From 77f8ee4024cec656db8f097b51b712f11d3d12e4 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Wed, 29 Apr 2026 17:35:31 +0700
Subject: [PATCH 1/4] checker: build host FQDN from subdomain + apex at service
 scope

---
 checker/collect.go       | 18 +++++++++++++++++-
 checker/definition.go    |  6 ++++++
 checker/provider_test.go |  2 +-
 checker/service.go       | 11 ++++++-----
 checker/types.go         |  1 +
 5 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/checker/collect.go b/checker/collect.go
index 153ab32..7e1f4b5 100644
--- a/checker/collect.go
+++ b/checker/collect.go
@@ -21,6 +21,7 @@ import (
 	"time"
 
 	sdk "git.happydns.org/checker-sdk-go/checker"
+	happydns "git.happydns.org/happyDomain/model"
 	"golang.org/x/net/html"
 )
 
@@ -143,7 +144,22 @@ func buildTarget(ctx context.Context, opts sdk.CheckerOptions) (Target, error) {
 		userAgent = v
 	}
 
-	host, ips := addressesFromServer(server)
+	// Origin is the FQDN where the service is mounted: svc.Domain holds the
+	// subdomain (relative to apex; "@" for apex), and the domain_name
+	// autofill carries the zone apex.
+	apex := ""
+	if v, ok := sdk.GetOption[string](opts, OptionDomainName); ok {
+		apex = strings.TrimSuffix(v, ".")
+	}
+	subdomain := ""
+	if svc, ok := sdk.GetOption[happydns.ServiceMessage](opts, OptionService); ok {
+		subdomain = strings.TrimSuffix(svc.Domain, ".")
+	}
+	origin := sdk.JoinRelative(subdomain, apex)
+	host, ips := addressesFromServer(server, origin)
+	if host == "" {
+		host = origin
+	}
 	// abstract.Server only pins one A and one AAAA. Resolve the host to
 	// pick up any additional records the authoritative DNS exposes, so
 	// multi-IP deployments aren't silently under-probed. Failures are
diff --git a/checker/definition.go b/checker/definition.go
index 74b1a3f..0aeaffa 100644
--- a/checker/definition.go
+++ b/checker/definition.go
@@ -82,6 +82,12 @@ func (p *httpProvider) Definition() *sdk.CheckerDefinition {
 					AutoFill: sdk.AutoFillService,
 					Hide:     true,
 				},
+				{
+					Id:       OptionDomainName,
+					Label:    "Parent domain name",
+					AutoFill: sdk.AutoFillDomainName,
+					Hide:     true,
+				},
 			},
 		},
 		Rules: Rules(),
diff --git a/checker/provider_test.go b/checker/provider_test.go
index feb9f0c..86a5bf0 100644
--- a/checker/provider_test.go
+++ b/checker/provider_test.go
@@ -227,7 +227,7 @@ func TestAddressesFromServer(t *testing.T) {
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			host, ips := addressesFromServer(c.srv)
+			host, ips := addressesFromServer(c.srv, "")
 			if host != c.wantHost {
 				t.Errorf("host = %q, want %q", host, c.wantHost)
 			}
diff --git a/checker/service.go b/checker/service.go
index f4fbb9c..0ec5c87 100644
--- a/checker/service.go
+++ b/checker/service.go
@@ -9,7 +9,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
-	"strings"
 
 	sdk "git.happydns.org/checker-sdk-go/checker"
 	happydns "git.happydns.org/happyDomain/model"
@@ -36,15 +35,17 @@ func resolveServer(opts sdk.CheckerOptions) (*abstract.Server, error) {
 	return &server, nil
 }
 
