all: sync with master

2025-01-20 14:41:16 +03:00
parent ceb178fcd5
commit 2e52a2c8a0
61 changed files with 2533 additions and 2711 deletions
--- a/internal/configmigrate/migrations_internal_test.go
+++ b/internal/configmigrate/migrations_internal_test.go
@@ -521,7 +521,7 @@ func TestUpgradeSchema11to12(t *testing.T) {
 		name    string
 	}{{
 		ivl:     1,
-		want:    timeutil.Duration{Duration: timeutil.Day},
+		want:    timeutil.Duration(timeutil.Day),
 		wantErr: "",
 		name:    "success",
 	}, {
@@ -604,7 +604,7 @@ func TestUpgradeSchema11to12(t *testing.T) {
 		ivlVal, ok = ivl.(timeutil.Duration)
 		require.True(t, ok)

-		assert.Equal(t, 90*24*time.Hour, ivlVal.Duration)
+		assert.Equal(t, 90*24*time.Hour, time.Duration(ivlVal))
 	})
 }

@@ -1055,12 +1055,12 @@ func TestUpgradeSchema19to20(t *testing.T) {
 		name    string
 	}{{
 		ivl:     1,
-		want:    timeutil.Duration{Duration: timeutil.Day},
+		want:    timeutil.Duration(timeutil.Day),
 		wantErr: "",
 		name:    "success",
 	}, {
 		ivl:     0,
-		want:    timeutil.Duration{Duration: timeutil.Day},
+		want:    timeutil.Duration(timeutil.Day),
 		wantErr: "",
 		name:    "success",
 	}, {
@@ -1143,7 +1143,7 @@ func TestUpgradeSchema19to20(t *testing.T) {
 		ivlVal, ok = ivl.(timeutil.Duration)
 		require.True(t, ok)

-		assert.Equal(t, 24*time.Hour, ivlVal.Duration)
+		assert.Equal(t, 24*time.Hour, time.Duration(ivlVal))
 	})
 }

--- a/internal/configmigrate/v12.go
+++ b/internal/configmigrate/v12.go
@@ -37,7 +37,7 @@ func migrateTo12(diskConf yobj) (err error) {
 		qlogIvl = 90
 	}

-	dns[field] = timeutil.Duration{Duration: time.Duration(qlogIvl) * timeutil.Day}
+	dns[field] = timeutil.Duration(time.Duration(qlogIvl) * timeutil.Day)

 	return nil
 }
--- a/internal/configmigrate/v20.go
+++ b/internal/configmigrate/v20.go
@@ -38,7 +38,7 @@ func migrateTo20(diskConf yobj) (err error) {
 		ivl = 1
 	}

-	stats[field] = timeutil.Duration{Duration: time.Duration(ivl) * timeutil.Day}
+	stats[field] = timeutil.Duration(time.Duration(ivl) * timeutil.Day)

 	return nil
 }
--- a/internal/configmigrate/v23.go
+++ b/internal/configmigrate/v23.go
@@ -48,7 +48,7 @@ func migrateTo23(diskConf yobj) (err error) {

 	diskConf["http"] = yobj{
 		"address":     netip.AddrPortFrom(bindHostAddr, uint16(bindPort)).String(),
-		"session_ttl": timeutil.Duration{Duration: time.Duration(sessionTTL) * time.Hour}.String(),
+		"session_ttl": timeutil.Duration(time.Duration(sessionTTL) * time.Hour).String(),
 	}

 	delete(diskConf, "bind_host")
--- a/internal/dhcpd/README.md
+++ b/internal/dhcpd/README.md
@@ -1,61 +1,50 @@
- #  Testing DHCP Server
+# Testing DHCP Server

 Contents:
- *  [Test setup with Virtual Box](#vbox)
- *  [Quick test with DHCPTest](#dhcptest)

-##  <a href="#vbox" id="vbox" name="vbox">Test setup with Virtual Box</a>
+- [Test setup with Virtual Box](#vbox)
+- [Quick test with DHCPTest](#dhcptest)

-   ### Prerequisites
+## <a href="#vbox" id="vbox" name="vbox">Test setup with Virtual Box</a>
+
+### Prerequisites

 To set up a test environment for DHCP server you will need:

- *  Linux AG Home host machine (Virtual).
- *  Virtual Box.
- *  Virtual machine (guest OS doesn't matter).
+- Linux AG Home host machine (Virtual)
+- Virtual Box
+- Virtual machine (guest OS doesn't matter)

-   ### Configure Virtual Box
+### Configure Virtual Box

- 1.  Install Virtual Box and run the following command to create a Host-Only
-     network:
+1. Install Virtual Box and run the following command to create a Host-Only network:

-     ```sh
-     $ VBoxManage hostonlyif create
-     ```
+    ```sh
+    VBoxManage hostonlyif create
+    ```

-     You can check its status by `ip a` command.
+    You can check its status by `ip a` command.

