fix(docs): use node:lts

Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-05 16:28:17 +00:00 · 2025-11-13 22:08:00 -05:00
42 changed files with 341 additions and 474 deletions
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -8,4 +8,3 @@ msgbox
 xeact
 ABee
 tencent
-maintnotifications
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@@ -83,7 +83,7 @@ var (
 	versionFlag              = flag.Bool("version", false, "print Anubis version")
 	publicUrl                = flag.String("public-url", "", "the externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for forwardAuth).")
 	xffStripPrivate          = flag.Bool("xff-strip-private", true, "if set, strip private addresses from X-Forwarded-For")
-	customRealIPHeader       = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")
+	customRealIPHeader      = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")

 	thothInsecure        = flag.Bool("thoth-insecure", false, "if set, connect to Thoth over plain HTTP/2, don't enable this unless support told you to")
 	thothURL             = flag.String("thoth-url", "", "if set, URL for Thoth, the IP reputation database for Anubis")
@@ -145,19 +145,19 @@ func parseBindNetFromAddr(address string) (string, string) {
 	return "", address
 }

-func parseSameSite(s string) http.SameSite {
-	switch strings.ToLower(s) {
-	case "none":
-		return http.SameSiteNoneMode
-	case "lax":
-		return http.SameSiteLaxMode
-	case "strict":
-		return http.SameSiteStrictMode
+func parseSameSite(s string) (http.SameSite) {
+    switch strings.ToLower(s) {
+    case "none":
+        return http.SameSiteNoneMode
+    case "lax":
+        return http.SameSiteLaxMode
+    case "strict":
+        return http.SameSiteStrictMode
 	case "default":
 		return http.SameSiteDefaultMode
-	default:
-		log.Fatalf("invalid cookie same-site mode: %s, valid values are None, Lax, Strict, and Default", s)
-	}
+    default:
+        log.Fatalf("invalid cookie same-site mode: %s, valid values are None, Lax, Strict, and Default", s)
+    }
 	return http.SameSiteDefaultMode
 }

--- a/cmd/robots2policy/robots2policy_test.go
+++ b/cmd/robots2policy/robots2policy_test.go
@@ -22,9 +22,9 @@ type TestCase struct {
 type TestOptions struct {
 	format           string
 	action           string
+	crawlDelayWeight int
 	policyName       string
 	deniedAction     string
-	crawlDelayWeight int
 }

 func TestDataFileConversion(t *testing.T) {
--- a/decaymap/decaymap.go
+++ b/decaymap/decaymap.go
@@ -13,13 +13,13 @@ func Zilch[T any]() T {
 // Impl is a lazy key->value map. It's a wrapper around a map and a mutex. If values exceed their time-to-live, they are pruned at Get time.
 type Impl[K comparable, V any] struct {
 	data map[K]decayMapEntry[V]
+	lock sync.RWMutex

 	// deleteCh receives decay-deletion requests from readers.
 	deleteCh chan deleteReq[K]
 	// stopCh stops the background cleanup worker.
 	stopCh chan struct{}
 	wg     sync.WaitGroup
-	lock   sync.RWMutex
 }

 type decayMapEntry[V any] struct {
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -13,14 +13,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 <!-- This changes the project to: -->

- Fix panic when validating challenges after privacy-mode browsers strip headers and the follow-up request matches an `ALLOW` threshold.
- Expose WEIGHT rule matches as Prometheus metrics.
 - Allow more OCI registry clients [based on feedback](https://github.com/TecharoHQ/anubis/pull/1253#issuecomment-3506744184).
 - Expose services directory in the embedded `(data)` filesystem.
- Add Ukrainian locale ([#1044](https://github.com/TecharoHQ/anubis/pull/1044)).
- Allow Renovate as an OCI registry client.
- Properly handle 4in6 addresses so that IP matching works with those addresses.
- Add support to simple Valkey/Redis cluster mode
+- Add Ukrainian locale ([#1044](https://github.com/TecharoHQ/anubis/pull/1044))
+- Allow Renovate as an OCI registry client

 ## v1.23.1: Lyse Hext - Echo 1

--- a/docs/docs/admin/environments/nginx.mdx
+++ b/docs/docs/admin/environments/nginx.mdx
@@ -55,9 +55,8 @@ server {
 # proxy all traffic to the target via Anubis.
 server {
  # Listen on TCP port 443 with TLS (https) and HTTP/2
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  http2 on;
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;

  location / {
    proxy_set_header Host $host;
@@ -114,9 +113,8 @@ Then in a server block:

 server {
  # Listen on 443 with SSL
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  http2 on;
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;

  # Slipstream via Anubis
  include "conf-anubis.inc";
--- a/go.mod
+++ b/go.mod
@@ -5,9 +5,9 @@ go 1.24.2
 require (
 	github.com/TecharoHQ/thoth-proto v0.5.0
 	github.com/a-h/templ v0.3.960
-	github.com/aws/aws-sdk-go-v2 v1.39.6
-	github.com/aws/aws-sdk-go-v2/config v1.31.20
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.90.2
+	github.com/aws/aws-sdk-go-v2 v1.39.5
+	github.com/aws/aws-sdk-go-v2/config v1.31.16
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.89.1
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/facebookgo/flagenv v0.0.0-20160425205200-fcd59fca7456
 	github.com/gaissmai/bart v0.26.0
@@ -15,9 +15,9 @@ require (
 	github.com/google/cel-go v0.26.1
 	github.com/google/uuid v1.6.0
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0
-	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3
+	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2
 	github.com/joho/godotenv v1.5.1
-	github.com/lum8rjack/go-ja4h v0.0.0-20250828030157-fa5266d50650
+	github.com/lum8rjack/go-ja4h v0.0.0-20250606032308-3a989c6635be
 	github.com/nicksnyder/go-i18n/v2 v2.6.0
 	github.com/playwright-community/playwright-go v0.5200.1
 	github.com/prometheus/client_golang v1.23.2
@@ -26,18 +26,18 @@ require (
 	github.com/shirou/gopsutil/v4 v4.25.10
 	github.com/testcontainers/testcontainers-go v0.39.0
 	go.etcd.io/bbolt v1.4.3
-	golang.org/x/net v0.47.0
-	golang.org/x/text v0.31.0
+	golang.org/x/net v0.43.0
+	golang.org/x/text v0.28.0
 	google.golang.org/grpc v1.76.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/apimachinery v0.34.2
+	k8s.io/apimachinery v0.34.1
 	sigs.k8s.io/yaml v1.6.0
 )

 require (
 	al.essio.dev/pkg/shellescape v1.6.0 // indirect
-	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1 // indirect
-	cel.dev/expr v0.25.1 // indirect
+	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250717185734-6c6e0d3c608e.1 // indirect
+	cel.dev/expr v0.24.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/AlekSi/pointer v1.2.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
@@ -52,21 +52,21 @@ require (
 	github.com/a-h/parse v0.0.0-20250122154542-74294addb73e // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.24 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.20 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.12 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.12 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.12 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.40.2 // indirect
-	github.com/aws/smithy-go v1.23.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.39.0 // indirect
+	github.com/aws/smithy-go v1.23.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
 	github.com/cavaliergopher/cpio v1.0.1 // indirect
@@ -91,7 +91,7 @@ require (
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dop251/goja v0.0.0-20250630131328-58d95d85e994 // indirect
-	github.com/ebitengine/purego v0.9.1 // indirect
+	github.com/ebitengine/purego v0.9.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 // indirect
 	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
@@ -148,8 +148,8 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.2 // indirect
-	github.com/prometheus/procfs v0.19.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
@@ -177,26 +177,26 @@ require (
 	go.opentelemetry.io/otel/metric v1.37.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.44.0 // indirect
-	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20250718183923-645b1fa84792 // indirect
-	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/oauth2 v0.32.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/telemetry v0.0.0-20251111182119-bc8e575c7b54 // indirect
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/tools v0.39.0 // indirect
+	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/telemetry v0.0.0-20250721140356-96f361d9aaf7 // indirect
+	golang.org/x/term v0.34.0 // indirect
+	golang.org/x/tools v0.35.0 // indirect
 	golang.org/x/vuln v1.1.4 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba // indirect
-	google.golang.org/protobuf v1.36.10 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	honnef.co/go/tools v0.6.1 // indirect
 	mvdan.cc/sh/v3 v3.12.0 // indirect
-	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 )