-// addressesFromServer returns the (host, ips) tuple to probe.
-func addressesFromServer(server *abstract.Server) (host string, ips []string) {
+// addressesFromServer returns the (host, ips) tuple to probe. origin is
+// the service's parent zone; the A/AAAA Hdr.Name is relative to it as
+// happyDomain encodes service owners, so we must join before using as FQDN.
+func addressesFromServer(server *abstract.Server, origin string) (host string, ips []string) {
 	if server.A != nil && len(server.A.A) > 0 {
-		host = strings.TrimSuffix(server.A.Hdr.Name, ".")
+		host = sdk.JoinRelative(server.A.Hdr.Name, origin)
 		ips = append(ips, server.A.A.String())
 	}
 	if server.AAAA != nil && len(server.AAAA.AAAA) > 0 {
 		if host == "" {
-			host = strings.TrimSuffix(server.AAAA.Hdr.Name, ".")
+			host = sdk.JoinRelative(server.AAAA.Hdr.Name, origin)
 		}
 		ips = append(ips, server.AAAA.AAAA.String())
 	}
diff --git a/checker/types.go b/checker/types.go
index 2c11eac..142c653 100644
--- a/checker/types.go
+++ b/checker/types.go
@@ -24,6 +24,7 @@ const ObservationKeyHTTP = "http"
 
 const (
 	OptionService           = "service"
+	OptionDomainName        = "domain_name"
 	OptionProbeTimeoutMs    = "probeTimeoutMs"
 	OptionMaxRedirects      = "maxRedirects"
 	OptionUserAgent         = "userAgent"

From 4be2bc93436c8b0fe6ab816511a5902e4c5ba0fd Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Thu, 30 Apr 2026 08:57:39 +0700
Subject: [PATCH 2/4] Update rules section

---
 README.md | 42 +++++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index 79ac2ad..ca92a97 100644
--- a/README.md
+++ b/README.md
@@ -9,26 +9,30 @@ Deep TLS / certificate analysis is intentionally **delegated to
 [checker-tls](https://git.happydns.org/checker-tls)** - this checker only
 relies on TLS for transport.
 
-## What it checks
+## Rules
 
-| Rule                              | What it verifies                                                                  |
-| --------------------------------- | --------------------------------------------------------------------------------- |
-| `http.tcp_reachable`              | Port 80 accepts connections on every A/AAAA address.                              |
-| `https.tcp_reachable`             | Port 443 accepts connections on every A/AAAA address.                             |
-| `http.https_redirect`             | Plain HTTP redirects to HTTPS (warning if not).                                   |
-| `http.hsts`                       | `Strict-Transport-Security` is present with a sufficient `max-age`.               |
-| `http.csp`                        | `Content-Security-Policy` is set; flags `'unsafe-inline'` / `'unsafe-eval'`.      |
-| `http.x_frame_options`            | `X-Frame-Options` or CSP `frame-ancestors` provides clickjacking protection.      |
-| `http.x_content_type_options`     | `X-Content-Type-Options: nosniff` is set.                                         |
-| `http.x_xss_protection`           | Reports the legacy `X-XSS-Protection` header (recommendation: disable).           |
-| `http.referrer_policy`            | `Referrer-Policy` is set to a privacy-preserving value (W3C Referrer Policy).     |
-| `http.permissions_policy`         | `Permissions-Policy` is set (W3C Permissions Policy, replaces Feature-Policy).    |
-| `http.coop`                       | `Cross-Origin-Opener-Policy` isolates the document from cross-origin windows.     |
-| `http.coep`                       | `Cross-Origin-Embedder-Policy` requires CORP/CORS opt-in for embedded resources.  |
-| `http.corp`                       | `Cross-Origin-Resource-Policy` restricts cross-origin embedding of responses.     |
-| `http.cookie_flags`               | Every Set-Cookie has `Secure`, `HttpOnly`, and a `SameSite` attribute.            |
