chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>
fix(lib): block XSS attacks via nonstandard URLs
2026-04-05 16:28:17 +00:00 · 2025-07-24 13:58:29 +00:00 · 2025-07-24 13:54:33 +00:00
112 changed files with 770 additions and 2689 deletions
--- a/.github/workflows/smoke-tests.yml
+++ b/.github/workflows/smoke-tests.yml
@@ -18,9 +18,7 @@ jobs:
          - git-push
          - healthcheck
          - i18n
-          - palemoon/amd64
-          #- palemoon/i386
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -45,14 +43,3 @@ jobs:
        run: |
          cd test/${{ matrix.test }}
          backoff-retry --try-count 10 ./test.sh
-
-      - name: Sanitize artifact name
-        if: always()
-        run: echo "ARTIFACT_NAME=${{ matrix.test }}" | sed 's|/|-|g' >> $GITHUB_ENV
-
-      - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
-        if: always()
-        with:
-          name: ${{ env.ARTIFACT_NAME }}
-          path: test/${{ matrix.test }}/var
--- a/2
+++ b/2
@@ -1 +1 @@
-1.21.3
+1.21.1
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@@ -30,11 +30,10 @@ import (
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
 	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/internal/thoth"
 	libanubis "github.com/TecharoHQ/anubis/lib"
-	"github.com/TecharoHQ/anubis/lib/checker/headerexists"
 	botPolicy "github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/TecharoHQ/anubis/lib/thoth"
 	"github.com/TecharoHQ/anubis/web"
 	"github.com/facebookgo/flagenv"
 	_ "github.com/joho/godotenv/autoload"
@@ -324,7 +323,7 @@ func main() {
 	if *debugBenchmarkJS {
 		policy.Bots = []botPolicy.Bot{{
 			Name:   "",
-			Rules:  headerexists.New("User-Agent"),
+			Rules:  botPolicy.NewHeaderExistsChecker("User-Agent"),
 			Action: config.RuleBenchmark,
 		}}
 	}
--- a/cmd/robots2policy/main.go
+++ b/cmd/robots2policy/main.go
@@ -12,7 +12,6 @@ import (
 	"regexp"
 	"strings"

-	"github.com/TecharoHQ/anubis/lib/checker/expression"
 	"github.com/TecharoHQ/anubis/lib/policy/config"

 	"sigs.k8s.io/yaml"
@@ -38,11 +37,11 @@ type RobotsRule struct {
 }

 type AnubisRule struct {
-	Expression *expression.Config     `yaml:"expression,omitempty" json:"expression,omitempty"`
-	Challenge  *config.ChallengeRules `yaml:"challenge,omitempty" json:"challenge,omitempty"`
-	Weight     *config.Weight         `yaml:"weight,omitempty" json:"weight,omitempty"`
-	Name       string                 `yaml:"name" json:"name"`
-	Action     string                 `yaml:"action" json:"action"`
+	Expression *config.ExpressionOrList `yaml:"expression,omitempty" json:"expression,omitempty"`
+	Challenge  *config.ChallengeRules   `yaml:"challenge,omitempty" json:"challenge,omitempty"`
+	Weight     *config.Weight           `yaml:"weight,omitempty" json:"weight,omitempty"`
+	Name       string                   `yaml:"name" json:"name"`
+	Action     string                   `yaml:"action" json:"action"`
 }

 func init() {
@@ -225,11 +224,11 @@ func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {
 			}

 			if userAgent == "*" {
-				rule.Expression = &expression.Config{
+				rule.Expression = &config.ExpressionOrList{
 					All: []string{"true"}, // Always applies
 				}
 			} else {
-				rule.Expression = &expression.Config{
+				rule.Expression = &config.ExpressionOrList{
 					All: []string{fmt.Sprintf("userAgent.contains(%q)", userAgent)},
 				}
 			}
@@ -250,11 +249,11 @@ func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {
 				rule.Name = fmt.Sprintf("%s-global-restriction-%d", *policyName, ruleCounter)
 				rule.Action = "WEIGH"
 				rule.Weight = &config.Weight{Adjust: 20} // Increase difficulty significantly
-				rule.Expression = &expression.Config{
+				rule.Expression = &config.ExpressionOrList{
 					All: []string{"true"}, // Always applies
 				}
 			} else {
-				rule.Expression = &expression.Config{
+				rule.Expression = &config.ExpressionOrList{
 					All: []string{fmt.Sprintf("userAgent.contains(%q)", userAgent)},
 				}
 			}
@@ -286,7 +285,7 @@ func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {
 			pathCondition := buildPathCondition(disallow)
 			conditions = append(conditions, pathCondition)

-			rule.Expression = &expression.Config{
+			rule.Expression = &config.ExpressionOrList{
 				All: conditions,
 			}

--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -13,26 +13,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 <!-- This changes the project to: -->

- The [Thoth client](https://anubis.techaro.lol/docs/admin/thoth) is now public in the repo instead of being an internal package.
-
-## v1.21.3: Minfilia Warde - Echo 3
-
 ### Fixes

 #### Fixes a problem with nonstandard URLs and redirects

-Fixes [GHSA-jhjj-2g64-px7c](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c).
-
 This could allow an attacker to craft an Anubis pass-challenge URL that forces a redirect to nonstandard URLs, such as the `javascript:` scheme which executes arbitrary JavaScript code in a browser context when the user clicks the "Try again" button.

 This has been fixed by disallowing any URLs without the scheme `http` or `https`.

-Additionally, the "Try again" button has been fixed to completely ignore the user-supplied redirect location. It now redirects to the home page (`/`).
-
-## v1.21.2: Minfilia Warde - Echo 2
-
-This contained an incomplete fix for [GHSA-jhjj-2g64-px7c](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c). Do not use this version.
-
 ## v1.21.1: Minfilia Warde - Echo 1

 - Expired records are now properly removed from bbolt databases ([#848](https://github.com/TecharoHQ/anubis/pull/848)).
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
@@ -5908,9 +5908,9 @@
      }
    },
    "node_modules/brace-expansion": {
-      "version": "1.1.12",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
-      "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
+      "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
      "license": "MIT",
      "dependencies": {
        "balanced-match": "^1.0.0",
@@ -6496,16 +6496,16 @@
      }
    },
    "node_modules/compression": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/compression/-/compression-1.8.1.tgz",
-      "integrity": "sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==",
+      "version": "1.8.0",
+      "resolved": "https://registry.npmjs.org/compression/-/compression-1.8.0.tgz",
+      "integrity": "sha512-k6WLKfunuqCYD3t6AsuPGvQWaKwuLLh2/xHNcX4qE+vIfDNXpSqnrhwA7O53R7WVQUnt8dVAIW+YHr7xTgOgGA==",
      "license": "MIT",
      "dependencies": {
        "bytes": "3.1.2",
        "compressible": "~2.0.18",
        "debug": "2.6.9",
        "negotiator": "~0.6.4",
-        "on-headers": "~1.1.0",
+        "on-headers": "~1.0.2",
        "safe-buffer": "5.2.1",
        "vary": "~1.1.2"
      },
@@ -13562,9 +13562,9 @@
      }
    },
    "node_modules/on-headers": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
-      "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.0.2.tgz",
+      "integrity": "sha512-pZAE+FJLoyITytdqK0U5s+FIpjN0JP3OzFi/u8Rx+EV5/W+JTWGXG8xFzevE7AjBfDqHv/8vL8qQsIhHnqRkrA==",
      "license": "MIT",
      "engines": {
        "node": ">= 0.8"
--- a/errors.go
+++ b/errors.go
@@ -1,7 +0,0 @@
-package anubis
-
-import "errors"
-
-var (
-	ErrMisconfiguration = errors.New("[unexpected] policy: administrator misconfiguration")
-)
--- a/internal/thoth/asnchecker.go
+++ b/internal/thoth/asnchecker.go
@@ -10,11 +10,11 @@ import (
 	"time"

 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
 )

-func (c *Client) ASNCheckerFor(asns []uint32) checker.Interface {
+func (c *Client) ASNCheckerFor(asns []uint32) checker.Impl {
 	asnMap := map[uint32]struct{}{}
 	var sb strings.Builder
 	fmt.Fprintln(&sb, "ASNChecker")
--- a/internal/thoth/asnchecker_test.go
+++ b/internal/thoth/asnchecker_test.go
@@ -5,12 +5,12 @@ import (
 	"net/http/httptest"
 	"testing"

-	"github.com/TecharoHQ/anubis/lib/checker"
-	"github.com/TecharoHQ/anubis/lib/thoth"
+	"github.com/TecharoHQ/anubis/internal/thoth"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
 )

-var _ checker.Interface = &thoth.ASNChecker{}
+var _ checker.Impl = &thoth.ASNChecker{}

 func TestASNChecker(t *testing.T) {
 	cli := loadSecrets(t)
--- a/internal/thoth/auth.go
+++ b/internal/thoth/auth.go
--- a/internal/thoth/cachediptoasn.go
+++ b/internal/thoth/cachediptoasn.go
--- a/internal/thoth/context.go
+++ b/internal/thoth/context.go
--- a/internal/thoth/geoipchecker.go
+++ b/internal/thoth/geoipchecker.go
@@ -9,11 +9,11 @@ import (
 	"strings"
 	"time"

-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
 )

-func (c *Client) GeoIPCheckerFor(countries []string) checker.Interface {
+func (c *Client) GeoIPCheckerFor(countries []string) checker.Impl {
 	countryMap := map[string]struct{}{}
 	var sb strings.Builder
 	fmt.Fprintln(&sb, "GeoIPChecker")
--- a/internal/thoth/geoipchecker_test.go
+++ b/internal/thoth/geoipchecker_test.go
@@ -5,11 +5,11 @@ import (
 	"net/http/httptest"
 	"testing"

-	"github.com/TecharoHQ/anubis/lib/checker"
-	"github.com/TecharoHQ/anubis/lib/thoth"
+	"github.com/TecharoHQ/anubis/internal/thoth"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 )

-var _ checker.Interface = &thoth.GeoIPChecker{}
+var _ checker.Impl = &thoth.GeoIPChecker{}

 func TestGeoIPChecker(t *testing.T) {
 	cli := loadSecrets(t)
--- a/internal/thoth/thoth.go
+++ b/internal/thoth/thoth.go
--- a/internal/thoth/thoth_test.go
+++ b/internal/thoth/thoth_test.go
@@ -4,8 +4,8 @@ import (
 	"os"
 	"testing"

-	"github.com/TecharoHQ/anubis/lib/thoth"
-	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
+	"github.com/TecharoHQ/anubis/internal/thoth"
+	"github.com/TecharoHQ/anubis/internal/thoth/thothmock"
 	"github.com/joho/godotenv"
 )

--- a/internal/thoth/thothmock/iptoasn.go
+++ b/internal/thoth/thothmock/iptoasn.go
--- a/internal/thoth/thothmock/withthothmock.go
+++ b/internal/thoth/thothmock/withthothmock.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"testing"

-	"github.com/TecharoHQ/anubis/lib/thoth"
+	"github.com/TecharoHQ/anubis/internal/thoth"
 )

 func WithMockThoth(t *testing.T) context.Context {
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -28,17 +28,15 @@ import (
 	"github.com/TecharoHQ/anubis/internal/dnsbl"
 	"github.com/TecharoHQ/anubis/internal/ogtags"
 	"github.com/TecharoHQ/anubis/lib/challenge"
-	"github.com/TecharoHQ/anubis/lib/checker"
 	"github.com/TecharoHQ/anubis/lib/localization"
 	"github.com/TecharoHQ/anubis/lib/policy"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"github.com/TecharoHQ/anubis/lib/store"

-	// checker implementations
-	_ "github.com/TecharoHQ/anubis/lib/checker/all"
-
 	// challenge implementations
-	_ "github.com/TecharoHQ/anubis/lib/challenge/all"
+	_ "github.com/TecharoHQ/anubis/lib/challenge/metarefresh"
+	_ "github.com/TecharoHQ/anubis/lib/challenge/proofofwork"
 )

 var (
@@ -386,23 +384,6 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	lg := internal.GetRequestLogger(r)
 	localizer := localization.GetLocalizer(r)

-	redir := r.FormValue("redir")
-	redirURL, err := url.ParseRequestURI(redir)
-	if err != nil {
-		lg.Error("invalid redirect", "err", err)
-		s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
-		return
-	}
-
-	switch redirURL.Scheme {
-	case "", "http", "https":
-		// allowed
-	default:
-		lg.Error("XSS attempt blocked, invalid redirect scheme", "scheme", redirURL.Scheme)
-		s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
-		return
-	}
-
 	// Adjust cookie path if base prefix is not empty
 	cookiePath := "/"
 	if anubis.BasePrefix != "" {
@@ -417,6 +398,21 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	redir := r.FormValue("redir")
+
+	redirURL, err := url.ParseRequestURI(redir)
+	if err != nil {
+		lg.Error("invalid redirect", "err", err)
+		s.respondWithError(w, r, localizer.T("invalid_redirect"))
+		return
+	}
+
+	if redirURL.Scheme != "" && redirURL.Scheme != "http" && redirURL.Scheme != "https" {
+		lg.Error("XSS attempt blocked, invalid redirect scheme", "scheme", redirURL.Scheme)
+		s.respondWithStatus(w, r, localizer.T("invalid_redirect"), http.StatusBadRequest)
+		return
+	}
+
 	// used by the path checker rule
 	r.URL = redirURL

@@ -551,7 +547,7 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
 		if matches {
 			return cr("threshold/"+t.Name, t.Action, weight), &policy.Bot{
 				Challenge: t.Challenge,
-				Rules:     &checker.Any{},
+				Rules:     &checker.List{},
 			}, nil
 		}
 	}
@@ -562,6 +558,6 @@ func (s *Server) check(r *http.Request) (policy.CheckResult, *policy.Bot, error)
 			ReportAs:   s.policy.DefaultDifficulty,
 			Algorithm:  config.DefaultAlgorithm,
 		},
-		Rules: &checker.Any{},
+		Rules: &checker.List{},
 	}, nil
 }
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -1,7 +1,6 @@
 package lib

 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -17,9 +16,9 @@ import (
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
 	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/internal/thoth/thothmock"
 	"github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
 )

 func init() {
@@ -835,133 +834,46 @@ func TestPassChallengeXSS(t *testing.T) {
 		},
 	}