 tool (
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,9 @@
 al.essio.dev/pkg/shellescape v1.6.0 h1:NxFcEqzFSEVCGN2yq7Huv/9hyCEGVa/TncnOOBBeXHA=
 al.essio.dev/pkg/shellescape v1.6.0/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
-buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1 h1:31on4W/yPcV4nZHL4+UCiCvLPsMqe/vJcNg8Rci0scc=
-buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1/go.mod h1:fUl8CEN/6ZAMk6bP8ahBJPUJw7rbp+j4x+wCcYi2IG4=
-cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
-cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250717185734-6c6e0d3c608e.1 h1:Lg6klmCi3v7VvpqeeLEER9/m5S8y9e9DjhqQnSCNy4k=
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250717185734-6c6e0d3c608e.1/go.mod h1:avRlCjnFzl98VPaeCtJ24RrV/wwHFzB8sWXhj26+n/U=
+cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
+cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
@@ -51,42 +51,42 @@ github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYW
 github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/aws/aws-sdk-go-v2 v1.39.6 h1:2JrPCVgWJm7bm83BDwY5z8ietmeJUbh3O2ACnn+Xsqk=
-github.com/aws/aws-sdk-go-v2 v1.39.6/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 h1:DHctwEM8P8iTXFxC/QK0MRjwEpWQeM9yzidCRjldUz0=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3/go.mod h1:xdCzcZEtnSTKVDOmUZs4l/j3pSV6rpo1WXl5ugNsL8Y=
-github.com/aws/aws-sdk-go-v2/config v1.31.20 h1:/jWF4Wu90EhKCgjTdy1DGxcbcbNrjfBHvksEL79tfQc=
-github.com/aws/aws-sdk-go-v2/config v1.31.20/go.mod h1:95Hh1Tc5VYKL9NJ7tAkDcqeKt+MCXQB1hQZaRdJIZE0=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.24 h1:iJ2FmPT35EaIB0+kMa6TnQ+PwG5A1prEdAw+PsMzfHg=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.24/go.mod h1:U91+DrfjAiXPDEGYhh/x29o4p0qHX5HDqG7y5VViv64=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 h1:T1brd5dR3/fzNFAQch/iBKeX07/ffu/cLu+q+RuzEWk=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13/go.mod h1:Peg/GBAQ6JDt+RoBf4meB1wylmAipb7Kg2ZFakZTlwk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 h1:a+8/MLcWlIxo1lF9xaGt3J/u3yOZx+CdSveSNwjhD40=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13/go.mod h1:oGnKwIYZ4XttyU2JWxFrwvhF6YKiK/9/wmE3v3Iu9K8=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 h1:HBSI2kDkMdWz4ZM7FjwE7e/pWDEZ+nR95x8Ztet1ooY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13/go.mod h1:YE94ZoDArI7awZqJzBAZ3PDD2zSfuP7w6P2knOzIn8M=
+github.com/aws/aws-sdk-go-v2 v1.39.5 h1:e/SXuia3rkFtapghJROrydtQpfQaaUgd1cUvyO1mp2w=
+github.com/aws/aws-sdk-go-v2 v1.39.5/go.mod h1:yWSxrnioGUZ4WVv9TgMrNUeLV3PFESn/v+6T/Su8gnM=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2 h1:t9yYsydLYNBk9cJ73rgPhPWqOh/52fcWDQB5b1JsKSY=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2/go.mod h1:IusfVNTmiSN3t4rhxWFaBAqn+mcNdwKtPcV16eYdgko=
+github.com/aws/aws-sdk-go-v2/config v1.31.16 h1:E4Tz+tJiPc7kGnXwIfCyUj6xHJNpENlY11oKpRTgsjc=
+github.com/aws/aws-sdk-go-v2/config v1.31.16/go.mod h1:2S9hBElpCyGMifv14WxQ7EfPumgoeCPZUpuPX8VtW34=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.20 h1:KFndAnHd9NUuzikHjQ8D5CfFVO+bgELkmcGY8yAw98Q=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.20/go.mod h1:9mCi28a+fmBHSQ0UM79omkz6JtN+PEsvLrnG36uoUv0=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.12 h1:VO3FIM2TDbm0kqp6sFNR0PbioXJb/HzCDW6NtIZpIWE=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.12/go.mod h1:6C39gB8kg82tx3r72muZSrNhHia9rjGkX7ORaS2GKNE=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.12 h1:p/9flfXdoAnwJnuW9xHEAFY22R3A6skYkW19JFF9F+8=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.12/go.mod h1:ZTLHakoVCTtW8AaLGSwJ3LXqHD9uQKnOcv1TrpO6u2k=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.12 h1:2lTWFvRcnWFFLzHWmtddu5MTchc5Oj2OOey++99tPZ0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.12/go.mod h1:hI92pK+ho8HVcWMHKHrK3Uml4pfG7wvL86FzO0LVtQQ=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 h1:eg/WYAa12vqTphzIdWMzqYRVKKnCboVPRlvaybNCqPA=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13/go.mod h1:/FDdxWhz1486obGrKKC1HONd7krpk38LBt+dutLcN9k=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 h1:NvMjwvv8hpGUILarKw7Z4Q0w1H9anXKsesMxtw++MA4=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4/go.mod h1:455WPHSwaGj2waRSpQp7TsnpOnBfw8iDfPfbwl7KPJE=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 h1:zhBJXdhWIFZ1acfDYIhu4+LCzdUS2Vbcum7D01dXlHQ=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13/go.mod h1:JaaOeCE368qn2Hzi3sEzY6FgAZVCIYcC2nwbro2QCh8=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.90.2 h1:DhdbtDl4FdNlj31+xiRXANxEE+eC7n8JQz+/ilwQ8Uc=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.90.2/go.mod h1:+wArOOrcHUevqdto9k1tKOF5++YTe9JEcPSc9Tx2ZSw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.3 h1:NjShtS1t8r5LUfFVtFeI8xLAHQNTa7UI0VawXlrBMFQ=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.3/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7 h1:gTsnx0xXNQ6SBbymoDvcoRHL+q4l/dAFsQuKfDWSaGc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.40.2 h1:HK5ON3KmQV2HcAunnx4sKLB9aPf3gKGwVAf7xnx0QT0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.40.2/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
-github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
-github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.12 h1:itu4KHu8JK/N6NcLIISlf3LL1LccMqruLUXZ9y7yBZw=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.12/go.mod h1:i+6vTU3xziikTY3vcox23X8pPGW5X3wVgd1VZ7ha+x8=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 h1:xtuxji5CS0JknaXoACOunXOYOQzgfTvGAc9s2QdCJA4=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2/go.mod h1:zxwi0DIR0rcRcgdbl7E2MSOvxDyyXGBlScvBkARFaLQ=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.3 h1:NEe7FaViguRQEm8zl8Ay/kC/QRsMtWUiCGZajQIsLdc=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.3/go.mod h1:JLuCKu5VfiLBBBl/5IzZILU7rxS0koQpHzMOCzycOJU=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.12 h1:MM8imH7NZ0ovIVX7D2RxfMDv7Jt9OiUXkcQ+GqywA7M=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.12/go.mod h1:gf4OGwdNkbEsb7elw2Sy76odfhwNktWII3WgvQgQQ6w=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.12 h1:R3uW0iKl8rgNEXNjVGliW/oMEh9fO/LlUEV8RvIFr1I=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.12/go.mod h1:XEttbEr5yqsw8ebi7vlDoGJJjMXRez4/s9pibpJyL5s=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.89.1 h1:Dq82AV+Qxpno/fG162eAhnD8d48t9S+GZCfz7yv1VeA=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.89.1/go.mod h1:MbKLznDKpf7PnSonNRUVYZzfP0CeLkRIUexeblgKcU4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.0 h1:xHXvxst78wBpJFgDW07xllOx0IAzbryrSdM4nMVQ4Dw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.0/go.mod h1:/e8m+AO6HNPPqMyfKRtzZ9+mBF5/x1Wk8QiDva4m07I=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.4 h1:tBw2Qhf0kj4ZwtsVpDiVRU3zKLvjvjgIjHMKirxXg8M=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.4/go.mod h1:Deq4B7sRM6Awq/xyOBlxBdgW8/Z926KYNNaGMW2lrkA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.39.0 h1:C+BRMnasSYFcgDw8o9H5hzehKzXyAb9GY5v/8bP9DUY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.39.0/go.mod h1:4EjU+4mIx6+JqKQkruye+CaigV7alL3thVPfDd9VlMs=
+github.com/aws/smithy-go v1.23.1 h1:sLvcH6dfAFwGkHLZ7dGiYF7aK6mg4CgKA/iDKjLDt9M=
