From 490db0599c3af99955ee4a108f847edcee80f747 Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Tue, 24 Mar 2026 12:40:46 -0700 Subject: [PATCH] Step 25: Real FIDO2 hardware key support. HardwareFIDO2 implements FIDO2Device via go-libfido2 (CGo bindings to Yubico's libfido2). Gated behind //go:build fido2 tag to keep default builds CGo-free. Nix flake adds sgard-fido2 package variant. CLI changes: --fido2-pin flag, unlockDEK helper tries FIDO2 first, add-fido2/encrypt init --fido2 use real hardware, auto-unlock added to restore/checkpoint/diff for encrypted entries. Tested manually: add-fido2, add --encrypt, restore, checkpoint, diff all work with hardware FIDO2 key (touch-to-unlock, no passphrase). Co-Authored-By: Claude Opus 4.6 (1M context) --- ARCHITECTURE.md | 21 ++++- CLAUDE.md | 7 +- PROGRESS.md | 5 +- PROJECT_PLAN.md | 12 +-- README.md | 16 ++++ cmd/sgard/add.go | 2 +- cmd/sgard/checkpoint.go | 6 ++ cmd/sgard/diff.go | 6 ++ cmd/sgard/encrypt.go | 44 +++++++---- cmd/sgard/fido2.go | 12 +++ cmd/sgard/main.go | 1 + cmd/sgard/restore.go | 6 ++ flake.nix | 26 ++++++- garden/fido2_hardware.go | 156 +++++++++++++++++++++++++++++++++++++ garden/fido2_nohardware.go | 10 +++ go.mod | 19 +++-- go.sum | 43 ++++++++++ 17 files changed, 358 insertions(+), 34 deletions(-) create mode 100644 cmd/sgard/fido2.go create mode 100644 garden/fido2_hardware.go create mode 100644 garden/fido2_nohardware.go diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md index b9d757d..c4c2fbd 100644 --- a/ARCHITECTURE.md +++ b/ARCHITECTURE.md @@ -577,6 +577,23 @@ Both flags must be specified together on the server side; on the client side `--tls` alone uses the system trust store, and `--tls-ca` adds a custom root. +### FIDO2 Hardware Support + +Real FIDO2 hardware support uses `go-libfido2` (CGo bindings to +Yubico's libfido2 C library). It is gated behind the `fido2` build +tag to avoid requiring CGo and libfido2 for users who don't need it: + +- `go build ./...` — default build, no FIDO2 hardware support +- `go build -tags fido2 ./...` — links against libfido2 for real keys + +The implementation (`garden/fido2_hardware.go`) wraps +`libfido2.Device.MakeCredential` and `Assertion` with the +`HMACSecretExtension` to derive 32-byte HMAC secrets from hardware +keys. A `--fido2-pin` flag is available for PIN-protected devices. + +The Nix flake provides two packages: `sgard` (default, no CGo) and +`sgard-fido2` (links libfido2). + ### DEK Rotation `sgard encrypt rotate-dek` generates a new DEK, re-encrypts all @@ -625,8 +642,10 @@ sgard/ garden/ # Core business logic — one file per operation garden.go # Garden struct, Init, Open, Add, Checkpoint, Status, accessors - encrypt.go # EncryptInit, UnlockDEK, encrypt/decrypt blobs, slot management + encrypt.go # EncryptInit, UnlockDEK, RotateDEK, encrypt/decrypt blobs, slot mgmt encrypt_fido2.go # FIDO2Device interface, AddFIDO2Slot, unlock resolution + fido2_hardware.go # Real FIDO2 via go-libfido2 (//go:build fido2) + fido2_nohardware.go # Stub returning nil (//go:build !fido2) restore.go mirror.go prune.go remove.go verify.go list.go diff.go hasher.go # SHA-256 file hashing diff --git a/CLAUDE.md b/CLAUDE.md index fe0a879..1969161 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -22,11 +22,13 @@ Module: `github.com/kisom/sgard`. Author: K. Isom . ```bash go build ./... # both sgard and sgardd +go build -tags fido2 ./... # with real FIDO2 hardware support (requires libfido2) ``` Nix: ```bash -nix build .#sgard # builds both binaries +nix build .#sgard # builds both binaries (no CGo) +nix build .