-	t.Run("with test cookie", func(t *testing.T) {
-		for _, tc := range testCases {
-			t.Run(tc.name, func(t *testing.T) {
-				nonce := 0
-				elapsedTime := 420
-				calculated := ""
-				calcString := fmt.Sprintf("%s%d", chall.Challenge, nonce)
-				calculated = internal.SHA256sum(calcString)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			nonce := 0
+			elapsedTime := 420
+			calculated := ""
+			calcString := fmt.Sprintf("%s%d", chall.Challenge, nonce)
+			calculated = internal.SHA256sum(calcString)

-				req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil)
-				if err != nil {
-					t.Fatalf("can't make request: %v", err)
+			req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil)
+			if err != nil {
+				t.Fatalf("can't make request: %v", err)
+			}
+
+			q := req.URL.Query()
+			q.Set("response", calculated)
+			q.Set("nonce", fmt.Sprint(nonce))
+			q.Set("redir", tc.redir)
+			q.Set("elapsedTime", fmt.Sprint(elapsedTime))
+			req.URL.RawQuery = q.Encode()
+
+			u, err := url.Parse(ts.URL)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			for _, ckie := range cli.Jar.Cookies(u) {
+				if ckie.Name == anubis.TestCookieName {
+					req.AddCookie(ckie)
 				}
+			}

-				q := req.URL.Query()
-				q.Set("response", calculated)
-				q.Set("nonce", fmt.Sprint(nonce))
-				q.Set("redir", tc.redir)
-				q.Set("elapsedTime", fmt.Sprint(elapsedTime))
-				req.URL.RawQuery = q.Encode()
-
-				u, err := url.Parse(ts.URL)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				for _, ckie := range cli.Jar.Cookies(u) {
-					if ckie.Name == anubis.TestCookieName {
-						req.AddCookie(ckie)
-					}
-				}
-
-				resp, err := cli.Do(req)
-				if err != nil {
-					t.Fatalf("can't do request: %v", err)
-				}
+			resp, err := cli.Do(req)
+			if err != nil {
+				t.Fatalf("can't do request: %v", err)
+			}