-     You can also set up Host-Only network using Virtual Box menu:
+    You can also set up Host-Only network using Virtual Box menu in *File → Host Network Manager.*

-     ```
-     File -> Host Network Manager...
-     ```
+2. Create your virtual machine and set up its network in *VM Settings → Network → Host-only Adapter.*

- 2.  Create your virtual machine and set up its network:
+3. Start your VM, install an OS. Configure your network interface to use DHCP and the OS should ask for a IP address from our DHCP server.

-     ```
-     VM Settings -> Network -> Host-only Adapter
-     ```
+4. To see the current IP addresses on client OS you can use `ip a` command on Linux or `ipconfig` on Windows.

- 3.  Start your VM, install an OS.  Configure your network interface to use
-     DHCP and the OS should ask for a IP address from our DHCP server.
+5. To force the client OS to request an IP from DHCP server again, you can use `dhclient` on Linux or `ipconfig /release` on Windows.

- 4.  To see the current IP addresses on client OS you can use `ip a` command on
-     Linux or `ipconfig` on Windows.
+### Configure server

- 5.  To force the client OS to request an IP from DHCP server again, you can
-     use `dhclient` on Linux or `ipconfig /release` on Windows.
+1. Edit server configuration file `AdGuardHome.yaml`, for example:

-   ### Configure server
-
- 1.  Edit server configuration file `AdGuardHome.yaml`, for example:
-
-     ```yaml
-     dhcp:
-          enabled: true
-          interface_name: vboxnet0
-          local_domain_name: lan
-          dhcpv4:
+    ```yaml
+    dhcp:
+        enabled: true
+        interface_name: vboxnet0
+        local_domain_name: lan
+        dhcpv4:
            gateway_ip: 192.168.56.1
            subnet_mask: 255.255.255.0
            range_start: 192.168.56.2
@@ -63,34 +52,33 @@ To set up a test environment for DHCP server you will need:
            lease_duration: 86400
            icmp_timeout_msec: 1000
            options: []
-          dhcpv6:
+        dhcpv6:
            range_start: 2001::1
            lease_duration: 86400
            ra_slaac_only: false
            ra_allow_slaac: false
-     ```
+    ```

- 2.  Start the server
+2. Start the server:

-     ```sh
-     ./AdGuardHome -v
-     ```
+    ```sh
+    ./AdGuardHome -v
+    ```

-     There should be a message in log which shows that DHCP server is ready:
+    There should be a message in log which shows that DHCP server is ready:

-     ```
-     [info] DHCP: listening on 0.0.0.0:67
-     ```
+    ```none
+    [info] dhcpv4: listening
+    ```

-##  <a href="#dhcptest" id="dhcptest" name="dhcptest">Quick test with DHCPTest utility</a>
+## <a href="#dhcptest" id="dhcptest" name="dhcptest">Quick test with DHCPTest utility</a>

-   ### Prerequisites
+### Prerequisites

- *  [DHCP test utility][dhcptest-gh].
+- [DHCP test utility][dhcptest-gh].

-   ### Quick test
+### Quick test

-The DHCP server could be tested for DISCOVER-OFFER packets with in
-interactive mode.
+The DHCP server could be tested for DISCOVER-OFFER packets with in interactive mode.

 [dhcptest-gh]: https://github.com/CyberShadow/dhcptest
--- a/internal/dhcpd/options_unix.go
+++ b/internal/dhcpd/options_unix.go
@@ -84,7 +84,7 @@ func parseDHCPOptionDur(s string) (val dhcpv4.OptionValue, err error) {
 		return nil, fmt.Errorf("decoding dur: %w", err)
 	}

