Merge branch 'main' into dev

refactor(state): replace Entrypoint method with ShortLinkMatcher interface
- Cleaned up agent go.mod by removing unused indirect dependencies.
2026-01-12 05:20:33 +01:00 · 2026-01-04 12:43:18 +08:00 · 2026-01-04 12:43:05 +08:00 · 2026-01-04 12:28:32 +08:00 · 2026-01-04 00:37:26 +08:00 · 2026-01-03 20:06:31 +08:00
648 changed files with 53266 additions and 19335 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,24 +1,35 @@
+# docker image tag (latest, nightly)
+TAG=latest
+
 # set timezone to get correct log timestamp
 TZ=ETC/UTC

+# container uid and gid (must match the owner of mounted directories)
+GODOXY_UID=1000
+GODOXY_GID=1000
+
+# Set GODOXY_API_JWT_SECURE=false to allow http
+GODOXY_API_JWT_SECURE=true
+# API JWT Configuration (common)
+# generate secret with `openssl rand -base64 32`
+GODOXY_API_JWT_SECRET=
+# the JWT token time-to-live
+# leave empty to use default (24 hours)
+# format: https://pkg.go.dev/time#Duration
+GODOXY_API_JWT_TOKEN_TTL=
+
 # API/WebUI user password login credentials (optional)
 # These fields are not required for OIDC authentication
 GODOXY_API_USER=admin
 GODOXY_API_PASSWORD=password
-# generate secret with `openssl rand -base64 32`
-GODOXY_API_JWT_SECRET=
-# the JWT token time-to-live
-GODOXY_API_JWT_TOKEN_TTL=1h

 # OIDC Configuration (optional)
 # Uncomment and configure these values to enable OIDC authentication.
+#
 # GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
 # GODOXY_OIDC_CLIENT_ID=your-client-id
 # GODOXY_OIDC_CLIENT_SECRET=your-client-secret
-# Keep /api/auth/callback as the redirect URL, change the domain to match your setup.
-# GODOXY_OIDC_REDIRECT_URL=https://your-domain/api/auth/callback
-# Comma-separated list of scopes
-# GODOXY_OIDC_SCOPES=openid, profile, email
+# GODOXY_OIDC_SCOPES=openid, profile, email, groups # you may also include `offline_access` if your Idp supports it (e.g. Authentik, Pocket ID)
 #
 # User definitions: Uncomment and configure these values to restrict access to specific users or groups.
 # These two fields act as a logical AND operator. For example, given the following membership:
@@ -39,11 +50,26 @@ GODOXY_API_JWT_TOKEN_TTL=1h
 GODOXY_HTTP_ADDR=:80
 GODOXY_HTTPS_ADDR=:443

+# Enable HTTP3
+GODOXY_HTTP3_ENABLED=true
+
 # API listening address
 GODOXY_API_ADDR=127.0.0.1:8888

-# Prometheus Metrics
-GODOXY_PROMETHEUS_ENABLED=true
+# Metrics
+GODOXY_METRICS_DISABLE_CPU=false
+GODOXY_METRICS_DISABLE_MEMORY=false
+GODOXY_METRICS_DISABLE_DISK=false
+GODOXY_METRICS_DISABLE_NETWORK=false
+GODOXY_METRICS_DISABLE_SENSORS=false
+
+# Frontend aliases (subdomains / FQDNs, e.g. godoxy, godoxy.domain.com)
+GODOXY_FRONTEND_ALIASES=godoxy
+
+# Docker socket
+# /var/run/podman/podman.sock for podman
+DOCKER_SOCKET=/var/run/docker.sock
+SOCKET_PROXY_LISTEN_ADDR=127.0.0.1:2375

 # Debug mode
 GODOXY_DEBUG=false
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,15 @@
+# These are supported funding model platforms
+
+github: yusing # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+polar: # Replace with a single Polar username
+buy_me_a_coffee: yusingwysq # Replace with a single Buy Me a Coffee username
+thanks_dev: # Replace with a single thanks.dev username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
--- a/.github/workflows/agent-binary.yml
+++ b/.github/workflows/agent-binary.yml
@@ -0,0 +1,50 @@
+name: GoDoxy agent binary
+
+on:
+  push:
+    tags:
+      - v*
+    paths:
+      - "agent/**"
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            platform: linux/amd64
+            binary_name: godoxy-agent-linux-amd64
+          - runner: ubuntu-24.04-arm
+            platform: linux/arm64
+            binary_name: godoxy-agent-linux-arm64
+    name: Build ${{ matrix.platform }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Verify dependencies
+        run: go mod verify
+      - name: Build
+        run: |
+          make agent=1 NAME=${{ matrix.binary_name }} build
+      - name: Check binary
+        run: |
+          file bin/${{ matrix.binary_name }}
+      - name: Upload
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.binary_name }}
+          path: bin/${{ matrix.binary_name }}
+      - name: Upload to release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: bin/${{ matrix.binary_name }}
--- a/.github/workflows/docker-image-nightly.yml
+++ b/.github/workflows/docker-image-nightly.yml
@@ -0,0 +1,24 @@
+name: Docker Image CI (nightly)
+
+on:
+  push:
+    branches:
+      - "*" # matches every branch that doesn't contain a '/'
+      - "*/*" # matches every branch containing a single '/'
+      - "**" # matches every branch
+      - "!dependabot/*"
+      - "!main" # excludes main
+
+jobs:
+  build-nightly:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/godoxy
+      tag: nightly
+      target: main
+  build-nightly-agent:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/godoxy-agent
+      tag: nightly
+      target: agent
--- a/.github/workflows/docker-image-prod.yml
+++ b/.github/workflows/docker-image-prod.yml
@@ -0,0 +1,20 @@
+name: Docker Image CI
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  build-prod:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/godoxy
+      tag: latest
+      target: main
+  build-prod-agent:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/godoxy-agent
+      tag: latest
+      target: agent
--- a/.github/workflows/docker-image-socket-proxy.yml
+++ b/.github/workflows/docker-image-socket-proxy.yml
@@ -0,0 +1,22 @@
+name: Docker Image CI (socket-proxy)
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "socket-proxy/**"
+      - "socket-proxy.Dockerfile"
+      - ".github/workflows/docker-image-socket-proxy.yml"
+    tags-ignore:
+      - "**"
+  workflow_dispatch:
+
+jobs:
+  build:
+    uses: ./.github/workflows/docker-image.yml
+    with:
+      image_name: ${{ github.repository_owner }}/socket-proxy
+      tag: latest
+      target: socket-proxy
+      dockerfile: socket-proxy.Dockerfile
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,128 +1,158 @@
 name: Docker Image CI

 on:
-    push:
-        tags: ["*"]
+  workflow_call:
+    inputs:
+      tag:
+        required: true
+        type: string
+      image_name:
+        required: true
+        type: string
+      target:
+        required: true
+        type: string
+      dockerfile:
+        required: false
+        type: string
+        default: Dockerfile

 env:
-    REGISTRY: ghcr.io
-    IMAGE_NAME: ${{ github.repository }}
+  REGISTRY: ghcr.io
+  MAKE_ARGS: ${{ inputs.target }}=1
+  DIGEST_PATH: /tmp/digests/${{ inputs.target }}
+  DIGEST_NAME_SUFFIX: ${{ inputs.target }}
+  DOCKERFILE: ${{ inputs.dockerfile }}

 jobs:
-    build:
-        name: Build multi-platform Docker image
-        runs-on: ubuntu-22.04
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            platform: linux/amd64
+          - runner: ubuntu-24.04-arm
+            platform: linux/arm64

-        permissions:
-            contents: read
-            packages: write
-            id-token: write
-            attestations: write
+    name: Build ${{ matrix.platform }}
+    runs-on: ${{ matrix.runner }}

-        strategy:
-            fail-fast: false
-            matrix:
-                platform:
-                    - linux/amd64
-                    # - linux/arm/v6
-                    # - linux/arm/v7
-                    - linux/arm64
-        steps:
-            - name: Prepare
-              run: |
-                  platform=${{ matrix.platform }}
-                  echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write

-            - name: Docker meta
-              id: meta
-              uses: docker/metadata-action@v5
-              with:
-                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+    steps:
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

-            - name: Set up QEMU
-              uses: docker/setup-qemu-action@v3
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
+          tags: |
+            type=raw,value=${{ inputs.tag }},event=branch
+            type=ref,event=tag

-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          platforms: ${{ matrix.platform }}

-            - name: Login to registry
-              uses: docker/login-action@v3
-              with:
-                  registry: ${{ env.REGISTRY }}
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}

-            - name: Build and push by digest
-              id: build
-              uses: docker/build-push-action@v6
-              with:
-                  platforms: ${{ matrix.platform }}
-                  labels: ${{ steps.meta.outputs.labels }}
-                  outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
-                  cache-from: type=gha
-                  cache-to: type=gha,mode=max
-                  build-args: |
-                      VERSION=${{ github.ref_name }}
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          file: ${{ env.DOCKERFILE }}
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ inputs.image_name }},push-by-digest=true,name-canonical=true,push=true
+          cache-from: |
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }}
+          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }}
+          cache-to: |
+            type=registry,ref=${{ env.REGISTRY }}/${{ inputs.image_name }}:buildcache-${{ env.PLATFORM_PAIR }},mode=max
+          # type=gha,scope=${{ github.workflow }}-${{ env.PLATFORM_PAIR }},mode=max
+          build-args: |
+            VERSION=${{ github.ref_name }}
+            MAKE_ARGS=${{ env.MAKE_ARGS }}

-            - name: Generate artifact attestation
-              uses: actions/attest-build-provenance@v1
-              with:
-                  subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
-                  subject-digest: ${{ steps.build.outputs.digest }}
-                  push-to-registry: true
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ inputs.image_name }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true

-            - name: Export digest
-              run: |
-                  mkdir -p /tmp/digests
-                  digest="${{ steps.build.outputs.digest }}"
-                  touch "/tmp/digests/${digest#sha256:}"
+      - name: Export digest
+        run: |
+          mkdir -p ${{ env.DIGEST_PATH }}
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ env.DIGEST_PATH }}/${digest#sha256:}"

-            - name: Upload digest
-              uses: actions/upload-artifact@v4
-              with:
-                  name: digests-${{ env.PLATFORM_PAIR }}
-                  path: /tmp/digests/*
-                  if-no-files-found: error
-                  retention-days: 1
-    merge:
-        runs-on: ubuntu-22.04
-        needs:
-            - build
-        permissions:
-            contents: read
-            packages: write
-            id-token: write
-        steps:
-            - name: Download digests
-              uses: actions/download-artifact@v4
-              with:
-                  path: /tmp/digests
-                  pattern: digests-*
-                  merge-multiple: true
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}-${{ env.DIGEST_NAME_SUFFIX }}
+          path: ${{ env.DIGEST_PATH }}/*
+          if-no-files-found: error
+          retention-days: 1

-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+  merge:
+    needs: build
+    runs-on: ubuntu-latest

-            - name: Docker meta
-              id: meta
-              uses: docker/metadata-action@v5
-              with:
-                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write

-            - name: Login to registry
-              uses: docker/login-action@v3
-              with:
-                  registry: ${{ env.REGISTRY }}
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.DIGEST_PATH }}
+          pattern: digests-*-${{ env.DIGEST_NAME_SUFFIX }}
+          merge-multiple: true

-            - name: Create manifest list and push
-              id: push
-              working-directory: /tmp/digests
-              run: |
-                  docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-                    $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3

-            - name: Inspect image
-              run: |
-                  docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ inputs.image_name }}
+          tags: |
+            type=raw,value=${{ inputs.tag }},event=branch
+            type=ref,event=tag
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create manifest list and push
+        id: push
+        working-directory: ${{ env.DIGEST_PATH }}
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.REGISTRY }}/${{ inputs.image_name }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
--- a/.github/workflows/merge-main-into-compat.yml
+++ b/.github/workflows/merge-main-into-compat.yml
@@ -0,0 +1,39 @@
+name: Cherry-pick into Compat
+
+on:
+  push:
+    tags:
+      - v*
+    paths:
+      - ".github/workflows/merge-main-into-compat.yml"
+
+jobs:
+  cherry-pick:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Configure git user
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+      - name: Cherry-pick commits from last tag
+        run: |
+          git fetch origin compat
+          git checkout compat
+          CURRENT_TAG=${{ github.ref_name }}
+          PREV_TAG=$(git describe --tags --abbrev=0 $CURRENT_TAG^ 2>/dev/null || echo "")
+
+          if [ -z "$PREV_TAG" ]; then
+            echo "No previous tag found. Cherry-picking all commits up to $CURRENT_TAG"
+            git rev-list --reverse --no-merges $CURRENT_TAG | xargs -r git cherry-pick
+          else
+            echo "Cherry-picking commits from $PREV_TAG to $CURRENT_TAG"
+            git rev-list --reverse --no-merges $PREV_TAG..$CURRENT_TAG | xargs -r git cherry-pick
+          fi
+      - name: Push compat
+        run: |
+          git push origin compat
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,9 @@ certs*/
 bin/
 error_pages/
 !examples/error_pages/
+profiles/
+data/
+debug/

 logs/
 log/
@@ -26,7 +29,15 @@ todo.md
 .aider*
 mtrace.json
 .env
+*.env
+.cursorrules
+.cursor/
+.windsurfrules
 test.Dockerfile

 node_modules/
-tsconfig.tsbuildinfo
+tsconfig.tsbuildinfo
+
+!agent.compose.yml
+!agent/pkg/**
+dev-data/
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,9 @@
+[submodule "internal/gopsutil"]
+	path = internal/gopsutil
+	url = https://github.com/godoxy-app/gopsutil.git
+[submodule "internal/go-oidc"]
+	path = internal/go-oidc
+	url = https://github.com/godoxy-app/go-oidc.git
+[submodule "goutils"]
+	path = goutils
+	url = https://github.com/yusing/goutils.git
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,137 +1,151 @@
-run:
-  timeout: 10m
-
-linters-settings:
-  govet:
-    enable-all: true
-    disable:
-      - shadow
-      - fieldalignment
-  gocyclo:
-    min-complexity: 14
-  goconst:
-    min-len: 3
-    min-occurrences: 4
-  misspell:
-    locale: US
-  funlen:
-    lines: -1
-    statements: 120
-  forbidigo:
-    forbid:
-      - ^print(ln)?$
-  godox:
-    keywords:
-      - FIXME
-  tagalign:
-    align: false
-    sort: true
-    order:
-      - description
-      - json
-      - toml
-      - yaml
-      - yml
-      - label
-      - label-slice-as-struct
-      - file
-      - kv
-      - export
-  stylecheck:
-    dot-import-whitelist:
-      - github.com/yusing/go-proxy/internal/utils/testing # go tests only
-      - github.com/yusing/go-proxy/internal/api/v1/utils # api only
-  revive:
-    rules:
-      - name: struct-tag
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-        disabled: true
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-        disabled: true
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: empty-block
-      - name: superfluous-else
-      - name: unused-parameter
-        disabled: true
-      - name: unreachable-code
-      - name: redefines-builtin-id
-  gomoddirectives:
-    replace-allow-list:
-      - github.com/abbot/go-http-auth
-      - github.com/gorilla/mux
-      - github.com/mailgun/minheap
-      - github.com/mailgun/multibuf
-      - github.com/jaguilar/vt100
-      - github.com/cucumber/godog
-      - github.com/http-wasm/http-wasm-host-go
-  testifylint:
-    disable:
-      - suite-dont-use-pkg
-      - require-error
-      - go-require
-  staticcheck:
-    checks:
-      - all
-      - -SA1019
-  errcheck:
-    exclude-functions:
-      - fmt.Fprintln
+version: "2"
 linters:
-  enable-all: true
+  default: all
  disable:
-    - execinquery # deprecated
-    - gomnd # deprecated
-    - sqlclosecheck # not relevant (SQL)
-    - rowserrcheck # not relevant (SQL)
-    - cyclop # duplicate of gocyclo
-    - depguard # Not relevant
-    - nakedret # Too strict
-    - lll # Not relevant
-    - gocyclo # FIXME must be fixed
-    - gocognit # Too strict
-    - nestif # Too many false-positive.
-    - prealloc # Too many false-positive.
-    - makezero # Not relevant
-    - dupl # Too strict
-    - gci # I don't care
-    - gosec # Too strict
-    - gochecknoinits
+    # - bodyclose
+    - containedctx
+    # - contextcheck
+    - cyclop
+    - depguard
+    # - dupl
+    - err113
+    - exhaustive
+    - exhaustruct
+    - funcorder
+    - forcetypeassert
    - gochecknoglobals
-    - wsl # Too strict
-    - nlreturn # Not relevant
-    - mnd # Too strict
-    - testpackage # Too strict
-    - tparallel # Not relevant
-    - paralleltest # Not relevant
-    - exhaustive # Not relevant
-    - exhaustruct # Not relevant
-    - err113 # Too strict
-    - wrapcheck # Too strict
-    - noctx # Too strict
-    - bodyclose # too many false-positive
-    - forcetypeassert # Too strict
-    - tagliatelle # Too strict
-    - varnamelen # Not relevant
-    - nilnil # Not relevant
-    - ireturn # Not relevant
-    - contextcheck # too many false-positive
-    - containedctx # too many false-positive
-    - maintidx # kind of duplicate of gocyclo
-    - nonamedreturns # Too strict
-    - gosmopolitan # not relevant
-    - exportloopref # Not relevant since go1.22
+    - gochecknoinits
+    - gocognit
+    - goconst
+    - gocyclo
+    - godot
+    - gomoddirectives
+    - gosmopolitan
+    - ireturn
+    - lll
+    - maintidx
+    - makezero
+    - mnd
+    - nakedret
+    - nestif
+    - nlreturn
+    - nonamedreturns
+    - noinlineerr
+    - paralleltest
+    - revive
+    - rowserrcheck
+    - sqlclosecheck
+    - tagalign
+    - tagliatelle
+    - testpackage
+    - tparallel
+    - varnamelen
+    - wrapcheck
+    - wsl
+    - wsl_v5
+  settings:
+    errcheck:
+      exclude-functions:
+        - fmt.Fprintln
+    forbidigo:
+      forbid:
+        - pattern: ^print(ln)?$
+    funlen:
+      lines: -1
+      statements: 120
+    gocyclo:
+      min-complexity: 14
+    godox:
+      keywords:
+        - FIXME
+    gomoddirectives:
+      replace-allow-list:
+        - github.com/abbot/go-http-auth
+        - github.com/gorilla/mux
+        - github.com/mailgun/minheap
+        - github.com/mailgun/multibuf
+        - github.com/jaguilar/vt100
+        - github.com/cucumber/godog
+        - github.com/http-wasm/http-wasm-host-go
+    govet:
+      disable:
+        - shadow
+      enable-all: true
+    misspell:
+      locale: US
+    revive:
+      rules:
+        - name: struct-tag
+        - name: blank-imports
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: exported
+          disabled: true
+        - name: if-return
+        - name: increment-decrement
+        - name: var-naming
+        - name: var-declaration
+        - name: package-comments
+          disabled: true
+        - name: range
+        - name: receiver-naming
+        - name: time-naming
+        - name: unexported-return
+        - name: indent-error-flow
+        - name: errorf
+        - name: empty-block
+        - name: superfluous-else
+        - name: unused-parameter
+          disabled: true
+        - name: unreachable-code
+        - name: redefines-builtin-id
+    staticcheck:
+      checks:
+        - all
+        - -SA1019
+      dot-import-whitelist:
+        - github.com/yusing/godoxy/internal/utils/testing
+    tagalign:
+      align: false
+      sort: true
+      order:
+        - description
+        - json
+        - toml
+        - yaml
+        - yml
+        - label
+        - label-slice-as-struct
+        - file
+        - kv
+        - export
+    testifylint:
+      disable:
+        - suite-dont-use-pkg
+        - require-error
+        - go-require
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -2,37 +2,37 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.22.8
+  version: 1.25.0
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
  sources:
    - id: trunk
-      ref: v1.6.6
+      ref: v1.7.2
      uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
  enabled:
-    - node@18.20.5
+    - node@22.16.0
    - python@3.10.8
-    - go@1.23.2
+    - go@1.24.3
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
 lint:
  disabled:
    - markdownlint
    - yamllint
  enabled:
-    - hadolint@2.12.1-beta
-    - actionlint@1.7.6
-    - checkov@3.2.352
+    - checkov@3.2.471
+    - golangci-lint2@2.5.0
+    - hadolint@2.14.0
+    - actionlint@1.7.7
    - git-diff-check
    - gofmt@1.20.4
-    - golangci-lint@1.63.4
-    - osv-scanner@1.9.2
-    - oxipng@9.1.3
-    - prettier@3.4.2
-    - shellcheck@0.10.0
+    - osv-scanner@2.2.2
+    - oxipng@9.1.5
+    - prettier@3.6.2
+    - shellcheck@0.11.0
    - shfmt@3.6.0
-    - trufflehog@3.88.2
+    - trufflehog@3.90.8
 actions:
  disabled:
    - trunk-announce
--- a/.vscode/settings.example.json
+++ b/.vscode/settings.example.json
@@ -1,10 +1,10 @@
 {
  "yaml.schemas": {
-    "https://github.com/yusing/go-proxy/raw/v0.9/schemas/config.schema.json": [
+    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/types/godoxy/config.schema.json": [
      "config.example.yml",
      "config.yml"
    ],
-    "https://github.com/yusing/go-proxy/raw/v0.9/schemas/routes.schema.json": [
+    "https://github.com/yusing/godoxy-webui/raw/refs/heads/main/types/godoxy/routes.schema.json": [
      "providers.example.yml"
    ]
  }
--- a/72
+++ b/72
@@ -1,64 +1,70 @@
-# Stage 1: Builder
-FROM golang:1.23.5-alpine AS builder
+# Stage 1: deps
+FROM golang:1.25.5-alpine AS deps
 HEALTHCHECK NONE

 # package version does not matter
 # trunk-ignore(hadolint/DL3018)
 RUN apk add --no-cache tzdata make libcap-setcap

-WORKDIR /src
-
-# Only copy go.mod and go.sum initially for better caching
-COPY go.mod go.sum /src/
-
-# Utilize build cache
-RUN --mount=type=cache,target="/go/pkg/mod" \
-    go mod download -x
-
+ENV GOPATH=/root/go
 ENV GOCACHE=/root/.cache/go-build

-COPY Makefile /src/
-COPY cmd /src/cmd
-COPY internal /src/internal
-COPY pkg /src/pkg
+WORKDIR /src
+
+COPY goutils/go.mod goutils/go.sum ./goutils/
+COPY internal/go-oidc/go.mod internal/go-oidc/go.sum ./internal/go-oidc/
+COPY internal/gopsutil/go.mod internal/gopsutil/go.sum ./internal/gopsutil/
+COPY go.mod go.sum ./
+
+# remove godoxy stuff from go.mod first
+RUN --mount=type=cache,target=/root/.cache/go-build \
+  --mount=type=cache,target=/root/go/pkg/mod \
+  sed -i '/^module github\.com\/yusing\/godoxy/!{/github\.com\/yusing\/godoxy/d}' go.mod && \
+  sed -i '/^module github\.com\/yusing\/goutils/!{/github\.com\/yusing\/goutils/d}' go.mod && \
+  go mod download -x
+
+# Stage 2: builder
+FROM deps AS builder
+
+WORKDIR /src
+
+COPY go.mod go.sum ./
+COPY Makefile ./
+COPY cmd ./cmd
+COPY internal ./internal
+COPY pkg ./pkg
+COPY agent ./agent
+COPY socket-proxy ./socket-proxy
+COPY goutils ./goutils

 ARG VERSION
 ENV VERSION=${VERSION}

-ARG BUILD_FLAGS
-ENV BUILD_FLAGS=${BUILD_FLAGS}
+ARG MAKE_ARGS
+ENV MAKE_ARGS=${MAKE_ARGS}

-RUN --mount=type=cache,target="/go/pkg/mod" \
-    --mount=type=cache,target="/root/.cache/go-build" \
-    make build && \
-    mkdir -p /app/error_pages /app/certs && \
-    mv bin/godoxy /app/godoxy
+RUN --mount=type=cache,target=/root/.cache/go-build \
+  --mount=type=cache,target=/root/go/pkg/mod \
+  make ${MAKE_ARGS} docker=1 build

-# Stage 2: Final image
+# Stage 3: Final image
 FROM scratch

 LABEL maintainer="yusing@6uo.me"
 LABEL proxy.exclude=1
+LABEL proxy.#1.healthcheck.disable=true

 # copy timezone data
 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

 # copy binary
-COPY --from=builder /app /app
-
-# copy example config
-COPY config.example.yml /app/config/config.yml
+COPY --from=builder /app/run /app/run

 # copy certs
 COPY --from=builder /etc/ssl/certs /etc/ssl/certs

 ENV DOCKER_HOST=unix:///var/run/docker.sock
-ENV GODOXY_DEBUG=0
-
-EXPOSE 80
-EXPOSE 8888
-EXPOSE 443

 WORKDIR /app

-CMD ["/app/godoxy"]
+CMD ["/app/run"]
--- a/11
+++ b/11
@@ -0,0 +1,11 @@
+node {
+  stage('SCM') {
+    checkout scm
+  }
+  stage('SonarQube Analysis') {
+    def scannerHome = tool 'SonarScanner';
+    withSonarQubeEnv() {
+      sh "${scannerHome}/bin/sonar-scanner"
+    }
+  }
+}
--- a/26
+++ b/26
@@ -1,6 +1,6 @@
 MIT License

-Copyright (c) 2024 [fullname]
+Copyright (c) 2024 - present Yusing

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -19,3 +19,27 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
+
+---
+
+internal/net/gphttp/reverseproxy/reverse_proxy_mod.go is copied from et/http/httputil/reverseproxy.go with modifications to adapt to this project.
+
+Copyright 2011 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+---
+
+internal/utils/io.go has a modified version of io.Copy with context and HTTP flusher handling.
+
+Copyright 2009 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
+
+---
+
+internal/utils/strutils/split_join.go is copied from strings.Split and strings.Join with modifications to adapt to this project.
+
+Copyright 2009 The Go Authors. All rights reserved.
+Use of this source code is governed by a BSD-style
+license that can be found in the LICENSE file.
--- a/209
+++ b/209
@@ -1,60 +1,142 @@
+shell := /bin/sh
 export VERSION ?= $(shell git describe --tags --abbrev=0)
 export BUILD_DATE ?= $(shell date -u +'%Y%m%d-%H%M')
 export GOOS = linux

-LDFLAGS = -X github.com/yusing/go-proxy/pkg.version=${VERSION}
+WEBUI_DIR ?= ../godoxy-webui
+DOCS_DIR ?= ${WEBUI_DIR}/wiki

-ifeq ($(trace), 1)
-	GODOXY_TRACE ?= 1
+GO_TAGS = sonic
+LDFLAGS = -X github.com/yusing/goutils/version.version=${VERSION} -checklinkname=0
+
+ifeq ($(agent), 1)
+	NAME = godoxy-agent
+	PWD = ${shell pwd}/agent
+else ifeq ($(socket-proxy), 1)
+	NAME = godoxy-socket-proxy
+	PWD = ${shell pwd}/socket-proxy
+else
+	NAME = godoxy
+	PWD = ${shell pwd}
 endif

-ifeq ($(debug), 1)
-	CGO_ENABLED = 0
-	GODOXY_DEBUG = 1
-  BUILD_FLAGS = -tags production
-else ifeq ($(pprof), 1)
-	CGO_ENABLED = 1
+ifeq ($(trace), 1)
+	debug = 1
+	GODOXY_TRACE ?= 1
 	GODEBUG = gctrace=1 inittrace=1 schedtrace=3000
-	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/
-	BUILD_FLAGS = -race -gcflags=all='-N -l' -tags pprof
-	DOCKER_TAG = pprof
-	VERSION += -pprof
+endif
+
+ifeq ($(race), 1)
+	CGO_ENABLED = 1
+	GODOXY_DEBUG = 1
+	GO_TAGS += debug
+	BUILD_FLAGS += -race
+else ifeq ($(debug), 1)
+	CGO_ENABLED = 1
+	GODOXY_DEBUG = 1
+	GO_TAGS += debug
+	# FIXME: BUILD_FLAGS += -asan -gcflags=all='-N -l'
+else ifeq ($(pprof), 1)
+	CGO_ENABLED = 0
+	GORACE = log_path=logs/pprof strip_path_prefix=$(shell pwd)/ halt_on_error=1
+	GO_TAGS += pprof
+	VERSION := ${VERSION}-pprof
 else
 	CGO_ENABLED = 0
 	LDFLAGS += -s -w
-  BUILD_FLAGS = -pgo=auto -tags production
-	DOCKER_TAG = latest
+	GO_TAGS += production
+	BUILD_FLAGS += -pgo=auto
 endif

-BUILD_FLAGS += -ldflags='$(LDFLAGS)'
+BUILD_FLAGS += -tags '$(GO_TAGS)' -ldflags='$(LDFLAGS)'
+BIN_PATH := $(shell pwd)/bin/${NAME}

+export NAME
 export CGO_ENABLED
 export GODOXY_DEBUG
 export GODOXY_TRACE
 export GODEBUG
 export GORACE
 export BUILD_FLAGS
-export DOCKER_TAG
+
+ifeq ($(shell id -u), 0)
+	SETCAP_CMD = setcap
+else
+	SETCAP_CMD = sudo setcap
+endif
+
+
+# CAP_NET_BIND_SERVICE: permission for binding to :80 and :443
+POST_BUILD = $(SETCAP_CMD) CAP_NET_BIND_SERVICE=+ep ${BIN_PATH};
+ifeq ($(docker), 1)
+	POST_BUILD += mkdir -p /app && mv ${BIN_PATH} /app/run;
+endif
+
+.PHONY: debug

 test:
-	GODOXY_TEST=1 go test ./internal/...
+	go test -v -race ./internal/...

-get:
-	go get -u ./cmd && go mod tidy
+docker-build-test:
+	docker build -t godoxy .
+	docker build --build-arg=MAKE_ARGS=agent=1 -t godoxy-agent .
+	docker build --build-arg=MAKE_ARGS=socket-proxy=1 -t godoxy-socket-proxy .
+
+go_ver := $(shell go version | cut -d' ' -f3 | cut -d'o' -f2)
+files := $(shell find . -name go.mod -type f -or -name Dockerfile -type f)
+gomod_paths := $(shell find . -name go.mod -type f | xargs dirname)
+
+update-go:
+	for file in ${files}; do \
+		echo "updating $$file"; \
+		sed -i 's|go \([0-9]\+\.[0-9]\+\.[0-9]\+\)|go ${go_ver}|g' $$file; \
+		sed -i 's|FROM golang:.*-alpine|FROM golang:${go_ver}-alpine|g' $$file; \
+	done
+	for path in ${gomod_paths}; do \
+		echo "go mod tidy $$path"; \
+		cd ${PWD}/$$path && go mod tidy; \
+	done
+
+update-deps:
+	for path in ${gomod_paths}; do \
+		echo "go get -u $$path"; \
+		cd ${PWD}/$$path && go get -u ./... && go mod tidy; \
+	done
+
+mod-tidy:
+	for path in ${gomod_paths}; do \
+		echo "go mod tidy $$path"; \
+		cd ${PWD}/$$path && go mod tidy; \
+	done

 build:
-	mkdir -p bin
-	go build ${BUILD_FLAGS} -o bin/godoxy ./cmd
-	if [ $(shell id -u) -eq 0 ]; \
-		then setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy; \
-		else sudo setcap CAP_NET_BIND_SERVICE=+eip bin/godoxy; \
-	fi
+	mkdir -p $(shell dirname ${BIN_PATH})
+	go build -C ${PWD} ${BUILD_FLAGS} -o ${BIN_PATH} ./cmd
+	${POST_BUILD}

 run:
-	[ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd
+	cd ${PWD} && [ -f .env ] && godotenv -f .env go run ${BUILD_FLAGS} ./cmd
+
+dev:
+	docker compose -f dev.compose.yml $(args)
+
+dev-build: build
+	docker compose -f dev.compose.yml up -t 0 -d app --force-recreate
+
+benchmark:
+	@if [ -z "$(TARGET)" ]; then \
+		docker compose -f dev.compose.yml up -d --force-recreate godoxy traefik caddy nginx; \
+	else \
+		docker compose -f dev.compose.yml up -d --force-recreate $(TARGET); \
+	fi
+	sleep 1
+	@./scripts/benchmark.sh
+
+dev-run: build
+	cd dev-data && ${BIN_PATH}

 mtrace:
-	bin/godoxy debug-ls-mtrace > mtrace.json
+	 ${BIN_PATH} debug-ls-mtrace > mtrace.json

 rapid-crash:
 	docker run --restart=always --name test_crash -p 80 debian:bookworm-slim /bin/cat &&\
@@ -69,57 +151,24 @@ ci-test:
 	act -n --artifact-server-path /tmp/artifacts -s GITHUB_TOKEN="$$(gh auth token)"

 cloc:
-	cloc --not-match-f '_test.go$$' cmd internal pkg
-
-push-docker-io:
-	BUILDER=build docker buildx build \
-		--platform linux/arm64,linux/amd64 \
-		-f Dockerfile \
-		-t docker.io/yusing/godoxy-nightly:${DOCKER_TAG} \
-		-t docker.io/yusing/godoxy-nightly:${VERSION}-${BUILD_DATE} \
-		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
-		--build-arg BUILD_FLAGS="${BUILD_FLAGS}" \
-		--push .
-
-build-docker:
-	docker build -t godoxy-nightly \
-		--build-arg VERSION="${VERSION}-nightly-${BUILD_DATE}" \
-		--build-arg BUILD_FLAGS="${BUILD_FLAGS}" \
-		.
-
-# To generate schema
-# comment out this part from typescript-json-schema.js#L884
-#
-#	if (indexType.flags !== ts.TypeFlags.Number && !isIndexedObject) {
-#			throw new Error("Not supported: IndexSignatureDeclaration with index symbol other than a number or a string");
-#	}
-
-gen-schema-single:
-	bun --bun run typescript-json-schema --noExtraProps --required --skipLibCheck --tsNodeRegister=true -o schemas/${OUT} schemas/${IN} ${CLASS}
-	# minify
-	python3 -c "import json; f=open('schemas/${OUT}', 'r'); j=json.load(f); f.close(); f=open('schemas/${OUT}', 'w'); json.dump(j, f, separators=(',', ':'));"
-
-gen-schema:
-	bun --bun tsc
-	make IN=config/config.ts \
-			CLASS=Config \
-			OUT=config.schema.json \
-			gen-schema-single
-	make IN=providers/routes.ts \
-			CLASS=Routes \
-			OUT=routes.schema.json \
-			gen-schema-single
-	make IN=middlewares/middleware_compose.ts \
-			CLASS=MiddlewareCompose \
-			OUT=middleware_compose.schema.json \
-			gen-schema-single
-	make IN=docker.ts \
-			CLASS=DockerRoutes \
-			OUT=docker_routes.schema.json \
-			gen-schema-single
-
-update-schema-generator:
-	pnpm up -g typescript-json-schema
+	scc -w -i go --not-match '_test.go$$'

 push-github:
-	git push origin $(shell git rev-parse --abbrev-ref HEAD)
+	git push origin $(shell git rev-parse --abbrev-ref HEAD)
+
+gen-swagger:
+  # go install github.com/swaggo/swag/cmd/swag@latest
+	swag init --parseDependency --parseInternal --parseFuncBody -g handler.go -d internal/api -o internal/api/v1/docs
+	python3 scripts/fix-swagger-json.py
+	# we don't need this
+	rm internal/api/v1/docs/docs.go
+
+gen-swagger-markdown: gen-swagger
+  # brew tap go-swagger/go-swagger && brew install go-swagger
+	swagger generate markdown -f internal/api/v1/docs/swagger.yaml --skip-validation --output ${DOCS_DIR}/src/API.md
+
+gen-api-types: gen-swagger
+	# --disable-throw-on-error
+	bunx --bun swagger-typescript-api generate --sort-types --generate-union-enums --axios --add-readonly --route-types \
+		 --responses -o ${WEBUI_DIR}/lib -n api.ts -p internal/api/v1/docs/swagger.json
+	bunx --bun prettier --config ${WEBUI_DIR}/.prettierrc --write ${WEBUI_DIR}/lib/api.ts
--- a/README.md
+++ b/README.md
@@ -1,120 +1,183 @@
-# GoDoxy
+<div align="center">
+
+<img src="assets/godoxy.png" width="200">

 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)
+![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
+[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=go-proxy)

-[繁體中文文檔請看此](README_CHT.md)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
+[![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

-A lightweight, easy-to-use, and [performant](https://github.com/yusing/go-proxy/wiki/Benchmarks) reverse proxy with a Web UI and dashboard.
+A lightweight, simple, and performant reverse proxy with WebUI.

