, 0x60, 0x2b, 0x85, 0x68, 0xb2, 0xde, 0xca, 0x68, 0x5b, 0x07, 0xbb, 0x54,
-	0xa9, 0x5f, 0xd0, 0xc1, 0x1d, 0x32, 0xb6, 0x3a, 0x78, 0xa3, 0xcd, 0xbd, 0xf7, 0xd0, 0xe6, 0x6d,
-	0xa1, 0xdf, 0x9d, 0x77, 0xb7, 0x85, 0xfe, 0x39, 0xec, 0xaf, 0x8b, 0xb2, 0x58, 0xd7, 0xeb, 0x98,
-	0xae, 0x60, 0xba, 0xb5, 0xfa, 0xc4, 0xa6, 0xa9, 0x37, 0x58, 0x46, 0xd3, 0xfd, 0xf5, 0x29, 0xb0,
-	0xa2, 0x4c, 0x45, 0x9d, 0xe1, 0x26, 0x9d, 0x07, 0x6e, 0x5c, 0xbd, 0x65, 0x83, 0xd0, 0x07, 0xd0,
-	0x4b, 0x65, 0x5d, 0x1a, 0x3e, 0xa4, 0xf8, 0xdd, 0xc2, 0xd2, 0xbc, 0x91, 0x23, 0x3a, 0x51, 0x61,
-	0x8e, 0x57, 0x7c, 0x8f, 0x7a, 0x35, 0x6b, 0x2c, 0xd4, 0xa5, 0x1c, 0xaf, 0x6c, 0xf4, 0x56, 0x83,
-	0xbc, 0x97, 0x53, 0xcb, 0xa1, 0x45, 0x9c, 0xf9, 0xe9, 0xed, 0x71, 0x9f, 0x51, 0xe4, 0xdb, 0xa3,
-	0xbe, 0x80, 0x59, 0x13, 0xb6, 0xed, 0x35, 0x7d, 0x23, 0x00, 0x05, 0xbd, 0xe7, 0x71, 0xf7, 0x75,
-	0xa1, 0xd9, 0x11, 0x1c, 0x34, 0x1e, 0x71, 0x85, 0x2d, 0xf3, 0xf9, 0x3e, 0xed, 0xba, 0x9f, 0x38,
-	0xb7, 0xbf, 0xa2, 0xda, 0x50, 0xa4, 0x66, 0x6b, 0x92, 0xcd, 0x11, 0x6d, 0x3b, 0xf2, 0xd8, 0x37,
-	0x56, 0x29, 0x1f, 0xc3, 0xa8, 0x3d, 0x5d, 0x08, 0x3e, 0x26, 0x0f, 0x68, 0x0e, 0x16, 0xc2, 0x8e,
-	0x4d, 0x9a, 0xa4, 0x2b, 0x8c, 0x0b, 0x83, 0x2a, 0x31, 0x52, 0xf1, 0x09, 0xf9, 0x4c, 0x08, 0x3d,
-	0xf5, 0xa0, 0xad, 0x44, 0x59, 0xaf, 0x63, 0xbd, 0x4a, 0x54, 0xa6, 0x39, 0xa3, 0x88, 0x86, 0x65,
-	0xbd, 0x3e, 0x27, 0x20, 0xfc, 0x57, 0x40, 0xdf, 0x83, 0x8e, 0xdb, 0xee, 0xb2, 0x61, 0x1f, 0x43,
-	0x57, 0xc8, 0x9c, 0x07, 0xc4, 0xcd, 0xbb, 0x1b, 0x2c, 0xb9, 0xf9, 0xc6, 0x88, 0xac, 0xc7, 0x06,
-	0xa3, 0x3a, 0xef, 0xc1, 0xa8, 0x10, 0x26, 0x22, 0xd1, 0x26, 0x6e, 0xf9, 0xe9, 0xc8, 0x3b, 0xb2,
-	0xe0, 0x89, 0xe3, 0x68, 0xf8, 0x9f, 0x80, 0x46, 0xed, 0x8d, 0xfd, 0xac, 0x89, 0x30, 0x95, 0xea,
-	0xf6, 0x4c, 0x05, 0xb7, 0x86, 0xf3, 0xd6, 0x3c, 0x74, 0x5c, 0x7e, 0xff, 0x7f, 0x1e, 0xba, 0x64,
-	0x6c, 0xe7, 0xa1, 0xe5, 0xd9, 0xce, 0x26, 0xcf, 0x1e, 0x01, 0x18, 0x69, 0x12, 0xe1, 0xee, 0xe1,
-	0x9e, 0x9b, 0x2f, 0x42, 0xe8, 0x12, 0xe6, 0xd0, 0x57, 0x14, 0x97, 0xe6, 0xbb, 0x6e, 0x3b, 0xbf,
-	0x0c, 0xff, 0xdd, 0xa1, 0x4a, 0xfa, 0xd0, 0x7f, 0x8b, 0x4c, 0xfc, 0x7c, 0xc4, 0x7b, 0xbf, 0x36,
-	0xe2, 0xbd, 0xcd, 0x11, 0x9f, 0xd9, 0xcf, 0x11, 0x51, 0x1b, 0xbb, 0xf7, 0x4a, 0xd6, 0x4a, 0x53,
-	0x0a, 0x93, 0xe3, 0xe0, 0xb3, 0x68, 0x7a, 0x63, 0xfa, 0xc6, 0x5a, 0xec, 0x25, 0xe3, 0x07, 0xa7,
-	0xd1, 0x23, 0x97, 0xd4, 0x20, 0x9a, 0x7a, 0xdc, 0x8b, 0x0e, 0x7d, 0xa0, 0xd4, 0x36, 0xb1, 0x56,
-	0xb8, 0xdc, 0xa8, 0x8f, 0x09, 0x6c, 0xa4, 0xe9, 0x29, 0x4c, 0x9a, 0x7d, 0x62, 0x59, 0x8a, 0x6b,
-	0x3f, 0xe2, 0xe3, 0x06, 0x3c, 0x2b, 0xc5, 0x75, 0x78, 0x45, 0x2a, 0xed, 0xab, 0xe4, 0x09, 0x77,
-	0x04, 0x3d, 0xda, 0xc8, 0x53, 0xee, 0xfe, 0x36, 0x8d, 0x36, 0xc8, 0x10, 0x39, 0x3f, 0xf6, 0x05,
-	0xf4, 0x75, 0xbd, 0x5e, 0x27, 0xea, 0xda, 0x33, 0xef, 0x57, 0x5e, 0x69, 0x3c, 0xbf, 0xea, 0xfd,
-	0xdd, 0x92, 0xf6, 0x7f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x70, 0xd9, 0xa0, 0xf8, 0x48, 0x0d, 0x00,
-	0x00,
-}
diff --git a/vendor/google.golang.org/appengine/internal/log/log_service.proto b/vendor/google.golang.org/appengine/internal/log/log_service.proto
deleted file mode 100644
index 8981dc475..000000000
--- a/vendor/google.golang.org/appengine/internal/log/log_service.proto
+++ /dev/null
@@ -1,150 +0,0 @@
-syntax = "proto2";
-option go_package = "log";
-
-package appengine;
-
-message LogServiceError {
-  enum ErrorCode {
-    OK  = 0;
-    INVALID_REQUEST = 1;
-    STORAGE_ERROR = 2;
-  }
-}
-
-message UserAppLogLine {
-  required int64 timestamp_usec = 1;
-  required int64 level = 2;
-  required string message = 3;
-}
-
-message UserAppLogGroup {
-  repeated UserAppLogLine log_line = 2;
-}
-
-message FlushRequest {
-  optional bytes logs = 1;
-}
-
-message SetStatusRequest {
-  required string status = 1;
-}
-
-
-message LogOffset {
-  optional bytes request_id = 1;
-}
-
-message LogLine {
-  required int64 time = 1;
-  required int32 level = 2;
-  required string log_message = 3;
-}
-
-message RequestLog {
-  required string app_id = 1;
-  optional string module_id = 37 [default="default"];
-  required string version_id = 2;
-  required bytes request_id = 3;
-  optional LogOffset offset = 35;
-  required string ip = 4;
-  optional string nickname = 5;
-  required int64 start_time = 6;
-  required int64 end_time = 7;
-  required int64 latency = 8;
-  required int64 mcycles = 9;
-  required string method = 10;
-  required string resource = 11;
-  required string http_version = 12;
-  required int32 status = 13;
-  required int64 response_size = 14;
-  optional string referrer = 15;
-  optional string user_agent = 16;
-  required string url_map_entry = 17;
-  required string combined = 18;
-  optional int64 api_mcycles = 19;
-  optional string host = 20;
-  optional double cost = 21;
-
-  optional string task_queue_name = 22;
-  optional string task_name = 23;
-
-  optional bool was_loading_request = 24;
-  optional int64 pending_time = 25;
-  optional int32 replica_index = 26 [default = -1];
-  optional bool finished = 27 [default = true];
-  optional bytes clone_key = 28;
-
-  repeated LogLine line = 29;
-
-  optional bool lines_incomplete = 36;
-  optional bytes app_engine_release = 38;
-
-  optional int32 exit_reason = 30;
-  optional bool was_throttled_for_time = 31;
-  optional bool was_throttled_for_requests = 32;
-  optional int64 throttled_time = 33;
-
-  optional bytes server_name = 34;
-}
-
-message LogModuleVersion {
-  optional string module_id = 1 [default="default"];
-  optional string version_id = 2;
-}
-
-message LogReadRequest {
-  required string app_id = 1;
-  repeated string version_id = 2;
-  repeated LogModuleVersion module_version = 19;
-
-  optional int64 start_time = 3;
-  optional int64 end_time = 4;
-  optional LogOffset offset = 5;
-  repeated bytes request_id = 6;
-
-  optional int32 minimum_log_level = 7;
-  optional bool include_incomplete = 8;
-  optional int64 count = 9;
-
-  optional string combined_log_regex = 14;
-  optional string host_regex = 15;
-  optional int32 replica_index = 16;
-
-  optional bool include_app_logs = 10;
-  optional int32 app_logs_per_request = 17;
-  optional bool include_host = 11;
-  optional bool include_all = 12;
-  optional bool cache_iterator = 13;
-  optional int32 num_shards = 18;
-}
-
-message LogReadResponse {
-  repeated RequestLog log = 1;
-  optional LogOffset offset = 2;
-  optional int64 last_end_time = 3;
-}
-
-message LogUsageRecord {
-  optional string version_id = 1;
-  optional int32 start_time = 2;
-  optional int32 end_time = 3;
-  optional int64 count = 4;
-  optional int64 total_size = 5;
-  optional int32 records = 6;
-}
-
-message LogUsageRequest {
-  required string app_id = 1;
-  repeated string version_id = 2;
-  optional int32 start_time = 3;
-  optional int32 end_time = 4;
-  optional uint32 resolution_hours = 5 [default = 1];
-  optional bool combine_versions = 6;
-  optional int32 usage_version = 7;
-  optional bool versions_only = 8;
-}
-
-message LogUsageResponse {
-  repeated LogUsageRecord usage = 1;
-  optional LogUsageRecord summary = 2;
-}
diff --git a/vendor/google.golang.org/appengine/internal/main.go b/vendor/google.golang.org/appengine/internal/main.go
deleted file mode 100644
index afd0ae84f..000000000
--- a/vendor/google.golang.org/appengine/internal/main.go
+++ /dev/null
@@ -1,17 +0,0 @@
-// Copyright 2011 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-//go:build appengine
-// +build appengine
-
-package internal
-
-import (
-	"appengine_internal"
-)
-
-func Main() {
-	MainPath = ""
-	appengine_internal.Main()
-}
diff --git a/vendor/google.golang.org/appengine/internal/main_common.go b/vendor/google.golang.org/appengine/internal/main_common.go
deleted file mode 100644
index 357dce4dd..000000000
--- a/vendor/google.golang.org/appengine/internal/main_common.go
+++ /dev/null
@@ -1,7 +0,0 @@
-package internal
-
-// MainPath stores the file path of the main package. On App Engine Standard
-// using Go version 1.9 and below, this will be unset. On App Engine Flex and
-// App Engine Standard second-gen (Go 1.11 and above), this will be the
-// filepath to package main.
