Callbacks service docs updated

2026-03-02 16:27:33 +01:00
parent 17e08ff26f
commit 2be76aa519
77 changed files with 803 additions and 764 deletions
--- a/api/edge/bff/interface/api/sresponse/callback.go
+++ b/api/edge/bff/interface/api/sresponse/callback.go
@@ -0,0 +1,33 @@
+package sresponse
+
+import (
+	"net/http"
+
+	"github.com/tech/sendico/pkg/api/http/response"
+	"github.com/tech/sendico/pkg/mlogger"
+	"github.com/tech/sendico/pkg/model"
+)
+
+type callbackWriteResponse struct {
+	AccessToken            TokenData        `json:"accessToken"`
+	Callbacks              []model.Callback `json:"callbacks"`
+	GeneratedSigningSecret string           `json:"generatedSigningSecret,omitempty"`
+}
+
+func Callback(
+	logger mlogger.Logger,
+	callback *model.Callback,
+	accessToken *TokenData,
+	generatedSecret string,
+	created bool,
+) http.HandlerFunc {
+	resp := callbackWriteResponse{
+		AccessToken:            *accessToken,
+		Callbacks:              []model.Callback{*callback},
+		GeneratedSigningSecret: generatedSecret,
+	}
+	if created {
+		return response.Created(logger, resp)
+	}
+	return response.Ok(logger, resp)
+}
--- a/api/edge/bff/internal/api/routers/tokens/tokens.go
+++ b/api/edge/bff/internal/api/routers/tokens/tokens.go
@@ -42,9 +42,7 @@ func PrepareRefreshToken(
 	}

 	token := &model.RefreshToken{
-		AccountBoundBase: model.AccountBoundBase{
-			AccountRef: account.GetID(),
-		},
+		AccountRef: account.GetID(),
 		ClientRefreshToken: model.ClientRefreshToken{
 			SessionIdentifier: *session,
 			RefreshToken:      refreshToken,
--- a/api/edge/bff/internal/server/callbacksimp/create.go
+++ b/api/edge/bff/internal/server/callbacksimp/create.go
@@ -0,0 +1,47 @@
+package callbacksimp
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+
+	"github.com/tech/sendico/pkg/api/http/response"
+	"github.com/tech/sendico/pkg/model"
+	"github.com/tech/sendico/server/interface/api/sresponse"
+	mutil "github.com/tech/sendico/server/internal/mutil/param"
+	"go.uber.org/zap"
+)
+
+func (a *CallbacksAPI) create(r *http.Request, account *model.Account, accessToken *sresponse.TokenData) http.HandlerFunc {
+	organizationRef, err := a.Oph.GetRef(r)
+	if err != nil {
+		a.Logger.Warn("Failed to parse organization reference", zap.Error(err), mutil.PLog(a.Oph, r))
+		return response.BadReference(a.Logger, a.Name(), a.Oph.Name(), a.Oph.GetID(r), err)
+	}
+
+	var callback model.Callback
+	if err := json.NewDecoder(r.Body).Decode(&callback); err != nil {
+		a.Logger.Warn("Failed to decode callback payload", zap.Error(err))
+		return response.BadPayload(a.Logger, a.Name(), err)
+	}
+
+	mutation, err := a.normalizeAndPrepare(r.Context(), &callback, organizationRef, "", true)
+	if err != nil {
+		return response.Auto(a.Logger, a.Name(), err)
+	}
+
+	if _, err := a.tf.CreateTransaction().Execute(r.Context(), func(ctx context.Context) (any, error) {
+		if err := a.DB.Create(ctx, *account.GetID(), organizationRef, &callback); err != nil {
+			return nil, err
+		}
+		if err := a.applySigningSecretMutation(ctx, *account.GetID(), *callback.GetID(), mutation); err != nil {
+			return nil, err
+		}
+		return nil, nil
+	}); err != nil {
+		a.Logger.Warn("Failed to create callback transaction", zap.Error(err))
+		return response.Auto(a.Logger, a.Name(), err)
+	}
+
+	return a.callbackResponse(&callback, accessToken, mutation.Generated, true)
+}
--- a/api/edge/bff/internal/server/callbacksimp/handlers.go
+++ b/api/edge/bff/internal/server/callbacksimp/handlers.go
@@ -2,7 +2,7 @@ package callbacksimp

 import (
 	"context"
-	"encoding/json"
+	"errors"
 	"net/http"
 	"net/url"
 	"strings"
@@ -16,68 +16,10 @@ import (
 	"go.uber.org/zap"
 )

-type callbackWriteResponse struct {
-	AccessToken            sresponse.TokenData `json:"accessToken"`
-	Callbacks              []model.Callback    `json:"callbacks"`
-	GeneratedSigningSecret string              `json:"generatedSigningSecret,omitempty"`
-}
-
-func (a *CallbacksAPI) create(r *http.Request, account *model.Account, accessToken *sresponse.TokenData) http.HandlerFunc {
-	organizationRef, err := a.Oph.GetRef(r)
-	if err != nil {
-		a.Logger.Warn("Failed to parse organization reference", zap.Error(err), mutil.PLog(a.Oph, r))
-		return response.BadReference(a.Logger, a.Name(), a.Oph.Name(), a.Oph.GetID(r), err)
-	}
-
-	var callback model.Callback
-	if err := json.NewDecoder(r.Body).Decode(&callback); err != nil {
-		a.Logger.Warn("Failed to decode callback payload", zap.Error(err))
-		return response.BadPayload(a.Logger, a.Name(), err)
-	}
-
-	generatedSecret, err := a.normalizeAndPrepare(r.Context(), &callback, organizationRef, true)
-	if err != nil {
-		return response.Auto(a.Logger, a.Name(), err)
-	}
-
-	if err := a.DB.Create(r.Context(), *account.GetID(), organizationRef, &callback); err != nil {
-		a.Logger.Warn("Failed to create callback", zap.Error(err))
-		return response.Auto(a.Logger, a.Name(), err)
-	}
-
-	return a.callbackResponse(&callback, accessToken, generatedSecret, true)
-}
-
-func (a *CallbacksAPI) update(r *http.Request, account *model.Account, accessToken *sresponse.TokenData) http.HandlerFunc {
-	var input model.Callback
-	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
-		a.Logger.Warn("Failed to decode callback payload", zap.Error(err))
-		return response.BadPayload(a.Logger, a.Name(), err)
-	}
-
-	callbackRef := *input.GetID()
-	if callbackRef.IsZero() {
-		return response.Auto(a.Logger, a.Name(), merrors.InvalidArgument("callback id is required", "id"))
-	}
-
-	var existing model.Callback
-	if err := a.db.Get(r.Context(), *account.GetID(), callbackRef, &existing); err != nil {
-		a.Logger.Warn("Failed to fetch callback before update", zap.Error(err))
-		return response.Auto(a.Logger, a.Name(), err)
-	}
-
-	mergeCallbackMutable(&existing, &input)
-	generatedSecret, err := a.normalizeAndPrepare(r.Context(), &existing, existing.OrganizationRef, true)
-	if err != nil {
-		return response.Auto(a.Logger, a.Name(), err)
-	}
-
-	if err := a.DB.Update(r.Context(), *account.GetID(), &existing); err != nil {
-		a.Logger.Warn("Failed to update callback", zap.Error(err))
-		return response.Auto(a.Logger, a.Name(), err)
-	}
-
-	return a.callbackResponse(&existing, accessToken, generatedSecret, false)
+type signingSecretMutation struct {
+	SetSecretRef string
+	Clear        bool
+	Generated    string
 }

 func (a *CallbacksAPI) rotateSecret(r *http.Request, account *model.Account, accessToken *sresponse.TokenData) http.HandlerFunc {
@@ -102,10 +44,8 @@ func (a *CallbacksAPI) rotateSecret(r *http.Request, account *model.Account, acc
 		a.Logger.Warn("Failed to rotate callback signing secret", zap.Error(err))
 		return response.Auto(a.Logger, a.Name(), err)
 	}
-	callback.RetryPolicy.SecretRef = secretRef
-
-	if err := a.DB.Update(r.Context(), *account.GetID(), &callback); err != nil {
-		a.Logger.Warn("Failed to persist rotated callback secret reference", zap.Error(err))
+	if err := a.db.SetSigningSecretRef(r.Context(), *account.GetID(), callbackRef, secretRef); err != nil {
+		a.Logger.Warn("Failed to persist rotated callback signing secret reference", zap.Error(err))
 		return response.Auto(a.Logger, a.Name(), err)
 	}

@@ -116,29 +56,25 @@ func (a *CallbacksAPI) normalizeAndPrepare(
 	ctx context.Context,
 	callback *model.Callback,
 	organizationRef bson.ObjectID,
+	existingSecretRef string,
 	allowSecretGeneration bool,
-) (string, error) {
+) (signingSecretMutation, error) {
 	if callback == nil {
-		return "", merrors.InvalidArgument("callback payload is required")
+		return signingSecretMutation{}, merrors.InvalidArgument("callback payload is required")
 	}
 	if organizationRef.IsZero() {
-		return "", merrors.InvalidArgument("organization reference is required", "organizationRef")
+		return signingSecretMutation{}, merrors.InvalidArgument("organization reference is required", "organizationRef")
 	}

-	callback.SetOrganizationRef(organizationRef)
 	callback.Name = strings.TrimSpace(callback.Name)
 	callback.Description = trimDescription(callback.Description)
-	callback.ClientID = strings.TrimSpace(callback.ClientID)
-	if callback.ClientID == "" {
-		callback.ClientID = organizationRef.Hex()
-	}

 	callback.URL = strings.TrimSpace(callback.URL)
 	if callback.URL == "" {
-		return "", merrors.InvalidArgument("url is required", "url")
+		return signingSecretMutation{}, merrors.InvalidArgument("url is required", "url")
 	}
 	if err := validateCallbackURL(callback.URL); err != nil {
-		return "", err
+		return signingSecretMutation{}, err
 	}
 	if callback.Name == "" {
 		callback.Name = callback.URL
@@ -146,15 +82,15 @@ func (a *CallbacksAPI) normalizeAndPrepare(

 	status, err := normalizeStatus(callback.Status, a.config.DefaultStatus)
 	if err != nil {
-		return "", err
+		return signingSecretMutation{}, err
 	}
 	callback.Status = status
 	callback.EventTypes = normalizeEventTypes(callback.EventTypes, a.config.DefaultEventTypes)

-	callback.RetryPolicy.MinDelayMS = defaultInt(callback.RetryPolicy.MinDelayMS, defaultRetryMinDelayMS)
-	callback.RetryPolicy.MaxDelayMS = defaultInt(callback.RetryPolicy.MaxDelayMS, defaultRetryMaxDelayMS)
-	if callback.RetryPolicy.MaxDelayMS < callback.RetryPolicy.MinDelayMS {
-		callback.RetryPolicy.MaxDelayMS = callback.RetryPolicy.MinDelayMS
+	callback.RetryPolicy.Backoff.MinDelayMS = defaultInt(callback.RetryPolicy.Backoff.MinDelayMS, defaultRetryMinDelayMS)
+	callback.RetryPolicy.Backoff.MaxDelayMS = defaultInt(callback.RetryPolicy.Backoff.MaxDelayMS, defaultRetryMaxDelayMS)
+	if callback.RetryPolicy.Backoff.MaxDelayMS < callback.RetryPolicy.Backoff.MinDelayMS {
+		callback.RetryPolicy.Backoff.MaxDelayMS = callback.RetryPolicy.Backoff.MinDelayMS
 	}
 	callback.RetryPolicy.MaxAttempts = defaultInt(callback.RetryPolicy.MaxAttempts, defaultRetryMaxAttempts)
 	callback.RetryPolicy.RequestTimeoutMS = defaultInt(callback.RetryPolicy.RequestTimeoutMS, defaultRetryRequestTimeoutMS)
@@ -162,36 +98,55 @@ func (a *CallbacksAPI) normalizeAndPrepare(

 	mode, err := normalizeSigningMode(callback.RetryPolicy.SigningMode)
 	if err != nil {
-		return "", err
+		return signingSecretMutation{}, err
 	}
 	callback.RetryPolicy.SigningMode = mode