-![Screenshot](https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f)
+<h5>
+<a href="https://docs.godoxy.dev">Website</a> | <a href="https://docs.godoxy.dev/Home.html">Wiki</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
+</h5>

-_Join our [Discord](https://discord.gg/umReR62nRd) for help and discussions_
+<h5>EN | <a href="README_CHT.md">中文</a></h5>
+
+<img src="screenshots/webui.jpg" style="max-width: 650">
+
+Have questions? Ask [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)! (Thanks to [@ismesid](https://github.com/arevindh))
+
+</div>

 ## Table of content

 <!-- TOC -->

- [GoDoxy](#godoxy)
-  - [Table of content](#table-of-content)
-  - [Key Features](#key-features)
-  - [Getting Started](#getting-started)
-    - [Prerequisites](#prerequisites)
-    - [Setup](#setup)
-    - [Manual Setup](#manual-setup)
-    - [Folder structrue](#folder-structrue)
-    - [Use JSON Schema in VSCode](#use-json-schema-in-vscode)
-  - [Screenshots](#screenshots)
-    - [idlesleeper](#idlesleeper)
-  - [Build it yourself](#build-it-yourself)
+- [Table of content](#table-of-content)
+- [Running demo](#running-demo)
+- [Key Features](#key-features)
+- [Prerequisites](#prerequisites)
+- [Setup](#setup)
+- [How does GoDoxy work](#how-does-godoxy-work)
+- [Update / Uninstall system agent](#update--uninstall-system-agent)
+- [Screenshots](#screenshots)
+  - [idlesleeper](#idlesleeper)
+  - [Metrics and Logs](#metrics-and-logs)
+- [Manual Setup](#manual-setup)
+  - [Folder structrue](#folder-structrue)
+- [Build it yourself](#build-it-yourself)
+- [Star History](#star-history)
+
+## Running demo
+
+<https://demo.godoxy.dev>
+
+[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)

 ## Key Features

- Easy to use
-  - Effortless configuration
-  - Simple multi-node setup
-  - Error messages is clear and detailed, easy troubleshooting
- Auto SSL cert management (See [Supported DNS-01 Challenge Providers](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers))
- Auto configuration for docker containers
- Auto hot-reload on container state / config file changes
- **idlesleeper**: stop containers on idle, wake it up on traffic _(optional, see [screenshots](#idlesleeper))_
- HTTP(s) reserve proxy
- OpenID Connect support
- [HTTP middleware support](https://github.com/yusing/go-proxy/wiki/Middlewares)
- [Custom error pages support](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
- TCP and UDP port forwarding
- **Web UI with App dashboard and config editor**
- Supports linux/amd64, linux/arm64
- Written in **[Go](https://go.dev)**
+- **Simple**
+  - Effortless configuration with [simple labels](https://docs.godoxy.dev/Docker-labels-and-Route-Files) or WebUI
+  - [Simple multi-node setup](https://docs.godoxy.dev/Configurations#multi-docker-nodes-setup)
+  - Detailed error messages for easy troubleshooting.
+- **ACL**: connection / request level access control
+  - IP/CIDR
+  - Country **(Maxmind account required)**
+  - Timezone **(Maxmind account required)**
+  - **Access logging**
+  - Periodic notification of access summaries for number of allowed and blocked connections
+- **Advanced Automation**
+  - Automatic SSL certificate management with Let's Encrypt ([using DNS-01 Challenge](https://docs.godoxy.dev/DNS-01-Providers))
+  - Auto-configuration for Docker containers
+  - Hot-reloading of configurations and container state changes
+- **Container Runtime Support**
+  - Docker
+  - Podman
+- **Idle-sleep**: stop and wake containers based on traffic _(see [screenshots](#idlesleeper))_
+  - Docker containers
+  - Proxmox LXCs
+- **Traffic Management**
+  - HTTP reserve proxy
+  - TCP/UDP port forwarding
+  - **OpenID Connect support**: SSO and secure your apps easily
+  - **ForwardAuth support**: integrate with any auth provider (e.g. TinyAuth)
+- **Customization**
+  - [HTTP middlewares](https://docs.godoxy.dev/Middlewares)
+  - [Custom error pages support](https://docs.godoxy.dev/Custom-Error-Pages)
+- **Web UI**
+  - App Dashboard
+  - Config Editor
+  - Uptime and System Metrics
+  - Docker Logs Viewer
+- **Cross-Platform support**
+  - Supports **linux/amd64** and **linux/arm64**
+- **Efficient and Performant**
+  - Written in **[Go](https://go.dev)**

-[🔼Back to top](#table-of-content)
+## Prerequisites

-## Getting Started
+Configure Wildcard DNS Record(s) to point to machine running `GoDoxy`, e.g.

-For full documentation, **[See Wiki](https://github.com/yusing/go-proxy/wiki)**
+- A Record: `*.domain.com` -> `10.0.10.1`
+- AAAA Record (if you use IPv6): `*.domain.com` -> `::ffff:a00:a01`

-### Prerequisites
+## Setup

-Setup DNS Records point to machine which runs `GoDoxy`, e.g.
+> [!NOTE]
+> GoDoxy is designed to be running in `host` network mode, do not change it.
+>
+> To change listening ports, modify `.env`.

- A Record: `*.y.z` -> `10.0.10.1`
- AAAA Record: `*.y.z` -> `::ffff:a00:a01`
+1. Prepare a new directory for docker compose and config files.

-### Setup
+2. Run setup script inside the directory, or [set up manually](#manual-setup)

-1.  Pull the latest docker images
+   ```shell
+   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
+   ```

-    ```shell
-    docker pull ghcr.io/yusing/go-proxy:latest
-    ```
+3. Start the docker compose service from generated `compose.yml`:

-2.  Create new directory, `cd` into it, then run setup, or [set up manually](#manual-setup)
+   ```shell
+   docker compose up -d
+   ```

-    ```shell
-    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/godoxy setup
-    ```
+4. You may now do some extra configuration on WebUI `https://godoxy.yourdomain.com`

-3.  _(Optional)_ setup WebUI login (skip if you use OIDC)
+## How does GoDoxy work

-    - set random JWT secret
+1. List all the containers
+2. Read container name, labels and port configurations for each of them
+3. Create a route if applicable (a route is like a "Virtual Host" in NPM)
+4. Watch for container / config changes and update automatically

-      ```shell
-      sed -i "s|API_JWT_SECRET=.*|API_JWT_SECRET=$(openssl rand -base64 32)|g" .env
-      ```
+> [!NOTE]
+> GoDoxy uses the label `proxy.aliases` as the subdomain(s), if unset it defaults to the `container_name` field in docker compose.
+>
+> For example, with the label `proxy.aliases: qbt` you can access your app via `qbt.domain.com`.

-    - change username and password for WebUI authentication
-      ```shell
-      USERNAME=admin
-      PASSWORD=some-password
-      sed -i "s|API_USERNAME=.*|API_USERNAME=${USERNAME}|g" .env
-      sed -i "s|API_PASSWORD=.*|API_PASSWORD=${PASSWORD}|g" .env
-      ```
+## Update / Uninstall system agent

-4.  _(Optional)_ setup `docker-socket-proxy` other docker nodes (see [Multi docker nodes setup](https://github.com/yusing/go-proxy/wiki/Configurations#multi-docker-nodes-setup)) then add them inside `config.yml`
+Update:

-5.  Start the container `docker compose up -d`
+```bash
+bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- update
+```

-6.  You may now do some extra configuration on WebUI `https://gp.y.z`
+Uninstall:

-[🔼Back to top](#table-of-content)
+```bash
+bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- uninstall
+```

-### Manual Setup
+## Screenshots
+
+### idlesleeper
+
+![idlesleeper](screenshots/idlesleeper.webp)
+
+### Metrics and Logs
+
+<div align="center">
+  <table>
+    <tr>
+      <td align="center"><img src="screenshots/routes.jpg" alt="Routes" width="350"/></td>
+      <td align="center"><img src="screenshots/servers.jpg" alt="Servers" width="350"/></td>
+    </tr>
+    <tr>
+      <td align="center"><b>Routes</b></td>
+      <td align="center"><b>Servers</b></td>
+    </tr>
+  </table>
+</div>
+
+## Manual Setup

 1. Make `config` directory then grab `config.example.yml` into `config/config.yml`

-   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/go-proxy/v0.9/config.example.yml -O config/config.yml`
+   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/godoxy/main/config.example.yml -O config/config.yml`

 2. Grab `.env.example` into `.env`

-   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.9/.env.example -O .env`
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/.env.example -O .env`

 3. Grab `compose.example.yml` into `compose.yml`

-   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.9/compose.example.yml -O compose.yml`
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/compose.example.yml -O compose.yml`

 ### Folder structrue

@@ -130,26 +193,16 @@ Setup DNS Records point to machine which runs `GoDoxy`, e.g.
 │   │   ├── middleware2.yml
 │   ├── provider1.yml
 │   └── provider2.yml
+├── data
+│   ├── metrics # metrics data
+│   │   ├── uptime.json
+│   │   └── system_info.json
 └── .env
 ```

-### Use JSON Schema in VSCode
-
-Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscode/settings.json` and modify it to fit your needs
-
-[🔼Back to top](#table-of-content)
-
-## Screenshots
-
-### idlesleeper
-
-![idlesleeper](screenshots/idlesleeper.webp)
-
-[🔼Back to top](#table-of-content)
-
 ## Build it yourself

-1. Clone the repository `git clone https://github.com/yusing/go-proxy --depth=1`
+1. Clone the repository `git clone https://github.com/yusing/godoxy --depth=1`

 2. Install / Upgrade [go (>=1.22)](https://go.dev/doc/install) and `make` if not already

@@ -159,4 +212,8 @@ Copy [`.vscode/settings.example.json`](.vscode/settings.example.json) to `.vscod

 5. build binary with `make build`

+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=yusing/godoxy&type=Date)](https://www.star-history.com/#yusing/godoxy&Date)
+
 [🔼Back to top](#table-of-content)
--- a/README_CHT.md
+++ b/README_CHT.md
@@ -1,121 +1,129 @@
-# GoDoxy
+<div align="center">
+
+<img src="assets/godoxy.png" width="200">

 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
+![GitHub last commit](https://img.shields.io/github/last-commit/yusing/godoxy)
 [![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=ncloc)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yusing_go-proxy&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yusing_go-proxy)
-[![](https://dcbadge.limes.pink/api/server/umReR62nRd)](https://discord.gg/umReR62nRd)

-[English Documentation](README.md)
+![Demo](https://img.shields.io/website?url=https%3A%2F%2Fdemo.godoxy.dev&label=Demo&link=https%3A%2F%2Fdemo.godoxy.dev)
+[![Discord](https://dcbadge.limes.pink/api/server/umReR62nRd?style=flat)](https://discord.gg/umReR62nRd)

-一個輕量級、易於使用且[高效能](https://github.com/yusing/go-proxy/wiki/Benchmarks)的反向代理，具有網頁介面和儀表板。
+輕量、易用、 高效能，且帶有主頁和配置面板的反向代理

-![截圖](screenshots/webui.png)
+<h5>
+<a href="https://docs.godoxy.dev">網站</a> | <a href="https://docs.godoxy.dev/Home.html">文檔</a> | <a href="https://discord.gg/umReR62nRd">Discord</a>
+</h5>

-_加入我們的 [Discord](https://discord.gg/umReR62nRd) 獲取幫助和討論_
+<h5><a href="README.md">EN</a> | 中文</h5>
+
+<img src="https://github.com/user-attachments/assets/4bb371f4-6e4c-425c-89b2-b9e962bdd46f" style="max-width: 650">
+
+有疑問? 問 [ChatGPT](https://chatgpt.com/g/g-6825390374b481919ad482f2e48936a1-godoxy-assistant)！（鳴謝 [@ismesid](https://github.com/arevindh)）
+
+</div>

 ## 目錄

 <!-- TOC -->

- [GoDoxy](#godoxy)
-  - [目錄](#目錄)
-  - [主要特點](#主要特點)
-  - [入門指南](#入門指南)
-    - [前置需求](#前置需求)
-    - [安裝](#安裝)
-    - [手動安裝](#手動安裝)
-    - [資料夾結構](#資料夾結構)
-    - [在 VSCode 中使用 JSON Schema](#在-vscode-中使用-json-schema)
-  - [截圖](#截圖)
-    - [閒置休眠](#閒置休眠)
-  - [自行編譯](#自行編譯)
+- [目錄](#目錄)
+- [運行示例](#運行示例)
+- [主要特點](#主要特點)
+- [前置需求](#前置需求)
+- [安裝](#安裝)
+  - [手動安裝](#手動安裝)
+  - [資料夾結構](#資料夾結構)
+- [更新 / 卸載系統代理 (System Agent)](#更新--卸載系統代理-system-agent)
+- [截圖](#截圖)
+  - [閒置休眠](#閒置休眠)
+  - [監控](#監控)
+- [自行編譯](#自行編譯)
+- [Star History](#star-history)
+
+## 運行示例
+
+<https://demo.godoxy.dev>
+
+[![Deployed on Zeabur](https://zeabur.com/deployed-on-zeabur-dark.svg)](https://zeabur.com/referral?referralCode=yusing&utm_source=yusing&utm_campaign=oss)

 ## 主要特點

- 容易使用
-  - 輕鬆配置
-  - 簡單的多節點設置
-  - 錯誤訊息清晰詳細，易於排除故障
- 自動 SSL 憑證管理（參見 [支援的 DNS-01 驗證提供商](https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers)）
- 自動配置 Docker 容器
- 容器狀態/配置文件變更時自動熱重載
- **閒置休眠**：在閒置時停止容器，有流量時喚醒（_可選，參見[截圖](#閒置休眠)_）
- HTTP(s) 反向代理
- [HTTP 中介軟體支援](https://github.com/yusing/go-proxy/wiki/Middlewares)
- [自訂錯誤頁面支援](https://github.com/yusing/go-proxy/wiki/Middlewares#custom-error-pages)
- TCP 和 UDP 埠轉發
- **網頁介面，具有應用儀表板和配置編輯器**
- 支援 linux/amd64、linux/arm64
- 使用 **[Go](https://go.dev)** 編寫
+- **簡單易用**
+  - 透過 Docker[標籤](https://docs.godoxy.dev/Docker-labels-and-Route-Files)或 WebUI 輕鬆設定
+  - [簡單的多節點設置](https://docs.godoxy.dev/Configurations#multi-docker-nodes-setup)
+  - 詳細的錯誤訊息，便於故障排除
+- **存取控制 (ACL)**：連線/請求層級存取控制
+  - IP/CIDR
+  - 國家 **(需要 Maxmind 帳戶)**
+  - 時區 **(需要 Maxmind 帳戶)**
+  - **存取日誌記錄**
+  - 定時發送摘要 (允許和拒絕的連線次數)
+- **自動化**
+  - 使用 Let's Encrypt 自動管理 SSL 憑證 ([使用 DNS-01 驗證](https://docs.godoxy.dev/DNS-01-Providers))
+  - Docker 容器自動配置
+  - 設定檔與容器狀態變更時自動熱重載
+- **容器運行時支援**
+  - Docker
+  - Podman
+- **閒置休眠**：根據流量停止和喚醒容器 _(參見[截圖](#閒置休眠))_
+  - Docker 容器
+  - Proxmox LXC 容器
+- **流量管理**
+  - HTTP 反向代理
+  - TCP/UDP 連接埠轉送
+  - **OpenID Connect 支援**：輕鬆實現單點登入 (SSO) 並保護您的應用程式
+  - **ForwardAuth 支援**：整合任何 auth provider (例如 TinyAuth)
+- **客製化**
+  - [HTTP 中介軟體](https://docs.godoxy.dev/Middlewares)
+  - [支援自訂錯誤頁面](https://docs.godoxy.dev/Custom-Error-Pages)
+- **網頁使用者介面 (Web UI)**
+  - 應用程式一覽
+  - 設定編輯器
+  - 執行時間與系統指標
+  - Docker 日誌檢視器
+- **跨平台支援**
+  - 支援 **linux/amd64** 與 **linux/arm64**
+- **高效能**
+  - 以 **[Go](https://go.dev)** 語言編寫

-[🔼回到頂部](#目錄)
-
-## 入門指南
-
-完整文檔請參見 **[Wiki](https://github.com/yusing/go-proxy/wiki)**
-
-### 前置需求
+## 前置需求

 設置 DNS 記錄指向運行 `GoDoxy` 的機器，例如：

 - A 記錄：`*.y.z` -> `10.0.10.1`
 - AAAA 記錄：`*.y.z` -> `::ffff:a00:a01`

-### 安裝
+## 安裝

-1.  拉取最新的 Docker 映像
+> [!NOTE]
+> GoDoxy 僅在 `host` 網路模式下運作，請勿更改。
+>
+> 如需更改監聽埠，請修改 `.env`。

-    ```shell
-    docker pull ghcr.io/yusing/go-proxy:latest
-    ```
+1. 準備一個新目錄用於 docker compose 和配置文件。

-2.  建立新目錄，`cd` 進入後運行安裝，或[手動安裝](#手動安裝)
+2. 在目錄內運行安裝腳本，或[手動安裝](#手動安裝)

-    ```shell
-    docker run --rm -v .:/setup ghcr.io/yusing/go-proxy /app/godoxy setup
-    ```
+   ```shell
+   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/setup.sh)"
+   ```

-3.  _（可選）_ 設置網頁介面登入
-
-    - 設置隨機 JWT 密鑰
-
-      ```shell
-      sed -i "s|API_JWT_SECRET=.*|API_JWT_SECRET=$(openssl rand -base64 32)|g" .env
-      ```
-
-    - 更改網頁介面認證的使用者名稱和密碼
-      ```shell
-      USERNAME=admin
-      PASSWORD=some-password
-      sed -i "s|API_USERNAME=.*|API_USERNAME=${USERNAME}|g" .env
-      sed -i "s|API_PASSWORD=.*|API_PASSWORD=${PASSWORD}|g" .env
-      ```
-
-4.  _（可選）_ 設置其他 Docker 節點的 `docker-socket-proxy`（參見 [多 Docker 節點設置](https://github.com/yusing/go-proxy/wiki/Configurations#multi-docker-nodes-setup)），然後在 `config.yml` 中添加它們
-
-5.  啟動容器 `docker compose up -d`
-
-6.  現在您可以進行額外的配置
-    - 使用文字編輯器（如 Visual Studio Code）
-    - 通過網頁介面 `https://gp.y.z`
-
-[🔼回到頂部](#目錄)
+3. 現在可以在 WebUI `https://godoxy.yourdomain.com` 進行額外配置

 ### 手動安裝

 1. 建立 `config` 目錄，然後將 `config.example.yml` 下載到 `config/config.yml`

-   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/go-proxy/v0.9/config.example.yml -O config/config.yml`
+   `mkdir -p config && wget https://raw.githubusercontent.com/yusing/godoxy/main/config.example.yml -O config/config.yml`

 2. 將 `.env.example` 下載到 `.env`

-   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.9/.env.example -O .env`
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/.env.example -O .env`

 3. 將 `compose.example.yml` 下載到 `compose.yml`

-   `wget https://raw.githubusercontent.com/yusing/go-proxy/v0.9/compose.example.yml -O compose.yml`
+   `wget https://raw.githubusercontent.com/yusing/godoxy/main/compose.example.yml -O compose.yml`

 ### 資料夾結構

@@ -131,14 +139,26 @@ _加入我們的 [Discord](https://discord.gg/umReR62nRd) 獲取幫助和討論_
 │   │   ├── middleware2.yml
 │   ├── provider1.yml
 │   └── provider2.yml
+├── data
+│   ├── metrics # metrics data
+│   │   ├── uptime.json
+│   │   └── system_info.json
 └── .env
 ```

-### 在 VSCode 中使用 JSON Schema
+## 更新 / 卸載系統代理 (System Agent)

-複製 [`.vscode/settings.example.json`](.vscode/settings.example.json) 到 `.vscode/settings.json` 並根據需要修改
+更新：

-[🔼回到頂部](#目錄)
+```bash
+sudo /bin/bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- update
+```
+
+卸載：
+
+```bash
+sudo /bin/bash -c "$(curl -fsSL https://github.com/yusing/godoxy/raw/refs/heads/main/scripts/install-agent.sh)" -- uninstall
+```

 ## 截圖

@@ -146,11 +166,24 @@ _加入我們的 [Discord](https://discord.gg/umReR62nRd) 獲取幫助和討論_

 ![閒置休眠](screenshots/idlesleeper.webp)

-[🔼回到頂部](#目錄)
+### 監控
+
+<div align="center">
+  <table>
+    <tr>
+      <td align="center"><img src="screenshots/routes.jpg" alt="Routes" width="350"/></td>
+      <td align="center"><img src="screenshots/servers.jpg" alt="Servers" width="350"/></td>
+    </tr>
+    <tr>
+      <td align="center"><b>路由</b></td>
+      <td align="center"><b>伺服器</b></td>
+    </tr>
+  </table>
+</div>

 ## 自行編譯

-1. 克隆儲存庫 `git clone https://github.com/yusing/go-proxy --depth=1`
+1. 克隆儲存庫 `git clone https://github.com/yusing/godoxy --depth=1`