+			if resp.StatusCode != http.StatusBadRequest {
 				body, _ := io.ReadAll(resp.Body)
-
-				if bytes.Contains(body, []byte(tc.redir)) {
-					t.Log(string(body))
-					t.Error("found XSS in HTML body")
-				}
-
-				if resp.StatusCode != http.StatusBadRequest {
-					t.Errorf("wanted status %d, got %d. body: %s", http.StatusBadRequest, resp.StatusCode, body)
-				}
-			})
-		}
-	})
-
-	t.Run("no test cookie", func(t *testing.T) {
-		for _, tc := range testCases {
-			t.Run(tc.name, func(t *testing.T) {
-				nonce := 0
-				elapsedTime := 420
-				calculated := ""
-				calcString := fmt.Sprintf("%s%d", chall.Challenge, nonce)
-				calculated = internal.SHA256sum(calcString)
-
-				req, err := http.NewRequest(http.MethodGet, ts.URL+"/.within.website/x/cmd/anubis/api/pass-challenge", nil)
-				if err != nil {
-					t.Fatalf("can't make request: %v", err)
-				}
-
-				q := req.URL.Query()
-				q.Set("response", calculated)
-				q.Set("nonce", fmt.Sprint(nonce))
-				q.Set("redir", tc.redir)
-				q.Set("elapsedTime", fmt.Sprint(elapsedTime))
-				req.URL.RawQuery = q.Encode()
-
-				resp, err := cli.Do(req)
-				if err != nil {
-					t.Fatalf("can't do request: %v", err)
-				}
-
-				body, _ := io.ReadAll(resp.Body)
-
-				if bytes.Contains(body, []byte(tc.redir)) {
-					t.Log(string(body))
-					t.Error("found XSS in HTML body")
-				}
-
-				if resp.StatusCode != http.StatusBadRequest {
-					t.Errorf("wanted status %d, got %d. body: %s", http.StatusBadRequest, resp.StatusCode, body)
-				}
-			})
-		}
-	})
-}
-
-func TestXForwardedForNoDoubleComma(t *testing.T) {
-	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
-		fmt.Fprintln(w, "OK")
-	})
-
-	h = internal.XForwardedForToXRealIP(h)
-	h = internal.XForwardedForUpdate(false, h)
-
-	pol := loadPolicies(t, "testdata/permissive.yaml", 4)
-
-	srv := spawnAnubis(t, Options{
-		Next:   h,
-		Policy: pol,
-	})
-	ts := httptest.NewServer(srv)
-	t.Cleanup(ts.Close)
-
-	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	req.Header.Set("X-Real-Ip", "10.0.0.1")
-
-	resp, err := ts.Client().Do(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		t.Errorf("response status is wrong, wanted %d but got: %s", http.StatusOK, resp.Status)
-	}
-
-	if xff := resp.Header.Get("X-Forwarded-For"); strings.HasPrefix(xff, ",,") {
-		t.Errorf("X-Forwarded-For has two leading commas: %q", xff)
+				t.Errorf("wanted status %d, got %d. body: %s", http.StatusBadRequest, resp.StatusCode, body)
+			}
+		})
 	}
 }
--- a/lib/challenge/all/all.go
+++ b/lib/challenge/all/all.go
@@ -1,6 +0,0 @@
-package all
-
-import (
-	_ "github.com/TecharoHQ/anubis/lib/challenge/metarefresh"
-	_ "github.com/TecharoHQ/anubis/lib/challenge/proofofwork"
-)
--- a/lib/checker/all.go
+++ b/lib/checker/all.go
@@ -1,35 +0,0 @@
-package checker
-
-import (
-	"fmt"
-	"net/http"
-	"strings"
-
-	"github.com/TecharoHQ/anubis/internal"
-)
-
-type All []Interface
-
-func (a All) Check(r *http.Request) (bool, error) {
-	for _, c := range a {
-		match, err := c.Check(r)
-		if err != nil {
-			return match, err
-		}
-		if !match {
-			return false, err // no match
-		}
-	}
-
-	return true, nil // match
-}
-
-func (a All) Hash() string {
-	var sb strings.Builder
-
-	for _, c := range a {
-		fmt.Fprintln(&sb, c.Hash())
-	}
-
-	return internal.FastHash(sb.String())
-}
--- a/lib/checker/all/all.go
+++ b/lib/checker/all/all.go
@@ -1,10 +0,0 @@
-// Package all imports all of the standard checker types.
-package all
-
-import (
-	_ "github.com/TecharoHQ/anubis/lib/checker/expression"
-	_ "github.com/TecharoHQ/anubis/lib/checker/headerexists"
-	_ "github.com/TecharoHQ/anubis/lib/checker/headermatches"
-	_ "github.com/TecharoHQ/anubis/lib/checker/path"
-	_ "github.com/TecharoHQ/anubis/lib/checker/remoteaddress"
-)
--- a/lib/checker/all_test.go
+++ b/lib/checker/all_test.go
@@ -1,70 +0,0 @@
-package checker
-
-import (
-	"net/http"
-	"testing"
-)
-
-func TestAll_Check(t *testing.T) {
-	tests := []struct {
-		name     string
-		checkers []MockChecker
-		want     bool
-		wantErr  bool
-	}{
-		{
-			name: "All match",
-			checkers: []MockChecker{
-				{Result: true, Err: nil},
-				{Result: true, Err: nil},
-			},
-			want:    true,
-			wantErr: false,
-		},
-		{
-			name: "One not match",
-			checkers: []MockChecker{
-				{Result: true, Err: nil},
-				{Result: false, Err: nil},
-			},
-			want:    false,
-			wantErr: false,
-		},
-		{
-			name: "No match",
-			checkers: []MockChecker{
-				{Result: false, Err: nil},
-				{Result: false, Err: nil},
-			},
-			want:    false,
-			wantErr: false,
-		},
-		{
-			name: "Error encountered",
-			checkers: []MockChecker{
-				{Result: true, Err: nil},
-				{Result: false, Err: http.ErrNotSupported},
-			},
-			want:    false,
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var all All
-			for _, mc := range tt.checkers {
-				all = append(all, mc)
-			}
-
-			got, err := all.Check(nil)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("All.Check() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if got != tt.want {
-				t.Errorf("All.Check() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
--- a/lib/checker/any.go
+++ b/lib/checker/any.go
@@ -1,35 +0,0 @@
-package checker
-
-import (
-	"fmt"
-	"net/http"
-	"strings"
-
-	"github.com/TecharoHQ/anubis/internal"
-)
-
-type Any []Interface
-
-func (a Any) Check(r *http.Request) (bool, error) {
-	for _, c := range a {
-		match, err := c.Check(r)
-		if err != nil {
-			return match, err
-		}
-		if match {
-			return true, err // match
-		}
-	}
-
-	return false, nil // no match
-}
-
-func (a Any) Hash() string {
-	var sb strings.Builder
-
-	for _, c := range a {
-		fmt.Fprintln(&sb, c.Hash())
-	}
-
-	return internal.FastHash(sb.String())
-}
--- a/lib/checker/any_test.go
+++ b/lib/checker/any_test.go
@@ -1,83 +0,0 @@
-package checker
-
-import (
-	"net/http"
-	"testing"
-)
-
-type MockChecker struct {
-	Result bool
-	Err    error
-}
-
-func (m MockChecker) Check(r *http.Request) (bool, error) {
-	return m.Result, m.Err
-}
-
-func (m MockChecker) Hash() string {
-	return "mock-hash"
-}
-
-func TestAny_Check(t *testing.T) {
-	tests := []struct {
-		name     string
-		checkers []MockChecker
-		want     bool
-		wantErr  bool
-	}{
-		{
-			name: "All match",
-			checkers: []MockChecker{
-				{Result: true, Err: nil},
-				{Result: true, Err: nil},
-			},
-			want:    true,
-			wantErr: false,
-		},
-		{
-			name: "One match",
-			checkers: []MockChecker{
-				{Result: false, Err: nil},
-				{Result: true, Err: nil},
-			},
-			want:    true,
-			wantErr: false,
-		},
-		{
-			name: "No match",
-			checkers: []MockChecker{
-				{Result: false, Err: nil},
-				{Result: false, Err: nil},
-			},
-			want:    false,
-			wantErr: false,
-		},
-		{
-			name: "Error encountered",
-			checkers: []MockChecker{
-				{Result: false, Err: nil},
-				{Result: false, Err: http.ErrNotSupported},
-			},
-			want:    false,
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var any Any
-			for _, mc := range tt.checkers {
-				any = append(any, mc)
-			}
-
-			got, err := any.Check(nil)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("Any.Check() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if got != tt.want {
-				t.Errorf("Any.Check() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
--- a/lib/checker/checker.go
+++ b/lib/checker/checker.go
@@ -1,17 +0,0 @@
-// Package checker defines the Checker interface and a helper utility to avoid import cycles.
-package checker
-
-import (
-	"errors"
-	"net/http"
-)
-
-var (
-	ErrUnparseableConfig = errors.New("checker: config is unparseable")
-	ErrInvalidConfig     = errors.New("checker: config is invalid")
-)
-
-type Interface interface {
-	Check(*http.Request) (matches bool, err error)
-	Hash() string
-}
--- a/lib/checker/expression/factory.go
+++ b/lib/checker/expression/factory.go
@@ -1,43 +0,0 @@
-package expression
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-
-	"github.com/TecharoHQ/anubis/lib/checker"
-)
-
-func init() {
-	checker.Register("expression", Factory{})
-}
-
-type Factory struct{}
-
-func (f Factory) Build(ctx context.Context, data json.RawMessage) (checker.Interface, error) {
-	var fc = &Config{}
-
-	if err := json.Unmarshal([]byte(data), fc); err != nil {
-		return nil, errors.Join(checker.ErrUnparseableConfig, err)
-	}
-
-	if err := fc.Valid(); err != nil {
-		return nil, errors.Join(checker.ErrInvalidConfig, err)
-	}
-
-	return New(fc)
-}
-
-func (f Factory) Valid(ctx context.Context, data json.RawMessage) error {
-	var fc = &Config{}
-
-	if err := json.Unmarshal([]byte(data), fc); err != nil {
-		return err
-	}
-
-	if err := fc.Valid(); err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/lib/checker/headerexists/checker.go
+++ b/lib/checker/headerexists/checker.go
@@ -1,32 +0,0 @@
-package headerexists
-
-import (
-	"net/http"
-	"strings"
-
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
-)
-
-func New(key string) checker.Interface {
-	return headerExistsChecker{
-		header: strings.TrimSpace(http.CanonicalHeaderKey(key)),
-		hash:   internal.FastHash(key),
-	}
-}
-
-type headerExistsChecker struct {
-	header, hash string
-}
-
-func (hec headerExistsChecker) Check(r *http.Request) (bool, error) {
-	if r.Header.Get(hec.header) != "" {
-		return true, nil
-	}
-
-	return false, nil
-}
-
-func (hec headerExistsChecker) Hash() string {
-	return hec.hash
-}
--- a/lib/checker/headerexists/checker_test.go
+++ b/lib/checker/headerexists/checker_test.go
@@ -1,57 +0,0 @@
-package headerexists
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"testing"
-)
-
-func TestChecker(t *testing.T) {
-	fac := Factory{}
-
-	for _, tt := range []struct {
-		name      string
-		header    string
-		reqHeader string
-		ok        bool
-	}{
-		{
-			name:      "match",
-			header:    "Authorization",
-			reqHeader: "Authorization",
-			ok:        true,
-		},
-		{
-			name:      "not_match",
-			header:    "Authorization",
-			reqHeader: "Authentication",
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			hec, err := fac.Build(t.Context(), json.RawMessage(fmt.Sprintf("%q", tt.header)))
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			t.Log(hec.Hash())
-
-			r, err := http.NewRequest(http.MethodGet, "/", nil)
-			if err != nil {
-				t.Fatalf("can't make request: %v", err)
-			}
-
-			r.Header.Set(tt.reqHeader, "hunter2")
-
-			ok, err := hec.Check(r)
-
-			if tt.ok != ok {
-				t.Errorf("ok: %v, wanted: %v", ok, tt.ok)
-			}
-
-			if err != nil {
-				t.Errorf("err: %v", err)
-			}
-		})
-	}
-}
--- a/lib/checker/headerexists/factory.go
+++ b/lib/checker/headerexists/factory.go
@@ -1,40 +0,0 @@
-package headerexists
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"github.com/TecharoHQ/anubis/lib/checker"
-)
-
-type Factory struct{}
-
-func (f Factory) Build(ctx context.Context, data json.RawMessage) (checker.Interface, error) {
-	var headerName string
-
-	if err := json.Unmarshal([]byte(data), &headerName); err != nil {
-		return nil, fmt.Errorf("%w: want string", checker.ErrUnparseableConfig)
-	}
-
-	if err := f.Valid(ctx, data); err != nil {
-		return nil, err
-	}
-
-	return New(http.CanonicalHeaderKey(headerName)), nil
-}
-
-func (Factory) Valid(ctx context.Context, data json.RawMessage) error {
-	var headerName string
-
-	if err := json.Unmarshal([]byte(data), &headerName); err != nil {
-		return fmt.Errorf("%w: want string", checker.ErrUnparseableConfig)
-	}
-
-	if headerName == "" {
-		return fmt.Errorf("%w: string must not be empty", checker.ErrInvalidConfig)
-	}
-
-	return nil
-}
--- a/lib/checker/headerexists/factory_test.go
+++ b/lib/checker/headerexists/factory_test.go
@@ -1,60 +0,0 @@
-package headerexists
-
-import (
-	"encoding/json"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-func TestFactoryGood(t *testing.T) {
-	files, err := os.ReadDir("./testdata/good")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	fac := Factory{}
-
-	for _, fname := range files {
-		t.Run(fname.Name(), func(t *testing.T) {
-			data, err := os.ReadFile(filepath.Join("testdata", "good", fname.Name()))
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			if err := fac.Valid(t.Context(), json.RawMessage(data)); err != nil {
-				t.Fatal(err)
-			}
-		})
-	}
-}
-
-func TestFactoryBad(t *testing.T) {
-	files, err := os.ReadDir("./testdata/bad")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	fac := Factory{}
-
-	for _, fname := range files {
-		t.Run(fname.Name(), func(t *testing.T) {
-			data, err := os.ReadFile(filepath.Join("testdata", "bad", fname.Name()))
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			t.Run("Build", func(t *testing.T) {
-				if _, err := fac.Build(t.Context(), json.RawMessage(data)); err == nil {
-					t.Fatal(err)
-				}
-			})
-
-			t.Run("Valid", func(t *testing.T) {
-				if err := fac.Valid(t.Context(), json.RawMessage(data)); err == nil {
-					t.Fatal(err)
-				}
-			})
-		})
-	}
-}
--- a/lib/checker/headerexists/testdata/bad/empty.json
+++ b/lib/checker/headerexists/testdata/bad/empty.json
@@ -1 +0,0 @@
-""
--- a/lib/checker/headerexists/testdata/bad/object.json
+++ b/lib/checker/headerexists/testdata/bad/object.json
@@ -1 +0,0 @@
-{}
--- a/lib/checker/headerexists/testdata/good/authorization.json
+++ b/lib/checker/headerexists/testdata/good/authorization.json
@@ -1 +0,0 @@
-"Authorization"
--- a/lib/checker/headermatches/checker.go
+++ b/lib/checker/headermatches/checker.go
@@ -1,46 +0,0 @@
-package headermatches
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-	"regexp"
-
-	"github.com/TecharoHQ/anubis/lib/checker"
-)
-
-type Checker struct {
-	header string
-	regexp *regexp.Regexp
-	hash   string
-}
-
-func (c *Checker) Check(r *http.Request) (bool, error) {
-	if c.regexp.MatchString(r.Header.Get(c.header)) {
-		return true, nil
-	}
-
-	return false, nil
-}
-
-func (c *Checker) Hash() string {
-	return c.hash
-}
-
-func New(key, valueRex string) (checker.Interface, error) {
-	fc := fileConfig{
-		Header:     key,
-		ValueRegex: valueRex,
-	}
-
-	if err := fc.Valid(); err != nil {
-		return nil, err
-	}
-
-	data, err := json.Marshal(fc)
-	if err != nil {
-		return nil, err
-	}
-
-	return Factory{}.Build(context.Background(), json.RawMessage(data))
-}
--- a/lib/checker/headermatches/checker_test.go
+++ b/lib/checker/headermatches/checker_test.go
@@ -1,98 +0,0 @@
-package headermatches
-
-import (
-	"encoding/json"
-	"errors"
-	"net/http"
-	"testing"
-)
-
-func TestChecker(t *testing.T) {
-
-}
-
-func TestHeaderMatchesChecker(t *testing.T) {
-	fac := Factory{}
-
-	for _, tt := range []struct {
-		err            error
-		name           string
-		header         string
-		rexStr         string
-		reqHeaderKey   string
-		reqHeaderValue string
-		ok             bool
-	}{
-		{
-			name:           "match",
-			header:         "Cf-Worker",
-			rexStr:         ".*",
-			reqHeaderKey:   "Cf-Worker",
-			reqHeaderValue: "true",
-			ok:             true,
-			err:            nil,
-		},
-		{
-			name:           "not_match",
-			header:         "Cf-Worker",
-			rexStr:         "false",
-			reqHeaderKey:   "Cf-Worker",
-			reqHeaderValue: "true",
-			ok:             false,
-			err:            nil,
-		},
-		{
-			name:           "not_present",
-			header:         "Cf-Worker",
-			rexStr:         "foobar",
-			reqHeaderKey:   "Something-Else",
-			reqHeaderValue: "true",
-			ok:             false,
-			err:            nil,
-		},
-		{
-			name:   "invalid_regex",
-			rexStr: "a(b",
-			err:    ErrInvalidRegex,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			fc := fileConfig{
-				Header:     tt.header,
-				ValueRegex: tt.rexStr,
-			}
-			data, err := json.Marshal(fc)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			hmc, err := fac.Build(t.Context(), json.RawMessage(data))
-			if err != nil && !errors.Is(err, tt.err) {
-				t.Fatalf("creating HeaderMatchesChecker failed")
-			}
-
-			if tt.err != nil && hmc == nil {
-				return
-			}
-
-			t.Log(hmc.Hash())
-
-			r, err := http.NewRequest(http.MethodGet, "/", nil)
-			if err != nil {
-				t.Fatalf("can't make request: %v", err)
-			}
-
-			r.Header.Set(tt.reqHeaderKey, tt.reqHeaderValue)
-
-			ok, err := hmc.Check(r)
-
-			if tt.ok != ok {
-				t.Errorf("ok: %v, wanted: %v", ok, tt.ok)
-			}
-
-			if err != nil && tt.err != nil && !errors.Is(err, tt.err) {
-				t.Errorf("err: %v, wanted: %v", err, tt.err)
-			}
-		})
-	}
-}
--- a/lib/checker/headermatches/config.go
+++ b/lib/checker/headermatches/config.go
@@ -1,44 +0,0 @@
-package headermatches
-
-import (
-	"errors"
-	"fmt"
-	"regexp"
-)
-
-var (
-	ErrNoHeader     = errors.New("headermatches: no header is configured")
-	ErrNoValueRegex = errors.New("headermatches: no value regex is configured")
-	ErrInvalidRegex = errors.New("headermatches: value regex is invalid")
-)
-
-type fileConfig struct {
-	Header     string `json:"header" yaml:"header"`
-	ValueRegex string `json:"value_regex" yaml:"value_regex"`
-}
-
-func (fc fileConfig) String() string {
-	return fmt.Sprintf("header=%q value_regex=%q", fc.Header, fc.ValueRegex)
-}
-
-func (fc fileConfig) Valid() error {
-	var errs []error
-
-	if fc.Header == "" {
-		errs = append(errs, ErrNoHeader)
-	}
-
-	if fc.ValueRegex == "" {
-		errs = append(errs, ErrNoValueRegex)
-	}
-
-	if _, err := regexp.Compile(fc.ValueRegex); err != nil {
-		errs = append(errs, ErrInvalidRegex, err)
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(errs...)
-	}
-
-	return nil
-}
--- a/lib/checker/headermatches/config_test.go
+++ b/lib/checker/headermatches/config_test.go
@@ -1,55 +0,0 @@
-package headermatches
-
-import (
-	"errors"
-	"testing"
-)
-
-func TestFileConfigValid(t *testing.T) {
-	for _, tt := range []struct {
-		name, description string
-		in                fileConfig
-		err               error
-	}{
-		{
-			name:        "simple happy",
-			description: "the most common usecase",
-			in: fileConfig{
-				Header:     "User-Agent",
-				ValueRegex: ".*",
-			},
-		},
-		{
-			name:        "no header",
-			description: "Header must be set, it is not",
-			in: fileConfig{
-				ValueRegex: ".*",
-			},
-			err: ErrNoHeader,
-		},
-		{
-			name:        "no value regex",
-			description: "ValueRegex must be set, it is not",
-			in: fileConfig{
-				Header: "User-Agent",
-			},
-			err: ErrNoValueRegex,
-		},
-		{
-			name:        "invalid regex",
-			description: "the user wrote an invalid value regular expression",
-			in: fileConfig{
-				Header:     "User-Agent",
-				ValueRegex: "[a-z",
-			},
-			err: ErrInvalidRegex,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.in.Valid(); !errors.Is(err, tt.err) {
-				t.Log(tt.description)
-				t.Fatal(err)
-			}
-		})
-	}
-}
--- a/lib/checker/headermatches/factory.go
+++ b/lib/checker/headermatches/factory.go
@@ -1,66 +0,0 @@
-package headermatches
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"net/http"
-	"regexp"
-
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
-)
-
-func init() {