-	callback.RetryPolicy.SecretRef = strings.TrimSpace(callback.RetryPolicy.SecretRef)
+	existingSecretRef = strings.TrimSpace(existingSecretRef)
 	switch callback.RetryPolicy.SigningMode {
 	case model.CallbackSigningModeNone:
-		callback.RetryPolicy.SecretRef = ""
-		return "", nil
+		return signingSecretMutation{Clear: existingSecretRef != ""}, nil
 	case model.CallbackSigningModeHMACSHA256:
-		if callback.RetryPolicy.SecretRef != "" {
-			return "", nil
+		if existingSecretRef != "" {
+			return signingSecretMutation{SetSecretRef: existingSecretRef}, nil
 		}
 		if !allowSecretGeneration {
-			return "", merrors.InvalidArgument("secretRef is required for hmac_sha256 callbacks", "retryPolicy.secretRef")
+			return signingSecretMutation{}, merrors.InvalidArgument("signing secret is required for hmac_sha256 callbacks", "retryPolicy.signingMode")
 		}
 		if callback.GetID().IsZero() {
 			callback.SetID(bson.NewObjectID())
 		}
 		secretRef, generatedSecret, err := a.secrets.Provision(ctx, organizationRef, *callback.GetID())
 		if err != nil {
-			return "", err
+			return signingSecretMutation{}, err
 		}
-		callback.RetryPolicy.SecretRef = secretRef
-		return generatedSecret, nil
+		return signingSecretMutation{SetSecretRef: secretRef, Generated: generatedSecret}, nil
 	default:
-		return "", merrors.InvalidArgument("unsupported signing mode", "retryPolicy.signingMode")
+		return signingSecretMutation{}, merrors.InvalidArgument("unsupported signing mode", "retryPolicy.signingMode")
 	}
 }

+func (a *CallbacksAPI) applySigningSecretMutation(
+	ctx context.Context,
+	accountRef,
+	callbackRef bson.ObjectID,
+	mutation signingSecretMutation,
+) error {
+	if callbackRef.IsZero() {
+		return merrors.InvalidArgument("callback reference is required", "callbackRef")
+	}
+	if strings.TrimSpace(mutation.SetSecretRef) != "" {
+		return a.db.SetSigningSecretRef(ctx, accountRef, callbackRef, mutation.SetSecretRef)
+	}
+	if mutation.Clear {
+		err := a.db.ClearSigningSecretRef(ctx, accountRef, callbackRef)
+		if err != nil && !errors.Is(err, merrors.ErrNoData) {
+			return err
+		}
+	}
+	return nil
+}
+
 func (a *CallbacksAPI) callbackResponse(
 	callback *model.Callback,
 	accessToken *sresponse.TokenData,
@@ -202,15 +157,7 @@ func (a *CallbacksAPI) callbackResponse(
 		return response.Internal(a.Logger, a.Name(), merrors.Internal("failed to build callback response"))
 	}

-	resp := callbackWriteResponse{
-		AccessToken:            *accessToken,
-		Callbacks:              []model.Callback{*callback},
-		GeneratedSigningSecret: generatedSecret,
-	}
-	if created {
-		return response.Created(a.Logger, resp)
-	}
-	return response.Ok(a.Logger, resp)
+	return sresponse.Callback(a.Logger, callback, accessToken, generatedSecret, created)
 }

 func normalizeStatus(raw, fallback model.CallbackStatus) (model.CallbackStatus, error) {
@@ -286,16 +233,17 @@ func normalizeHeaders(headers map[string]string) map[string]string {
 }

 func mergeCallbackMutable(dst, src *model.Callback) {
+	dst.OrganizationRef = src.OrganizationRef
 	dst.Describable = src.Describable
-	dst.ClientID = src.ClientID
 	dst.Status = src.Status
 	dst.URL = src.URL
 	dst.EventTypes = append([]string(nil), src.EventTypes...)
 	dst.RetryPolicy = model.CallbackRetryPolicy{
-		MinDelayMS:       src.RetryPolicy.MinDelayMS,
-		MaxDelayMS:       src.RetryPolicy.MaxDelayMS,
+		Backoff: model.CallbackBackoff{
+			MinDelayMS: src.RetryPolicy.Backoff.MinDelayMS,
+			MaxDelayMS: src.RetryPolicy.Backoff.MaxDelayMS,
+		},
 		SigningMode:      src.RetryPolicy.SigningMode,
-		SecretRef:        src.RetryPolicy.SecretRef,
 		Headers:          normalizeHeaders(src.RetryPolicy.Headers),
 		MaxAttempts:      src.RetryPolicy.MaxAttempts,
 		RequestTimeoutMS: src.RetryPolicy.RequestTimeoutMS,
--- a/api/edge/bff/internal/server/callbacksimp/secrets.go
+++ b/api/edge/bff/internal/server/callbacksimp/secrets.go
@@ -81,7 +81,7 @@ func newSigningSecretManager(logger mlogger.Logger, cfg callbacksConfig) (signin
 	}

 	if isVaultConfigEmpty(cfg.Vault) {
-		manager.logger.Warn("Callbacks Vault config is not set; secret generation requires explicit secretRef in payloads")
+		manager.logger.Warn("Callbacks Vault config is not set; hmac signing secret generation is disabled")
 		ensureSigningSecretMetrics()
 		return manager, nil
 	}
--- a/api/edge/bff/internal/server/callbacksimp/service.go
+++ b/api/edge/bff/internal/server/callbacksimp/service.go
@@ -5,6 +5,7 @@ import (

 	api "github.com/tech/sendico/pkg/api/http"
 	"github.com/tech/sendico/pkg/db/callbacks"
+	"github.com/tech/sendico/pkg/db/transaction"
 	"github.com/tech/sendico/pkg/merrors"
 	"github.com/tech/sendico/pkg/model"
 	"github.com/tech/sendico/pkg/mservice"
@@ -16,6 +17,7 @@ import (
 type CallbacksAPI struct {
 	papitemplate.ProtectedAPI[model.Callback]
 	db      callbacks.DB
+	tf      transaction.Factory
 	secrets signingSecretManager
 	config  callbacksConfig
 }
@@ -35,6 +37,7 @@ func CreateAPI(apiCtx eapi.API) (*CallbacksAPI, error) {

 	res := &CallbacksAPI{
 		config: newCallbacksConfig(apiCtx.Config().Callbacks),
+		tf:     apiCtx.DBFactory().TransactionFactory(),
 	}

 	p, err := papitemplate.CreateAPI(apiCtx, dbFactory, mservice.Organizations, mservice.Callbacks)
--- a/api/edge/bff/internal/server/callbacksimp/update.go
+++ b/api/edge/bff/internal/server/callbacksimp/update.go
@@ -0,0 +1,59 @@
+package callbacksimp
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"github.com/tech/sendico/pkg/api/http/response"
+	"github.com/tech/sendico/pkg/merrors"
+	"github.com/tech/sendico/pkg/model"
+	"github.com/tech/sendico/server/interface/api/sresponse"
+	"go.uber.org/zap"
+)
+
+func (a *CallbacksAPI) update(r *http.Request, account *model.Account, accessToken *sresponse.TokenData) http.HandlerFunc {
+	var input model.Callback
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		a.Logger.Warn("Failed to decode callback payload", zap.Error(err))
+		return response.BadPayload(a.Logger, a.Name(), err)
+	}
+
+	callbackRef := *input.GetID()
+	if callbackRef.IsZero() {
+		return response.Auto(a.Logger, a.Name(), merrors.InvalidArgument("callback ref is required", "id"))
+	}
+
+	var existing model.Callback
+	if err := a.db.Get(r.Context(), *account.GetID(), callbackRef, &existing); err != nil {
+		a.Logger.Warn("Failed to fetch callback before update", zap.Error(err))
+		return response.Auto(a.Logger, a.Name(), err)
+	}
+	existingSecretRef, err := a.db.GetSigningSecretRef(r.Context(), *account.GetID(), callbackRef)
+	if err != nil && !errors.Is(err, merrors.ErrNoData) {
+		a.Logger.Warn("Failed to fetch callback signing secret metadata", zap.Error(err))
+		return response.Auto(a.Logger, a.Name(), err)
+	}
+
+	mergeCallbackMutable(&existing, &input)
+	mutation, err := a.normalizeAndPrepare(r.Context(), &existing, existing.OrganizationRef, existingSecretRef, true)
+	if err != nil {
+		return response.Auto(a.Logger, a.Name(), err)
+	}
+
+	if _, err := a.tf.CreateTransaction().Execute(r.Context(), func(ctx context.Context) (any, error) {
+		if err := a.DB.Update(ctx, *account.GetID(), &existing); err != nil {
+			return nil, err
+		}
+		if err := a.applySigningSecretMutation(ctx, *account.GetID(), callbackRef, mutation); err != nil {
+			return nil, err
+		}
+		return nil, nil
+	}); err != nil {
+		a.Logger.Warn("Failed to update callback transaction", zap.Error(err))
+		return response.Auto(a.Logger, a.Name(), err)
+	}
+
+	return a.callbackResponse(&existing, accessToken, mutation.Generated, false)
+}
--- a/api/edge/callbacks/internal/delivery/service.go
+++ b/api/edge/callbacks/internal/delivery/service.go
@@ -10,6 +10,7 @@ import (
 	"sync"
 	"time"

+	"github.com/tech/sendico/edge/callbacks/internal/model"
 	"github.com/tech/sendico/edge/callbacks/internal/signing"
 	"github.com/tech/sendico/edge/callbacks/internal/storage"
 	"github.com/tech/sendico/pkg/merrors"
@@ -154,7 +155,7 @@ func (s *service) runWorker(ctx context.Context, workerID string) {
 	}
 }

-func (s *service) handleTask(ctx context.Context, workerID string, task *storage.Task) {
+func (s *service) handleTask(ctx context.Context, workerID string, task *model.Task) {
 	started := time.Now()
 	statusCode := 0
 	result := "failed"
--- a/api/edge/callbacks/internal/events/module.go
+++ b/api/edge/callbacks/internal/events/module.go
@@ -4,16 +4,18 @@ import (
 	"context"
 	"encoding/json"
 	"time"
+
+	"go.mongodb.org/mongo-driver/v2/bson"
 )