 2. 如果尚未安裝，請安裝/升級 [go (>=1.22)](https://go.dev/doc/install) 和 `make`

@@ -160,4 +193,8 @@ _加入我們的 [Discord](https://discord.gg/umReR62nRd) 獲取幫助和討論_

 5. 使用 `make build` 編譯二進制檔案

-[🔼回到頂部](#目錄)
+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=yusing/godoxy&type=Date)](https://www.star-history.com/#yusing/godoxy&Date)
+
+[🔼 回到頂部](#目錄)
--- a/agent/cmd/main.go
+++ b/agent/cmd/main.go
@@ -0,0 +1,81 @@
+package main
+
+import (
+	"os"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/env"
+	"github.com/yusing/godoxy/agent/pkg/server"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	socketproxy "github.com/yusing/godoxy/socketproxy/pkg"
+	httpServer "github.com/yusing/goutils/server"
+	strutils "github.com/yusing/goutils/strings"
+	"github.com/yusing/goutils/task"
+	"github.com/yusing/goutils/version"
+)
+
+func main() {
+	writer := zerolog.ConsoleWriter{
+		Out:        os.Stderr,
+		TimeFormat: "01-02 15:04",
+	}
+	zerolog.TimeFieldFormat = writer.TimeFormat
+	log.Logger = zerolog.New(writer).Level(zerolog.InfoLevel).With().Timestamp().Logger()
+	ca := &agent.PEMPair{}
+	err := ca.Load(env.AgentCACert)
+	if err != nil {
+		log.Fatal().Err(err).Msg("init CA error")
+	}
+	caCert, err := ca.ToTLSCert()
+	if err != nil {
+		log.Fatal().Err(err).Msg("init CA error")
+	}
+
+	srv := &agent.PEMPair{}
+	srv.Load(env.AgentSSLCert)
+	if err != nil {
+		log.Fatal().Err(err).Msg("init SSL error")
+	}
+	srvCert, err := srv.ToTLSCert()
+	if err != nil {
+		log.Fatal().Err(err).Msg("init SSL error")
+	}
+
+	log.Info().Msgf("GoDoxy Agent version %s", version.Get())
+	log.Info().Msgf("Agent name: %s", env.AgentName)
+	log.Info().Msgf("Agent port: %d", env.AgentPort)
+	log.Info().Msgf("Agent runtime: %s", env.Runtime)
+
+	log.Info().Msg(`
+Tips:
+1. To change the agent name, you can set the AGENT_NAME environment variable.
+2. To change the agent port, you can set the AGENT_PORT environment variable.
+`)
+
+	t := task.RootTask("agent", false)
+	opts := server.Options{
+		CACert:     caCert,
+		ServerCert: srvCert,
+		Port:       env.AgentPort,
+	}
+
+	server.StartAgentServer(t, opts)
+
+	if socketproxy.ListenAddr != "" {
+		runtime := strutils.Title(string(env.Runtime))
+
+		log.Info().Msgf("%s socket listening on: %s", runtime, socketproxy.ListenAddr)
+		opts := httpServer.Options{
+			Name:     runtime,
+			HTTPAddr: socketproxy.ListenAddr,
+			Handler:  socketproxy.NewHandler(),
+		}
+		httpServer.StartServer(t, opts)
+	}
+
+	systeminfo.Poller.Start()
+
+	task.WaitExit(3)
+}
--- a/agent/go.mod
+++ b/agent/go.mod
@@ -0,0 +1,127 @@
+module github.com/yusing/godoxy/agent
+
+go 1.25.5
+
+replace (
+	github.com/shirou/gopsutil/v4 => ../internal/gopsutil
+	github.com/yusing/godoxy => ../
+	github.com/yusing/godoxy/socketproxy => ../socket-proxy
+	github.com/yusing/goutils => ../goutils
+	github.com/yusing/goutils/http/reverseproxy => ../goutils/http/reverseproxy
+	github.com/yusing/goutils/http/websocket => ../goutils/http/websocket
+	github.com/yusing/goutils/server => ../goutils/server
+)
+
+exclude github.com/containerd/nerdctl/mod/tigron v0.0.0
+
+require (
+	github.com/bytedance/sonic v1.14.2
+	github.com/gin-gonic/gin v1.11.0
+	github.com/gorilla/websocket v1.5.3
+	github.com/puzpuzpuz/xsync/v4 v4.2.0
+	github.com/rs/zerolog v1.34.0
+	github.com/stretchr/testify v1.11.1
+	github.com/valyala/fasthttp v1.68.0
+	github.com/yusing/godoxy v0.0.0-00010101000000-000000000000
+	github.com/yusing/godoxy/socketproxy v0.0.0-00010101000000-000000000000
+	github.com/yusing/goutils v0.7.0
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20251217162119-cb0f79b51ce2
+	github.com/yusing/goutils/server v0.0.0-20251217162119-cb0f79b51ce2
+)
+
+require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/PuerkitoBio/goquery v1.11.0 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/andybalholm/cascadia v1.3.3 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
+	github.com/bytedance/gopkg v0.1.3 // indirect
+	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/diskfs/go-diskfs v1.7.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/docker/cli v29.1.3+incompatible // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/ebitengine/purego v0.9.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/go-acme/lego/v4 v4.30.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.30.1 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/goccy/go-yaml v1.19.1 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/gotify/server/v2 v2.7.3 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/lithammer/fuzzysearch v1.1.8 // indirect
+	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
+	github.com/luthermonson/go-proxmox v0.2.4 // indirect
+	github.com/magefile/mage v1.15.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.69 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/moby/api v1.52.0 // indirect
+	github.com/moby/moby/client v0.2.1 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/oschwald/maxminddb-golang v1.13.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pires/go-proxyproto v0.8.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/quic-go/quic-go v0.58.0 // indirect
+	github.com/samber/lo v1.52.0 // indirect
+	github.com/samber/slog-common v0.19.0 // indirect
+	github.com/samber/slog-zerolog/v2 v2.9.0 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.11 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.16 // indirect
+	github.com/tklauser/numcpus v0.11.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/vincent-petithory/dataurl v1.0.0 // indirect
+	github.com/yusing/ds v0.3.1 // indirect
+	github.com/yusing/gointernals v0.1.16 // indirect
+	github.com/yusing/goutils/http/websocket v0.0.0-20251217162119-cb0f79b51ce2 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
+	go.opentelemetry.io/otel v1.39.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	golang.org/x/arch v0.23.0 // indirect
+	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
--- a/agent/go.sum
+++ b/agent/go.sum
@@ -0,0 +1,348 @@
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/PuerkitoBio/goquery v1.11.0 h1:jZ7pwMQXIITcUXNH83LLk+txlaEy6NVOfTuP43xxfqw=
+github.com/PuerkitoBio/goquery v1.11.0/go.mod h1:wQHgxUOU3JGuj3oD/QFfxUdlzW6xPHfqyHre6VMY4DQ=
+github.com/anchore/go-lzo v0.1.0 h1:NgAacnzqPeGH49Ky19QKLBZEuFRqtTG9cdaucc3Vncs=
+github.com/anchore/go-lzo v0.1.0/go.mod h1:3kLx0bve2oN1iDwgM1U5zGku1Tfbdb0No5qp1eL1fIk=
+github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
+github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
+github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
+github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
+github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
+github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
+github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
+github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
+github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
+github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
+github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8=
+github.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
+github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
+github.com/docker/cli v29.1.3+incompatible h1:+kz9uDWgs+mAaIZojWfFt4d53/jv0ZUOOoSh5ZnH36c=
+github.com/docker/cli v29.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
+github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
+github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
+github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
+github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
+github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/go-acme/lego/v4 v4.30.1 h1:tmb6U0lvy8Mc3lQbqKwTat7oAhE8FUYNJ3D0gSg6pJU=
+github.com/go-acme/lego/v4 v4.30.1/go.mod h1:V7m/Ip+EeFkjOe028+zeH+SwWtESxw1LHelwMIfAjm4=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
+github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
+github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
+github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
+github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
+github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
+github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
+github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
+github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.19.1 h1:3rG3+v8pkhRqoQ/88NYNMHYVGYztCOCIZ7UQhu7H+NE=
+github.com/goccy/go-yaml v1.19.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gotify/server/v2 v2.7.3 h1:nro/ZnxdlZFvxFcw9LREGA8zdk6CK744azwhuhX/A4g=
+github.com/gotify/server/v2 v2.7.3/go.mod h1:VAtE1RIc/2j886PYs9WPQbMjqbFsoyQ0G8IdFtnAxU0=
+github.com/h2non/gock v1.2.0 h1:K6ol8rfrRkUOefooBC8elXoaNGYkpp7y2qcxGG6BzUE=
+github.com/h2non/gock v1.2.0/go.mod h1:tNhoxHYW2W42cYkYb1WqzdbYIieALC99kpYr7rH/BQk=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
+github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
+github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 h1:9Nu54bhS/H/Kgo2/7xNSUuC5G28VR8ljfrLKU2G4IjU=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12/go.mod h1:TBzl5BIHNXfS9+C35ZyJaklL7mLDbgUkcgXzSLa8Tk0=
+github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
+github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
+github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
+github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 h1:PwQumkgq4/acIiZhtifTV5OUqqiP82UAl0h87xj/l9k=
+github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
+github.com/luthermonson/go-proxmox v0.2.4 h1:XQ6YNUTVvHS7N4EJxWpuqWLW2s1VPtsIblxLV/rGHLw=
+github.com/luthermonson/go-proxmox v0.2.4/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
+github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
+github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
+github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/moby/api v1.52.0 h1:00BtlJY4MXkkt84WhUZPRqt5TvPbgig2FZvTbe3igYg=
+github.com/moby/moby/api v1.52.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
+github.com/moby/moby/client v0.2.1 h1:1Grh1552mvv6i+sYOdY+xKKVTvzJegcVMhuXocyDz/k=
+github.com/moby/moby/client v0.2.1/go.mod h1:O+/tw5d4a1Ha/ZA/tPxIZJapJRUS6LNZ1wiVRxYHyUE=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
+github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
+github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
+github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/puzpuzpuz/xsync/v4 v4.2.0 h1:dlxm77dZj2c3rxq0/XNvvUKISAmovoXF4a4qM6Wvkr0=
+github.com/puzpuzpuz/xsync/v4 v4.2.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.58.0 h1:ggY2pvZaVdB9EyojxL1p+5mptkuHyX5MOSv4dgWF4Ug=
+github.com/quic-go/quic-go v0.58.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
+github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
+github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
+github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
+github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
+github.com/samber/slog-zerolog/v2 v2.9.0 h1:6LkOabJmZdNLaUWkTC3IVVA+dq7b/V0FM6lz6/7+THI=
+github.com/samber/slog-zerolog/v2 v2.9.0/go.mod h1:gnQW9VnCfM34v2pRMUIGMsZOVbYLqY/v0Wxu6atSVGc=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tklauser/go-sysconf v0.3.16 h1:frioLaCQSsF5Cy1jgRBrzr6t502KIIwQ0MArYICU0nA=
+github.com/tklauser/go-sysconf v0.3.16/go.mod h1:/qNL9xxDhc7tx3HSRsLWNnuzbVfh3e7gh/BmM179nYI=
+github.com/tklauser/numcpus v0.11.0 h1:nSTwhKH5e1dMNsCdVBukSZrURJRoHbSEQjdEbY+9RXw=
+github.com/tklauser/numcpus v0.11.0/go.mod h1:z+LwcLq54uWZTX0u/bGobaV34u6V7KNlTZejzM6/3MQ=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
+github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
+github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasthttp v1.68.0 h1:v12Nx16iepr8r9ySOwqI+5RBJ/DqTxhOy1HrHoDFnok=
+github.com/valyala/fasthttp v1.68.0/go.mod h1:5EXiRfYQAoiO/khu4oU9VISC/eVY6JqmSpPJoHCKsz4=
+github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
+github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
+github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
+github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yusing/ds v0.3.1 h1:mCqTgTQD8RhiBpcysvii5kZ7ZBmqcknVsFubNALGLbY=
+github.com/yusing/ds v0.3.1/go.mod h1:XhKV4l7cZwBbbl7lRzNC9zX27zvCM0frIwiuD40ULRk=
+github.com/yusing/gointernals v0.1.16 h1:GrhZZdxzA+jojLEqankctJrOuAYDb7kY1C93S1pVR34=
+github.com/yusing/gointernals v0.1.16/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+golang.org/x/arch v0.23.0 h1:lKF64A2jF6Zd8L0knGltUnegD62JMFBiCPBmQpToHhg=
+golang.org/x/arch v0.23.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210331175145-43e1dd70ce54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
--- a/agent/pkg/agent/agent_pool.go
+++ b/agent/pkg/agent/agent_pool.go
@@ -0,0 +1,68 @@
+package agent
+
+import (
+	"iter"
+	"os"
+	"strings"
+
+	"github.com/puzpuzpuz/xsync/v4"
+)
+
+var agentPool = xsync.NewMap[string, *AgentConfig](xsync.WithPresize(10))
+
+func init() {
+	if strings.HasSuffix(os.Args[0], ".test") {
+		agentPool.Store("test-agent", &AgentConfig{
+			Addr: "test-agent",
+		})
+	}
+}
+
+func GetAgent(agentAddrOrDockerHost string) (*AgentConfig, bool) {
+	if !IsDockerHostAgent(agentAddrOrDockerHost) {
+		return getAgentByAddr(agentAddrOrDockerHost)
+	}
+	return getAgentByAddr(GetAgentAddrFromDockerHost(agentAddrOrDockerHost))
+}
+
+func GetAgentByName(name string) (*AgentConfig, bool) {
+	for _, agent := range agentPool.Range {
+		if agent.Name == name {
+			return agent, true
+		}
+	}
+	return nil, false
+}
+
+func AddAgent(agent *AgentConfig) {
+	agentPool.Store(agent.Addr, agent)
+}
+
+func RemoveAgent(agent *AgentConfig) {
+	agentPool.Delete(agent.Addr)
+}
+
+func RemoveAllAgents() {
+	agentPool.Clear()
+}
+
+func ListAgents() []*AgentConfig {
+	agents := make([]*AgentConfig, 0, agentPool.Size())
+	for _, agent := range agentPool.Range {
+		agents = append(agents, agent)
+	}
+	return agents
+}
+
+func IterAgents() iter.Seq2[string, *AgentConfig] {
+	return agentPool.Range
+}
+
+func NumAgents() int {
+	return agentPool.Size()
+}
+
+func getAgentByAddr(addr string) (agent *AgentConfig, ok bool) {
+	agent, ok = agentPool.Load(addr)
+	return agent, ok
+}
--- a/agent/pkg/agent/bare_metal.go
+++ b/agent/pkg/agent/bare_metal.go
@@ -0,0 +1,33 @@
+package agent
+
+import (
+	"bytes"
+	"text/template"
+)
+
+var (
+	installScript = `AGENT_NAME="{{.Name}}" \
+	AGENT_PORT="{{.Port}}" \
+	AGENT_CA_CERT="{{.CACert}}" \
+	AGENT_SSL_CERT="{{.SSLCert}}" \
+	{{ if eq .ContainerRuntime "nerdctl" -}}
+	DOCKER_SOCKET="/var/run/containerd/containerd.sock" \
+	RUNTIME="nerdctl" \
+	{{ else if eq .ContainerRuntime "podman" -}}
+	DOCKER_SOCKET="/var/run/podman/podman.sock" \
+	RUNTIME="podman" \
+	{{ else -}}
+	DOCKER_SOCKET="/var/run/docker.sock" \
+	RUNTIME="docker" \
+	{{ end -}}
+	bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/godoxy/main/scripts/install-agent.sh)"`
+	installScriptTemplate = template.Must(template.New("install.sh").Parse(installScript))
+)
+
+func (c *AgentEnvConfig) Generate() (string, error) {
+	buf := bytes.NewBuffer(make([]byte, 0, 4096))
+	if err := installScriptTemplate.Execute(buf, c); err != nil {
+		return "", err
+	}
+	return buf.String(), nil
+}
--- a/agent/pkg/agent/config.go
+++ b/agent/pkg/agent/config.go
@@ -0,0 +1,241 @@
+package agent
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/valyala/fasthttp"
+	"github.com/yusing/godoxy/agent/pkg/certs"
+	"github.com/yusing/goutils/version"
+)
+
+type AgentConfig struct {
+	Addr    string           `json:"addr"`
+	Name    string           `json:"name"`
+	Version version.Version  `json:"version" swaggertype:"string"`
+	Runtime ContainerRuntime `json:"runtime"`
+
+	httpClient                *http.Client
+	fasthttpClientHealthCheck *fasthttp.Client
+	tlsConfig                 tls.Config
+	l                         zerolog.Logger
+} // @name Agent
+
+const (
+	EndpointVersion    = "/version"
+	EndpointName       = "/name"
+	EndpointRuntime    = "/runtime"
+	EndpointProxyHTTP  = "/proxy/http"
+	EndpointHealth     = "/health"
+	EndpointLogs       = "/logs"
+	EndpointSystemInfo = "/system_info"
+
+	AgentHost = CertsDNSName
+
+	APIEndpointBase = "/godoxy/agent"
+	APIBaseURL      = "https://" + AgentHost + APIEndpointBase
+
+	DockerHost = "https://" + AgentHost
+
+	FakeDockerHostPrefix    = "agent://"
+	FakeDockerHostPrefixLen = len(FakeDockerHostPrefix)
+)
+
+func mustParseURL(urlStr string) *url.URL {
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
+
+var (
+	AgentURL              = mustParseURL(APIBaseURL)
+	HTTPProxyURL          = mustParseURL(APIBaseURL + EndpointProxyHTTP)
+	HTTPProxyURLPrefixLen = len(APIEndpointBase + EndpointProxyHTTP)
+)
+
+func IsDockerHostAgent(dockerHost string) bool {
+	return strings.HasPrefix(dockerHost, FakeDockerHostPrefix)
+}
+
+func GetAgentAddrFromDockerHost(dockerHost string) string {
+	return dockerHost[FakeDockerHostPrefixLen:]
+}
+
+func (cfg *AgentConfig) FakeDockerHost() string {
+	return FakeDockerHostPrefix + cfg.Addr
+}
+
+func (cfg *AgentConfig) Parse(addr string) error {
+	cfg.Addr = addr
+	return nil
+}
+
+var serverVersion = version.Get()
+
+func (cfg *AgentConfig) StartWithCerts(ctx context.Context, ca, crt, key []byte) error {
+	clientCert, err := tls.X509KeyPair(crt, key)
+	if err != nil {
+		return err
+	}
+
+	// create tls config
+	caCertPool := x509.NewCertPool()
+	ok := caCertPool.AppendCertsFromPEM(ca)
+	if !ok {
+		return errors.New("invalid ca certificate")
+	}
+
+	cfg.tlsConfig = tls.Config{
+		Certificates: []tls.Certificate{clientCert},
+		RootCAs:      caCertPool,
+		ServerName:   CertsDNSName,
+	}
+
+	// create transport and http client
+	cfg.httpClient = cfg.NewHTTPClient()
+	applyNormalTransportConfig(cfg.httpClient)
+
+	cfg.fasthttpClientHealthCheck = cfg.NewFastHTTPHealthCheckClient()
+
+	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+
+	// get agent name
+	name, _, err := cfg.fetchString(ctx, EndpointName)
+	if err != nil {
+		return err
+	}
+
+	cfg.Name = name
+
+	cfg.l = log.With().Str("agent", cfg.Name).Logger()
+
+	// check agent version
+	agentVersion, _, err := cfg.fetchString(ctx, EndpointVersion)
+	if err != nil {
+		return err
+	}
+
+	// check agent runtime
+	runtime, status, err := cfg.fetchString(ctx, EndpointRuntime)
+	if err != nil {
+		return err
+	}
+	switch status {
+	case http.StatusOK:
+		switch runtime {
+		case "docker":
+			cfg.Runtime = ContainerRuntimeDocker
+		// case "nerdctl":
+		// 	cfg.Runtime = ContainerRuntimeNerdctl
+		case "podman":
+			cfg.Runtime = ContainerRuntimePodman
+		default:
+			return fmt.Errorf("invalid agent runtime: %s", runtime)
+		}
+	case http.StatusNotFound:
+		// backward compatibility, old agent does not have runtime endpoint
+		cfg.Runtime = ContainerRuntimeDocker
+	default:
+		return fmt.Errorf("failed to get agent runtime: HTTP %d %s", status, runtime)
+	}
+
+	cfg.Version = version.Parse(agentVersion)
+
+	if serverVersion.IsNewerThanMajor(cfg.Version) {
+		log.Warn().Msgf("agent %s major version mismatch: server: %s, agent: %s", cfg.Name, serverVersion, cfg.Version)
+	}
+
+	log.Info().Msgf("agent %q initialized", cfg.Name)
+	return nil
+}
+
+func (cfg *AgentConfig) Start(ctx context.Context) error {
+	filepath, ok := certs.AgentCertsFilepath(cfg.Addr)
+	if !ok {
+		return fmt.Errorf("invalid agent host: %s", cfg.Addr)
+	}
+
+	certData, err := os.ReadFile(filepath)
+	if err != nil {
+		return fmt.Errorf("failed to read agent certs: %w", err)
+	}
+
+	ca, crt, key, err := certs.ExtractCert(certData)
+	if err != nil {
+		return fmt.Errorf("failed to extract agent certs: %w", err)
+	}
+
+	return cfg.StartWithCerts(ctx, ca, crt, key)
+}
+
+func (cfg *AgentConfig) NewHTTPClient() *http.Client {
+	return &http.Client{
+		Transport: cfg.Transport(),
+	}
+}
+
+func (cfg *AgentConfig) NewFastHTTPHealthCheckClient() *fasthttp.Client {
+	return &fasthttp.Client{
+		Dial: func(addr string) (net.Conn, error) {
+			if addr != AgentHost+":443" {
+				return nil, &net.AddrError{Err: "invalid address", Addr: addr}
+			}
+			return net.Dial("tcp", cfg.Addr)
+		},
+		TLSConfig:                     &cfg.tlsConfig,
+		ReadTimeout:                   5 * time.Second,
+		WriteTimeout:                  3 * time.Second,
+		DisableHeaderNamesNormalizing: true,
+		DisablePathNormalizing:        true,
+		NoDefaultUserAgentHeader:      true,
+		ReadBufferSize:                1024,
+		WriteBufferSize:               1024,
+	}
+}
+
+func (cfg *AgentConfig) Transport() *http.Transport {
+	return &http.Transport{
+		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			if addr != AgentHost+":443" {
+				return nil, &net.AddrError{Err: "invalid address", Addr: addr}
+			}
+			if network != "tcp" {
+				return nil, &net.OpError{Op: "dial", Net: network, Source: nil, Addr: nil}
+			}
+			return cfg.DialContext(ctx)
+		},
+		TLSClientConfig: &cfg.tlsConfig,
+	}
+}
+
+var dialer = &net.Dialer{Timeout: 5 * time.Second}
+
+func (cfg *AgentConfig) DialContext(ctx context.Context) (net.Conn, error) {
+	return dialer.DialContext(ctx, "tcp", cfg.Addr)
+}
+
+func (cfg *AgentConfig) String() string {
+	return cfg.Name + "@" + cfg.Addr
+}
+
+func applyNormalTransportConfig(client *http.Client) {
+	transport := client.Transport.(*http.Transport)
+	transport.MaxIdleConns = 100
+	transport.MaxIdleConnsPerHost = 100
+	transport.ReadBufferSize = 16384
+	transport.WriteBufferSize = 16384
+}
--- a/agent/pkg/agent/docker_compose.go
+++ b/agent/pkg/agent/docker_compose.go
@@ -0,0 +1,28 @@
+package agent
+
+import (
+	"bytes"
+	"text/template"
+
+	_ "embed"
+)
+
+var (
+	//go:embed templates/agent.compose.yml.tmpl
+	agentComposeYAML         string
+	agentComposeYAMLTemplate = template.Must(template.New("agent.compose.yml.tmpl").Parse(agentComposeYAML))
+)
+
+const (
+	DockerImageProduction = "ghcr.io/yusing/godoxy-agent:latest"
+	DockerImageNightly    = "ghcr.io/yusing/godoxy-agent:nightly"
+)
+
+func (c *AgentComposeConfig) Generate() (string, error) {
+	buf := bytes.NewBuffer(make([]byte, 0, 1024))
+	err := agentComposeYAMLTemplate.Execute(buf, c)
+	if err != nil {
+		return "", err
+	}
+	return buf.String(), nil
+}
--- a/agent/pkg/agent/env.go
+++ b/agent/pkg/agent/env.go
@@ -0,0 +1,25 @@
+package agent
+
+type (
+	ContainerRuntime string
+	AgentEnvConfig   struct {
+		Name             string
+		Port             int
+		CACert           string
+		SSLCert          string
+		ContainerRuntime ContainerRuntime
+	}
+	AgentComposeConfig struct {
+		Image string
+		*AgentEnvConfig
+	}
+	Generator interface {
+		Generate() (string, error)
+	}
+)
+
+const (
+	ContainerRuntimeDocker ContainerRuntime = "docker"
+	ContainerRuntimePodman ContainerRuntime = "podman"
+	// ContainerRuntimeNerdctl ContainerRuntime = "nerdctl"
+)
--- a/agent/pkg/agent/http_requests.go
+++ b/agent/pkg/agent/http_requests.go
@@ -0,0 +1,112 @@
+package agent
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/bytedance/sonic"
+	"github.com/gorilla/websocket"
+	"github.com/valyala/fasthttp"
+	httputils "github.com/yusing/goutils/http"
+	"github.com/yusing/goutils/http/reverseproxy"
+)
+
+func (cfg *AgentConfig) Do(ctx context.Context, method, endpoint string, body io.Reader) (*http.Response, error) {
+	req, err := http.NewRequestWithContext(ctx, method, APIBaseURL+endpoint, body)
+	if err != nil {
+		return nil, err
+	}
+	return cfg.httpClient.Do(req)
+}
+
+func (cfg *AgentConfig) Forward(req *http.Request, endpoint string) (*http.Response, error) {
+	req.URL.Host = AgentHost
+	req.URL.Scheme = "https"
+	req.URL.Path = APIEndpointBase + endpoint
+	req.RequestURI = ""
+	resp, err := cfg.httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
+type HealthCheckResponse struct {
+	Healthy bool          `json:"healthy"`
+	Detail  string        `json:"detail"`
+	Latency time.Duration `json:"latency"`
+}
+
+func (cfg *AgentConfig) DoHealthCheck(timeout time.Duration, query string) (ret HealthCheckResponse, err error) {
+	req := fasthttp.AcquireRequest()
+	defer fasthttp.ReleaseRequest(req)
+
+	resp := fasthttp.AcquireResponse()
+	defer fasthttp.ReleaseResponse(resp)
+
+	req.SetRequestURI(APIBaseURL + EndpointHealth + "?" + query)
+	req.Header.SetMethod(fasthttp.MethodGet)
+	req.Header.Set("Accept-Encoding", "identity")
+	req.SetConnectionClose()
+
+	start := time.Now()
+	err = cfg.fasthttpClientHealthCheck.DoTimeout(req, resp, timeout)
+	ret.Latency = time.Since(start)
+	if err != nil {
+		return ret, err
+	}
+
+	if status := resp.StatusCode(); status != http.StatusOK {
+		ret.Detail = fmt.Sprintf("HTTP %d %s", status, resp.Body())
+		return ret, nil
+	} else {
+		err = sonic.Unmarshal(resp.Body(), &ret)
+		if err != nil {
+			return ret, err
+		}
+	}
+	return ret, nil
+}
+
+func (cfg *AgentConfig) fetchString(ctx context.Context, endpoint string) (string, int, error) {
+	resp, err := cfg.Do(ctx, "GET", endpoint, nil)
+	if err != nil {
+		return "", 0, err
+	}
+	defer resp.Body.Close()
+
+	data, release, err := httputils.ReadAllBody(resp)
+	if err != nil {
+		return "", 0, err
+	}
+	ret := string(data)
+	release(data)
+	return ret, resp.StatusCode, nil
+}
+
+func (cfg *AgentConfig) Websocket(ctx context.Context, endpoint string) (*websocket.Conn, *http.Response, error) {
+	transport := cfg.Transport()
+	dialer := websocket.Dialer{
+		NetDialContext:    transport.DialContext,
+		NetDialTLSContext: transport.DialTLSContext,
+	}
+	return dialer.DialContext(ctx, APIBaseURL+endpoint, http.Header{
+		"Host": {AgentHost},
+	})
+}
+
+// ReverseProxy reverse proxies the request to the agent
+//
+// It will create a new request with the same context, method, and body, but with the agent host and scheme, and the endpoint
+// If the request has a query, it will be added to the proxy request's URL
+func (cfg *AgentConfig) ReverseProxy(w http.ResponseWriter, req *http.Request, endpoint string) {
+	rp := reverseproxy.NewReverseProxy("agent", AgentURL, cfg.Transport())
+	req.URL.Host = AgentHost
+	req.URL.Scheme = "https"
+	req.URL.Path = endpoint
+	req.RequestURI = ""
+	rp.ServeHTTP(w, req)
+}
--- a/agent/pkg/agent/new_agent.go
+++ b/agent/pkg/agent/new_agent.go
@@ -0,0 +1,247 @@
+package agent
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io"
+	"math/big"
+	"strings"
+	"time"
+)
+
+const (
+	CertsDNSName = "godoxy.agent"
+)
+
+func toPEMPair(certDER []byte, key *ecdsa.PrivateKey) *PEMPair {
+	marshaledKey, err := marshalECPrivateKey(key)
+	if err != nil {
+		// This is a critical internal error during PEM encoding of a newly generated key.
+		// Panicking is acceptable here as it indicates a fundamental issue.
+		panic(fmt.Sprintf("failed to marshal EC private key for PEM encoding: %v", err))
+	}
+	return &PEMPair{
+		Cert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
+		Key:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: marshaledKey}),
+	}
+}
+
+func marshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
+	derBytes, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal EC private key: %w", err)
+	}
+	return derBytes, nil
+}
+
+func b64Encode(data []byte) string {
+	return base64.StdEncoding.EncodeToString(data)
+}
+
+func b64Decode(data string) ([]byte, error) {
+	return base64.StdEncoding.DecodeString(data)
+}
+
+type PEMPair struct {
+	Cert, Key []byte
+}
+
+func (p *PEMPair) String() string {
+	return b64Encode(p.Cert) + ";" + b64Encode(p.Key)
+}
+
+func (p *PEMPair) Load(data string) (err error) {
+	parts := strings.Split(data, ";")
+	if len(parts) != 2 {
+		return errors.New("invalid PEM pair")
+	}
+	p.Cert, err = b64Decode(parts[0])
+	if err != nil {
+		return err
+	}
+	p.Key, err = b64Decode(parts[1])
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (p *PEMPair) Encrypt(encKey []byte) (PEMPair, error) {
+	cert, err := encrypt(p.Cert, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	key, err := encrypt(p.Key, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	return PEMPair{Cert: cert, Key: key}, nil
+}
+
+func (p *PEMPair) Decrypt(encKey []byte) (PEMPair, error) {
+	cert, err := decrypt(p.Cert, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	key, err := decrypt(p.Key, encKey)
+	if err != nil {
+		return PEMPair{}, err
+	}
+	return PEMPair{Cert: cert, Key: key}, nil
+}
+
+func encrypt(data []byte, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+	return gcm.Seal(nonce, nonce, data, nil), nil
+}
+
+func decrypt(data []byte, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := data[:gcm.NonceSize()]
+	ciphertext := data[gcm.NonceSize():]
+	return gcm.Open(nil, nonce, ciphertext, nil)
+}
+
+func (p *PEMPair) ToTLSCert() (*tls.Certificate, error) {
+	cert, err := tls.X509KeyPair(p.Cert, p.Key)
+	return &cert, err
+}
+
+func newSerialNumber() (*big.Int, error) {
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) // 128-bit random number
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate serial number: %w", err)
+	}
+	return serialNumber, nil
+}
+
+func NewAgent() (ca, srv, client *PEMPair, err error) {
+	caSerialNumber, err := newSerialNumber()
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	// Create the CA's certificate
+	caTemplate := &x509.Certificate{
+		SerialNumber: caSerialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"GoDoxy"},
+			CommonName:   CertsDNSName,
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(1000, 0, 0), // 1000 years
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		MaxPathLen:            0,
+		MaxPathLenZero:        true,
+		SignatureAlgorithm:    x509.ECDSAWithSHA256,
+	}
+
+	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	caDER, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	ca = toPEMPair(caDER, caKey)
+
+	// Generate a new private key for the server certificate
+	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	serverSerialNumber, err := newSerialNumber()
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	srvTemplate := &x509.Certificate{
+		SerialNumber: serverSerialNumber,
+		Issuer:       caTemplate.Subject,
+		Subject: pkix.Name{
+			Organization:       caTemplate.Subject.Organization,
+			OrganizationalUnit: []string{"Server"},
+			CommonName:         CertsDNSName,
+		},
+		DNSNames:           []string{CertsDNSName},
+		NotBefore:          time.Now(),
+		NotAfter:           time.Now().AddDate(1000, 0, 0), // Add validity period
+		KeyUsage:           x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		SignatureAlgorithm: x509.ECDSAWithSHA256,
+	}
+
+	srvCertDER, err := x509.CreateCertificate(rand.Reader, srvTemplate, caTemplate, &serverKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	srv = toPEMPair(srvCertDER, serverKey)
+
+	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	clientSerialNumber, err := newSerialNumber()
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	clientTemplate := &x509.Certificate{
+		SerialNumber: clientSerialNumber,
+		Issuer:       caTemplate.Subject,
+		Subject: pkix.Name{
+			Organization:       caTemplate.Subject.Organization,
+			OrganizationalUnit: []string{"Client"},
+			CommonName:         CertsDNSName,
+		},
+		DNSNames:           []string{CertsDNSName},
+		NotBefore:          time.Now(),
+		NotAfter:           time.Now().AddDate(1000, 0, 0),
+		KeyUsage:           x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		SignatureAlgorithm: x509.ECDSAWithSHA256,
+	}
+	clientCertDER, err := x509.CreateCertificate(rand.Reader, clientTemplate, caTemplate, &clientKey.PublicKey, caKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	client = toPEMPair(clientCertDER, clientKey)
+	return ca, srv, client, err
+}
--- a/agent/pkg/agent/new_agent_test.go
+++ b/agent/pkg/agent/new_agent_test.go
@@ -0,0 +1,112 @@
+package agent
+
+import (
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewAgent(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	require.NoError(t, err)
+	require.NotNil(t, ca)
+	require.NotNil(t, srv)
+	require.NotNil(t, client)
+}
+
+func TestPEMPair(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	require.NoError(t, err)
+
+	for i, p := range []*PEMPair{ca, srv, client} {
+		t.Run(fmt.Sprintf("load-%d", i), func(t *testing.T) {
+			var pp PEMPair
+			err := pp.Load(p.String())
+			require.NoError(t, err)
+			require.Equal(t, p.Cert, pp.Cert)
+			require.Equal(t, p.Key, pp.Key)
+		})
+	}
+}
+
+func TestPEMPairToTLSCert(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	require.NoError(t, err)
+
+	for i, p := range []*PEMPair{ca, srv, client} {
+		t.Run(fmt.Sprintf("toTLSCert-%d", i), func(t *testing.T) {
+			cert, err := p.ToTLSCert()
+			require.NoError(t, err)
+			require.NotNil(t, cert)
+		})
+	}
+}
+
+func TestServerClient(t *testing.T) {
+	ca, srv, client, err := NewAgent()
+	require.NoError(t, err)
+
+	srvTLS, err := srv.ToTLSCert()
+	require.NoError(t, err)
+	require.NotNil(t, srvTLS)
+
+	clientTLS, err := client.ToTLSCert()
+	require.NoError(t, err)
+	require.NotNil(t, clientTLS)
+
+	caPool := x509.NewCertPool()
+	require.True(t, caPool.AppendCertsFromPEM(ca.Cert))
+
+	srvTLSConfig := &tls.Config{
+		Certificates: []tls.Certificate{*srvTLS},
+		ClientCAs:    caPool,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+
+	clientTLSConfig := &tls.Config{
+		Certificates: []tls.Certificate{*clientTLS},
+		RootCAs:      caPool,
+		ServerName:   CertsDNSName,
+	}
+
+	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	server.TLS = srvTLSConfig
+	server.StartTLS()
+	defer server.Close()
+
+	httpClient := &http.Client{
+		Transport: &http.Transport{TLSClientConfig: clientTLSConfig},
+	}
+
+	resp, err := httpClient.Get(server.URL)
+	require.NoError(t, err)
+	require.Equal(t, resp.StatusCode, http.StatusOK)
+}
+
+func TestPEMPairEncryptDecrypt(t *testing.T) {
+	encKey := make([]byte, 32)
+	_, err := rand.Read(encKey)
+	require.NoError(t, err)
+
+	ca, _, _, err := NewAgent()
+	require.NoError(t, err)
+
+	encCA, err := ca.Encrypt(encKey)
+	require.NoError(t, err)
+	require.NotNil(t, encCA)
+
+	decCA, err := encCA.Decrypt(encKey)
+	require.NoError(t, err)
+	require.NotNil(t, decCA)
+
+	require.Equal(t, string(ca.Cert), string(decCA.Cert))
+	require.Equal(t, string(ca.Key), string(decCA.Key))
+}
--- a/agent/pkg/agent/templates/agent.compose.yml
+++ b/agent/pkg/agent/templates/agent.compose.yml
@@ -0,0 +1,44 @@
+services:
+  agent:
+    image: "{{.Image}}"
+    container_name: godoxy-agent
+    restart: always
+    network_mode: host # do not change this
+    environment:
+      AGENT_NAME: "{{.Name}}"
+      AGENT_PORT: "{{.Port}}"
+      AGENT_CA_CERT: "{{.CACert}}"
+      AGENT_SSL_CERT: "{{.SSLCert}}"
+      # use agent as a docker socket proxy: [host]:port
+      # set LISTEN_ADDR to enable (e.g. 127.0.0.1:2375)
+      LISTEN_ADDR:
+      POST: false
+      ALLOW_RESTARTS: false
+      ALLOW_START: false
+      ALLOW_STOP: false
+      AUTH: false
+      BUILD: false
+      COMMIT: false
+      CONFIGS: false
+      CONTAINERS: false
+      DISTRIBUTION: false
+      EVENTS: true
+      EXEC: false
+      GRPC: false
+      IMAGES: false
+      INFO: false
+      NETWORKS: false
+      NODES: false
+      PING: true
+      PLUGINS: false
+      SECRETS: false
+      SERVICES: false
+      SESSION: false
+      SWARM: false
+      SYSTEM: false
+      TASKS: false
+      VERSION: true
+      VOLUMES: false
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data:/app/data
--- a/agent/pkg/agent/templates/agent.compose.yml.tmpl
+++ b/agent/pkg/agent/templates/agent.compose.yml.tmpl
@@ -0,0 +1,66 @@
+services:
+  agent:
+    image: "{{.Image}}"
+    container_name: godoxy-agent
+    restart: always
+    {{ if eq .ContainerRuntime "podman" -}}
+    ports:
+      - "{{.Port}}:{{.Port}}"
+    {{ else -}}
+    network_mode: host # do not change this
+    {{ end -}}
+    environment:
+      {{ if eq .ContainerRuntime "nerdctl" -}}
+      DOCKER_SOCKET: "/var/run/containerd/containerd.sock"
+      RUNTIME: "nerdctl"
+      {{ else if eq .ContainerRuntime "podman" -}}
+      DOCKER_SOCKET: "/var/run/podman/podman.sock"
+      RUNTIME: "podman"
+      {{ else -}}
+      DOCKER_SOCKET: "/var/run/docker.sock"
+      RUNTIME: "docker"
+      {{ end -}}
+      AGENT_NAME: "{{.Name}}"
+      AGENT_PORT: "{{.Port}}"
+      AGENT_CA_CERT: "{{.CACert}}"
+      AGENT_SSL_CERT: "{{.SSLCert}}"
+      # use agent as a docker socket proxy: [host]:port
+      # set LISTEN_ADDR to enable (e.g. 127.0.0.1:2375)
+      LISTEN_ADDR:
+      POST: false
+      ALLOW_RESTARTS: false
+      ALLOW_START: false
+      ALLOW_STOP: false
+      AUTH: false
+      BUILD: false
+      COMMIT: false
+      CONFIGS: false
+      CONTAINERS: false
+      DISTRIBUTION: false
+      EVENTS: true
+      EXEC: false
+      GRPC: false
+      IMAGES: false
+      INFO: false
+      NETWORKS: false
+      NODES: false
+      PING: true
+      PLUGINS: false
+      SECRETS: false
+      SERVICES: false
+      SESSION: false
+      SWARM: false
+      SYSTEM: false
+      TASKS: false
+      VERSION: true
+      VOLUMES: false
+    volumes:
+      {{ if eq .ContainerRuntime "podman" -}}
+      - /var/run/podman/podman.sock:/var/run/podman/podman.sock
+      {{ else if eq .ContainerRuntime "nerdctl" -}}
+      - /var/run/containerd/containerd.sock:/var/run/containerd/containerd.sock
+      - /var/lib/nerdctl:/var/lib/nerdctl:ro # required to read metadata like network info
+      {{ else -}}
+      - /var/run/docker.sock:/var/run/docker.sock
+      {{ end -}}
+      - ./data:/app/data
--- a/agent/pkg/agentproxy/config.go
+++ b/agent/pkg/agentproxy/config.go
@@ -0,0 +1,73 @@
+package agentproxy
+
+import (
+	"encoding/base64"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/bytedance/sonic"
+	route "github.com/yusing/godoxy/internal/route/types"
+)
+
+type Config struct {
+	Scheme string `json:"scheme,omitempty"`
+	Host   string `json:"host,omitempty"` // host or host:port
+
+	route.HTTPConfig
+}
+
+func ConfigFromHeaders(h http.Header) (Config, error) {
+	cfg, err := proxyConfigFromHeaders(h)
+	if cfg.Host == "" || err != nil {
+		cfg = proxyConfigFromHeadersLegacy(h)
+	}
+	return cfg, nil
+}
+
+func proxyConfigFromHeadersLegacy(h http.Header) (cfg Config) {
+	cfg.Host = h.Get(HeaderXProxyHost)
+	isHTTPS, _ := strconv.ParseBool(h.Get(HeaderXProxyHTTPS))
+	cfg.NoTLSVerify, _ = strconv.ParseBool(h.Get(HeaderXProxySkipTLSVerify))
+	responseHeaderTimeout, err := strconv.Atoi(h.Get(HeaderXProxyResponseHeaderTimeout))
+	if err != nil {
+		responseHeaderTimeout = 0
+	}
+	cfg.ResponseHeaderTimeout = time.Duration(responseHeaderTimeout) * time.Second
+
+	cfg.Scheme = "http"
+	if isHTTPS {
+		cfg.Scheme = "https"
+	}
+
+	return cfg
+}
+
+func proxyConfigFromHeaders(h http.Header) (cfg Config, err error) {