-var MainPath string
diff --git a/vendor/google.golang.org/appengine/internal/main_vm.go b/vendor/google.golang.org/appengine/internal/main_vm.go
deleted file mode 100644
index 86a8caf06..000000000
--- a/vendor/google.golang.org/appengine/internal/main_vm.go
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright 2011 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-//go:build !appengine
-// +build !appengine
-
-package internal
-
-import (
-	"io"
-	"log"
-	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
-	"runtime"
-)
-
-func Main() {
-	MainPath = filepath.Dir(findMainPath())
-	installHealthChecker(http.DefaultServeMux)
-
-	port := "8080"
-	if s := os.Getenv("PORT"); s != "" {
-		port = s
-	}
-
-	host := ""
-	if IsDevAppServer() {
-		host = "127.0.0.1"
-	}
-	if err := http.ListenAndServe(host+":"+port, Middleware(http.DefaultServeMux)); err != nil {
-		log.Fatalf("http.ListenAndServe: %v", err)
-	}
-}
-
-// Find the path to package main by looking at the root Caller.
-func findMainPath() string {
-	pc := make([]uintptr, 100)
-	n := runtime.Callers(2, pc)
-	frames := runtime.CallersFrames(pc[:n])
-	for {
-		frame, more := frames.Next()
-		// Tests won't have package main, instead they have testing.tRunner
-		if frame.Function == "main.main" || frame.Function == "testing.tRunner" {
-			return frame.File
-		}
-		if !more {
-			break
-		}
-	}
-	return ""
-}
-
-func installHealthChecker(mux *http.ServeMux) {
-	// If no health check handler has been installed by this point, add a trivial one.
-	const healthPath = "/_ah/health"
-	hreq := &http.Request{
-		Method: "GET",
-		URL: &url.URL{
-			Path: healthPath,
-		},
-	}
-	if _, pat := mux.Handler(hreq); pat != healthPath {
-		mux.HandleFunc(healthPath, func(w http.ResponseWriter, r *http.Request) {
-			io.WriteString(w, "ok")
-		})
-	}
-}
diff --git a/vendor/google.golang.org/appengine/internal/metadata.go b/vendor/google.golang.org/appengine/internal/metadata.go
deleted file mode 100644
index c4ba63bb4..000000000
--- a/vendor/google.golang.org/appengine/internal/metadata.go
+++ /dev/null
@@ -1,60 +0,0 @@
-// Copyright 2014 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-package internal
-
-// This file has code for accessing metadata.
-//
-// References:
-//	https://cloud.google.com/compute/docs/metadata
-
-import (
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"net/url"
-)
-
-const (
-	metadataHost = "metadata"
-	metadataPath = "/computeMetadata/v1/"
-)
-
-var (
-	metadataRequestHeaders = http.Header{
-		"Metadata-Flavor": []string{"Google"},
-	}
-)
-
-// TODO(dsymonds): Do we need to support default values, like Python?
-func mustGetMetadata(key string) []byte {
-	b, err := getMetadata(key)
-	if err != nil {
-		panic(fmt.Sprintf("Metadata fetch failed for '%s': %v", key, err))
-	}
-	return b
-}
-
-func getMetadata(key string) ([]byte, error) {
-	// TODO(dsymonds): May need to use url.Parse to support keys with query args.
-	req := &http.Request{
-		Method: "GET",
-		URL: &url.URL{
-			Scheme: "http",
-			Host:   metadataHost,
-			Path:   metadataPath + key,
-		},
-		Header: metadataRequestHeaders,
-		Host:   metadataHost,
-	}
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != 200 {
-		return nil, fmt.Errorf("metadata server returned HTTP %d", resp.StatusCode)
-	}
-	return ioutil.ReadAll(resp.Body)
-}
diff --git a/vendor/google.golang.org/appengine/internal/net.go b/vendor/google.golang.org/appengine/internal/net.go
deleted file mode 100644
index fe429720e..000000000
--- a/vendor/google.golang.org/appengine/internal/net.go
+++ /dev/null
@@ -1,56 +0,0 @@
-// Copyright 2014 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-package internal
-
-// This file implements a network dialer that limits the number of concurrent connections.
-// It is only used for API calls.
-
-import (
-	"log"
-	"net"
-	"runtime"
-	"sync"
-	"time"
-)
-
-var limitSem = make(chan int, 100) // TODO(dsymonds): Use environment variable.
-
-func limitRelease() {
-	// non-blocking
-	select {
-	case <-limitSem:
-	default:
-		// This should not normally happen.
-		log.Print("appengine: unbalanced limitSem release!")
-	}
-}
-
-func limitDial(network, addr string) (net.Conn, error) {
-	limitSem <- 1
-
-	// Dial with a timeout in case the API host is MIA.
-	// The connection should normally be very fast.
-	conn, err := net.DialTimeout(network, addr, 10*time.Second)
-	if err != nil {
-		limitRelease()
-		return nil, err
-	}
-	lc := &limitConn{Conn: conn}
-	runtime.SetFinalizer(lc, (*limitConn).Close) // shouldn't usually be required
-	return lc, nil
-}
-
-type limitConn struct {
-	close sync.Once
-	net.Conn
-}
-
-func (lc *limitConn) Close() error {
-	defer lc.close.Do(func() {
-		limitRelease()
-		runtime.SetFinalizer(lc, nil)
-	})
-	return lc.Conn.Close()
-}
diff --git a/vendor/google.golang.org/appengine/internal/regen.sh b/vendor/google.golang.org/appengine/internal/regen.sh
deleted file mode 100644
index 2fdb546a6..000000000
--- a/vendor/google.golang.org/appengine/internal/regen.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/bash -e
-#
-# This script rebuilds the generated code for the protocol buffers.
-# To run this you will need protoc and goprotobuf installed;
-# see https://github.com/golang/protobuf for instructions.
-
-PKG=google.golang.org/appengine
-
-function die() {
-	echo 1>&2 $*
-	exit 1
-}
-
-# Sanity check that the right tools are accessible.
-for tool in go protoc protoc-gen-go; do
-	q=$(which $tool) || die "didn't find $tool"
-	echo 1>&2 "$tool: $q"
-done
-
-echo -n 1>&2 "finding package dir... "
-pkgdir=$(go list -f '{{.Dir}}' $PKG)
-echo 1>&2 $pkgdir
-base=$(echo $pkgdir | sed "s,/$PKG\$,,")
-echo 1>&2 "base: $base"
-cd $base
-
-# Run protoc once per package.
-for dir in $(find $PKG/internal -name '*.proto' | xargs dirname | sort | uniq); do
-	echo 1>&2 "* $dir"
-	protoc --go_out=. $dir/*.proto
-done
-
-for f in $(find $PKG/internal -name '*.pb.go'); do
-  # Remove proto.RegisterEnum calls.
-  # These cause duplicate registration panics when these packages
-  # are used on classic App Engine. proto.RegisterEnum only affects
-  # parsing the text format; we don't care about that.
-  # https://code.google.com/p/googleappengine/issues/detail?id=11670#c17
-  sed -i '/proto.RegisterEnum/d' $f
-done
diff --git a/vendor/google.golang.org/appengine/internal/remote_api/remote_api.pb.go b/vendor/google.golang.org/appengine/internal/remote_api/remote_api.pb.go
deleted file mode 100644
index 8d782a38e..000000000
--- a/vendor/google.golang.org/appengine/internal/remote_api/remote_api.pb.go
+++ /dev/null
@@ -1,361 +0,0 @@
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// source: google.golang.org/appengine/internal/remote_api/remote_api.proto
-
-package remote_api
-
-import proto "github.com/golang/protobuf/proto"
-import fmt "fmt"
-import math "math"
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
-
-type RpcError_ErrorCode int32
-
-const (
-	RpcError_UNKNOWN             RpcError_ErrorCode = 0
-	RpcError_CALL_NOT_FOUND      RpcError_ErrorCode = 1
-	RpcError_PARSE_ERROR         RpcError_ErrorCode = 2
-	RpcError_SECURITY_VIOLATION  RpcError_ErrorCode = 3
-	RpcError_OVER_QUOTA          RpcError_ErrorCode = 4
-	RpcError_REQUEST_TOO_LARGE   RpcError_ErrorCode = 5
-	RpcError_CAPABILITY_DISABLED RpcError_ErrorCode = 6
-	RpcError_FEATURE_DISABLED    RpcError_ErrorCode = 7
-	RpcError_BAD_REQUEST         RpcError_ErrorCode = 8
-	RpcError_RESPONSE_TOO_LARGE  RpcError_ErrorCode = 9
-	RpcError_CANCELLED           RpcError_ErrorCode = 10
-	RpcError_REPLAY_ERROR        RpcError_ErrorCode = 11
-	RpcError_DEADLINE_EXCEEDED   RpcError_ErrorCode = 12
-)
-
-var RpcError_ErrorCode_name = map[int32]string{
-	0:  "UNKNOWN",
-	1:  "CALL_NOT_FOUND",
-	2:  "PARSE_ERROR",
-	3:  "SECURITY_VIOLATION",
-	4:  "OVER_QUOTA",
-	5:  "REQUEST_TOO_LARGE",
-	6:  "CAPABILITY_DISABLED",
-	7:  "FEATURE_DISABLED",
-	8:  "BAD_REQUEST",
-	9:  "RESPONSE_TOO_LARGE",
-	10: "CANCELLED",
-	11: "REPLAY_ERROR",
-	12: "DEADLINE_EXCEEDED",
-}
-var RpcError_ErrorCode_value = map[string]int32{
-	"UNKNOWN":             0,
-	"CALL_NOT_FOUND":      1,
-	"PARSE_ERROR":         2,
-	"SECURITY_VIOLATION":  3,
-	"OVER_QUOTA":          4,
-	"REQUEST_TOO_LARGE":   5,
-	"CAPABILITY_DISABLED": 6,
-	"FEATURE_DISABLED":    7,
-	"BAD_REQUEST":         8,
-	"RESPONSE_TOO_LARGE":  9,
-	"CANCELLED":           10,
-	"REPLAY_ERROR":        11,
-	"DEADLINE_EXCEEDED":   12,
-}
-
-func (x RpcError_ErrorCode) Enum() *RpcError_ErrorCode {
-	p := new(RpcError_ErrorCode)
-	*p = x
-	return p
-}
-func (x RpcError_ErrorCode) String() string {
-	return proto.EnumName(RpcError_ErrorCode_name, int32(x))
-}
-func (x *RpcError_ErrorCode) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(RpcError_ErrorCode_value, data, "RpcError_ErrorCode")
-	if err != nil {
-		return err
-	}
-	*x = RpcError_ErrorCode(value)
-	return nil
-}
-func (RpcError_ErrorCode) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_remote_api_1978114ec33a273d, []int{2, 0}
-}
-
-type Request struct {
-	ServiceName          *string  `protobuf:"bytes,2,req,name=service_name,json=serviceName" json:"service_name,omitempty"`
-	Method               *string  `protobuf:"bytes,3,req,name=method" json:"method,omitempty"`
-	Request              []byte   `protobuf:"bytes,4,req,name=request" json:"request,omitempty"`
-	RequestId            *string  `protobuf:"bytes,5,opt,name=request_id,json=requestId" json:"request_id,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *Request) Reset()         { *m = Request{} }
-func (m *Request) String() string { return proto.CompactTextString(m) }
-func (*Request) ProtoMessage()    {}
-func (*Request) Descriptor() ([]byte, []int) {
-	return fileDescriptor_remote_api_1978114ec33a273d, []int{0}
-}
-func (m *Request) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Request.Unmarshal(m, b)
-}
-func (m *Request) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Request.Marshal(b, m, deterministic)
-}
-func (dst *Request) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Request.Merge(dst, src)
-}
-func (m *Request) XXX_Size() int {
-	return xxx_messageInfo_Request.Size(m)
-}
-func (m *Request) XXX_DiscardUnknown() {
-	xxx_messageInfo_Request.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Request proto.InternalMessageInfo
-
-func (m *Request) GetServiceName() string {
-	if m != nil && m.ServiceName != nil {
-		return *m.ServiceName
-	}
-	return ""
-}
-
-func (m *Request) GetMethod() string {
-	if m != nil && m.Method != nil {
-		return *m.Method
-	}
-	return ""
-}
-