 // Envelope is the canonical incoming event envelope.
 type Envelope struct {
-	EventID     string          `json:"event_id"`
-	Type        string          `json:"type"`
-	ClientID    string          `json:"client_id"`
-	OccurredAt  time.Time       `json:"occurred_at"`
-	PublishedAt time.Time       `json:"published_at,omitempty"`
-	Data        json.RawMessage `json:"data"`
+	EventID         string          `json:"event_id"`
+	Type            string          `json:"type"`
+	OrganizationRef bson.ObjectID   `json:"organization_ref"`
+	OccurredAt      time.Time       `json:"occurred_at"`
+	PublishedAt     time.Time       `json:"published_at,omitempty"`
+	Data            json.RawMessage `json:"data"`
 }

 // Service parses incoming messages and builds outbound payload bytes.
@@ -24,10 +26,10 @@ type Service interface {

 // Payload is the stable outbound JSON body.
 type Payload struct {
-	EventID     string          `json:"event_id"`
-	Type        string          `json:"type"`
-	ClientID    string          `json:"client_id"`
-	OccurredAt  string          `json:"occurred_at"`
-	PublishedAt string          `json:"published_at,omitempty"`
-	Data        json.RawMessage `json:"data"`
+	EventID         string          `json:"event_id"`
+	Type            string          `json:"type"`
+	OrganizationRef bson.ObjectID   `json:"organization_ref"`
+	OccurredAt      string          `json:"occurred_at"`
+	PublishedAt     string          `json:"published_at,omitempty"`
+	Data            json.RawMessage `json:"data"`
 }
--- a/api/edge/callbacks/internal/events/service.go
+++ b/api/edge/callbacks/internal/events/service.go
@@ -8,6 +8,7 @@ import (

 	"github.com/tech/sendico/pkg/merrors"
 	"github.com/tech/sendico/pkg/mlogger"
+	"go.mongodb.org/mongo-driver/v2/bson"
 	"go.uber.org/zap"
 )

@@ -39,8 +40,8 @@ func (s *parserService) Parse(data []byte) (*Envelope, error) {
 	if strings.TrimSpace(envelope.Type) == "" {
 		return nil, merrors.InvalidArgument("type is required", "type")
 	}
-	if strings.TrimSpace(envelope.ClientID) == "" {
-		return nil, merrors.InvalidArgument("client_id is required", "client_id")
+	if envelope.OrganizationRef == bson.NilObjectID {
+		return nil, merrors.InvalidArgument("organization_ref is required", "organization_ref")
 	}
 	if envelope.OccurredAt.IsZero() {
 		return nil, merrors.InvalidArgument("occurred_at is required", "occurred_at")
@@ -51,7 +52,6 @@ func (s *parserService) Parse(data []byte) (*Envelope, error) {

 	envelope.EventID = strings.TrimSpace(envelope.EventID)
 	envelope.Type = strings.TrimSpace(envelope.Type)
-	envelope.ClientID = strings.TrimSpace(envelope.ClientID)
 	envelope.OccurredAt = envelope.OccurredAt.UTC()
 	if !envelope.PublishedAt.IsZero() {
 		envelope.PublishedAt = envelope.PublishedAt.UTC()
@@ -66,11 +66,11 @@ func (s *parserService) BuildPayload(_ context.Context, envelope *Envelope) ([]b
 	}

 	payload := Payload{
-		EventID:    envelope.EventID,
-		Type:       envelope.Type,
-		ClientID:   envelope.ClientID,
-		OccurredAt: envelope.OccurredAt.UTC().Format(time.RFC3339Nano),
-		Data:       envelope.Data,
+		EventID:         envelope.EventID,
+		Type:            envelope.Type,
+		OrganizationRef: envelope.OrganizationRef,
+		OccurredAt:      envelope.OccurredAt.UTC().Format(time.RFC3339Nano),
+		Data:            envelope.Data,
 	}
 	if !envelope.PublishedAt.IsZero() {
 		payload.PublishedAt = envelope.PublishedAt.UTC().Format(time.RFC3339Nano)
--- a/api/edge/callbacks/internal/ingest/service.go
+++ b/api/edge/callbacks/internal/ingest/service.go
@@ -17,6 +17,7 @@ import (
 	np "github.com/tech/sendico/pkg/messaging/notifications/processor"
 	"github.com/tech/sendico/pkg/mlogger"
 	"github.com/tech/sendico/pkg/model"
+	"go.mongodb.org/mongo-driver/v2/bson"
 	"go.uber.org/zap"
 )

@@ -178,7 +179,7 @@ func (s *service) handlePaymentStatusUpdated(ctx context.Context, msg *model.Pay
 		result = ingestResultEmptyPayload
 		return nil
 	}
-	if strings.TrimSpace(msg.EventID) == "" || strings.TrimSpace(msg.ClientID) == "" || msg.OccurredAt.IsZero() {
+	if strings.TrimSpace(msg.EventID) == "" || msg.Data.OrganizationRef == bson.NilObjectID || msg.OccurredAt.IsZero() {
 		result = ingestResultInvalidEvent
 		return nil
 	}
@@ -195,15 +196,15 @@ func (s *service) handlePaymentStatusUpdated(ctx context.Context, msg *model.Pay
 	}

 	parsed := &events.Envelope{
-		EventID:     strings.TrimSpace(msg.EventID),
-		Type:        eventType,
-		ClientID:    strings.TrimSpace(msg.ClientID),
-		OccurredAt:  msg.OccurredAt.UTC(),
-		PublishedAt: msg.PublishedAt.UTC(),
-		Data:        data,
+		EventID:         strings.TrimSpace(msg.EventID),
+		Type:            eventType,
+		OrganizationRef: msg.Data.OrganizationRef,
+		OccurredAt:      msg.OccurredAt.UTC(),
+		PublishedAt:     msg.PublishedAt.UTC(),
+		Data:            data,
 	}

-	inserted, err := s.deps.InboxRepo.TryInsert(ctx, parsed.EventID, parsed.ClientID, parsed.Type, time.Now().UTC())
+	inserted, err := s.deps.InboxRepo.TryInsert(ctx, parsed.EventID, parsed.Type, parsed.OrganizationRef, time.Now().UTC())
 	if err != nil {
 		result = ingestResultInboxError
 		return err
@@ -213,7 +214,7 @@ func (s *service) handlePaymentStatusUpdated(ctx context.Context, msg *model.Pay
 		return nil
 	}

-	endpoints, err := s.deps.Resolver.Resolve(ctx, parsed.ClientID, parsed.Type)
+	endpoints, err := s.deps.Resolver.Resolve(ctx, parsed.Type, parsed.OrganizationRef)
 	if err != nil {
 		result = ingestResultResolveError
 		return err
--- a/api/edge/callbacks/internal/model/callback.go
+++ b/api/edge/callbacks/internal/model/callback.go
@@ -0,0 +1,8 @@
+package model
+
+import pmodel "github.com/tech/sendico/pkg/model"
+
+type CallbackInternal struct {
+	pmodel.Callback `bson:",inline" json:",inline"`
+	SecretRef       string `bson:"secretRef"`
+}
--- a/api/edge/callbacks/internal/model/endpoint.go
+++ b/api/edge/callbacks/internal/model/endpoint.go
@@ -0,0 +1,22 @@
+package model
+
+import (
+	"time"
+
+	"github.com/tech/sendico/pkg/db/storable"
+	pmodel "github.com/tech/sendico/pkg/model"
+)
+
+// Endpoint describes one target callback endpoint.
+type Endpoint struct {
+	storable.Base
+	pmodel.OrganizationBoundBase
+	URL            string
+	SigningMode    string
+	SecretRef      string
+	Headers        map[string]string
+	MaxAttempts    int
+	MinDelay       time.Duration
+	MaxDelay       time.Duration
+	RequestTimeout time.Duration
+}
--- a/api/edge/callbacks/internal/model/task.go
+++ b/api/edge/callbacks/internal/model/task.go
@@ -0,0 +1,37 @@
+package model
+
+import (
+	"time"
+
+	"github.com/tech/sendico/pkg/db/storable"
+	"go.mongodb.org/mongo-driver/v2/bson"
+)
+
+// TaskStatus tracks delivery task lifecycle.
+type TaskStatus string
+
+const (
+	TaskStatusPending   TaskStatus = "PENDING"
+	TaskStatusRetry     TaskStatus = "RETRY"
+	TaskStatusDelivered TaskStatus = "DELIVERED"
+	TaskStatusFailed    TaskStatus = "FAILED"
+)
+
+// Task is one callback delivery job.
+type Task struct {
+	storable.Base
+	EventID        string
+	EndpointRef    bson.ObjectID
+	EndpointURL    string
+	SigningMode    string
+	SecretRef      string
+	Headers        map[string]string
+	Payload        []byte
+	Attempt        int
+	MaxAttempts    int
+	MinDelay       time.Duration
+	MaxDelay       time.Duration
+	RequestTimeout time.Duration
+	Status         TaskStatus
+	NextAttemptAt  time.Time
+}
--- a/api/edge/callbacks/internal/storage/module.go
+++ b/api/edge/callbacks/internal/storage/module.go
@@ -4,54 +4,12 @@ import (
 	"context"
 	"time"

+	"github.com/tech/sendico/edge/callbacks/internal/model"
 	"github.com/tech/sendico/pkg/db"
 	"github.com/tech/sendico/pkg/mlogger"
 	"go.mongodb.org/mongo-driver/v2/bson"
 )

-// TaskStatus tracks delivery task lifecycle.
-type TaskStatus string
-
-const (
-	TaskStatusPending   TaskStatus = "PENDING"
-	TaskStatusRetry     TaskStatus = "RETRY"
-	TaskStatusDelivered TaskStatus = "DELIVERED"
-	TaskStatusFailed    TaskStatus = "FAILED"
-)
-
-// Endpoint describes one target callback endpoint.
-type Endpoint struct {
-	ID             bson.ObjectID
-	ClientID       string
-	URL            string
-	SigningMode    string
-	SecretRef      string
-	Headers        map[string]string
-	MaxAttempts    int
-	MinDelay       time.Duration
-	MaxDelay       time.Duration
-	RequestTimeout time.Duration
-}
-
-// Task is one callback delivery job.
-type Task struct {
-	ID             bson.ObjectID
-	EventID        string
-	EndpointID     bson.ObjectID
-	EndpointURL    string
-	SigningMode    string
-	SecretRef      string
-	Headers        map[string]string
-	Payload        []byte
-	Attempt        int
-	MaxAttempts    int
-	MinDelay       time.Duration
-	MaxDelay       time.Duration
-	RequestTimeout time.Duration
-	Status         TaskStatus
-	NextAttemptAt  time.Time
-}
-
 // TaskDefaults are applied when creating tasks.
 type TaskDefaults struct {
 	MaxAttempts    int
@@ -69,18 +27,18 @@ type Options struct {

 // InboxRepo controls event dedupe state.
 type InboxRepo interface {
-	TryInsert(ctx context.Context, eventID, clientID, eventType string, at time.Time) (bool, error)
+	TryInsert(ctx context.Context, eventID, ceventType string, organizationRef bson.ObjectID, at time.Time) (bool, error)
 }

 // EndpointRepo resolves endpoints for events.
 type EndpointRepo interface {
-	FindActiveByClientAndType(ctx context.Context, clientID, eventType string) ([]Endpoint, error)
+	FindActive(ctx context.Context, eventType string, organizationRef bson.ObjectID) ([]model.Endpoint, error)
 }