+	cfg.Scheme = h.Get(HeaderXProxyScheme)
+	cfg.Host = h.Get(HeaderXProxyHost)
+
+	cfgBase64 := h.Get(HeaderXProxyConfig)
+	cfgJSON, err := base64.StdEncoding.DecodeString(cfgBase64)
+	if err != nil {
+		return cfg, err
+	}
+
+	err = sonic.Unmarshal(cfgJSON, &cfg)
+	return cfg, err
+}
+
+func (cfg *Config) SetAgentProxyConfigHeadersLegacy(h http.Header) {
+	h.Set(HeaderXProxyHost, cfg.Host)
+	h.Set(HeaderXProxyHTTPS, strconv.FormatBool(cfg.Scheme == "https"))
+	h.Set(HeaderXProxySkipTLSVerify, strconv.FormatBool(cfg.NoTLSVerify))
+	h.Set(HeaderXProxyResponseHeaderTimeout, strconv.Itoa(int(cfg.ResponseHeaderTimeout.Round(time.Second).Seconds())))
+}
+
+func (cfg *Config) SetAgentProxyConfigHeaders(h http.Header) {
+	h.Set(HeaderXProxyHost, cfg.Host)
+	h.Set(HeaderXProxyScheme, string(cfg.Scheme))
+	cfgJSON, _ := sonic.Marshal(cfg.HTTPConfig)
+	cfgBase64 := base64.StdEncoding.EncodeToString(cfgJSON)
+	h.Set(HeaderXProxyConfig, cfgBase64)
+}
--- a/agent/pkg/agentproxy/headers.go
+++ b/agent/pkg/agentproxy/headers.go
@@ -0,0 +1,14 @@
+package agentproxy
+
+const (
+	HeaderXProxyScheme = "X-Proxy-Scheme"
+	HeaderXProxyHost   = "X-Proxy-Host"
+	HeaderXProxyConfig = "X-Proxy-Config"
+)
+
+// deprecated
+const (
+	HeaderXProxyHTTPS                 = "X-Proxy-Https"
+	HeaderXProxySkipTLSVerify         = "X-Proxy-Skip-Tls-Verify"
+	HeaderXProxyResponseHeaderTimeout = "X-Proxy-Response-Header-Timeout"
+)
--- a/agent/pkg/certs/zip.go
+++ b/agent/pkg/certs/zip.go
@@ -0,0 +1,85 @@
+package certs
+
+import (
+	"archive/zip"
+	"bytes"
+	"io"
+	"path/filepath"
+
+	strutils "github.com/yusing/goutils/strings"
+)
+
+const AgentCertsBasePath = "certs"
+
+func writeFile(zipWriter *zip.Writer, name string, data []byte) error {
+	w, err := zipWriter.CreateHeader(&zip.FileHeader{
+		Name:   name,
+		Method: zip.Store,
+	})
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(data)
+	return err
+}
+
+func readFile(f *zip.File) ([]byte, error) {
+	r, err := f.Open()
+	if err != nil {
+		return nil, err
+	}
+	defer r.Close()
+	return io.ReadAll(r)
+}
+
+func ZipCert(ca, crt, key []byte) ([]byte, error) {
+	data := bytes.NewBuffer(make([]byte, 0, 6144))
+	zipWriter := zip.NewWriter(data)
+	defer zipWriter.Close()
+
+	if err := writeFile(zipWriter, "ca.pem", ca); err != nil {
+		return nil, err
+	}
+	if err := writeFile(zipWriter, "cert.pem", crt); err != nil {
+		return nil, err
+	}
+	if err := writeFile(zipWriter, "key.pem", key); err != nil {
+		return nil, err
+	}
+	if err := zipWriter.Close(); err != nil {
+		return nil, err
+	}
+	return data.Bytes(), nil
+}
+
+func isValidAgentHost(host string) bool {
+	return strutils.IsValidFilename(host + ".zip")
+}
+
+func AgentCertsFilepath(host string) (filepathOut string, ok bool) {
+	if !isValidAgentHost(host) {
+		return "", false
+	}
+	return filepath.Join(AgentCertsBasePath, host+".zip"), true
+}
+
+func ExtractCert(data []byte) (ca, crt, key []byte, err error) {
+	zipReader, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	for _, file := range zipReader.File {
+		switch file.Name {
+		case "ca.pem":
+			ca, err = readFile(file)
+		case "cert.pem":
+			crt, err = readFile(file)
+		case "key.pem":
+			key, err = readFile(file)
+		}
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	}
+	return ca, crt, key, nil
+}
--- a/agent/pkg/certs/zip_test.go
+++ b/agent/pkg/certs/zip_test.go
@@ -0,0 +1,20 @@
+package certs_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/godoxy/agent/pkg/certs"
+)
+
+func TestZipCert(t *testing.T) {
+	ca, crt, key := []byte("test1"), []byte("test2"), []byte("test3")
+	zipData, err := certs.ZipCert(ca, crt, key)
+	require.NoError(t, err)
+
+	ca2, crt2, key2, err := certs.ExtractCert(zipData)
+	require.NoError(t, err)
+	require.Equal(t, ca, ca2)
+	require.Equal(t, crt, crt2)
+	require.Equal(t, key, key2)
+}
--- a/agent/pkg/env/env.go
+++ b/agent/pkg/env/env.go
@@ -0,0 +1,49 @@
+package env
+
+import (
+	"os"
+
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/goutils/env"
+
+	"github.com/rs/zerolog/log"
+)
+
+func DefaultAgentName() string {
+	name, err := os.Hostname()
+	if err != nil {
+		return "agent"
+	}
+	return name
+}
+
+var (
+	AgentName                string
+	AgentPort                int
+	AgentSkipClientCertCheck bool
+	AgentCACert              string
+	AgentSSLCert             string
+	DockerSocket             string
+	Runtime                  agent.ContainerRuntime
+)
+
+func init() {
+	Load()
+}
+
+func Load() {
+	DockerSocket = env.GetEnvString("DOCKER_SOCKET", "/var/run/docker.sock")
+	AgentName = env.GetEnvString("AGENT_NAME", DefaultAgentName())
+	AgentPort = env.GetEnvInt("AGENT_PORT", 8890)
+	AgentSkipClientCertCheck = env.GetEnvBool("AGENT_SKIP_CLIENT_CERT_CHECK", false)
+
+	AgentCACert = env.GetEnvString("AGENT_CA_CERT", "")
+	AgentSSLCert = env.GetEnvString("AGENT_SSL_CERT", "")
+	Runtime = agent.ContainerRuntime(env.GetEnvString("RUNTIME", "docker"))
+
+	switch Runtime {
+	case agent.ContainerRuntimeDocker, agent.ContainerRuntimePodman: //, agent.ContainerRuntimeNerdctl:
+	default:
+		log.Fatal().Str("runtime", string(Runtime)).Msg("invalid runtime")
+	}
+}
--- a/agent/pkg/handler/check_health.go
+++ b/agent/pkg/handler/check_health.go
@@ -0,0 +1,91 @@
+package handler
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/bytedance/sonic"
+	"github.com/yusing/godoxy/internal/types"
+	"github.com/yusing/godoxy/internal/watcher/health/monitor"
+)
+
+func CheckHealth(w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+	scheme := query.Get("scheme")
+	if scheme == "" {
+		http.Error(w, "missing scheme", http.StatusBadRequest)
+		return
+	}
+
+	var (
+		result types.HealthCheckResult
+		err    error
+	)
+	switch scheme {
+	case "fileserver":
+		path := query.Get("path")
+		if path == "" {
+			http.Error(w, "missing path", http.StatusBadRequest)
+			return
+		}
+		_, err := os.Stat(path)
+		result = types.HealthCheckResult{Healthy: err == nil}
+		if err != nil {
+			result.Detail = err.Error()
+		}
+	case "http", "https": // path is optional
+		host := query.Get("host")
+		path := query.Get("path")
+		if host == "" {
+			http.Error(w, "missing host", http.StatusBadRequest)
+			return
+		}
+		result, err = monitor.NewHTTPHealthMonitor(&url.URL{
+			Scheme: scheme,
+			Host:   host,
+			Path:   path,
+		}, healthCheckConfigFromRequest(r)).CheckHealth()
+	case "tcp", "udp":
+		host := query.Get("host")
+		if host == "" {
+			http.Error(w, "missing host", http.StatusBadRequest)
+			return
+		}
+		hasPort := strings.Contains(host, ":")
+		port := query.Get("port")
+		if port != "" && hasPort {
+			http.Error(w, "port and host with port cannot both be provided", http.StatusBadRequest)
+			return
+		}
+		if port != "" {
+			host = fmt.Sprintf("%s:%s", host, port)
+		}
+		result, err = monitor.NewRawHealthMonitor(&url.URL{
+			Scheme: scheme,
+			Host:   host,
+		}, healthCheckConfigFromRequest(r)).CheckHealth()
+	}
+
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadGateway)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	sonic.ConfigDefault.NewEncoder(w).Encode(result)
+}
+
+func healthCheckConfigFromRequest(r *http.Request) types.HealthCheckConfig {
+	// we only need timeout and base context because it's one shot request
+	return types.HealthCheckConfig{
+		Timeout: types.HealthCheckTimeoutDefault,
+		BaseContext: func() context.Context {
+			return r.Context()
+		},
+	}
+}
--- a/agent/pkg/handler/check_health_test.go
+++ b/agent/pkg/handler/check_health_test.go
@@ -0,0 +1,226 @@
+package handler_test
+
+import (
+	"encoding/json"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/handler"
+	"github.com/yusing/godoxy/internal/types"
+)
+
+func TestCheckHealthHTTP(t *testing.T) {
+	tests := []struct {
+		name            string
+		setupServer     func() *httptest.Server
+		queryParams     map[string]string
+		expectedStatus  int
+		expectedHealthy bool
+	}{
+		{
+			name: "Valid",
+			setupServer: func() *httptest.Server {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					w.WriteHeader(http.StatusOK)
+				}))
+			},
+			queryParams: map[string]string{
+				"scheme": "http",
+				"host":   "localhost",
+				"path":   "/",
+			},
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+		},
+		{
+			name:        "InvalidQuery",
+			setupServer: nil,
+			queryParams: map[string]string{
+				"scheme": "http",
+			},
+			expectedStatus: http.StatusBadRequest,
+		},
+		{
+			name:        "ConnectionError",
+			setupServer: nil,
+			queryParams: map[string]string{
+				"scheme": "http",
+				"host":   "localhost:12345",
+			},
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var server *httptest.Server
+			if tt.setupServer != nil {
+				server = tt.setupServer()
+				defer server.Close()
+				u, _ := url.Parse(server.URL)
+				tt.queryParams["scheme"] = u.Scheme
+				tt.queryParams["host"] = u.Host
+				tt.queryParams["path"] = u.Path
+			}
+
+			recorder := httptest.NewRecorder()
+			query := url.Values{}
+			for key, value := range tt.queryParams {
+				query.Set(key, value)
+			}
+			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
+			handler.CheckHealth(recorder, request)
+
+			require.Equal(t, recorder.Code, tt.expectedStatus)
+
+			if tt.expectedStatus == http.StatusOK {
+				var result types.HealthCheckResult
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+				require.Equal(t, result.Healthy, tt.expectedHealthy)
+			}
+		})
+	}
+}
+
+func TestCheckHealthFileServer(t *testing.T) {
+	tests := []struct {
+		name            string
+		path            string
+		expectedStatus  int
+		expectedHealthy bool
+		expectedDetail  string
+	}{
+		{
+			name:            "ValidPath",
+			path:            t.TempDir(),
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+			expectedDetail:  "",
+		},
+		{
+			name:            "InvalidPath",
+			path:            "/invalid",
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: false,
+			expectedDetail:  "stat /invalid: no such file or directory",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			query := url.Values{}
+			query.Set("scheme", "fileserver")
+			query.Set("path", tt.path)
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
+			handler.CheckHealth(recorder, request)
+
+			require.Equal(t, recorder.Code, tt.expectedStatus)
+
+			var result types.HealthCheckResult
+			require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+			require.Equal(t, result.Healthy, tt.expectedHealthy)
+			require.Equal(t, result.Detail, tt.expectedDetail)
+		})
+	}
+}
+
+func TestCheckHealthTCPUDP(t *testing.T) {
+	tcp, err := net.Listen("tcp", "localhost:0")
+	require.NoError(t, err)
+	go func() {
+		conn, err := tcp.Accept()
+		require.NoError(t, err)
+		conn.Close()
+	}()
+
+	udp, err := net.ListenPacket("udp", "localhost:0")
+	require.NoError(t, err)
+	go func() {
+		buf := make([]byte, 1024)
+		n, addr, err := udp.ReadFrom(buf)
+		require.NoError(t, err)
+		require.Equal(t, string(buf[:n]), "ping")
+		_, _ = udp.WriteTo([]byte("pong"), addr)
+		udp.Close()
+	}()
+
+	tests := []struct {
+		name            string
+		scheme          string
+		host            string
+		port            int
+		expectedStatus  int
+		expectedHealthy bool
+	}{
+		{
+			name:            "ValidTCP",
+			scheme:          "tcp",
+			host:            "localhost",
+			port:            tcp.Addr().(*net.TCPAddr).Port,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+		},
+		{
+			name:            "InvalidHost",
+			scheme:          "tcp",
+			host:            "",
+			port:            8080,
+			expectedStatus:  http.StatusBadRequest,
+			expectedHealthy: false,
+		},
+		{
+			name:            "ValidUDP",
+			scheme:          "udp",
+			host:            "localhost",
+			port:            udp.LocalAddr().(*net.UDPAddr).Port,
+			expectedStatus:  http.StatusOK,
+			expectedHealthy: true,
+		},
+		{
+			name:            "InvalidHost",
+			scheme:          "udp",
+			host:            "",
+			port:            8080,
+			expectedStatus:  http.StatusBadRequest,
+			expectedHealthy: false,
+		},
+		{
+			name:            "Port in both host and port",
+			scheme:          "tcp",
+			host:            "localhost:1234",
+			port:            1234,
+			expectedStatus:  http.StatusBadRequest,
+			expectedHealthy: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			query := url.Values{}
+			query.Set("scheme", tt.scheme)
+			query.Set("host", tt.host)
+			query.Set("port", strconv.Itoa(tt.port))
+
+			recorder := httptest.NewRecorder()
+			request := httptest.NewRequest(http.MethodGet, agent.APIEndpointBase+agent.EndpointHealth+"?"+query.Encode(), nil)
+			handler.CheckHealth(recorder, request)
+
+			require.Equal(t, recorder.Code, tt.expectedStatus)
+
+			if tt.expectedStatus == http.StatusOK {
+				var result types.HealthCheckResult
+				require.NoError(t, json.Unmarshal(recorder.Body.Bytes(), &result))
+				require.Equal(t, result.Healthy, tt.expectedHealthy)
+			}
+		})
+	}
+}
--- a/agent/pkg/handler/handler.go
+++ b/agent/pkg/handler/handler.go
@@ -0,0 +1,60 @@
+package handler
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/gorilla/websocket"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/env"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	socketproxy "github.com/yusing/godoxy/socketproxy/pkg"
+	"github.com/yusing/goutils/version"
+)
+
+type ServeMux struct{ *http.ServeMux }
+
+func (mux ServeMux) HandleEndpoint(method, endpoint string, handler http.HandlerFunc) {
+	mux.ServeMux.HandleFunc(method+" "+agent.APIEndpointBase+endpoint, handler)
+}
+
+func (mux ServeMux) HandleFunc(endpoint string, handler http.HandlerFunc) {
+	mux.ServeMux.HandleFunc(agent.APIEndpointBase+endpoint, handler)
+}
+
+var upgrader = &websocket.Upgrader{
+	// no origin check needed for internal websocket
+	CheckOrigin: func(r *http.Request) bool {
+		return true
+	},
+}
+
+func NewAgentHandler() http.Handler {
+	gin.SetMode(gin.ReleaseMode)
+	mux := ServeMux{http.NewServeMux()}
+
+	metricsHandler := gin.Default()
+	{
+		metrics := metricsHandler.Group(agent.APIEndpointBase)
+		metrics.GET(agent.EndpointSystemInfo, func(c *gin.Context) {
+			c.Set("upgrader", upgrader)
+			systeminfo.Poller.ServeHTTP(c)
+		})
+	}
+
+	mux.HandleFunc(agent.EndpointProxyHTTP+"/{path...}", ProxyHTTP)
+	mux.HandleEndpoint("GET", agent.EndpointVersion, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, version.Get())
+	})
+	mux.HandleEndpoint("GET", agent.EndpointName, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, env.AgentName)
+	})
+	mux.HandleEndpoint("GET", agent.EndpointRuntime, func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprint(w, env.Runtime)
+	})
+	mux.HandleEndpoint("GET", agent.EndpointHealth, CheckHealth)
+	mux.HandleEndpoint("GET", agent.EndpointSystemInfo, metricsHandler.ServeHTTP)
+	mux.ServeMux.HandleFunc("/", socketproxy.DockerSocketHandler(env.DockerSocket))
+	return mux
+}
--- a/agent/pkg/handler/proxy_http.go
+++ b/agent/pkg/handler/proxy_http.go
@@ -0,0 +1,72 @@
+package handler
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httputil"
+	"strings"
+	"time"
+
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/agentproxy"
+)
+
+func NewTransport() *http.Transport {
+	return &http.Transport{
+		MaxIdleConnsPerHost:   100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		ResponseHeaderTimeout: 60 * time.Second,
+		WriteBufferSize:       16 * 1024, // 16KB
+		ReadBufferSize:        16 * 1024, // 16KB
+	}
+}
+
+func ProxyHTTP(w http.ResponseWriter, r *http.Request) {
+	cfg, err := agentproxy.ConfigFromHeaders(r.Header)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("failed to parse agent proxy config: %s", err.Error()), http.StatusBadRequest)
+		return
+	}
+
+	transport := NewTransport()
+	if cfg.ResponseHeaderTimeout > 0 {
+		transport.ResponseHeaderTimeout = cfg.ResponseHeaderTimeout
+	}
+	if cfg.DisableCompression {
+		transport.DisableCompression = true
+	}
+
+	transport.TLSClientConfig, err = cfg.BuildTLSConfig(r.URL)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("failed to build TLS client config: %s", err.Error()), http.StatusInternalServerError)
+		return
+	}
+
+	// Strip the {API_BASE}/proxy/http prefix while preserving URL escaping.
+	//
+	// NOTE: `r.URL.Path` is decoded. If we rewrite it without keeping `RawPath`
+	// in sync, Go may re-escape the path (e.g. turning "%5B" into "%255B"),
+	// which breaks urls with percent-encoded characters, like Next.js static chunk URLs.
+	prefix := agent.APIEndpointBase + agent.EndpointProxyHTTP
+	r.URL.Path = strings.TrimPrefix(r.URL.Path, prefix)
+	if r.URL.RawPath != "" {
+		if after, ok := strings.CutPrefix(r.URL.RawPath, prefix); ok {
+			r.URL.RawPath = after
+		} else {
+			// RawPath is no longer a valid encoding for Path; force Go to re-derive it.
+			r.URL.RawPath = ""
+		}
+	}
+	r.RequestURI = ""
+
+	rp := &httputil.ReverseProxy{
+		Director: func(r *http.Request) {
+			r.URL.Scheme = cfg.Scheme
+			r.URL.Host = cfg.Host
+		},
+		Transport: transport,
+	}
+	rp.ServeHTTP(w, r)
+}
--- a/agent/pkg/server/server.go
+++ b/agent/pkg/server/server.go
@@ -0,0 +1,43 @@
+package server
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/agent/pkg/env"
+	"github.com/yusing/godoxy/agent/pkg/handler"
+	"github.com/yusing/goutils/server"
+	"github.com/yusing/goutils/task"
+)
+
+type Options struct {
+	CACert, ServerCert *tls.Certificate
+	Port               int
+}
+
+func StartAgentServer(parent task.Parent, opt Options) {
+	caCertPool := x509.NewCertPool()
+	caCertPool.AddCert(opt.CACert.Leaf)
+
+	// Configure TLS
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{*opt.ServerCert},
+		ClientCAs:    caCertPool,
+		ClientAuth:   tls.RequireAndVerifyClientCert,
+	}
+
+	if env.AgentSkipClientCertCheck {
+		tlsConfig.ClientAuth = tls.NoClientCert
+	}
+
+	agentServer := &http.Server{
+		Addr:      fmt.Sprintf(":%d", opt.Port),
+		Handler:   handler.NewAgentHandler(),
+		TLSConfig: tlsConfig,
+	}
+
+	server.Start(parent.Subtask("agent-server", false), agentServer, server.WithLogger(&log.Logger))
+}
--- a/assets/godoxy.png
+++ b/assets/godoxy.png
--- a/bun.lock
+++ b/bun.lock
@@ -1,120 +0,0 @@
-{
-  "lockfileVersion": 1,
-  "workspaces": {
-    "": {
-      "name": "godoxy-types",
-      "devDependencies": {
-        "prettier": "^3.4.2",
-        "typescript": "^5.7.3",
-        "typescript-json-schema": "^0.65.1",
-      },
-    },
-  },
-  "packages": {
-    "@cspotcode/source-map-support": ["@cspotcode/source-map-support@0.8.1", "", { "dependencies": { "@jridgewell/trace-mapping": "0.3.9" } }, "sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw=="],
-
-    "@jridgewell/resolve-uri": ["@jridgewell/resolve-uri@3.1.2", "", {}, "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw=="],
-
-    "@jridgewell/sourcemap-codec": ["@jridgewell/sourcemap-codec@1.5.0", "", {}, "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ=="],
-
-    "@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.9", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.0.3", "@jridgewell/sourcemap-codec": "^1.4.10" } }, "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ=="],
-
-    "@tsconfig/node10": ["@tsconfig/node10@1.0.11", "", {}, "sha512-DcRjDCujK/kCk/cUe8Xz8ZSpm8mS3mNNpta+jGCA6USEDfktlNvm1+IuZ9eTcDbNk41BHwpHHeW+N1lKCz4zOw=="],
-
-    "@tsconfig/node12": ["@tsconfig/node12@1.0.11", "", {}, "sha512-cqefuRsh12pWyGsIoBKJA9luFu3mRxCA+ORZvA4ktLSzIuCUtWVxGIuXigEwO5/ywWFMZ2QEGKWvkZG1zDMTag=="],
-
-    "@tsconfig/node14": ["@tsconfig/node14@1.0.3", "", {}, "sha512-ysT8mhdixWK6Hw3i1V2AeRqZ5WfXg1G43mqoYlM2nc6388Fq5jcXyr5mRsqViLx/GJYdoL0bfXD8nmF+Zn/Iow=="],
-
-    "@tsconfig/node16": ["@tsconfig/node16@1.0.4", "", {}, "sha512-vxhUy4J8lyeyinH7Azl1pdd43GJhZH/tP2weN8TntQblOY+A0XbT8DJk1/oCPuOOyg/Ja757rG0CgHcWC8OfMA=="],
-
-    "@types/json-schema": ["@types/json-schema@7.0.15", "", {}, "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA=="],
-
-    "@types/node": ["@types/node@18.19.74", "", { "dependencies": { "undici-types": "~5.26.4" } }, "sha512-HMwEkkifei3L605gFdV+/UwtpxP6JSzM+xFk2Ia6DNFSwSVBRh9qp5Tgf4lNFOMfPVuU0WnkcWpXZpgn5ufO4A=="],
-
-    "acorn": ["acorn@8.14.0", "", { "bin": { "acorn": "bin/acorn" } }, "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA=="],
-
-    "acorn-walk": ["acorn-walk@8.3.4", "", { "dependencies": { "acorn": "^8.11.0" } }, "sha512-ueEepnujpqee2o5aIYnvHU6C0A42MNdsIDeqy5BydrkuC5R1ZuUFnm27EeFJGoEHJQgn3uleRvmTXaJgfXbt4g=="],
-
-    "ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="],
-
-    "ansi-styles": ["ansi-styles@4.3.0", "", { "dependencies": { "color-convert": "^2.0.1" } }, "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg=="],
-
-    "arg": ["arg@4.1.3", "", {}, "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA=="],
-
-    "balanced-match": ["balanced-match@1.0.2", "", {}, "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="],
-
-    "brace-expansion": ["brace-expansion@1.1.11", "", { "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA=="],
-
-    "cliui": ["cliui@8.0.1", "", { "dependencies": { "string-width": "^4.2.0", "strip-ansi": "^6.0.1", "wrap-ansi": "^7.0.0" } }, "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ=="],
-
-    "color-convert": ["color-convert@2.0.1", "", { "dependencies": { "color-name": "~1.1.4" } }, "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ=="],
-
-    "color-name": ["color-name@1.1.4", "", {}, "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="],
-
-    "concat-map": ["concat-map@0.0.1", "", {}, "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg=="],
-
-    "create-require": ["create-require@1.1.1", "", {}, "sha512-dcKFX3jn0MpIaXjisoRvexIJVEKzaq7z2rZKxf+MSr9TkdmHmsU4m2lcLojrj/FHl8mk5VxMmYA+ftRkP/3oKQ=="],
-
-    "diff": ["diff@4.0.2", "", {}, "sha512-58lmxKSA4BNyLz+HHMUzlOEpg09FV+ev6ZMe3vJihgdxzgcwZ8VoEEPmALCZG9LmqfVoNMMKpttIYTVG6uDY7A=="],
-
-    "emoji-regex": ["emoji-regex@8.0.0", "", {}, "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="],
-
-    "escalade": ["escalade@3.2.0", "", {}, "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA=="],
-
-    "fs.realpath": ["fs.realpath@1.0.0", "", {}, "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw=="],
-
-    "get-caller-file": ["get-caller-file@2.0.5", "", {}, "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg=="],
-
-    "glob": ["glob@7.2.3", "", { "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" } }, "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q=="],
-
-    "inflight": ["inflight@1.0.6", "", { "dependencies": { "once": "^1.3.0", "wrappy": "1" } }, "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA=="],
-
-    "inherits": ["inherits@2.0.4", "", {}, "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="],
-
-    "is-fullwidth-code-point": ["is-fullwidth-code-point@3.0.0", "", {}, "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg=="],
-
-    "make-error": ["make-error@1.3.6", "", {}, "sha512-s8UhlNe7vPKomQhC1qFelMokr/Sc3AgNbso3n74mVPA5LTZwkB9NlXf4XPamLxJE8h0gh73rM94xvwRT2CVInw=="],
-
-    "minimatch": ["minimatch@3.1.2", "", { "dependencies": { "brace-expansion": "^1.1.7" } }, "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw=="],
-
-    "once": ["once@1.4.0", "", { "dependencies": { "wrappy": "1" } }, "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w=="],
-
-    "path-equal": ["path-equal@1.2.5", "", {}, "sha512-i73IctDr3F2W+bsOWDyyVm/lqsXO47aY9nsFZUjTT/aljSbkxHxxCoyZ9UUrM8jK0JVod+An+rl48RCsvWM+9g=="],
-
-    "path-is-absolute": ["path-is-absolute@1.0.1", "", {}, "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg=="],
-
-    "prettier": ["prettier@3.4.2", "", { "bin": { "prettier": "bin/prettier.cjs" } }, "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ=="],
-
-    "require-directory": ["require-directory@2.1.1", "", {}, "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q=="],
-
-    "safe-stable-stringify": ["safe-stable-stringify@2.5.0", "", {}, "sha512-b3rppTKm9T+PsVCBEOUR46GWI7fdOs00VKZ1+9c1EWDaDMvjQc6tUwuFyIprgGgTcWoVHSKrU8H31ZHA2e0RHA=="],
-
-    "string-width": ["string-width@4.2.3", "", { "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g=="],
-
-    "strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="],
-
-    "ts-node": ["ts-node@10.9.2", "", { "dependencies": { "@cspotcode/source-map-support": "^0.8.0", "@tsconfig/node10": "^1.0.7", "@tsconfig/node12": "^1.0.7", "@tsconfig/node14": "^1.0.0", "@tsconfig/node16": "^1.0.2", "acorn": "^8.4.1", "acorn-walk": "^8.1.1", "arg": "^4.1.0", "create-require": "^1.1.0", "diff": "^4.0.1", "make-error": "^1.1.1", "v8-compile-cache-lib": "^3.0.1", "yn": "3.1.1" }, "peerDependencies": { "@swc/core": ">=1.2.50", "@swc/wasm": ">=1.2.50", "@types/node": "*", "typescript": ">=2.7" }, "optionalPeers": ["@swc/core", "@swc/wasm"], "bin": { "ts-node": "dist/bin.js", "ts-script": "dist/bin-script-deprecated.js", "ts-node-cwd": "dist/bin-cwd.js", "ts-node-esm": "dist/bin-esm.js", "ts-node-script": "dist/bin-script.js", "ts-node-transpile-only": "dist/bin-transpile.js" } }, "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ=="],
-
-    "typescript": ["typescript@5.7.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw=="],
-
-    "typescript-json-schema": ["typescript-json-schema@0.65.1", "", { "dependencies": { "@types/json-schema": "^7.0.9", "@types/node": "^18.11.9", "glob": "^7.1.7", "path-equal": "^1.2.5", "safe-stable-stringify": "^2.2.0", "ts-node": "^10.9.1", "typescript": "~5.5.0", "yargs": "^17.1.1" }, "bin": { "typescript-json-schema": "bin/typescript-json-schema" } }, "sha512-tuGH7ff2jPaUYi6as3lHyHcKpSmXIqN7/mu50x3HlYn0EHzLpmt3nplZ7EuhUkO0eqDRc9GqWNkfjgBPIS9kxg=="],
-
-    "undici-types": ["undici-types@5.26.5", "", {}, "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="],
-
-    "v8-compile-cache-lib": ["v8-compile-cache-lib@3.0.1", "", {}, "sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg=="],
-
-    "wrap-ansi": ["wrap-ansi@7.0.0", "", { "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", "strip-ansi": "^6.0.0" } }, "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q=="],
-
-    "wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="],
-
-    "y18n": ["y18n@5.0.8", "", {}, "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA=="],
-
-    "yargs": ["yargs@17.7.2", "", { "dependencies": { "cliui": "^8.0.1", "escalade": "^3.1.1", "get-caller-file": "^2.0.5", "require-directory": "^2.1.1", "string-width": "^4.2.3", "y18n": "^5.0.5", "yargs-parser": "^21.1.1" } }, "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w=="],
-
-    "yargs-parser": ["yargs-parser@21.1.1", "", {}, "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw=="],
-
-    "yn": ["yn@3.1.1", "", {}, "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q=="],
-
-    "typescript-json-schema/typescript": ["typescript@5.5.4", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q=="],
-  }
-}
--- a/cmd/bench_server/Dockerfile
+++ b/cmd/bench_server/Dockerfile
@@ -0,0 +1,18 @@
+FROM golang:1.25.5-alpine AS builder
+
+HEALTHCHECK NONE
+
+WORKDIR /src
+
+COPY go.mod go.sum ./
+COPY main.go ./
+
+RUN go build -o bench_server main.go
+
+FROM scratch
+
+COPY --from=builder /src/bench_server /app/run
+
+USER 1001:1001
+
+CMD ["/app/run"]
--- a/cmd/bench_server/go.mod
+++ b/cmd/bench_server/go.mod
@@ -0,0 +1,3 @@
+module github.com/yusing/godoxy/cmd/bench_server
+
+go 1.25.5
--- a/cmd/bench_server/go.sum
+++ b/cmd/bench_server/go.sum
--- a/cmd/bench_server/main.go
+++ b/cmd/bench_server/main.go
@@ -0,0 +1,34 @@
+package main
+
+import (
+	"log"
+	"net/http"
+
+	"math/rand/v2"
+)
+
+var printables = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+var random = make([]byte, 4096)
+
+func init() {
+	for i := range random {
+		random[i] = printables[rand.IntN(len(printables))]
+	}
+}
+
+func main() {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write(random)
+	})
+
+	server := &http.Server{
+		Addr:    ":80",
+		Handler: handler,
+	}
+
+	log.Println("Bench server listening on :80")
+	if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		log.Fatalf("ListenAndServe: %v", err)
+	}
+}
--- a/cmd/debug_page.go
+++ b/cmd/debug_page.go
@@ -0,0 +1,257 @@
+//go:build !production
+
+package main
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/api"
+	apiV1 "github.com/yusing/godoxy/internal/api/v1"
+	agentApi "github.com/yusing/godoxy/internal/api/v1/agent"
+	authApi "github.com/yusing/godoxy/internal/api/v1/auth"
+	certApi "github.com/yusing/godoxy/internal/api/v1/cert"
+	dockerApi "github.com/yusing/godoxy/internal/api/v1/docker"
+	fileApi "github.com/yusing/godoxy/internal/api/v1/file"
+	homepageApi "github.com/yusing/godoxy/internal/api/v1/homepage"
+	metricsApi "github.com/yusing/godoxy/internal/api/v1/metrics"
+	routeApi "github.com/yusing/godoxy/internal/api/v1/route"
+	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/godoxy/internal/idlewatcher"
+	idlewatcherTypes "github.com/yusing/godoxy/internal/idlewatcher/types"
+)
+
+type debugMux struct {
+	endpoints []debugEndpoint
+	mux       http.ServeMux
+}
+
+type debugEndpoint struct {
+	name   string
+	method string
+	path   string
+}
+
+func newDebugMux() *debugMux {
+	return &debugMux{
+		endpoints: make([]debugEndpoint, 0),
+		mux:       *http.NewServeMux(),
+	}
+}
+
+func (mux *debugMux) registerEndpoint(name, method, path string) {
+	mux.endpoints = append(mux.endpoints, debugEndpoint{name: name, method: method, path: path})
+}
+
+func (mux *debugMux) HandleFunc(name, method, path string, handler http.HandlerFunc) {
+	mux.registerEndpoint(name, method, path)
+	mux.mux.HandleFunc(method+" "+path, handler)
+}
+
+func (mux *debugMux) Finalize() {
+	mux.mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintln(w, `
+<!DOCTYPE html>
+<html>
+	<head>
+		<style>
+				body {
+					font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial, Apple Color Emoji, Segoe UI Emoji;
+					font-size: 16px;
+					line-height: 1.5;
+					color: #f8f9fa;
+					background-color: #121212;
+					margin: 0;
+					padding: 0;
+				}
+				table {
+					border-collapse: collapse;
+					width: 100%;
+					margin-top: 20px;
+				}
+				th, td {
+					padding: 12px;
+					text-align: left;
+					border-bottom: 1px solid #333;
+				}
+				th {
+					background-color: #1e1e1e;
+					font-weight: 600;
+					color: #f8f9fa;
+				}
+				td {
+					color: #e9ecef;
+				}
+				.link {
+					color: #007bff;
+					text-decoration: none;
+				}
+				.link:hover {
+					text-decoration: underline;
+				}
+				.method {
+					color: #6c757d;
+					font-family: monospace;
+				}
+				.path {
+					color: #6c757d;
+					font-family: monospace;
+				}
+		</style>
+	</head>
+	<body>
+		<table>
+			<thead>
+				<tr>
+					<th>Name</th>
+					<th>Method</th>
+					<th>Path</th>
+				</tr>
+			</thead>
+			<tbody>`)
+		for _, endpoint := range mux.endpoints {
+			fmt.Fprintf(w, "<tr><td><a class='link' href=%q>%s</a></td><td class='method'>%s</td><td class='path'>%s</td></tr>", endpoint.path, endpoint.name, endpoint.method, endpoint.path)
+		}
+		fmt.Fprintln(w, `
+			</tbody>
+		</table>
+	</body>
+</html>`)
+	})
+}
+
+func listenDebugServer() {
+	mux := newDebugMux()
+	mux.mux.HandleFunc("/favicon.ico", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "image/svg+xml")
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><text x="50" y="50" text-anchor="middle" dominant-baseline="middle">🐙</text></svg>`))
+	})
+
+	mux.HandleFunc("Auth block page", "GET", "/auth/block", AuthBlockPageHandler)
+	mux.HandleFunc("Idlewatcher loading page", "GET", idlewatcherTypes.PathPrefix, idlewatcher.DebugHandler)
+	apiHandler := newApiHandler(mux)
+	mux.mux.HandleFunc("/api/v1/", apiHandler.ServeHTTP)
+
+	mux.Finalize()
+
+	go http.ListenAndServe(":7777", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Pragma", "no-cache")
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+		w.Header().Set("Expires", "0")
+		mux.mux.ServeHTTP(w, r)
+	}))
+}
+
+func newApiHandler(debugMux *debugMux) *gin.Engine {
+	r := gin.New()
+	r.Use(api.ErrorHandler())
+	r.Use(api.ErrorLoggingMiddleware())
+	r.Use(api.NoCache())
+
+	registerGinRoute := func(router gin.IRouter, method, name string, path string, handler gin.HandlerFunc) {
+		if group, ok := router.(*gin.RouterGroup); ok {
+			debugMux.registerEndpoint(name, method, group.BasePath()+path)
+		} else {
+			debugMux.registerEndpoint(name, method, path)
+		}
+		router.Handle(method, path, handler)
+	}
+
+	registerGinRoute(r, "GET", "App version", "/api/v1/version", apiV1.Version)
+
+	v1 := r.Group("/api/v1")
+	if auth.IsEnabled() {
+		v1Auth := v1.Group("/auth")
+		{
+			registerGinRoute(v1Auth, "HEAD", "Auth check", "/check", authApi.Check)
+			registerGinRoute(v1Auth, "POST", "Auth login", "/login", authApi.Login)
+			registerGinRoute(v1Auth, "GET", "Auth callback", "/callback", authApi.Callback)
+			registerGinRoute(v1Auth, "POST", "Auth callback", "/callback", authApi.Callback)
+			registerGinRoute(v1Auth, "POST", "Auth logout", "/logout", authApi.Logout)
+			registerGinRoute(v1Auth, "GET", "Auth logout", "/logout", authApi.Logout)
+		}
+	}
+
+	{
+		// enable cache for favicon
+		registerGinRoute(v1, "GET", "Route favicon", "/favicon", apiV1.FavIcon)
+		registerGinRoute(v1, "GET", "Route health", "/health", apiV1.Health)
+		registerGinRoute(v1, "GET", "List icons", "/icons", apiV1.Icons)
+		registerGinRoute(v1, "POST", "Config reload", "/reload", apiV1.Reload)
+		registerGinRoute(v1, "GET", "Route stats", "/stats", apiV1.Stats)
+
+		route := v1.Group("/route")
+		{
+			registerGinRoute(route, "GET", "List routes", "/list", routeApi.Routes)
+			registerGinRoute(route, "GET", "Get route", "/:which", routeApi.Route)
+			registerGinRoute(route, "GET", "List providers", "/providers", routeApi.Providers)
+			registerGinRoute(route, "GET", "List routes by provider", "/by_provider", routeApi.ByProvider)
+			registerGinRoute(route, "POST", "Playground", "/playground", routeApi.Playground)
+		}
+
+		file := v1.Group("/file")
+		{
+			registerGinRoute(file, "GET", "List files", "/list", fileApi.List)
+			registerGinRoute(file, "GET", "Get file", "/content", fileApi.Get)
+			registerGinRoute(file, "PUT", "Set file", "/content", fileApi.Set)
+			registerGinRoute(file, "POST", "Set file", "/content", fileApi.Set)
+			registerGinRoute(file, "POST", "Validate file", "/validate", fileApi.Validate)
+		}
+
+		homepage := v1.Group("/homepage")
+		{
+			registerGinRoute(homepage, "GET", "List categories", "/categories", homepageApi.Categories)
+			registerGinRoute(homepage, "GET", "List items", "/items", homepageApi.Items)
+			registerGinRoute(homepage, "POST", "Set item", "/set/item", homepageApi.SetItem)
+			registerGinRoute(homepage, "POST", "Set items batch", "/set/items_batch", homepageApi.SetItemsBatch)
+			registerGinRoute(homepage, "POST", "Set item visible", "/set/item_visible", homepageApi.SetItemVisible)
+			registerGinRoute(homepage, "POST", "Set item favorite", "/set/item_favorite", homepageApi.SetItemFavorite)
+			registerGinRoute(homepage, "POST", "Set item sort order", "/set/item_sort_order", homepageApi.SetItemSortOrder)
+			registerGinRoute(homepage, "POST", "Set item all sort order", "/set/item_all_sort_order", homepageApi.SetItemAllSortOrder)
+			registerGinRoute(homepage, "POST", "Set item fav sort order", "/set/item_fav_sort_order", homepageApi.SetItemFavSortOrder)
+			registerGinRoute(homepage, "POST", "Set category order", "/set/category_order", homepageApi.SetCategoryOrder)
+			registerGinRoute(homepage, "POST", "Item click", "/item_click", homepageApi.ItemClick)
+		}
+
+		cert := v1.Group("/cert")
+		{
+			registerGinRoute(cert, "GET", "Get cert info", "/info", certApi.Info)
+			registerGinRoute(cert, "GET", "Renew cert", "/renew", certApi.Renew)
+		}
+
+		agent := v1.Group("/agent")
+		{
+			registerGinRoute(agent, "GET", "List agents", "/list", agentApi.List)
+			registerGinRoute(agent, "POST", "Create agent", "/create", agentApi.Create)
+			registerGinRoute(agent, "POST", "Verify agent", "/verify", agentApi.Verify)
+		}
+
+		metrics := v1.Group("/metrics")
+		{
+			registerGinRoute(metrics, "GET", "Get system info", "/system_info", metricsApi.SystemInfo)
+			registerGinRoute(metrics, "GET", "Get all system info", "/all_system_info", metricsApi.AllSystemInfo)
+			registerGinRoute(metrics, "GET", "Get uptime", "/uptime", metricsApi.Uptime)
+		}
+
+		docker := v1.Group("/docker")
+		{
+			registerGinRoute(docker, "GET", "Get container", "/container/:id", dockerApi.GetContainer)
+			registerGinRoute(docker, "GET", "List containers", "/containers", dockerApi.Containers)
+			registerGinRoute(docker, "GET", "Get docker info", "/info", dockerApi.Info)
+			registerGinRoute(docker, "GET", "Get docker logs", "/logs/:id", dockerApi.Logs)
+			registerGinRoute(docker, "POST", "Start docker container", "/start", dockerApi.Start)
+			registerGinRoute(docker, "POST", "Stop docker container", "/stop", dockerApi.Stop)
+			registerGinRoute(docker, "POST", "Restart docker container", "/restart", dockerApi.Restart)
+		}
+	}
+
+	return r
+}
+
+func AuthBlockPageHandler(w http.ResponseWriter, r *http.Request) {
+	auth.WriteBlockPage(w, http.StatusForbidden, "Forbidden", "Login", "/login")
+}
--- a/cmd/debug_page_prod.go
+++ b/cmd/debug_page_prod.go
@@ -0,0 +1,7 @@
+//go:build production
+
+package main
+
+func listenDebugServer() {
+	// no-op
+}
--- a/cmd/h2c_test_server/Dockerfile
+++ b/cmd/h2c_test_server/Dockerfile
@@ -0,0 +1,18 @@
+FROM golang:1.25.5-alpine AS builder
+
+HEALTHCHECK NONE
+
+WORKDIR /src
+
+COPY go.mod go.sum ./
+COPY main.go ./
+
+RUN go build -o h2c_test_server main.go
+
+FROM scratch
+
+COPY --from=builder /src/h2c_test_server /app/run
+
+USER 1001:1001
+
+CMD ["/app/run"]
--- a/cmd/h2c_test_server/go.mod
+++ b/cmd/h2c_test_server/go.mod
@@ -0,0 +1,7 @@
+module github.com/yusing/godoxy/cmd/h2c_test_server
+
+go 1.25.5
+
+require golang.org/x/net v0.48.0
+
+require golang.org/x/text v0.32.0 // indirect
--- a/cmd/h2c_test_server/go.sum
+++ b/cmd/h2c_test_server/go.sum
@@ -0,0 +1,4 @@
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
--- a/cmd/h2c_test_server/main.go
+++ b/cmd/h2c_test_server/main.go
@@ -0,0 +1,26 @@
+package main
+
+import (
+	"log"
+	"net/http"
+
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
+)
+
+func main() {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("ok"))
+	})
+
+	server := &http.Server{
+		Addr:    ":80",
+		Handler: h2c.NewHandler(handler, &http2.Server{}),
+	}
+
+	log.Println("H2C server listening on :80")
+	if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		log.Fatalf("ListenAndServe: %v", err)
+	}
+}
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -1,170 +1,89 @@
 package main