-	checker.Register("header_matches", Factory{})
-	checker.Register("user_agent", Factory{defaultHeader: "User-Agent"})
-}
-
-type Factory struct {
-	defaultHeader string
-}
-
-func (f Factory) Build(ctx context.Context, data json.RawMessage) (checker.Interface, error) {
-	var fc fileConfig
-
-	if f.defaultHeader != "" {
-		fc.Header = f.defaultHeader
-	}
-
-	if err := json.Unmarshal([]byte(data), &fc); err != nil {
-		return nil, errors.Join(checker.ErrUnparseableConfig, err)
-	}
-
-	if err := fc.Valid(); err != nil {
-		return nil, errors.Join(checker.ErrInvalidConfig, err)
-	}
-
-	valueRex, err := regexp.Compile(fc.ValueRegex)
-	if err != nil {
-		return nil, errors.Join(ErrInvalidRegex, err)
-	}
-
-	return &Checker{
-		header: http.CanonicalHeaderKey(fc.Header),
-		regexp: valueRex,
-		hash:   internal.FastHash(fc.String()),
-	}, nil
-}
-
-func (f Factory) Valid(ctx context.Context, data json.RawMessage) error {
-	var fc fileConfig
-
-	if f.defaultHeader != "" {
-		fc.Header = f.defaultHeader
-	}
-
-	if err := json.Unmarshal([]byte(data), &fc); err != nil {
-		return err
-	}
-
-	if err := fc.Valid(); err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/lib/checker/headermatches/factory_test.go
+++ b/lib/checker/headermatches/factory_test.go
@@ -1,52 +0,0 @@
-package headermatches
-
-import (
-	"encoding/json"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-func TestFactoryGood(t *testing.T) {
-	files, err := os.ReadDir("./testdata/good")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	fac := Factory{}
-
-	for _, fname := range files {
-		t.Run(fname.Name(), func(t *testing.T) {
-			data, err := os.ReadFile(filepath.Join("testdata", "good", fname.Name()))
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			if err := fac.Valid(t.Context(), json.RawMessage(data)); err != nil {
-				t.Fatal(err)
-			}
-		})
-	}
-}
-
-func TestFactoryBad(t *testing.T) {
-	files, err := os.ReadDir("./testdata/bad")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	fac := Factory{}
-
-	for _, fname := range files {
-		t.Run(fname.Name(), func(t *testing.T) {
-			data, err := os.ReadFile(filepath.Join("testdata", "bad", fname.Name()))
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			if err := fac.Valid(t.Context(), json.RawMessage(data)); err == nil {
-				t.Fatal(err)
-			}
-		})
-	}
-}
--- a/lib/checker/headermatches/testdata/bad/invalid_config.json
+++ b/lib/checker/headermatches/testdata/bad/invalid_config.json
@@ -1 +0,0 @@
-}
--- a/lib/checker/headermatches/testdata/bad/invalid_value_regex.json
+++ b/lib/checker/headermatches/testdata/bad/invalid_value_regex.json
@@ -1,4 +0,0 @@
-{
-  "header": "User-Agent",
-  "value_regex": "a(b"
-}
--- a/lib/checker/headermatches/testdata/bad/no_header.json
+++ b/lib/checker/headermatches/testdata/bad/no_header.json
@@ -1,3 +0,0 @@
-{
-  "value_regex": "PaleMoon"
-}
--- a/lib/checker/headermatches/testdata/bad/no_value_regex.json
+++ b/lib/checker/headermatches/testdata/bad/no_value_regex.json
@@ -1,3 +0,0 @@
-{
-  "header": "User-Agent"
-}
--- a/lib/checker/headermatches/testdata/bad/nothing.json
+++ b/lib/checker/headermatches/testdata/bad/nothing.json
@@ -1 +0,0 @@
-{}
--- a/lib/checker/headermatches/testdata/good/simple.json
+++ b/lib/checker/headermatches/testdata/good/simple.json
@@ -1,4 +0,0 @@
-{
-  "header": "User-Agent",
-  "value_regex": "PaleMoon"
-}
--- a/lib/checker/headermatches/useragent.go
+++ b/lib/checker/headermatches/useragent.go
@@ -1,35 +0,0 @@
-package headermatches
-
-import (
-	"context"
-	"encoding/json"
-
-	"github.com/TecharoHQ/anubis/lib/checker"
-)
-
-func ValidUserAgent(valueRex string) error {
-	fc := fileConfig{
-		Header:     "User-Agent",
-		ValueRegex: valueRex,
-	}
-
-	return fc.Valid()
-}
-
-func NewUserAgent(valueRex string) (checker.Interface, error) {
-	fc := fileConfig{
-		Header:     "User-Agent",
-		ValueRegex: valueRex,
-	}
-
-	if err := fc.Valid(); err != nil {
-		return nil, err
-	}
-
-	data, err := json.Marshal(fc)
-	if err != nil {
-		return nil, err
-	}
-
-	return Factory{}.Build(context.Background(), json.RawMessage(data))
-}
--- a/lib/checker/path/checker.go
+++ b/lib/checker/path/checker.go
@@ -1,37 +0,0 @@
-package path
-
-import (
-	"fmt"
-	"net/http"
-	"regexp"
-	"strings"
-
-	"github.com/TecharoHQ/anubis"
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
-)
-
-func New(rexStr string) (checker.Interface, error) {
-	rex, err := regexp.Compile(strings.TrimSpace(rexStr))
-	if err != nil {
-		return nil, fmt.Errorf("%w: regex %s failed parse: %w", anubis.ErrMisconfiguration, rexStr, err)
-	}
-	return &Checker{rex, internal.FastHash(rexStr)}, nil
-}
-
-type Checker struct {
-	regexp *regexp.Regexp
-	hash   string
-}
-
-func (c *Checker) Check(r *http.Request) (bool, error) {
-	if c.regexp.MatchString(r.URL.Path) {
-		return true, nil
-	}
-
-	return false, nil
-}
-
-func (c *Checker) Hash() string {
-	return c.hash
-}
--- a/lib/checker/path/checker_test.go
+++ b/lib/checker/path/checker_test.go
@@ -1,90 +0,0 @@
-package path
-
-import (
-	"encoding/json"
-	"errors"
-	"net/http"
-	"testing"
-)
-
-func TestChecker(t *testing.T) {
-	fac := Factory{}
-
-	for _, tt := range []struct {
-		err     error
-		name    string
-		rexStr  string
-		reqPath string
-		ok      bool
-	}{
-		{
-			name:    "match",
-			rexStr:  "^/api/.*",
-			reqPath: "/api/v1/users",
-			ok:      true,
-			err:     nil,
-		},
-		{
-			name:    "not_match",
-			rexStr:  "^/api/.*",
-			reqPath: "/static/index.html",
-			ok:      false,
-			err:     nil,
-		},
-		{
-			name:    "wildcard_match",
-			rexStr:  ".*\\.json$",
-			reqPath: "/data/config.json",
-			ok:      true,
-			err:     nil,
-		},
-		{
-			name:    "wildcard_not_match",
-			rexStr:  ".*\\.json$",
-			reqPath: "/data/config.yaml",
-			ok:      false,
-			err:     nil,
-		},
-		{
-			name:   "invalid_regex",
-			rexStr: "a(b",
-			err:    ErrInvalidRegex,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			fc := fileConfig{
-				Regex: tt.rexStr,
-			}
-			data, err := json.Marshal(fc)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			pc, err := fac.Build(t.Context(), json.RawMessage(data))
-			if err != nil && !errors.Is(err, tt.err) {
-				t.Fatalf("creating PathChecker failed")
-			}
-
-			if tt.err != nil && pc == nil {
-				return
-			}
-
-			t.Log(pc.Hash())
-
-			r, err := http.NewRequest(http.MethodGet, tt.reqPath, nil)
-			if err != nil {
-				t.Fatalf("can't make request: %v", err)
-			}
-
-			ok, err := pc.Check(r)
-
-			if tt.ok != ok {
-				t.Errorf("ok: %v, wanted: %v", ok, tt.ok)
-			}
-
-			if err != nil && tt.err != nil && !errors.Is(err, tt.err) {
-				t.Errorf("err: %v, wanted: %v", err, tt.err)
-			}
-		})
-	}
-}
--- a/lib/checker/path/config.go
+++ b/lib/checker/path/config.go
@@ -1,38 +0,0 @@
-package path
-
-import (
-	"errors"
-	"fmt"
-	"regexp"
-)
-
-var (
-	ErrNoRegex      = errors.New("path: no regex is configured")
-	ErrInvalidRegex = errors.New("path: regex is invalid")
-)
-
-type fileConfig struct {
-	Regex string `json:"regex" yaml:"regex"`
-}
-
-func (fc fileConfig) String() string {
-	return fmt.Sprintf("regex=%q", fc.Regex)
-}
-
-func (fc fileConfig) Valid() error {
-	var errs []error
-
-	if fc.Regex == "" {
-		errs = append(errs, ErrNoRegex)
-	}
-
-	if _, err := regexp.Compile(fc.Regex); err != nil {
-		errs = append(errs, ErrInvalidRegex, err)
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(errs...)
-	}
-
-	return nil
-}
--- a/lib/checker/path/config_test.go
+++ b/lib/checker/path/config_test.go
@@ -1,50 +0,0 @@
-package path
-
-import (
-	"errors"
-	"testing"
-)
-
-func TestFileConfigValid(t *testing.T) {
-	for _, tt := range []struct {
-		name, description string
-		in                fileConfig
-		err               error
-	}{
-		{
-			name:        "simple happy",
-			description: "the most common usecase",
-			in: fileConfig{
-				Regex: "^/api/.*",
-			},
-		},
-		{
-			name:        "wildcard match",
-			description: "match files with specific extension",
-			in: fileConfig{
-				Regex: ".*[.]json$",
-			},
-		},
-		{
-			name:        "no regex",
-			description: "Regex must be set, it is not",
-			in:          fileConfig{},
-			err:         ErrNoRegex,
-		},
-		{
-			name:        "invalid regex",
-			description: "the user wrote an invalid regular expression",
-			in: fileConfig{
-				Regex: "[a-z",
-			},
-			err: ErrInvalidRegex,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.in.Valid(); !errors.Is(err, tt.err) {
-				t.Log(tt.description)
-				t.Fatalf("got %v, wanted %v", err, tt.err)
-			}
-		})
-	}
-}
--- a/lib/checker/path/factory.go
+++ b/lib/checker/path/factory.go
@@ -1,58 +0,0 @@
-package path
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"regexp"
-	"strings"
-
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
-)
-
-func init() {
-	checker.Register("path", Factory{})
-}
-
-type Factory struct{}
-
-func (f Factory) Build(ctx context.Context, data json.RawMessage) (checker.Interface, error) {
-	var fc fileConfig
-
-	if err := json.Unmarshal([]byte(data), &fc); err != nil {
-		return nil, errors.Join(checker.ErrUnparseableConfig, err)
-	}
-
-	if err := fc.Valid(); err != nil {
-		return nil, errors.Join(checker.ErrInvalidConfig, err)
-	}
-
-	pathRex, err := regexp.Compile(strings.TrimSpace(fc.Regex))
-	if err != nil {
-		return nil, errors.Join(ErrInvalidRegex, err)
-	}
-
-	return &Checker{
-		regexp: pathRex,
-		hash:   internal.FastHash(fc.String()),
-	}, nil
-}
-
-func (f Factory) Valid(ctx context.Context, data json.RawMessage) error {
-	var fc fileConfig
-
-	if err := json.Unmarshal([]byte(data), &fc); err != nil {
-		return errors.Join(checker.ErrUnparseableConfig, err)
-	}
-
-	return fc.Valid()
-}
-
-func Valid(pathRex string) error {
-	fc := fileConfig{
-		Regex: pathRex,
-	}
-
-	return fc.Valid()
-}
--- a/lib/checker/path/factory_test.go
+++ b/lib/checker/path/factory_test.go
@@ -1,52 +0,0 @@
-package path
-
-import (
-	"encoding/json"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-func TestFactoryGood(t *testing.T) {
-	files, err := os.ReadDir("./testdata/good")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	fac := Factory{}
-
-	for _, fname := range files {
-		t.Run(fname.Name(), func(t *testing.T) {
-			data, err := os.ReadFile(filepath.Join("testdata", "good", fname.Name()))
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			if err := fac.Valid(t.Context(), json.RawMessage(data)); err != nil {
-				t.Fatal(err)
-			}
-		})
-	}
-}
-
-func TestFactoryBad(t *testing.T) {
-	files, err := os.ReadDir("./testdata/bad")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	fac := Factory{}
-
-	for _, fname := range files {
-		t.Run(fname.Name(), func(t *testing.T) {
-			data, err := os.ReadFile(filepath.Join("testdata", "bad", fname.Name()))
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			if err := fac.Valid(t.Context(), json.RawMessage(data)); err == nil {
-				t.Fatal("expected validation to fail")
-			}
-		})
-	}
-}
--- a/lib/checker/path/testdata/bad/invalid_regex.json
+++ b/lib/checker/path/testdata/bad/invalid_regex.json
@@ -1,3 +0,0 @@
-{
-  "regex": "a(b"
-}
--- a/lib/checker/path/testdata/bad/nothing.json
+++ b/lib/checker/path/testdata/bad/nothing.json
@@ -1 +0,0 @@
-{}
--- a/lib/checker/path/testdata/good/simple.json
+++ b/lib/checker/path/testdata/good/simple.json
@@ -1,3 +0,0 @@
-{
-  "regex": "^/api/.*"
-}
--- a/lib/checker/path/testdata/good/wildcard.json
+++ b/lib/checker/path/testdata/good/wildcard.json
@@ -1,3 +0,0 @@
-{
-  "regex": ".*\\.json$"
-}
--- a/lib/checker/registry.go
+++ b/lib/checker/registry.go
@@ -1,43 +0,0 @@
-package checker
-
-import (
-	"context"
-	"encoding/json"
-	"sort"
-	"sync"
-)
-
-type Factory interface {
-	Build(context.Context, json.RawMessage) (Interface, error)
-	Valid(context.Context, json.RawMessage) error
-}
-
-var (
-	registry map[string]Factory = map[string]Factory{}
-	regLock  sync.RWMutex
-)
-
-func Register(name string, factory Factory) {
-	regLock.Lock()
-	defer regLock.Unlock()
-
-	registry[name] = factory
-}
-
-func Get(name string) (Factory, bool) {
-	regLock.RLock()
-	defer regLock.RUnlock()
-	result, ok := registry[name]
-	return result, ok
-}
-
-func Methods() []string {
-	regLock.RLock()
-	defer regLock.RUnlock()
-	var result []string
-	for method := range registry {
-		result = append(result, method)
-	}
-	sort.Strings(result)
-	return result
-}
--- a/lib/checker/remoteaddress/remoteaddress.go
+++ b/lib/checker/remoteaddress/remoteaddress.go
@@ -1,127 +0,0 @@
-package remoteaddress
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/netip"
-
-	"github.com/TecharoHQ/anubis"
-	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
-	"github.com/gaissmai/bart"
-)
-
-var (
-	ErrNoRemoteAddresses = errors.New("remoteaddress: no remote addresses defined")
-	ErrInvalidCIDR       = errors.New("remoteaddress: invalid CIDR")
-)
-
-func init() {
-	checker.Register("remote_address", Factory{})
-}
-
-type Factory struct{}
-
-func (Factory) Valid(_ context.Context, inp json.RawMessage) error {
-	var fc fileConfig
-	if err := json.Unmarshal([]byte(inp), &fc); err != nil {
-		return fmt.Errorf("%w: %w", checker.ErrUnparseableConfig, err)
-	}
-
-	if err := fc.Valid(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (Factory) Build(_ context.Context, inp json.RawMessage) (checker.Interface, error) {
-	c := struct {
-		RemoteAddr []netip.Prefix `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`
-	}{}
-
-	if err := json.Unmarshal([]byte(inp), &c); err != nil {
-		return nil, fmt.Errorf("%w: %w", checker.ErrUnparseableConfig, err)
-	}
-
-	table := new(bart.Lite)
-
-	for _, cidr := range c.RemoteAddr {
-		table.Insert(cidr)
-	}
-
-	return &RemoteAddrChecker{
-		prefixTable: table,
-		hash:        internal.FastHash(string(inp)),
-	}, nil
-}
-
-type fileConfig struct {
-	RemoteAddr []string `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`
-}
-
-func (fc fileConfig) Valid() error {
-	var errs []error
-
-	if len(fc.RemoteAddr) == 0 {
-		errs = append(errs, ErrNoRemoteAddresses)
-	}
-
-	for _, cidr := range fc.RemoteAddr {
-		if _, err := netip.ParsePrefix(cidr); err != nil {
-			errs = append(errs, fmt.Errorf("%w: cidr %q is invalid: %w", ErrInvalidCIDR, cidr, err))
-		}
-	}
-
-	if len(errs) != 0 {
-		return fmt.Errorf("%w: %w", checker.ErrInvalidConfig, errors.Join(errs...))
-	}
-
-	return nil
-}
-
-func Valid(cidrs []string) error {
-	fc := fileConfig{
-		RemoteAddr: cidrs,
-	}
-
-	return fc.Valid()
-}
-
-func New(cidrs []string) (checker.Interface, error) {
-	fc := fileConfig{
-		RemoteAddr: cidrs,
-	}
-	data, err := json.Marshal(fc)
-	if err != nil {
-		return nil, err
-	}
-
-	return Factory{}.Build(context.Background(), json.RawMessage(data))
-}
-
-type RemoteAddrChecker struct {
-	prefixTable *bart.Lite
-	hash        string
-}
-
-func (rac *RemoteAddrChecker) Check(r *http.Request) (bool, error) {
-	host := r.Header.Get("X-Real-Ip")
-	if host == "" {
-		return false, fmt.Errorf("%w: header X-Real-Ip is not set", anubis.ErrMisconfiguration)
-	}
-
-	addr, err := netip.ParseAddr(host)
-	if err != nil {
-		return false, fmt.Errorf("%w: %s is not an IP address: %w", anubis.ErrMisconfiguration, host, err)
-	}
-
-	return rac.prefixTable.Contains(addr), nil
-}
-
-func (rac *RemoteAddrChecker) Hash() string {
-	return rac.hash
-}
--- a/lib/checker/remoteaddress/remoteaddress_test.go
+++ b/lib/checker/remoteaddress/remoteaddress_test.go
@@ -1,138 +0,0 @@
-package remoteaddress_test
-
-import (
-	_ "embed"
-	"encoding/json"
-	"errors"
-	"net/http"
-	"testing"
-
-	"github.com/TecharoHQ/anubis/lib/checker"
-	"github.com/TecharoHQ/anubis/lib/checker/remoteaddress"
-)
-
-func TestFactoryIsCheckerFactory(t *testing.T) {
-	if _, ok := (any(remoteaddress.Factory{})).(checker.Factory); !ok {
-		t.Fatal("Factory is not an instance of checker.Factory")
-	}
-}
-
-func TestFactoryValidateConfig(t *testing.T) {
-	f := remoteaddress.Factory{}
-
-	for _, tt := range []struct {
-		name string
-		data []byte
-		err  error
-	}{
-		{
-			name: "basic valid",
-			data: []byte(`{
-  "remote_addresses": [
-    "1.1.1.1/32"
-  ]
-}`),
-		},
-		{
-			name: "not json",
-			data: []byte(`]`),
-			err:  checker.ErrUnparseableConfig,
-		},
-		{
-			name: "no cidr",
-			data: []byte(`{
-  "remote_addresses": []
-}`),
-			err: remoteaddress.ErrNoRemoteAddresses,
-		},
-		{
-			name: "bad cidr",
-			data: []byte(`{
-  "remote_addresses": [
-    "according to all laws of aviation"
-  ]
-}`),
-			err: remoteaddress.ErrInvalidCIDR,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			data := json.RawMessage(tt.data)
-
-			if err := f.Valid(t.Context(), data); !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Fatal("validation didn't do what was expected")
-			}
-		})
-	}
-}
-
-func TestFactoryCreate(t *testing.T) {
-	f := remoteaddress.Factory{}
-
-	for _, tt := range []struct {
-		name  string
-		data  []byte
-		err   error
-		ip    string
-		match bool
-	}{
-		{
-			name: "basic valid",
-			data: []byte(`{
-  "remote_addresses": [
-    "1.1.1.1/32"
-  ]
-}`),
-			ip:    "1.1.1.1",
-			match: true,
-		},
-		{
-			name: "bad cidr",
-			data: []byte(`{
-  "remote_addresses": [
-    "according to all laws of aviation"
-  ]
-}`),
-			err: checker.ErrUnparseableConfig,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			data := json.RawMessage(tt.data)
-
-			impl, err := f.Build(t.Context(), data)
-			if !errors.Is(err, tt.err) {
-				t.Logf("want: %v", tt.err)
-				t.Logf("got:  %v", err)
-				t.Fatal("creation didn't do what was expected")
-			}
-
-			if tt.err != nil {
-				return
-			}
-
-			r, err := http.NewRequest(http.MethodGet, "/", nil)
-			if err != nil {
-				t.Fatalf("can't make request: %v", err)
-			}
-
-			if tt.ip != "" {
-				r.Header.Add("X-Real-Ip", tt.ip)
-			}
-
-			match, err := impl.Check(r)
-
-			if tt.match != match {
-				t.Errorf("match: %v, wanted: %v", match, tt.match)
-			}
-
-			if err != nil && tt.err != nil && !errors.Is(err, tt.err) {
-				t.Errorf("err: %v, wanted: %v", err, tt.err)
-			}
-
-			if impl.Hash() == "" {
-				t.Error("hash method returns empty string")
-			}
-		})
-	}
-}
--- a/lib/checker/remoteaddress/testdata/invalid_bad_cidr.json
+++ b/lib/checker/remoteaddress/testdata/invalid_bad_cidr.json
@@ -1,5 +0,0 @@
-{
-  "remote_addresses": [
-    "according to all laws of aviation"
-  ]
-}
--- a/lib/checker/remoteaddress/testdata/invalid_no_cidr.json
+++ b/lib/checker/remoteaddress/testdata/invalid_no_cidr.json
@@ -1,3 +0,0 @@
-{
-  "remote_addresses": []
-}
--- a/lib/checker/remoteaddress/testdata/invalid_not_json.json
+++ b/lib/checker/remoteaddress/testdata/invalid_not_json.json
@@ -1 +0,0 @@
-]
--- a/lib/checker/remoteaddress/testdata/valid_addresses.json
+++ b/lib/checker/remoteaddress/testdata/valid_addresses.json
@@ -1,5 +0,0 @@
-{
-  "remote_addresses": [
-    "1.1.1.1/32"
-  ]
-}
--- a/lib/config_test.go
+++ b/lib/config_test.go
@@ -7,8 +7,8 @@ import (
 	"testing"