#sgard-fido2 # with FIDO2 hardware support (links libfido2) ``` Run tests: @@ -53,13 +55,14 @@ make proto - `google.golang.org/protobuf` — protobuf runtime - `golang.org/x/crypto` — SSH key auth (ssh, ssh/agent), Argon2id, XChaCha20-Poly1305 - `github.com/golang-jwt/jwt/v5` — JWT token auth +- `github.com/keys-pub/go-libfido2` — FIDO2 hardware key support (build tag `fido2`, requires libfido2) ## Package Structure ``` cmd/sgard/ CLI entry point (cobra commands, pure wiring) cmd/sgardd/ gRPC server daemon -garden/ Core business logic (Garden struct, encryption via encrypt.go/encrypt_fido2.go) +garden/ Core business logic (Garden struct, encryption, FIDO2 hardware via build tags) manifest/ YAML manifest parsing (Manifest/Entry structs, Load/Save) store/ Content-addressable blob storage (SHA-256 keyed) server/ gRPC server (RPC handlers, JWT/SSH auth interceptor, proto conversion) diff --git a/PROGRESS.md b/PROGRESS.md index d711247..4765cfd 100644 --- a/PROGRESS.md +++ b/PROGRESS.md @@ -7,7 +7,7 @@ ARCHITECTURE.md for design details. ## Current Status -**Phase:** Phase 4 in progress. Steps 21–24 complete, ready for Step 25. +**Phase:** Phase 4 in progress. Steps 21–25 complete, ready for Step 26. **Last updated:** 2026-03-24 @@ -42,7 +42,7 @@ ARCHITECTURE.md for design details. ## Up Next -Step 25: Real FIDO2 Hardware Binding. +Step 26: Test Cleanup. ## Known Issues / Decisions Deferred @@ -88,3 +88,4 @@ Step 25: Real FIDO2 Hardware Binding. | 2026-03-24 | 22 | Shell completion: cobra built-in, README docs for bash/zsh/fish. | | 2026-03-24 | 23 | TLS transport: sgardd --tls-cert/--tls-key, sgard --tls/--tls-ca, 2 integration tests. | | 2026-03-24 | 24 | DEK rotation: RotateDEK re-encrypts all blobs, re-wraps all slots, CLI command, 4 tests. | +| 2026-03-24 | 25 | Real FIDO2: go-libfido2 bindings, build tag gating, CLI wiring, nix sgard-fido2 package. | diff --git a/PROJECT_PLAN.md b/PROJECT_PLAN.md index fb07fdb..3e6445e 100644 --- a/PROJECT_PLAN.md +++ b/PROJECT_PLAN.md @@ -252,11 +252,13 @@ Depends on Steps 17, 18. ### Step 25: Real FIDO2 Hardware Binding -- [ ] Evaluate approach: libfido2 CGo bindings vs subprocess (`fido2-token`/`fido2-cred`) -- [ ] Implement real `FIDO2Device` satisfying the existing interface -- [ ] `cmd/sgard/encrypt.go`: wire real device into `add-fido2` and unlock resolution -- [ ] Build tag or runtime detection for FIDO2 availability -- [ ] Tests: skip on CI without hardware, manual test instructions +- [x] Evaluate approach: go-libfido2 CGo bindings (keys-pub/go-libfido2 v1.5.3) +- [x] `garden/fido2_hardware.go`: HardwareFIDO2 implementing FIDO2Device via libfido2 (`//go:build fido2`) +- [x] `garden/fido2_nohardware.go`: stub returning nil (`//go:build !fido2`) +- [x] `cmd/sgard/fido2.go`: unlockDEK helper, --fido2-pin flag +- [x] `cmd/sgard/encrypt.go`: add-fido2 uses real hardware, encrypt init --fido2 registers slot, all unlock calls use FIDO2-first resolution +- [x] `flake.nix`: sgard-fido2 package variant, libfido2+pkg-config in devShell +- [x] Tests: existing mock-based tests still pass; hardware tests require manual testing with a FIDO2 key ### Step 26: Test Cleanup diff --git a/README.md b/README.md index bb3f3c7..11948bc 100644 --- a/README.md +++ b/README.md @@ -224,6 +224,22 @@ is wrapped by a passphrase-derived key (Argon2id). FIDO2 hardware keys are also supported as an alternative KEK source — sgard tries FIDO2 first and falls back to passphrase automatically. +### FIDO2 hardware keys + +Build with `-tags fido2` (requires libfido2) to enable real hardware +key support, or use `nix build .