-	return dhcpv4.Duration(v.Duration), nil
+	return dhcpv4.Duration(v), nil
 }

 // parseDHCPOptionUint parses a DHCP option as an unsigned integer.  bitSize is
--- a/internal/dhcpd/options_unix_test.go
+++ b/internal/dhcpd/options_unix_test.go
@@ -144,8 +144,8 @@ func TestParseOpt(t *testing.T) {
 		in:       "24 dur 3y",
 		wantCode: nil,
 		wantVal:  nil,
-		wantErrMsg: "invalid option string \"24 dur 3y\": decoding dur: " +
-			"unmarshaling duration: time: unknown unit \"y\" in duration \"3y\"",
+		wantErrMsg: `invalid option string "24 dur 3y": decoding dur: time: ` +
+			`unknown unit "y" in duration "3y"`,
 	}, {
 		name:     "u8_error",
 		in:       "23 u8 256",
--- a/internal/dnsforward/beforerequest.go
+++ b/internal/dnsforward/beforerequest.go
@@ -81,7 +81,7 @@ func (s *Server) clientIDFromDNSContext(pctx *proxy.DNSContext) (clientID string

 	cliSrvName, err := clientServerName(pctx, proto)
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("getting client server-name: %w", err)
 	}

 	clientID, err = clientIDFromClientServerName(
--- a/internal/dnsforward/clientid.go
+++ b/internal/dnsforward/clientid.go
@@ -3,6 +3,7 @@ package dnsforward
 import (
 	"crypto/tls"
 	"fmt"
+	"net/http"
 	"path"
 	"strings"

@@ -118,17 +119,13 @@ func clientServerName(pctx *proxy.DNSContext, proto proxy.Proto) (srvName string

 	switch proto {
 	case proxy.ProtoHTTPS:
-		r := pctx.HTTPRequest
-		if connState := r.TLS; connState != nil {
-			srvName = connState.ServerName
-		} else if r.Host != "" {
-			var host string
-			host, err = netutil.SplitHost(r.Host)
-			if err != nil {
-				return "", fmt.Errorf("parsing host: %w", err)
-			}
+		var fromHost bool
+		srvName, fromHost, err = clientServerNameFromHTTP(pctx.HTTPRequest)
+		if err != nil {
+			return "", fmt.Errorf("from http: %w", err)
+		}

-			srvName = host
+		if fromHost {
 			from = "host header"
 		}
 	case proxy.ProtoQUIC:
@@ -153,3 +150,23 @@ func clientServerName(pctx *proxy.DNSContext, proto proxy.Proto) (srvName string

 	return srvName, nil
 }
+
+// clientServerNameFromHTTP returns the TLS server name or the value of the host
+// header depending on the protocol.  fromHost is true if srvName comes from the
+// "Host" HTTP header.
+func clientServerNameFromHTTP(r *http.Request) (srvName string, fromHost bool, err error) {
+	if connState := r.TLS; connState != nil {
+		return connState.ServerName, false, nil
+	}
+
+	if r.Host == "" {
+		return "", false, nil
+	}
+
+	srvName, err = netutil.SplitHost(r.Host)
+	if err != nil {
+		return "", false, fmt.Errorf("parsing host: %w", err)
+	}
+
+	return srvName, true, nil
+}
--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@@ -348,7 +348,7 @@ func (s *Server) newProxyConfig() (conf *proxy.Config, err error) {
 		conf.EDNSAddr = net.IP(srvConf.EDNSClientSubnet.CustomIP.AsSlice())
 	}

-	err = setProxyUpstreamMode(conf, srvConf.UpstreamMode, srvConf.FastestTimeout.Duration)
+	err = setProxyUpstreamMode(conf, srvConf.UpstreamMode, time.Duration(srvConf.FastestTimeout))
 	if err != nil {
 		return nil, fmt.Errorf("upstream mode: %w", err)
 	}
--- a/internal/dnsforward/dnsforward.go
+++ b/internal/dnsforward/dnsforward.go
@@ -740,7 +740,7 @@ func (s *Server) prepareInternalProxy() (err error) {
 		MessageConstructor:        s,
 	}

-	err = setProxyUpstreamMode(conf, srvConf.UpstreamMode, srvConf.FastestTimeout.Duration)
+	err = setProxyUpstreamMode(conf, srvConf.UpstreamMode, time.Duration(srvConf.FastestTimeout))
 	if err != nil {
 		return fmt.Errorf("invalid upstream mode: %w", err)
 	}
--- a/internal/home/clients.go
+++ b/internal/home/clients.go
@@ -400,7 +400,7 @@ func (clients *clientsContainer) UpstreamConfigByID(
 		upstreams,
 		&upstream.Options{
 			Bootstrap:    bootstrap,
-			Timeout:      config.DNS.UpstreamTimeout.Duration,
+			Timeout:      time.Duration(config.DNS.UpstreamTimeout),
 			HTTPVersions: dnsforward.UpstreamHTTPVersions(config.DNS.UseHTTP3Upstreams),
 			PreferIPv6:   config.DNS.BootstrapPreferIPv6,
 		},
--- a/internal/home/clientshttp.go
+++ b/internal/home/clientshttp.go
@@ -424,6 +424,8 @@ func (clients *clientsContainer) handleUpdateClient(w http.ResponseWriter, r *ht
 }