+github.com/aws/smithy-go v1.23.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb h1:m935MPodAbYS46DG4pJSv7WO+VECIWUQ7OJYSoTrMh4=
@@ -149,8 +149,8 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dop251/goja v0.0.0-20250630131328-58d95d85e994 h1:aQYWswi+hRL2zJqGacdCZx32XjKYV8ApXFGntw79XAM=
 github.com/dop251/goja v0.0.0-20250630131328-58d95d85e994/go.mod h1:MxLav0peU43GgvwVgNbLAj1s/bSGboKkhuULvq/7hx4=
-github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
-github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.9.0 h1:mh0zpKBIXDceC63hpvPuGLiJ8ZAa3DfrFTudmfi8A4k=
+github.com/ebitengine/purego v0.9.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
@@ -243,8 +243,8 @@ github.com/goreleaser/nfpm/v2 v2.43.0 h1:o5oureuZkhu55RK0M9WSN8JLW7hu6MymtMh7Lyp
 github.com/goreleaser/nfpm/v2 v2.43.0/go.mod h1:f//PE8PjNHjaPCbd7Jkok+aPKdLTrzM+fuIWg3PfVRg=
 github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0 h1:QGLs/O40yoNK9vmy4rhUGBVyMf1lISBGtXRpsu/Qu/o=
 github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.1.0/go.mod h1:hM2alZsMUni80N33RBe6J0e423LB+odMj7d3EMP9l20=
-github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 h1:B+8ClL/kCQkRiU82d9xajRPKYMrB7E0MbtzWVi1K4ns=
-github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3/go.mod h1:NbCUVmiS4foBGBHOYlCT25+YmGpJ32dZPi75pGEUpj4=
+github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 h1:sGm2vDRFUrQJO/Veii4h4zG2vvqG6uWNkBHSTqXOZk0=
+github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2/go.mod h1:wd1YpapPLivG6nQgbf7ZkG1hhSOXDhhn4MLTknx2aAc=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
@@ -278,8 +278,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 h1:PpXWgLPs+Fqr325bN2FD2ISlRRztXibcX6e8f5FR5Dc=
 github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35/go.mod h1:autxFIvghDt3jPTLoqZ9OZ7s9qTGNAWmYCjVFWPX/zg=
-github.com/lum8rjack/go-ja4h v0.0.0-20250828030157-fa5266d50650 h1:hhx/Mo6+Hk0mAQS5MW311ON1VlSzp0D1cYhY27IcmnI=
-github.com/lum8rjack/go-ja4h v0.0.0-20250828030157-fa5266d50650/go.mod h1:bMqyXOakqQIdx82d4vcnk5TIZLptZ2gLqju9xmPrWYA=
+github.com/lum8rjack/go-ja4h v0.0.0-20250606032308-3a989c6635be h1:dVIND0nXGXPQnFZYrMXT6CxHhBYhTPMm0GFqcmfaIC4=
+github.com/lum8rjack/go-ja4h v0.0.0-20250606032308-3a989c6635be/go.mod h1:q68TUR45WDa2r3yU4aO6WgxfCc0Vj1qtRaKaRE3yMLM=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE=
@@ -339,10 +339,10 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.67.2 h1:PcBAckGFTIHt2+L3I33uNRTlKTplNzFctXcWhPyAEN8=
-github.com/prometheus/common v0.67.2/go.mod h1:63W3KZb1JOKgcjlIr64WW/LvFGAqKPj0atm+knVGEko=
-github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
-github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
+github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
 github.com/redis/go-redis/v9 v9.16.0 h1:OotgqgLSRCmzfqChbQyG1PHC3tLNR89DG4jdOERSEP4=
 github.com/redis/go-redis/v9 v9.16.0/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
@@ -442,8 +442,8 @@ go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz
 go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
-go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -452,18 +452,18 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
-golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
-golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
 golang.org/x/exp/typeparams v0.0.0-20250718183923-645b1fa84792 h1:54/e+WfmhvjR2Zuz8Q7dzLGxIBM+s5WZpvo1QfVDGB8=
 golang.org/x/exp/typeparams v0.0.0-20250718183923-645b1fa84792/go.mod h1:LKZHyeOpPuZcMgxeHjJp4p5yvxrCX1xDvH10zYHhjjQ=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
-golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -473,17 +473,17 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
-golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -503,17 +503,17 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/telemetry v0.0.0-20251111182119-bc8e575c7b54 h1:E2/AqCUMZGgd73TQkxUMcMla25GB9i/5HOdLr+uH7Vo=
-golang.org/x/telemetry v0.0.0-20251111182119-bc8e575c7b54/go.mod h1:hKdjCMrbv9skySur+Nek8Hd0uJ0GuxJIoIX2payrIdQ=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20250721140356-96f361d9aaf7 h1:Z53b3vgJH20Us6ljHm4MNVLnJzJEjD3KrU+sNcT4vfs=
+golang.org/x/telemetry v0.0.0-20250721140356-96f361d9aaf7/go.mod h1:4ZwOYna0/zsOKwuR5X/m0QFOJpSZvAxFfkQT+Erd9D4=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -521,8 +521,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -531,10 +531,10 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
-golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
-golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
-golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=
+golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
@@ -545,14 +545,14 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba h1:B14OtaXuMaCQsl2deSvNkyPKIzq3BjfxQp8d00QyWx4=
-google.golang.org/genproto/googleapis/api v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:G5IanEx8/PgI9w6CFcYQf7jMtHQhZruvfM1i3qOqk5U=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba h1:UKgtfRM7Yh93Sya0Fo8ZzhDP4qBckrrxEr2oF5UIVb8=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251111163417-95abcf5c77ba/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b h1:ULiyYQ0FdsJhwwZUwbaXpZF5yUE3h+RA+gxvBu37ucc=
+google.golang.org/genproto/googleapis/api v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:oDOGiMSXHL4sDTJvFvIB9nRQCGdLP1o/iVaqQK8zB+M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b h1:zPKJod4w6F1+nRGDI9ubnXYhU9NSWoFAijkHkUXeTK8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250804133106-a7a43d27e69b/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
 google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -569,15 +569,15 @@ gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 honnef.co/go/tools v0.6.1 h1:R094WgE8K4JirYjBaOpz/AvTyUu/3wbmAoskKN/pxTI=
 honnef.co/go/tools v0.6.1/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=
-k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4=
-k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
+k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
+k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
 mvdan.cc/sh/v3 v3.12.0 h1:ejKUR7ONP5bb+UGHGEG/k9V5+pRVIyD+LsZz7o8KHrI=
 mvdan.cc/sh/v3 v3.12.0/go.mod h1:Se6Cj17eYSn+sNooLZiEUnNNmNxg0imoYlTu4CyaGyg=
 pault.ag/go/debian v0.18.0 h1:nr0iiyOU5QlG1VPnhZLNhnCcHx58kukvBJp+dvaM6CQ=
 pault.ag/go/debian v0.18.0/go.mod h1:JFl0XWRCv9hWBrB5MDDZjA5GSEs1X3zcFK/9kCNIUmE=
 pault.ag/go/topsort v0.1.1 h1:L0QnhUly6LmTv0e3DEzbN2q6/FGgAcQvaEw65S53Bg4=
 pault.ag/go/topsort v0.1.1/go.mod h1:r1kc/L0/FZ3HhjezBIPaNVhkqv8L0UJ9bxRuHRVZ0q4=
-sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
-sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
--- a/internal/headers.go
+++ b/internal/headers.go
@@ -87,7 +87,7 @@ func XForwardedForToXRealIP(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if xffHeader := r.Header.Get("X-Forwarded-For"); r.Header.Get("X-Real-Ip") == "" && xffHeader != "" {
 			ip := xff.Parse(xffHeader)
-			slog.Debug("setting X-Real-Ip from X-Forwarded-For", "to", ip, "x-forwarded-for", xffHeader)
+			slog.Debug("setting x-real-ip", "val", ip)
 			r.Header.Set("X-Real-Ip", ip)
 		}