 // TaskRepo manages callback tasks.
 type TaskRepo interface {
-	UpsertTasks(ctx context.Context, eventID string, endpoints []Endpoint, payload []byte, defaults TaskDefaults, at time.Time) error
-	LockNextTask(ctx context.Context, now time.Time, workerID string, lockTTL time.Duration) (*Task, error)
+	UpsertTasks(ctx context.Context, eventID string, endpoints []model.Endpoint, payload []byte, defaults TaskDefaults, at time.Time) error
+	LockNextTask(ctx context.Context, now time.Time, workerID string, lockTTL time.Duration) (*model.Task, error)
 	MarkDelivered(ctx context.Context, taskID bson.ObjectID, httpCode int, latency time.Duration, at time.Time) error
 	MarkRetry(ctx context.Context, taskID bson.ObjectID, attempt int, nextAttemptAt time.Time, lastError string, httpCode int, at time.Time) error
 	MarkFailed(ctx context.Context, taskID bson.ObjectID, attempt int, lastError string, httpCode int, at time.Time) error
--- a/api/edge/callbacks/internal/storage/service.go
+++ b/api/edge/callbacks/internal/storage/service.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"time"

+	"github.com/tech/sendico/edge/callbacks/internal/model"
 	"github.com/tech/sendico/pkg/db"
 	"github.com/tech/sendico/pkg/db/repository"
 	"github.com/tech/sendico/pkg/db/repository/builder"
@@ -13,6 +14,7 @@ import (
 	"github.com/tech/sendico/pkg/db/storable"
 	"github.com/tech/sendico/pkg/merrors"
 	"github.com/tech/sendico/pkg/mlogger"
+	pmodel "github.com/tech/sendico/pkg/model"
 	"github.com/tech/sendico/pkg/mservice"
 	mutil "github.com/tech/sendico/pkg/mutil/db"
 	"go.mongodb.org/mongo-driver/v2/bson"
@@ -39,10 +41,10 @@ type mongoRepository struct {
 }

 type inboxDoc struct {
-	storable.Base `bson:",inline"`
-	EventID       string `bson:"event_id"`
-	ClientID      string `bson:"client_id"`
-	EventType     string `bson:"event_type"`
+	storable.Base                `bson:",inline"`
+	pmodel.OrganizationBoundBase `bson:",inline"`
+	EventID                      string `bson:"event_id"`
+	EventType                    string `bson:"event_type"`
 }

 func (d *inboxDoc) Collection() string {
@@ -64,12 +66,12 @@ type deliveryPolicy struct {
 }

 type endpointDoc struct {
-	storable.Base  `bson:",inline"`
-	deliveryPolicy `bson:"retry_policy"`
-	ClientID       string   `bson:"client_id"`
-	Status         string   `bson:"status"`
-	URL            string   `bson:"url"`
-	EventTypes     []string `bson:"event_types"`
+	storable.Base                `bson:",inline"`
+	pmodel.OrganizationBoundBase `bson:",inline"`
+	deliveryPolicy               `bson:"retry_policy"`
+	Status                       string   `bson:"status"`
+	URL                          string   `bson:"url"`
+	EventTypes                   []string `bson:"event_types"`
 }

 func (d *endpointDoc) Collection() string {
@@ -79,18 +81,18 @@ func (d *endpointDoc) Collection() string {
 type taskDoc struct {
 	storable.Base  `bson:",inline"`
 	deliveryPolicy `bson:"retry_policy"`
-	EventID        string        `bson:"event_id"`
-	EndpointID     bson.ObjectID `bson:"endpoint_id"`
-	EndpointURL    string        `bson:"endpoint_url"`
-	Payload        []byte        `bson:"payload"`
-	Status         TaskStatus    `bson:"status"`
-	Attempt        int           `bson:"attempt"`
-	LastError      string        `bson:"last_error,omitempty"`
-	LastHTTPCode   int           `bson:"last_http_code,omitempty"`
-	NextAttemptAt  time.Time     `bson:"next_attempt_at"`
-	LockedUntil    *time.Time    `bson:"locked_until,omitempty"`
-	WorkerID       string        `bson:"worker_id,omitempty"`
-	DeliveredAt    *time.Time    `bson:"delivered_at,omitempty"`
+	EventID        string           `bson:"event_id"`
+	EndpointRef    bson.ObjectID    `bson:"endpoint_ref"`
+	EndpointURL    string           `bson:"endpoint_url"`
+	Payload        []byte           `bson:"payload"`
+	Status         model.TaskStatus `bson:"status"`
+	Attempt        int              `bson:"attempt"`
+	LastError      string           `bson:"last_error,omitempty"`
+	LastHTTPCode   int              `bson:"last_http_code,omitempty"`
+	NextAttemptAt  time.Time        `bson:"next_attempt_at"`
+	LockedUntil    *time.Time       `bson:"locked_until,omitempty"`
+	WorkerID       string           `bson:"worker_id,omitempty"`
+	DeliveredAt    *time.Time       `bson:"delivered_at,omitempty"`
 }

 func (d *taskDoc) Collection() string {
@@ -152,7 +154,7 @@ func (m *mongoRepository) ensureIndexes() error {
 			Unique: true,
 			Keys: []ri.Key{
 				{Field: "event_id", Sort: ri.Asc},
-				{Field: "endpoint_id", Sort: ri.Asc},
+				{Field: "endpoint_ref", Sort: ri.Asc},
 			},
 		},
 		{
@@ -172,7 +174,7 @@ func (m *mongoRepository) ensureIndexes() error {
 	if err := m.endpointsRepo.CreateIndex(&ri.Definition{
 		Name: "idx_client_event",
 		Keys: []ri.Key{
-			{Field: "client_id", Sort: ri.Asc},
+			{Field: "organization_ref", Sort: ri.Asc},
 			{Field: "status", Sort: ri.Asc},
 			{Field: "event_types", Sort: ri.Asc},
 		},
@@ -188,11 +190,11 @@ type inboxStore struct {
 	repo   repository.Repository
 }

-func (r *inboxStore) TryInsert(ctx context.Context, eventID, clientID, eventType string, at time.Time) (bool, error) {
+func (r *inboxStore) TryInsert(ctx context.Context, eventID, eventType string, organizationRef bson.ObjectID, at time.Time) (bool, error) {
 	doc := &inboxDoc{
-		EventID:   strings.TrimSpace(eventID),
-		ClientID:  strings.TrimSpace(clientID),
-		EventType: strings.TrimSpace(eventType),
+		OrganizationBoundBase: pmodel.OrganizationBoundBase{OrganizationRef: organizationRef},
+		EventID:               strings.TrimSpace(eventID),
+		EventType:             strings.TrimSpace(eventType),
 	}

 	filter := repository.Filter("event_id", doc.EventID)
@@ -212,21 +214,20 @@ type endpointStore struct {
 	repo   repository.Repository
 }

-func (r *endpointStore) FindActiveByClientAndType(ctx context.Context, clientID, eventType string) ([]Endpoint, error) {
-	clientID = strings.TrimSpace(clientID)
+func (r *endpointStore) FindActive(ctx context.Context, eventType string, organizationRef bson.ObjectID) ([]model.Endpoint, error) {
 	eventType = strings.TrimSpace(eventType)
-	if clientID == "" {
-		return nil, merrors.InvalidArgument("client_id is required", "client_id")
+	if organizationRef == bson.NilObjectID {
+		return nil, merrors.InvalidArgument("organization_ref is required", "organization_ref")
 	}
 	if eventType == "" {
 		return nil, merrors.InvalidArgument("event type is required", "event_type")
 	}

 	query := repository.Query().
-		Filter(repository.Field("client_id"), clientID).
+		Filter(repository.OrgField(), organizationRef).
 		In(repository.Field("status"), "active", "enabled")

-	out := make([]Endpoint, 0)
+	out := make([]model.Endpoint, 0)
 	err := r.repo.FindManyByFilter(ctx, query, func(cur *mongo.Cursor) error {
 		doc := &endpointDoc{}
 		if err := cur.Decode(doc); err != nil {
@@ -238,17 +239,17 @@ func (r *endpointStore) FindActiveByClientAndType(ctx context.Context, clientID,
 		if !supportsEventType(doc.EventTypes, eventType) {
 			return nil
 		}
-		out = append(out, Endpoint{
-			ID:             doc.ID,
-			ClientID:       doc.ClientID,
-			URL:            strings.TrimSpace(doc.URL),
-			SigningMode:    strings.TrimSpace(doc.SigningMode),
-			SecretRef:      strings.TrimSpace(doc.SecretRef),
-			Headers:        cloneHeaders(doc.Headers),
-			MaxAttempts:    doc.MaxAttempts,
-			MinDelay:       time.Duration(doc.MinDelayMS) * time.Millisecond,
-			MaxDelay:       time.Duration(doc.MaxDelayMS) * time.Millisecond,
-			RequestTimeout: time.Duration(doc.RequestTimeoutMS) * time.Millisecond,
+		out = append(out, model.Endpoint{
+			Base:                  doc.Base,
+			OrganizationBoundBase: doc.OrganizationBoundBase,
+			URL:                   strings.TrimSpace(doc.URL),
+			SigningMode:           strings.TrimSpace(doc.SigningMode),
+			SecretRef:             strings.TrimSpace(doc.SecretRef),
+			Headers:               cloneHeaders(doc.Headers),
+			MaxAttempts:           doc.MaxAttempts,
+			MinDelay:              time.Duration(doc.MinDelayMS) * time.Millisecond,
+			MaxDelay:              time.Duration(doc.MaxDelayMS) * time.Millisecond,
+			RequestTimeout:        time.Duration(doc.RequestTimeoutMS) * time.Millisecond,
 		})
 		return nil
 	})
@@ -281,7 +282,7 @@ type taskStore struct {
 	repo   repository.Repository
 }

-func (r *taskStore) UpsertTasks(ctx context.Context, eventID string, endpoints []Endpoint, payload []byte, defaults TaskDefaults, at time.Time) error {
+func (r *taskStore) UpsertTasks(ctx context.Context, eventID string, endpoints []model.Endpoint, payload []byte, defaults TaskDefaults, at time.Time) error {
 	eventID = strings.TrimSpace(eventID)
 	if eventID == "" {
 		return merrors.InvalidArgument("event id is required", "event_id")
@@ -292,7 +293,7 @@ func (r *taskStore) UpsertTasks(ctx context.Context, eventID string, endpoints [

 	now := at.UTC()
 	for _, endpoint := range endpoints {
-		if endpoint.ID == bson.NilObjectID {
+		if endpoint.GetID() == nil || *endpoint.GetID() == bson.NilObjectID {
 			continue
 		}

@@ -327,13 +328,13 @@ func (r *taskStore) UpsertTasks(ctx context.Context, eventID string, endpoints [

 		doc := &taskDoc{}
 		doc.EventID = eventID
-		doc.EndpointID = endpoint.ID
+		doc.EndpointRef = *endpoint.GetID()
 		doc.EndpointURL = strings.TrimSpace(endpoint.URL)
 		doc.SigningMode = strings.TrimSpace(endpoint.SigningMode)
 		doc.SecretRef = strings.TrimSpace(endpoint.SecretRef)
 		doc.Headers = cloneHeaders(endpoint.Headers)
 		doc.Payload = append([]byte(nil), payload...)
-		doc.Status = TaskStatusPending
+		doc.Status = model.TaskStatusPending
 		doc.Attempt = 0
 		doc.MaxAttempts = maxAttempts
 		doc.MinDelayMS = int(minDelay / time.Millisecond)
@@ -341,7 +342,7 @@ func (r *taskStore) UpsertTasks(ctx context.Context, eventID string, endpoints [
 		doc.RequestTimeoutMS = int(requestTimeout / time.Millisecond)
 		doc.NextAttemptAt = now