 	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/internal/thoth/thothmock"
 	"github.com/TecharoHQ/anubis/lib/policy"
-	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
 )

 func TestInvalidChallengeMethod(t *testing.T) {
--- a/lib/http.go
+++ b/lib/http.go
@@ -198,7 +198,7 @@ func (s *Server) respondWithError(w http.ResponseWriter, r *http.Request, messag
 func (s *Server) respondWithStatus(w http.ResponseWriter, r *http.Request, msg string, status int) {
 	localizer := localization.GetLocalizer(r)

-	templ.Handler(web.Base(localizer.T("oh_noes"), web.ErrorPage(msg, s.opts.WebmasterEmail, localizer), s.policy.Impressum, localizer), templ.WithStatus(status)).ServeHTTP(w, r)
+	templ.Handler(web.Base(localizer.T("oh_noes"), web.ErrorPage(msg, s.opts.WebmasterEmail, r.FormValue("redir"), localizer), s.policy.Impressum, localizer), templ.WithStatus(status)).ServeHTTP(w, r)
 }

 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
--- a/lib/policy/bot.go
+++ b/lib/policy/bot.go
@@ -4,12 +4,12 @@ import (
 	"fmt"

 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
 )

 type Bot struct {
-	Rules     checker.Interface
+	Rules     checker.Impl
 	Challenge *config.ChallengeRules
 	Weight    *config.Weight
 	Name      string
--- a/lib/checker/expression/checker.go
+++ b/lib/checker/expression/checker.go
@@ -1,44 +1,43 @@
-package expression
+package policy

 import (
 	"fmt"
 	"net/http"

 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/checker/expression/environment"
+	"github.com/TecharoHQ/anubis/lib/policy/config"
+	"github.com/TecharoHQ/anubis/lib/policy/expressions"
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types"
 )

-type Checker struct {
+type CELChecker struct {
 	program cel.Program
 	src     string
-	hash    string
 }

-func New(cfg *Config) (*Checker, error) {
-	env, err := environment.Bot()
+func NewCELChecker(cfg *config.ExpressionOrList) (*CELChecker, error) {
+	env, err := expressions.BotEnvironment()
 	if err != nil {
 		return nil, err
 	}

-	program, err := environment.Compile(env, cfg.String())
+	program, err := expressions.Compile(env, cfg.String())
 	if err != nil {
 		return nil, fmt.Errorf("can't compile CEL program: %w", err)
 	}

-	return &Checker{
+	return &CELChecker{
 		src:     cfg.String(),
-		hash:    internal.FastHash(cfg.String()),
 		program: program,
 	}, nil
 }

-func (cc *Checker) Hash() string {
-	return cc.hash
+func (cc *CELChecker) Hash() string {
+	return internal.FastHash(cc.src)
 }

-func (cc *Checker) Check(r *http.Request) (bool, error) {
+func (cc *CELChecker) Check(r *http.Request) (bool, error) {
 	result, _, err := cc.program.ContextEval(r.Context(), &CELRequest{r})

 	if err != nil {
@@ -71,15 +70,15 @@ func (cr *CELRequest) ResolveName(name string) (any, bool) {
 	case "path":
 		return cr.URL.Path, true
 	case "query":
-		return URLValues{Values: cr.URL.Query()}, true
+		return expressions.URLValues{Values: cr.URL.Query()}, true
 	case "headers":
-		return HTTPHeaders{Header: cr.Header}, true
+		return expressions.HTTPHeaders{Header: cr.Header}, true
 	case "load_1m":
-		return Load1(), true
+		return expressions.Load1(), true
 	case "load_5m":
-		return Load5(), true
+		return expressions.Load5(), true
 	case "load_15m":
-		return Load15(), true
+		return expressions.Load15(), true
 	default:
 		return nil, false
 	}
--- a/lib/policy/checker.go
+++ b/lib/policy/checker.go
@@ -3,39 +3,153 @@ package policy
 import (
 	"errors"
 	"fmt"
-	"sort"
+	"net/http"
+	"net/netip"
+	"regexp"
 	"strings"

-	"github.com/TecharoHQ/anubis/lib/checker"
-	"github.com/TecharoHQ/anubis/lib/checker/headerexists"
-	"github.com/TecharoHQ/anubis/lib/checker/headermatches"
+	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
+	"github.com/gaissmai/bart"
 )

-func NewHeadersChecker(headermap map[string]string) (checker.Interface, error) {
-	var result checker.All
-	var errs []error
+var (
+	ErrMisconfiguration = errors.New("[unexpected] policy: administrator misconfiguration")
+)

-	var keys []string
-	for key := range headermap {
-		keys = append(keys, key)
+type RemoteAddrChecker struct {
+	prefixTable *bart.Lite
+	hash        string
+}
+
+func NewRemoteAddrChecker(cidrs []string) (checker.Impl, error) {
+	table := new(bart.Lite)
+
+	for _, cidr := range cidrs {
+		prefix, err := netip.ParsePrefix(cidr)
+		if err != nil {
+			return nil, fmt.Errorf("%w: range %s not parsing: %w", ErrMisconfiguration, cidr, err)
+		}
+
+		table.Insert(prefix)
 	}

-	sort.Strings(keys)
+	return &RemoteAddrChecker{
+		prefixTable: table,
+		hash:        internal.FastHash(strings.Join(cidrs, ",")),
+	}, nil
+}

-	for _, key := range keys {
-		rexStr := headermap[key]
+func (rac *RemoteAddrChecker) Check(r *http.Request) (bool, error) {
+	host := r.Header.Get("X-Real-Ip")
+	if host == "" {
+		return false, fmt.Errorf("%w: header X-Real-Ip is not set", ErrMisconfiguration)
+	}
+
+	addr, err := netip.ParseAddr(host)
+	if err != nil {
+		return false, fmt.Errorf("%w: %s is not an IP address: %w", ErrMisconfiguration, host, err)
+	}
+
+	return rac.prefixTable.Contains(addr), nil
+}
+
+func (rac *RemoteAddrChecker) Hash() string {
+	return rac.hash
+}
+
+type HeaderMatchesChecker struct {
+	header string
+	regexp *regexp.Regexp
+	hash   string
+}
+
+func NewUserAgentChecker(rexStr string) (checker.Impl, error) {
+	return NewHeaderMatchesChecker("User-Agent", rexStr)
+}
+
+func NewHeaderMatchesChecker(header, rexStr string) (checker.Impl, error) {
+	rex, err := regexp.Compile(strings.TrimSpace(rexStr))
+	if err != nil {
+		return nil, fmt.Errorf("%w: regex %s failed parse: %w", ErrMisconfiguration, rexStr, err)
+	}
+	return &HeaderMatchesChecker{strings.TrimSpace(header), rex, internal.FastHash(header + ": " + rexStr)}, nil
+}
+
+func (hmc *HeaderMatchesChecker) Check(r *http.Request) (bool, error) {
+	if hmc.regexp.MatchString(r.Header.Get(hmc.header)) {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func (hmc *HeaderMatchesChecker) Hash() string {
+	return hmc.hash
+}
+
+type PathChecker struct {
+	regexp *regexp.Regexp
+	hash   string
+}
+
+func NewPathChecker(rexStr string) (checker.Impl, error) {
+	rex, err := regexp.Compile(strings.TrimSpace(rexStr))
+	if err != nil {
+		return nil, fmt.Errorf("%w: regex %s failed parse: %w", ErrMisconfiguration, rexStr, err)
+	}
+	return &PathChecker{rex, internal.FastHash(rexStr)}, nil
+}
+
+func (pc *PathChecker) Check(r *http.Request) (bool, error) {
+	if pc.regexp.MatchString(r.URL.Path) {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func (pc *PathChecker) Hash() string {
+	return pc.hash
+}
+
+func NewHeaderExistsChecker(key string) checker.Impl {
+	return headerExistsChecker{strings.TrimSpace(key)}
+}
+
+type headerExistsChecker struct {
+	header string
+}
+
+func (hec headerExistsChecker) Check(r *http.Request) (bool, error) {
+	if r.Header.Get(hec.header) != "" {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func (hec headerExistsChecker) Hash() string {
+	return internal.FastHash(hec.header)
+}
+
+func NewHeadersChecker(headermap map[string]string) (checker.Impl, error) {
+	var result checker.List
+	var errs []error
+
+	for key, rexStr := range headermap {
 		if rexStr == ".*" {
-			result = append(result, headerexists.New(strings.TrimSpace(key)))
+			result = append(result, headerExistsChecker{strings.TrimSpace(key)})
 			continue
 		}

-		c, err := headermatches.New(key, rexStr)
+		rex, err := regexp.Compile(strings.TrimSpace(rexStr))
 		if err != nil {
-			errs = append(errs, fmt.Errorf("while parsing header %s regex %s: %w", key, rexStr, err))
+			errs = append(errs, fmt.Errorf("while compiling header %s regex %s: %w", key, rexStr, err))
 			continue
 		}