 import (
-	"encoding/json"
-	"io"
-	"log"
 	"os"
-	"os/signal"
-	"syscall"
-	"time"
+	"sync"

-	"github.com/rs/zerolog"
-	"github.com/yusing/go-proxy/internal"
-	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/auth"
-	"github.com/yusing/go-proxy/internal/api/v1/favicon"
-	"github.com/yusing/go-proxy/internal/api/v1/query"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/config"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-	"github.com/yusing/go-proxy/internal/route/routes/routequery"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/pkg"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/internal/api"
+	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/config"
+	"github.com/yusing/godoxy/internal/dnsproviders"
+	"github.com/yusing/godoxy/internal/homepage"
+	"github.com/yusing/godoxy/internal/logging"
+	"github.com/yusing/godoxy/internal/logging/memlogger"
+	"github.com/yusing/godoxy/internal/metrics/systeminfo"
+	"github.com/yusing/godoxy/internal/metrics/uptime"
+	"github.com/yusing/godoxy/internal/net/gphttp/middleware"
+	"github.com/yusing/godoxy/internal/route/rules"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/server"
+	"github.com/yusing/goutils/task"
+	"github.com/yusing/goutils/version"
 )

-var rawLogger = log.New(os.Stdout, "", 0)
-
-func init() {
-	var out io.Writer = os.Stderr
-	if common.EnableLogStreaming {
-		out = zerolog.MultiLevelWriter(out, v1.GetMemLogger())
+func parallel(fns ...func()) {
+	var wg sync.WaitGroup
+	for _, fn := range fns {
+		wg.Go(fn)
 	}
-	logging.InitLogger(out)
-	// logging.AddHook(v1.GetMemLogger())
-	internal.InitIconListCache()
-	homepage.InitOverridesConfig()
-	favicon.InitIconCache()
+	wg.Wait()
 }

 func main() {
 	initProfiling()
-	args := common.GetArgs()

-	switch args.Command {
-	case common.CommandSetup:
-		internal.Setup()
-		return
-	case common.CommandReload:
-		if err := query.ReloadServer(); err != nil {
-			E.LogFatal("server reload error", err)
-		}
-		rawLogger.Println("ok")
-		return
-	case common.CommandListIcons:
-		icons, err := internal.ListAvailableIcons()
-		if err != nil {
-			rawLogger.Fatal(err)
-		}
-		printJSON(icons)
-		return
-	case common.CommandListRoutes:
-		routes, err := query.ListRoutes()
-		if err != nil {
-			log.Printf("failed to connect to api server: %s", err)
-			log.Printf("falling back to config file")
-		} else {
-			printJSON(routes)
-			return
-		}
-	case common.CommandDebugListMTrace:
-		trace, err := query.ListMiddlewareTraces()
-		if err != nil {
-			log.Fatal(err)
-		}
-		printJSON(trace)
-		return
-	}
+	logging.InitLogger(os.Stderr, memlogger.GetMemLogger())
+	log.Info().Msgf("GoDoxy version %s", version.Get())
+	log.Trace().Msg("trace enabled")
+	parallel(
+		dnsproviders.InitProviders,
+		homepage.InitIconListCache,
+		systeminfo.Poller.Start,
+		middleware.LoadComposeFiles,
+	)

-	if args.Command == common.CommandStart {
-		logging.Info().Msgf("GoDoxy version %s", pkg.GetVersion())
-		logging.Trace().Msg("trace enabled")
-		// logging.AddHook(notif.GetDispatcher())
-	} else {
-		logging.DiscardLogger()
-	}
-
-	if args.Command == common.CommandValidate {
-		data, err := os.ReadFile(common.ConfigPath)
-		if err == nil {
-			err = config.Validate(data)
-		}
-		if err != nil {
-			log.Fatal("config error: ", err)
-		}
-		log.Print("config OK")
-		return
+	if common.APIJWTSecret == nil {
+		log.Warn().Msg("API_JWT_SECRET is not set, using random key")
+		common.APIJWTSecret = common.RandomJWTKey()
 	}

 	for _, dir := range common.RequiredDirectories {
 		prepareDirectory(dir)
 	}

-	middleware.LoadComposeFiles()
-
-	var cfg *config.Config
-	var err E.Error
-	if cfg, err = config.Load(); err != nil {
-		E.LogWarn("errors in config", err)
+	err := config.Load()
+	if err != nil {
+		gperr.LogWarn("errors in config", err)
 	}

-	switch args.Command {
-	case common.CommandListRoutes:
-		cfg.StartProxyProviders()
-		printJSON(routequery.RoutesByAlias())
-		return
-	case common.CommandListConfigs:
-		printJSON(cfg.Value())
-		return
-	case common.CommandDebugListEntries:
-		printJSON(cfg.DumpEntries())
-		return
-	case common.CommandDebugListProviders:
-		printJSON(cfg.DumpRouteProviders())
-		return
-	}
+	config.StartProxyServers()

-	cfg.Start(&config.StartServersOptions{
-		Proxy: true,
-	})
 	if err := auth.Initialize(); err != nil {
-		logging.Fatal().Err(err).Msg("failed to initialize authentication")
+		log.Fatal().Err(err).Msg("failed to initialize authentication")
 	}
+	rules.InitAuthHandler(auth.AuthOrProceed)
+
 	// API Handler needs to start after auth is initialized.
-	cfg.StartServers(&config.StartServersOptions{
-		API: true,
+	server.StartServer(task.RootTask("api_server", false), server.Options{
+		Name:     "api",
+		HTTPAddr: common.APIHTTPAddr,
+		Handler:  api.NewHandler(),
 	})

+	listenDebugServer()
+
+	uptime.Poller.Start()
 	config.WatchChanges()

-	sig := make(chan os.Signal, 1)
-	signal.Notify(sig, syscall.SIGINT)
-	signal.Notify(sig, syscall.SIGTERM)
-	signal.Notify(sig, syscall.SIGHUP)
-
-	// wait for signal
-	<-sig
-
-	// gracefully shutdown
-	logging.Info().Msg("shutting down")
-	_ = task.GracefulShutdown(time.Second * time.Duration(cfg.Value().TimeoutShutdown))
+	task.WaitExit(config.Value().TimeoutShutdown)
 }

 func prepareDirectory(dir string) {
 	if _, err := os.Stat(dir); os.IsNotExist(err) {
 		if err = os.MkdirAll(dir, 0o755); err != nil {
-			logging.Fatal().Msgf("failed to create directory %s: %v", dir, err)
+			log.Fatal().Msgf("failed to create directory %s: %v", dir, err)
 		}
 	}
 }
-
-func printJSON(obj any) {
-	j, err := json.MarshalIndent(obj, "", "  ")
-	if err != nil {
-		logging.Fatal().Err(err).Send()
-	}
-	rawLogger.Print(string(j)) // raw output for convenience using "jq"
-}
--- a/cmd/main_prof.go
+++ b/cmd/main_prof.go
@@ -1,20 +0,0 @@
-//go:build pprof
-
-package main
-
-import (
-	"log"
-	"net/http"
-	_ "net/http/pprof"
-	"runtime"
-	"runtime/debug"
-)
-
-func initProfiling() {
-	runtime.GOMAXPROCS(2)
-	debug.SetMemoryLimit(100 * 1024 * 1024)
-	debug.SetMaxStack(15 * 1024 * 1024)
-	go func() {
-		log.Println(http.ListenAndServe(":7777", nil))
-	}()
-}
--- a/cmd/pprof_production.go
+++ b/cmd/pprof_production.go
@@ -1,4 +1,4 @@
-//go:build production
+//go:build !pprof

 package main

--- a/cmd/pprof_prof.go
+++ b/cmd/pprof_prof.go
@@ -0,0 +1,48 @@
+//go:build pprof
+
+package main
+
+import (
+	"net/http"
+	_ "net/http/pprof"
+	"runtime"
+	"runtime/debug"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	strutils "github.com/yusing/goutils/strings"
+)
+
+func initProfiling() {
+	go func() {
+		log.Info().Msgf("pprof server started at http://localhost:7777/debug/pprof/")
+		log.Error().Err(http.ListenAndServe(":7777", nil)).Msg("pprof server failed")
+	}()
+	go func() {
+		ticker := time.NewTicker(time.Second * 10)
+		defer ticker.Stop()
+
+		var m runtime.MemStats
+		var gcStats debug.GCStats
+
+		for range ticker.C {
+			runtime.ReadMemStats(&m)
+			debug.ReadGCStats(&gcStats)
+
+			log.Info().Msgf("-----------------------------------------------------")
+			log.Info().Msgf("Timestamp: %s", time.Now().Format(time.RFC3339))
+			log.Info().Msgf("  Go Heap - In Use (Alloc/HeapAlloc): %s", strutils.FormatByteSize(m.Alloc))
+			log.Info().Msgf("  Go Heap - Reserved from OS (HeapSys): %s", strutils.FormatByteSize(m.HeapSys))
+			log.Info().Msgf("  Go Stacks - In Use (StackInuse): %s", strutils.FormatByteSize(m.StackInuse))
+			log.Info().Msgf("  Go Runtime - Other Sys (MSpanInuse, MCacheInuse, BuckHashSys, GCSys, OtherSys): %s", strutils.FormatByteSize(m.MSpanInuse+m.MCacheInuse+m.BuckHashSys+m.GCSys+m.OtherSys))
+			log.Info().Msgf("  Go Runtime - Total from OS (Sys): %s", strutils.FormatByteSize(m.Sys))
+			log.Info().Msgf("  Go Runtime - Freed from OS (HeapReleased): %s", strutils.FormatByteSize(m.HeapReleased))
+			log.Info().Msgf("  Number of Goroutines: %d", runtime.NumGoroutine())
+			log.Info().Msgf("  Number of completed GC cycles: %d", m.NumGC)
+			log.Info().Msgf("  Number of GCs: %d", gcStats.NumGC)
+			log.Info().Msgf("  Total GC time: %s", gcStats.PauseTotal)
+			log.Info().Msgf("  Last GC time: %s", gcStats.LastGC.Format(time.DateTime))
+			log.Info().Msg("-----------------------------------------------------")
+		}
+	}()
+}
--- a/compose.example.yml
+++ b/compose.example.yml
@@ -1,40 +1,84 @@
 ---
 services:
+  socket-proxy:
+    container_name: socket-proxy
+    image: ghcr.io/yusing/socket-proxy:latest
+    environment:
+      - ALLOW_START=1
+      - ALLOW_STOP=1
+      - ALLOW_RESTARTS=1
+      - CONTAINERS=1
+      - EVENTS=1
+      - INFO=1
+      - PING=1
+      - POST=1
+      - VERSION=1
+    volumes:
+      - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
+    restart: unless-stopped
+    tmpfs:
+      - /run
+    ports:
+      - ${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}:2375
  frontend:
-    image: ghcr.io/yusing/go-proxy-frontend:latest
+    image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}
+    # lite variant
+    # image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}-lite
    container_name: godoxy-frontend
    restart: unless-stopped
-    network_mode: host
    env_file: .env
+    # comment out `user` for lite variant
+    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    read_only: true
+    tmpfs:
+      - /app/.next/cache # next image caching
+
+      # for lite variant, do not change uid/gid
+      # - /var/cache/nginx:uid=101,gid=101
+      # - /run:uid=101,gid=101
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - all
    depends_on:
      - app
-    # modify below to fit your needs
    labels:
-      proxy.aliases: gp
-      proxy.#1.port: 3000
-      # proxy.#1.middlewares.cidr_whitelist.status: 403
-      # proxy.#1.middlewares.cidr_whitelist.message: IP not allowed
-      # proxy.#1.middlewares.cidr_whitelist.allow: |
+      proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy}
+      # proxy.#1.middlewares.cidr_whitelist: |
+      #   status: 403
+      #   message: IP not allowed
+      #   allow:
      #     - 127.0.0.1
      #     - 10.0.0.0/8
      #     - 192.168.0.0/16
      #     - 172.16.0.0/12
  app:
-    image: ghcr.io/yusing/go-proxy:latest
-    container_name: godoxy
+    image: ghcr.io/yusing/godoxy:${TAG:-latest}
+    container_name: godoxy-proxy
    restart: always
-    network_mode: host
+    network_mode: host # do not change this
    env_file: .env
+    user: ${GODOXY_UID:-1000}:${GODOXY_GID:-1000}
+    depends_on:
+      socket-proxy:
+        condition: service_started
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - all
+    cap_add:
+      - NET_BIND_SERVICE
+    environment:
+      - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}
    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
      - ./config:/app/config
      - ./logs:/app/logs
-      - ./error_pages:/app/error_pages
+      - ./error_pages:/app/error_pages:ro
+      - ./data:/app/data

-      # To use autocert, certs will be stored in "./certs".
-      # You can also use a docker volume to store it
+      # This path stores certs obtained from autocert and agent TLS client certs
      - ./certs:/app/certs

-      # remove "./certs:/app/certs" and uncomment below to use existing certificate
+      # mount existing certificate
      # - /path/to/certs/cert.crt:/app/certs/cert.crt
      # - /path/to/certs/priv.key:/app/certs/priv.key
--- a/config.example.yml
+++ b/config.example.yml
@@ -4,6 +4,8 @@

 # autocert:
 #   provider: local
+#   cert_path: /path/to/cert.crt # default: /app/certs/cert.crt
+#   key_path: /path/to/priv.key # default: /app/certs/priv.key

 # 2. cloudflare
 # autocert:
@@ -15,28 +17,82 @@
 #   options:
 #     auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token

-# 3. other providers, see https://github.com/yusing/go-proxy/wiki/Supported-DNS%E2%80%9001-Providers#supported-dns-01-providers
+# 3. other providers, see https://docs.godoxy.dev/DNS-01-Providers
+
+# Access Control
+# When enabled, it will be applied globally at connection level,
+# all incoming connections (web, tcp and udp) will be checked against the ACL rules.
+
+# acl:
+#   default: allow # or deny (default: allow)
+#   allow_local: true # or false (default: true)
+#   allow:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   deny:
+#     - ip:1.2.3.4
+#     - cidr:1.2.3.4/32
+#     - country:US
+#     - timezone:Asia/Shanghai
+#   log: # warning: logging ACL can be slow based on the number of incoming connections and configured rules
+#     path: /app/logs/acl.log # (default: none)
+#     stdout: false # (default: false)
+#     keep: 30 days # (default: 30 days)
+#     log_allowed: false # (default: false)
+#   notify:
+#     interval: 1m # (default: 1m)
+#     to: [gotify, discord] # names under providers.notification
+#     include_allowed: false # (default: false)

 entrypoint:
+  # Proxy Protocol: https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address
+  # When set to true, web entrypoint and all tcp routes will be wrapped with Proxy Protocol listener in order to preserve the client's IP address.
+  # Note that HTTP/3 with proxy protocol is not supported yet.
+  support_proxy_protocol: false
+
  # Below define an example of middleware config
-  # 1. block non local IP connections
-  # 2. redirect HTTP to HTTPS
+  # 1. set security headers
+  # 2. block non local IP connections
+  # 3. redirect HTTP to HTTPS
  #
-  # middlewares:
-  #   - use: CIDRWhitelist
-  #     allow:
-  #       - "127.0.0.1"
-  #       - "10.0.0.0/8"
-  #       - "172.16.0.0/12"
-  #       - "192.168.0.0/16"
-  #     status: 403
-  #     message: "Forbidden"
-  #   - use: RedirectHTTP
+  middlewares:
+    - use: CloudflareRealIP
+    - use: ModifyResponse
+      set_headers:
+        Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
+        Access-Control-Allow-Headers: "*"
+        Access-Control-Allow-Origin: "*"
+        Access-Control-Max-Age: 180
+        Vary: "*"
+        X-XSS-Protection: 1; mode=block
+        Content-Security-Policy: "object-src 'self'; frame-ancestors 'self';"
+        X-Content-Type-Options: nosniff
+        X-Frame-Options: SAMEORIGIN
+        Referrer-Policy: same-origin
+        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+    # - use: RedirectHTTP

  # below enables access log
  access_log:
    format: combined
    path: /app/logs/entrypoint.log
+    stdout: false # (default: false)
+    keep: 30 days # (default: 30 days)
+
+  # customize behavior for non-existent routes, e.g. pass over to another proxy
+  #
+  # rules:
+  #   not_found:
+  #     - name: default
+  #       do: proxy http://other-proxy:8080
+
+defaults:
+  healthcheck:
+    interval: 5s
+    timeout: 15s
+    retries: 3

 providers:
  # include files are standalone yaml files under `config/` directory
@@ -61,9 +117,13 @@ providers:
    # remote-1: tcp://10.0.2.1:2375
    # remote-2: ssh://root:1234@10.0.2.2

-  # notification providers (notify when service health changes)
+  # notification providers
  #
  # notification:
+  #   - name: ntfy
+  #     provider: ntfy
+  #     url: https://ntfy.domain.tld
+  #     topic: godoxy
  #   - name: gotify
  #     provider: gotify
  #     url: https://gotify.domain.tld
@@ -72,9 +132,22 @@ providers:
  #     provider: webhook
  #     url: https://discord.com/api/webhooks/...
  #     template: discord # this means use payload template from internal/notif/templates/discord.json
+  #   - name: pushover
+  #     provider: webhook
+  #     url: https://api.pushover.net/1/messages.json
+  #     mime_type: application/x-www-form-urlencoded
+  #     payload: '{"token": "your-app-token", "user": "your-user-key", "title": $title, "message": $message}'

-# Check https://github.com/yusing/go-proxy/wiki/Certificates-and-domain-matching#domain-matching
-# for explaination of `match_domains`
+  # Proxmox providers (for idlesleep support for proxmox LXCs)
+  #
+  # proxmox:
+  #   - url: https://pve.domain.com:8006/api2/json
+  #     token_id: root@pam!abcdef
+  #     secret: aaaa-bbbb-cccc-dddd
+  #     no_tls_verify: true
+
+# Match domains
+# See https://docs.godoxy.dev/Certificates-and-domain-matching
 #
 # match_domains:
 #   - my.site
--- a/dev.Dockerfile
+++ b/dev.Dockerfile
@@ -0,0 +1,7 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y ca-certificates
+
+WORKDIR /app
+
+CMD ["/app/run"]
--- a/dev.compose.yml
+++ b/dev.compose.yml
@@ -0,0 +1,257 @@
+x-benchmark: &benchmark
+  restart: no
+  labels:
+    proxy.exclude: true
+    proxy.#1.healthcheck.disable: true
+services:
+  app:
+    image: godoxy-dev
+    build:
+      context: .
+      dockerfile: dev.Dockerfile
+    container_name: godoxy-proxy-dev
+    restart: unless-stopped
+    env_file: dev.env
+    environment:
+      DOCKER_HOST: unix:///var/run/docker.sock
+      TZ: Asia/Hong_Kong
+      API_ADDR: 127.0.0.1:8999
+      API_USER: dev
+      API_PASSWORD: 1234
+      API_SKIP_ORIGIN_CHECK: true
+      API_JWT_TTL: 24h
+      DEBUG: true
+      API_JWT_SECRET: 1234567891234567
+    labels:
+      proxy.exclude: true
+      proxy.#1.healthcheck.disable: true
+    ipc: host
+    network_mode: host
+    volumes:
+      - ./bin/godoxy:/app/run:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./dev-data/config:/app/config
+      - ./dev-data/certs:/app/certs
+      - ./dev-data/error_pages:/app/error_pages:ro
+      - ./dev-data/data:/app/data
+      - ./dev-data/logs:/app/logs
+      - ~/certs/myCA.pem:/etc/ssl/certs/ca.crt:ro
+  parca:
+    image: ghcr.io/parca-dev/parca:v0.24.2
+    container_name: godoxy-parca
+    restart: unless-stopped
+    command: [/parca, --config-path, /parca.yaml]
+    network_mode: host
+    # ports:
+    #   - 7070:7070
+    configs:
+      - source: parca
+        target: /parca.yaml
+    labels:
+      proxy.#1.port: "7070"
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:v3
+    container_name: tinyauth
+    restart: unless-stopped
+    environment:
+      - SECRET=12345678912345671234567891234567
+      - APP_URL=https://tinyauth.my.app
+      - USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
+    labels:
+      proxy.tinyauth.port: "3000"
+  jotty: # issue #182
+    image: ghcr.io/fccview/jotty:latest
+    container_name: jotty
+    user: "1000:1000"
+    tmpfs:
+      - /app/data:rw,uid=1000,gid=1000
+      - /app/config:rw,uid=1000,gid=1000
+      - /app/.next/cache:rw,uid=1000,gid=1000
+    restart: unless-stopped
+    environment:
+      - NODE_ENV=production
+    labels:
+      proxy.aliases: "jotty.my.app"
+  postgres-test:
+    image: postgres:18-alpine
+    container_name: postgres-test
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+      - POSTGRES_DB=postgres
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+  h2c_test_server:
+    build:
+      context: cmd/h2c_test_server
+      dockerfile: Dockerfile
+    container_name: h2c_test
+    restart: unless-stopped
+    labels:
+      proxy.#1.scheme: h2c
+      proxy.#1.port: 80
+  bench: # returns 4096 bytes of random data
+    <<: *benchmark
+    build:
+      context: cmd/bench_server
+      dockerfile: Dockerfile
+    container_name: bench
+  godoxy:
+    <<: *benchmark
+    build: .
+    container_name: godoxy-benchmark
+    ports:
+      - 8080:80
+    configs:
+      - source: godoxy_config
+        target: /app/config/config.yml
+      - source: godoxy_provider
+        target: /app/config/providers.yml
+  traefik:
+    <<: *benchmark
+    image: traefik:latest
+    container_name: traefik
+    command:
+      - --api.insecure=true
+      - --entrypoints.web.address=:8081
+      - --providers.file.directory=/etc/traefik/dynamic
+      - --providers.file.watch=true
+      - --log.level=ERROR
+    ports:
+      - 8081:8081
+    configs:
+      - source: traefik_config
+        target: /etc/traefik/dynamic/routes.yml
+  caddy:
+    <<: *benchmark
+    image: caddy:latest
+    container_name: caddy
+    ports:
+      - 8082:80
+    configs:
+      - source: caddy_config
+        target: /etc/caddy/Caddyfile
+    tmpfs:
+      - /data
+      - /config
+  nginx:
+    <<: *benchmark
+    image: nginx:latest
+    container_name: nginx
+    command: nginx -g 'daemon off;' -c /etc/nginx/nginx.conf
+    ports:
+      - 8083:80
+    configs:
+      - source: nginx_config
+        target: /etc/nginx/nginx.conf
+
+configs:
+  godoxy_config:
+    content: |
+      providers:
+        include:
+          - providers.yml
+  godoxy_provider:
+    content: |
+      bench.domain.com:
+        host: bench
+  traefik_config:
+    content: |
+      http:
+        routers:
+          bench:
+            rule: "Host(`bench.domain.com`)"
+            entryPoints:
+              - web
+            service: bench
+        services:
+          bench:
+            loadBalancer:
+              servers:
+                - url: "http://bench:80"
+  caddy_config:
+    content: |
+      {
+        admin off
+        auto_https off
+        default_bind 0.0.0.0
+
+        servers {
+          protocols h1 h2c
+        }
+      }
+
+      http://bench.domain.com {
+        reverse_proxy bench:80
+      }
+  nginx_config:
+    content: |
+      worker_processes auto;
+      worker_rlimit_nofile 65535;
+      error_log /dev/null;
+      pid /var/run/nginx.pid;
+
+      events {
+        worker_connections 10240;
+        multi_accept on;
+        use epoll;
+      }
+
+      http {
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+        
+        access_log off;
+        
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        keepalive_requests 10000;
+        
+        upstream backend {
+          server bench:80;
+          keepalive 128;
+        }
+
+        server {
+          listen 80 default_server;
+          server_name _;
+          http2 on;
+
+          return 404;
+        }
+
+        server {
+          listen 80;
+          server_name bench.domain.com;
+          http2 on;
+          
+          location / {
+            proxy_pass http://backend;
+            proxy_http_version 1.1;
+            proxy_set_header Connection "";
+            proxy_set_header Host $$host;
+            proxy_set_header X-Real-IP $$remote_addr;
+            proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
+            proxy_buffering off;
+          }
+        }
+      }
+  parca:
+    content: |
+      object_storage:
+        bucket:
+          type: "FILESYSTEM"
+          config:
+            directory: "./data"
+      scrape_configs:
+        - job_name: "parca"
+          scrape_interval: "1s"
+          static_configs:
+            - targets: [ 'localhost:7777' ]
--- a/go.mod
+++ b/go.mod
@@ -1,82 +1,181 @@
-module github.com/yusing/go-proxy
+module github.com/yusing/godoxy

-go 1.23.5
+go 1.25.5

-require (
-	github.com/PuerkitoBio/goquery v1.10.1
-	github.com/coder/websocket v1.8.12
-	github.com/coreos/go-oidc/v3 v3.12.0
-	github.com/docker/cli v27.5.1+incompatible
-	github.com/docker/docker v27.5.1+incompatible
-	github.com/fsnotify/fsnotify v1.8.0
-	github.com/go-acme/lego/v4 v4.21.0
-	github.com/go-playground/validator/v10 v10.24.0
-	github.com/gobwas/glob v0.2.3
-	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/gotify/server/v2 v2.6.1
-	github.com/lithammer/fuzzysearch v1.1.8
-	github.com/prometheus/client_golang v1.20.5
-	github.com/puzpuzpuz/xsync/v3 v3.5.0
-	github.com/rs/zerolog v1.33.0
-	github.com/vincent-petithory/dataurl v1.0.0
-	golang.org/x/crypto v0.32.0
-	golang.org/x/net v0.34.0
-	golang.org/x/oauth2 v0.25.0
-	golang.org/x/text v0.21.0
-	golang.org/x/time v0.9.0
-	gopkg.in/yaml.v3 v3.0.1
+replace (
+	github.com/coreos/go-oidc/v3 => ./internal/go-oidc
+	github.com/shirou/gopsutil/v4 => ./internal/gopsutil
+	github.com/yusing/godoxy/agent => ./agent
+	github.com/yusing/godoxy/internal/dnsproviders => ./internal/dnsproviders
+	github.com/yusing/goutils => ./goutils
+	github.com/yusing/goutils/http/reverseproxy => ./goutils/http/reverseproxy
+	github.com/yusing/goutils/http/websocket => ./goutils/http/websocket
+	github.com/yusing/goutils/server => ./goutils/server
 )