-		filter := repository.Filter("event_id", eventID).And(repository.Filter("endpoint_id", endpoint.ID))
+		filter := repository.Filter("event_id", eventID).And(repository.Filter("endpoint_ref", endpoint.ID))
 		if err := r.repo.Insert(ctx, doc, filter); err != nil {
 			if errors.Is(err, merrors.ErrDataConflict) {
 				continue
@@ -353,7 +354,7 @@ func (r *taskStore) UpsertTasks(ctx context.Context, eventID string, endpoints [
 	return nil
 }

-func (r *taskStore) LockNextTask(ctx context.Context, now time.Time, workerID string, lockTTL time.Duration) (*Task, error) {
+func (r *taskStore) LockNextTask(ctx context.Context, now time.Time, workerID string, lockTTL time.Duration) (*model.Task, error) {
 	workerID = strings.TrimSpace(workerID)
 	if workerID == "" {
 		return nil, merrors.InvalidArgument("worker id is required", "worker_id")
@@ -368,7 +369,7 @@ func (r *taskStore) LockNextTask(ctx context.Context, now time.Time, workerID st
 	)

 	query := repository.Query().
-		In(repository.Field("status"), string(TaskStatusPending), string(TaskStatusRetry)).
+		In(repository.Field("status"), string(model.TaskStatusPending), string(model.TaskStatusRetry)).
 		Comparison(repository.Field("next_attempt_at"), builder.Lte, now).
 		And(lockFilter).
 		Sort(repository.Field("next_attempt_at"), true).
@@ -390,7 +391,7 @@ func (r *taskStore) LockNextTask(ctx context.Context, now time.Time, workerID st
 			Set(repository.Field("worker_id"), workerID)

 		conditional := repository.IDFilter(candidate.ID).And(
-			repository.Query().In(repository.Field("status"), string(TaskStatusPending), string(TaskStatusRetry)),
+			repository.Query().In(repository.Field("status"), string(model.TaskStatusPending), string(model.TaskStatusRetry)),
 			repository.Query().Comparison(repository.Field("next_attempt_at"), builder.Lte, now),
 			lockFilter,
 		)
@@ -427,7 +428,7 @@ func (r *taskStore) MarkDelivered(ctx context.Context, taskID bson.ObjectID, htt
 	}

 	patch := repository.Patch().
-		Set(repository.Field("status"), TaskStatusDelivered).
+		Set(repository.Field("status"), model.TaskStatusDelivered).
 		Set(repository.Field("last_http_code"), httpCode).
 		Set(repository.Field("delivered_at"), time.Now()).
 		Set(repository.Field("locked_until"), nil).
@@ -446,7 +447,7 @@ func (r *taskStore) MarkRetry(ctx context.Context, taskID bson.ObjectID, attempt
 	}

 	patch := repository.Patch().
-		Set(repository.Field("status"), TaskStatusRetry).
+		Set(repository.Field("status"), model.TaskStatusRetry).
 		Set(repository.Field("attempt"), attempt).
 		Set(repository.Field("next_attempt_at"), nextAttemptAt.UTC()).
 		Set(repository.Field("last_error"), strings.TrimSpace(lastError)).
@@ -466,7 +467,7 @@ func (r *taskStore) MarkFailed(ctx context.Context, taskID bson.ObjectID, attemp
 	}

 	patch := repository.Patch().
-		Set(repository.Field("status"), TaskStatusFailed).
+		Set(repository.Field("status"), model.TaskStatusFailed).
 		Set(repository.Field("attempt"), attempt).
 		Set(repository.Field("last_error"), strings.TrimSpace(lastError)).
 		Set(repository.Field("last_http_code"), httpCode).
@@ -479,14 +480,14 @@ func (r *taskStore) MarkFailed(ctx context.Context, taskID bson.ObjectID, attemp
 	return nil
 }

-func mapTaskDoc(doc *taskDoc) *Task {
+func mapTaskDoc(doc *taskDoc) *model.Task {
 	if doc == nil {
 		return nil
 	}
-	return &Task{
-		ID:             doc.ID,
+	return &model.Task{
+		Base:           doc.Base,
 		EventID:        doc.EventID,
-		EndpointID:     doc.EndpointID,
+		EndpointRef:    doc.EndpointRef,
 		EndpointURL:    doc.EndpointURL,
 		SigningMode:    doc.SigningMode,
 		SecretRef:      doc.SecretRef,
--- a/api/edge/callbacks/internal/subscriptions/module.go
+++ b/api/edge/callbacks/internal/subscriptions/module.go
@@ -3,12 +3,14 @@ package subscriptions
 import (
 	"context"

+	"github.com/tech/sendico/edge/callbacks/internal/model"
 	"github.com/tech/sendico/edge/callbacks/internal/storage"
+	"go.mongodb.org/mongo-driver/v2/bson"
 )

 // Resolver resolves active webhook endpoints for an event.
 type Resolver interface {
-	Resolve(ctx context.Context, clientID, eventType string) ([]storage.Endpoint, error)
+	Resolve(ctx context.Context, eventType string, organizationRef bson.ObjectID) ([]model.Endpoint, error)
 }

 // Dependencies defines subscriptions resolver dependencies.
--- a/api/edge/callbacks/internal/subscriptions/service.go
+++ b/api/edge/callbacks/internal/subscriptions/service.go
@@ -4,8 +4,10 @@ import (
 	"context"
 	"strings"

+	"github.com/tech/sendico/edge/callbacks/internal/model"
 	"github.com/tech/sendico/edge/callbacks/internal/storage"
 	"github.com/tech/sendico/pkg/merrors"
+	"go.mongodb.org/mongo-driver/v2/bson"
 )

 type service struct {
@@ -21,15 +23,15 @@ func New(deps Dependencies) (Resolver, error) {
 	return &service{repo: deps.EndpointRepo}, nil
 }

-func (s *service) Resolve(ctx context.Context, clientID, eventType string) ([]storage.Endpoint, error) {
-	if strings.TrimSpace(clientID) == "" {
+func (s *service) Resolve(ctx context.Context, eventType string, organizationRef bson.ObjectID) ([]model.Endpoint, error) {
+	if organizationRef == bson.NilObjectID {
 		return nil, merrors.InvalidArgument("subscriptions: client id is required", "clientID")
 	}
 	if strings.TrimSpace(eventType) == "" {
 		return nil, merrors.InvalidArgument("subscriptions: event type is required", "eventType")
 	}

-	endpoints, err := s.repo.FindActiveByClientAndType(ctx, clientID, eventType)
+	endpoints, err := s.repo.FindActive(ctx, eventType, organizationRef)
 	if err != nil {
 		return nil, err
 	}
--- a/api/gateway/chain/go.mod
+++ b/api/gateway/chain/go.mod
@@ -23,7 +23,7 @@ require (

 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260225065256-91dd007ecddc // indirect
+	github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260302101851-b43f15d4ea3b // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.24.4 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect
--- a/api/gateway/chain/go.sum
+++ b/api/gateway/chain/go.sum
@@ -6,8 +6,8 @@ github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ=
 github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260225065256-91dd007ecddc h1:1stW1OipdBj8Me+nj26SzT8yil7OYve0r3cWobzk1JQ=
-github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260225065256-91dd007ecddc/go.mod h1:ioLG6R+5bUSO1oeGSDxOV3FADARuMoytZCSX6MEMQkI=
+github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260302101851-b43f15d4ea3b h1:zoMPWbn27kscAQflTWzSHhm9fuex5SXSpyMlhCFPfxk=
+github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260302101851-b43f15d4ea3b/go.mod h1:ioLG6R+5bUSO1oeGSDxOV3FADARuMoytZCSX6MEMQkI=
 github.com/VictoriaMetrics/fastcache v1.13.0 h1:AW4mheMR5Vd9FkAPUv+NH6Nhw+fmbTMGMsNAoA/+4G0=
 github.com/VictoriaMetrics/fastcache v1.13.0/go.mod h1:hHXhl4DA2fTL2HTZDJFXWgW0LNjo6B+4aj2Wmng3TjU=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
--- a/api/gateway/tron/go.mod
+++ b/api/gateway/tron/go.mod
@@ -26,7 +26,7 @@ require (

 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260225065256-91dd007ecddc // indirect
+	github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260302101851-b43f15d4ea3b // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.24.4 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect
--- a/api/gateway/tron/go.sum
+++ b/api/gateway/tron/go.sum
@@ -6,8 +6,8 @@ github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ=
 github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260225065256-91dd007ecddc h1:1stW1OipdBj8Me+nj26SzT8yil7OYve0r3cWobzk1JQ=
-github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260225065256-91dd007ecddc/go.mod h1:ioLG6R+5bUSO1oeGSDxOV3FADARuMoytZCSX6MEMQkI=
+github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260302101851-b43f15d4ea3b h1:zoMPWbn27kscAQflTWzSHhm9fuex5SXSpyMlhCFPfxk=
+github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260302101851-b43f15d4ea3b/go.mod h1:ioLG6R+5bUSO1oeGSDxOV3FADARuMoytZCSX6MEMQkI=
 github.com/VictoriaMetrics/fastcache v1.13.0 h1:AW4mheMR5Vd9FkAPUv+NH6Nhw+fmbTMGMsNAoA/+4G0=
 github.com/VictoriaMetrics/fastcache v1.13.0/go.mod h1:hHXhl4DA2fTL2HTZDJFXWgW0LNjo6B+4aj2Wmng3TjU=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
--- a/api/payments/orchestrator/internal/service/orchestrationv2/psvc/status_publish.go
+++ b/api/payments/orchestrator/internal/service/orchestrationv2/psvc/status_publish.go
@@ -81,11 +81,10 @@ func (p *brokerPaymentStatusPublisher) Publish(_ context.Context, in paymentStat
 	message := &model.PaymentStatusUpdated{
 		EventID:     buildPaymentStatusEventID(paymentRef, payment.Version, in.CurrentState),
 		Type:        model.PaymentStatusUpdatedType,
-		ClientID:    payment.OrganizationRef.Hex(),
 		OccurredAt:  occurredAt,
 		PublishedAt: time.Now().UTC(),
 		Data: model.PaymentStatusUpdatedData{
-			OrganizationRef:  payment.OrganizationRef.Hex(),
+			OrganizationRef:  payment.OrganizationRef,
 			PaymentRef:       paymentRef,
 			QuotationRef:     strings.TrimSpace(payment.QuotationRef),
 			ClientPaymentRef: strings.TrimSpace(payment.ClientPaymentRef),
--- a/api/pkg/db/callbacks/callbacks.go
+++ b/api/pkg/db/callbacks/callbacks.go
@@ -12,4 +12,7 @@ type DB interface {
 	auth.ProtectedDB[*model.Callback]
 	SetArchived(ctx context.Context, accountRef, organizationRef, callbackRef bson.ObjectID, archived, cascade bool) error
 	List(ctx context.Context, accountRef, organizationRef, _ bson.ObjectID, cursor *model.ViewCursor) ([]model.Callback, error)
+	GetSigningSecretRef(ctx context.Context, accountRef, callbackRef bson.ObjectID) (string, error)
+	SetSigningSecretRef(ctx context.Context, accountRef, callbackRef bson.ObjectID, secretRef string) error
+	ClearSigningSecretRef(ctx context.Context, accountRef, callbackRef bson.ObjectID) error
 }
--- a/api/pkg/db/internal/mongo/callbacksdb/callback.go
+++ b/api/pkg/db/internal/mongo/callbacksdb/callback.go
@@ -0,0 +1,8 @@
+package callbacksdb
+
+import "github.com/tech/sendico/pkg/model"
+
+type callbackInternal struct {
+	model.Callback `bson:",inline" json:",inline"`
+	SecretRef      string `bson:"secret_ref" json:"-"`
+}
--- a/api/pkg/db/internal/mongo/callbacksdb/db.go
+++ b/api/pkg/db/internal/mongo/callbacksdb/db.go
@@ -2,14 +2,12 @@ package callbacksdb

 import (
 	"context"
-	"errors"