-| `http.sri`                        | Cross-origin `<script>`/`<link>` tags carry `integrity=` (Subresource Integrity). |
-| `http.security_txt`               | `/.well-known/security.txt` is published (RFC 9116).                              |
+| Code                          | Description                                                                                                       | Severity            |
+|-------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
+| `http.tcp_reachable`          | Verifies that every probed IP accepts an HTTP connection on the standard port.                                    | CRITICAL            |
+| `https.tcp_reachable`         | Verifies that every probed IP accepts an HTTPS connection on the standard port.                                   | CRITICAL            |
+| `http.https_redirect`         | Plain HTTP responses must redirect to an HTTPS URL on the same host.                                              | WARNING             |
+| `http.redirect_chain`         | Inspects the redirect chain (RFC 9110 §15.4) for loops, excessive length, and scheme downgrades.                  | WARNING             |
+| `http.redirect_permanence`    | HTTP→HTTPS upgrade should use 301 or 308 (permanent) rather than 302/307 (temporary).                             | WARNING             |
+| `http.hsts`                   | Verifies the presence and quality of the Strict-Transport-Security header on HTTPS responses.                     | WARNING             |
+| `http.csp`                    | Verifies the presence and quality of the Content-Security-Policy header on HTTPS responses.                       | WARNING             |
+| `http.x_frame_options`        | Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive.                                   | WARNING             |
+| `http.x_content_type_options` | Verifies that responses set X-Content-Type-Options: nosniff.                                                      | WARNING             |
+| `http.x_xss_protection`       | Reports the value of the legacy X-XSS-Protection header (disabled is preferred; CSP is the proper replacement).   | INFO                |
+| `http.referrer_policy`        | Verifies that responses set a Referrer-Policy header with a privacy-preserving value.                             | WARNING             |
+| `http.permissions_policy`     | Verifies that the Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation, …).         | WARNING             |
+| `http.coop`                   | Verifies the Cross-Origin-Opener-Policy (COOP) header for cross-origin process isolation.                         | WARNING             |
+| `http.coep`                   | Verifies the Cross-Origin-Embedder-Policy (COEP) header, required (with COOP) to enable cross-origin isolation.   | WARNING             |
+| `http.corp`                   | Verifies the Cross-Origin-Resource-Policy (CORP) header restricts cross-origin/cross-site embedding of responses. | WARNING             |
+| `http.cookie_flags`           | Verifies that cookies set over HTTPS use the Secure, HttpOnly and SameSite attributes.                            | WARNING             |
+| `http.cookie_prefixes`        | Verifies cookies using the __Secure- / __Host- name prefixes meet the RFC 6265bis constraints.                    | WARNING             |
+| `http.cookie_size`            | Flags cookies whose Set-Cookie line exceeds the 4096-byte minimum browsers must support (RFC 6265 §6.1).          | WARNING             |
+| `http.sri`                    | Reports cross-origin script and stylesheet tags that are missing Subresource Integrity (integrity=) attributes.   | WARNING             |
+| `http.security_txt`           | Reports whether /.well-known/security.txt (RFC 9116) is published.                                                | WARNING             |
 