-func (m *Request) GetRequest() []byte {
-	if m != nil {
-		return m.Request
-	}
-	return nil
-}
-
-func (m *Request) GetRequestId() string {
-	if m != nil && m.RequestId != nil {
-		return *m.RequestId
-	}
-	return ""
-}
-
-type ApplicationError struct {
-	Code                 *int32   `protobuf:"varint,1,req,name=code" json:"code,omitempty"`
-	Detail               *string  `protobuf:"bytes,2,req,name=detail" json:"detail,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *ApplicationError) Reset()         { *m = ApplicationError{} }
-func (m *ApplicationError) String() string { return proto.CompactTextString(m) }
-func (*ApplicationError) ProtoMessage()    {}
-func (*ApplicationError) Descriptor() ([]byte, []int) {
-	return fileDescriptor_remote_api_1978114ec33a273d, []int{1}
-}
-func (m *ApplicationError) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_ApplicationError.Unmarshal(m, b)
-}
-func (m *ApplicationError) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_ApplicationError.Marshal(b, m, deterministic)
-}
-func (dst *ApplicationError) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ApplicationError.Merge(dst, src)
-}
-func (m *ApplicationError) XXX_Size() int {
-	return xxx_messageInfo_ApplicationError.Size(m)
-}
-func (m *ApplicationError) XXX_DiscardUnknown() {
-	xxx_messageInfo_ApplicationError.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_ApplicationError proto.InternalMessageInfo
-
-func (m *ApplicationError) GetCode() int32 {
-	if m != nil && m.Code != nil {
-		return *m.Code
-	}
-	return 0
-}
-
-func (m *ApplicationError) GetDetail() string {
-	if m != nil && m.Detail != nil {
-		return *m.Detail
-	}
-	return ""
-}
-
-type RpcError struct {
-	Code                 *int32   `protobuf:"varint,1,req,name=code" json:"code,omitempty"`
-	Detail               *string  `protobuf:"bytes,2,opt,name=detail" json:"detail,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *RpcError) Reset()         { *m = RpcError{} }
-func (m *RpcError) String() string { return proto.CompactTextString(m) }
-func (*RpcError) ProtoMessage()    {}
-func (*RpcError) Descriptor() ([]byte, []int) {
-	return fileDescriptor_remote_api_1978114ec33a273d, []int{2}
-}
-func (m *RpcError) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_RpcError.Unmarshal(m, b)
-}
-func (m *RpcError) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_RpcError.Marshal(b, m, deterministic)
-}
-func (dst *RpcError) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_RpcError.Merge(dst, src)
-}
-func (m *RpcError) XXX_Size() int {
-	return xxx_messageInfo_RpcError.Size(m)
-}
-func (m *RpcError) XXX_DiscardUnknown() {
-	xxx_messageInfo_RpcError.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_RpcError proto.InternalMessageInfo
-
-func (m *RpcError) GetCode() int32 {
-	if m != nil && m.Code != nil {
-		return *m.Code
-	}
-	return 0
-}
-
-func (m *RpcError) GetDetail() string {
-	if m != nil && m.Detail != nil {
-		return *m.Detail
-	}
-	return ""
-}
-
-type Response struct {
-	Response             []byte            `protobuf:"bytes,1,opt,name=response" json:"response,omitempty"`
-	Exception            []byte            `protobuf:"bytes,2,opt,name=exception" json:"exception,omitempty"`
-	ApplicationError     *ApplicationError `protobuf:"bytes,3,opt,name=application_error,json=applicationError" json:"application_error,omitempty"`
-	JavaException        []byte            `protobuf:"bytes,4,opt,name=java_exception,json=javaException" json:"java_exception,omitempty"`
-	RpcError             *RpcError         `protobuf:"bytes,5,opt,name=rpc_error,json=rpcError" json:"rpc_error,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
-}
-
-func (m *Response) Reset()         { *m = Response{} }
-func (m *Response) String() string { return proto.CompactTextString(m) }
-func (*Response) ProtoMessage()    {}
-func (*Response) Descriptor() ([]byte, []int) {
-	return fileDescriptor_remote_api_1978114ec33a273d, []int{3}
-}
-func (m *Response) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Response.Unmarshal(m, b)
-}
-func (m *Response) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Response.Marshal(b, m, deterministic)
-}
-func (dst *Response) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Response.Merge(dst, src)
-}
-func (m *Response) XXX_Size() int {
-	return xxx_messageInfo_Response.Size(m)
-}
-func (m *Response) XXX_DiscardUnknown() {
-	xxx_messageInfo_Response.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_Response proto.InternalMessageInfo
-
-func (m *Response) GetResponse() []byte {
-	if m != nil {
-		return m.Response
-	}
-	return nil
-}
-
-func (m *Response) GetException() []byte {
-	if m != nil {
-		return m.Exception
-	}
-	return nil
-}
-
-func (m *Response) GetApplicationError() *ApplicationError {
-	if m != nil {
-		return m.ApplicationError
-	}
-	return nil
-}
-
-func (m *Response) GetJavaException() []byte {
-	if m != nil {
-		return m.JavaException
-	}
-	return nil
-}
-
-func (m *Response) GetRpcError() *RpcError {
-	if m != nil {
-		return m.RpcError
-	}
-	return nil
-}
-
-func init() {
-	proto.RegisterType((*Request)(nil), "remote_api.Request")
-	proto.RegisterType((*ApplicationError)(nil), "remote_api.ApplicationError")
-	proto.RegisterType((*RpcError)(nil), "remote_api.RpcError")
-	proto.RegisterType((*Response)(nil), "remote_api.Response")
-}
-
-func init() {
-	proto.RegisterFile("google.golang.org/appengine/internal/remote_api/remote_api.proto", fileDescriptor_remote_api_1978114ec33a273d)
-}
-
-var fileDescriptor_remote_api_1978114ec33a273d = []byte{
-	// 531 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x93, 0x51, 0x6e, 0xd3, 0x40,
-	0x10, 0x86, 0xb1, 0x9b, 0x34, 0xf1, 0xc4, 0x2d, 0xdb, 0xa5, 0x14, 0x0b, 0x15, 0x29, 0x44, 0x42,
-	0xca, 0x53, 0x2a, 0x38, 0x00, 0x62, 0x63, 0x6f, 0x91, 0x85, 0x65, 0xa7, 0x6b, 0xbb, 0x50, 0x5e,
-	0x56, 0x2b, 0x67, 0x65, 0x8c, 0x12, 0xaf, 0xd9, 0x98, 0x8a, 0x17, 0x6e, 0xc0, 0xb5, 0x38, 0x0c,
-	0xb7, 0x40, 0x36, 0x6e, 0x63, 0xf5, 0x89, 0xb7, 0x7f, 0x7e, 0x7b, 0xe6, 0x1b, 0xcd, 0xcc, 0xc2,
-	0xbb, 0x5c, 0xa9, 0x7c, 0x23, 0x17, 0xb9, 0xda, 0x88, 0x32, 0x5f, 0x28, 0x9d, 0x5f, 0x88, 0xaa,
-	0x92, 0x65, 0x5e, 0x94, 0xf2, 0xa2, 0x28, 0x6b, 0xa9, 0x4b, 0xb1, 0xb9, 0xd0, 0x72, 0xab, 0x6a,
-	0xc9, 0x45, 0x55, 0xf4, 0xe4, 0xa2, 0xd2, 0xaa, 0x56, 0x18, 0xf6, 0xce, 0xec, 0x27, 0x8c, 0x98,
-	0xfc, 0xf6, 0x5d, 0xee, 0x6a, 0xfc, 0x12, 0xec, 0x9d, 0xd4, 0xb7, 0x45, 0x26, 0x79, 0x29, 0xb6,
-	0xd2, 0x31, 0xa7, 0xe6, 0xdc, 0x62, 0x93, 0xce, 0x0b, 0xc5, 0x56, 0xe2, 0x33, 0x38, 0xdc, 0xca,
-	0xfa, 0x8b, 0x5a, 0x3b, 0x07, 0xed, 0xc7, 0x2e, 0xc2, 0x0e, 0x8c, 0xf4, 0xbf, 0x2a, 0xce, 0x60,
-	0x6a, 0xce, 0x6d, 0x76, 0x17, 0xe2, 0x17, 0x00, 0x9d, 0xe4, 0xc5, 0xda, 0x19, 0x4e, 0x8d, 0xb9,
-	0xc5, 0xac, 0xce, 0xf1, 0xd7, 0xb3, 0xb7, 0x80, 0x48, 0x55, 0x6d, 0x8a, 0x4c, 0xd4, 0x85, 0x2a,
-	0xa9, 0xd6, 0x4a, 0x63, 0x0c, 0x83, 0x4c, 0xad, 0xa5, 0x63, 0x4c, 0xcd, 0xf9, 0x90, 0xb5, 0xba,
-	0x01, 0xaf, 0x65, 0x2d, 0x8a, 0x4d, 0xd7, 0x55, 0x17, 0xcd, 0x7e, 0x9b, 0x30, 0x66, 0x55, 0xf6,
-	0x7f, 0x89, 0x46, 0x2f, 0xf1, 0x97, 0x09, 0x56, 0x9b, 0xe5, 0x36, 0x7f, 0x4d, 0x60, 0x94, 0x86,
-	0x1f, 0xc2, 0xe8, 0x63, 0x88, 0x1e, 0x61, 0x0c, 0xc7, 0x2e, 0x09, 0x02, 0x1e, 0x46, 0x09, 0xbf,
-	0x8c, 0xd2, 0xd0, 0x43, 0x06, 0x7e, 0x0c, 0x93, 0x15, 0x61, 0x31, 0xe5, 0x94, 0xb1, 0x88, 0x21,
-	0x13, 0x9f, 0x01, 0x8e, 0xa9, 0x9b, 0x32, 0x3f, 0xb9, 0xe1, 0xd7, 0x7e, 0x14, 0x90, 0xc4, 0x8f,
-	0x42, 0x74, 0x80, 0x8f, 0x01, 0xa2, 0x6b, 0xca, 0xf8, 0x55, 0x1a, 0x25, 0x04, 0x0d, 0xf0, 0x53,
-	0x38, 0x61, 0xf4, 0x2a, 0xa5, 0x71, 0xc2, 0x93, 0x28, 0xe2, 0x01, 0x61, 0xef, 0x29, 0x1a, 0xe2,
-	0x67, 0xf0, 0xc4, 0x25, 0x2b, 0xb2, 0xf4, 0x83, 0xa6, 0x80, 0xe7, 0xc7, 0x64, 0x19, 0x50, 0x0f,
-	0x1d, 0xe2, 0x53, 0x40, 0x97, 0x94, 0x24, 0x29, 0xa3, 0x7b, 0x77, 0xd4, 0xe0, 0x97, 0xc4, 0xe3,
-	0x5d, 0x25, 0x34, 0x6e, 0xf0, 0x8c, 0xc6, 0xab, 0x28, 0x8c, 0x69, 0xaf, 0xae, 0x85, 0x8f, 0xc0,
-	0x72, 0x49, 0xe8, 0xd2, 0xa0, 0xc9, 0x03, 0x8c, 0xc0, 0x66, 0x74, 0x15, 0x90, 0x9b, 0xae, 0xef,
-	0x49, 0xd3, 0x8f, 0x47, 0x89, 0x17, 0xf8, 0x21, 0xe5, 0xf4, 0x93, 0x4b, 0xa9, 0x47, 0x3d, 0x64,
-	0xcf, 0xfe, 0x18, 0x30, 0x66, 0x72, 0x57, 0xa9, 0x72, 0x27, 0xf1, 0x73, 0x18, 0xeb, 0x4e, 0x3b,
-	0xc6, 0xd4, 0x98, 0xdb, 0xec, 0x3e, 0xc6, 0xe7, 0x60, 0xc9, 0x1f, 0x99, 0xac, 0x9a, 0x75, 0xb5,
-	0x23, 0xb5, 0xd9, 0xde, 0xc0, 0x3e, 0x9c, 0x88, 0xfd, 0x3a, 0xb9, 0x6c, 0x06, 0xec, 0x1c, 0x4c,
-	0x8d, 0xf9, 0xe4, 0xcd, 0xf9, 0xa2, 0x77, 0x87, 0x0f, 0x77, 0xce, 0x90, 0x78, 0x78, 0x05, 0xaf,
-	0xe0, 0xf8, 0xab, 0xb8, 0x15, 0x7c, 0x4f, 0x1b, 0xb4, 0xb4, 0xa3, 0xc6, 0xa5, 0xf7, 0xc4, 0xd7,
-	0x60, 0xe9, 0x2a, 0xeb, 0x48, 0xc3, 0x96, 0x74, 0xda, 0x27, 0xdd, 0x1d, 0x07, 0x1b, 0xeb, 0x4e,
-	0x2d, 0xed, 0xcf, 0xbd, 0x07, 0xf0, 0x37, 0x00, 0x00, 0xff, 0xff, 0x38, 0xd1, 0x0f, 0x22, 0x4f,
-	0x03, 0x00, 0x00,
-}
diff --git a/vendor/google.golang.org/appengine/internal/remote_api/remote_api.proto b/vendor/google.golang.org/appengine/internal/remote_api/remote_api.proto
deleted file mode 100644
index f21763a4e..000000000
--- a/vendor/google.golang.org/appengine/internal/remote_api/remote_api.proto
+++ /dev/null
@@ -1,44 +0,0 @@
-syntax = "proto2";
-option go_package = "remote_api";
-
-package remote_api;
-
-message Request {
-  required string service_name = 2;
-  required string method = 3;
-  required bytes request = 4;
-  optional string request_id = 5;
-}
-
-message ApplicationError {
-  required int32 code = 1;
-  required string detail = 2;
-}
-
-message RpcError {
-  enum ErrorCode {
-    UNKNOWN = 0;
-    CALL_NOT_FOUND = 1;
-    PARSE_ERROR = 2;
-    SECURITY_VIOLATION = 3;
-    OVER_QUOTA = 4;
-    REQUEST_TOO_LARGE = 5;
-    CAPABILITY_DISABLED = 6;
-    FEATURE_DISABLED = 7;
-    BAD_REQUEST = 8;
-    RESPONSE_TOO_LARGE = 9;
-    CANCELLED = 10;
-    REPLAY_ERROR = 11;
-    DEADLINE_EXCEEDED = 12;
-  }
-  required int32 code = 1;
-  optional string detail = 2;
-}
-
-message Response {
-  optional bytes response = 1;
-  optional bytes exception = 2;
-  optional ApplicationError application_error = 3;
-  optional bytes java_exception = 4;
-  optional RpcError rpc_error = 5;
-}
diff --git a/vendor/google.golang.org/appengine/internal/transaction.go b/vendor/google.golang.org/appengine/internal/transaction.go
deleted file mode 100644
index 2ae8ab9fa..000000000
--- a/vendor/google.golang.org/appengine/internal/transaction.go
+++ /dev/null
@@ -1,115 +0,0 @@
-// Copyright 2014 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-package internal
-
-// This file implements hooks for applying datastore transactions.