-		result = append(result, c)
+		result = append(result, &HeaderMatchesChecker{key, rex, internal.FastHash(key + ": " + rexStr)})
 	}

 	if len(errs) != 0 {
--- a/lib/policy/checker/checker.go
+++ b/lib/policy/checker/checker.go
@@ -0,0 +1,41 @@
+// Package checker defines the Checker interface and a helper utility to avoid import cycles.
+package checker
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/TecharoHQ/anubis/internal"
+)
+
+type Impl interface {
+	Check(*http.Request) (bool, error)
+	Hash() string
+}
+
+type List []Impl
+
+func (l List) Check(r *http.Request) (bool, error) {
+	for _, c := range l {
+		ok, err := c.Check(r)
+		if err != nil {
+			return ok, err
+		}
+		if ok {
+			return ok, nil
+		}
+	}
+
+	return false, nil
+}
+
+func (l List) Hash() string {
+	var sb strings.Builder
+
+	for _, c := range l {
+		fmt.Fprintln(&sb, c.Hash())
+	}
+
+	return internal.FastHash(sb.String())
+}
--- a/lib/policy/checker_test.go
+++ b/lib/policy/checker_test.go
@@ -0,0 +1,200 @@
+package policy
+
+import (
+	"errors"
+	"net/http"
+	"testing"
+)
+
+func TestRemoteAddrChecker(t *testing.T) {
+	for _, tt := range []struct {
+		err   error
+		name  string
+		ip    string
+		cidrs []string
+		ok    bool
+	}{
+		{
+			name:  "match_ipv4",
+			cidrs: []string{"0.0.0.0/0"},
+			ip:    "1.1.1.1",
+			ok:    true,
+			err:   nil,
+		},
+		{
+			name:  "match_ipv6",
+			cidrs: []string{"::/0"},
+			ip:    "cafe:babe::",
+			ok:    true,
+			err:   nil,
+		},
+		{
+			name:  "not_match_ipv4",
+			cidrs: []string{"1.1.1.1/32"},
+			ip:    "1.1.1.2",
+			ok:    false,
+			err:   nil,
+		},
+		{
+			name:  "not_match_ipv6",
+			cidrs: []string{"cafe:babe::/128"},
+			ip:    "cafe:babe:4::/128",
+			ok:    false,
+			err:   nil,
+		},
+		{
+			name:  "no_ip_set",
+			cidrs: []string{"::/0"},
+			ok:    false,
+			err:   ErrMisconfiguration,
+		},
+		{
+			name:  "invalid_ip",
+			cidrs: []string{"::/0"},
+			ip:    "According to all natural laws of aviation",
+			ok:    false,
+			err:   ErrMisconfiguration,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			rac, err := NewRemoteAddrChecker(tt.cidrs)
+			if err != nil && !errors.Is(err, tt.err) {
+				t.Fatalf("creating RemoteAddrChecker failed: %v", err)
+			}
+
+			r, err := http.NewRequest(http.MethodGet, "/", nil)
+			if err != nil {
+				t.Fatalf("can't make request: %v", err)
+			}
+
+			if tt.ip != "" {
+				r.Header.Add("X-Real-Ip", tt.ip)
+			}
+
+			ok, err := rac.Check(r)
+
+			if tt.ok != ok {
+				t.Errorf("ok: %v, wanted: %v", ok, tt.ok)
+			}
+
+			if err != nil && tt.err != nil && !errors.Is(err, tt.err) {
+				t.Errorf("err: %v, wanted: %v", err, tt.err)
+			}
+		})
+	}
+}
+
+func TestHeaderMatchesChecker(t *testing.T) {
+	for _, tt := range []struct {
+		err            error
+		name           string
+		header         string
+		rexStr         string
+		reqHeaderKey   string
+		reqHeaderValue string
+		ok             bool
+	}{
+		{
+			name:           "match",
+			header:         "Cf-Worker",
+			rexStr:         ".*",
+			reqHeaderKey:   "Cf-Worker",
+			reqHeaderValue: "true",
+			ok:             true,
+			err:            nil,
+		},
+		{
+			name:           "not_match",
+			header:         "Cf-Worker",
+			rexStr:         "false",
+			reqHeaderKey:   "Cf-Worker",
+			reqHeaderValue: "true",
+			ok:             false,
+			err:            nil,
+		},
+		{
+			name:           "not_present",
+			header:         "Cf-Worker",
+			rexStr:         "foobar",
+			reqHeaderKey:   "Something-Else",
+			reqHeaderValue: "true",
+			ok:             false,
+			err:            nil,
+		},
+		{
+			name:   "invalid_regex",
+			rexStr: "a(b",
+			err:    ErrMisconfiguration,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			hmc, err := NewHeaderMatchesChecker(tt.header, tt.rexStr)
+			if err != nil && !errors.Is(err, tt.err) {
+				t.Fatalf("creating HeaderMatchesChecker failed")
+			}
+
+			if tt.err != nil && hmc == nil {
+				return
+			}
+
+			r, err := http.NewRequest(http.MethodGet, "/", nil)
+			if err != nil {
+				t.Fatalf("can't make request: %v", err)
+			}
+
+			r.Header.Set(tt.reqHeaderKey, tt.reqHeaderValue)
+
+			ok, err := hmc.Check(r)
+
+			if tt.ok != ok {
+				t.Errorf("ok: %v, wanted: %v", ok, tt.ok)
+			}
+
+			if err != nil && tt.err != nil && !errors.Is(err, tt.err) {
+				t.Errorf("err: %v, wanted: %v", err, tt.err)
+			}
+		})
+	}
+}
+
+func TestHeaderExistsChecker(t *testing.T) {
+	for _, tt := range []struct {
+		name      string
+		header    string
+		reqHeader string
+		ok        bool
+	}{
+		{
+			name:      "match",
+			header:    "Authorization",
+			reqHeader: "Authorization",
+			ok:        true,
+		},
+		{
+			name:      "not_match",
+			header:    "Authorization",
+			reqHeader: "Authentication",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			hec := headerExistsChecker{tt.header}
+
+			r, err := http.NewRequest(http.MethodGet, "/", nil)
+			if err != nil {
+				t.Fatalf("can't make request: %v", err)
+			}
+
+			r.Header.Set(tt.reqHeader, "hunter2")
+
+			ok, err := hec.Check(r)
+
+			if tt.ok != ok {
+				t.Errorf("ok: %v, wanted: %v", ok, tt.ok)
+			}
+
+			if err != nil {
+				t.Errorf("err: %v", err)
+			}
+		})
+	}
+}
--- a/lib/policy/config/config.go
+++ b/lib/policy/config/config.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"net"
 	"net/http"
 	"os"
 	"regexp"
@@ -12,10 +13,6 @@ import (
 	"time"

 	"github.com/TecharoHQ/anubis/data"
-	"github.com/TecharoHQ/anubis/lib/checker/expression"
-	"github.com/TecharoHQ/anubis/lib/checker/headermatches"
-	"github.com/TecharoHQ/anubis/lib/checker/path"
-	"github.com/TecharoHQ/anubis/lib/checker/remoteaddress"
 	"k8s.io/apimachinery/pkg/util/yaml"
 )

@@ -28,12 +25,12 @@ var (
 	ErrInvalidUserAgentRegex             = errors.New("config.Bot: invalid user agent regex")
 	ErrInvalidPathRegex                  = errors.New("config.Bot: invalid path regex")
 	ErrInvalidHeadersRegex               = errors.New("config.Bot: invalid headers regex")
+	ErrInvalidCIDR                       = errors.New("config.Bot: invalid CIDR")
 	ErrRegexEndsWithNewline              = errors.New("config.Bot: regular expression ends with newline (try >- instead of > in yaml)")
 	ErrInvalidImportStatement            = errors.New("config.ImportStatement: invalid source file")
 	ErrCantSetBotAndImportValuesAtOnce   = errors.New("config.BotOrImport: can't set bot rules and import values at the same time")
 	ErrMustSetBotOrImportRules           = errors.New("config.BotOrImport: rule definition is invalid, you must set either bot rules or an import statement, not both")
 	ErrStatusCodeNotValid                = errors.New("config.StatusCode: status code not valid, must be between 100 and 599")
-	ErrUnparseableConfig                 = errors.New("config: can't parse configuration file")
 )

 type Rule string
@@ -59,15 +56,15 @@ func (r Rule) Valid() error {
 const DefaultAlgorithm = "fast"

 type BotConfig struct {
-	UserAgentRegex *string            `json:"user_agent_regex,omitempty" yaml:"user_agent_regex,omitempty"`
-	PathRegex      *string            `json:"path_regex,omitempty" yaml:"path_regex,omitempty"`
-	HeadersRegex   map[string]string  `json:"headers_regex,omitempty" yaml:"headers_regex,omitempty"`
-	Expression     *expression.Config `json:"expression,omitempty" yaml:"expression,omitempty"`
-	Challenge      *ChallengeRules    `json:"challenge,omitempty" yaml:"challenge,omitempty"`
-	Weight         *Weight            `json:"weight,omitempty" yaml:"weight,omitempty"`
-	Name           string             `json:"name" yaml:"name"`
-	Action         Rule               `json:"action" yaml:"action"`
-	RemoteAddr     []string           `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`
+	UserAgentRegex *string           `json:"user_agent_regex,omitempty" yaml:"user_agent_regex,omitempty"`
+	PathRegex      *string           `json:"path_regex,omitempty" yaml:"path_regex,omitempty"`
+	HeadersRegex   map[string]string `json:"headers_regex,omitempty" yaml:"headers_regex,omitempty"`
+	Expression     *ExpressionOrList `json:"expression,omitempty" yaml:"expression,omitempty"`
+	Challenge      *ChallengeRules   `json:"challenge,omitempty" yaml:"challenge,omitempty"`
+	Weight         *Weight           `json:"weight,omitempty" yaml:"weight,omitempty"`
+	Name           string            `json:"name" yaml:"name"`
+	Action         Rule              `json:"action" yaml:"action"`
+	RemoteAddr     []string          `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`

 	// Thoth features
 	GeoIP *GeoIP `json:"geoip,omitempty"`
@@ -121,7 +118,7 @@ func (b *BotConfig) Valid() error {
 			errs = append(errs, fmt.Errorf("%w: user agent regex: %q", ErrRegexEndsWithNewline, *b.UserAgentRegex))
 		}

-		if err := headermatches.ValidUserAgent(*b.UserAgentRegex); err != nil {
+		if _, err := regexp.Compile(*b.UserAgentRegex); err != nil {
 			errs = append(errs, ErrInvalidUserAgentRegex, err)
 		}
 	}
@@ -131,7 +128,7 @@ func (b *BotConfig) Valid() error {
 			errs = append(errs, fmt.Errorf("%w: path regex: %q", ErrRegexEndsWithNewline, *b.PathRegex))
 		}

-		if err := path.Valid(*b.PathRegex); err != nil {
+		if _, err := regexp.Compile(*b.PathRegex); err != nil {
 			errs = append(errs, ErrInvalidPathRegex, err)
 		}
 	}
@@ -153,8 +150,10 @@ func (b *BotConfig) Valid() error {
 	}

 	if len(b.RemoteAddr) > 0 {
-		if err := remoteaddress.Valid(b.RemoteAddr); err != nil {
-			errs = append(errs, err)
+		for _, cidr := range b.RemoteAddr {
+			if _, _, err := net.ParseCIDR(cidr); err != nil {
+				errs = append(errs, ErrInvalidCIDR, err)
+			}
 		}
 	}

--- a/lib/policy/config/config_test.go
+++ b/lib/policy/config/config_test.go
@@ -8,7 +8,6 @@ import (
 	"testing"

 	"github.com/TecharoHQ/anubis/data"
-	"github.com/TecharoHQ/anubis/lib/checker/remoteaddress"
 	. "github.com/TecharoHQ/anubis/lib/policy/config"
 )

@@ -138,7 +137,7 @@ func TestBotValid(t *testing.T) {
 				Action:     RuleAllow,
 				RemoteAddr: []string{"0.0.0.0/33"},
 			},
-			err: remoteaddress.ErrInvalidCIDR,
+			err: ErrInvalidCIDR,
 		},
 		{
 			name: "only filter by IP range",
--- a/lib/policy/config/expressionorlist.go
+++ b/lib/policy/config/expressionorlist.go
@@ -1,4 +1,4 @@
-package expression
+package config

 import (
 	"encoding/json"
@@ -9,18 +9,18 @@ import (
 )

 var (
-	ErrExpressionOrListMustBeStringOrObject = errors.New("expression: this must be a string or an object")
-	ErrExpressionEmpty                      = errors.New("expression: this expression is empty")
-	ErrExpressionCantHaveBoth               = errors.New("expression: expression block can't contain multiple expression types")
+	ErrExpressionOrListMustBeStringOrObject = errors.New("config: this must be a string or an object")
+	ErrExpressionEmpty                      = errors.New("config: this expression is empty")
+	ErrExpressionCantHaveBoth               = errors.New("config: expression block can't contain multiple expression types")
 )

-type Config struct {
+type ExpressionOrList struct {
 	Expression string   `json:"-" yaml:"-"`
 	All        []string `json:"all,omitempty" yaml:"all,omitempty"`
 	Any        []string `json:"any,omitempty" yaml:"any,omitempty"`
 }

-func (eol Config) String() string {
+func (eol ExpressionOrList) String() string {
 	switch {
 	case len(eol.Expression) != 0:
 		return eol.Expression
@@ -46,7 +46,7 @@ func (eol Config) String() string {
 	panic("this should not happen")
 }

-func (eol Config) Equal(rhs *Config) bool {
+func (eol ExpressionOrList) Equal(rhs *ExpressionOrList) bool {
 	if eol.Expression != rhs.Expression {
 		return false
 	}
@@ -62,7 +62,7 @@ func (eol Config) Equal(rhs *Config) bool {
 	return true
 }

-func (eol *Config) MarshalYAML() (any, error) {
+func (eol *ExpressionOrList) MarshalYAML() (any, error) {
 	switch {
 	case len(eol.All) == 1 && len(eol.Any) == 0:
 		eol.Expression = eol.All[0]
@@ -76,11 +76,11 @@ func (eol *Config) MarshalYAML() (any, error) {
 		return eol.Expression, nil
 	}

-	type RawExpressionOrList Config
+	type RawExpressionOrList ExpressionOrList
 	return RawExpressionOrList(*eol), nil
 }

-func (eol *Config) MarshalJSON() ([]byte, error) {
+func (eol *ExpressionOrList) MarshalJSON() ([]byte, error) {
 	switch {
 	case len(eol.All) == 1 && len(eol.Any) == 0:
 		eol.Expression = eol.All[0]
@@ -94,17 +94,17 @@ func (eol *Config) MarshalJSON() ([]byte, error) {
 		return json.Marshal(string(eol.Expression))
 	}

-	type RawExpressionOrList Config
+	type RawExpressionOrList ExpressionOrList
 	val := RawExpressionOrList(*eol)
 	return json.Marshal(val)
 }

-func (eol *Config) UnmarshalJSON(data []byte) error {
+func (eol *ExpressionOrList) UnmarshalJSON(data []byte) error {
 	switch string(data[0]) {
 	case `"`: // string
 		return json.Unmarshal(data, &eol.Expression)
 	case "{": // object
-		type RawExpressionOrList Config
+		type RawExpressionOrList ExpressionOrList
 		var val RawExpressionOrList
 		if err := json.Unmarshal(data, &val); err != nil {
 			return err
@@ -118,7 +118,7 @@ func (eol *Config) UnmarshalJSON(data []byte) error {
 	return ErrExpressionOrListMustBeStringOrObject
 }