 ## Options
 

From 0f6c82f3cb4d3fca4c4006a119c2e5bfa03c7482 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Sun, 10 May 2026 19:02:52 +0800
Subject: [PATCH 3/4] Add CI/CD pipeline

---
 .drone-manifest.yml |  22 ++++++
 .drone.yml          | 187 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 209 insertions(+)
 create mode 100644 .drone-manifest.yml
 create mode 100644 .drone.yml

diff --git a/.drone-manifest.yml b/.drone-manifest.yml
new file mode 100644
index 0000000..3414963
--- /dev/null
+++ b/.drone-manifest.yml
@@ -0,0 +1,22 @@
+image: happydomain/checker-http:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
+{{#if build.tags}}
+tags:
+{{#each build.tags}}
+  - {{this}}
+{{/each}}
+{{/if}}
+manifests:
+  - image: happydomain/checker-http:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64
+    platform:
+      architecture: amd64
+      os: linux
+  - image: happydomain/checker-http:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64
+    platform:
+      architecture: arm64
+      os: linux
+      variant: v8
+  - image: happydomain/checker-http:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm
+    platform:
+      architecture: arm
+      os: linux
+      variant: v7
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..6b02e29
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,187 @@
+---
+kind: pipeline
+type: docker
+name: build-amd64
+
+platform:
+  os: linux
+  arch: amd64
+
+steps:
+  - name: checker build
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: checker build tag
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_SEMVER}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        - tag
+
+  - name: publish on Docker Hub
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-http
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: publish on Docker Hub (tag)
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-http
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_SEMVER}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        - tag
+
+trigger:
+  branch:
+    exclude:
+      - renovate/*
+  event:
+    - cron
+    - push
+    - tag
+
+---
+kind: pipeline
+type: docker
+name: build-arm64
+
+platform:
+  os: linux
+  arch: arm64
+
+steps:
+  - name: checker build
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: checker build tag
+    image: golang:1-alpine
+    commands:
+      - apk add --no-cache git make
+      - make
+    environment:
+      CHECKER_VERSION: "${DRONE_SEMVER}"
+      CGO_ENABLED: 0
+    when:
+      event:
+        - tag
+
+  - name: publish on Docker Hub
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-http
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        exclude:
+          - tag
+
+  - name: publish on Docker Hub (tag)
+    image: plugins/docker
+    settings:
+      repo: happydomain/checker-http
+      auto_tag: true
+      auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH}
+      dockerfile: Dockerfile
+      build_args:
+        - CHECKER_VERSION=${DRONE_SEMVER}
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+    when:
+      event:
+        - tag
+
+trigger:
+  event:
+    - cron
+    - push
+    - tag
+
+---
+kind: pipeline
+name: docker-manifest
+
+platform:
+  os: linux
+  arch: arm64
+
+steps:
+  - name: publish on Docker Hub
+    image: plugins/manifest
+    settings:
+      auto_tag: true
+      ignore_missing: true
+      spec: .drone-manifest.yml
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+
+trigger:
+  branch:
+    exclude:
+      - renovate/*
+  event:
+    - cron
+    - push
+    - tag
+
+depends_on:
+  - build-amd64
+  - build-arm64

From 4cae94153f13b3222cdf51b617c21003d5715a89 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Sun, 10 May 2026 19:38:04 +0800
Subject: [PATCH 4/4] Update go mod

---
 go.mod | 36 ++++++++++++++---------------
 go.sum | 73 +++++++++++++++++++++++++++++-----------------------------
 2 files changed, 54 insertions(+), 55 deletions(-)

diff --git a/go.mod b/go.mod
index d1764f2..b404e30 100644
--- a/go.mod
+++ b/go.mod
@@ -3,43 +3,43 @@ module git.happydns.org/checker-http
 go 1.25.0
 
 require (
-	git.happydns.org/checker-sdk-go v1.5.0
+	git.happydns.org/checker-sdk-go v1.7.0
 	git.happydns.org/happyDomain v0.7.0
 	github.com/miekg/dns v1.1.72
-	golang.org/x/net v0.51.0
+	golang.org/x/net v0.54.0
 )
 