@@ -129,8 +129,6 @@ func XForwardedForUpdate(stripPrivate bool, next http.Handler) http.Handler {
 		} else {
 			r.Header.Set("X-Forwarded-For", xffHeaderString)
 		}
-
-		slog.Debug("updating X-Forwarded-For", "original", origXFFHeader, "new", xffHeaderString)
 	})
 }

--- a/internal/ogtags/ogtags.go
+++ b/internal/ogtags/ogtags.go
@@ -22,10 +22,9 @@ const (
 )

 type OGTagCache struct {
-	targetURL  *url.URL
-	client     *http.Client
-	ogOverride map[string]string
-	cache      store.JSON[map[string]string]
+	cache     store.JSON[map[string]string]
+	targetURL *url.URL
+	client    *http.Client

 	// Pre-built strings for optimization
 	unixPrefix          string // "http://unix"
@@ -34,6 +33,7 @@ type OGTagCache struct {
 	ogTimeToLive        time.Duration
 	ogCacheConsiderHost bool
 	ogPassthrough       bool
+	ogOverride          map[string]string
 }

 func NewOGTagCache(target string, conf config.OpenGraph, backend store.Interface) *OGTagCache {
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -68,14 +68,14 @@ var (

 type Server struct {
 	next        http.Handler
-	store       store.Interface
 	mux         *http.ServeMux
 	policy      *policy.ParsedConfig
 	OGTags      *ogtags.OGTagCache
-	logger      *slog.Logger
-	opts        Options
 	ed25519Priv ed25519.PrivateKey
 	hs512Secret []byte
+	opts        Options
+	store       store.Interface
+	logger      *slog.Logger
 }

 func (s *Server) getTokenKeyfunc() jwt.Keyfunc {
@@ -117,12 +117,10 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	}

 	chall := challenge.Challenge{
-		ID:             id.String(),
-		Method:         rule.Challenge.Algorithm,
-		RandomData:     fmt.Sprintf("%x", randomData),
-		IssuedAt:       time.Now(),
-		Difficulty:     rule.Challenge.Difficulty,
-		PolicyRuleHash: rule.Hash(),
+		ID:         id.String(),
+		Method:     rule.Challenge.Algorithm,
+		RandomData: fmt.Sprintf("%x", randomData),
+		IssuedAt:   time.Now(),
 		Metadata: map[string]string{
 			"User-Agent": r.Header.Get("User-Agent"),
 			"X-Real-Ip":  r.Header.Get("X-Real-Ip"),
@@ -139,44 +137,6 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	return &chall, err
 }

-func (s *Server) hydrateChallengeRule(rule *policy.Bot, chall *challenge.Challenge, lg *slog.Logger) *policy.Bot {
-	if chall == nil {
-		return rule
-	}
-
-	if rule == nil {
-		rule = &policy.Bot{
-			Rules: &checker.List{},
-		}
-	}
-
-	if chall.Difficulty == 0 {
-		// fall back to whatever the policy currently says or the global default
-		if rule.Challenge != nil && rule.Challenge.Difficulty != 0 {
-			chall.Difficulty = rule.Challenge.Difficulty
-		} else {
-			chall.Difficulty = s.policy.DefaultDifficulty
-		}
-	}
-
-	if rule.Challenge == nil {
-		lg.Warn("rule missing challenge configuration; using stored challenge metadata", "rule", rule.Name)
-		rule.Challenge = &config.ChallengeRules{}
-	}
-
-	if rule.Challenge.Difficulty == 0 {
-		rule.Challenge.Difficulty = chall.Difficulty
-	}
-	if rule.Challenge.ReportAs == 0 {
-		rule.Challenge.ReportAs = chall.Difficulty
-	}
-	if rule.Challenge.Algorithm == "" {
-		rule.Challenge.Algorithm = chall.Method
-	}
-
-	return rule
-}
-
 func (s *Server) maybeReverseProxyHttpStatusOnly(w http.ResponseWriter, r *http.Request) {
 	s.maybeReverseProxy(w, r, true)
 }
@@ -501,8 +461,6 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	rule = s.hydrateChallengeRule(rule, chall, lg)
-
 	impl, ok := challenge.Get(chall.Method)
 	if !ok {
 		lg.Error("check failed", "err", err)
@@ -618,7 +576,6 @@ func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *p
 				return cr("bot/"+b.Name, b.Action, weight), &b, nil
 			case config.RuleWeigh:
 				lg.Debug("adjusting weight", "name", b.Name, "delta", b.Weight.Adjust)
-				policy.Applications.WithLabelValues("bot/"+b.Name, "WEIGH").Add(1)
 				weight += b.Weight.Adjust
 			}
 		}
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -2,7 +2,6 @@ package lib

 import (
 	"bytes"
-	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -19,10 +18,8 @@ import (
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
-	"github.com/TecharoHQ/anubis/lib/store"
 	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
 )

@@ -154,8 +151,8 @@ func handleChallengeZeroDifficulty(t *testing.T, ts *httptest.Server, cli *http.