-
-import (
-	"context"
-	"errors"
-	"reflect"
-
-	"github.com/golang/protobuf/proto"
-
-	basepb "google.golang.org/appengine/internal/base"
-	pb "google.golang.org/appengine/internal/datastore"
-)
-
-var transactionSetters = make(map[reflect.Type]reflect.Value)
-
-// RegisterTransactionSetter registers a function that sets transaction information
-// in a protocol buffer message. f should be a function with two arguments,
-// the first being a protocol buffer type, and the second being *datastore.Transaction.
-func RegisterTransactionSetter(f interface{}) {
-	v := reflect.ValueOf(f)
-	transactionSetters[v.Type().In(0)] = v
-}
-
-// applyTransaction applies the transaction t to message pb
-// by using the relevant setter passed to RegisterTransactionSetter.
-func applyTransaction(pb proto.Message, t *pb.Transaction) {
-	v := reflect.ValueOf(pb)
-	if f, ok := transactionSetters[v.Type()]; ok {
-		f.Call([]reflect.Value{v, reflect.ValueOf(t)})
-	}
-}
-
-var transactionKey = "used for *Transaction"
-
-func transactionFromContext(ctx context.Context) *transaction {
-	t, _ := ctx.Value(&transactionKey).(*transaction)
-	return t
-}
-
-func withTransaction(ctx context.Context, t *transaction) context.Context {
-	return context.WithValue(ctx, &transactionKey, t)
-}
-
-type transaction struct {
-	transaction pb.Transaction
-	finished    bool
-}
-
-var ErrConcurrentTransaction = errors.New("internal: concurrent transaction")
-
-func RunTransactionOnce(c context.Context, f func(context.Context) error, xg bool, readOnly bool, previousTransaction *pb.Transaction) (*pb.Transaction, error) {
-	if transactionFromContext(c) != nil {
-		return nil, errors.New("nested transactions are not supported")
-	}
-
-	// Begin the transaction.
-	t := &transaction{}
-	req := &pb.BeginTransactionRequest{
-		App: proto.String(FullyQualifiedAppID(c)),
-	}
-	if xg {
-		req.AllowMultipleEg = proto.Bool(true)
-	}
-	if previousTransaction != nil {
-		req.PreviousTransaction = previousTransaction
-	}
-	if readOnly {
-		req.Mode = pb.BeginTransactionRequest_READ_ONLY.Enum()
-	} else {
-		req.Mode = pb.BeginTransactionRequest_READ_WRITE.Enum()
-	}
-	if err := Call(c, "datastore_v3", "BeginTransaction", req, &t.transaction); err != nil {
-		return nil, err
-	}
-
-	// Call f, rolling back the transaction if f returns a non-nil error, or panics.
-	// The panic is not recovered.
-	defer func() {
-		if t.finished {
-			return
-		}
-		t.finished = true
-		// Ignore the error return value, since we are already returning a non-nil
-		// error (or we're panicking).
-		Call(c, "datastore_v3", "Rollback", &t.transaction, &basepb.VoidProto{})
-	}()
-	if err := f(withTransaction(c, t)); err != nil {
-		return &t.transaction, err
-	}
-	t.finished = true
-
-	// Commit the transaction.
-	res := &pb.CommitResponse{}
-	err := Call(c, "datastore_v3", "Commit", &t.transaction, res)
-	if ae, ok := err.(*APIError); ok {
-		/* TODO: restore this conditional
-		if appengine.IsDevAppServer() {
-		*/
-		// The Python Dev AppServer raises an ApplicationError with error code 2 (which is
-		// Error.CONCURRENT_TRANSACTION) and message "Concurrency exception.".
-		if ae.Code == int32(pb.Error_BAD_REQUEST) && ae.Detail == "ApplicationError: 2 Concurrency exception." {
-			return &t.transaction, ErrConcurrentTransaction
-		}
-		if ae.Code == int32(pb.Error_CONCURRENT_TRANSACTION) {
-			return &t.transaction, ErrConcurrentTransaction
-		}
-	}
-	return &t.transaction, err
-}
diff --git a/vendor/google.golang.org/appengine/internal/urlfetch/urlfetch_service.pb.go b/vendor/google.golang.org/appengine/internal/urlfetch/urlfetch_service.pb.go
deleted file mode 100644
index 5f727750a..000000000
--- a/vendor/google.golang.org/appengine/internal/urlfetch/urlfetch_service.pb.go
+++ /dev/null
@@ -1,527 +0,0 @@
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// source: google.golang.org/appengine/internal/urlfetch/urlfetch_service.proto
-
-package urlfetch
-
-import proto "github.com/golang/protobuf/proto"
-import fmt "fmt"
-import math "math"
-
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
-
-type URLFetchServiceError_ErrorCode int32
-
-const (
-	URLFetchServiceError_OK                       URLFetchServiceError_ErrorCode = 0
-	URLFetchServiceError_INVALID_URL              URLFetchServiceError_ErrorCode = 1
-	URLFetchServiceError_FETCH_ERROR              URLFetchServiceError_ErrorCode = 2
-	URLFetchServiceError_UNSPECIFIED_ERROR        URLFetchServiceError_ErrorCode = 3
-	URLFetchServiceError_RESPONSE_TOO_LARGE       URLFetchServiceError_ErrorCode = 4
-	URLFetchServiceError_DEADLINE_EXCEEDED        URLFetchServiceError_ErrorCode = 5
-	URLFetchServiceError_SSL_CERTIFICATE_ERROR    URLFetchServiceError_ErrorCode = 6
-	URLFetchServiceError_DNS_ERROR                URLFetchServiceError_ErrorCode = 7
-	URLFetchServiceError_CLOSED                   URLFetchServiceError_ErrorCode = 8
-	URLFetchServiceError_INTERNAL_TRANSIENT_ERROR URLFetchServiceError_ErrorCode = 9
-	URLFetchServiceError_TOO_MANY_REDIRECTS       URLFetchServiceError_ErrorCode = 10
-	URLFetchServiceError_MALFORMED_REPLY          URLFetchServiceError_ErrorCode = 11
-	URLFetchServiceError_CONNECTION_ERROR         URLFetchServiceError_ErrorCode = 12
-)
-
-var URLFetchServiceError_ErrorCode_name = map[int32]string{
-	0:  "OK",
-	1:  "INVALID_URL",
-	2:  "FETCH_ERROR",
-	3:  "UNSPECIFIED_ERROR",
-	4:  "RESPONSE_TOO_LARGE",
-	5:  "DEADLINE_EXCEEDED",
-	6:  "SSL_CERTIFICATE_ERROR",
-	7:  "DNS_ERROR",
-	8:  "CLOSED",
-	9:  "INTERNAL_TRANSIENT_ERROR",
-	10: "TOO_MANY_REDIRECTS",
-	11: "MALFORMED_REPLY",
-	12: "CONNECTION_ERROR",
-}
-var URLFetchServiceError_ErrorCode_value = map[string]int32{
-	"OK":                       0,
-	"INVALID_URL":              1,
-	"FETCH_ERROR":              2,
-	"UNSPECIFIED_ERROR":        3,
-	"RESPONSE_TOO_LARGE":       4,
-	"DEADLINE_EXCEEDED":        5,
-	"SSL_CERTIFICATE_ERROR":    6,
-	"DNS_ERROR":                7,
-	"CLOSED":                   8,
-	"INTERNAL_TRANSIENT_ERROR": 9,
-	"TOO_MANY_REDIRECTS":       10,
-	"MALFORMED_REPLY":          11,
-	"CONNECTION_ERROR":         12,
-}
-
-func (x URLFetchServiceError_ErrorCode) Enum() *URLFetchServiceError_ErrorCode {
-	p := new(URLFetchServiceError_ErrorCode)
-	*p = x
-	return p
-}
-func (x URLFetchServiceError_ErrorCode) String() string {
-	return proto.EnumName(URLFetchServiceError_ErrorCode_name, int32(x))
-}
-func (x *URLFetchServiceError_ErrorCode) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(URLFetchServiceError_ErrorCode_value, data, "URLFetchServiceError_ErrorCode")
-	if err != nil {
-		return err
-	}
-	*x = URLFetchServiceError_ErrorCode(value)
-	return nil
-}
-func (URLFetchServiceError_ErrorCode) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_urlfetch_service_b245a7065f33bced, []int{0, 0}
-}
-
-type URLFetchRequest_RequestMethod int32
-
-const (
-	URLFetchRequest_GET    URLFetchRequest_RequestMethod = 1
-	URLFetchRequest_POST   URLFetchRequest_RequestMethod = 2
-	URLFetchRequest_HEAD   URLFetchRequest_RequestMethod = 3
-	URLFetchRequest_PUT    URLFetchRequest_RequestMethod = 4
-	URLFetchRequest_DELETE URLFetchRequest_RequestMethod = 5
-	URLFetchRequest_PATCH  URLFetchRequest_RequestMethod = 6
-)
-
-var URLFetchRequest_RequestMethod_name = map[int32]string{
-	1: "GET",
-	2: "POST",
-	3: "HEAD",
-	4: "PUT",
-	5: "DELETE",
-	6: "PATCH",
-}
-var URLFetchRequest_RequestMethod_value = map[string]int32{
-	"GET":    1,
-	"POST":   2,
-	"HEAD":   3,
-	"PUT":    4,
-	"DELETE": 5,
-	"PATCH":  6,
-}
-
-func (x URLFetchRequest_RequestMethod) Enum() *URLFetchRequest_RequestMethod {
-	p := new(URLFetchRequest_RequestMethod)
-	*p = x
-	return p
-}
-func (x URLFetchRequest_RequestMethod) String() string {
-	return proto.EnumName(URLFetchRequest_RequestMethod_name, int32(x))
-}
-func (x *URLFetchRequest_RequestMethod) UnmarshalJSON(data []byte) error {
-	value, err := proto.UnmarshalJSONEnum(URLFetchRequest_RequestMethod_value, data, "URLFetchRequest_RequestMethod")
-	if err != nil {
-		return err
-	}
-	*x = URLFetchRequest_RequestMethod(value)
-	return nil
-}
-func (URLFetchRequest_RequestMethod) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_urlfetch_service_b245a7065f33bced, []int{1, 0}
-}
-
-type URLFetchServiceError struct {
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *URLFetchServiceError) Reset()         { *m = URLFetchServiceError{} }
-func (m *URLFetchServiceError) String() string { return proto.CompactTextString(m) }
-func (*URLFetchServiceError) ProtoMessage()    {}
-func (*URLFetchServiceError) Descriptor() ([]byte, []int) {
-	return fileDescriptor_urlfetch_service_b245a7065f33bced, []int{0}
-}
-func (m *URLFetchServiceError) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_URLFetchServiceError.Unmarshal(m, b)
-}
-func (m *URLFetchServiceError) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_URLFetchServiceError.Marshal(b, m, deterministic)
-}
-func (dst *URLFetchServiceError) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_URLFetchServiceError.Merge(dst, src)
-}
-func (m *URLFetchServiceError) XXX_Size() int {
-	return xxx_messageInfo_URLFetchServiceError.Size(m)
-}
-func (m *URLFetchServiceError) XXX_DiscardUnknown() {
-	xxx_messageInfo_URLFetchServiceError.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_URLFetchServiceError proto.InternalMessageInfo