 require (
-	github.com/bytedance/gopkg v0.1.3 // indirect
-	github.com/bytedance/sonic v1.15.0 // indirect
-	github.com/bytedance/sonic/loader v0.5.0 // indirect
-	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/bytedance/gopkg v0.1.4 // indirect
+	github.com/bytedance/sonic v1.15.1 // indirect
+	github.com/bytedance/sonic/loader v0.5.1 // indirect
+	github.com/cloudwego/base64x v0.1.7 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
-	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/gin-contrib/sse v1.1.1 // indirect
 	github.com/gin-gonic/gin v1.12.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.30.1 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/go-playground/validator/v10 v10.30.2 // indirect
+	github.com/goccy/go-json v0.10.6 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pelletier/go-toml/v2 v2.3.1 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
-	go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect
-	golang.org/x/arch v0.24.0 // indirect
-	golang.org/x/crypto v0.49.0 // indirect
-	golang.org/x/mod v0.33.0 // indirect
+	go.mongodb.org/mongo-driver/v2 v2.6.0 // indirect
+	golang.org/x/arch v0.27.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/mod v0.36.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/tools v0.45.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 )
diff --git a/go.sum b/go.sum
index 6950eaa..20dcede 100644
--- a/go.sum
+++ b/go.sum
@@ -1,23 +1,23 @@
-git.happydns.org/checker-sdk-go v1.5.0 h1:5uD5Cm6xJ+lwnhbJ09iCXGHbYS9zRh+Yh0NeBHkAPBY=
-git.happydns.org/checker-sdk-go v1.5.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
+git.happydns.org/checker-sdk-go v1.7.0 h1:dSgo2js5mfXluLc6x0WWZ0MQULd9XV2GI9z0Usk+Qgw=
+git.happydns.org/checker-sdk-go v1.7.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
 git.happydns.org/happyDomain v0.7.0 h1:NV82/NbcSeRm0+IUZqaK3Vu9Ovl5+vv4AigUJZMdwws=
 git.happydns.org/happyDomain v0.7.0/go.mod h1:5tgkmqFE65kK359rY49V++49wgZ0gco+Gh9X6tbL+bY=
-github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
-github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
-github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE=
-github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k=
-github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE=
-github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
-github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
-github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/bytedance/gopkg v0.1.4 h1:oZnQwnX82KAIWb7033bEwtxvTqXcYMxDBaQxo5JJHWM=
+github.com/bytedance/gopkg v0.1.4/go.mod h1:v1zWfPm21Fb+OsyXN2VAHdL6TBb2L88anLQgdyje6R4=
+github.com/bytedance/sonic v1.15.1 h1:nJD5PmM0vY7J8CT6MxoqbVAAMhkSmV2HgRAUrrpLoOw=
+github.com/bytedance/sonic v1.15.1/go.mod h1:mT2NbXunuaEbnZ+mRIX/vYqKISmgEuHFDI4UzmKx2SA=
+github.com/bytedance/sonic/loader v0.5.1 h1:Ygpfa9zwRCCKSlrp5bBP/b/Xzc3VxsAW+5NIYXrOOpI=
+github.com/bytedance/sonic/loader v0.5.1/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/cloudwego/base64x v0.1.7 h1:NppS+Fgzg5ovhn4NkUXaDT3x9jldgH5ToMCqzBSi2zI=
+github.com/cloudwego/base64x v0.1.7/go.mod h1:Cu1PV9zfrSf7ET2tIbWbbEy7jO7HHJ13q4X2SQ8aWYg=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
 github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
-github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
-github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
+github.com/gin-contrib/sse v1.1.1 h1:uGYpNwTacv5R68bSGMapo62iLTRa9l5zxGCps4hK6ko=
+github.com/gin-contrib/sse v1.1.1/go.mod h1:QXzuVkA0YO7o/gun03UI1Q+FTI8ZV/n5t03kIQAI89s=
 github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8=
 github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
@@ -26,10 +26,10 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
-github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
-github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
-github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/go-playground/validator/v10 v10.30.2 h1:JiFIMtSSHb2/XBUbWM4i/MpeQm9ZK2xqPNk8vgvu5JQ=
+github.com/go-playground/validator/v10 v10.30.2/go.mod h1:mAf2pIOVXjTEBrwUMGKkCWKKPs9NheYGabeB04txQSc=
+github.com/goccy/go-json v0.10.6 h1:p8HrPJzOakx/mn/bQtjgNjdTcN+/S6FcG2CTtQOrHVU=
+github.com/goccy/go-json v0.10.6/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -41,8 +41,8 @@ github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzh
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/miekg/dns v1.1.72 h1:vhmr+TF2A3tuoGNkLDFK9zi36F2LS+hKTRW0Uf8kbzI=
 github.com/miekg/dns v1.1.72/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -50,8 +50,8 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pelletier/go-toml/v2 v2.3.1 h1:MYEvvGnQjeNkRF1qUuGolNtNExTDwct51yp7olPtrEc=
+github.com/pelletier/go-toml/v2 v2.3.1/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -73,27 +73,26 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
 github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE=
-go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
+go.mongodb.org/mongo-driver/v2 v2.6.0 h1:b9sJOYrkmt4l8bY43ZenFBcPlhYIjaOfYHLtbB/5qi8=
+go.mongodb.org/mongo-driver/v2 v2.6.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
-golang.org/x/arch v0.24.0 h1:qlJ3M9upxvFfwRM51tTg3Yl+8CP9vCC1E7vlFpgv99Y=
-golang.org/x/arch v0.24.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
-golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/arch v0.27.0 h1:0WNVcR8u9yFz8j5FvdHpgwNp3FS5U4guYdzHwEiGjoU=
+golang.org/x/arch v0.27.0/go.mod h1:0X+GdSIP+kL5wPmpK7sdkEVTt2XoYP0cSjQSbZBwOi8=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=