#sgard-fido2`: + +```sh +# Register a FIDO2 key (touch required) +sgard encrypt add-fido2 + +# With a PIN-protected device +sgard encrypt add-fido2 --fido2-pin 1234 + +# Unlock is automatic — FIDO2 is tried first, passphrase as fallback +sgard restore # touch your key when prompted +``` + The encryption config (wrapped DEKs, salts) lives in the manifest, so it syncs with push/pull. The server never has the DEK. diff --git a/cmd/sgard/add.go b/cmd/sgard/add.go index 41c2adc..68609c0 100644 --- a/cmd/sgard/add.go +++ b/cmd/sgard/add.go @@ -30,7 +30,7 @@ var addCmd = &cobra.Command{ if !g.HasEncryption() { return fmt.Errorf("encryption not initialized; run sgard encrypt init first") } - if err := g.UnlockDEK(promptPassphrase); err != nil { + if err := unlockDEK(g); err != nil { return err } } diff --git a/cmd/sgard/checkpoint.go b/cmd/sgard/checkpoint.go index 312547f..492e36a 100644 --- a/cmd/sgard/checkpoint.go +++ b/cmd/sgard/checkpoint.go @@ -18,6 +18,12 @@ var checkpointCmd = &cobra.Command{ return err } + if g.HasEncryption() && g.NeedsDEK(g.List()) { + if err := unlockDEK(g); err != nil { + return err + } + } + if err := g.Checkpoint(checkpointMessage); err != nil { return err } diff --git a/cmd/sgard/diff.go b/cmd/sgard/diff.go index cf30cf6..8da5a91 100644 --- a/cmd/sgard/diff.go +++ b/cmd/sgard/diff.go @@ -17,6 +17,12 @@ var diffCmd = &cobra.Command{ return err } + if g.HasEncryption() && g.NeedsDEK(g.List()) { + if err := unlockDEK(g); err != nil { + return err + } + } + d, err := g.Diff(args[0]) if err != nil { return err diff --git a/cmd/sgard/encrypt.go b/cmd/sgard/encrypt.go index fb736ed..05a2aa6 100644 --- a/cmd/sgard/encrypt.go +++ b/cmd/sgard/encrypt.go @@ -36,8 +36,16 @@ var encryptInitCmd = &cobra.Command{ fmt.Println("Encryption initialized with passphrase slot.") if fido2InitFlag { - fmt.Println("FIDO2 support requires a hardware device implementation.") - fmt.Println("Run 'sgard encrypt add-fido2' when a FIDO2 device is available.") + device := garden.DetectHardwareFIDO2(fido2PinFlag) + if device == nil { + fmt.Println("No FIDO2 device detected. Run 'sgard encrypt add-fido2' when one is connected.") + } else { + fmt.Println("Touch your FIDO2 device to register...") + if err := g.AddFIDO2Slot(device, fido2LabelFlag); err != nil { + return fmt.Errorf("adding FIDO2 slot: %w", err) + } + fmt.Println("FIDO2 slot added.") + } } return nil @@ -59,13 +67,22 @@ var addFido2Cmd = &cobra.Command{ return fmt.Errorf("encryption not initialized; run sgard encrypt init first") } - if err := g.UnlockDEK(promptPassphrase); err != nil { + if err := unlockDEK(g); err != nil { return err } - // Real FIDO2 device implementation would go here. - // For now, this is a placeholder that explains the requirement. - return fmt.Errorf("FIDO2 hardware support not yet implemented; requires libfido2 binding") + device := garden.DetectHardwareFIDO2(fido2PinFlag) + if device == nil { + return fmt.Errorf("no FIDO2 device detected; connect a FIDO2 key and try again") + } + + fmt.Println("Touch your FIDO2 device to register...") + if err := g.AddFIDO2Slot(device, fido2LabelFlag); err != nil { + return err + } + + fmt.Println("FIDO2 slot added.") + return nil }, } @@ -130,9 +147,8 @@ var changePassphraseCmd = &cobra.Command{ return fmt.Errorf("encryption not initialized") } - // Unlock with current passphrase. - fmt.Println("Enter current passphrase:") - if err := g.UnlockDEK(promptPassphrase); err != nil { + // Unlock with current credentials. + if err := unlockDEK(g); err != nil { return err } @@ -166,15 +182,15 @@ var rotateDEKCmd = &cobra.Command{ return fmt.Errorf("encryption not initialized") } - // Unlock with current