-
-type URLFetchRequest struct {
-	Method                        *URLFetchRequest_RequestMethod `protobuf:"varint,1,req,name=Method,enum=appengine.URLFetchRequest_RequestMethod" json:"Method,omitempty"`
-	Url                           *string                        `protobuf:"bytes,2,req,name=Url" json:"Url,omitempty"`
-	Header                        []*URLFetchRequest_Header      `protobuf:"group,3,rep,name=Header,json=header" json:"header,omitempty"`
-	Payload                       []byte                         `protobuf:"bytes,6,opt,name=Payload" json:"Payload,omitempty"`
-	FollowRedirects               *bool                          `protobuf:"varint,7,opt,name=FollowRedirects,def=1" json:"FollowRedirects,omitempty"`
-	Deadline                      *float64                       `protobuf:"fixed64,8,opt,name=Deadline" json:"Deadline,omitempty"`
-	MustValidateServerCertificate *bool                          `protobuf:"varint,9,opt,name=MustValidateServerCertificate,def=1" json:"MustValidateServerCertificate,omitempty"`
-	XXX_NoUnkeyedLiteral          struct{}                       `json:"-"`
-	XXX_unrecognized              []byte                         `json:"-"`
-	XXX_sizecache                 int32                          `json:"-"`
-}
-
-func (m *URLFetchRequest) Reset()         { *m = URLFetchRequest{} }
-func (m *URLFetchRequest) String() string { return proto.CompactTextString(m) }
-func (*URLFetchRequest) ProtoMessage()    {}
-func (*URLFetchRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_urlfetch_service_b245a7065f33bced, []int{1}
-}
-func (m *URLFetchRequest) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_URLFetchRequest.Unmarshal(m, b)
-}
-func (m *URLFetchRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_URLFetchRequest.Marshal(b, m, deterministic)
-}
-func (dst *URLFetchRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_URLFetchRequest.Merge(dst, src)
-}
-func (m *URLFetchRequest) XXX_Size() int {
-	return xxx_messageInfo_URLFetchRequest.Size(m)
-}
-func (m *URLFetchRequest) XXX_DiscardUnknown() {
-	xxx_messageInfo_URLFetchRequest.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_URLFetchRequest proto.InternalMessageInfo
-
-const Default_URLFetchRequest_FollowRedirects bool = true
-const Default_URLFetchRequest_MustValidateServerCertificate bool = true
-
-func (m *URLFetchRequest) GetMethod() URLFetchRequest_RequestMethod {
-	if m != nil && m.Method != nil {
-		return *m.Method
-	}
-	return URLFetchRequest_GET
-}
-
-func (m *URLFetchRequest) GetUrl() string {
-	if m != nil && m.Url != nil {
-		return *m.Url
-	}
-	return ""
-}
-
-func (m *URLFetchRequest) GetHeader() []*URLFetchRequest_Header {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *URLFetchRequest) GetPayload() []byte {
-	if m != nil {
-		return m.Payload
-	}
-	return nil
-}
-
-func (m *URLFetchRequest) GetFollowRedirects() bool {
-	if m != nil && m.FollowRedirects != nil {
-		return *m.FollowRedirects
-	}
-	return Default_URLFetchRequest_FollowRedirects
-}
-
-func (m *URLFetchRequest) GetDeadline() float64 {
-	if m != nil && m.Deadline != nil {
-		return *m.Deadline
-	}
-	return 0
-}
-
-func (m *URLFetchRequest) GetMustValidateServerCertificate() bool {
-	if m != nil && m.MustValidateServerCertificate != nil {
-		return *m.MustValidateServerCertificate
-	}
-	return Default_URLFetchRequest_MustValidateServerCertificate
-}
-
-type URLFetchRequest_Header struct {
-	Key                  *string  `protobuf:"bytes,4,req,name=Key" json:"Key,omitempty"`
-	Value                *string  `protobuf:"bytes,5,req,name=Value" json:"Value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *URLFetchRequest_Header) Reset()         { *m = URLFetchRequest_Header{} }
-func (m *URLFetchRequest_Header) String() string { return proto.CompactTextString(m) }
-func (*URLFetchRequest_Header) ProtoMessage()    {}
-func (*URLFetchRequest_Header) Descriptor() ([]byte, []int) {
-	return fileDescriptor_urlfetch_service_b245a7065f33bced, []int{1, 0}
-}
-func (m *URLFetchRequest_Header) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_URLFetchRequest_Header.Unmarshal(m, b)
-}
-func (m *URLFetchRequest_Header) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_URLFetchRequest_Header.Marshal(b, m, deterministic)
-}
-func (dst *URLFetchRequest_Header) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_URLFetchRequest_Header.Merge(dst, src)
-}
-func (m *URLFetchRequest_Header) XXX_Size() int {
-	return xxx_messageInfo_URLFetchRequest_Header.Size(m)
-}
-func (m *URLFetchRequest_Header) XXX_DiscardUnknown() {
-	xxx_messageInfo_URLFetchRequest_Header.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_URLFetchRequest_Header proto.InternalMessageInfo
-
-func (m *URLFetchRequest_Header) GetKey() string {
-	if m != nil && m.Key != nil {
-		return *m.Key
-	}
-	return ""
-}
-
-func (m *URLFetchRequest_Header) GetValue() string {
-	if m != nil && m.Value != nil {
-		return *m.Value
-	}
-	return ""
-}
-
-type URLFetchResponse struct {
-	Content               []byte                     `protobuf:"bytes,1,opt,name=Content" json:"Content,omitempty"`
-	StatusCode            *int32                     `protobuf:"varint,2,req,name=StatusCode" json:"StatusCode,omitempty"`
-	Header                []*URLFetchResponse_Header `protobuf:"group,3,rep,name=Header,json=header" json:"header,omitempty"`
-	ContentWasTruncated   *bool                      `protobuf:"varint,6,opt,name=ContentWasTruncated,def=0" json:"ContentWasTruncated,omitempty"`
-	ExternalBytesSent     *int64                     `protobuf:"varint,7,opt,name=ExternalBytesSent" json:"ExternalBytesSent,omitempty"`
-	ExternalBytesReceived *int64                     `protobuf:"varint,8,opt,name=ExternalBytesReceived" json:"ExternalBytesReceived,omitempty"`
-	FinalUrl              *string                    `protobuf:"bytes,9,opt,name=FinalUrl" json:"FinalUrl,omitempty"`
-	ApiCpuMilliseconds    *int64                     `protobuf:"varint,10,opt,name=ApiCpuMilliseconds,def=0" json:"ApiCpuMilliseconds,omitempty"`
-	ApiBytesSent          *int64                     `protobuf:"varint,11,opt,name=ApiBytesSent,def=0" json:"ApiBytesSent,omitempty"`
-	ApiBytesReceived      *int64                     `protobuf:"varint,12,opt,name=ApiBytesReceived,def=0" json:"ApiBytesReceived,omitempty"`
-	XXX_NoUnkeyedLiteral  struct{}                   `json:"-"`
-	XXX_unrecognized      []byte                     `json:"-"`
-	XXX_sizecache         int32                      `json:"-"`
-}
-
-func (m *URLFetchResponse) Reset()         { *m = URLFetchResponse{} }
-func (m *URLFetchResponse) String() string { return proto.CompactTextString(m) }
-func (*URLFetchResponse) ProtoMessage()    {}
-func (*URLFetchResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_urlfetch_service_b245a7065f33bced, []int{2}
-}
-func (m *URLFetchResponse) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_URLFetchResponse.Unmarshal(m, b)
-}
-func (m *URLFetchResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_URLFetchResponse.Marshal(b, m, deterministic)
-}
-func (dst *URLFetchResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_URLFetchResponse.Merge(dst, src)
-}
-func (m *URLFetchResponse) XXX_Size() int {
-	return xxx_messageInfo_URLFetchResponse.Size(m)
-}
-func (m *URLFetchResponse) XXX_DiscardUnknown() {
-	xxx_messageInfo_URLFetchResponse.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_URLFetchResponse proto.InternalMessageInfo
-
-const Default_URLFetchResponse_ContentWasTruncated bool = false
-const Default_URLFetchResponse_ApiCpuMilliseconds int64 = 0
-const Default_URLFetchResponse_ApiBytesSent int64 = 0
-const Default_URLFetchResponse_ApiBytesReceived int64 = 0
-
-func (m *URLFetchResponse) GetContent() []byte {
-	if m != nil {
-		return m.Content
-	}
-	return nil
-}
-
-func (m *URLFetchResponse) GetStatusCode() int32 {
-	if m != nil && m.StatusCode != nil {
-		return *m.StatusCode
-	}
-	return 0
-}
-
-func (m *URLFetchResponse) GetHeader() []*URLFetchResponse_Header {
-	if m != nil {
-		return m.Header
-	}
-	return nil
-}
-
-func (m *URLFetchResponse) GetContentWasTruncated() bool {
-	if m != nil && m.ContentWasTruncated != nil {
-		return *m.ContentWasTruncated
-	}
-	return Default_URLFetchResponse_ContentWasTruncated
-}
-
-func (m *URLFetchResponse) GetExternalBytesSent() int64 {
-	if m != nil && m.ExternalBytesSent != nil {
-		return *m.ExternalBytesSent
-	}
-	return 0
-}
-
-func (m *URLFetchResponse) GetExternalBytesReceived() int64 {
-	if m != nil && m.ExternalBytesReceived != nil {
-		return *m.ExternalBytesReceived
-	}
-	return 0
-}
-
-func (m *URLFetchResponse) GetFinalUrl() string {
-	if m != nil && m.FinalUrl != nil {
-		return *m.FinalUrl
-	}
-	return ""
-}
-
-func (m *URLFetchResponse) GetApiCpuMilliseconds() int64 {
-	if m != nil && m.ApiCpuMilliseconds != nil {
-		return *m.ApiCpuMilliseconds
-	}
-	return Default_URLFetchResponse_ApiCpuMilliseconds
-}
-
-func (m *URLFetchResponse) GetApiBytesSent() int64 {
-	if m != nil && m.ApiBytesSent != nil {
-		return *m.ApiBytesSent
-	}
-	return Default_URLFetchResponse_ApiBytesSent
-}
-
-func (m *URLFetchResponse) GetApiBytesReceived() int64 {
-	if m != nil && m.ApiBytesReceived != nil {
-		return *m.ApiBytesReceived
-	}
-	return Default_URLFetchResponse_ApiBytesReceived