 require (
+	github.com/PuerkitoBio/goquery v1.11.0 // parsing HTML for extract fav icon
+	github.com/coreos/go-oidc/v3 v3.17.0 // oidc authentication
+	github.com/fsnotify/fsnotify v1.9.0 // file watcher
+	github.com/gin-gonic/gin v1.11.0 // api server
+	github.com/go-acme/lego/v4 v4.30.1 // acme client
+	github.com/go-playground/validator/v10 v10.30.1 // validator
+	github.com/gobwas/glob v0.2.3 // glob matcher for route rules
+	github.com/gorilla/websocket v1.5.3 // websocket for API and agent
+	github.com/gotify/server/v2 v2.7.3 // reference the Message struct for json response
+	github.com/lithammer/fuzzysearch v1.1.8 // fuzzy search for searching icons and filtering metrics
+	github.com/pires/go-proxyproto v0.8.1 // proxy protocol support
+	github.com/puzpuzpuz/xsync/v4 v4.2.0 // lock free map for concurrent operations
+	github.com/rs/zerolog v1.34.0 // logging
+	github.com/vincent-petithory/dataurl v1.0.0 // data url for fav icon
+	golang.org/x/crypto v0.46.0 // encrypting password with bcrypt
+	golang.org/x/net v0.48.0 // HTTP header utilities
+	golang.org/x/oauth2 v0.34.0 // oauth2 authentication
+	golang.org/x/sync v0.19.0
+	golang.org/x/time v0.14.0 // time utilities
+)
+
+require (
+	github.com/bytedance/gopkg v0.1.3 // xxhash64 for fast hash
+	github.com/bytedance/sonic v1.14.2 // fast json parsing
+	github.com/docker/cli v29.1.3+incompatible // needs docker/cli/cli/connhelper connection helper for docker client
+	github.com/goccy/go-yaml v1.19.1 // yaml parsing for different config files
+	github.com/golang-jwt/jwt/v5 v5.3.0 // jwt authentication
+	github.com/luthermonson/go-proxmox v0.2.4 // proxmox API client
+	github.com/moby/moby/api v1.52.0 // docker API
+	github.com/moby/moby/client v0.2.1 // docker client
+	github.com/oschwald/maxminddb-golang v1.13.1 // maxminddb for geoip database
+	github.com/quic-go/quic-go v0.58.0 // http3 support
+	github.com/shirou/gopsutil/v4 v4.25.11 // system information
+	github.com/spf13/afero v1.15.0 // afero for file system operations
+	github.com/stretchr/testify v1.11.1 // testing framework
+	github.com/valyala/fasthttp v1.68.0 // fast http for health check
+	github.com/yusing/ds v0.3.1 // data structures and algorithms
+	github.com/yusing/godoxy/agent v0.0.0-20251230135310-5087800fd763
+	github.com/yusing/godoxy/internal/dnsproviders v0.0.0-20251230043958-dba8441e8a5d
+	github.com/yusing/gointernals v0.1.16
+	github.com/yusing/goutils v0.7.0
+	github.com/yusing/goutils/http/reverseproxy v0.0.0-20251217162119-cb0f79b51ce2
+	github.com/yusing/goutils/http/websocket v0.0.0-20251217162119-cb0f79b51ce2
+	github.com/yusing/goutils/server v0.0.0-20251217162119-cb0f79b51ce2
+)
+
+require (
+	cloud.google.com/go/auth v0.18.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
-	github.com/containerd/log v0.1.0 // indirect
+	github.com/benbjohnson/clock v1.3.5 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/diskfs/go-diskfs v1.7.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/docker/go-connections v0.6.0
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/gofrs/flock v0.13.0 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
+	github.com/googleapis/gax-go/v2 v2.16.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/magefile/mage v1.15.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.63 // indirect
+	github.com/miekg/dns v1.1.69 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/term v0.5.0 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/nrdcg/goacmedns v0.2.0 // indirect
+	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/ovh/go-ovh v1.6.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
-	go.opentelemetry.io/otel v1.34.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect
-	go.opentelemetry.io/otel/metric v1.34.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.30.0 // indirect
-	go.opentelemetry.io/otel/trace v1.34.0 // indirect
-	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/tools v0.29.0 // indirect
-	google.golang.org/protobuf v1.36.4 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/ovh/go-ovh v1.9.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	github.com/samber/lo v1.52.0 // indirect
+	github.com/samber/slog-common v0.19.0 // indirect
+	github.com/samber/slog-zerolog/v2 v2.9.0 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
+	github.com/sony/gobreaker v1.0.0 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
+	go.opentelemetry.io/otel v1.39.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.uber.org/atomic v1.11.0
+	go.uber.org/ratelimit v0.3.1 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
+	google.golang.org/api v0.258.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
+	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gotest.tools/v3 v3.5.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
+
+require (
+	github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/bytedance/sonic/loader v0.4.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-ozzo/ozzo-validation/v4 v4.3.0 // indirect
+	github.com/go-resty/resty/v2 v2.17.1 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/google/go-querystring v1.2.0 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/linode/linodego v1.63.0 // indirect
+	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.105.2 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.105.2 // indirect
+	github.com/pierrec/lz4/v4 v4.1.21 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/stretchr/objx v0.5.3 // indirect
+	github.com/tklauser/go-sysconf v0.3.16 // indirect
+	github.com/tklauser/numcpus v0.11.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.3.1 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/vultr/govultr/v3 v3.26.1 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	golang.org/x/arch v0.23.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,89 +1,179 @@
-github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
-github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+cloud.google.com/go/auth v0.18.0 h1:wnqy5hrv7p3k7cShwAU/Br3nzod7fxoqG+k0VZ+/Pk0=
+cloud.google.com/go/auth v0.18.0/go.mod h1:wwkPM1AgE1f2u6dG443MiWoD8C3BtOywNsUMcUTVDRo=
+cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
+github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 h1:lpOxwrQ919lCZoNCd69rVt8u1eLZuMORrGXqy8sNf3c=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0/go.mod h1:fSvRkb8d26z9dbL40Uf/OO6Vo9iExtZK3D0ulRV+8M0=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsIIvxVT+uE6yrNldntJKlLRgxGbZ85kgtz5SNBhMw=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 h1:yzrctSl9GMIQ5lHu7jc8olOsGjWDCsBpJhWqfGa/YIM=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0/go.mod h1:GE4m0rnnfwLGX0Y9A9A25Zx5N/90jneT5ABevqzhuFQ=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 h1:zLzoX5+W2l95UJoVwiyNS4dX8vHyQ6x2xRLoBBL9wMk=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0/go.mod h1:wVEOJfGTj0oPAUGA1JuRAvz/lxXQsWW16axmHPP47Bk=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/PuerkitoBio/goquery v1.10.1 h1:Y8JGYUkXWTGRB6Ars3+j3kN0xg1YqqlwvdTV8WTFQcU=
-github.com/PuerkitoBio/goquery v1.10.1/go.mod h1:IYiHrOMps66ag56LEH7QYDDupKXyo5A8qrjIx3ZtujY=
+github.com/PuerkitoBio/goquery v1.11.0 h1:jZ7pwMQXIITcUXNH83LLk+txlaEy6NVOfTuP43xxfqw=
+github.com/PuerkitoBio/goquery v1.11.0/go.mod h1:wQHgxUOU3JGuj3oD/QFfxUdlzW6xPHfqyHre6VMY4DQ=
+github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0 h1:h/33OxYLqBk0BYmEbSUy7MlvgQR/m1w1/7OJFKoPL1I=
+github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0/go.mod h1:rvh3imDA6EaQi+oM/GQHkQAOHbXPKJ7EWJvfjuw141Q=
+github.com/anchore/go-lzo v0.1.0 h1:NgAacnzqPeGH49Ky19QKLBZEuFRqtTG9cdaucc3Vncs=
+github.com/anchore/go-lzo v0.1.0/go.mod h1:3kLx0bve2oN1iDwgM1U5zGku1Tfbdb0No5qp1eL1fIk=
+github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
+github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
-github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
-github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/asaskevich/govalidator v0.0.0-20200108200545-475eaeb16496/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
+github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
+github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
+github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
+github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
+github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M=
+github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM=
+github.com/bytedance/sonic v1.14.2 h1:k1twIoe97C1DtYUo+fZQy865IuHia4PR5RPiuGPPIIE=
+github.com/bytedance/sonic v1.14.2/go.mod h1:T80iDELeHiHKSc0C9tubFygiuXoGzrkjKzX2quAx980=
+github.com/bytedance/sonic/loader v0.4.0 h1:olZ7lEqcxtZygCK9EKYKADnpQoYkRQxaeY2NYzevs+o=
+github.com/bytedance/sonic/loader v0.4.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cloudflare/cloudflare-go v0.115.0 h1:84/dxeeXweCc0PN5Cto44iTA8AkG1fyT11yPO5ZB7sM=
-github.com/cloudflare/cloudflare-go v0.115.0/go.mod h1:Ds6urDwn/TF2uIU24mu7H91xkKP8gSAHxQ44DSZgVmU=
-github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
-github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
-github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
-github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo=
-github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
+github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
+github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8=
+github.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v27.5.1+incompatible h1:JB9cieUT9YNiMITtIsguaN55PLOHhBSz3LKVc6cqWaY=
-github.com/docker/cli v27.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v27.5.1+incompatible h1:4PYU5dnBYqRQi0294d1FBECqT9ECWeQAIfE8q4YnPY8=
-github.com/docker/docker v27.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
+github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
+github.com/docker/cli v29.1.3+incompatible h1:+kz9uDWgs+mAaIZojWfFt4d53/jv0ZUOOoSh5ZnH36c=
+github.com/docker/cli v29.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
+github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=
+github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
-github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
-github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
-github.com/go-acme/lego/v4 v4.21.0 h1:arEW+8o5p7VI8Bk1kr/PDlgD1DrxtTH1gJ4b7mehL8o=
-github.com/go-acme/lego/v4 v4.21.0/go.mod h1:HrSWzm3Ckj45Ie3i+p1zKVobbQoMOaGu9m4up0dUeDI=
-github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
-github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
+github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
+github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
+github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
+github.com/go-acme/lego/v4 v4.30.1 h1:tmb6U0lvy8Mc3lQbqKwTat7oAhE8FUYNJ3D0gSg6pJU=
+github.com/go-acme/lego/v4 v4.30.1/go.mod h1:V7m/Ip+EeFkjOe028+zeH+SwWtESxw1LHelwMIfAjm4=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
+github.com/go-ozzo/ozzo-validation/v4 v4.3.0 h1:byhDUpfEwjsVQb1vBunvIjh2BHQ9ead57VkAEY4V+Es=
+github.com/go-ozzo/ozzo-validation/v4 v4.3.0/go.mod h1:2NKgrcHl3z6cJs+3Oo940FPRiTzuqKbvfrL2RxCj6Ew=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.24.0 h1:KHQckvo8G6hlWnrPX4NJJ+aBfWNAE/HH+qdL2cBpCmg=
-github.com/go-playground/validator/v10 v10.24.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
+github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
+github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
+github.com/go-resty/resty/v2 v2.17.1 h1:x3aMpHK1YM9e4va/TMDRlusDDoZiQ+ViDu/WpA6xTM4=
+github.com/go-resty/resty/v2 v2.17.1/go.mod h1:kCKZ3wWmwJaNc7S29BRtUhJwy7iqmn+2mLtQrOyQlVA=
+github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
+github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-yaml v1.19.1 h1:3rG3+v8pkhRqoQ/88NYNMHYVGYztCOCIZ7UQhu7H+NE=
+github.com/goccy/go-yaml v1.19.1/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw=
+github.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
+github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
+github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gotify/server/v2 v2.6.1 h1:Kf7v5fzBxzELzZa/jonWfwJMkqYqh1LBzBpCmt5QIAI=
-github.com/gotify/server/v2 v2.6.1/go.mod h1:Dk8HLyTVDqmXM8YEg6tjROBen6mxyHZFRggJFHTwZLc=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
-github.com/jarcoal/httpmock v1.3.0 h1:2RJ8GP0IIaWwcC9Fp2BmVi8Kog3v2Hn7VXM3fTd+nuc=
-github.com/jarcoal/httpmock v1.3.0/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAVrGgAa0f2/R35S4DJwfFaUPFQ=
+github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
+github.com/googleapis/gax-go/v2 v2.16.0 h1:iHbQmKLLZrexmb0OSsNGTeSTS0HO4YvFOG8g5E4Zd0Y=
+github.com/googleapis/gax-go/v2 v2.16.0/go.mod h1:o1vfQjjNZn4+dPnRdl/4ZD7S9414Y4xA+a/6Icj6l14=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gotify/server/v2 v2.7.3 h1:nro/ZnxdlZFvxFcw9LREGA8zdk6CK744azwhuhX/A4g=
+github.com/gotify/server/v2 v2.7.3/go.mod h1:VAtE1RIc/2j886PYs9WPQbMjqbFsoyQ0G8IdFtnAxU0=
+github.com/h2non/gock v1.2.0 h1:K6ol8rfrRkUOefooBC8elXoaNGYkpp7y2qcxGG6BzUE=
+github.com/h2non/gock v1.2.0/go.mod h1:tNhoxHYW2W42cYkYb1WqzdbYIieALC99kpYr7rH/BQk=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
+github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
+github.com/jarcoal/httpmock v1.4.1 h1:0Ju+VCFuARfFlhVXFc2HxlcQkfB+Xq12/EotHko+x2A=
+github.com/jarcoal/httpmock v1.4.1/go.mod h1:ftW1xULwo+j0R0JJkJIIi7UKigZUXCLLanykgjwBXL0=
+github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
+github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 h1:9Nu54bhS/H/Kgo2/7xNSUuC5G28VR8ljfrLKU2G4IjU=
+github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12/go.mod h1:TBzl5BIHNXfS9+C35ZyJaklL7mLDbgUkcgXzSLa8Tk0=
+github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
+github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
+github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -92,8 +182,16 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/linode/linodego v1.63.0 h1:MdjizfXNJDVJU6ggoJmMO5O9h4KGPGivNX0fzrAnstk=
+github.com/linode/linodego v1.63.0/go.mod h1:GoiwLVuLdBQcAebxAVKVL3mMYUgJZR/puOUSla04xBE=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
+github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 h1:PwQumkgq4/acIiZhtifTV5OUqqiP82UAl0h87xj/l9k=
+github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
+github.com/luthermonson/go-proxmox v0.2.4 h1:XQ6YNUTVvHS7N4EJxWpuqWLW2s1VPtsIblxLV/rGHLw=
+github.com/luthermonson/go-proxmox v0.2.4/go.mod h1:oyFgg2WwTEIF0rP6ppjiixOHa5ebK1p8OaRiFhvICBQ=
+github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
+github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -101,96 +199,164 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
-github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
-github.com/miekg/dns v1.1.63 h1:8M5aAw6OMZfFXTT7K5V0Eu5YiiL8l7nUAkyN6C9YwaY=
-github.com/miekg/dns v1.1.63/go.mod h1:6NGHfjhpmr5lt3XPLuyfDJi5AXbNIPM9PY6H6sF1Nfs=
+github.com/maxatome/go-testdeep v1.14.0 h1:rRlLv1+kI8eOI3OaBXZwb3O7xY3exRzdW5QyX48g9wI=
+github.com/maxatome/go-testdeep v1.14.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
+github.com/miekg/dns v1.1.69 h1:Kb7Y/1Jo+SG+a2GtfoFUfDkG//csdRPwRLkCsxDG9Sc=
+github.com/miekg/dns v1.1.69/go.mod h1:7OyjD9nEba5OkqQ/hB4fy3PIoxafSZJtducccIelz3g=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
-github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/moby/moby/api v1.52.0 h1:00BtlJY4MXkkt84WhUZPRqt5TvPbgig2FZvTbe3igYg=
+github.com/moby/moby/api v1.52.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
+github.com/moby/moby/client v0.2.1 h1:1Grh1552mvv6i+sYOdY+xKKVTvzJegcVMhuXocyDz/k=
+github.com/moby/moby/client v0.2.1/go.mod h1:O+/tw5d4a1Ha/ZA/tPxIZJapJRUS6LNZ1wiVRxYHyUE=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/nrdcg/goacmedns v0.2.0 h1:ADMbThobzEMnr6kg2ohs4KGa3LFqmgiBA22/6jUWJR0=
+github.com/nrdcg/goacmedns v0.2.0/go.mod h1:T5o6+xvSLrQpugmwHvrSNkzWht0UGAwj2ACBMhh73Cg=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.105.2 h1:l0tH15ACQADZAzC+LZ+mo2tIX4H6uZu0ulrVmG5Tqz0=
+github.com/nrdcg/oci-go-sdk/common/v1065 v1065.105.2/go.mod h1:Gcs8GCaZXL3FdiDWgdnMxlOLEdRprJJnPYB22TX1jw8=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.105.2 h1:gzB4c6ztb38C/jYiqEaFC+mCGcWFHDji9e6jwymY9d4=
+github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.105.2/go.mod h1:l1qIPIq2uRV5WTSvkbhbl/ndbeOu7OCb3UZ+0+2ZSb8=
+github.com/nrdcg/porkbun v0.4.0 h1:rWweKlwo1PToQ3H+tEO9gPRW0wzzgmI/Ob3n2Guticw=
+github.com/nrdcg/porkbun v0.4.0/go.mod h1:/QMskrHEIM0IhC/wY7iTCUgINsxdT2WcOphktJ9+Q54=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/ovh/go-ovh v1.6.0 h1:ixLOwxQdzYDx296sXcgS35TOPEahJkpjMGtzPadCjQI=
-github.com/ovh/go-ovh v1.6.0/go.mod h1:cTVDnl94z4tl8pP1uZ/8jlVxntjSIf09bNcQ5TJSC7c=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/oschwald/maxminddb-golang v1.13.1 h1:G3wwjdN9JmIK2o/ermkHM+98oX5fS+k5MbwsmL4MRQE=
+github.com/oschwald/maxminddb-golang v1.13.1/go.mod h1:K4pgV9N/GcK694KSTmVSDTODk4IsCNThNdTmnaBZ/F8=
+github.com/ovh/go-ovh v1.9.0 h1:6K8VoL3BYjVV3In9tPJUdT7qMx9h0GExN9EXx1r2kKE=
+github.com/ovh/go-ovh v1.9.0/go.mod h1:cTVDnl94z4tl8pP1uZ/8jlVxntjSIf09bNcQ5TJSC7c=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
+github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
+github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
-github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/puzpuzpuz/xsync/v3 v3.5.0 h1:i+cMcpEDY1BkNm7lPDkCtE4oElsYLn+EKF8kAu2vXT4=
-github.com/puzpuzpuz/xsync/v3 v3.5.0/go.mod h1:VjzYrABPabuM4KyBh1Ftq6u8nhwY5tBPKP9jpmh0nnA=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
-github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/puzpuzpuz/xsync/v4 v4.2.0 h1:dlxm77dZj2c3rxq0/XNvvUKISAmovoXF4a4qM6Wvkr0=
+github.com/puzpuzpuz/xsync/v4 v4.2.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.58.0 h1:ggY2pvZaVdB9EyojxL1p+5mptkuHyX5MOSv4dgWF4Ug=
+github.com/quic-go/quic-go v0.58.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
+github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
+github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
+github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
+github.com/samber/slog-common v0.19.0 h1:fNcZb8B2uOLooeYwFpAlKjkQTUafdjfqKcwcC89G9YI=
+github.com/samber/slog-common v0.19.0/go.mod h1:dTz+YOU76aH007YUU0DffsXNsGFQRQllPQh9XyNoA3M=
+github.com/samber/slog-zerolog/v2 v2.9.0 h1:6LkOabJmZdNLaUWkTC3IVVA+dq7b/V0FM6lz6/7+THI=
+github.com/samber/slog-zerolog/v2 v2.9.0/go.mod h1:gnQW9VnCfM34v2pRMUIGMsZOVbYLqY/v0Wxu6atSVGc=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 h1:ObX9hZmK+VmijreZO/8x9pQ8/P/ToHD/bdSb4Eg4tUo=
+github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36/go.mod h1:LEsDu4BubxK7/cWhtlQWfuxwL4rf/2UEpxXz1o1EMtM=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=
+github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sony/gobreaker v1.0.0 h1:feX5fGGXSl3dYd4aHZItw+FpHLvvoaqkawKjVNiFMNQ=
+github.com/sony/gobreaker v1.0.0/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/objx v0.5.3 h1:jmXUvGomnU1o3W/V5h2VEradbpJDwGrzugQQvL0POH4=
+github.com/stretchr/objx v0.5.3/go.mod h1:rDQraq+vQZU7Fde9LOZLr8Tax6zZvy4kuNKF+QYS+U0=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tklauser/go-sysconf v0.3.16 h1:frioLaCQSsF5Cy1jgRBrzr6t502KIIwQ0MArYICU0nA=
+github.com/tklauser/go-sysconf v0.3.16/go.mod h1:/qNL9xxDhc7tx3HSRsLWNnuzbVfh3e7gh/BmM179nYI=
+github.com/tklauser/numcpus v0.11.0 h1:nSTwhKH5e1dMNsCdVBukSZrURJRoHbSEQjdEbY+9RXw=
+github.com/tklauser/numcpus v0.11.0/go.mod h1:z+LwcLq54uWZTX0u/bGobaV34u6V7KNlTZejzM6/3MQ=
+github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
+github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
+github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY=
+github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
+github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasthttp v1.68.0 h1:v12Nx16iepr8r9ySOwqI+5RBJ/DqTxhOy1HrHoDFnok=
+github.com/valyala/fasthttp v1.68.0/go.mod h1:5EXiRfYQAoiO/khu4oU9VISC/eVY6JqmSpPJoHCKsz4=
 github.com/vincent-petithory/dataurl v1.0.0 h1:cXw+kPto8NLuJtlMsI152irrVw9fRDX8AbShPRpg2CI=
 github.com/vincent-petithory/dataurl v1.0.0/go.mod h1:FHafX5vmDzyP+1CQATJn7WFKc9CvnvxyvZy6I1MrG/U=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/vultr/govultr/v3 v3.26.1 h1:G/M0rMQKwVSmL+gb0UgETbW5mcQi0Vf/o/ZSGdBCxJw=
+github.com/vultr/govultr/v3 v3.26.1/go.mod h1:9WwnWGCKnwDlNjHjtt+j+nP+0QWq6hQXzaHgddqrLWY=
+github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
+github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I=
-go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
-go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 h1:lsInsfvhVIfOI6qHVyysXMNDnjO9Npvl7tlDPJFBVd4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0/go.mod h1:KQsVNh4OjgjTG0G6EiNi1jVpnaeeKsKMRwbLN+f1+8M=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 h1:umZgi92IyxfXd/l4kaDhnKgY8rnN/cZcF1LKc6I8OQ8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0/go.mod h1:4lVs6obhSVRb1EW5FhOuBTyiQhtRtAnnva9vD3yRfq8=
-go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
-go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
-go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE=
-go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg=
-go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
-go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
-go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
-go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+github.com/yusing/ds v0.3.1 h1:mCqTgTQD8RhiBpcysvii5kZ7ZBmqcknVsFubNALGLbY=
+github.com/yusing/ds v0.3.1/go.mod h1:XhKV4l7cZwBbbl7lRzNC9zX27zvCM0frIwiuD40ULRk=
+github.com/yusing/gointernals v0.1.16 h1:GrhZZdxzA+jojLEqankctJrOuAYDb7kY1C93S1pVR34=
+github.com/yusing/gointernals v0.1.16/go.mod h1:B/0FVXt4WPmgzVy3ynzkqKi+BSGaJVmwCJBRXYapo34=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
+go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
+go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
+go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
+go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
+go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
+go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
+go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
+go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
+go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
+go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+go.uber.org/ratelimit v0.3.1 h1:K4qVE+byfv/B3tC+4nYWP7v/6SimcO7HzHekoMNBma0=
+go.uber.org/ratelimit v0.3.1/go.mod h1:6euWsTB6U/Nb3X++xEUXA8ciPJvr19Q/0h1+oDcJhRk=
+golang.org/x/arch v0.23.0 h1:lKF64A2jF6Zd8L0knGltUnegD62JMFBiCPBmQpToHhg=
+golang.org/x/arch v0.23.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
-golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
@@ -199,29 +365,31 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
-golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210331175145-43e1dd70ce54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -229,8 +397,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -248,40 +416,46 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
-golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
-google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 h1:pgr/4QbFyktUv9CtQ/Fq4gzEE6/Xs7iCXbktaGzLHbQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697/go.mod h1:+D9ySVjN8nY8YCVjc5O7PZDIdZporIDY3KaGfJunh88=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
-google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
-google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
-google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
-google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/api v0.258.0 h1:IKo1j5FBlN74fe5isA2PVozN3Y5pwNKriEgAXPOkDAc=
+google.golang.org/api v0.258.0/go.mod h1:qhOMTQEZ6lUps63ZNq9jhODswwjkjYYguA7fA3TBFww=
+google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217 h1:GvESR9BIyHUahIb0NcTum6itIWtdoglGX+rnGxm2934=
+google.golang.org/genproto v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:yJ2HH4EHEDTd3JiLmhds6NkJ17ITVYOdV3m3VKOnws0=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b h1:Mv8VFug0MP9e5vUxfBcE3vUkV6CImK3cMNMIDFjmzxU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
+google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
-gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
--- a/1
+++ b/1
--- a/internal/acl/config.go
+++ b/internal/acl/config.go
@@ -0,0 +1,309 @@
+package acl
+
+import (
+	"fmt"
+	"math"
+	"net"
+	"sync/atomic"
+	"time"
+
+	"github.com/puzpuzpuz/xsync/v4"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/internal/common"
+	"github.com/yusing/godoxy/internal/logging/accesslog"
+	"github.com/yusing/godoxy/internal/maxmind"
+	"github.com/yusing/godoxy/internal/notif"
+	gperr "github.com/yusing/goutils/errs"
+	strutils "github.com/yusing/goutils/strings"
+	"github.com/yusing/goutils/task"
+)
+
+type Config struct {
+	Default    string                     `json:"default" validate:"omitempty,oneof=allow deny"` // default: allow
+	AllowLocal *bool                      `json:"allow_local"`                                   // default: true
+	Allow      Matchers                   `json:"allow"`
+	Deny       Matchers                   `json:"deny"`
+	Log        *accesslog.ACLLoggerConfig `json:"log"`
+
+	Notify struct {
+		To             []string      `json:"to"`              // list of notification providers
+		Interval       time.Duration `json:"interval"`        // interval between notifications
+		IncludeAllowed *bool         `json:"include_allowed"` // default: false
+	} `json:"notify"`
+
+	config
+	valErr gperr.Error
+}
+
+const defaultNotifyInterval = 1 * time.Minute
+
+type config struct {
+	defaultAllow bool
+	allowLocal   bool
+	ipCache      *xsync.Map[string, *checkCache]
+
+	// will be nil if Notify.To is empty
+	// these are per IP, reset every Notify.Interval
+	allowedCount map[string]uint32
+	blockedCount map[string]uint32
+
+	// these are total, never reset
+	totalAllowedCount uint64
+	totalBlockedCount uint64
+
+	logAllowed bool
+	// will be nil if Log is nil
+	logger accesslog.AccessLogger
+
+	// will never tick if Notify.To is empty
+	notifyTicker  *time.Ticker
+	notifyAllowed bool
+
+	// will be nil if both Log and Notify.To are empty
+	logNotifyCh chan ipLog
+}
+
+type checkCache struct {
+	*maxmind.IPInfo
+	allow   bool
+	created time.Time
+}
+
+type ipLog struct {
+	info    *maxmind.IPInfo
+	allowed bool
+}
+
+// could be nil
+var ActiveConfig atomic.Pointer[Config]
+
+const cacheTTL = 1 * time.Minute
+
+func (c *checkCache) Expired() bool {
+	return c.created.Add(cacheTTL).Before(time.Now())
+}
+
+// TODO: add stats
+
+const (
+	ACLAllow = "allow"
+	ACLDeny  = "deny"
+)
+
+func (c *Config) Validate() gperr.Error {
+	switch c.Default {
+	case "", ACLAllow:
+		c.defaultAllow = true
+	case ACLDeny:
+		c.defaultAllow = false
+	default:
+		c.valErr = gperr.New("invalid default value").Subject(c.Default)
+		return c.valErr
+	}
+
+	if c.AllowLocal != nil {
+		c.allowLocal = *c.AllowLocal
+	} else {
+		c.allowLocal = true
+	}
+
+	if c.Notify.Interval < 0 {
+		c.Notify.Interval = defaultNotifyInterval
+	}
+
+	if c.Log != nil {
+		c.logAllowed = c.Log.LogAllowed
+	}
+
+	if !c.allowLocal && !c.defaultAllow && len(c.Allow) == 0 {
+		c.valErr = gperr.New("allow_local is false and default is deny, but no allow rules are configured")
+		return c.valErr
+	}
+
+	c.ipCache = xsync.NewMap[string, *checkCache]()
+
+	if c.Notify.IncludeAllowed != nil {
+		c.notifyAllowed = *c.Notify.IncludeAllowed
+	} else {
+		c.notifyAllowed = false
+	}
+	return nil
+}
+
+func (c *Config) Valid() bool {
+	return c != nil && c.valErr == nil
+}
+
+func (c *Config) Start(parent task.Parent) gperr.Error {
+	if c.Log != nil {
+		logger, err := accesslog.NewAccessLogger(parent, c.Log)
+		if err != nil {
+			return gperr.New("failed to start access logger").With(err)
+		}
+		c.logger = logger
+	}
+	if c.valErr != nil {
+		return c.valErr
+	}
+
+	if c.needLogOrNotify() {
+		c.logNotifyCh = make(chan ipLog, 100)
+	}
+
+	if c.needNotify() {
+		c.allowedCount = make(map[string]uint32)
+		c.blockedCount = make(map[string]uint32)
+		c.notifyTicker = time.NewTicker(c.Notify.Interval)
+	} else {
+		c.notifyTicker = time.NewTicker(time.Duration(math.MaxInt64)) // never tick
+	}
+
+	if c.needLogOrNotify() {
+		go c.logNotifyLoop(parent)
+	}
+
+	log.Info().
+		Str("default", c.Default).
+		Bool("allow_local", c.allowLocal).
+		Int("allow_rules", len(c.Allow)).
+		Int("deny_rules", len(c.Deny)).
+		Msg("ACL started")
+	return nil
+}
+
+func (c *Config) cacheRecord(info *maxmind.IPInfo, allow bool) {
+	if common.ForceResolveCountry && info.City == nil {
+		maxmind.LookupCity(info)
+	}
+	c.ipCache.Store(info.Str, &checkCache{
+		IPInfo:  info,
+		allow:   allow,
+		created: time.Now(),
+	})
+}
+
+func (c *Config) needLogOrNotify() bool {
+	return c.needLog() || c.needNotify()
+}
+
+func (c *Config) needLog() bool {
+	return c.logger != nil
+}
+
+func (c *Config) needNotify() bool {
+	return len(c.Notify.To) > 0
+}
+
+func (c *Config) getCachedCity(ip string) string {
+	record, ok := c.ipCache.Load(ip)
+	if ok {
+		if record.City != nil {
+			if record.City.Country.IsoCode != "" {
+				return record.City.Country.IsoCode
+			}
+			return record.City.Location.TimeZone
+		}
+	}
+	return "unknown location"
+}
+
+func (c *Config) logNotifyLoop(parent task.Parent) {
+	defer c.notifyTicker.Stop()
+
+	for {
+		select {
+		case <-parent.Context().Done():
+			return
+		case log := <-c.logNotifyCh:
+			if c.logger != nil {
+				if !log.allowed || c.logAllowed {
+					c.logger.LogACL(log.info, !log.allowed)
+				}
+			}
+			if c.needNotify() {
+				if log.allowed {
+					if c.notifyAllowed {
+						c.allowedCount[log.info.Str]++
+						c.totalAllowedCount++
+					}
+				} else {
+					c.blockedCount[log.info.Str]++
+					c.totalBlockedCount++
+				}
+			}
+		case <-c.notifyTicker.C: // will never tick when notify is disabled
+			total := len(c.allowedCount) + len(c.blockedCount)
+			if total == 0 {
+				continue
+			}
+			total++
+			fieldsBody := make(notif.ListBody, total)
+			i := 0
+			fieldsBody[i] = fmt.Sprintf("Total: allowed %d, blocked %d", c.totalAllowedCount, c.totalBlockedCount)
+			i++
+			for ip, count := range c.allowedCount {
+				fieldsBody[i] = fmt.Sprintf("%s (%s): allowed %d times", ip, c.getCachedCity(ip), count)
+				i++
+			}
+			for ip, count := range c.blockedCount {
+				fieldsBody[i] = fmt.Sprintf("%s (%s): blocked %d times", ip, c.getCachedCity(ip), count)
+				i++
+			}
+			notif.Notify(&notif.LogMessage{
+				Level: zerolog.InfoLevel,
+				Title: "ACL Summary for last " + strutils.FormatDuration(c.Notify.Interval),
+				Body:  fieldsBody,
+				To:    c.Notify.To,
+			})
+			clear(c.allowedCount)
+			clear(c.blockedCount)
+		}
+	}
+}
+
+// log and notify if needed
+func (c *Config) logAndNotify(info *maxmind.IPInfo, allowed bool) {
+	if c.logNotifyCh != nil {
+		c.logNotifyCh <- ipLog{info: info, allowed: allowed}
+	}
+}
+
+func (c *Config) IPAllowed(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+
+	// always allow loopback, not logged
+	if ip.IsLoopback() {
+		return true
+	}
+
+	if c.allowLocal && ip.IsPrivate() {
+		c.logAndNotify(&maxmind.IPInfo{IP: ip, Str: ip.String()}, true)
+		return true
+	}
+
+	ipStr := ip.String()
+	record, ok := c.ipCache.Load(ipStr)
+	if ok && !record.Expired() {
+		c.logAndNotify(record.IPInfo, record.allow)
+		return record.allow
+	}
+
+	ipAndStr := &maxmind.IPInfo{IP: ip, Str: ipStr}
+	if c.Allow.Match(ipAndStr) {
+		c.logAndNotify(ipAndStr, true)
+		c.cacheRecord(ipAndStr, true)
+		return true
+	}
+	if c.Deny.Match(ipAndStr) {
+		c.logAndNotify(ipAndStr, false)
+		c.cacheRecord(ipAndStr, false)
+		return false
+	}
+
+	c.logAndNotify(ipAndStr, c.defaultAllow)
+	c.cacheRecord(ipAndStr, c.defaultAllow)
+	return c.defaultAllow
+}
--- a/internal/acl/matcher.go
+++ b/internal/acl/matcher.go
@@ -0,0 +1,112 @@
+package acl
+
+import (
+	"net"
+	"strings"
+
+	"github.com/yusing/godoxy/internal/maxmind"
+	gperr "github.com/yusing/goutils/errs"
+)
+
+type MatcherFunc func(*maxmind.IPInfo) bool
+
+type Matcher struct {
+	match MatcherFunc
+}
+
+type Matchers []Matcher
+
+const (
+	MatcherTypeIP       = "ip"
+	MatcherTypeCIDR     = "cidr"
+	MatcherTypeTimeZone = "tz"
+	MatcherTypeCountry  = "country"
+)
+
+// TODO: use this error in the future
+//
+//nolint:unused
+var errMatcherFormat = gperr.Multiline().AddLines(
+	"invalid matcher format, expect {type}:{value}",
+	"Available types: ip|cidr|tz|country",
+	"ip:127.0.0.1",
+	"cidr:127.0.0.0/8",
+	"tz:Asia/Shanghai",
+	"country:GB",
+)
+
+var (
+	errSyntax      = gperr.New("syntax error")
+	errInvalidIP   = gperr.New("invalid IP")
+	errInvalidCIDR = gperr.New("invalid CIDR")
+)
+
+func (matcher *Matcher) Parse(s string) error {
+	parts := strings.Split(s, ":")
+	if len(parts) != 2 {
+		return errSyntax
+	}
+
+	switch parts[0] {
+	case MatcherTypeIP:
+		ip := net.ParseIP(parts[1])
+		if ip == nil {
+			return errInvalidIP
+		}
+		matcher.match = matchIP(ip)
+	case MatcherTypeCIDR:
+		_, net, err := net.ParseCIDR(parts[1])
+		if err != nil {
+			return errInvalidCIDR
+		}
+		matcher.match = matchCIDR(net)
+	case MatcherTypeTimeZone:
+		matcher.match = matchTimeZone(parts[1])
+	case MatcherTypeCountry:
+		matcher.match = matchISOCode(parts[1])
+	default:
+		return errSyntax
+	}
+	return nil
+}
+
+func (matchers Matchers) Match(ip *maxmind.IPInfo) bool {
+	for _, m := range matchers {
+		if m.match(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+func matchIP(ip net.IP) MatcherFunc {
+	return func(ip2 *maxmind.IPInfo) bool {
+		return ip.Equal(ip2.IP)
+	}
+}
+
+func matchCIDR(n *net.IPNet) MatcherFunc {
+	return func(ip *maxmind.IPInfo) bool {
+		return n.Contains(ip.IP)
+	}
+}
+
+func matchTimeZone(tz string) MatcherFunc {
+	return func(ip *maxmind.IPInfo) bool {
+		city, ok := maxmind.LookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Location.TimeZone == tz
+	}
+}
+
+func matchISOCode(iso string) MatcherFunc {
+	return func(ip *maxmind.IPInfo) bool {
+		city, ok := maxmind.LookupCity(ip)
+		if !ok {
+			return false
+		}
+		return city.Country.IsoCode == iso
+	}
+}
--- a/internal/acl/matcher_test.go
+++ b/internal/acl/matcher_test.go
@@ -0,0 +1,49 @@
+package acl
+
+import (
+	"net"
+	"reflect"
+	"testing"
+
+	maxmind "github.com/yusing/godoxy/internal/maxmind/types"
+	"github.com/yusing/godoxy/internal/serialization"
+)
+
+func TestMatchers(t *testing.T) {
+	strMatchers := []string{
+		"ip:127.0.0.1",
+		"cidr:10.0.0.0/8",
+	}
+
+	var mathers Matchers
+	err := serialization.Convert(reflect.ValueOf(strMatchers), reflect.ValueOf(&mathers), false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tests := []struct {
+		ip   string
+		want bool
+	}{
+		{"127.0.0.1", true},
+		{"10.0.0.1", true},
+		{"127.0.0.2", false},
+		{"192.168.0.1", false},
+		{"11.0.0.1", false},
+	}
+
+	for _, test := range tests {
+		ip := net.ParseIP(test.ip)
+		if ip == nil {
+			t.Fatalf("invalid ip: %s", test.ip)
+		}
+
+		got := mathers.Match(&maxmind.IPInfo{
+			IP:  ip,
+			Str: test.ip,
+		})
+		if got != test.want {
+			t.Errorf("mathers.Match(%s) = %v, want %v", test.ip, got, test.want)
+		}
+	}
+}
--- a/internal/acl/tcp_listener.go
+++ b/internal/acl/tcp_listener.go
@@ -0,0 +1,75 @@
+package acl
+
+import (
+	"errors"
+	"io"
+	"net"
+	"time"
+)
+
+type TCPListener struct {
+	acl *Config
+	lis net.Listener
+}
+
+type noConn struct{}
+
+func (noConn) Read(b []byte) (int, error)         { return 0, io.EOF }
+func (noConn) Write(b []byte) (int, error)        { return 0, io.EOF }
+func (noConn) Close() error                       { return nil }
+func (noConn) LocalAddr() net.Addr                { return nil }
+func (noConn) RemoteAddr() net.Addr               { return nil }
+func (noConn) SetDeadline(t time.Time) error      { return nil }
+func (noConn) SetReadDeadline(t time.Time) error  { return nil }
+func (noConn) SetWriteDeadline(t time.Time) error { return nil }
+
+func (c *Config) WrapTCP(lis net.Listener) net.Listener {
+	if c == nil {
+		return lis
+	}
+	return &TCPListener{
+		acl: c,
+		lis: lis,
+	}
+}
+
+func (s *TCPListener) Addr() net.Addr {
+	return s.lis.Addr()
+}
+
+func (s *TCPListener) Accept() (net.Conn, error) {
+	c, err := s.lis.Accept()
+	if err != nil {
+		return nil, err
+	}
+	addr, ok := c.RemoteAddr().(*net.TCPAddr)
+	if !ok {
+		// Not a TCPAddr, drop
+		c.Close()
+		return noConn{}, nil
+	}
+	if !s.acl.IPAllowed(addr.IP) {
+		c.Close()
+		return noConn{}, nil
+	}
+	return c, nil
+}
+
+type tcpListener interface {
+	SetDeadline(t time.Time) error
+}
+
+var _ tcpListener = (*net.TCPListener)(nil)
+
+func (s *TCPListener) SetDeadline(t time.Time) error {
+	switch lis := s.lis.(type) {
+	case tcpListener:
+		return lis.SetDeadline(t)
+	default:
+		return errors.New("not a TCPListener")
+	}
+}
+
+func (s *TCPListener) Close() error {
+	return s.lis.Close()
+}
--- a/internal/acl/udp_listener.go
+++ b/internal/acl/udp_listener.go
@@ -0,0 +1,105 @@
+package acl
+
+import (
+	"errors"
+	"net"
+	"time"
+)
+
+type UDPListener struct {
+	acl *Config
+	lis net.PacketConn
+}
+
+func (c *Config) WrapUDP(lis net.PacketConn) net.PacketConn {
+	if c == nil {
+		return lis
+	}
+	return &UDPListener{
+		acl: c,
+		lis: lis,
+	}
+}
+
+func (s *UDPListener) LocalAddr() net.Addr {
+	return s.lis.LocalAddr()
+}
+
+func (s *UDPListener) ReadFrom(p []byte) (int, net.Addr, error) {
+	for {
+		n, addr, err := s.lis.ReadFrom(p)
+		if err != nil {
+			return n, addr, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet from disallowed IP
+			continue
+		}
+		return n, addr, nil
+	}
+}
+
+func (s *UDPListener) WriteTo(p []byte, addr net.Addr) (int, error) {
+	for {
+		n, err := s.lis.WriteTo(p, addr)
+		if err != nil {
+			return n, err
+		}
+		udpAddr, ok := addr.(*net.UDPAddr)
+		if !ok {
+			// Not a UDPAddr, drop
+			continue
+		}
+		if !s.acl.IPAllowed(udpAddr.IP) {
+			// Drop packet to disallowed IP
+			continue
+		}
+		return n, nil
+	}
+}
+
+func (s *UDPListener) SetDeadline(t time.Time) error {
+	return s.lis.SetDeadline(t)
+}
+
+func (s *UDPListener) SetReadDeadline(t time.Time) error {
+	return s.lis.SetReadDeadline(t)
+}
+
+func (s *UDPListener) SetWriteDeadline(t time.Time) error {
+	return s.lis.SetWriteDeadline(t)
+}
+
+type udpListener interface {
+	SetReadBuffer(bytes int) error
+	SetWriteBuffer(bytes int) error
+}
+
+var _ udpListener = (*net.UDPConn)(nil)
+
+func (s *UDPListener) SetReadBuffer(bytes int) error {
+	switch lis := s.lis.(type) {
+	case udpListener:
+		return lis.SetReadBuffer(bytes)
+	default:
+		return errors.New("not a UDPConn")
+	}
+}
+
+func (s *UDPListener) SetWriteBuffer(bytes int) error {
+	switch lis := s.lis.(type) {
+	case udpListener:
+		return lis.SetWriteBuffer(bytes)
+	default:
+		return errors.New("not a UDPConn")
+	}
+}
+
+func (s *UDPListener) Close() error {
+	return s.lis.Close()
+}
--- a/internal/api/handler.go
+++ b/internal/api/handler.go
@@ -2,69 +2,206 @@ package api

 import (
 	"net/http"
+	"reflect"

-	"github.com/prometheus/client_golang/prometheus/promhttp"
-	v1 "github.com/yusing/go-proxy/internal/api/v1"
-	"github.com/yusing/go-proxy/internal/api/v1/auth"
-	"github.com/yusing/go-proxy/internal/api/v1/favicon"
-	"github.com/yusing/go-proxy/internal/common"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	"github.com/yusing/go-proxy/internal/logging"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin/codec/json"
+	"github.com/gorilla/websocket"
+	"github.com/rs/zerolog/log"
+	apiV1 "github.com/yusing/godoxy/internal/api/v1"
+	agentApi "github.com/yusing/godoxy/internal/api/v1/agent"
+	authApi "github.com/yusing/godoxy/internal/api/v1/auth"
+	certApi "github.com/yusing/godoxy/internal/api/v1/cert"
+	dockerApi "github.com/yusing/godoxy/internal/api/v1/docker"
+	fileApi "github.com/yusing/godoxy/internal/api/v1/file"
+	homepageApi "github.com/yusing/godoxy/internal/api/v1/homepage"
+	metricsApi "github.com/yusing/godoxy/internal/api/v1/metrics"
+	routeApi "github.com/yusing/godoxy/internal/api/v1/route"
+	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/godoxy/internal/common"
+	apitypes "github.com/yusing/goutils/apitypes"
+	gperr "github.com/yusing/goutils/errs"
 )

-type ServeMux struct{ *http.ServeMux }
+// @title           GoDoxy API
+// @version         1.0
+// @description     GoDoxy API
+// @termsOfService  https://github.com/yusing/godoxy/blob/main/LICENSE