 	"github.com/tech/sendico/pkg/auth"
 	"github.com/tech/sendico/pkg/db/callbacks"
 	"github.com/tech/sendico/pkg/db/policy"
 	ri "github.com/tech/sendico/pkg/db/repository/index"
 	"github.com/tech/sendico/pkg/db/storable"
-	"github.com/tech/sendico/pkg/merrors"
 	"github.com/tech/sendico/pkg/mlogger"
 	"github.com/tech/sendico/pkg/model"
 	"github.com/tech/sendico/pkg/mservice"
@@ -29,10 +27,6 @@ func Create(
 	pdb policy.DB,
 	db *mongo.Database,
 ) (*CallbacksDB, error) {
-	if err := ensureBuiltInPolicy(ctx, logger, pdb); err != nil {
-		return nil, err
-	}
-
 	p, err := auth.CreateDBImp[*model.Callback](ctx, logger, pdb, enforcer, mservice.Callbacks, db)
 	if err != nil {
 		return nil, err
@@ -43,7 +37,7 @@ func Create(
 			Name: "uq_callbacks_client_url",
 			Keys: []ri.Key{
 				{Field: storable.OrganizationRefField, Sort: ri.Asc},
-				{Field: "client_id", Sort: ri.Asc},
+				{Field: "organization_ref", Sort: ri.Asc},
 				{Field: "url", Sort: ri.Asc},
 			},
 			Unique: true,
@@ -82,31 +76,4 @@ func Create(
 	}, nil
 }

-func ensureBuiltInPolicy(ctx context.Context, logger mlogger.Logger, pdb policy.DB) error {
-	var existing model.PolicyDescription
-	if err := pdb.GetBuiltInPolicy(ctx, mservice.Callbacks, &existing); err == nil {
-		return nil
-	} else if !errors.Is(err, merrors.ErrNoData) {
-		return err
-	}
-
-	description := "Callbacks subscription management"
-	resourceTypes := []mservice.Type{mservice.Callbacks}
-	policyDescription := &model.PolicyDescription{
-		Describable: model.Describable{
-			Name:        "Callbacks",
-			Description: &description,
-		},
-		ResourceTypes: &resourceTypes,
-	}
-	if err := pdb.Create(ctx, policyDescription); err != nil && !errors.Is(err, merrors.ErrDataConflict) {
-		if logger != nil {
-			logger.Warn("Failed to create built-in callbacks policy", zap.Error(err))
-		}
-		return err
-	}
-
-	return pdb.GetBuiltInPolicy(ctx, mservice.Callbacks, &existing)
-}
-
 var _ callbacks.DB = (*CallbacksDB)(nil)
--- a/api/pkg/db/internal/mongo/callbacksdb/secretref.go
+++ b/api/pkg/db/internal/mongo/callbacksdb/secretref.go
@@ -0,0 +1,60 @@
+package callbacksdb
+
+import (
+	"context"
+	"strings"
+
+	"github.com/tech/sendico/pkg/db/repository"
+	"github.com/tech/sendico/pkg/merrors"
+	"github.com/tech/sendico/pkg/model"
+	"go.mongodb.org/mongo-driver/v2/bson"
+)
+
+func (db *CallbacksDB) GetSigningSecretRef(ctx context.Context, accountRef, callbackRef bson.ObjectID) (string, error) {
+	if callbackRef.IsZero() {
+		return "", merrors.InvalidArgument("callback reference is required", "callbackRef")
+	}
+
+	// Enforce read permissions through the public callback object first.
+	var callback model.Callback
+	if err := db.Get(ctx, accountRef, callbackRef, &callback); err != nil {
+		return "", err
+	}
+
+	internal := &callbackInternal{}
+	if err := db.DBImp.Repository.Get(ctx, callbackRef, internal); err != nil {
+		return "", err
+	}
+
+	return strings.TrimSpace(internal.SecretRef), nil
+}
+
+func (db *CallbacksDB) SetSigningSecretRef(ctx context.Context, accountRef, callbackRef bson.ObjectID, secretRef string) error {
+	if callbackRef.IsZero() {
+		return merrors.InvalidArgument("callback reference is required", "callbackRef")
+	}
+	value := strings.TrimSpace(secretRef)
+	if value == "" {
+		return merrors.InvalidArgument("secret reference is required", "secretRef")
+	}
+
+	return db.Patch(
+		ctx,
+		accountRef,
+		callbackRef,
+		repository.Patch().Set(repository.Field("secretRef"), value),
+	)
+}
+
+func (db *CallbacksDB) ClearSigningSecretRef(ctx context.Context, accountRef, callbackRef bson.ObjectID) error {
+	if callbackRef.IsZero() {
+		return merrors.InvalidArgument("callback reference is required", "callbackRef")
+	}
+
+	return db.Patch(
+		ctx,
+		accountRef,
+		callbackRef,
+		repository.Patch().Unset(repository.Field("secretRef")),
+	)
+}
--- a/api/pkg/db/internal/mongo/verificationimp/consume.go
+++ b/api/pkg/db/internal/mongo/verificationimp/consume.go
@@ -12,6 +12,7 @@ import (
 	"github.com/tech/sendico/pkg/merrors"
 	"github.com/tech/sendico/pkg/model"
 	mutil "github.com/tech/sendico/pkg/mutil/db"
+	"github.com/tech/sendico/pkg/mutil/mzap"
 	"go.mongodb.org/mongo-driver/v2/bson"
 	"go.uber.org/zap"
 )
@@ -54,7 +55,6 @@ func (db *verificationDB) Consume(
 				zap.String("purpose", string(purpose)),
 				zap.Bool("account_scoped", accountScoped),
 				zap.String("account_ref", accountRefHex),
-				zap.Any("scope_filter", scopeFilter.BuildQuery()),
 			)

 			// 1) Fast path for magic-link tokens: hash is deterministic and globally unique.
@@ -69,7 +69,6 @@ func (db *verificationDB) Consume(
 				zap.String("purpose", string(purpose)),
 				zap.Bool("account_scoped", accountScoped),
 				zap.String("account_ref", accountRefHex),
-				zap.Any("magic_filter", magicFilter.BuildQuery()),
 			)
 			var direct model.VerificationToken
 			err := db.DBImp.FindOne(ctx, magicFilter, &direct)
@@ -152,7 +151,7 @@ func (db *verificationDB) Consume(
 					db.Logger.Debug("Verification consume OTP candidate evaluated",
 						zap.Int("candidate_index", i),
 						zap.Int("candidate_total", len(tokens)),
-						zap.String("candidate_id", t.ID.Hex()),
+						mzap.ObjRef("candidate_ref", t.ID),
 						zap.Bool("candidate_has_salt", t.Salt != nil),
 						zap.Bool("candidate_used", t.UsedAt != nil),
 						zap.Time("candidate_expires_at", t.ExpiresAt),
@@ -181,7 +180,6 @@ func (db *verificationDB) Consume(
 						zap.String("purpose", string(purpose)),
 						zap.Bool("account_scoped", accountScoped),
 						zap.String("account_ref", accountRefHex),
-						zap.Any("active_filter", activeFilter.BuildQuery()),
 					)

 					incremented, patchErr := db.DBImp.PatchMany(
@@ -271,8 +269,7 @@ func (db *verificationDB) Consume(
 				zap.String("purpose", string(purpose)),
 				zap.Bool("account_scoped", accountScoped),
 				zap.String("account_ref", accountRefHex),
-				zap.String("token_id", token.ID.Hex()),
-				zap.Any("consume_filter", consumeFilter.BuildQuery()),
+				mzap.StorableRef(token),
 			)

 			updated, err := db.DBImp.PatchMany(
@@ -285,7 +282,7 @@ func (db *verificationDB) Consume(
 					zap.String("purpose", string(purpose)),
 					zap.Bool("account_scoped", accountScoped),
 					zap.String("account_ref", accountRefHex),
-					zap.String("token_id", token.ID.Hex()),
+					mzap.StorableRef(token),
 					zap.Error(err),
 				)
 				return nil, err
@@ -294,7 +291,7 @@ func (db *verificationDB) Consume(
 				zap.String("purpose", string(purpose)),
 				zap.Bool("account_scoped", accountScoped),
 				zap.String("account_ref", accountRefHex),
-				zap.String("token_id", token.ID.Hex()),
+				mzap.StorableRef(token),
 				zap.Int("updated_count", updated),
 			)

@@ -322,7 +319,7 @@ func (db *verificationDB) Consume(
 					zap.String("purpose", string(purpose)),
 					zap.Bool("account_scoped", accountScoped),
 					zap.String("account_ref", accountRefHex),
-					zap.String("token_id", token.ID.Hex()),
+					mzap.StorableRef(token),
 					zap.Error(incrementErr),
 				)
 			} else {
@@ -330,7 +327,7 @@ func (db *verificationDB) Consume(
 					zap.String("purpose", string(purpose)),
 					zap.Bool("account_scoped", accountScoped),
 					zap.String("account_ref", accountRefHex),
-					zap.String("token_id", token.ID.Hex()),
+					mzap.StorableRef(token),
 					zap.Int("updated_count", incremented),
 					zap.String("transaction_note", "this update occurs inside transaction and may roll back depending on returned error"),
 				)
@@ -343,7 +340,7 @@ func (db *verificationDB) Consume(
 					zap.String("purpose", string(purpose)),
 					zap.Bool("account_scoped", accountScoped),
 					zap.String("account_ref", accountRefHex),
-					zap.String("token_id", token.ID.Hex()),
+					mzap.StorableRef(token),
 					zap.Error(err),
 				)
 				return nil, merrors.Internal("failed to re-check token state")
@@ -353,7 +350,7 @@ func (db *verificationDB) Consume(
 					zap.String("purpose", string(purpose)),
 					zap.Bool("account_scoped", accountScoped),
 					zap.String("account_ref", accountRefHex),
-					zap.String("token_id", token.ID.Hex()),
+					mzap.StorableRef(token),
 				}, tokenStateFields(&fresh)...,
 				)...,
 			)
@@ -363,7 +360,7 @@ func (db *verificationDB) Consume(
 					zap.String("purpose", string(purpose)),
 					zap.Bool("account_scoped", accountScoped),
 					zap.String("account_ref", accountRefHex),
-					zap.String("token_id", token.ID.Hex()),
+					mzap.StorableRef(token),
 				)
 				return nil, verification.ErorrTokenAlreadyUsed()
 			}
@@ -372,7 +369,7 @@ func (db *verificationDB) Consume(
 					zap.String("purpose", string(purpose)),
 					zap.Bool("account_scoped", accountScoped),
 					zap.String("account_ref", accountRefHex),
-					zap.String("token_id", token.ID.Hex()),
+					mzap.StorableRef(token),
 					zap.Time("now_utc", now),
 					zap.Time("token_expires_at", fresh.ExpiresAt),
 				)
@@ -383,7 +380,7 @@ func (db *verificationDB) Consume(
 					zap.String("purpose", string(purpose)),
 					zap.Bool("account_scoped", accountScoped),
 					zap.String("account_ref", accountRefHex),
-					zap.String("token_id", token.ID.Hex()),
+					mzap.StorableRef(token),
 					zap.Int("token_attempts", fresh.Attempts),
 					zap.Int("token_max_retries", *fresh.MaxRetries),
 				)
@@ -394,7 +391,7 @@ func (db *verificationDB) Consume(
 				zap.String("purpose", string(purpose)),
 				zap.Bool("account_scoped", accountScoped),
 				zap.String("account_ref", accountRefHex),
-				zap.String("token_id", token.ID.Hex()),
+				mzap.StorableRef(token),
 			)
 			return nil, verification.ErorrTokenNotFound()
 		},
@@ -457,8 +454,8 @@ func tokenIsDigitsOnly(value string) bool {