passphrase. - fmt.Println("Enter passphrase to unlock:") - if err := g.UnlockDEK(promptPassphrase); err != nil { + // Unlock with current credentials. + if err := unlockDEK(g); err != nil { return err } // Rotate — re-prompts for passphrase to re-wrap slot. fmt.Println("Enter passphrase to re-wrap DEK:") - if err := g.RotateDEK(promptPassphrase); err != nil { + device := garden.DetectHardwareFIDO2(fido2PinFlag) + if err := g.RotateDEK(promptPassphrase, device); err != nil { return err } @@ -184,7 +200,7 @@ var rotateDEKCmd = &cobra.Command{ } func init() { - encryptInitCmd.Flags().BoolVar(&fido2InitFlag, "fido2", false, "also set up FIDO2 (placeholder)") + encryptInitCmd.Flags().BoolVar(&fido2InitFlag, "fido2", false, "also register a FIDO2 hardware key") addFido2Cmd.Flags().StringVar(&fido2LabelFlag, "label", "", "slot label (default: fido2/)") encryptCmd.AddCommand(encryptInitCmd) diff --git a/cmd/sgard/fido2.go b/cmd/sgard/fido2.go new file mode 100644 index 0000000..d2f68dc --- /dev/null +++ b/cmd/sgard/fido2.go @@ -0,0 +1,12 @@ +package main + +import "github.com/kisom/sgard/garden" + +var fido2PinFlag string + +// unlockDEK attempts to unlock the DEK, trying FIDO2 hardware first +// (if available) and falling back to passphrase. +func unlockDEK(g *garden.Garden) error { + device := garden.DetectHardwareFIDO2(fido2PinFlag) + return g.UnlockDEK(promptPassphrase, device) +} diff --git a/cmd/sgard/main.go b/cmd/sgard/main.go index 6969907..babb36f 100644 --- a/cmd/sgard/main.go +++ b/cmd/sgard/main.go @@ -116,6 +116,7 @@ func main() { rootCmd.PersistentFlags().StringVar(&sshKeyFlag, "ssh-key", "", "path to SSH private key") rootCmd.PersistentFlags().BoolVar(&tlsFlag, "tls", false, "use TLS for remote connection") rootCmd.PersistentFlags().StringVar(&tlsCAFlag, "tls-ca", "", "path to CA certificate for TLS verification") + rootCmd.PersistentFlags().StringVar(&fido2PinFlag, "fido2-pin", "", "PIN for FIDO2 device (if PIN-protected)") if err := rootCmd.Execute(); err != nil { fmt.Fprintln(os.Stderr, err) diff --git a/cmd/sgard/restore.go b/cmd/sgard/restore.go index 2d1f761..dba6aa6 100644 --- a/cmd/sgard/restore.go +++ b/cmd/sgard/restore.go @@ -21,6 +21,12 @@ var restoreCmd = &cobra.Command{ return err } + if g.HasEncryption() && g.NeedsDEK(g.List()) { + if err := unlockDEK(g); err != nil { + return err + } + } + confirm := func(path string) bool { fmt.Printf("Overwrite %s? [y/N] ", path) scanner := bufio.NewScanner(os.Stdin) diff --git a/flake.nix b/flake.nix index 8c0a4fe..905e9ac 100644 --- a/flake.nix +++ b/flake.nix @@ -15,11 +15,11 @@ packages = { sgard = pkgs.buildGoModule { pname = "sgard"; - version = "2.0.0"; + version = "2.1.0"; src = pkgs.lib.cleanSource ./.; subPackages = [ "cmd/sgard" "cmd/sgardd" ]; - vendorHash = "sha256-0YpP1YfpAIAgY8k+7DlWosYN6MT5a2KLtNhQFvKT7pM="; + vendorHash = "sha256-0aGo5EbvPWt9Oflq+GTq8nEBUWZj3O5Ni4Qwd5EBa7Y="; ldflags = [ "-s" "-w" ]; @@ -29,6 +29,26 @@ }; }; + sgard-fido2 = pkgs.buildGoModule { + pname = "sgard-fido2"; + version = "2.1.0"; + src = pkgs.lib.cleanSource ./.; + subPackages = [ "cmd/sgard" "cmd/sgardd" ]; + + vendorHash = "sha256-LSz15iFsP4N3Cif1PFHEKg3udeqH/9WQQbZ50sxtWTk="; + + buildInputs = [ pkgs.libfido2 ]; + nativeBuildInputs = [ pkgs.pkg-config ]; + tags = [ "fido2" ]; + + ldflags = [ "-s" "-w" ]; + + meta = { + description = "Shimmering Clarity Gardener: dotfile management (with FIDO2 hardware support)"; + mainProgram = "sgard"; + }; + }; + default = self.packages.