 type loggingCookieJar struct {
 	t       *testing.T
-	cookies map[string][]*http.Cookie
 	lock    sync.Mutex
+	cookies map[string][]*http.Cookie
 }

 func (lcj *loggingCookieJar) Cookies(u *url.URL) []*http.Cookie {
@@ -747,9 +744,9 @@ func TestStripBasePrefixFromRequest(t *testing.T) {
 	testCases := []struct {
 		name            string
 		basePrefix      string
+		stripBasePrefix bool
 		requestPath     string
 		expectedPath    string
-		stripBasePrefix bool
 	}{
 		{
 			name:            "strip disabled - no change",
@@ -1030,59 +1027,6 @@ func TestPassChallengeXSS(t *testing.T) {
 	})
 }

-func TestPassChallengeNilRuleChallengeFallback(t *testing.T) {
-	pol := loadPolicies(t, "testdata/zero_difficulty.yaml", 0)
-
-	srv := spawnAnubis(t, Options{
-		Next:   http.NewServeMux(),
-		Policy: pol,
-	})
-
-	allowThreshold, err := policy.ParsedThresholdFromConfig(config.Threshold{
-		Name: "allow-all",
-		Expression: &config.ExpressionOrList{
-			Expression: "true",
-		},
-		Action: config.RuleAllow,
-	})
-	if err != nil {
-		t.Fatalf("can't compile test threshold: %v", err)
-	}
-	srv.policy.Thresholds = []*policy.Threshold{allowThreshold}
-	srv.policy.Bots = nil
-
-	chall := challenge.Challenge{
-		ID:         "test-challenge",
-		Method:     "metarefresh",
-		RandomData: "apple cider",
-		IssuedAt:   time.Now().Add(-5 * time.Second),
-		Difficulty: 1,
-	}
-
-	j := store.JSON[challenge.Challenge]{Underlying: srv.store}
-	if err := j.Set(context.Background(), "challenge:"+chall.ID, chall, time.Minute); err != nil {
-		t.Fatalf("can't insert challenge into store: %v", err)
-	}
-
-	req := httptest.NewRequest(http.MethodGet, "https://example.com"+anubis.APIPrefix+"pass-challenge", nil)
-	q := req.URL.Query()
-	q.Set("redir", "/")
-	q.Set("id", chall.ID)
-	q.Set("challenge", chall.RandomData)
-	req.URL.RawQuery = q.Encode()
-	req.Header.Set("X-Real-Ip", "203.0.113.4")
-	req.Header.Set("User-Agent", "NilChallengeTester/1.0")
-	req.AddCookie(&http.Cookie{Name: anubis.TestCookieName, Value: chall.ID})
-
-	rr := httptest.NewRecorder()
-
-	srv.PassChallenge(rr, req)
-
-	if rr.Code != http.StatusFound {
-		t.Fatalf("expected redirect when validating challenge, got %d", rr.Code)
-	}
-}
-
 func TestXForwardedForNoDoubleComma(t *testing.T) {
 	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
--- a/lib/challenge/challenge.go
+++ b/lib/challenge/challenge.go
@@ -4,12 +4,10 @@ import "time"

 // Challenge is the metadata about a single challenge issuance.
 type Challenge struct {
-	IssuedAt       time.Time         `json:"issuedAt"`
-	Metadata       map[string]string `json:"metadata"`
-	ID             string            `json:"id"`
-	Method         string            `json:"method"`
-	RandomData     string            `json:"randomData"`
-	PolicyRuleHash string            `json:"policyRuleHash,omitempty"`
-	Difficulty     int               `json:"difficulty,omitempty"`
-	Spent          bool              `json:"spent"`
+	ID         string            `json:"id"`         // UUID identifying the challenge
+	Method     string            `json:"method"`     // Challenge method
+	RandomData string            `json:"randomData"` // The random data the client processes
+	IssuedAt   time.Time         `json:"issuedAt"`   // When the challenge was issued
+	Metadata   map[string]string `json:"metadata"`   // Challenge metadata such as IP address and user agent
+	Spent      bool              `json:"spent"`      // Has the challenge already been solved?
 }
--- a/lib/challenge/challengetest/challengetest.go
+++ b/lib/challenge/challengetest/challengetest.go
@@ -4,7 +4,6 @@ import (
 	"testing"
 	"time"

-	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/internal"
 	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/google/uuid"
@@ -20,6 +19,5 @@ func New(t *testing.T) *challenge.Challenge {
 		ID:         id.String(),
 		RandomData: randomData,
 		IssuedAt:   time.Now(),
-		Difficulty: anubis.DefaultDifficulty,
 	}
 }
--- a/lib/config.go
+++ b/lib/config.go
@@ -29,24 +29,24 @@ import (
 type Options struct {
 	Next                 http.Handler
 	Policy               *policy.ParsedConfig
-	Logger               *slog.Logger
-	OpenGraph            config.OpenGraph
-	PublicUrl            string
+	Target               string
+	CookieDynamicDomain  bool
 	CookieDomain         string
-	JWTRestrictionHeader string
+	CookieExpiration     time.Duration
+	CookiePartitioned    bool
 	BasePrefix           string
 	WebmasterEmail       string
-	Target               string
 	RedirectDomains      []string
 	ED25519PrivateKey    ed25519.PrivateKey
 	HS512Secret          []byte
-	CookieExpiration     time.Duration
-	CookieSameSite       http.SameSite
+	StripBasePrefix      bool
+	OpenGraph            config.OpenGraph
 	ServeRobotsTXT       bool
 	CookieSecure         bool
-	StripBasePrefix      bool
-	CookiePartitioned    bool
-	CookieDynamicDomain  bool
+	CookieSameSite       http.SameSite
+	Logger               *slog.Logger
+	PublicUrl            string
+	JWTRestrictionHeader string
 	DifficultyInJWT      bool
 }

--- a/lib/http_test.go
+++ b/lib/http_test.go
@@ -13,9 +13,9 @@ import (
 func TestSetCookie(t *testing.T) {
 	for _, tt := range []struct {
 		name       string
+		options    Options
 		host       string
 		cookieName string
-		options    Options
 	}{
 		{
 			name:       "basic",
--- a/lib/localization/localization_test.go
+++ b/lib/localization/localization_test.go
@@ -31,7 +31,7 @@ func TestLocalizationService(t *testing.T) {
 		"vi":    "Đang nạp...",
 		"zh-CN": "加载中...",
 		"zh-TW": "載入中...",
-		"sv":    "Laddar...",
+		"sv" : "Laddar...",
 	}

 	var keys []string
--- a/lib/policy/checker.go
+++ b/lib/policy/checker.go
@@ -51,11 +51,6 @@ func (rac *RemoteAddrChecker) Check(r *http.Request) (bool, error) {
 		return false, fmt.Errorf("%w: %s is not an IP address: %w", ErrMisconfiguration, host, err)
 	}

-	// Convert IPv4-mapped IPv6 addresses to IPv4
-	if addr.Is6() && addr.Is4In6() {
-		addr = addr.Unmap()
-	}
-
 	return rac.prefixTable.Contains(addr), nil
 }