-}
-
-type URLFetchResponse_Header struct {
-	Key                  *string  `protobuf:"bytes,4,req,name=Key" json:"Key,omitempty"`
-	Value                *string  `protobuf:"bytes,5,req,name=Value" json:"Value,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
-}
-
-func (m *URLFetchResponse_Header) Reset()         { *m = URLFetchResponse_Header{} }
-func (m *URLFetchResponse_Header) String() string { return proto.CompactTextString(m) }
-func (*URLFetchResponse_Header) ProtoMessage()    {}
-func (*URLFetchResponse_Header) Descriptor() ([]byte, []int) {
-	return fileDescriptor_urlfetch_service_b245a7065f33bced, []int{2, 0}
-}
-func (m *URLFetchResponse_Header) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_URLFetchResponse_Header.Unmarshal(m, b)
-}
-func (m *URLFetchResponse_Header) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_URLFetchResponse_Header.Marshal(b, m, deterministic)
-}
-func (dst *URLFetchResponse_Header) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_URLFetchResponse_Header.Merge(dst, src)
-}
-func (m *URLFetchResponse_Header) XXX_Size() int {
-	return xxx_messageInfo_URLFetchResponse_Header.Size(m)
-}
-func (m *URLFetchResponse_Header) XXX_DiscardUnknown() {
-	xxx_messageInfo_URLFetchResponse_Header.DiscardUnknown(m)
-}
-
-var xxx_messageInfo_URLFetchResponse_Header proto.InternalMessageInfo
-
-func (m *URLFetchResponse_Header) GetKey() string {
-	if m != nil && m.Key != nil {
-		return *m.Key
-	}
-	return ""
-}
-
-func (m *URLFetchResponse_Header) GetValue() string {
-	if m != nil && m.Value != nil {
-		return *m.Value
-	}
-	return ""
-}
-
-func init() {
-	proto.RegisterType((*URLFetchServiceError)(nil), "appengine.URLFetchServiceError")
-	proto.RegisterType((*URLFetchRequest)(nil), "appengine.URLFetchRequest")
-	proto.RegisterType((*URLFetchRequest_Header)(nil), "appengine.URLFetchRequest.Header")
-	proto.RegisterType((*URLFetchResponse)(nil), "appengine.URLFetchResponse")
-	proto.RegisterType((*URLFetchResponse_Header)(nil), "appengine.URLFetchResponse.Header")
-}
-
-func init() {
-	proto.RegisterFile("google.golang.org/appengine/internal/urlfetch/urlfetch_service.proto", fileDescriptor_urlfetch_service_b245a7065f33bced)
-}
-
-var fileDescriptor_urlfetch_service_b245a7065f33bced = []byte{
-	// 770 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x54, 0xdd, 0x6e, 0xe3, 0x54,
-	0x10, 0xc6, 0x76, 0x7e, 0xa7, 0x5d, 0x7a, 0x76, 0xb6, 0x45, 0x66, 0xb5, 0xa0, 0x10, 0x09, 0x29,
-	0x17, 0x90, 0x2e, 0x2b, 0x24, 0x44, 0xaf, 0x70, 0xed, 0x93, 0xad, 0xa9, 0x63, 0x47, 0xc7, 0x4e,
-	0x61, 0xb9, 0xb1, 0xac, 0x78, 0x9a, 0x5a, 0xb2, 0xec, 0x60, 0x9f, 0x2c, 0xf4, 0x35, 0x78, 0x0d,
-	0xde, 0x87, 0xa7, 0xe1, 0x02, 0x9d, 0xc4, 0xc9, 0x6e, 0xbb, 0xd1, 0x4a, 0x5c, 0x65, 0xe6, 0x9b,
-	0xef, 0xcc, 0x99, 0x7c, 0xdf, 0xf8, 0x80, 0xb3, 0x2c, 0xcb, 0x65, 0x4e, 0xe3, 0x65, 0x99, 0x27,
-	0xc5, 0x72, 0x5c, 0x56, 0xcb, 0xf3, 0x64, 0xb5, 0xa2, 0x62, 0x99, 0x15, 0x74, 0x9e, 0x15, 0x92,
-	0xaa, 0x22, 0xc9, 0xcf, 0xd7, 0x55, 0x7e, 0x4b, 0x72, 0x71, 0xb7, 0x0f, 0xe2, 0x9a, 0xaa, 0xb7,
-	0xd9, 0x82, 0xc6, 0xab, 0xaa, 0x94, 0x25, 0xf6, 0xf7, 0x67, 0x86, 0x7f, 0xeb, 0x70, 0x3a, 0x17,
-	0xde, 0x44, 0xb1, 0xc2, 0x2d, 0x89, 0x57, 0x55, 0x59, 0x0d, 0xff, 0xd2, 0xa1, 0xbf, 0x89, 0xec,
-	0x32, 0x25, 0xec, 0x80, 0x1e, 0x5c, 0xb3, 0x4f, 0xf0, 0x04, 0x8e, 0x5c, 0xff, 0xc6, 0xf2, 0x5c,
-	0x27, 0x9e, 0x0b, 0x8f, 0x69, 0x0a, 0x98, 0xf0, 0xc8, 0xbe, 0x8a, 0xb9, 0x10, 0x81, 0x60, 0x3a,
-	0x9e, 0xc1, 0xd3, 0xb9, 0x1f, 0xce, 0xb8, 0xed, 0x4e, 0x5c, 0xee, 0x34, 0xb0, 0x81, 0x9f, 0x01,
-	0x0a, 0x1e, 0xce, 0x02, 0x3f, 0xe4, 0x71, 0x14, 0x04, 0xb1, 0x67, 0x89, 0xd7, 0x9c, 0xb5, 0x14,
-	0xdd, 0xe1, 0x96, 0xe3, 0xb9, 0x3e, 0x8f, 0xf9, 0xaf, 0x36, 0xe7, 0x0e, 0x77, 0x58, 0x1b, 0x3f,
-	0x87, 0xb3, 0x30, 0xf4, 0x62, 0x9b, 0x8b, 0xc8, 0x9d, 0xb8, 0xb6, 0x15, 0xf1, 0xa6, 0x53, 0x07,
-	0x9f, 0x40, 0xdf, 0xf1, 0xc3, 0x26, 0xed, 0x22, 0x40, 0xc7, 0xf6, 0x82, 0x90, 0x3b, 0xac, 0x87,
-	0x2f, 0xc0, 0x74, 0xfd, 0x88, 0x0b, 0xdf, 0xf2, 0xe2, 0x48, 0x58, 0x7e, 0xe8, 0x72, 0x3f, 0x6a,
-	0x98, 0x7d, 0x35, 0x82, 0xba, 0x79, 0x6a, 0xf9, 0x6f, 0x62, 0xc1, 0x1d, 0x57, 0x70, 0x3b, 0x0a,
-	0x19, 0xe0, 0x33, 0x38, 0x99, 0x5a, 0xde, 0x24, 0x10, 0x53, 0xee, 0xc4, 0x82, 0xcf, 0xbc, 0x37,
-	0xec, 0x08, 0x4f, 0x81, 0xd9, 0x81, 0xef, 0x73, 0x3b, 0x72, 0x03, 0xbf, 0x69, 0x71, 0x3c, 0xfc,
-	0xc7, 0x80, 0x93, 0x9d, 0x5a, 0x82, 0x7e, 0x5f, 0x53, 0x2d, 0xf1, 0x27, 0xe8, 0x4c, 0x49, 0xde,
-	0x95, 0xa9, 0xa9, 0x0d, 0xf4, 0xd1, 0xa7, 0xaf, 0x46, 0xe3, 0xbd, 0xba, 0xe3, 0x47, 0xdc, 0x71,
-	0xf3, 0xbb, 0xe5, 0x8b, 0xe6, 0x1c, 0x32, 0x30, 0xe6, 0x55, 0x6e, 0xea, 0x03, 0x7d, 0xd4, 0x17,
-	0x2a, 0xc4, 0x1f, 0xa1, 0x73, 0x47, 0x49, 0x4a, 0x95, 0x69, 0x0c, 0x8c, 0x11, 0xbc, 0xfa, 0xea,
-	0x23, 0x3d, 0xaf, 0x36, 0x44, 0xd1, 0x1c, 0xc0, 0x17, 0xd0, 0x9d, 0x25, 0xf7, 0x79, 0x99, 0xa4,
-	0x66, 0x67, 0xa0, 0x8d, 0x8e, 0x2f, 0xf5, 0x9e, 0x26, 0x76, 0x10, 0x8e, 0xe1, 0x64, 0x52, 0xe6,
-	0x79, 0xf9, 0x87, 0xa0, 0x34, 0xab, 0x68, 0x21, 0x6b, 0xb3, 0x3b, 0xd0, 0x46, 0xbd, 0x8b, 0x96,
-	0xac, 0xd6, 0x24, 0x1e, 0x17, 0xf1, 0x39, 0xf4, 0x1c, 0x4a, 0xd2, 0x3c, 0x2b, 0xc8, 0xec, 0x0d,
-	0xb4, 0x91, 0x26, 0xf6, 0x39, 0xfe, 0x0c, 0x5f, 0x4c, 0xd7, 0xb5, 0xbc, 0x49, 0xf2, 0x2c, 0x4d,
-	0x24, 0xa9, 0xed, 0xa1, 0xca, 0xa6, 0x4a, 0x66, 0xb7, 0xd9, 0x22, 0x91, 0x64, 0xf6, 0xdf, 0xeb,
-	0xfc, 0x71, 0xea, 0xf3, 0x97, 0xd0, 0xd9, 0xfe, 0x0f, 0x25, 0xc6, 0x35, 0xdd, 0x9b, 0xad, 0xad,
-	0x18, 0xd7, 0x74, 0x8f, 0xa7, 0xd0, 0xbe, 0x49, 0xf2, 0x35, 0x99, 0xed, 0x0d, 0xb6, 0x4d, 0x86,
-	0x1e, 0x3c, 0x79, 0xa0, 0x26, 0x76, 0xc1, 0x78, 0xcd, 0x23, 0xa6, 0x61, 0x0f, 0x5a, 0xb3, 0x20,
-	0x8c, 0x98, 0xae, 0xa2, 0x2b, 0x6e, 0x39, 0xcc, 0x50, 0xc5, 0xd9, 0x3c, 0x62, 0x2d, 0xb5, 0x2e,
-	0x0e, 0xf7, 0x78, 0xc4, 0x59, 0x1b, 0xfb, 0xd0, 0x9e, 0x59, 0x91, 0x7d, 0xc5, 0x3a, 0xc3, 0x7f,
-	0x0d, 0x60, 0xef, 0x84, 0xad, 0x57, 0x65, 0x51, 0x13, 0x9a, 0xd0, 0xb5, 0xcb, 0x42, 0x52, 0x21,
-	0x4d, 0x4d, 0x49, 0x29, 0x76, 0x29, 0x7e, 0x09, 0x10, 0xca, 0x44, 0xae, 0x6b, 0xf5, 0x71, 0x6c,
-	0x8c, 0x6b, 0x8b, 0xf7, 0x10, 0xbc, 0x78, 0xe4, 0xdf, 0xf0, 0xa0, 0x7f, 0xdb, 0x6b, 0x1e, 0x1b,
-	0xf8, 0x03, 0x3c, 0x6b, 0xae, 0xf9, 0x25, 0xa9, 0xa3, 0x6a, 0x5d, 0x28, 0x81, 0xb6, 0x66, 0xf6,
-	0x2e, 0xda, 0xb7, 0x49, 0x5e, 0x93, 0x38, 0xc4, 0xc0, 0x6f, 0xe0, 0x29, 0xff, 0x73, 0xfb, 0x02,
-	0x5c, 0xde, 0x4b, 0xaa, 0x43, 0x35, 0xb8, 0x72, 0xd7, 0x10, 0x1f, 0x16, 0xf0, 0x7b, 0x38, 0x7b,
-	0x00, 0x0a, 0x5a, 0x50, 0xf6, 0x96, 0xd2, 0x8d, 0xcd, 0x86, 0x38, 0x5c, 0x54, 0xfb, 0x30, 0xc9,
-	0x8a, 0x24, 0x57, 0xfb, 0xaa, 0xec, 0xed, 0x8b, 0x7d, 0x8e, 0xdf, 0x01, 0x5a, 0xab, 0xcc, 0x5e,
-	0xad, 0xa7, 0x59, 0x9e, 0x67, 0x35, 0x2d, 0xca, 0x22, 0xad, 0x4d, 0x50, 0xed, 0x2e, 0xb4, 0x97,
-	0xe2, 0x40, 0x11, 0xbf, 0x86, 0x63, 0x6b, 0x95, 0xbd, 0x9b, 0xf6, 0x68, 0x47, 0x7e, 0x00, 0xe3,
-	0xb7, 0xc0, 0x76, 0xf9, 0x7e, 0xcc, 0xe3, 0x1d, 0xf5, 0x83, 0xd2, 0xff, 0x5f, 0xa6, 0x4b, 0xf8,
-	0xad, 0xb7, 0x7b, 0x2a, 0xff, 0x0b, 0x00, 0x00, 0xff, 0xff, 0x1d, 0x9f, 0x6d, 0x24, 0x63, 0x05,
-	0x00, 0x00,
-}
diff --git a/vendor/google.golang.org/appengine/internal/urlfetch/urlfetch_service.proto b/vendor/google.golang.org/appengine/internal/urlfetch/urlfetch_service.proto
deleted file mode 100644
index f695edf6a..000000000
--- a/vendor/google.golang.org/appengine/internal/urlfetch/urlfetch_service.proto
+++ /dev/null
@@ -1,64 +0,0 @@
-syntax = "proto2";
-option go_package = "urlfetch";
-
-package appengine;
-
-message URLFetchServiceError {
-  enum ErrorCode {
-    OK = 0;
-    INVALID_URL = 1;
-    FETCH_ERROR = 2;
-    UNSPECIFIED_ERROR = 3;
-    RESPONSE_TOO_LARGE = 4;
-    DEADLINE_EXCEEDED = 5;
-    SSL_CERTIFICATE_ERROR = 6;
-    DNS_ERROR = 7;
-    CLOSED = 8;
-    INTERNAL_TRANSIENT_ERROR = 9;
-    TOO_MANY_REDIRECTS = 10;
-    MALFORMED_REPLY = 11;
-    CONNECTION_ERROR = 12;
-  }
-}
-
-message URLFetchRequest {
-  enum RequestMethod {
-    GET = 1;
-    POST = 2;
-    HEAD = 3;
-    PUT = 4;
-    DELETE = 5;
-    PATCH = 6;
-  }
-  required RequestMethod Method = 1;
-  required string Url = 2;
-  repeated group Header = 3 {
-    required string Key = 4;
-    required string Value = 5;
-  }
-  optional bytes Payload = 6 [ctype=CORD];
-
-  optional bool FollowRedirects = 7 [default=true];
-
-  optional double Deadline = 8;
-
-  optional bool MustValidateServerCertificate = 9 [default=true];
-}
-
-message URLFetchResponse {
-  optional bytes Content = 1;
-  required int32 StatusCode = 2;
-  repeated group Header = 3 {
-    required string Key = 4;
-    required string Value = 5;
-  }
-  optional bool ContentWasTruncated = 6 [default=false];
-  optional int64 ExternalBytesSent = 7;
-  optional int64 ExternalBytesReceived = 8;
-
-  optional string FinalUrl = 9;
-
-  optional int64 ApiCpuMilliseconds = 10 [default=0];
-  optional int64 ApiBytesSent = 11 [default=0];
-  optional int64 ApiBytesReceived = 12 [default=0];
-}
diff --git a/vendor/google.golang.org/appengine/urlfetch/urlfetch.go b/vendor/google.golang.org/appengine/urlfetch/urlfetch.go
deleted file mode 100644
index 6c0d72418..000000000
--- a/vendor/google.golang.org/appengine/urlfetch/urlfetch.go
+++ /dev/null
@@ -1,209 +0,0 @@
-// Copyright 2011 Google Inc. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-// Package urlfetch provides an http.RoundTripper implementation
-// for fetching URLs via App Engine's urlfetch service.