-func (eol *Config) Valid() error {
+func (eol *ExpressionOrList) Valid() error {
 	if eol.Expression == "" && len(eol.All) == 0 && len(eol.Any) == 0 {
 		return ErrExpressionEmpty
 	}
--- a/lib/policy/config/expressionorlist_test.go
+++ b/lib/policy/config/expressionorlist_test.go
@@ -1,4 +1,4 @@
-package expression
+package config

 import (
 	"bytes"
@@ -12,13 +12,13 @@ import (
 func TestExpressionOrListMarshalJSON(t *testing.T) {
 	for _, tt := range []struct {
 		name   string
-		input  *Config
+		input  *ExpressionOrList
 		output []byte
 		err    error
 	}{
 		{
 			name: "single expression",
-			input: &Config{
+			input: &ExpressionOrList{
 				Expression: "true",
 			},
 			output: []byte(`"true"`),
@@ -26,7 +26,7 @@ func TestExpressionOrListMarshalJSON(t *testing.T) {
 		},
 		{
 			name: "all",
-			input: &Config{
+			input: &ExpressionOrList{
 				All: []string{"true", "true"},
 			},
 			output: []byte(`{"all":["true","true"]}`),
@@ -34,7 +34,7 @@ func TestExpressionOrListMarshalJSON(t *testing.T) {
 		},
 		{
 			name: "all one",
-			input: &Config{
+			input: &ExpressionOrList{
 				All: []string{"true"},
 			},
 			output: []byte(`"true"`),
@@ -42,7 +42,7 @@ func TestExpressionOrListMarshalJSON(t *testing.T) {
 		},
 		{
 			name: "any",
-			input: &Config{
+			input: &ExpressionOrList{
 				Any: []string{"true", "false"},
 			},
 			output: []byte(`{"any":["true","false"]}`),
@@ -50,7 +50,7 @@ func TestExpressionOrListMarshalJSON(t *testing.T) {
 		},
 		{
 			name: "any one",
-			input: &Config{
+			input: &ExpressionOrList{
 				Any: []string{"true"},
 			},
 			output: []byte(`"true"`),
@@ -75,13 +75,13 @@ func TestExpressionOrListMarshalJSON(t *testing.T) {
 func TestExpressionOrListMarshalYAML(t *testing.T) {
 	for _, tt := range []struct {
 		name   string
-		input  *Config
+		input  *ExpressionOrList
 		output []byte
 		err    error
 	}{
 		{
 			name: "single expression",
-			input: &Config{
+			input: &ExpressionOrList{
 				Expression: "true",
 			},
 			output: []byte(`"true"`),
@@ -89,7 +89,7 @@ func TestExpressionOrListMarshalYAML(t *testing.T) {
 		},
 		{
 			name: "all",
-			input: &Config{
+			input: &ExpressionOrList{
 				All: []string{"true", "true"},
 			},
 			output: []byte(`all:
@@ -99,7 +99,7 @@ func TestExpressionOrListMarshalYAML(t *testing.T) {
 		},
 		{
 			name: "all one",
-			input: &Config{
+			input: &ExpressionOrList{
 				All: []string{"true"},
 			},
 			output: []byte(`"true"`),
@@ -107,7 +107,7 @@ func TestExpressionOrListMarshalYAML(t *testing.T) {
 		},
 		{
 			name: "any",
-			input: &Config{
+			input: &ExpressionOrList{
 				Any: []string{"true", "false"},
 			},
 			output: []byte(`any:
@@ -117,7 +117,7 @@ func TestExpressionOrListMarshalYAML(t *testing.T) {
 		},
 		{
 			name: "any one",
-			input: &Config{
+			input: &ExpressionOrList{
 				Any: []string{"true"},
 			},
 			output: []byte(`"true"`),
@@ -145,14 +145,14 @@ func TestExpressionOrListUnmarshalJSON(t *testing.T) {
 	for _, tt := range []struct {
 		err      error
 		validErr error
-		result   *Config
+		result   *ExpressionOrList
 		name     string
 		inp      string
 	}{
 		{
 			name: "simple",
 			inp:  `"\"User-Agent\" in headers"`,
-			result: &Config{
+			result: &ExpressionOrList{
 				Expression: `"User-Agent" in headers`,
 			},
 		},
@@ -161,7 +161,7 @@ func TestExpressionOrListUnmarshalJSON(t *testing.T) {
 			inp: `{
 			"all": ["\"User-Agent\" in headers"]
 			}`,
-			result: &Config{
+			result: &ExpressionOrList{
 				All: []string{
 					`"User-Agent" in headers`,
 				},
@@ -172,7 +172,7 @@ func TestExpressionOrListUnmarshalJSON(t *testing.T) {
 			inp: `{
 			"any": ["\"User-Agent\" in headers"]
 			}`,
-			result: &Config{
+			result: &ExpressionOrList{
 				Any: []string{
 					`"User-Agent" in headers`,
 				},
@@ -195,7 +195,7 @@ func TestExpressionOrListUnmarshalJSON(t *testing.T) {
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
-			var eol Config
+			var eol ExpressionOrList

 			if err := json.Unmarshal([]byte(tt.inp), &eol); !errors.Is(err, tt.err) {
 				t.Errorf("wanted unmarshal error: %v but got: %v", tt.err, err)
@@ -217,40 +217,40 @@ func TestExpressionOrListUnmarshalJSON(t *testing.T) {
 func TestExpressionOrListString(t *testing.T) {
 	for _, tt := range []struct {
 		name string
-		in   Config
+		in   ExpressionOrList
 		out  string
 	}{
 		{
 			name: "single expression",
-			in: Config{
+			in: ExpressionOrList{
 				Expression: "true",
 			},
 			out: "true",
 		},
 		{
 			name: "all",
-			in: Config{
+			in: ExpressionOrList{
 				All: []string{"true"},
 			},
 			out: "( true )",
 		},
 		{
 			name: "all with &&",
-			in: Config{
+			in: ExpressionOrList{
 				All: []string{"true", "true"},
 			},
 			out: "( true ) && ( true )",
 		},
 		{
 			name: "any",
-			in: Config{
+			in: ExpressionOrList{
 				All: []string{"true"},
 			},
 			out: "( true )",
 		},
 		{
 			name: "any with ||",
-			in: Config{
+			in: ExpressionOrList{
 				Any: []string{"true", "true"},
 			},
 			out: "( true ) || ( true )",
--- a/lib/policy/config/threshold.go
+++ b/lib/policy/config/threshold.go
@@ -5,7 +5,6 @@ import (
 	"fmt"

 	"github.com/TecharoHQ/anubis"
-	"github.com/TecharoHQ/anubis/lib/checker/expression"
 )

 var (
@@ -18,7 +17,7 @@ var (
 	DefaultThresholds = []Threshold{
 		{
 			Name: "legacy-anubis-behaviour",
-			Expression: &expression.Config{
+			Expression: &ExpressionOrList{
 				Expression: "weight > 0",
 			},
 			Action: RuleChallenge,
@@ -32,10 +31,10 @@ var (
 )

 type Threshold struct {
-	Name       string             `json:"name" yaml:"name"`
-	Expression *expression.Config `json:"expression" yaml:"expression"`
-	Action     Rule               `json:"action" yaml:"action"`
-	Challenge  *ChallengeRules    `json:"challenge" yaml:"challenge"`
+	Name       string            `json:"name" yaml:"name"`
+	Expression *ExpressionOrList `json:"expression" yaml:"expression"`
+	Action     Rule              `json:"action" yaml:"action"`
+	Challenge  *ChallengeRules   `json:"challenge" yaml:"challenge"`
 }

 func (t Threshold) Valid() error {
--- a/lib/policy/config/threshold_test.go
+++ b/lib/policy/config/threshold_test.go
@@ -6,8 +6,6 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
-
-	"github.com/TecharoHQ/anubis/lib/checker/expression"
 )

 func TestThresholdValid(t *testing.T) {
@@ -20,7 +18,7 @@ func TestThresholdValid(t *testing.T) {
 			name: "basic allow",
 			input: &Threshold{
 				Name:       "basic-allow",
-				Expression: &expression.Config{Expression: "true"},
+				Expression: &ExpressionOrList{Expression: "true"},
 				Action:     RuleAllow,
 			},
 			err: nil,
@@ -29,7 +27,7 @@ func TestThresholdValid(t *testing.T) {
 			name: "basic challenge",
 			input: &Threshold{
 				Name:       "basic-challenge",
-				Expression: &expression.Config{Expression: "true"},
+				Expression: &ExpressionOrList{Expression: "true"},
 				Action:     RuleChallenge,
 				Challenge: &ChallengeRules{
 					Algorithm:  "fast",
@@ -52,9 +50,9 @@ func TestThresholdValid(t *testing.T) {
 		{
 			name: "invalid expression",
 			input: &Threshold{
-				Expression: &expression.Config{},
+				Expression: &ExpressionOrList{},
 			},
-			err: expression.ErrExpressionEmpty,
+			err: ErrExpressionEmpty,
 		},
 		{
 			name:  "invalid action",
--- a/lib/policy/expressions/README.md
+++ b/lib/policy/expressions/README.md
--- a/lib/checker/expression/environment/environment.go
+++ b/lib/checker/expression/environment/environment.go
@@ -1,4 +1,4 @@
-package environment
+package expressions

 import (
 	"math/rand/v2"
@@ -10,11 +10,11 @@ import (
 	"github.com/google/cel-go/ext"
 )

-// Bot creates a new CEL environment, this is the set of variables and
-// functions that are passed into the CEL scope so that Anubis can fail
-// loudly and early when something is invalid instead of blowing up at
-// runtime.
-func Bot() (*cel.Env, error) {
+// BotEnvironment creates a new CEL environment, this is the set of
+// variables and functions that are passed into the CEL scope so that
+// Anubis can fail loudly and early when something is invalid instead
+// of blowing up at runtime.
+func BotEnvironment() (*cel.Env, error) {
 	return New(
 		// Variables exposed to CEL programs:
 		cel.Variable("remoteAddress", cel.StringType),
@@ -57,14 +57,13 @@ func Bot() (*cel.Env, error) {
 	)
 }

-// Threshold creates a new CEL environment for threshold checking.
-func Threshold() (*cel.Env, error) {
+// NewThreshold creates a new CEL environment for threshold checking.
+func ThresholdEnvironment() (*cel.Env, error) {
 	return New(
 		cel.Variable("weight", cel.IntType),
 	)
 }

-// New creates a new base CEL environment.
 func New(opts ...cel.EnvOption) (*cel.Env, error) {
 	args := []cel.EnvOption{
 		ext.Strings(
@@ -96,7 +95,7 @@ func New(opts ...cel.EnvOption) (*cel.Env, error) {
 	return cel.NewEnv(args...)
 }

-// Compile takes a CEL environment and syntax tree then emits an optimized
+// Compile takes CEL environment and syntax tree then emits an optimized
 // Program for execution.
 func Compile(env *cel.Env, src string) (cel.Program, error) {
 	intermediate, iss := env.Compile(src)
--- a/lib/checker/expression/environment/environment_test.go
+++ b/lib/checker/expression/environment/environment_test.go
@@ -1,4 +1,4 @@
-package environment
+package expressions

 import (
 	"testing"
@@ -6,8 +6,8 @@ import (
 	"github.com/google/cel-go/common/types"
 )

-func TestBot(t *testing.T) {
-	env, err := Bot()
+func TestBotEnvironment(t *testing.T) {
+	env, err := BotEnvironment()
 	if err != nil {
 		t.Fatalf("failed to create bot environment: %v", err)
 	}
@@ -108,8 +108,8 @@ func TestBot(t *testing.T) {
 	})
 }

-func TestThreshold(t *testing.T) {
-	env, err := Threshold()
+func TestThresholdEnvironment(t *testing.T) {
+	env, err := ThresholdEnvironment()
 	if err != nil {
 		t.Fatalf("failed to create threshold environment: %v", err)
 	}
--- a/lib/policy/expressions/http_headers.go
+++ b/lib/policy/expressions/http_headers.go
@@ -1,4 +1,4 @@
-package expression
+package expressions

 import (
 	"net/http"
--- a/lib/policy/expressions/http_headers_test.go
+++ b/lib/policy/expressions/http_headers_test.go
@@ -1,4 +1,4 @@
-package expression
+package expressions

 import (
 	"net/http"
--- a/lib/policy/expressions/loadavg.go
+++ b/lib/policy/expressions/loadavg.go
@@ -1,4 +1,4 @@
-package expression
+package expressions

 import (
 	"context"
--- a/lib/policy/expressions/url_values.go
+++ b/lib/policy/expressions/url_values.go
@@ -1,4 +1,4 @@
-package expression
+package expressions

 import (
 	"errors"
--- a/lib/policy/expressions/url_values_test.go
+++ b/lib/policy/expressions/url_values_test.go
@@ -1,4 +1,4 @@
-package expression
+package expressions

 import (
 	"net/url"
--- a/lib/policy/policy.go
+++ b/lib/policy/policy.go
@@ -8,14 +8,10 @@ import (
 	"log/slog"
 	"sync/atomic"

-	"github.com/TecharoHQ/anubis/lib/checker"
-	"github.com/TecharoHQ/anubis/lib/checker/expression"
-	"github.com/TecharoHQ/anubis/lib/checker/headermatches"
-	"github.com/TecharoHQ/anubis/lib/checker/path"
-	"github.com/TecharoHQ/anubis/lib/checker/remoteaddress"
+	"github.com/TecharoHQ/anubis/internal/thoth"
+	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"github.com/TecharoHQ/anubis/lib/store"
-	"github.com/TecharoHQ/anubis/lib/thoth"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"

@@ -77,10 +73,10 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 			Action: b.Action,
 		}

-		cl := checker.Any{}
+		cl := checker.List{}

 		if len(b.RemoteAddr) > 0 {
-			c, err := remoteaddress.New(b.RemoteAddr)
+			c, err := NewRemoteAddrChecker(b.RemoteAddr)
 			if err != nil {
 				validationErrs = append(validationErrs, fmt.Errorf("while processing rule %s remote addr set: %w", b.Name, err))
 			} else {
@@ -89,7 +85,7 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 		}

 		if b.UserAgentRegex != nil {
-			c, err := headermatches.NewUserAgent(*b.UserAgentRegex)
+			c, err := NewUserAgentChecker(*b.UserAgentRegex)
 			if err != nil {
 				validationErrs = append(validationErrs, fmt.Errorf("while processing rule %s user agent regex: %w", b.Name, err))
 			} else {
@@ -98,7 +94,7 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 		}

 		if b.PathRegex != nil {
-			c, err := path.New(*b.PathRegex)
+			c, err := NewPathChecker(*b.PathRegex)
 			if err != nil {
 				validationErrs = append(validationErrs, fmt.Errorf("while processing rule %s path regex: %w", b.Name, err))
 			} else {
@@ -116,7 +112,7 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 		}

 		if b.Expression != nil {
-			c, err := expression.New(b.Expression)
+			c, err := NewCELChecker(b.Expression)
 			if err != nil {
 				validationErrs = append(validationErrs, fmt.Errorf("while processing rule %s expressions: %w", b.Name, err))
 			} else {
--- a/lib/policy/policy_test.go
+++ b/lib/policy/policy_test.go
@@ -7,7 +7,7 @@ import (