--- a/lib/policy/checker_test.go
+++ b/lib/policy/checker_test.go
@@ -21,20 +21,6 @@ func TestRemoteAddrChecker(t *testing.T) {
 			ok:    true,
 			err:   nil,
 		},
-		{
-			name:  "match_ipv4_in_ipv6",
-			cidrs: []string{"0.0.0.0/0"},
-			ip:    "::ffff:1.1.1.1",
-			ok:    true,
-			err:   nil,
-		},
-		{
-			name:  "match_ipv4_in_ipv6_hex",
-			cidrs: []string{"0.0.0.0/0"},
-			ip:    "::ffff:101:101",
-			ok:    true,
-			err:   nil,
-		},
 		{
 			name:  "match_ipv6",
 			cidrs: []string{"::/0"},
--- a/lib/policy/config/asn_test.go
+++ b/lib/policy/config/asn_test.go
@@ -8,9 +8,9 @@ import (

 func TestASNsValid(t *testing.T) {
 	for _, tt := range []struct {
-		err   error
-		input *ASNs
 		name  string
+		input *ASNs
+		err   error
 	}{
 		{
 			name: "basic valid",
--- a/lib/policy/config/config.go
+++ b/lib/policy/config/config.go
@@ -62,11 +62,13 @@ type BotConfig struct {
 	Expression     *ExpressionOrList `json:"expression,omitempty" yaml:"expression,omitempty"`
 	Challenge      *ChallengeRules   `json:"challenge,omitempty" yaml:"challenge,omitempty"`
 	Weight         *Weight           `json:"weight,omitempty" yaml:"weight,omitempty"`
-	GeoIP          *GeoIP            `json:"geoip,omitempty"`
-	ASNs           *ASNs             `json:"asns,omitempty"`
 	Name           string            `json:"name" yaml:"name"`
 	Action         Rule              `json:"action" yaml:"action"`
 	RemoteAddr     []string          `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`
+
+	// Thoth features
+	GeoIP *GeoIP `json:"geoip,omitempty"`
+	ASNs  *ASNs  `json:"asns,omitempty"`
 }

 func (b BotConfig) Zero() bool {
@@ -322,13 +324,13 @@ func (sc StatusCodes) Valid() error {
 }

 type fileConfig struct {
+	Bots        []BotOrImport       `json:"bots"`
+	DNSBL       bool                `json:"dnsbl"`
 	OpenGraph   openGraphFileConfig `json:"openGraph,omitempty"`
 	Impressum   *Impressum          `json:"impressum,omitempty"`
-	Store       *Store              `json:"store"`
-	Bots        []BotOrImport       `json:"bots"`
-	Thresholds  []Threshold         `json:"thresholds"`
 	StatusCodes StatusCodes         `json:"status_codes"`
-	DNSBL       bool                `json:"dnsbl"`
+	Store       *Store              `json:"store"`
+	Thresholds  []Threshold         `json:"thresholds"`
 }

 func (c *fileConfig) Valid() error {
@@ -460,13 +462,13 @@ func Load(fin io.Reader, fname string) (*Config, error) {
 }

 type Config struct {
-	Impressum   *Impressum
-	Store       *Store
-	OpenGraph   OpenGraph
 	Bots        []BotConfig
 	Thresholds  []Threshold
-	StatusCodes StatusCodes
 	DNSBL       bool
+	Impressum   *Impressum
+	OpenGraph   OpenGraph
+	StatusCodes StatusCodes
+	Store       *Store
 }

 func (c Config) Valid() error {
--- a/lib/policy/config/config_test.go
+++ b/lib/policy/config/config_test.go
@@ -15,9 +15,9 @@ func p[V any](v V) *V { return &v }

 func TestBotValid(t *testing.T) {
 	var tests = []struct {
-		bot  BotConfig
 		err  error
 		name string
+		bot  BotConfig
 	}{
 		{
 			name: "simple user agent",
--- a/lib/policy/config/expressionorlist_test.go
+++ b/lib/policy/config/expressionorlist_test.go
@@ -11,10 +11,10 @@ import (

 func TestExpressionOrListMarshalJSON(t *testing.T) {
 	for _, tt := range []struct {
-		err    error
-		input  *ExpressionOrList
 		name   string
+		input  *ExpressionOrList
 		output []byte
+		err    error
 	}{
 		{
 			name: "single expression",
@@ -74,10 +74,10 @@ func TestExpressionOrListMarshalJSON(t *testing.T) {

 func TestExpressionOrListMarshalYAML(t *testing.T) {
 	for _, tt := range []struct {
-		err    error
-		input  *ExpressionOrList
 		name   string
+		input  *ExpressionOrList
 		output []byte
+		err    error
 	}{
 		{
 			name: "single expression",
@@ -217,8 +217,8 @@ func TestExpressionOrListUnmarshalJSON(t *testing.T) {
 func TestExpressionOrListString(t *testing.T) {
 	for _, tt := range []struct {
 		name string
-		out  string
 		in   ExpressionOrList
+		out  string
 	}{
 		{
 			name: "single expression",
--- a/lib/policy/config/geoip_test.go
+++ b/lib/policy/config/geoip_test.go
@@ -7,9 +7,9 @@ import (

 func TestGeoIPValid(t *testing.T) {
 	for _, tt := range []struct {
-		err   error
-		input *GeoIP
 		name  string
+		input *GeoIP
+		err   error
 	}{
 		{
 			name: "basic valid",
--- a/lib/policy/config/impressum_test.go
+++ b/lib/policy/config/impressum_test.go
@@ -8,9 +8,9 @@ import (

 func TestImpressumValid(t *testing.T) {
 	for _, cs := range []struct {
-		err  error
-		inp  Impressum
 		name string
+		inp  Impressum
+		err  error
 	}{
 		{
 			name: "basic happy path",
--- a/lib/policy/config/opengraph.go
+++ b/lib/policy/config/opengraph.go
@@ -13,17 +13,17 @@ var (
 )

 type openGraphFileConfig struct {
-	Override     map[string]string `json:"override,omitempty" yaml:"override,omitempty"`
-	TimeToLive   string            `json:"ttl" yaml:"ttl"`
 	Enabled      bool              `json:"enabled" yaml:"enabled"`
 	ConsiderHost bool              `json:"considerHost" yaml:"enabled"`
+	TimeToLive   string            `json:"ttl" yaml:"ttl"`
+	Override     map[string]string `json:"override,omitempty" yaml:"override,omitempty"`
 }

 type OpenGraph struct {
-	Override     map[string]string `json:"override,omitempty" yaml:"override,omitempty"`
-	TimeToLive   time.Duration     `json:"ttl" yaml:"ttl"`
 	Enabled      bool              `json:"enabled" yaml:"enabled"`
 	ConsiderHost bool              `json:"considerHost" yaml:"enabled"`
+	Override     map[string]string `json:"override,omitempty" yaml:"override,omitempty"`
+	TimeToLive   time.Duration     `json:"ttl" yaml:"ttl"`
 }

 func (og *openGraphFileConfig) Valid() error {
--- a/lib/policy/config/opengraph_test.go
+++ b/lib/policy/config/opengraph_test.go
@@ -7,9 +7,9 @@ import (

 func TestOpenGraphFileConfigValid(t *testing.T) {
 	for _, tt := range []struct {
-		err   error
-		input *openGraphFileConfig
 		name  string
+		input *openGraphFileConfig
+		err   error
 	}{
 		{
 			name: "basic happy path",
--- a/lib/policy/config/store_test.go
+++ b/lib/policy/config/store_test.go
@@ -12,9 +12,9 @@ import (

 func TestStoreValid(t *testing.T) {
 	for _, tt := range []struct {
-		err   error
 		name  string
 		input config.Store
+		err   error
 	}{
 		{
 			name:  "no backend",
--- a/lib/policy/config/threshold.go
+++ b/lib/policy/config/threshold.go
@@ -31,10 +31,10 @@ var (
 )

 type Threshold struct {
-	Expression *ExpressionOrList `json:"expression" yaml:"expression"`
-	Challenge  *ChallengeRules   `json:"challenge" yaml:"challenge"`
 	Name       string            `json:"name" yaml:"name"`
+	Expression *ExpressionOrList `json:"expression" yaml:"expression"`
 	Action     Rule              `json:"action" yaml:"action"`
+	Challenge  *ChallengeRules   `json:"challenge" yaml:"challenge"`
 }