-func (mux ServeMux) HandleFunc(methods, endpoint string, handler http.HandlerFunc) {
-	for _, m := range strutils.CommaSeperatedList(methods) {
-		mux.ServeMux.HandleFunc(m+" "+endpoint, handler)
+// @contact.name   Yusing
+// @contact.url    https://github.com/yusing/godoxy/issues
+
+// @license.name  MIT
+// @license.url   https://github.com/yusing/godoxy/blob/main/LICENSE
+
+// @BasePath  /api/v1
+
+// @externalDocs.description  GoDoxy Docs
+// @externalDocs.url          https://docs.godoxy.dev
+func NewHandler() *gin.Engine {
+	if !common.IsDebug {
+		gin.SetMode("release")
+	}
+	r := gin.New()
+	r.Use(ErrorHandler())
+	r.Use(ErrorLoggingMiddleware())
+	r.Use(NoCache())
+
+	log.Debug().Msg("gin codec json.API: " + reflect.TypeOf(json.API).Name())
+
+	r.GET("/api/v1/version", apiV1.Version)
+
+	if auth.IsEnabled() {
+		v1Auth := r.Group("/api/v1/auth")
+		{
+			v1Auth.HEAD("/check", authApi.Check)
+			v1Auth.POST("/login", authApi.Login)
+			v1Auth.GET("/callback", authApi.Callback)
+			v1Auth.POST("/callback", authApi.Callback)
+			v1Auth.POST("/logout", authApi.Logout)
+			v1Auth.GET("/logout", authApi.Logout)
+		}
+	}
+
+	v1 := r.Group("/api/v1")
+	if auth.IsEnabled() {
+		v1.Use(AuthMiddleware())
+	}
+	if common.APISkipOriginCheck {
+		v1.Use(SkipOriginCheckMiddleware())
+	}
+	{
+		// enable cache for favicon
+		v1.GET("/favicon", apiV1.FavIcon)
+		v1.GET("/health", apiV1.Health)
+		v1.GET("/icons", apiV1.Icons)
+		v1.POST("/reload", apiV1.Reload)
+		v1.GET("/stats", apiV1.Stats)
+
+		route := v1.Group("/route")
+		{
+			route.GET("/list", routeApi.Routes)
+			route.GET("/:which", routeApi.Route)
+			route.GET("/providers", routeApi.Providers)
+			route.GET("/by_provider", routeApi.ByProvider)
+			route.POST("/playground", routeApi.Playground)
+		}
+
+		file := v1.Group("/file")
+		{
+			file.GET("/list", fileApi.List)
+			file.GET("/content", fileApi.Get)
+			file.PUT("/content", fileApi.Set)
+			file.POST("/content", fileApi.Set)
+			file.POST("/validate", fileApi.Validate)
+		}
+
+		homepage := v1.Group("/homepage")
+		{
+			homepage.GET("/categories", homepageApi.Categories)
+			homepage.GET("/items", homepageApi.Items)
+			homepage.POST("/set/item", homepageApi.SetItem)
+			homepage.POST("/set/items_batch", homepageApi.SetItemsBatch)
+			homepage.POST("/set/item_visible", homepageApi.SetItemVisible)
+			homepage.POST("/set/item_favorite", homepageApi.SetItemFavorite)
+			homepage.POST("/set/item_sort_order", homepageApi.SetItemSortOrder)
+			homepage.POST("/set/item_all_sort_order", homepageApi.SetItemAllSortOrder)
+			homepage.POST("/set/item_fav_sort_order", homepageApi.SetItemFavSortOrder)
+			homepage.POST("/set/category_order", homepageApi.SetCategoryOrder)
+			homepage.POST("/item_click", homepageApi.ItemClick)
+		}
+
+		cert := v1.Group("/cert")
+		{
+			cert.GET("/info", certApi.Info)
+			cert.GET("/renew", certApi.Renew)
+		}
+
+		agent := v1.Group("/agent")
+		{
+			agent.GET("/list", agentApi.List)
+			agent.POST("/create", agentApi.Create)
+			agent.POST("/verify", agentApi.Verify)
+		}
+
+		metrics := v1.Group("/metrics")
+		{
+			metrics.GET("/system_info", metricsApi.SystemInfo)
+			metrics.GET("/all_system_info", metricsApi.AllSystemInfo)
+			metrics.GET("/uptime", metricsApi.Uptime)
+		}
+
+		docker := v1.Group("/docker")
+		{
+			docker.GET("/container/:id", dockerApi.GetContainer)
+			docker.GET("/containers", dockerApi.Containers)
+			docker.GET("/info", dockerApi.Info)
+			docker.GET("/logs/:id", dockerApi.Logs)
+			docker.POST("/start", dockerApi.Start)
+			docker.POST("/stop", dockerApi.Stop)
+			docker.POST("/restart", dockerApi.Restart)
+		}
+	}
+
+	return r
+}
+
+func NoCache() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// skip cache if Cache-Control header is set
+		if c.Writer.Header().Get("Cache-Control") == "" {
+			c.Header("Cache-Control", "no-cache, no-store, must-revalidate")
+			c.Header("Pragma", "no-cache")
+			c.Header("Expires", "0")
+		}
+		c.Next()
 	}
 }

-func NewHandler(cfg config.ConfigInstance) http.Handler {
-	mux := ServeMux{http.NewServeMux()}
-	mux.HandleFunc("GET", "/v1", v1.Index)
-	mux.HandleFunc("GET", "/v1/version", v1.GetVersion)
-	mux.HandleFunc("POST", "/v1/reload", useCfg(cfg, v1.Reload))
-	mux.HandleFunc("GET", "/v1/list", auth.RequireAuth(useCfg(cfg, v1.List)))
-	mux.HandleFunc("GET", "/v1/list/{what}", auth.RequireAuth(useCfg(cfg, v1.List)))
-	mux.HandleFunc("GET", "/v1/list/{what}/{which}", auth.RequireAuth(useCfg(cfg, v1.List)))
-	mux.HandleFunc("GET", "/v1/file/{type}/{filename}", auth.RequireAuth(v1.GetFileContent))
-	mux.HandleFunc("POST,PUT", "/v1/file/{type}/{filename}", auth.RequireAuth(v1.SetFileContent))
-	mux.HandleFunc("POST", "/v1/file/validate/{type}", auth.RequireAuth(v1.ValidateFile))
-	mux.HandleFunc("GET", "/v1/stats", useCfg(cfg, v1.Stats))
-	mux.HandleFunc("GET", "/v1/stats/ws", useCfg(cfg, v1.StatsWS))
-	mux.HandleFunc("GET", "/v1/health/ws", auth.RequireAuth(useCfg(cfg, v1.HealthWS)))
-	mux.HandleFunc("GET", "/v1/logs/ws", auth.RequireAuth(useCfg(cfg, v1.LogsWS())))
-	mux.HandleFunc("GET", "/v1/favicon", auth.RequireAuth(favicon.GetFavIcon))
-	mux.HandleFunc("POST", "/v1/homepage/set", auth.RequireAuth(v1.SetHomePageOverrides))
-
-	if common.PrometheusEnabled {
-		mux.Handle("GET /v1/metrics", promhttp.Handler())
-		logging.Info().Msg("prometheus metrics enabled")
+func AuthMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		err := auth.GetDefaultAuth().CheckToken(c.Request)
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, apitypes.Error("Unauthorized", err))
+			c.Abort()
+			return
+		}
+		c.Next()
 	}
+}

-	defaultAuth := auth.GetDefaultAuth()
-	if defaultAuth != nil {
-		mux.HandleFunc("GET", "/v1/auth/redirect", defaultAuth.RedirectLoginPage)
-		mux.HandleFunc("GET", "/v1/auth/check", func(w http.ResponseWriter, r *http.Request) {
-			if err := defaultAuth.CheckToken(r); err != nil {
-				http.Error(w, err.Error(), http.StatusUnauthorized)
-				return
+func SkipOriginCheckMiddleware() gin.HandlerFunc {
+	upgrader := &websocket.Upgrader{
+		CheckOrigin: func(r *http.Request) bool {
+			return true
+		},
+	}
+	return func(c *gin.Context) {
+		c.Set("upgrader", upgrader)
+		c.Next()
+	}
+}
+
+func ErrorHandler() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Next()
+		if len(c.Errors) > 0 {
+			logger := log.With().Str("uri", c.Request.RequestURI).Logger()
+			for _, err := range c.Errors {
+				gperr.LogError("Internal error", err.Err, &logger)
 			}
-		})
-		mux.HandleFunc("GET,POST", "/v1/auth/callback", defaultAuth.LoginCallbackHandler)
-		mux.HandleFunc("GET,POST", "/v1/auth/logout", defaultAuth.LogoutCallbackHandler)
-	} else {
-		mux.HandleFunc("GET", "/v1/auth/check", func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusOK)
-		})
+			if !c.IsWebsocket() {
+				c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
+			}
+		}
 	}
-	return mux
 }