 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
-	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
+	"github.com/TecharoHQ/anubis/internal/thoth/thothmock"
 )

 func TestDefaultPolicyMustParse(t *testing.T) {
--- a/lib/policy/thresholds.go
+++ b/lib/policy/thresholds.go
@@ -1,8 +1,8 @@
 package policy

 import (
-	"github.com/TecharoHQ/anubis/lib/checker/expression/environment"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
+	"github.com/TecharoHQ/anubis/lib/policy/expressions"
 	"github.com/google/cel-go/cel"
 )

@@ -16,12 +16,12 @@ func ParsedThresholdFromConfig(t config.Threshold) (*Threshold, error) {
 		Threshold: t,
 	}

-	env, err := environment.Threshold()
+	env, err := expressions.ThresholdEnvironment()
 	if err != nil {
 		return nil, err
 	}

-	program, err := environment.Compile(env, t.Expression.String())
+	program, err := expressions.Compile(env, t.Expression.String())
 	if err != nil {
 		return nil, err
 	}
--- a/lib/testdata/permissive.yaml
+++ b/lib/testdata/permissive.yaml
@@ -1,4 +0,0 @@
-bots:
-  - import: (data)/common/allow-private-addresses.yaml
-
-dnsbl: false
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.3",
+  "version": "1.21.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@techaro/anubis",
-      "version": "1.21.3",
+      "version": "1.21.1",
      "license": "ISC",
      "devDependencies": {
        "cssnano": "^7.1.0",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.3",
+  "version": "1.21.1",
  "description": "",
  "main": "index.js",
  "scripts": {
--- a/test/cmd/cipra/internal/containerip.go
+++ b/test/cmd/cipra/internal/containerip.go
@@ -1,33 +0,0 @@
-package internal
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/docker/docker/client"
-)
-
-// GetContainerIPAddress returns the first non-empty IP address of the container with the given name.
-// It returns the IP address as a string or an error.
-func GetContainerIPAddress(containerName string) (string, error) {
-	ctx := context.Background()
-	cli, err := client.NewClientWithOpts(client.FromEnv)
-	if err != nil {
-		return "", err
-	}
-
-	// Get container details
-	containerJSON, err := cli.ContainerInspect(ctx, containerName)
-	if err != nil {
-		return "", err
-	}
-
-	// Loop through all networks and return the first IP address found
-	for _, net := range containerJSON.NetworkSettings.Networks {
-		if net.IPAddress != "" {
-			return net.IPAddress, nil
-		}
-	}
-
-	return "", fmt.Errorf("no IP address found for container %q", containerName)
-}
--- a/test/cmd/cipra/internal/getlanip.go
+++ b/test/cmd/cipra/internal/getlanip.go
@@ -1,50 +0,0 @@
-package internal
-
-import (
-	"fmt"
-	"net"
-)
-
-// GetLANIP returns the first non-loopback IPv4 LAN IP address.
-func GetLANIP() (net.IP, error) {
-	ifaces, err := net.Interfaces()
-	if err != nil {
-		return nil, err
-	}
-
-	for _, iface := range ifaces {
-		// Skip down or loopback interfaces
-		if iface.Flags&(net.FlagUp|net.FlagLoopback) != net.FlagUp {
-			continue
-		}
-
-		addrs, err := iface.Addrs()
-		if err != nil {
-			continue // skip interfaces we can't query
-		}
-
-		for _, addr := range addrs {
-			var ip net.IP
-
-			switch v := addr.(type) {
-			case *net.IPNet:
-				ip = v.IP
-			case *net.IPAddr:
-				ip = v.IP
-			}
-
-			if ip == nil || ip.IsLoopback() {
-				continue
-			}
-
-			ip = ip.To4()
-			if ip == nil {
-				continue // not an IPv4 address
-			}
-
-			return ip, nil
-		}
-	}
-
-	return nil, fmt.Errorf("no connected LAN IPv4 address found")
-}
--- a/test/cmd/cipra/internal/unbreakdocker.go
+++ b/test/cmd/cipra/internal/unbreakdocker.go
@@ -1,34 +0,0 @@
-package internal
-
-import (
-	"context"
-	"log"
-	"os"
-
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/client"
-)
-
-// UnbreakDocker connects the container named after the current hostname
-// to the specified Docker network.
-func UnbreakDocker(networkName string) error {
-	ctx := context.Background()
-
-	cli, err := client.NewClientWithOpts(client.FromEnv)
-	if err != nil {
-		return err
-	}
-
-	hostname, err := os.Hostname()
-	if err != nil {
-		return err
-	}
-
-	err = cli.NetworkConnect(ctx, networkName, hostname, &network.EndpointSettings{})
-	if err != nil {
-		return err
-	}
-
-	log.Printf("Connected container %q to network %q\n", hostname, networkName)
-	return nil
-}
--- a/test/cmd/cipra/main.go
+++ b/test/cmd/cipra/main.go
@@ -1,114 +0,0 @@
-package main
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"os/exec"
-	"strings"
-	"time"
-
-	"github.com/TecharoHQ/anubis/test/cmd/cipra/internal"
-	"github.com/facebookgo/flagenv"
-)
-
-var (
-	bind                 = flag.String("bind", ":9090", "TCP host:port to bind HTTP on")
-	browserBin           = flag.String("browser-bin", "palemoon", "browser binary name")
-	browserContainerName = flag.String("browser-container-name", "palemoon", "browser container name")
-	composeName          = flag.String("compose-name", "", "docker compose base name for resources")
-	vncServerContainer   = flag.String("vnc-container-name", "display", "VNC host:port (NOT a display number)")
-)
-
-func main() {
-	flagenv.Parse()
-	flag.Parse()
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
-	defer cancel()
-
-	lanip, err := internal.GetLANIP()
-	if err != nil {
-		log.Panic(err)
-	}
-
-	os.Setenv("TARGET", fmt.Sprintf("%s%s", lanip.String(), *bind))
-
-	http.HandleFunc("/{$}", func(w http.ResponseWriter, r *http.Request) {
-		http.Error(w, "OK", http.StatusOK)
-		log.Println("got termination signal", r.RequestURI)
-		go func() {
-			time.Sleep(2 * time.Second)
-			cancel()
-		}()
-	})
-
-	srv := &http.Server{
-		Handler: http.DefaultServeMux,
-		Addr:    *bind,
-	}
-
-	go func() {
-		if err := srv.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
-			log.Panic(err)
-		}
-	}()
-
-	if err := RunScript(ctx, "docker", "compose", "up", "-d"); err != nil {
-		log.Fatalf("can't start project: %v", err)
-	}
-
-	defer RunScript(ctx, "docker", "compose", "down", "-t", "1")
-	defer RunScript(ctx, "docker", "compose", "rm", "-f")
-
-	internal.UnbreakDocker(*composeName + "_default")
-
-	if err := RunScript(ctx, "docker", "exec", fmt.Sprintf("%s-%s-1", *composeName, *browserContainerName), "bash", "/hack/scripts/install-cert.sh"); err != nil {
-		log.Panic(err)
-	}
-
-	if err := RunScript(ctx, "docker", "exec", fmt.Sprintf("%s-%s-1", *composeName, *browserContainerName), *browserBin, "https://relayd"); err != nil {
-		log.Panic(err)
-	}
-
-	<-ctx.Done()
-	srv.Close()
-	time.Sleep(2 * time.Second)
-}
-
-func RunScript(ctx context.Context, args ...string) error {
-	var err error
-	backoff := 250 * time.Millisecond
-
-	for attempt := 0; attempt < 5; attempt++ {
-		select {
-		case <-ctx.Done():
-			return nil
-		default:
-		}
-		log.Printf("Running command: %s", strings.Join(args, " "))
-		cmd := exec.CommandContext(ctx, args[0], args[1:]...)
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-
-		err = cmd.Run()
-		if exitErr, ok := err.(*exec.ExitError); ok {
-			log.Printf("attempt=%d code=%d", attempt, exitErr.ExitCode())
-		}
-
-		if err == nil {
-			return nil
-		}
-
-		log.Printf("Attempt %d failed: %v %T", attempt+1, err, err)
-		log.Printf("Retrying in %v...", backoff)
-		time.Sleep(backoff)
-		backoff *= 2
-	}
-
-	return fmt.Errorf("script failed after 5 attempts: %w", err)
-}
--- a/test/go.mod
+++ b/test/go.mod
@@ -6,7 +6,6 @@ replace github.com/TecharoHQ/anubis => ..

 require (
 	github.com/TecharoHQ/anubis v1.19.1
-	github.com/docker/docker v28.0.1+incompatible
 	github.com/facebookgo/flagenv v0.0.0-20160425205200-fcd59fca7456
 	github.com/google/uuid v1.6.0
 )
@@ -14,38 +13,27 @@ require (
 require (
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1 // indirect
 	cel.dev/expr v0.24.0 // indirect
-	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/TecharoHQ/thoth-proto v0.4.0 // indirect
 	github.com/a-h/templ v0.3.906 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/facebookgo/ensure v0.0.0-20200202191622-63f1cf65ac4c // indirect
 	github.com/facebookgo/subset v0.0.0-20200203212716-c811ad88dec4 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gaissmai/bart v0.20.5 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/google/cel-go v0.25.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 // indirect
 	github.com/joho/godotenv v1.5.1 // indirect
 	github.com/jsha/minica v1.1.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/lum8rjack/go-ja4h v0.0.0-20250606032308-3a989c6635be // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nicksnyder/go-i18n/v2 v2.6.0 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
@@ -57,22 +45,15 @@ require (
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.etcd.io/bbolt v1.4.2 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
-	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 // indirect
-	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/sys v0.34.0 // indirect
 	golang.org/x/text v0.27.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a // indirect
 	google.golang.org/grpc v1.73.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
-	gotest.tools/v3 v3.5.2 // indirect
 	k8s.io/apimachinery v0.33.2 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/yaml v1.5.0 // indirect
--- a/test/go.sum
+++ b/test/go.sum
@@ -24,8 +24,6 @@ github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
-github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
@@ -34,6 +32,7 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
 github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -62,7 +61,6 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/gaissmai/bart v0.20.5 h1:ehoWZWQ7j//qt0K0Zs4i9hpoPpbgqsMQiR8W2QPJh+c=
 github.com/gaissmai/bart v0.20.5/go.mod h1:cEed+ge8dalcbpi8wtS9x9m2hn/fNJH5suhdGQOHnYk=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -85,14 +83,10 @@ github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 h1:QGLs
 github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0/go.mod h1:hM2alZsMUni80N33RBe6J0e423LB+odMj7d3EMP9l20=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 h1:sGm2vDRFUrQJO/Veii4h4zG2vvqG6uWNkBHSTqXOZk0=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2/go.mod h1:wd1YpapPLivG6nQgbf7ZkG1hhSOXDhhn4MLTknx2aAc=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/jsha/minica v1.1.0 h1:O2ZbzAN75w4RTB+5+HfjIEvY5nxRqDlwj3ZlLVG5JD8=
 github.com/jsha/minica v1.1.0/go.mod h1:dxC3wNmD+gU1ewXo/R8jB2ihB6wNpyXrG8aUk5Iuf/k=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -170,8 +164,6 @@ github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFA
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
 github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
 github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=
@@ -182,10 +174,6 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
 go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
 go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA=
 go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
 go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
 go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
@@ -194,57 +182,28 @@ go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5J
 go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
 go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
-go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os=
-go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.3 h1:bXOww4E/J3f66rav3pX3m8w6jDE4knZjGOw8b5Y6iNE=
 go.yaml.in/yaml/v3 v3.0.3/go.mod h1:tBHosrYAkRZjRAOREWbDnBXUf08JOwYq++0QNwQiWzI=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
 golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI=
 golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
 golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
 golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
 golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a h1:SGktgSolFCo75dnHJF2yMvnns6jCmHFJ0vE4Vn2JKvQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20250528174236-200df99c418a/go.mod h1:a77HrdMjoeKbnd2jmgcWdaS++ZLZAEq3orIOAEIKiVw=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a h1:v2PbRU4K3llS09c7zodFpNePeamkAwG3mPrAery9VeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
 google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
@@ -255,8 +214,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
-gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
 k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
--- a/test/i18n/var/.gitignore
+++ b/test/i18n/var/.gitignore
@@ -1,2 +0,0 @@
-*
-!.gitignore
--- a/test/lib/lib.sh
+++ b/test/lib/lib.sh
@@ -1,51 +0,0 @@
-REPO_ROOT=$(git rev-parse --show-toplevel)
-(cd $REPO_ROOT && go install ./utils/cmd/...)
-
-function cleanup() {
-  pkill -P $$
-
-  if [ -f "docker-compose.yaml" ]; then
-    docker compose down -t 1 || :
-    docker compose rm -f || :
-  fi
-}
-
-trap cleanup EXIT SIGINT
-
-function build_anubis_ko() {
-  (
-    cd $REPO_ROOT && npm ci && npm run assets
-  )
-  (
-    cd $REPO_ROOT &&
-      VERSION=devel ko build \
-        --platform=all \
-        --base-import-paths \
-        --tags="latest" \
-        --image-user=1000 \
-        --image-annotation="" \
-        --image-label="" \
-        ./cmd/anubis \
-        --local
-  )
-}
-
-function mint_cert() {
-  if [ "$#" -ne 1 ]; then
-    echo "Usage: mint_cert <domain.name>"
-  fi
-
-  domainName="$1"
-
-  # If the transient local TLS certificate doesn't exist, mint a new one
-  if [ ! -f "${REPO_ROOT}/test/pki/${domainName}/cert.pem" ]; then
-    # Subshell to contain the directory change
-    (
-      cd ${REPO_ROOT}/test/pki &&
-        mkdir -p "${domainName}" &&
-        go tool minica -domains "${domainName}" &&
-        cd "${domainName}" &&
-        chmod 666 *
-    )
-  fi
-}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .21.3
 .21.1