 func (t Threshold) Valid() error {
--- a/lib/policy/config/threshold_test.go
+++ b/lib/policy/config/threshold_test.go
@@ -10,9 +10,9 @@ import (

 func TestThresholdValid(t *testing.T) {
 	for _, tt := range []struct {
-		err   error
-		input *Threshold
 		name  string
+		input *Threshold
+		err   error
 	}{
 		{
 			name: "basic allow",
--- a/lib/policy/expressions/environment_test.go
+++ b/lib/policy/expressions/environment_test.go
@@ -14,11 +14,11 @@ func TestBotEnvironment(t *testing.T) {

 	t.Run("missingHeader", func(t *testing.T) {
 		tests := []struct {
-			headers     map[string]string
 			name        string
 			expression  string
-			description string
+			headers     map[string]string
 			expected    types.Bool
+			description string
 		}{
 			{
 				name:       "missing-header",
@@ -167,10 +167,10 @@ func TestBotEnvironment(t *testing.T) {

 		t.Run("invalid", func(t *testing.T) {
 			for _, tt := range []struct {
-				env             any
 				name            string
 				description     string
 				expression      string
+				env             any
 				wantFailCompile bool
 				wantFailEval    bool
 			}{
@@ -244,11 +244,11 @@ func TestThresholdEnvironment(t *testing.T) {
 	}

 	tests := []struct {
-		variables     map[string]interface{}
 		name          string
 		expression    string
-		description   string
+		variables     map[string]interface{}
 		expected      types.Bool
+		description   string
 		shouldCompile bool
 	}{
 		{
--- a/lib/policy/expressions/loadavg.go
+++ b/lib/policy/expressions/loadavg.go
@@ -10,8 +10,8 @@ import (
 )

 type loadAvg struct {
-	data *load.AvgStat
 	lock sync.RWMutex
+	data *load.AvgStat
 }

 func (l *loadAvg) updateThread(ctx context.Context) {
--- a/lib/policy/policy.go
+++ b/lib/policy/policy.go
@@ -29,15 +29,16 @@ var (
 )

 type ParsedConfig struct {
-	Store             store.Interface
-	orig              *config.Config
-	Impressum         *config.Impressum
-	OpenGraph         config.OpenGraph
+	orig *config.Config
+
 	Bots              []Bot
 	Thresholds        []*Threshold
-	StatusCodes       config.StatusCodes
-	DefaultDifficulty int
 	DNSBL             bool
+	Impressum         *config.Impressum
+	OpenGraph         config.OpenGraph
+	DefaultDifficulty int
+	StatusCodes       config.StatusCodes
+	Store             store.Interface
 }

 func newParsedConfig(orig *config.Config) *ParsedConfig {
--- a/lib/redirect_security_test.go
+++ b/lib/redirect_security_test.go
@@ -13,7 +13,7 @@ import (

 func TestRedirectSecurity(t *testing.T) {
 	tests := []struct {
-		reqHost  string
+		name     string
 		testType string // "constructRedirectURL", "serveHTTPNext", "renderIndex"

 		// For constructRedirectURL tests
@@ -23,16 +23,17 @@ func TestRedirectSecurity(t *testing.T) {

 		// For serveHTTPNext tests
 		redirParam string
-		name       string
-
-		errorContains  string
-		expectedStatus int
+		reqHost    string

 		// For renderIndex tests
 		returnHTTPStatusOnly bool
-		shouldError          bool
-		shouldNotRedirect    bool
-		shouldBlock          bool
+
+		// Expected results
+		expectedStatus    int
+		shouldError       bool
+		shouldNotRedirect bool
+		shouldBlock       bool
+		errorContains     string
 	}{
 		// constructRedirectURL tests - X-Forwarded-Proto validation
 		{
--- a/lib/store/bbolt/factory_test.go
+++ b/lib/store/bbolt/factory_test.go
@@ -17,9 +17,9 @@ func TestFactoryValid(t *testing.T) {

 	t.Run("invalid config", func(t *testing.T) {
 		for _, tt := range []struct {
-			err  error
 			name string
 			cfg  Config
+			err  error
 		}{
 			{
 				name: "missing path",
--- a/lib/store/s3api/factory.go
+++ b/lib/store/s3api/factory.go
@@ -88,8 +88,8 @@ func (Factory) Valid(data json.RawMessage) error {
 }

 type Config struct {
-	BucketName string `json:"bucketName"`
 	PathStyle  bool   `json:"pathStyle"`
+	BucketName string `json:"bucketName"`
 }

 func (c Config) Valid() error {
--- a/lib/store/s3api/s3api_test.go
+++ b/lib/store/s3api/s3api_test.go
@@ -17,10 +17,10 @@ import (

 // mockS3 is an in-memory mock of the methods we use.
 type mockS3 struct {
+	mu     sync.RWMutex
+	bucket string
 	data   map[string][]byte
 	meta   map[string]map[string]string
-	bucket string
-	mu     sync.RWMutex
 }

 func (m *mockS3) PutObject(ctx context.Context, in *s3.PutObjectInput, _ ...func(*s3.Options)) (*s3.PutObjectOutput, error) {
--- a/lib/store/storetest/storetest.go
+++ b/lib/store/storetest/storetest.go
@@ -21,9 +21,9 @@ func Common(t *testing.T, f store.Factory, config json.RawMessage) {
 	}

 	for _, tt := range []struct {
-		err  error
-		doer func(t *testing.T, s store.Interface) error
 		name string
+		doer func(t *testing.T, s store.Interface) error
+		err  error
 	}{
 		{
 			name: "basic get set delete",
--- a/lib/store/valkey/factory.go
+++ b/lib/store/valkey/factory.go
@@ -5,98 +5,80 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"time"

 	"github.com/TecharoHQ/anubis/lib/store"
 	valkey "github.com/redis/go-redis/v9"
-	"github.com/redis/go-redis/v9/maintnotifications"
+)
+
+var (
+	ErrNoURL  = errors.New("valkey.Config: no URL defined")
+	ErrBadURL = errors.New("valkey.Config: URL is invalid")
 )

 func init() {
 	store.Register("valkey", Factory{})
 }

-// Errors kept as-is so other code/tests still pass.
-var (
-	ErrNoURL  = errors.New("valkey.Config: no URL defined")
-	ErrBadURL = errors.New("valkey.Config: URL is invalid")
-)
+type Factory struct{}

-// Config is what Anubis unmarshals from the "parameters" JSON.
-type Config struct {
-	URL     string `json:"url"`
-	Cluster bool   `json:"cluster,omitempty"`
-}
+func (Factory) Build(ctx context.Context, data json.RawMessage) (store.Interface, error) {
+	var config Config

-func (c Config) Valid() error {
-	if c.URL == "" {
-		return ErrNoURL
+	if err := json.Unmarshal([]byte(data), &config); err != nil {
+		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
 	}