${system}.sgard; }; @@ -39,6 +59,8 @@ protobuf protoc-gen-go protoc-gen-go-grpc + libfido2 + pkg-config ]; }; } diff --git a/garden/fido2_hardware.go b/garden/fido2_hardware.go new file mode 100644 index 0000000..69748cb --- /dev/null +++ b/garden/fido2_hardware.go @@ -0,0 +1,156 @@ +//go:build fido2 + +package garden + +import ( + "crypto/sha256" + "fmt" + + libfido2 "github.com/keys-pub/go-libfido2" +) + +const rpID = "sgard" + +// HardwareFIDO2 implements FIDO2Device using a real hardware authenticator +// via libfido2. +type HardwareFIDO2 struct { + pin string // device PIN (empty if no PIN set) +} + +// NewHardwareFIDO2 creates a HardwareFIDO2 device. The PIN is needed for +// operations on PIN-protected authenticators. +func NewHardwareFIDO2(pin string) *HardwareFIDO2 { + return &HardwareFIDO2{pin: pin} +} + +// Available reports whether a FIDO2 device is connected. +func (h *HardwareFIDO2) Available() bool { + locs, err := libfido2.DeviceLocations() + if err != nil { + return false + } + return len(locs) > 0 +} + +// Register creates a new credential with the hmac-secret extension. +// Returns the credential ID and the HMAC-secret output for the given salt. +func (h *HardwareFIDO2) Register(salt []byte) ([]byte, []byte, error) { + dev, err := h.deviceForPath() + if err != nil { + return nil, nil, err + } + + cdh := sha256.Sum256(salt) + // CTAP2 hmac-secret extension requires a 32-byte salt. + hmacSalt := fido2Salt(salt) + + userID := sha256.Sum256([]byte("sgard-user")) + attest, err := dev.MakeCredential( + cdh[:], + libfido2.RelyingParty{ID: rpID, Name: "sgard"}, + libfido2.User{ID: userID[:], Name: "sgard"}, + libfido2.ES256, + h.pin, + &libfido2.MakeCredentialOpts{ + Extensions: []libfido2.Extension{libfido2.HMACSecretExtension}, + RK: libfido2.False, + }, + ) + if err != nil { + return nil, nil, fmt.Errorf("fido2 make credential: %w", err) + } + + // Do an assertion to get the HMAC-secret for this salt. + assertion, err := dev.Assertion( + rpID, + cdh[:], + [][]byte{attest.CredentialID}, + h.pin, + &libfido2.AssertionOpts{ + Extensions: []libfido2.Extension{libfido2.HMACSecretExtension}, + HMACSalt: hmacSalt, + UP: libfido2.True, + }, + ) + if err != nil { + return nil, nil, fmt.Errorf("fido2 assertion for hmac-secret: %w", err) + } + + return attest.CredentialID, assertion.HMACSecret, nil +} + +// Derive computes HMAC(device_secret, salt) for an existing credential. +// Requires user touch. +func (h *HardwareFIDO2) Derive(credentialID []byte, salt []byte) ([]byte, error) { + dev, err := h.deviceForPath() + if err != nil { + return nil, err + } + + cdh := sha256.Sum256(salt) + hmacSalt := fido2Salt(salt) + + assertion, err := dev.Assertion( + rpID, + cdh[:], + [][]byte{credentialID}, + h.pin, + &libfido2.AssertionOpts{ + Extensions: []libfido2.Extension{libfido2.HMACSecretExtension}, + HMACSalt: hmacSalt, + UP: libfido2.True, + }, + ) + if err != nil { + return nil, fmt.Errorf("fido2 assertion: %w", err) + } + + return assertion.HMACSecret, nil +} + +// MatchesCredential reports whether the connected device might hold the +// given credential. Since probing without user presence is unreliable +// across devices, we optimistically return true and let Derive handle +// the actual verification (which requires a touch). +func (h *HardwareFIDO2) MatchesCredential(_ []byte) bool { + return h.Available() +} + +// fido2Salt returns a 32-byte salt suitable for the CTAP2 hmac-secret +// extension. If the input is already 32 bytes, it is returned as-is. +// Otherwise, SHA-256 is used to derive a 32-byte value deterministically. +func fido2Salt(salt []byte) []byte { + if len(salt) == 32 { + return salt + } + h := sha256.Sum256(salt) + return h[:] +} + +// deviceForPath returns a Device handle for