 func tokenStateFields(token *model.VerificationToken) []zap.Field {
 	fields := []zap.Field{
-		zap.String("token_id", token.ID.Hex()),
-		zap.String("token_account_ref", token.AccountRef.Hex()),
+		mzap.StorableRef(token),
+		mzap.ObjRef("token_account_ref", token.AccountRef),
 		zap.String("token_purpose", string(token.Purpose)),
 		zap.Bool("token_has_target", strings.TrimSpace(token.Target) != ""),
 		zap.Bool("token_has_idempotency_key", token.IdempotencyKey != nil),
--- a/api/pkg/db/internal/mongo/verificationimp/create.go
+++ b/api/pkg/db/internal/mongo/verificationimp/create.go
@@ -29,14 +29,6 @@ func syntheticIdempotencyKey() string {
 	return "auto:" + bson.NewObjectID().Hex()
 }

-func verificationContextFilter(request *verification.Request) builder.Query {
-	return repository.Query().And(
-		repository.Filter("accountRef", request.AccountRef),
-		repository.Filter("purpose", request.Purpose),
-		repository.Filter("target", request.Target),
-	)
-}
-
 func activeContextFilter(request *verification.Request, now time.Time) builder.Query {
 	return repository.Query().And(
 		repository.Filter("accountRef", request.AccountRef),
--- a/api/pkg/go.mod
+++ b/api/pkg/go.mod
@@ -28,7 +28,7 @@ require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260225065256-91dd007ecddc // indirect
+	github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260302101851-b43f15d4ea3b // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bits-and-blooms/bitset v1.24.4 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.10.0 // indirect
--- a/api/pkg/go.sum
+++ b/api/pkg/go.sum
@@ -6,8 +6,8 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260225065256-91dd007ecddc h1:1stW1OipdBj8Me+nj26SzT8yil7OYve0r3cWobzk1JQ=
-github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260225065256-91dd007ecddc/go.mod h1:ioLG6R+5bUSO1oeGSDxOV3FADARuMoytZCSX6MEMQkI=
+github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260302101851-b43f15d4ea3b h1:zoMPWbn27kscAQflTWzSHhm9fuex5SXSpyMlhCFPfxk=
+github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20260302101851-b43f15d4ea3b/go.mod h1:ioLG6R+5bUSO1oeGSDxOV3FADARuMoytZCSX6MEMQkI=
 github.com/StackExchange/wmi v1.2.1 h1:VIkavFPXSjcnS+O8yTq7NI32k0R5Aj+v39y29VYDOSA=
 github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
--- a/api/pkg/model/callback.go
+++ b/api/pkg/model/callback.go
@@ -16,11 +16,14 @@ const (
 	CallbackSigningModeHMACSHA256 CallbackSigningMode = "hmac_sha256"
 )

+type CallbackBackoff struct {
+	MinDelayMS int `bson:"min_ms" json:"minDelayMs"`
+	MaxDelayMS int `bson:"max_ms" json:"maxDelayMs"`
+}
+
 type CallbackRetryPolicy struct {
-	MinDelayMS       int                 `bson:"min_ms" json:"minDelayMs"`
-	MaxDelayMS       int                 `bson:"max_ms" json:"maxDelayMs"`
+	Backoff          CallbackBackoff     `bson:"backoff" json:"backoff"`
 	SigningMode      CallbackSigningMode `bson:"signing_mode" json:"signingMode"`
-	SecretRef        string              `bson:"secret_ref,omitempty" json:"secretRef,omitempty"`
 	Headers          map[string]string   `bson:"headers,omitempty" json:"headers,omitempty"`
 	MaxAttempts      int                 `bson:"max_attempts" json:"maxAttempts"`
 	RequestTimeoutMS int                 `bson:"request_timeout_ms" json:"requestTimeoutMs"`
@@ -29,7 +32,6 @@ type CallbackRetryPolicy struct {
 type Callback struct {
 	PermissionBound `bson:",inline" json:",inline"`
 	Describable     `bson:",inline" json:",inline"`
-	ClientID        string              `bson:"client_id" json:"clientId"`
 	Status          CallbackStatus      `bson:"status" json:"status"`
 	URL             string              `bson:"url" json:"url"`
 	EventTypes      []string            `bson:"event_types" json:"eventTypes"`
--- a/api/pkg/model/payment_orchestrator_status.go
+++ b/api/pkg/model/payment_orchestrator_status.go
@@ -1,6 +1,10 @@
 package model

-import "time"
+import (
+	"time"
+
+	"go.mongodb.org/mongo-driver/v2/bson"
+)

 const (
 	PaymentStatusUpdatedType = "payment.status.updated"
@@ -9,21 +13,20 @@ const (
 type PaymentStatusUpdated struct {
 	EventID     string                   `json:"event_id,omitempty"`
 	Type        string                   `json:"type,omitempty"`
-	ClientID    string                   `json:"client_id,omitempty"`
 	OccurredAt  time.Time                `json:"occurred_at,omitempty"`
 	PublishedAt time.Time                `json:"published_at,omitempty"`
 	Data        PaymentStatusUpdatedData `json:"data"`
 }

 type PaymentStatusUpdatedData struct {
-	OrganizationRef  string `json:"organization_ref,omitempty"`
-	PaymentRef       string `json:"payment_ref,omitempty"`
-	QuotationRef     string `json:"quotation_ref,omitempty"`
-	ClientPaymentRef string `json:"client_payment_ref,omitempty"`
-	IdempotencyKey   string `json:"idempotency_key,omitempty"`
-	State            string `json:"state,omitempty"`
-	PreviousState    string `json:"previous_state,omitempty"`
-	Version          uint64 `json:"version,omitempty"`
-	IsTerminal       bool   `json:"is_terminal"`
-	Event            string `json:"event,omitempty"`
+	OrganizationRef  bson.ObjectID `json:"organization_ref,omitempty"`
+	PaymentRef       string        `json:"payment_ref,omitempty"`
+	QuotationRef     string        `json:"quotation_ref,omitempty"`
+	ClientPaymentRef string        `json:"client_payment_ref,omitempty"`
+	IdempotencyKey   string        `json:"idempotency_key,omitempty"`
+	State            string        `json:"state,omitempty"`
+	PreviousState    string        `json:"previous_state,omitempty"`
+	Version          uint64        `json:"version,omitempty"`
+	IsTerminal       bool          `json:"is_terminal"`
+	Event            string        `json:"event,omitempty"`
 }
--- a/api/pkg/model/refresh.go
+++ b/api/pkg/model/refresh.go
@@ -3,7 +3,9 @@ package model
 import (
 	"time"

+	"github.com/tech/sendico/pkg/db/storable"
 	"github.com/tech/sendico/pkg/mservice"
+	"go.mongodb.org/mongo-driver/v2/bson"
 )

 type ClientRefreshToken struct {
@@ -12,13 +14,14 @@ type ClientRefreshToken struct {
 }

 type RefreshToken struct {
-	AccountBoundBase   `bson:",inline" json:",inline"`
+	storable.Base      `bson:",inline" json:",inline"`
 	ClientRefreshToken `bson:",inline" json:",inline"`
-	ExpiresAt          time.Time `bson:"expiresAt"`
-	IsRevoked          bool      `bson:"isRevoked"`
-	LastUsedAt         time.Time `bson:"lastUsedAt,omitempty"`
-	UserAgent          string    `bson:"userAgent"`
-	IPAddress          string    `bson:"ipAddress"`
+	AccountRef         *bson.ObjectID `bson:"accountRef,omitempty" json:"accountRef,omitempty"`
+	ExpiresAt          time.Time      `bson:"expiresAt"`
+	IsRevoked          bool           `bson:"isRevoked"`
+	LastUsedAt         time.Time      `bson:"lastUsedAt,omitempty"`
+	UserAgent          string         `bson:"userAgent"`
+	IPAddress          string         `bson:"ipAddress"`
 }