-package urlfetch // import "google.golang.org/appengine/urlfetch"
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-	"net/url"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/golang/protobuf/proto"
-
-	"google.golang.org/appengine/internal"
-	pb "google.golang.org/appengine/internal/urlfetch"
-)
-
-// Transport is an implementation of http.RoundTripper for
-// App Engine. Users should generally create an http.Client using
-// this transport and use the Client rather than using this transport
-// directly.
-type Transport struct {
-	Context context.Context
-
-	// Controls whether the application checks the validity of SSL certificates
-	// over HTTPS connections. A value of false (the default) instructs the
-	// application to send a request to the server only if the certificate is
-	// valid and signed by a trusted certificate authority (CA), and also
-	// includes a hostname that matches the certificate. A value of true
-	// instructs the application to perform no certificate validation.
-	AllowInvalidServerCertificate bool
-}
-
-// Verify statically that *Transport implements http.RoundTripper.
-var _ http.RoundTripper = (*Transport)(nil)
-
-// Client returns an *http.Client using a default urlfetch Transport. This
-// client will check the validity of SSL certificates.
-//
-// Any deadline of the provided context will be used for requests through this client.
-// If the client does not have a deadline, then an App Engine default of 60 second is used.
-func Client(ctx context.Context) *http.Client {
-	return &http.Client{
-		Transport: &Transport{
-			Context: ctx,
-		},
-	}
-}
-
-type bodyReader struct {
-	content   []byte
-	truncated bool
-	closed    bool
-}
-
-// ErrTruncatedBody is the error returned after the final Read() from a
-// response's Body if the body has been truncated by App Engine's proxy.
-var ErrTruncatedBody = errors.New("urlfetch: truncated body")
-
-func statusCodeToText(code int) string {
-	if t := http.StatusText(code); t != "" {
-		return t
-	}
-	return strconv.Itoa(code)
-}
-
-func (br *bodyReader) Read(p []byte) (n int, err error) {
-	if br.closed {
-		if br.truncated {
-			return 0, ErrTruncatedBody
-		}
-		return 0, io.EOF
-	}
-	n = copy(p, br.content)
-	if n > 0 {
-		br.content = br.content[n:]
-		return
-	}
-	if br.truncated {
-		br.closed = true
-		return 0, ErrTruncatedBody
-	}
-	return 0, io.EOF
-}
-
-func (br *bodyReader) Close() error {
-	br.closed = true
-	br.content = nil
-	return nil
-}
-
-// A map of the URL Fetch-accepted methods that take a request body.
-var methodAcceptsRequestBody = map[string]bool{
-	"POST":  true,
-	"PUT":   true,
-	"PATCH": true,
-}
-
-// urlString returns a valid string given a URL. This function is necessary because
-// the String method of URL doesn't correctly handle URLs with non-empty Opaque values.
-// See http://code.google.com/p/go/issues/detail?id=4860.
-func urlString(u *url.URL) string {
-	if u.Opaque == "" || strings.HasPrefix(u.Opaque, "//") {
-		return u.String()
-	}
-	aux := *u
-	aux.Opaque = "//" + aux.Host + aux.Opaque
-	return aux.String()
-}
-
-// RoundTrip issues a single HTTP request and returns its response. Per the
-// http.RoundTripper interface, RoundTrip only returns an error if there
-// was an unsupported request or the URL Fetch proxy fails.
-// Note that HTTP response codes such as 5xx, 403, 404, etc are not
-// errors as far as the transport is concerned and will be returned
-// with err set to nil.
-func (t *Transport) RoundTrip(req *http.Request) (res *http.Response, err error) {
-	methNum, ok := pb.URLFetchRequest_RequestMethod_value[req.Method]
-	if !ok {
-		return nil, fmt.Errorf("urlfetch: unsupported HTTP method %q", req.Method)
-	}
-
-	method := pb.URLFetchRequest_RequestMethod(methNum)
-
-	freq := &pb.URLFetchRequest{
-		Method:                        &method,
-		Url:                           proto.String(urlString(req.URL)),
-		FollowRedirects:               proto.Bool(false), // http.Client's responsibility
-		MustValidateServerCertificate: proto.Bool(!t.AllowInvalidServerCertificate),
-	}
-	if deadline, ok := t.Context.Deadline(); ok {
-		freq.Deadline = proto.Float64(deadline.Sub(time.Now()).Seconds())
-	}
-
-	for k, vals := range req.Header {
-		for _, val := range vals {
-			freq.Header = append(freq.Header, &pb.URLFetchRequest_Header{
-				Key:   proto.String(k),
-				Value: proto.String(val),
-			})
-		}
-	}
-	if methodAcceptsRequestBody[req.Method] && req.Body != nil {
-		// Avoid a []byte copy if req.Body has a Bytes method.
-		switch b := req.Body.(type) {
-		case interface {
-			Bytes() []byte
-		}:
-			freq.Payload = b.Bytes()
-		default:
-			freq.Payload, err = ioutil.ReadAll(req.Body)
-			if err != nil {
-				return nil, err
-			}
-		}
-	}
-
-	fres := &pb.URLFetchResponse{}
-	if err := internal.Call(t.Context, "urlfetch", "Fetch", freq, fres); err != nil {
-		return nil, err
-	}
-
-	res = &http.Response{}
-	res.StatusCode = int(*fres.StatusCode)
-	res.Status = fmt.Sprintf("%d %s", res.StatusCode, statusCodeToText(res.StatusCode))
-	res.Header = make(http.Header)
-	res.Request = req
-
-	// Faked:
-	res.ProtoMajor = 1
-	res.ProtoMinor = 1
-	res.Proto = "HTTP/1.1"
-	res.Close = true
-
-	for _, h := range fres.Header {
-		hkey := http.CanonicalHeaderKey(*h.Key)
-		hval := *h.Value
-		if hkey == "Content-Length" {
-			// Will get filled in below for all but HEAD requests.
-			if req.Method == "HEAD" {
-				res.ContentLength, _ = strconv.ParseInt(hval, 10, 64)
-			}
-			continue
-		}
-		res.Header.Add(hkey, hval)
-	}
-
-	if req.Method != "HEAD" {
-		res.ContentLength = int64(len(fres.Content))
-	}
-
-	truncated := fres.GetContentWasTruncated()
-	res.Body = &bodyReader{content: fres.Content, truncated: truncated}
-	return
-}
-
-func init() {
-	internal.RegisterErrorCodeMap("urlfetch", pb.URLFetchServiceError_ErrorCode_name)
-	internal.RegisterTimeoutErrorCode("urlfetch", int32(pb.URLFetchServiceError_DEADLINE_EXCEEDED))
-}
diff --git a/vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go b/vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go
new file mode 100644
index 000000000..2ef36bbcf
--- /dev/null
+++ b/vendor/google.golang.org/protobuf/encoding/protodelim/protodelim.go
@@ -0,0 +1,160 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package protodelim marshals and unmarshals varint size-delimited messages.
+package protodelim
+
+import (
+	"bufio"
+	"encoding/binary"
+	"fmt"
+	"io"
+
+	"google.golang.org/protobuf/encoding/protowire"
+	"google.golang.org/protobuf/internal/errors"
+	"google.golang.org/protobuf/proto"
+)
+
+// MarshalOptions is a configurable varint size-delimited marshaler.
+type MarshalOptions struct{ proto.MarshalOptions }
+
+// MarshalTo writes a varint size-delimited wire-format message to w.
+// If w returns an error, MarshalTo returns it unchanged.
+func (o MarshalOptions) MarshalTo(w io.Writer, m proto.Message) (int, error) {
+	msgBytes, err := o.MarshalOptions.Marshal(m)
+	if err != nil {
+		return 0, err
+	}
+
+	sizeBytes := protowire.AppendVarint(nil, uint64(len(msgBytes)))
+	sizeWritten, err := w.Write(sizeBytes)
+	if err != nil {
+		return sizeWritten, err
+	}
+	msgWritten, err := w.Write(msgBytes)
+	if err != nil {
+		return sizeWritten + msgWritten, err
+	}
+	return sizeWritten + msgWritten, nil
+}
+
+// MarshalTo writes a varint size-delimited wire-format message to w
+// with the default options.
+//
+// See the documentation for [MarshalOptions.MarshalTo].
+func MarshalTo(w io.Writer, m proto.Message) (int, error) {
+	return MarshalOptions{}.MarshalTo(w, m)
+}
+
+// UnmarshalOptions is a configurable varint size-delimited unmarshaler.
+type UnmarshalOptions struct {
+	proto.UnmarshalOptions
+
+	// MaxSize is the maximum size in wire-format bytes of a single message.
+	// Unmarshaling a message larger than MaxSize will return an error.
+	// A zero MaxSize will default to 4 MiB.
+	// Setting MaxSize to -1 disables the limit.
+	MaxSize int64
+}
+
+const defaultMaxSize = 4 << 20 // 4 MiB, corresponds to the default gRPC max request/response size
+
+// SizeTooLargeError is an error that is returned when the unmarshaler encounters a message size
+// that is larger than its configured [UnmarshalOptions.MaxSize].
+type SizeTooLargeError struct {
+	// Size is the varint size of the message encountered
+	// that was larger than the provided MaxSize.
+	Size uint64
+
+	// MaxSize is the MaxSize limit configured in UnmarshalOptions, which Size exceeded.
+	MaxSize uint64
+}
+
+func (e *SizeTooLargeError) Error() string {
+	return fmt.Sprintf("message size %d exceeded unmarshaler's maximum configured size %d", e.Size, e.MaxSize)
+}
+
+// Reader is the interface expected by [UnmarshalFrom].
+// It is implemented by *[bufio.Reader].
+type Reader interface {
+	io.Reader
+	io.ByteReader
+}
+
+// UnmarshalFrom parses and consumes a varint size-delimited wire-format message
+// from r.
+// The provided message must be mutable (e.g., a non-nil pointer to a message).
+//
+// The error is [io.EOF] error only if no bytes are read.
+// If an EOF happens after reading some but not all the bytes,
+// UnmarshalFrom returns a non-io.EOF error.
+// In particular if r returns a non-io.EOF error, UnmarshalFrom returns it unchanged,
+// and if only a size is read with no subsequent message, [io.ErrUnexpectedEOF] is returned.