the first connected FIDO2 +// device. The library manages open/close internally per operation. +func (h *HardwareFIDO2) deviceForPath() (*libfido2.Device, error) { + locs, err := libfido2.DeviceLocations() + if err != nil { + return nil, fmt.Errorf("listing fido2 devices: %w", err) + } + if len(locs) == 0 { + return nil, fmt.Errorf("no fido2 device found") + } + + dev, err := libfido2.NewDevice(locs[0].Path) + if err != nil { + return nil, fmt.Errorf("opening fido2 device %s: %w", locs[0].Path, err) + } + return dev, nil +} + +// DetectHardwareFIDO2 returns a HardwareFIDO2 device if hardware is available, +// or nil if no device is connected. +func DetectHardwareFIDO2(pin string) FIDO2Device { + d := NewHardwareFIDO2(pin) + if d.Available() { + return d + } + return nil +} diff --git a/garden/fido2_nohardware.go b/garden/fido2_nohardware.go new file mode 100644 index 0000000..7e354dd --- /dev/null +++ b/garden/fido2_nohardware.go @@ -0,0 +1,10 @@ +//go:build !fido2 + +package garden + +// DetectHardwareFIDO2 is a stub that returns nil when built without the +// fido2 build tag. Build with -tags fido2 and link against libfido2 to +// enable real hardware support. +func DetectHardwareFIDO2(_ string) FIDO2Device { + return nil +} diff --git a/go.mod b/go.mod index 92a8687..5bf2d7b 100644 --- a/go.mod +++ b/go.mod @@ -3,17 +3,22 @@ module github.com/kisom/sgard go 1.25.7 require ( - github.com/golang-jwt/jwt/v5 v5.3.1 // indirect + github.com/golang-jwt/jwt/v5 v5.3.1 + github.com/jonboulle/clockwork v0.5.0 + github.com/keys-pub/go-libfido2 v1.5.3 + github.com/spf13/cobra v1.10.2 + golang.org/x/crypto v0.49.0 + google.golang.org/grpc v1.79.3 + google.golang.org/protobuf v1.36.11 + gopkg.in/yaml.v3 v3.0.1 +) + +require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/jonboulle/clockwork v0.5.0 // indirect - github.com/spf13/cobra v1.10.2 // indirect + github.com/pkg/errors v0.9.1 // indirect github.com/spf13/pflag v1.0.9 // indirect - golang.org/x/crypto v0.49.0 // indirect golang.org/x/net v0.51.0 // indirect golang.org/x/sys v0.42.0 // indirect golang.org/x/text v0.35.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect - google.golang.org/grpc v1.79.3 // indirect - google.golang.org/protobuf v1.36.11 // indirect - gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 5ad7c2d..a2da081 100644 --- a/go.sum +++ b/go.sum @@ -1,30 +1,73 @@ +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY= github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I= github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60= +github.com/keys-pub/go-libfido2 v1.5.3 h1:vtgHxlSB43u6lj0TSuA3VvT6z3E7VI+L1a2hvMFdECk= +github.com/keys-pub/go-libfido2 v1.5.3/go.mod h1:P0V19qHwJNY0htZwZDe9Ilvs/nokGhdFX7faKFyZ6+U= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU= github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4= github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY= github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= +go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= +go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= +go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= +go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= +go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= +go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= +go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= +go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= +go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= +golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= +gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=