 func (*RefreshToken) Collection() string {
--- a/api/server/go.sum
+++ b/api/server/go.sum
@@ -1,388 +0,0 @@
-dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
-dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/aws/aws-sdk-go-v2 v1.41.2 h1:LuT2rzqNQsauaGkPK/7813XxcZ3o3yePY0Iy891T2ls=
-github.com/aws/aws-sdk-go-v2 v1.41.2/go.mod h1:IvvlAZQXvTXznUPfRVfryiG1fbzE2NGK6m9u39YQ+S4=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.5 h1:zWFmPmgw4sveAYi1mRqG+E/g0461cJ5M4bJ8/nc6d3Q=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.5/go.mod h1:nVUlMLVV8ycXSb7mSkcNu9e3v/1TJq2RTlrPwhYWr5c=
-github.com/aws/aws-sdk-go-v2/config v1.32.10 h1:9DMthfO6XWZYLfzZglAgW5Fyou2nRI5CuV44sTedKBI=
-github.com/aws/aws-sdk-go-v2/config v1.32.10/go.mod h1:2rUIOnA2JaiqYmSKYmRJlcMWy6qTj1vuRFscppSBMcw=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.10 h1:EEhmEUFCE1Yhl7vDhNOI5OCL/iKMdkkYFTRpZXNw7m8=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.10/go.mod h1:RnnlFCAlxQCkN2Q379B67USkBMu1PipEEiibzYN5UTE=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18 h1:Ii4s+Sq3yDfaMLpjrJsqD6SmG/Wq/P5L/hw2qa78UAY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.18/go.mod h1:6x81qnY++ovptLE6nWQeWrpXxbnlIex+4H4eYYGcqfc=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18 h1:F43zk1vemYIqPAwhjTjYIz0irU2EY7sOb/F5eJ3HuyM=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.18/go.mod h1:w1jdlZXrGKaJcNoL+Nnrj+k5wlpGXqnNrKoP22HvAug=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18 h1:xCeWVjj0ki0l3nruoyP2slHsGArMxeiiaoPN5QZH6YQ=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.18/go.mod h1:r/eLGuGCBw6l36ZRWiw6PaZwPXb6YOj+i/7MizNl5/k=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.18 h1:eZioDaZGJ0tMM4gzmkNIO2aAoQd+je7Ug7TkvAzlmkU=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.18/go.mod h1:CCXwUKAJdoWr6/NcxZ+zsiPr6oH/Q5aTooRGYieAyj4=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5 h1:CeY9LUdur+Dxoeldqoun6y4WtJ3RQtzk0JMP2gfUay0=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.5/go.mod h1:AZLZf2fMaahW5s/wMRciu1sYbdsikT/UHwbUjOdEVTc=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.10 h1:fJvQ5mIBVfKtiyx0AHY6HeWcRX5LGANLpq8SVR+Uazs=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.10/go.mod h1:Kzm5e6OmNH8VMkgK9t+ry5jEih4Y8whqs+1hrkxim1I=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18 h1:LTRCYFlnnKFlKsyIQxKhJuDuA3ZkrDQMRYm6rXiHlLY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.18/go.mod h1:XhwkgGG6bHSd00nO/mexWTcTjgd6PjuvWQMqSn2UaEk=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.18 h1:/A/xDuZAVD2BpsS2fftFRo/NoEKQJ8YTnJDEHBy2Gtg=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.18/go.mod h1:hWe9b4f+djUQGmyiGEeOnZv69dtMSgpDRIvNMvuvzvY=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.96.2 h1:M1A9AjcFwlxTLuf0Faj88L8Iqw0n/AJHjpZTQzMMsSc=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.96.2/go.mod h1:KsdTV6Q9WKUZm2mNJnUFmIoXfZux91M3sr/a4REX8e0=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.6 h1:MzORe+J94I+hYu2a6XmV5yC9huoTv8NRcCrUNedDypQ=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.6/go.mod h1:hXzcHLARD7GeWnifd8j9RWqtfIgxj4/cAtIVIK7hg8g=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.11 h1:7oGD8KPfBOJGXiCoRKrrrQkbvCp8N++u36hrLMPey6o=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.11/go.mod h1:0DO9B5EUJQlIDif+XJRWCljZRKsAFKh3gpFz7UnDtOo=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15 h1:edCcNp9eGIUDUCrzoCu1jWAXLGFIizeqkdkKgRlJwWc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.15/go.mod h1:lyRQKED9xWfgkYC/wmmYfv7iVIM68Z5OQ88ZdcV1QbU=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.7 h1:NITQpgo9A5NrDZ57uOWj+abvXSb83BbyggcUBVksN7c=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.7/go.mod h1:sks5UWBhEuWYDPdwlnRFn1w7xWdH29Jcpe+/PJQefEs=
-github.com/aws/smithy-go v1.24.1 h1:VbyeNfmYkWoxMVpGUAbQumkODcYmfMRfZ8yQiH30SK0=
-github.com/aws/smithy-go v1.24.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
-github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
-github.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs=
-github.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
-github.com/casbin/casbin/v2 v2.135.0 h1:6BLkMQiGotYyS5yYeWgW19vxqugUlvHFkFiLnLR/bxk=
-github.com/casbin/casbin/v2 v2.135.0/go.mod h1:FmcfntdXLTcYXv/hxgNntcRPqAbwOG9xsism0yXT+18=
-github.com/casbin/govaluate v1.3.0/go.mod h1:G/UnbIjZk/0uMNaLwZZmFQrR72tYRZWQkO70si/iR7A=
-github.com/casbin/govaluate v1.10.0 h1:ffGw51/hYH3w3rZcxO/KcaUIDOLP84w7nsidMVgaDG0=
-github.com/casbin/govaluate v1.10.0/go.mod h1:G/UnbIjZk/0uMNaLwZZmFQrR72tYRZWQkO70si/iR7A=
-github.com/casbin/mongodb-adapter/v4 v4.3.0 h1:yYXky9v1by6vj/0QK7OyHyd/xpz4vzh0lCi7JKrS4qQ=
-github.com/casbin/mongodb-adapter/v4 v4.3.0/go.mod h1:bOTSYZUjX7I9E0ExEvgq46m3mcDNRII7g8iWjrM1BHE=
-github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
-github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
-github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
-github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
-github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.1 h1:5RVFMOWjMyRy8cARdy79nAmgYw3hK/4HUq48LQ6Wwqo=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.1/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
-github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
-github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
-github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
-github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
-github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
-github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
-github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
-github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
-github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
-github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
-github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
-github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
-github.com/go-chi/jwtauth/v5 v5.4.0 h1:Ieh0xMJsFvqylqJ02/mQHKzbbKO9DYNBh4DPKCwTwYI=
-github.com/go-chi/jwtauth/v5 v5.4.0/go.mod h1:w6yjqUUXz1b8+oiJel64Sz1KJwduQM6qUA5QNzO5+bQ=
-github.com/go-chi/metrics v0.1.1 h1:CXhbnkAVVjb0k73EBRQ6Z2YdWFnbXZgNtg1Mboguibk=
-github.com/go-chi/metrics v0.1.1/go.mod h1:mcGTM1pPalP7WCtb+akNYFO/lwNwBBLCuedepqjoPn4=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
-github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
-github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
-github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
-github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs=
-github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
-github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
-github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
-github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
-github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38=
-github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo=
-github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY=
-github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU=
-github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
-github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc/v3 v3.0.4 h1:pXyH2ppK8GYYggygxJ3TvxpCZnbEUWc9qSwRTTApaLA=
-github.com/lestrrat-go/httprc/v3 v3.0.4/go.mod h1:mSMtkZW92Z98M5YoNNztbRGxbXHql7tSitCvaxvo9l0=
-github.com/lestrrat-go/jwx/v3 v3.0.13 h1:AdHKiPIYeCSnOJtvdpipPg/0SuFh9rdkN+HF3O0VdSk=
-github.com/lestrrat-go/jwx/v3 v3.0.13/go.mod h1:2m0PV1A9tM4b/jVLMx8rh6rBl7F6WGb3EG2hufN9OQU=
-github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
-github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg=
-github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54 h1:mFWunSatvkQQDhpdyuFAYwyAan3hzCuma+Pz8sqvOfg=
-github.com/lufia/plan9stats v0.0.0-20250827001030-24949be3fa54/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
-github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
-github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
-github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
-github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
-github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
-github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
-github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
-github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
-github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
-github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
-github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
-github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe h1:iruDEfMl2E6fbMZ9s0scYfZQ84/6SPL6zC8ACM2oIL0=
-github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/nats-io/nats.go v1.49.0 h1:yh/WvY59gXqYpgl33ZI+XoVPKyut/IcEaqtsiuTJpoE=
-github.com/nats-io/nats.go v1.49.0/go.mod h1:fDCn3mN5cY8HooHwE2ukiLb4p4G4ImmzvXyJt+tGwdw=
-github.com/nats-io/nkeys v0.4.15 h1:JACV5jRVO9V856KOapQ7x+EY8Jo3qw1vJt/9Jpwzkk4=
-github.com/nats-io/nkeys v0.4.15/go.mod h1:CpMchTXC9fxA5zrMo4KpySxNjiDVvr8ANOSZdiNfUrs=
-github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
-github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
-github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
-github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
-github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
-github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
-github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
-github.com/prometheus/procfs v0.20.0 h1:AA7aCvjxwAquZAlonN7888f2u4IN8WVeFgBi4k82M4Q=
-github.com/prometheus/procfs v0.20.0/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
-github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
-github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
-github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
-github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
-github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
-github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
-github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
-github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
-github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
-github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
-github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
-github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
-github.com/testcontainers/testcontainers-go v0.33.0 h1:zJS9PfXYT5O0ZFXM2xxXfk4J5UMw/kRiISng037Gxdw=
-github.com/testcontainers/testcontainers-go v0.33.0/go.mod h1:W80YpTa8D5C3Yy16icheD01UTDu+LmXIA2Keo+jWtT8=
-github.com/testcontainers/testcontainers-go/modules/mongodb v0.33.0 h1:iXVA84s5hKMS5gn01GWOYHE3ymy/2b+0YkpFeTxB2XY=
-github.com/testcontainers/testcontainers-go/modules/mongodb v0.33.0/go.mod h1:R6tMjTojRiaoo89fh/hf7tOmfzohdqSU17R9DwSVSog=
-github.com/tklauser/go-sysconf v0.3.16 h1:frioLaCQSsF5Cy1jgRBrzr6t502KIIwQ0MArYICU0nA=
-github.com/tklauser/go-sysconf v0.3.16/go.mod h1:/qNL9xxDhc7tx3HSRsLWNnuzbVfh3e7gh/BmM179nYI=
-github.com/tklauser/numcpus v0.11.0 h1:nSTwhKH5e1dMNsCdVBukSZrURJRoHbSEQjdEbY+9RXw=
-github.com/tklauser/numcpus v0.11.0/go.mod h1:z+LwcLq54uWZTX0u/bGobaV34u6V7KNlTZejzM6/3MQ=
-github.com/valyala/fastjson v1.6.10 h1:/yjJg8jaVQdYR3arGxPE2X5z89xrlhS0eGXdv+ADTh4=
-github.com/valyala/fastjson v1.6.10/go.mod h1:e6FubmQouUNP73jtMLmcbxS6ydWIpOfhz34TSfO3JaE=
-github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
-github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
-github.com/xdg-go/scram v1.2.0 h1:bYKF2AEwG5rqd1BumT4gAnvwU/M9nBp2pTSxeZw7Wvs=
-github.com/xdg-go/scram v1.2.0/go.mod h1:3dlrS0iBaWKYVt2ZfA4cj48umJZ+cAEbR6/SjLA88I8=
-github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
-github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
-github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
-github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
-github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-go.mongodb.org/mongo-driver v1.17.8 h1:BDP3+U3Y8K0vTrpqDJIRaXNhb/bKyoVeg6tIJsW5EhM=
-go.mongodb.org/mongo-driver v1.17.8/go.mod h1:LlOhpH5NUEfhxcAwG0UEkMqwYcc4JU18gtCdGudk/tQ=
-go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
-go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
-go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
-go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 h1:QKdN8ly8zEMrByybbQgv8cWBcdAarwmIPZ6FThrWXJs=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0/go.mod h1:bTdK1nhqF76qiPoCCdyFIV+N/sRHYXYCTQc+3VCi3MI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
-go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
-go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
-go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/atomic v1.8.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
-go.uber.org/multierr v1.7.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
-go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
-go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI=
-go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=
-go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
-go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 h1:tu/dtnW1o3wfaxCOjSLn5IRX4YDcJrtlpzYkhHhGaC4=
-google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171/go.mod h1:M5krXqk4GhBKvB596udGL3UyjL4I1+cTbK0orROM9ng=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
-google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
-google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
-gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-moul.io/chizap v1.0.3 h1:mliXvvuS5HVo3QP8qPXczWtRM5dQ9UmK3bBVIkZo6ek=
-moul.io/chizap v1.0.3/go.mod h1:pq4R9kGLwz4XjBc4hodQYuoE7Yc9RUabLBFyyi2uErk=