+func (o UnmarshalOptions) UnmarshalFrom(r Reader, m proto.Message) error {
+	var sizeArr [binary.MaxVarintLen64]byte
+	sizeBuf := sizeArr[:0]
+	for i := range sizeArr {
+		b, err := r.ReadByte()
+		if err != nil {
+			// Immediate EOF is unexpected.
+			if err == io.EOF && i != 0 {
+				break
+			}
+			return err
+		}
+		sizeBuf = append(sizeBuf, b)
+		if b < 0x80 {
+			break
+		}
+	}
+	size, n := protowire.ConsumeVarint(sizeBuf)
+	if n < 0 {
+		return protowire.ParseError(n)
+	}
+
+	maxSize := o.MaxSize
+	if maxSize == 0 {
+		maxSize = defaultMaxSize
+	}
+	if maxSize != -1 && size > uint64(maxSize) {
+		return errors.Wrap(&SizeTooLargeError{Size: size, MaxSize: uint64(maxSize)}, "")
+	}
+
+	var b []byte
+	var err error
+	if br, ok := r.(*bufio.Reader); ok {
+		// Use the []byte from the bufio.Reader instead of having to allocate one.
+		// This reduces CPU usage and allocated bytes.
+		b, err = br.Peek(int(size))
+		if err == nil {
+			defer br.Discard(int(size))
+		} else {
+			b = nil
+		}
+	}
+	if b == nil {
+		b = make([]byte, size)
+		_, err = io.ReadFull(r, b)
+	}
+
+	if err == io.EOF {
+		return io.ErrUnexpectedEOF
+	}
+	if err != nil {
+		return err
+	}
+	if err := o.Unmarshal(b, m); err != nil {
+		return err
+	}
+	return nil
+}
+
+// UnmarshalFrom parses and consumes a varint size-delimited wire-format message
+// from r with the default options.
+// The provided message must be mutable (e.g., a non-nil pointer to a message).
+//
+// See the documentation for [UnmarshalOptions.UnmarshalFrom].
+func UnmarshalFrom(r Reader, m proto.Message) error {
+	return UnmarshalOptions{}.UnmarshalFrom(r, m)
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b18c9c11d..a53f6ec95 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -20,7 +20,7 @@ github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime
 github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming
 github.com/Azure/azure-sdk-for-go/sdk/azcore/to
 github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing
-# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 ## explicit; go 1.18
 github.com/Azure/azure-sdk-for-go/sdk/azidentity
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal
@@ -62,7 +62,7 @@ github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/options
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/public
-# github.com/IBM/keyprotect-go-client v0.12.2
+# github.com/IBM/keyprotect-go-client v0.14.1
 ## explicit; go 1.15
 github.com/IBM/keyprotect-go-client
 github.com/IBM/keyprotect-go-client/iam
@@ -81,7 +81,7 @@ github.com/antlr/antlr4/runtime/Go/antlr/v4
 # github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
 ## explicit
 github.com/asaskevich/govalidator
-# github.com/aws/aws-sdk-go v1.53.14
+# github.com/aws/aws-sdk-go v1.54.6
 ## explicit; go 1.19
 github.com/aws/aws-sdk-go/aws
 github.com/aws/aws-sdk-go/aws/auth/bearer
@@ -126,7 +126,7 @@ github.com/aws/aws-sdk-go/service/sso/ssoiface
 github.com/aws/aws-sdk-go/service/ssooidc
 github.com/aws/aws-sdk-go/service/sts
 github.com/aws/aws-sdk-go/service/sts/stsiface
-# github.com/aws/aws-sdk-go-v2 v1.25.2
+# github.com/aws/aws-sdk-go-v2 v1.30.0
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/aws
 github.com/aws/aws-sdk-go-v2/aws/defaults
@@ -141,31 +141,33 @@ github.com/aws/aws-sdk-go-v2/aws/signer/v4
 github.com/aws/aws-sdk-go-v2/aws/transport/http
 github.com/aws/aws-sdk-go-v2/internal/auth
 github.com/aws/aws-sdk-go-v2/internal/auth/smithy
+github.com/aws/aws-sdk-go-v2/internal/context
 github.com/aws/aws-sdk-go-v2/internal/endpoints
 github.com/aws/aws-sdk-go-v2/internal/endpoints/awsrulesfn
+github.com/aws/aws-sdk-go-v2/internal/middleware
 github.com/aws/aws-sdk-go-v2/internal/rand
 github.com/aws/aws-sdk-go-v2/internal/sdk
 github.com/aws/aws-sdk-go-v2/internal/strings
 github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
 github.com/aws/aws-sdk-go-v2/internal/timeconv
-# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2
+# github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/internal/configsources
-# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2
+# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
-# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1
+# github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
-# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2
+# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
-# github.com/aws/aws-sdk-go-v2/service/sts v1.28.1
+# github.com/aws/aws-sdk-go-v2/service/sts v1.29.1
 ## explicit; go 1.20
 github.com/aws/aws-sdk-go-v2/service/sts
 github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints
 github.com/aws/aws-sdk-go-v2/service/sts/types
-# github.com/aws/smithy-go v1.20.1
+# github.com/aws/smithy-go v1.20.2
 ## explicit; go 1.20
 github.com/aws/smithy-go
 github.com/aws/smithy-go/auth
@@ -275,12 +277,12 @@ github.com/gemalto/kmip-go/ttlv
 # github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 ## explicit
 github.com/ghodss/yaml
-# github.com/go-jose/go-jose/v3 v3.0.3
-## explicit; go 1.12
-github.com/go-jose/go-jose/v3
-github.com/go-jose/go-jose/v3/cipher
-github.com/go-jose/go-jose/v3/json
-github.com/go-jose/go-jose/v3/jwt
+# github.com/go-jose/go-jose/v4 v4.0.1
+## explicit; go 1.21
+github.com/go-jose/go-jose/v4
+github.com/go-jose/go-jose/v4/cipher
+github.com/go-jose/go-jose/v4/json
+github.com/go-jose/go-jose/v4/jwt
 # github.com/go-logr/logr v1.4.1
 ## explicit; go 1.18
 github.com/go-logr/logr
@@ -298,9 +300,9 @@ github.com/go-openapi/jsonreference/internal
 # github.com/go-openapi/swag v0.22.3
 ## explicit; go 1.18
 github.com/go-openapi/swag
-# github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572
-## explicit; go 1.13
-github.com/go-task/slim-sprig
+# github.com/go-task/slim-sprig/v3 v3.0.0
+## explicit; go 1.20
+github.com/go-task/slim-sprig/v3
 # github.com/gogo/protobuf v1.3.2
 ## explicit; go 1.15
 github.com/gogo/protobuf/gogoproto
@@ -374,8 +376,8 @@ github.com/google/go-cmp/cmp/internal/value
 ## explicit; go 1.12
 github.com/google/gofuzz
 github.com/google/gofuzz/bytesource
-# github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
-## explicit; go 1.14
+# github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6
+## explicit; go 1.19
 github.com/google/pprof/profile
 # github.com/google/uuid v1.6.0
 ## explicit
@@ -429,8 +431,8 @@ github.com/hashicorp/hcl/hcl/token
 github.com/hashicorp/hcl/json/parser
 github.com/hashicorp/hcl/json/scanner
 github.com/hashicorp/hcl/json/token
-# github.com/hashicorp/vault/api v1.12.0
-## explicit; go 1.19
+# github.com/hashicorp/vault/api v1.14.0
+## explicit; go 1.21
 github.com/hashicorp/vault/api
 # github.com/hashicorp/vault/api/auth/approle v0.5.0
 ## explicit; go 1.16
@@ -453,8 +455,8 @@ github.com/josharian/intern
 # github.com/json-iterator/go v1.1.12
 ## explicit; go 1.12
 github.com/json-iterator/go
-# github.com/kubernetes-csi/csi-lib-utils v0.17.0
-## explicit; go 1.21
+# github.com/kubernetes-csi/csi-lib-utils v0.18.1
+## explicit; go 1.22.0
 github.com/kubernetes-csi/csi-lib-utils/connection
 github.com/kubernetes-csi/csi-lib-utils/metrics
 github.com/kubernetes-csi/csi-lib-utils/protosanitizer
@@ -485,9 +487,6 @@ github.com/mattn/go-colorable
 # github.com/mattn/go-isatty v0.0.20
 ## explicit; go 1.15
 github.com/mattn/go-isatty
-# github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0
-## explicit; go 1.19
-github.com/matttproud/golang_protobuf_extensions/v2/pbutil
 # github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
 ## explicit
 github.com/mgutz/ansi
@@ -516,7 +515,7 @@ github.com/munnerz/goautoneg
 # github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f
 ## explicit
 github.com/mxk/go-flowrate/flowrate
-# github.com/onsi/ginkgo/v2 v2.17.1
+# github.com/onsi/ginkgo/v2 v2.19.0
 ## explicit; go 1.20
 github.com/onsi/ginkgo/v2
 github.com/onsi/ginkgo/v2/config
@@ -538,7 +537,7 @@ github.com/onsi/ginkgo/v2/internal/parallel_support
 github.com/onsi/ginkgo/v2/internal/testingtproxy
 github.com/onsi/ginkgo/v2/reporters
 github.com/onsi/ginkgo/v2/types
-# github.com/onsi/gomega v1.32.0
+# github.com/onsi/gomega v1.33.1
 ## explicit; go 1.20
 github.com/onsi/gomega
 github.com/onsi/gomega/format
@@ -574,7 +573,7 @@ github.com/pkg/xattr
 # github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
 ## explicit
 github.com/pmezard/go-difflib/difflib
-# github.com/prometheus/client_golang v1.18.0
+# github.com/prometheus/client_golang v1.19.1 => github.com/prometheus/client_golang v1.18.0
 ## explicit; go 1.19
 github.com/prometheus/client_golang/prometheus
 github.com/prometheus/client_golang/prometheus/collectors
@@ -583,10 +582,10 @@ github.com/prometheus/client_golang/prometheus/promhttp
 github.com/prometheus/client_golang/prometheus/testutil
 github.com/prometheus/client_golang/prometheus/testutil/promlint
 github.com/prometheus/client_golang/prometheus/testutil/promlint/validations
-# github.com/prometheus/client_model v0.5.0
+# github.com/prometheus/client_model v0.6.1
 ## explicit; go 1.19
 github.com/prometheus/client_model/go
-# github.com/prometheus/common v0.45.0
+# github.com/prometheus/common v0.55.0 => github.com/prometheus/common v0.47.0
 ## explicit; go 1.20
 github.com/prometheus/common/expfmt
 github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg
@@ -750,7 +749,7 @@ golang.org/x/net/internal/timeseries
 golang.org/x/net/proxy
 golang.org/x/net/trace
 golang.org/x/net/websocket
-# golang.org/x/oauth2 v0.18.0
+# golang.org/x/oauth2 v0.19.0
 ## explicit; go 1.18
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
@@ -809,15 +808,6 @@ golang.org/x/tools/go/ast/inspector
 # gomodules.xyz/jsonpatch/v2 v2.4.0 => github.com/gomodules/jsonpatch/v2 v2.2.0
 ## explicit; go 1.12
 gomodules.xyz/jsonpatch/v2
-# google.golang.org/appengine v1.6.8
-## explicit; go 1.11
-google.golang.org/appengine/internal
-google.golang.org/appengine/internal/base
-google.golang.org/appengine/internal/datastore
-google.golang.org/appengine/internal/log
-google.golang.org/appengine/internal/remote_api
-google.golang.org/appengine/internal/urlfetch
-google.golang.org/appengine/urlfetch
 # google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de
 ## explicit; go 1.19
 # google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237
@@ -888,6 +878,7 @@ google.golang.org/grpc/status
 google.golang.org/grpc/tap
 # google.golang.org/protobuf v1.34.2
 ## explicit; go 1.20
+google.golang.org/protobuf/encoding/protodelim
 google.golang.org/protobuf/encoding/protojson
 google.golang.org/protobuf/encoding/prototext
 google.golang.org/protobuf/encoding/protowire
@@ -1805,6 +1796,8 @@ sigs.k8s.io/yaml/goyaml.v2
 # code.cloudfoundry.org/gofileutils => github.com/cloudfoundry/gofileutils v0.0.0-20170111115228-4d0c80011a0f
 # github.com/ceph/ceph-csi/api => ./api
 # github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
+# github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.18.0
+# github.com/prometheus/common => github.com/prometheus/common v0.47.0
 # gomodules.xyz/jsonpatch/v2 => github.com/gomodules/jsonpatch/v2 v2.2.0
 # k8s.io/api => k8s.io/api v0.30.2
 # k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.2