-	// Just validate that it's a valid Redis URL.
-	if _, err := valkey.ParseURL(c.URL); err != nil {
-		return fmt.Errorf("%w: %v", ErrBadURL, err)
+	if err := config.Valid(); err != nil {
+		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
+	}
+
+	opts, err := valkey.ParseURL(config.URL)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
+	}
+
+	rdb := valkey.NewClient(opts)
+
+	if _, err := rdb.Ping(ctx).Result(); err != nil {
+		return nil, fmt.Errorf("can't ping valkey instance: %w", err)
+	}
+
+	return &Store{
+		rdb: rdb,
+	}, nil
+}
+
+func (Factory) Valid(data json.RawMessage) error {
+	var config Config
+	if err := json.Unmarshal([]byte(data), &config); err != nil {
+		return fmt.Errorf("%w: %w", store.ErrBadConfig, err)
+	}
+
+	if err := config.Valid(); err != nil {
+		return fmt.Errorf("%w: %w", store.ErrBadConfig, err)
 	}

 	return nil
 }

-// redisClient is satisfied by *valkey.Client and *valkey.ClusterClient.
-type redisClient interface {
-	Get(ctx context.Context, key string) *valkey.StringCmd
-	Set(ctx context.Context, key string, value interface{}, expiration time.Duration) *valkey.StatusCmd
-	Del(ctx context.Context, keys ...string) *valkey.IntCmd
-	Ping(ctx context.Context) *valkey.StatusCmd
+type Config struct {
+	URL string `json:"url"`
 }

-type Factory struct{}
+func (c Config) Valid() error {
+	var errs []error

-func (Factory) Valid(data json.RawMessage) error {
-	var cfg Config
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return err
+	if c.URL == "" {
+		errs = append(errs, ErrNoURL)
 	}
-	return cfg.Valid()
-}
-
-func (Factory) Build(ctx context.Context, data json.RawMessage) (store.Interface, error) {
-	var cfg Config
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return nil, err
-	}
-	if err := cfg.Valid(); err != nil {
-		return nil, err
-	}
-
-	opts, err := valkey.ParseURL(cfg.URL)
-	if err != nil {
-		return nil, fmt.Errorf("valkey.Factory: %w", err)
-	}
-
-	var client redisClient
-
-	if cfg.Cluster {
-		// Cluster mode: use the parsed Addr as the seed node.
-		clusterOpts := &valkey.ClusterOptions{
-			Addrs: []string{opts.Addr},
-			// Explicitly disable maintenance notifications
-			// This prevents the client from sending CLIENT MAINT_NOTIFICATIONS ON
-			MaintNotificationsConfig: &maintnotifications.Config{
-				Mode: maintnotifications.ModeDisabled,
-			},
-		}
-		client = valkey.NewClusterClient(clusterOpts)
-	} else {
-		opts.MaintNotificationsConfig = &maintnotifications.Config{
-			Mode: maintnotifications.ModeDisabled,
-		}
-		client = valkey.NewClient(opts)
-	}
-
-	// Optional but nice: fail fast if the cluster/single node is unreachable.
-	if err := client.Ping(ctx).Err(); err != nil {
-		return nil, fmt.Errorf("valkey.Factory: ping failed: %w", err)
-	}
-
-	return &Store{client: client}, nil
+
+	if _, err := valkey.ParseURL(c.URL); err != nil {
+		errs = append(errs, ErrBadURL)
+	}
+
+	if len(errs) != 0 {
+		return fmt.Errorf("valkey.Config: invalid config: %w", errors.Join(errs...))
+	}
+
+	return nil
 }
--- a/lib/store/valkey/valkey.go
+++ b/lib/store/valkey/valkey.go
@@ -2,46 +2,52 @@ package valkey

 import (
 	"context"
+	"fmt"
 	"time"

 	"github.com/TecharoHQ/anubis/lib/store"
 	valkey "github.com/redis/go-redis/v9"
 )

-// Store implements store.Interface on top of Redis/Valkey.
 type Store struct {
-	client redisClient
-}
-
-var _ store.Interface = (*Store)(nil)
-
-func (s *Store) Get(ctx context.Context, key string) ([]byte, error) {
-	cmd := s.client.Get(ctx, key)
-	if err := cmd.Err(); err != nil {
-		if err == valkey.Nil {
-			return nil, store.ErrNotFound
-		}
-		return nil, err
-	}
-	return cmd.Bytes()
-}
-
-func (s *Store) Set(ctx context.Context, key string, value []byte, expiry time.Duration) error {
-	return s.client.Set(ctx, key, value, expiry).Err()
+	rdb *valkey.Client
 }

 func (s *Store) Delete(ctx context.Context, key string) error {
-	res := s.client.Del(ctx, key)
-	if err := res.Err(); err != nil {
-		return err
+	n, err := s.rdb.Del(ctx, key).Result()
+	if err != nil {
+		return fmt.Errorf("can't delete from valkey: %w", err)
 	}
-	if n, _ := res.Result(); n == 0 {
-		return store.ErrNotFound
+
+	switch n {
+	case 0:
+		return fmt.Errorf("%w: %d key(s) deleted", store.ErrNotFound, n)
+	default:
+		return nil
 	}
+}
+
+func (s *Store) Get(ctx context.Context, key string) ([]byte, error) {
+	result, err := s.rdb.Get(ctx, key).Result()
+	if err != nil {
+		if valkey.HasErrorPrefix(err, "redis: nil") {
+			return nil, fmt.Errorf("%w: %w", store.ErrNotFound, err)
+		}
+
+		return nil, fmt.Errorf("can't fetch from valkey: %w", err)
+	}
+
+	return []byte(result), nil
+}
+
+func (s *Store) Set(ctx context.Context, key string, value []byte, expiry time.Duration) error {
+	if _, err := s.rdb.Set(ctx, key, string(value), expiry).Result(); err != nil {
+		return fmt.Errorf("can't set %q in valkey: %w", key, err)
+	}
+
 	return nil
 }

-// IsPersistent tells Anubis this backend is “real” storage, not in-memory.
 func (s *Store) IsPersistent() bool {
 	return true
 }
--- a/lib/store/valkey/valkey_test.go
+++ b/lib/store/valkey/valkey_test.go
@@ -2,14 +2,20 @@ package valkey

 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"testing"

+	"github.com/TecharoHQ/anubis/internal"
 	"github.com/TecharoHQ/anubis/lib/store/storetest"
 	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"
 )

+func init() {
+	internal.UnbreakDocker()
+}
+
 func TestImpl(t *testing.T) {
 	if os.Getenv("DONT_USE_NETWORK") != "" {
 		t.Skip("test requires network egress")
@@ -18,26 +24,26 @@ func TestImpl(t *testing.T) {

 	testcontainers.SkipIfProviderIsNotHealthy(t)

-	valkeyC, err := testcontainers.Run(
-		t.Context(), "valkey/valkey:8",
-		testcontainers.WithExposedPorts("6379/tcp"),
-		testcontainers.WithWaitStrategy(
-			wait.ForListeningPort("6379/tcp"),
-			wait.ForLog("Ready to accept connections"),
-		),
-	)
+	req := testcontainers.ContainerRequest{
+		Image:      "valkey/valkey:8",
+		WaitingFor: wait.ForLog("Ready to accept connections"),
+	}
+	valkeyC, err := testcontainers.GenericContainer(t.Context(), testcontainers.GenericContainerRequest{
+		ContainerRequest: req,
+		Started:          true,
+	})
 	testcontainers.CleanupContainer(t, valkeyC)
 	if err != nil {
 		t.Fatal(err)
 	}

-	endpoint, err := valkeyC.PortEndpoint(t.Context(), "6379/tcp", "redis")
+	containerIP, err := valkeyC.ContainerIP(t.Context())
 	if err != nil {
 		t.Fatal(err)
 	}

 	data, err := json.Marshal(Config{
-		URL: endpoint,
+		URL: fmt.Sprintf("redis://%s:6379/0", containerIP),
 	})
 	if err != nil {
 		t.Fatal(err)
--- a/run/openrc/anubis.initd
+++ b/run/openrc/anubis.initd