-func useCfg(cfg config.ConfigInstance, handler func(cfg config.ConfigInstance, w http.ResponseWriter, r *http.Request)) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		handler(cfg, w, r)
-	}
+func ErrorLoggingMiddleware() gin.HandlerFunc {
+	return gin.CustomRecoveryWithWriter(nil, func(c *gin.Context, err any) {
+		log.Error().Any("error", err).Str("uri", c.Request.RequestURI).Msg("Internal error")
+		if !c.IsWebsocket() {
+			c.JSON(http.StatusInternalServerError, apitypes.Error("Internal server error"))
+		}
+	})
 }
--- a/internal/api/v1/agent/common.go
+++ b/internal/api/v1/agent/common.go
@@ -0,0 +1,67 @@
+package agentapi
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"sync/atomic"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+)
+
+type PEMPairResponse struct {
+	Cert string `json:"cert" format:"base64"`
+	Key  string `json:"key" format:"base64"`
+} // @name PEMPairResponse
+
+var encryptionKey atomic.Value
+
+const rotateKeyInterval = 15 * time.Minute
+
+func init() {
+	if err := rotateKey(); err != nil {
+		log.Panic().Err(err).Msg("failed to generate encryption key")
+	}
+	go func() {
+		for range time.Tick(rotateKeyInterval) {
+			if err := rotateKey(); err != nil {
+				log.Error().Err(err).Msg("failed to rotate encryption key")
+			}
+		}
+	}()
+}
+
+func getEncryptionKey() []byte {
+	return encryptionKey.Load().([]byte)
+}
+
+func rotateKey() error {
+	// generate a random 32 bytes key
+	key := make([]byte, 32)
+	if _, err := rand.Read(key); err != nil {
+		return err
+	}
+	encryptionKey.Store(key)
+	return nil
+}
+
+func toPEMPairResponse(encPEMPair agent.PEMPair) PEMPairResponse {
+	return PEMPairResponse{
+		Cert: base64.StdEncoding.EncodeToString(encPEMPair.Cert),
+		Key:  base64.StdEncoding.EncodeToString(encPEMPair.Key),
+	}
+}
+
+func fromEncryptedPEMPairResponse(pemPair PEMPairResponse) (agent.PEMPair, error) {
+	encCert, err := base64.StdEncoding.DecodeString(pemPair.Cert)
+	if err != nil {
+		return agent.PEMPair{}, err
+	}
+	encKey, err := base64.StdEncoding.DecodeString(pemPair.Key)
+	if err != nil {
+		return agent.PEMPair{}, err
+	}
+	pair := agent.PEMPair{Cert: encCert, Key: encKey}
+	return pair.Decrypt(getEncryptionKey())
+}
--- a/internal/api/v1/agent/create.go
+++ b/internal/api/v1/agent/create.go
@@ -0,0 +1,107 @@
+package agentapi
+
+import (
+	"net"
+	"net/http"
+	"strconv"
+
+	_ "embed"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type NewAgentRequest struct {
+	Name             string                 `json:"name" binding:"required"`
+	Host             string                 `json:"host" binding:"required"`
+	Port             int                    `json:"port" binding:"required,min=1,max=65535"`
+	Type             string                 `json:"type" binding:"required,oneof=docker system"`
+	Nightly          bool                   `json:"nightly" binding:"omitempty"`
+	ContainerRuntime agent.ContainerRuntime `json:"container_runtime" binding:"omitempty,oneof=docker podman" default:"docker"`
+} // @name NewAgentRequest
+
+type NewAgentResponse struct {
+	Compose string          `json:"compose"`
+	CA      PEMPairResponse `json:"ca"`
+	Client  PEMPairResponse `json:"client"`
+} // @name NewAgentResponse
+
+// @x-id				"create"
+// @BasePath		/api/v1
+// @Summary		Create a new agent
+// @Description	Create a new agent and return the docker compose file, encrypted CA and client PEMs
+// @Description	The returned PEMs are encrypted with a random key and will be used for verification when adding a new agent
+// @Tags			agent
+// @Accept			json
+// @Produce		json
+// @Param			request	body		NewAgentRequest	true	"Request"
+// @Success		200		{object}	NewAgentResponse
+// @Failure		400		{object}	apitypes.ErrorResponse
+// @Failure		403		{object}	apitypes.ErrorResponse
+// @Failure		409		{object}	apitypes.ErrorResponse
+// @Failure		500		{object}	apitypes.ErrorResponse
+// @Router			/agent/create [post]
+func Create(c *gin.Context) {
+	var request NewAgentRequest
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	hostport := net.JoinHostPort(request.Host, strconv.Itoa(request.Port))
+	if _, ok := agent.GetAgent(hostport); ok {
+		c.JSON(http.StatusConflict, apitypes.Error("agent already exists"))
+		return
+	}
+
+	var image string
+	if request.Nightly {
+		image = agent.DockerImageNightly
+	} else {
+		image = agent.DockerImageProduction
+	}
+
+	ca, srv, client, err := agent.NewAgent()
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create agent"))
+		return
+	}
+
+	var cfg agent.Generator = &agent.AgentEnvConfig{
+		Name:             request.Name,
+		Port:             request.Port,
+		CACert:           ca.String(),
+		SSLCert:          srv.String(),
+		ContainerRuntime: request.ContainerRuntime,
+	}
+	if request.Type == "docker" {
+		cfg = &agent.AgentComposeConfig{
+			Image:          image,
+			AgentEnvConfig: cfg.(*agent.AgentEnvConfig),
+		}
+	}
+	template, err := cfg.Generate()
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to generate agent config"))
+		return
+	}
+
+	key := getEncryptionKey()
+	encCA, err := ca.Encrypt(key)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to encrypt CA PEMs"))
+		return
+	}
+	encClient, err := client.Encrypt(key)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to encrypt client PEMs"))
+		return
+	}
+
+	c.JSON(http.StatusOK, NewAgentResponse{
+		Compose: template,
+		CA:      toPEMPairResponse(encCA),
+		Client:  toPEMPairResponse(encClient),
+	})
+}
--- a/internal/api/v1/agent/list.go
+++ b/internal/api/v1/agent/list.go
@@ -0,0 +1,33 @@
+package agentapi
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
+
+	_ "github.com/yusing/goutils/apitypes"
+)
+
+// @x-id				"list"
+// @BasePath		/api/v1
+// @Summary		List agents
+// @Description	List agents
+// @Tags			agent,websocket
+// @Accept			json
+// @Produce		json
+// @Success		200	{array}		Agent
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Router			/agent/list [get]
+func List(c *gin.Context) {
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, 10*time.Second, func() (any, error) {
+			return agent.ListAgents(), nil
+		})
+	} else {
+		c.JSON(http.StatusOK, agent.ListAgents())
+	}
+}
--- a/internal/api/v1/agent/verify.go
+++ b/internal/api/v1/agent/verify.go
@@ -0,0 +1,114 @@
+package agentapi
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/agent/pkg/agent"
+	"github.com/yusing/godoxy/agent/pkg/certs"
+	config "github.com/yusing/godoxy/internal/config/types"
+	"github.com/yusing/godoxy/internal/route/provider"
+	apitypes "github.com/yusing/goutils/apitypes"
+	gperr "github.com/yusing/goutils/errs"
+)
+
+type VerifyNewAgentRequest struct {
+	Host             string                 `json:"host"`
+	CA               PEMPairResponse        `json:"ca"`
+	Client           PEMPairResponse        `json:"client"`
+	ContainerRuntime agent.ContainerRuntime `json:"container_runtime"`
+} // @name VerifyNewAgentRequest
+
+// @x-id          "verify"
+// @BasePath		/api/v1
+// @Summary		Verify a new agent
+// @Description	Verify a new agent and return the number of routes added
+// @Tags			agent
+// @Accept			json
+// @Produce		json
+// @Param			request	body		VerifyNewAgentRequest	true	"Request"
+// @Success		200		{object}	SuccessResponse
+// @Failure		400		{object}	ErrorResponse
+// @Failure		403		{object}	ErrorResponse
+// @Failure		500		{object}	ErrorResponse
+// @Router			/agent/verify [post]
+func Verify(c *gin.Context) {
+	var request VerifyNewAgentRequest
+	if err := c.ShouldBindJSON(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	filename, ok := certs.AgentCertsFilepath(request.Host)
+	if !ok {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid host", nil))
+		return
+	}
+
+	ca, err := fromEncryptedPEMPairResponse(request.CA)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid CA", err))
+		return
+	}
+
+	client, err := fromEncryptedPEMPairResponse(request.Client)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid client", err))
+		return
+	}
+
+	nRoutesAdded, err := verifyNewAgent(request.Host, ca, client, request.ContainerRuntime)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	zip, err := certs.ZipCert(ca.Cert, client.Cert, client.Key)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to zip certs"))
+		return
+	}
+
+	if err := os.WriteFile(filename, zip, 0o600); err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to write certs"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success(fmt.Sprintf("Added %d routes", nRoutesAdded)))
+}
+
+func verifyNewAgent(host string, ca agent.PEMPair, client agent.PEMPair, containerRuntime agent.ContainerRuntime) (int, gperr.Error) {
+	cfgState := config.ActiveState.Load()
+	for _, a := range cfgState.Value().Providers.Agents {
+		if a.Addr == host {
+			return 0, gperr.New("agent already exists")
+		}
+	}
+
+	var agentCfg agent.AgentConfig
+	agentCfg.Addr = host
+	agentCfg.Runtime = containerRuntime
+
+	err := agentCfg.StartWithCerts(cfgState.Context(), ca.Cert, client.Cert, client.Key)
+	if err != nil {
+		return 0, gperr.Wrap(err, "failed to start agent")
+	}
+
+	provider := provider.NewAgentProvider(&agentCfg)
+	if _, loaded := cfgState.LoadOrStoreProvider(provider.String(), provider); loaded {
+		return 0, gperr.Errorf("provider %s already exists", provider.String())
+	}
+
+	// agent must be added before loading routes
+	agent.AddAgent(&agentCfg)
+	err = provider.LoadRoutes()
+	if err != nil {
+		cfgState.DeleteProvider(provider.String())
+		agent.RemoveAgent(&agentCfg)
+		return 0, gperr.Wrap(err, "failed to load routes")
+	}
+
+	return provider.NumRoutes(), nil
+}
--- a/internal/api/v1/auth/auth.go
+++ b/internal/api/v1/auth/auth.go
@@ -1,54 +0,0 @@
-package auth
-
-import (
-	"net/http"
-
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/logging"
-)
-
-var defaultAuth Provider
-
-// Initialize sets up authentication providers.
-func Initialize() error {
-	if !IsEnabled() {
-		logging.Warn().Msg("authentication is disabled, please set API_JWT_SECRET or OIDC_* to enable authentication")
-		return nil
-	}
-
-	var err error
-	// Initialize OIDC if configured.
-	if common.OIDCIssuerURL != "" {
-		defaultAuth, err = NewOIDCProviderFromEnv()
-	} else {
-		defaultAuth, err = NewUserPassAuthFromEnv()
-	}
-
-	return err
-}
-
-func GetDefaultAuth() Provider {
-	return defaultAuth
-}
-
-func IsEnabled() bool {
-	return common.APIJWTSecret != nil || IsOIDCEnabled()
-}
-
-func IsOIDCEnabled() bool {
-	return common.OIDCIssuerURL != ""
-}
-
-func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
-	if IsEnabled() {
-		return func(w http.ResponseWriter, r *http.Request) {
-			if err := defaultAuth.CheckToken(r); err != nil {
-				U.RespondError(w, err, http.StatusUnauthorized)
-			} else {
-				next(w, r)
-			}
-		}
-	}
-	return next
-}
--- a/internal/api/v1/auth/callback.go
+++ b/internal/api/v1/auth/callback.go
@@ -0,0 +1,24 @@
+//nolint:dupword
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/auth"
+)
+
+// @x-id				"callback"
+// @Base			/api/v1
+// @Summary		Auth Callback
+// @Description	Handles the callback from the provider after successful authentication
+// @Tags			auth
+// @Produce		plain
+// @Param		  body	body	auth.UserPassAuthCallbackRequest	true	"Userpass only"
+// @Success		200	{string}	string	"Userpass: OK"
+// @Success		302	{string}	string	"OIDC: Redirects to home page"
+// @Failure		400	{string}	string	"OIDC: invalid request (missing state cookie or oauth state)"
+// @Failure		400	{string}	string	"Userpass: invalid request / credentials"
+// @Failure		500	{string}	string	"Internal server error"
+// @Router			/auth/callback [post]
+func Callback(c *gin.Context) {
+	auth.GetDefaultAuth().PostAuthCallbackHandler(c.Writer, c.Request)
+}
--- a/internal/api/v1/auth/check.go
+++ b/internal/api/v1/auth/check.go
@@ -0,0 +1,19 @@
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/auth"
+)
+
+// @x-id	  	"check"
+// @Base			/api/v1
+// @Summary		Check authentication status
+// @Description	Checks if the user is authenticated by validating their token
+// @Tags			auth
+// @Produce		plain
+// @Success		200	{string}	string	"OK"
+// @Failure		302	{string}	string	"Redirects to login page or IdP"
+// @Router			/auth/check [head]
+func Check(c *gin.Context) {
+	auth.AuthCheckHandler(c.Writer, c.Request)
+}
--- a/internal/api/v1/auth/login.go
+++ b/internal/api/v1/auth/login.go
@@ -0,0 +1,19 @@
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/auth"
+)
+
+// @x-id       "login"
+// @Base       /api/v1
+// @Summary    Login
+// @Description Initiates the login process by redirecting the user to the provider's login page
+// @Tags       auth
+// @Produce    plain
+// @Success    302 {string} string "Redirects to login page or IdP"
+// @Failure    429 {string} string "Too Many Requests"
+// @Router     /auth/login [post]
+func Login(c *gin.Context) {
+	auth.GetDefaultAuth().LoginHandler(c.Writer, c.Request)
+}
--- a/internal/api/v1/auth/logout.go
+++ b/internal/api/v1/auth/logout.go
@@ -0,0 +1,19 @@
+package auth
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/auth"
+)
+
+// @x-id				"logout"
+// @Base			/api/v1
+// @Summary		Logout
+// @Description	Logs out the user by invalidating the token
+// @Tags			auth
+// @Produce		plain
+// @Success		302	{string} string	"Redirects to home page"
+// @Router			/auth/logout [post]
+// @Router			/auth/logout [get]
+func Logout(c *gin.Context) {
+	auth.GetDefaultAuth().LogoutHandler(c.Writer, c.Request)
+}
--- a/internal/api/v1/auth/oidc.go
+++ b/internal/api/v1/auth/oidc.go
@@ -1,274 +0,0 @@
-package auth
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/url"
-	"slices"
-	"time"
-
-	"github.com/coreos/go-oidc/v3/oidc"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	E "github.com/yusing/go-proxy/internal/error"
-	CE "github.com/yusing/go-proxy/internal/utils"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-	"golang.org/x/oauth2"
-)
-
-type OIDCProvider struct {
-	oauthConfig   *oauth2.Config
-	oidcProvider  *oidc.Provider
-	oidcVerifier  *oidc.IDTokenVerifier
-	oidcLogoutURL *url.URL
-	allowedUsers  []string
-	allowedGroups []string
-	isMiddleware  bool
-}
-
-const CookieOauthState = "godoxy_oidc_state"
-
-const (
-	OIDCMiddlewareCallbackPath = "/auth/callback"
-	OIDCLogoutPath             = "/auth/logout"
-)
-
-func NewOIDCProvider(issuerURL, clientID, clientSecret, redirectURL, logoutURL string, allowedUsers, allowedGroups []string) (*OIDCProvider, error) {
-	if len(allowedUsers)+len(allowedGroups) == 0 {
-		return nil, errors.New("OIDC users, groups, or both must not be empty")
-	}
-
-	var logout *url.URL
-	var err error
-	if logoutURL != "" {
-		logout, err = url.Parse(logoutURL)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse logout URL: %w", err)
-		}
-	}
-
-	provider, err := oidc.NewProvider(context.Background(), issuerURL)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
-	}
-
-	return &OIDCProvider{
-		oauthConfig: &oauth2.Config{
-			ClientID:     clientID,
-			ClientSecret: clientSecret,
-			RedirectURL:  redirectURL,
-			Endpoint:     provider.Endpoint(),
-			Scopes:       strutils.CommaSeperatedList(common.OIDCScopes),
-		},
-		oidcProvider: provider,
-		oidcVerifier: provider.Verifier(&oidc.Config{
-			ClientID: clientID,
-		}),
-		oidcLogoutURL: logout,
-		allowedUsers:  allowedUsers,
-		allowedGroups: allowedGroups,
-	}, nil
-}
-
-// NewOIDCProviderFromEnv creates a new OIDCProvider from environment variables.
-func NewOIDCProviderFromEnv() (*OIDCProvider, error) {
-	return NewOIDCProvider(
-		common.OIDCIssuerURL,
-		common.OIDCClientID,
-		common.OIDCClientSecret,
-		common.OIDCRedirectURL,
-		common.OIDCLogoutURL,
-		common.OIDCAllowedUsers,
-		common.OIDCAllowedGroups,
-	)
-}
-
-func (auth *OIDCProvider) TokenCookieName() string {
-	return "godoxy_oidc_token"
-}
-
-func (auth *OIDCProvider) SetIsMiddleware(enabled bool) {
-	auth.isMiddleware = enabled
-	auth.oauthConfig.RedirectURL = ""
-}
-
-func (auth *OIDCProvider) SetAllowedUsers(users []string) {
-	auth.allowedUsers = users
-}
-
-func (auth *OIDCProvider) SetAllowedGroups(groups []string) {
-	auth.allowedGroups = groups
-}
-
-func (auth *OIDCProvider) CheckToken(r *http.Request) error {
-	token, err := r.Cookie(auth.TokenCookieName())
-	if err != nil {
-		return ErrMissingToken
-	}
-
-	// checks for Expiry, Audience == ClientID, Issuer, etc.
-	idToken, err := auth.oidcVerifier.Verify(r.Context(), token.Value)
-	if err != nil {
-		return fmt.Errorf("failed to verify ID token: %w: %w", ErrInvalidToken, err)
-	}
-
-	if len(idToken.Audience) == 0 {
-		return ErrInvalidToken
-	}
-
-	var claims struct {
-		Email    string   `json:"email"`
-		Username string   `json:"preferred_username"`
-		Groups   []string `json:"groups"`
-	}
-	if err := idToken.Claims(&claims); err != nil {
-		return fmt.Errorf("failed to parse claims: %w", err)
-	}
-
-	// Logical AND between allowed users and groups.
-	allowedUser := slices.Contains(auth.allowedUsers, claims.Username)
-	allowedGroup := len(CE.Intersect(claims.Groups, auth.allowedGroups)) > 0
-	if !allowedUser && !allowedGroup {
-		return ErrUserNotAllowed.Subject(claims.Username)
-	}
-	return nil
-}
-
-// generateState generates a random string for OIDC state.
-const oidcStateLength = 32
-
-func generateState() (string, error) {
-	b := make([]byte, oidcStateLength)
-	_, err := rand.Read(b)
-	if err != nil {
-		return "", err
-	}
-	return base64.URLEncoding.EncodeToString(b)[:oidcStateLength], nil
-}
-
-// RedirectOIDC initiates the OIDC login flow.
-func (auth *OIDCProvider) RedirectLoginPage(w http.ResponseWriter, r *http.Request) {
-	state, err := generateState()
-	if err != nil {
-		U.HandleErr(w, r, err, http.StatusInternalServerError)
-		return
-	}
-	http.SetCookie(w, &http.Cookie{
-		Name:     CookieOauthState,
-		Value:    state,
-		MaxAge:   300,
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-		Secure:   true,
-		Path:     "/",
-	})
-
-	redirURL := auth.oauthConfig.AuthCodeURL(state)
-	if auth.isMiddleware {
-		u, err := r.URL.Parse(redirURL)
-		if err != nil {
-			U.HandleErr(w, r, err, http.StatusInternalServerError)
-			return
-		}
-		q := u.Query()
-		q.Set("redirect_uri", "https://"+r.Host+OIDCMiddlewareCallbackPath+q.Get("redirect_uri"))
-		u.RawQuery = q.Encode()
-		redirURL = u.String()
-	}
-	http.Redirect(w, r, redirURL, http.StatusTemporaryRedirect)
-}
-
-func (auth *OIDCProvider) exchange(r *http.Request) (*oauth2.Token, error) {
-	if auth.isMiddleware {
-		cfg := *auth.oauthConfig
-		cfg.RedirectURL = "https://" + r.Host + OIDCMiddlewareCallbackPath
-		return cfg.Exchange(r.Context(), r.URL.Query().Get("code"))
-	}
-	return auth.oauthConfig.Exchange(r.Context(), r.URL.Query().Get("code"))
-}
-
-// OIDCCallbackHandler handles the OIDC callback.
-func (auth *OIDCProvider) LoginCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	// For testing purposes, skip provider verification
-	if common.IsTest {
-		auth.handleTestCallback(w, r)
-		return
-	}
-
-	state, err := r.Cookie(CookieOauthState)
-	if err != nil {
-		U.HandleErr(w, r, E.New("missing state cookie"), http.StatusBadRequest)
-		return
-	}
-
-	query := r.URL.Query()
-	if query.Get("state") != state.Value {
-		U.HandleErr(w, r, E.New("invalid oauth state"), http.StatusBadRequest)
-		return
-	}
-
-	oauth2Token, err := auth.exchange(r)
-	if err != nil {
-		U.HandleErr(w, r, fmt.Errorf("failed to exchange token: %w", err), http.StatusInternalServerError)
-		return
-	}
-
-	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
-	if !ok {
-		U.HandleErr(w, r, E.New("missing id_token"), http.StatusInternalServerError)
-		return
-	}
-
-	idToken, err := auth.oidcVerifier.Verify(r.Context(), rawIDToken)
-	if err != nil {
-		U.HandleErr(w, r, fmt.Errorf("failed to verify ID token: %w", err), http.StatusInternalServerError)
-		return
-	}
-
-	setTokenCookie(w, r, auth.TokenCookieName(), rawIDToken, time.Until(idToken.Expiry))
-
-	// Redirect to home page
-	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
-}
-
-func (auth *OIDCProvider) LogoutCallbackHandler(w http.ResponseWriter, r *http.Request) {
-	if auth.oidcLogoutURL == nil {
-		DefaultLogoutCallbackHandler(auth, w, r)
-		return
-	}
-
-	token, err := r.Cookie(auth.TokenCookieName())
-	if err != nil {
-		U.HandleErr(w, r, E.New("missing token cookie"), http.StatusBadRequest)
-		return
-	}
-	clearTokenCookie(w, r, auth.TokenCookieName())
-
-	logoutURL := *auth.oidcLogoutURL
-	logoutURL.Query().Add("id_token_hint", token.Value)
-
-	http.Redirect(w, r, logoutURL.String(), http.StatusFound)
-}
-
-// handleTestCallback handles OIDC callback in test environment.
-func (auth *OIDCProvider) handleTestCallback(w http.ResponseWriter, r *http.Request) {
-	state, err := r.Cookie(CookieOauthState)
-	if err != nil {
-		U.HandleErr(w, r, E.New("missing state cookie"), http.StatusBadRequest)
-		return
-	}
-
-	if r.URL.Query().Get("state") != state.Value {
-		U.HandleErr(w, r, E.New("invalid oauth state"), http.StatusBadRequest)
-		return
-	}
-
-	// Create test JWT token
-	setTokenCookie(w, r, auth.TokenCookieName(), "test", time.Hour)
-
-	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
-}
--- a/internal/api/v1/auth/provider.go
+++ b/internal/api/v1/auth/provider.go
@@ -1,13 +0,0 @@
-package auth
-
-import (
-	"net/http"
-)
-
-type Provider interface {
-	TokenCookieName() string
-	CheckToken(r *http.Request) error
-	RedirectLoginPage(w http.ResponseWriter, r *http.Request)
-	LoginCallbackHandler(w http.ResponseWriter, r *http.Request)
-	LogoutCallbackHandler(w http.ResponseWriter, r *http.Request)
-}
--- a/internal/api/v1/auth/utils.go
+++ b/internal/api/v1/auth/utils.go
@@ -1,69 +0,0 @@
-package auth
-
-import (
-	"net"
-	"net/http"
-	"time"
-
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
-)
-
-var (
-	ErrMissingToken   = E.New("missing token")
-	ErrInvalidToken   = E.New("invalid token")
-	ErrUserNotAllowed = E.New("user not allowed")
-)
-
-// cookieFQDN returns the fully qualified domain name of the request host
-// with subdomain stripped.
-//
-// If the request host does not have a subdomain,
-// an empty string is returned
-//
-//	"abc.example.com" -> "example.com"
-//	"example.com" -> ""
-func cookieFQDN(r *http.Request) string {
-	host, _, err := net.SplitHostPort(r.Host)
-	if err != nil {
-		host = r.Host
-	}
-	parts := strutils.SplitRune(host, '.')
-	if len(parts) < 2 {
-		return ""
-	}
-	parts[0] = ""
-	return strutils.JoinRune(parts, '.')
-}
-
-func setTokenCookie(w http.ResponseWriter, r *http.Request, name, value string, ttl time.Duration) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     name,
-		Value:    value,
-		MaxAge:   int(ttl.Seconds()),
-		Domain:   cookieFQDN(r),
-		HttpOnly: true,
-		Secure:   true,
-		SameSite: http.SameSiteLaxMode,
-		Path:     "/",
-	})
-}
-
-func clearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     name,
-		Value:    "",
-		MaxAge:   -1,
-		Domain:   cookieFQDN(r),
-		HttpOnly: true,
-		Secure:   true,
-		SameSite: http.SameSiteLaxMode,
-		Path:     "/",
-	})
-}
-
-// DefaultLogoutCallbackHandler clears the token cookie and redirects to the login page..
-func DefaultLogoutCallbackHandler(auth Provider, w http.ResponseWriter, r *http.Request) {
-	clearTokenCookie(w, r, auth.TokenCookieName())
-	auth.RedirectLoginPage(w, r)
-}
--- a/internal/api/v1/cert/info.go
+++ b/internal/api/v1/cert/info.go
@@ -0,0 +1,53 @@
+package certapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/autocert"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type CertInfo struct {
+	Subject        string   `json:"subject"`
+	Issuer         string   `json:"issuer"`
+	NotBefore      int64    `json:"not_before"`
+	NotAfter       int64    `json:"not_after"`
+	DNSNames       []string `json:"dns_names"`
+	EmailAddresses []string `json:"email_addresses"`
+} // @name CertInfo
+
+// @x-id				"info"
+// @BasePath		/api/v1
+// @Summary		Get cert info
+// @Description	Get cert info
+// @Tags			cert
+// @Produce		json
+// @Success		200	{object}	CertInfo
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/cert/info [get]
+func Info(c *gin.Context) {
+	autocert := autocert.ActiveProvider.Load()
+	if autocert == nil {
+		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
+		return
+	}
+
+	cert, err := autocert.GetCert(nil)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get cert info"))
+		return
+	}
+
+	certInfo := CertInfo{
+		Subject:        cert.Leaf.Subject.CommonName,
+		Issuer:         cert.Leaf.Issuer.CommonName,
+		NotBefore:      cert.Leaf.NotBefore.Unix(),
+		NotAfter:       cert.Leaf.NotAfter.Unix(),
+		DNSNames:       cert.Leaf.DNSNames,
+		EmailAddresses: cert.Leaf.EmailAddresses,
+	}
+	c.JSON(http.StatusOK, certInfo)
+}
--- a/internal/api/v1/cert/renew.go
+++ b/internal/api/v1/cert/renew.go
@@ -0,0 +1,72 @@
+package certapi
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/internal/autocert"
+	"github.com/yusing/godoxy/internal/logging/memlogger"
+	apitypes "github.com/yusing/goutils/apitypes"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+// @x-id				"renew"
+// @BasePath		/api/v1
+// @Summary		Renew cert
+// @Description	Renew cert
+// @Tags			cert,websocket
+// @Produce		plain
+// @Success		200	{object}	apitypes.SuccessResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/cert/renew [get]
+func Renew(c *gin.Context) {
+	autocert := autocert.ActiveProvider.Load()
+	if autocert == nil {
+		c.JSON(http.StatusNotFound, apitypes.Error("autocert is not enabled"))
+		return
+	}
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create websocket manager"))
+		return
+	}
+	defer manager.Close()
+
+	logs, cancel := memlogger.Events()
+	defer cancel()
+
+	done := make(chan struct{})
+
+	go func() {
+		defer close(done)
+
+		err = autocert.ObtainCert()
+		if err != nil {
+			gperr.LogError("failed to obtain cert", err)
+			_ = manager.WriteData(websocket.TextMessage, []byte(err.Error()), 10*time.Second)
+		} else {
+			log.Info().Msg("cert obtained successfully")
+		}
+	}()
+
+	for {
+		select {
+		case l := <-logs:
+			if err != nil {
+				return
+			}
+
+			err = manager.WriteData(websocket.TextMessage, l, 10*time.Second)
+			if err != nil {
+				return
+			}
+		case <-done:
+			return
+		}
+	}
+}
--- a/internal/api/v1/docker/container.go
+++ b/internal/api/v1/docker/container.go
@@ -0,0 +1,64 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/client"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+// @x-id				"container"
+// @BasePath		/api/v1
+// @Summary		Get container
+// @Description	Get container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			id	path		string	true	"Container ID"
+// @Success		200	{object}		Container
+// @Failure		400	{object}	apitypes.ErrorResponse "ID is required"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/container/{id} [get]
+func GetContainer(c *gin.Context) {
+	id := c.Param("id")
+	if id == "" {
+		c.JSON(http.StatusBadRequest, apitypes.Error("id is required"))
+		return
+	}
+
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(id)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	dockerClient, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer dockerClient.Close()
+
+	cont, err := dockerClient.ContainerInspect(c.Request.Context(), id, client.ContainerInspectOptions{})
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to inspect container"))
+		return
+	}
+
+	var state ContainerState
+	if cont.Container.State != nil {
+		state = cont.Container.State.Status
+	}
+
+	c.JSON(http.StatusOK, &Container{
+		Server: dockerCfg.URL,
+		Name:   cont.Container.Name,
+		ID:     cont.Container.ID,
+		Image:  cont.Container.Image,
+		State:  state,
+	})
+}
--- a/internal/api/v1/docker/containers.go
+++ b/internal/api/v1/docker/containers.go
@@ -0,0 +1,69 @@
+package dockerapi
+
+import (
+	"context"
+	"sort"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/client"
+	gperr "github.com/yusing/goutils/errs"
+
+	_ "github.com/yusing/goutils/apitypes"
+)
+
+type ContainerState = container.ContainerState // @name ContainerState
+
+type Container struct {
+	Server string         `json:"server"`
+	Name   string         `json:"name"`
+	ID     string         `json:"id"`
+	Image  string         `json:"image"`
+	State  ContainerState `json:"state,omitempty" extensions:"x-nullable"`
+} // @name ContainerResponse
+
+// @x-id				"containers"
+// @BasePath		/api/v1
+// @Summary		Get containers
+// @Description	Get containers
+// @Tags			docker
+// @Produce		json
+// @Success		200	{array}		Container
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/containers [get]
+func Containers(c *gin.Context) {
+	serveHTTP[Container](c, GetContainers)
+}
+
+func GetContainers(ctx context.Context, dockerClients DockerClients) ([]Container, gperr.Error) {
+	errs := gperr.NewBuilder("failed to get containers")
+	containers := make([]Container, 0)
+	for server, dockerClient := range dockerClients {
+		conts, err := dockerClient.ContainerList(ctx, client.ContainerListOptions{All: true})
+		if err != nil {
+			errs.Add(err)
+			continue
+		}
+		for _, cont := range conts.Items {
+			containers = append(containers, Container{
+				Server: server,
+				Name:   cont.Names[0],
+				ID:     cont.ID,
+				Image:  cont.Image,
+				State:  cont.State,
+			})
+		}
+	}
+	sort.Slice(containers, func(i, j int) bool {
+		return containers[i].Name < containers[j].Name
+	})
+	if err := errs.Error(); err != nil {
+		gperr.LogError("failed to get containers", err)
+		if len(containers) == 0 {
+			return nil, err
+		}
+		return containers, nil
+	}
+	return containers, nil
+}
--- a/internal/api/v1/docker/info.go
+++ b/internal/api/v1/docker/info.go
@@ -0,0 +1,82 @@
+package dockerapi
+
+import (
+	"context"
+	"sort"
+
+	"github.com/gin-gonic/gin"
+	dockerSystem "github.com/moby/moby/api/types/system"
+	"github.com/moby/moby/client"
+	gperr "github.com/yusing/goutils/errs"
+	strutils "github.com/yusing/goutils/strings"
+
+	_ "github.com/yusing/goutils/apitypes"
+)
+
+type containerStats struct {
+	Total   int `json:"total"`
+	Running int `json:"running"`
+	Paused  int `json:"paused"`
+	Stopped int `json:"stopped"`
+} // @name ContainerStats
+
+type dockerInfo struct {
+	Name          string         `json:"name"`
+	ServerVersion string         `json:"version"`
+	Containers    containerStats `json:"containers"`
+	Images        int            `json:"images"`
+	NCPU          int            `json:"n_cpu"`
+	MemTotal      string         `json:"memory"`
+} // @name ServerInfo
+
+func toDockerInfo(info dockerSystem.Info) dockerInfo {
+	return dockerInfo{
+		Name:          info.Name,
+		ServerVersion: info.ServerVersion,
+		Containers: containerStats{
+			Total:   info.ContainersRunning,
+			Running: info.ContainersRunning,
+			Paused:  info.ContainersPaused,
+			Stopped: info.ContainersStopped,
+		},
+		Images:   info.Images,
+		NCPU:     info.NCPU,
+		MemTotal: strutils.FormatByteSize(info.MemTotal),
+	}
+}
+
+// @x-id				"info"
+// @BasePath		/api/v1
+// @Summary		Get docker info
+// @Description	Get docker info
+// @Tags			docker
+// @Produce		json
+// @Success		200	{object}		dockerInfo
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/info [get]
+func Info(c *gin.Context) {
+	serveHTTP[dockerInfo](c, GetDockerInfo)
+}
+
+func GetDockerInfo(ctx context.Context, dockerClients DockerClients) ([]dockerInfo, gperr.Error) {
+	errs := gperr.NewBuilder("failed to get docker info")
+	dockerInfos := make([]dockerInfo, len(dockerClients))
+
+	i := 0
+	for name, dockerClient := range dockerClients {
+		info, err := dockerClient.Info(ctx, client.InfoOptions{})
+		if err != nil {
+			errs.Add(err)
+			continue
+		}
+		info.Info.Name = name
+		dockerInfos[i] = toDockerInfo(info.Info)
+		i++
+	}
+
+	sort.Slice(dockerInfos, func(i, j int) bool {
+		return dockerInfos[i].Name < dockerInfos[j].Name
+	})
+	return dockerInfos, errs.Error()
+}
--- a/internal/api/v1/docker/logs.go
+++ b/internal/api/v1/docker/logs.go
@@ -0,0 +1,112 @@
+package dockerapi
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/api/pkg/stdcopy"
+	"github.com/moby/moby/client"
+	"github.com/rs/zerolog/log"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+	"github.com/yusing/goutils/http/websocket"
+	"github.com/yusing/goutils/task"
+)
+
+type LogsQueryParams struct {
+	Stdout bool   `form:"stdout,default=true"`
+	Stderr bool   `form:"stderr,default=true"`
+	Since  string `form:"from"`
+	Until  string `form:"to"`
+	Levels string `form:"levels"`
+} //	@name	LogsQueryParams
+
+// @x-id				"logs"
+// @BasePath		/api/v1
+// @Summary		Get docker container logs
+// @Description	Get docker container logs by container id
+// @Tags			docker,websocket
+// @Accept			json
+// @Produce		json
+// @Param			id	path	string	true	"container id"
+// @Param			stdout		query	bool	false	"show stdout"
+// @Param			stderr		query	bool	false	"show stderr"
+// @Param			from		query	string	false	"from timestamp"
+// @Param			to			query	string	false	"to timestamp"
+// @Param			levels		query	string	false	"levels"
+// @Success		200
+// @Failure		400	{object}	apitypes.ErrorResponse
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "server not found or container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/logs/{id} [get]
+func Logs(c *gin.Context) {
+	id := c.Param("id")
+	if id == "" {
+		c.JSON(http.StatusBadRequest, apitypes.Error("container id is required"))
+		return
+	}
+
+	var queryParams LogsQueryParams
+	if err := c.ShouldBindQuery(&queryParams); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid query params"))
+		return
+	}
+
+	// TODO: implement levels
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(id)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error(fmt.Sprintf("container %s not found", id)))
+		return
+	}
+
+	dockerClient, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get docker client"))
+		return
+	}
+	defer dockerClient.Close()
+
+	opts := client.ContainerLogsOptions{
+		ShowStdout: queryParams.Stdout,
+		ShowStderr: queryParams.Stderr,
+		Since:      queryParams.Since,
+		Until:      queryParams.Until,
+		Timestamps: true,
+		Follow:     true,
+		Tail:       "100",
+	}
+	if queryParams.Levels != "" {
+		opts.Details = true
+	}
+
+	logs, err := dockerClient.ContainerLogs(c.Request.Context(), id, opts)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to get container logs"))
+		return
+	}
+	defer logs.Close()
+
+	manager, err := websocket.NewManagerWithUpgrade(c)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create websocket manager"))
+		return
+	}
+	defer manager.Close()
+
+	writer := manager.NewWriter(websocket.TextMessage)
+
+	_, err = stdcopy.StdCopy(writer, writer, logs) // de-multiplex logs
+	if err != nil {
+		if errors.Is(err, context.Canceled) || errors.Is(err, task.ErrProgramExiting) {
+			return
+		}
+		log.Err(err).
+			Str("server", dockerCfg.URL).
+			Str("container", id).
+			Msg("failed to de-multiplex logs")
+	}
+}
--- a/internal/api/v1/docker/restart.go
+++ b/internal/api/v1/docker/restart.go
@@ -0,0 +1,58 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/client"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type RestartRequest struct {
+	ID string `json:"id" binding:"required"`
+	client.ContainerRestartOptions
+}
+
+// @x-id				"restart"
+// @BasePath		/api/v1
+// @Summary		Restart container
+// @Description	Restart container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			request	body	RestartRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/restart [post]
+func Restart(c *gin.Context) {
+	var req RestartRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(req.ID)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	_, err = client.ContainerRestart(c.Request.Context(), req.ID, req.ContainerRestartOptions)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to restart container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container restarted"))
+}
--- a/internal/api/v1/docker/start.go
+++ b/internal/api/v1/docker/start.go
@@ -0,0 +1,58 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/client"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type StartRequest struct {
+	ID string `json:"id" binding:"required"`
+	client.ContainerStartOptions
+}
+
+// @x-id				"start"
+// @BasePath		/api/v1
+// @Summary		Start container
+// @Description	Start container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			request	body		StartRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/start [post]
+func Start(c *gin.Context) {
+	var req StartRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(req.ID)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	_, err = client.ContainerStart(c.Request.Context(), req.ID, req.ContainerStartOptions)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to start container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container started"))
+}
--- a/internal/api/v1/docker/stop.go
+++ b/internal/api/v1/docker/stop.go
@@ -0,0 +1,58 @@
+package dockerapi
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/moby/moby/client"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type StopRequest struct {
+	ID string `json:"id" binding:"required"`
+	client.ContainerStopOptions
+}
+
+// @x-id				"stop"
+// @BasePath		/api/v1
+// @Summary		Stop container
+// @Description	Stop container by container id
+// @Tags			docker
+// @Produce		json
+// @Param			request	body		StopRequest	true	"Request"
+// @Success		200	{object}  apitypes.SuccessResponse
+// @Failure		400	{object}	apitypes.ErrorResponse "Invalid request"
+// @Failure		403	{object}	apitypes.ErrorResponse
+// @Failure		404	{object}	apitypes.ErrorResponse "Container not found"
+// @Failure		500	{object}	apitypes.ErrorResponse
+// @Router			/docker/stop [post]
+func Stop(c *gin.Context) {
+	var req StopRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	dockerCfg, ok := docker.GetDockerCfgByContainerID(req.ID)
+	if !ok {
+		c.JSON(http.StatusNotFound, apitypes.Error("container not found"))
+		return
+	}
+
+	client, err := docker.NewClient(dockerCfg)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to create docker client"))
+		return
+	}
+
+	defer client.Close()
+
+	_, err = client.ContainerStop(c.Request.Context(), req.ID, req.ContainerStopOptions)
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to stop container"))
+		return
+	}
+
+	c.JSON(http.StatusOK, apitypes.Success("container stopped"))
+}
--- a/internal/api/v1/docker/utils.go
+++ b/internal/api/v1/docker/utils.go
@@ -0,0 +1,54 @@
+package dockerapi
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/docker"
+	apitypes "github.com/yusing/goutils/apitypes"
+	gperr "github.com/yusing/goutils/errs"
+	"github.com/yusing/goutils/http/httpheaders"
+	"github.com/yusing/goutils/http/websocket"
+)
+
+type (
+	DockerClients     map[string]*docker.SharedClient
+	ResultType[T any] interface {
+		map[string]T | []T
+	}
+)
+
+// closeAllClients closes all docker clients after a delay.
+//
+// This is used to ensure that all docker clients are closed after the http handler returns.
+func closeAllClients(dockerClients DockerClients) {
+	for _, dockerClient := range dockerClients {
+		dockerClient.Close()
+	}
+}
+
+func handleResult[V any, T ResultType[V]](c *gin.Context, errs error, result T) {
+	if errs != nil {
+		if len(result) == 0 {
+			c.Error(apitypes.InternalServerError(errs, "docker errors"))
+			return
+		}
+	}
+	c.JSON(http.StatusOK, result)
+}
+
+func serveHTTP[V any, T ResultType[V]](c *gin.Context, getResult func(ctx context.Context, dockerClients DockerClients) (T, gperr.Error)) {
+	dockerClients := docker.Clients()
+	defer closeAllClients(dockerClients)
+
+	if httpheaders.IsWebsocket(c.Request.Header) {
+		websocket.PeriodicWrite(c, 5*time.Second, func() (any, error) {
+			return getResult(c.Request.Context(), dockerClients)
+		})
+	} else {
+		result, err := getResult(c.Request.Context(), dockerClients)
+		handleResult[V](c, err, result)
+	}
+}
--- a/internal/api/v1/docs/swagger.json
+++ b/internal/api/v1/docs/swagger.json
--- a/internal/api/v1/docs/swagger.yaml
+++ b/internal/api/v1/docs/swagger.yaml
--- a/internal/api/v1/favicon.go
+++ b/internal/api/v1/favicon.go
@@ -0,0 +1,105 @@
+package v1
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/homepage"
+	"github.com/yusing/godoxy/internal/route/routes"
+	apitypes "github.com/yusing/goutils/apitypes"
+
+	_ "unsafe"
+)
+
+type GetFavIconRequest struct {
+	URL     string               `form:"url" binding:"required_without=Alias"`
+	Alias   string               `form:"alias" binding:"required_without=URL"`
+	Variant homepage.IconVariant `form:"variant" binding:"omitempty,oneof=light dark"`
+} //	@name	GetFavIconRequest
+
+// @x-id				"favicon"
+// @BasePath		/api/v1
+// @Summary		Get favicon
+// @Description	Get favicon
+// @Tags			v1
+// @Accept			json
+// @Produce		image/svg+xml,image/x-icon,image/png,image/webp
+// @Param			url		query		string	false	"URL of the route"
+// @Param			alias	query		string	false	"Alias of the route"
+// @Success		200		{array}		homepage.FetchResult
+// @Failure		400		{object}	apitypes.ErrorResponse "Bad Request: alias is empty or route is not HTTPRoute"
+// @Failure		403		{object}	apitypes.ErrorResponse "Forbidden: unauthorized"
+// @Failure		404		{object}	apitypes.ErrorResponse "Not Found: route or icon not found"
+// @Failure		500		{object}	apitypes.ErrorResponse "Internal Server Error: internal error"
+// @Router			/favicon [get]
+func FavIcon(c *gin.Context) {
+	var request GetFavIconRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	// try with url
+	if request.URL != "" {
+		var iconURL homepage.IconURL
+		if err := iconURL.Parse(request.URL); err != nil {
+			c.JSON(http.StatusBadRequest, apitypes.Error("invalid url", err))
+			return
+		}
+		icon := &iconURL
+		if request.Variant != homepage.IconVariantNone {
+			icon = icon.WithVariant(request.Variant)
+		}
+		fetchResult, err := homepage.FetchFavIconFromURL(c.Request.Context(), icon)
+		if err != nil {
+			homepage.GinFetchError(c, fetchResult.StatusCode, err)
+			return
+		}
+		c.Data(fetchResult.StatusCode, fetchResult.ContentType(), fetchResult.Icon)
+		return
+	}
+
+	// try with alias
+	result, err := GetFavIconFromAlias(c.Request.Context(), request.Alias, request.Variant)
+	if err != nil {
+		homepage.GinFetchError(c, result.StatusCode, err)
+		return
+	}
+	c.Data(result.StatusCode, result.ContentType(), result.Icon)
+}
+
+//go:linkname GetFavIconFromAlias v1.GetFavIconFromAlias
+func GetFavIconFromAlias(ctx context.Context, alias string, variant homepage.IconVariant) (homepage.FetchResult, error) {
+	// try with route.Icon
+	r, ok := routes.HTTP.Get(alias)
+	if !ok {
+		return homepage.FetchResultWithErrorf(http.StatusNotFound, "route not found")
+	}
+
+	var (
+		result homepage.FetchResult
+		err    error
+	)
+	hp := r.HomepageItem()
+	if hp.Icon != nil {
+		if hp.Icon.IconSource == homepage.IconSourceRelative {
+			result, err = homepage.FindIcon(ctx, r, *hp.Icon.FullURL, variant)
+		} else if variant != homepage.IconVariantNone {
+			result, err = homepage.FetchFavIconFromURL(ctx, hp.Icon.WithVariant(variant))
+			if err != nil {
+				// fallback to no variant
+				result, err = homepage.FetchFavIconFromURL(ctx, hp.Icon.WithVariant(homepage.IconVariantNone))
+			}
+		} else {
+			result, err = homepage.FetchFavIconFromURL(ctx, hp.Icon)
+		}
+	} else {
+		// try extract from "link[rel=icon]"
+		result, err = homepage.FindIcon(ctx, r, "/", variant)
+	}
+	if result.StatusCode == 0 {
+		result.StatusCode = http.StatusOK
+	}
+	return result, err
+}
--- a/internal/api/v1/favicon/cache.go
+++ b/internal/api/v1/favicon/cache.go
@@ -1,133 +0,0 @@
-package favicon
-
-import (
-	"encoding/json"
-	"sync"
-	"time"
-
-	"github.com/yusing/go-proxy/internal/common"
-	"github.com/yusing/go-proxy/internal/logging"
-	route "github.com/yusing/go-proxy/internal/route/types"
-	"github.com/yusing/go-proxy/internal/task"
-	"github.com/yusing/go-proxy/internal/utils"
-)
-
-type cacheEntry struct {
-	Icon       []byte    `json:"icon"`
-	LastAccess time.Time `json:"lastAccess"`
-}
-
-// cache key can be absolute url or route name.
-var (
-	iconCache   = make(map[string]*cacheEntry)
-	iconCacheMu sync.RWMutex
-)
-
-const (
-	iconCacheTTL    = 24 * time.Hour
-	cleanUpInterval = time.Hour
-)
-
-func InitIconCache() {
-	err := utils.LoadJSONIfExist(common.IconCachePath, &iconCache)
-	if err != nil {
-		logging.Error().Err(err).Msg("failed to load icon cache")
-	} else {
-		logging.Info().Msgf("icon cache loaded (%d icons)", len(iconCache))
-	}
-
-	go func() {
-		cleanupTicker := time.NewTicker(cleanUpInterval)
-		defer cleanupTicker.Stop()
-		for {
-			select {
-			case <-task.RootContextCanceled():
-				return
-			case <-cleanupTicker.C:
-				pruneExpiredIconCache()
-			}
-		}
-	}()
-
-	task.OnProgramExit("save_favicon_cache", func() {
-		iconCacheMu.Lock()
-		defer iconCacheMu.Unlock()
-
-		if len(iconCache) == 0 {
-			return
-		}
-
-		if err := utils.SaveJSON(common.IconCachePath, &iconCache, 0o644); err != nil {
-			logging.Error().Err(err).Msg("failed to save icon cache")
-		}
-	})
-}
-
-func pruneExpiredIconCache() {
-	iconCacheMu.Lock()
-	defer iconCacheMu.Unlock()
-
-	nPruned := 0
-	for key, icon := range iconCache {
-		if icon.IsExpired() {
-			delete(iconCache, key)
-			nPruned++
-		}
-	}
-	logging.Info().Int("pruned", nPruned).Msg("pruned expired icon cache")
-}
-
-func routeKey(r route.HTTPRoute) string {
-	return r.RawEntry().Provider + ":" + r.TargetName()
-}
-
-func PruneRouteIconCache(route route.HTTPRoute) {
-	iconCacheMu.Lock()
-	defer iconCacheMu.Unlock()
-	delete(iconCache, routeKey(route))
-}
-
-func loadIconCache(key string) *fetchResult {
-	iconCacheMu.RLock()
-	defer iconCacheMu.RUnlock()
-
-	icon, ok := iconCache[key]
-	if ok && icon != nil {
-		logging.Debug().
-			Str("key", key).
-			Msg("icon found in cache")
-		icon.LastAccess = time.Now()
-		return &fetchResult{icon: icon.Icon}
-	}
-	return nil
-}
-
-func storeIconCache(key string, icon []byte) {
-	iconCacheMu.Lock()
-	defer iconCacheMu.Unlock()
-	iconCache[key] = &cacheEntry{Icon: icon, LastAccess: time.Now()}
-}
-
-func (e *cacheEntry) IsExpired() bool {
-	return time.Since(e.LastAccess) > iconCacheTTL
-}
-
-func (e *cacheEntry) UnmarshalJSON(data []byte) error {
-	attempt := struct {
-		Icon       []byte    `json:"icon"`
-		LastAccess time.Time `json:"lastAccess"`
-	}{}
-	err := json.Unmarshal(data, &attempt)
-	if err == nil {
-		e.Icon = attempt.Icon
-		e.LastAccess = attempt.LastAccess
-		return nil
-	}
-	// fallback to bytes
-	err = json.Unmarshal(data, &e.Icon)
-	if err == nil {
-		e.LastAccess = time.Now()
-		return nil
-	}
-	return err
-}
--- a/internal/api/v1/favicon/favicon.go
+++ b/internal/api/v1/favicon/favicon.go
@@ -1,284 +0,0 @@
-package favicon
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"io"
-	"net/http"
-	"net/url"
-	"path"
-	"strings"
-	"time"
-
-	"github.com/PuerkitoBio/goquery"
-	"github.com/vincent-petithory/dataurl"
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/homepage"
-	"github.com/yusing/go-proxy/internal/logging"
-	gphttp "github.com/yusing/go-proxy/internal/net/http"
-	"github.com/yusing/go-proxy/internal/route/routes"
-	route "github.com/yusing/go-proxy/internal/route/types"
-)
-
-type fetchResult struct {
-	icon        []byte
-	contentType string
-	statusCode  int
-	errMsg      string
-}
-
-func (res *fetchResult) OK() bool {
-	return res.icon != nil
-}
-
-func (res *fetchResult) ContentType() string {
-	if res.contentType == "" {
-		if bytes.HasPrefix(res.icon, []byte("<svg")) || bytes.HasPrefix(res.icon, []byte("<?xml")) {
-			return "image/svg+xml"
-		} else {
-			return "image/x-icon"
-		}
-	}
-	return res.contentType
-}
-
-// GetFavIcon returns the favicon of the route
-//
-// Returns:
-//   - 200 OK: if icon found
-//   - 400 Bad Request: if alias is empty or route is not HTTPRoute
-//   - 404 Not Found: if route or icon not found
-//   - 500 Internal Server Error: if internal error
-//   - others: depends on route handler response
-func GetFavIcon(w http.ResponseWriter, req *http.Request) {
-	url, alias := req.FormValue("url"), req.FormValue("alias")
-	if url == "" && alias == "" {
-		U.RespondError(w, U.ErrMissingKey("url or alias"), http.StatusBadRequest)
-		return
-	}
-	if url != "" && alias != "" {
-		U.RespondError(w, U.ErrInvalidKey("url and alias are mutually exclusive"), http.StatusBadRequest)
-		return
-	}
-
-	// try with url
-	if url != "" {
-		var iconURL homepage.IconURL
-		if err := iconURL.Parse(url); err != nil {
-			U.RespondError(w, err, http.StatusBadRequest)
-			return
-		}
-		fetchResult := getFavIconFromURL(&iconURL)
-		if !fetchResult.OK() {
-			http.Error(w, fetchResult.errMsg, fetchResult.statusCode)
-			return
-		}
-		w.Header().Set("Content-Type", fetchResult.ContentType())
-		U.WriteBody(w, fetchResult.icon)
-		return
-	}
-
-	// try with route.Homepage.Icon
-	r, ok := routes.GetHTTPRoute(alias)
-	if !ok {
-		U.RespondError(w, errors.New("no such route"), http.StatusNotFound)
-		return
-	}
-
-	var result *fetchResult
-	hp := r.RawEntry().Homepage.GetOverride()
-	if !hp.IsEmpty() && hp.Icon != nil {
-		if hp.Icon.IconSource == homepage.IconSourceRelative {
-			result = findIcon(r, req, hp.Icon.Value)
-		} else {
-			result = getFavIconFromURL(hp.Icon)
-		}
-	} else {
-		// try extract from "link[rel=icon]"
-		result = findIcon(r, req, "/")
-	}
-	if result.statusCode == 0 {
-		result.statusCode = http.StatusOK
-	}
-	if !result.OK() {
-		http.Error(w, result.errMsg, result.statusCode)
-		return
-	}
-	w.Header().Set("Content-Type", result.ContentType())
-	U.WriteBody(w, result.icon)
-}
-
-func getFavIconFromURL(iconURL *homepage.IconURL) *fetchResult {
-	switch iconURL.IconSource {
-	case homepage.IconSourceAbsolute:
-		return fetchIconAbsolute(iconURL.URL())
-	case homepage.IconSourceRelative:
-		return &fetchResult{statusCode: http.StatusBadRequest, errMsg: "unexpected relative icon"}
-	case homepage.IconSourceWalkXCode, homepage.IconSourceSelfhSt:
-		return fetchKnownIcon(iconURL)
-	}
-	return &fetchResult{statusCode: http.StatusBadRequest, errMsg: "invalid icon source"}
-}
-
-func fetchIconAbsolute(url string) *fetchResult {
-	if result := loadIconCache(url); result != nil {
-		return result
-	}
-
-	resp, err := U.Get(url)
-	if err != nil || resp.StatusCode != http.StatusOK {
-		if err == nil {
-			err = errors.New(resp.Status)
-		}
-		logging.Error().Err(err).
-			Str("url", url).
-			Msg("failed to get icon")
-		return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "connection error"}
-	}
-
-	defer resp.Body.Close()
-	icon, err := io.ReadAll(resp.Body)
-	if err != nil {
-		logging.Error().Err(err).
-			Str("url", url).
-			Msg("failed to read icon")
-		return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "internal error"}
-	}
-
-	storeIconCache(url, icon)
-	return &fetchResult{icon: icon}
-}
-
-var nameSanitizer = strings.NewReplacer(
-	"_", "-",
-	" ", "-",
-	"(", "",
-	")", "",
-)
-
-func sanitizeName(name string) string {
-	return strings.ToLower(nameSanitizer.Replace(name))
-}
-
-func fetchKnownIcon(url *homepage.IconURL) *fetchResult {
-	// if icon isn't in the list, no need to fetch
-	if !url.HasIcon() {
-		logging.Debug().
-			Str("value", url.String()).
-			Str("url", url.URL()).
-			Msg("no such icon")
-		return &fetchResult{statusCode: http.StatusNotFound, errMsg: "no such icon"}
-	}
-
-	return fetchIconAbsolute(url.URL())
-}
-
-func fetchIcon(filetype, filename string) *fetchResult {
-	result := fetchKnownIcon(homepage.NewSelfhStIconURL(filename, filetype))
-	if result.icon == nil {
-		return result
-	}
-	return fetchKnownIcon(homepage.NewWalkXCodeIconURL(filename, filetype))
-}
-
-func findIcon(r route.HTTPRoute, req *http.Request, uri string) *fetchResult {
-	key := routeKey(r)
-	if result := loadIconCache(key); result != nil {
-		return result
-	}
-
-	result := fetchIcon("png", sanitizeName(r.TargetName()))
-	cont := r.RawEntry().Container
-	if !result.OK() && cont != nil {
-		result = fetchIcon("png", sanitizeName(cont.ImageName))
-	}
-	if !result.OK() {
-		// fallback to parse html
-		result = findIconSlow(r, req, uri)
-	}
-	if result.OK() {
-		storeIconCache(key, result.icon)
-	}
-	return result
-}
-
-func findIconSlow(r route.HTTPRoute, req *http.Request, uri string) *fetchResult {
-	ctx, cancel := context.WithTimeoutCause(req.Context(), 3*time.Second, errors.New("favicon request timeout"))
-	defer cancel()
-	newReq := req.WithContext(ctx)
-	newReq.Header.Set("Accept-Encoding", "identity") // disable compression
-	if !strings.HasPrefix(uri, "/") {
-		uri = "/" + uri
-	}
-	u, err := url.ParseRequestURI(uri)
-	if err != nil {
-		logging.Error().Err(err).
-			Str("route", r.TargetName()).
-			Str("path", uri).
-			Msg("failed to parse uri")
-		return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "cannot parse uri"}
-	}
-	newReq.URL.Path = u.Path
-	newReq.URL.RawPath = u.RawPath
-	newReq.URL.RawQuery = u.RawQuery
-	newReq.RequestURI = u.String()
-
-	c := newContent()
-	r.ServeHTTP(c, newReq)
-	if c.status != http.StatusOK {
-		switch c.status {
-		case 0:
-			return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "connection error"}
-		default:
-			if loc := c.Header().Get("Location"); loc != "" {
-				loc = path.Clean(loc)
-				if !strings.HasPrefix(loc, "/") {
-					loc = "/" + loc
-				}
-				if loc == newReq.URL.Path {
-					return &fetchResult{statusCode: http.StatusBadGateway, errMsg: "circular redirect"}
-				}
-				return findIconSlow(r, req, loc)
-			}
-		}
-		return &fetchResult{statusCode: c.status, errMsg: "upstream error: " + string(c.data)}
-	}
-	// return icon data
-	if !gphttp.GetContentType(c.header).IsHTML() {
-		return &fetchResult{icon: c.data, contentType: c.header.Get("Content-Type")}
-	}
-	// try extract from "link[rel=icon]" from path "/"
-	doc, err := goquery.NewDocumentFromReader(bytes.NewBuffer(c.data))
-	if err != nil {
-		logging.Error().Err(err).
-			Str("route", r.TargetName()).
-			Msg("failed to parse html")
-		return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "internal error"}
-	}
-	ele := doc.Find("head > link[rel=icon]").First()
-	if ele.Length() == 0 {
-		return &fetchResult{statusCode: http.StatusNotFound, errMsg: "icon element not found"}
-	}
-	href := ele.AttrOr("href", "")
-	if href == "" {
-		return &fetchResult{statusCode: http.StatusNotFound, errMsg: "icon href not found"}
-	}
-	// https://en.wikipedia.org/wiki/Data_URI_scheme
-	if strings.HasPrefix(href, "data:image/") {
-		dataURI, err := dataurl.DecodeString(href)
-		if err != nil {
-			logging.Error().Err(err).
-				Str("route", r.TargetName()).
-				Msg("failed to decode favicon")
-			return &fetchResult{statusCode: http.StatusInternalServerError, errMsg: "internal error"}
-		}
-		return &fetchResult{icon: dataURI.Data, contentType: dataURI.ContentType()}
-	}
-	switch {
-	case strings.HasPrefix(href, "http://"), strings.HasPrefix(href, "https://"):
-		return fetchIconAbsolute(href)
-	default:
-		return findIconSlow(r, req, path.Clean(href))
-	}
-}
--- a/internal/api/v1/file.go
+++ b/internal/api/v1/file.go
@@ -1,133 +0,0 @@
-package v1
-
-import (
-	"io"
-	"net/http"
-	"os"
-	"path"
-	"strings"
-
-	U "github.com/yusing/go-proxy/internal/api/v1/utils"
-	"github.com/yusing/go-proxy/internal/common"
-	config "github.com/yusing/go-proxy/internal/config/types"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/net/http/middleware"
-	"github.com/yusing/go-proxy/internal/route/provider"
-)
-
-type FileType string
-
-const (
-	FileTypeConfig     FileType = "config"
-	FileTypeProvider   FileType = "provider"
-	FileTypeMiddleware FileType = "middleware"
-)
-
-func fileType(file string) FileType {
-	switch {
-	case strings.HasPrefix(path.Base(file), "config."):
-		return FileTypeConfig
-	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
-		return FileTypeMiddleware
-	}
-	return FileTypeProvider
-}
-
-func (t FileType) IsValid() bool {
-	switch t {
-	case FileTypeConfig, FileTypeProvider, FileTypeMiddleware:
-		return true
-	}
-	return false
-}
-
-func (t FileType) GetPath(filename string) string {
-	if t == FileTypeMiddleware {
-		return path.Join(common.MiddlewareComposeBasePath, filename)
-	}
-	return path.Join(common.ConfigBasePath, filename)
-}
-
-func getArgs(r *http.Request) (fileType FileType, filename string, err error) {
-	fileType = FileType(r.PathValue("type"))
-	if !fileType.IsValid() {
-		err = U.ErrInvalidKey("type")
-		return
-	}
-	filename = r.PathValue("filename")
-	if filename == "" {
-		err = U.ErrMissingKey("filename")
-	}
-	return
-}
-
-func GetFileContent(w http.ResponseWriter, r *http.Request) {
-	fileType, filename, err := getArgs(r)
-	if err != nil {
-		U.RespondError(w, err, http.StatusBadRequest)
-		return
-	}
-	content, err := os.ReadFile(fileType.GetPath(filename))
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	U.WriteBody(w, content)
-}
-
-func validateFile(fileType FileType, content []byte) error {
-	switch fileType {
-	case FileTypeConfig:
-		return config.Validate(content)
-	case FileTypeMiddleware:
-		errs := E.NewBuilder("middleware errors")
-		middleware.BuildMiddlewaresFromYAML("", content, errs)
-		return errs.Error()
-	}
-	return provider.Validate(content)
-}
-
-func ValidateFile(w http.ResponseWriter, r *http.Request) {
-	fileType := FileType(r.PathValue("type"))
-	if !fileType.IsValid() {
-		U.RespondError(w, U.ErrInvalidKey("type"), http.StatusBadRequest)
-		return
-	}
-	content, err := io.ReadAll(r.Body)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	r.Body.Close()
-	err = validateFile(fileType, content)
-	if err != nil {
-		U.RespondError(w, err, http.StatusBadRequest)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}
-
-func SetFileContent(w http.ResponseWriter, r *http.Request) {
-	fileType, filename, err := getArgs(r)
-	if err != nil {
-		U.RespondError(w, err, http.StatusBadRequest)
-		return
-	}
-	content, err := io.ReadAll(r.Body)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-
-	if valErr := validateFile(fileType, content); valErr != nil {
-		U.RespondError(w, valErr, http.StatusBadRequest)
-		return
-	}
-
-	err = os.WriteFile(fileType.GetPath(filename), content, 0o644)
-	if err != nil {
-		U.HandleErr(w, r, err)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}
--- a/internal/api/v1/file/get.go
+++ b/internal/api/v1/file/get.go
@@ -0,0 +1,73 @@
+package fileapi
+
+import (
+	"net/http"
+	"os"
+	"path"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/yusing/godoxy/internal/common"
+	apitypes "github.com/yusing/goutils/apitypes"
+)
+
+type FileType string // @name FileType
+
+const (
+	FileTypeConfig     FileType = "config"     // @name FileTypeConfig
+	FileTypeProvider   FileType = "provider"   // @name FileTypeProvider
+	FileTypeMiddleware FileType = "middleware" // @name FileTypeMiddleware
+)
+
+type GetFileContentRequest struct {
+	FileType FileType `form:"type" binding:"required,oneof=config provider middleware"`
+	Filename string   `form:"filename" binding:"required" format:"filename"`
+} //	@name	GetFileContentRequest
+
+// @x-id				"get"
+// @BasePath		/api/v1
+// @Summary		Get file content
+// @Description	Get file content
+// @Tags			file
+// @Accept			json
+// @Produce		json,application/godoxy+yaml
+// @Param			query	query		GetFileContentRequest	true	"Request"
+// @Success		200			{string}	application/godoxy+yaml	"File content"
+// @Failure		400			{object}	apitypes.ErrorResponse
+// @Failure		403			{object}	apitypes.ErrorResponse
+// @Failure		500			{object}	apitypes.ErrorResponse
+// @Router			/file/content [get]
+func Get(c *gin.Context) {
+	var request GetFileContentRequest
+	if err := c.ShouldBindQuery(&request); err != nil {
+		c.JSON(http.StatusBadRequest, apitypes.Error("invalid request", err))
+		return
+	}
+
+	content, err := os.ReadFile(request.FileType.GetPath(request.Filename))
+	if err != nil {
+		c.Error(apitypes.InternalServerError(err, "failed to read file"))
+		return
+	}
+
+	// RFC 9512: https://www.rfc-editor.org/rfc/rfc9512.html
+	// xxx/yyy+yaml
+	c.Data(http.StatusOK, "application/godoxy+yaml", content)
+}
+
+func GetFileType(file string) FileType {
+	switch {
+	case strings.HasPrefix(path.Base(file), "config."):
+		return FileTypeConfig
+	case strings.HasPrefix(file, common.MiddlewareComposeBasePath):
+		return FileTypeMiddleware
+	}
+	return FileTypeProvider
+}
+
+func (t FileType) GetPath(filename string) string {
+	if t == FileTypeMiddleware {
+		return path.Join(common.MiddlewareComposeBasePath, filename)
+	}
+	return path.Join(common.ConfigBasePath, filename)
+}
--- a/Show More
+++ b/Show More