 // handleFindClient is the handler for GET /control/clients/find HTTP API.
+//
+// Deprecated:  Remove it when migration to the new API is over.
 func (clients *clientsContainer) handleFindClient(w http.ResponseWriter, r *http.Request) {
 	q := r.URL.Query()
 	data := []map[string]*clientJSON{}
@@ -433,19 +435,58 @@ func (clients *clientsContainer) handleFindClient(w http.ResponseWriter, r *http
 			break
 		}

-		ip, _ := netip.ParseAddr(idStr)
-		c, ok := clients.storage.Find(idStr)
-		var cj *clientJSON
-		if !ok {
-			cj = clients.findRuntime(ip, idStr)
-		} else {
-			cj = clientToJSON(c)
-			disallowed, rule := clients.clientChecker.IsBlockedClient(ip, idStr)
-			cj.Disallowed, cj.DisallowedRule = &disallowed, &rule
-		}
-
 		data = append(data, map[string]*clientJSON{
-			idStr: cj,
+			idStr: clients.findClient(idStr),
+		})
+	}
+
+	aghhttp.WriteJSONResponseOK(w, r, data)
+}
+
+// findClient returns available information about a client by idStr from the
+// client's storage or access settings.  cj is guaranteed to be non-nil.
+func (clients *clientsContainer) findClient(idStr string) (cj *clientJSON) {
+	ip, _ := netip.ParseAddr(idStr)
+	c, ok := clients.storage.Find(idStr)
+	if !ok {
+		return clients.findRuntime(ip, idStr)
+	}
+
+	cj = clientToJSON(c)
+	disallowed, rule := clients.clientChecker.IsBlockedClient(ip, idStr)
+	cj.Disallowed, cj.DisallowedRule = &disallowed, &rule
+
+	return cj
+}
+
+// searchQueryJSON is a request to the POST /control/clients/search HTTP API.
+//
+// TODO(s.chzhen):  Add UIDs.
+type searchQueryJSON struct {
+	Clients []searchClientJSON `json:"clients"`
+}
+
+// searchClientJSON is a part of [searchQueryJSON] that contains a string
+// representation of the client's IP address, CIDR, MAC address, or ClientID.
+type searchClientJSON struct {
+	ID string `json:"id"`
+}
+
+// handleSearchClient is the handler for the POST /control/clients/search HTTP API.
+func (clients *clientsContainer) handleSearchClient(w http.ResponseWriter, r *http.Request) {
+	q := searchQueryJSON{}
+	err := json.NewDecoder(r.Body).Decode(&q)
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusBadRequest, "failed to process request body: %s", err)
+
+		return
+	}
+
+	data := []map[string]*clientJSON{}
+	for _, c := range q.Clients {
+		idStr := c.ID
+		data = append(data, map[string]*clientJSON{
+			idStr: clients.findClient(idStr),
 		})
 	}

@@ -493,5 +534,8 @@ func (clients *clientsContainer) registerWebHandlers() {
 	httpRegister(http.MethodPost, "/control/clients/add", clients.handleAddClient)
 	httpRegister(http.MethodPost, "/control/clients/delete", clients.handleDelClient)
 	httpRegister(http.MethodPost, "/control/clients/update", clients.handleUpdateClient)
+	httpRegister(http.MethodPost, "/control/clients/search", clients.handleSearchClient)
+
+	// Deprecated handler.
 	httpRegister(http.MethodGet, "/control/clients/find", clients.handleFindClient)
 }
--- a/internal/home/clientshttp_internal_test.go
+++ b/internal/home/clientshttp_internal_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/client"
 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/AdGuardHome/internal/schedule"
+	"github.com/AdguardTeam/AdGuardHome/internal/whois"
 	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -408,3 +409,145 @@ func TestClientsContainer_HandleFindClient(t *testing.T) {
 		})
 	}
 }
+
+func TestClientsContainer_HandleSearchClient(t *testing.T) {
+	var (
+		runtimeCli = "runtime_client1"
+
+		runtimeCliIP     = "3.3.3.3"
+		blockedCliIP     = "4.4.4.4"
+		nonExistentCliIP = "5.5.5.5"
+
+		allowed     = false
+		dissallowed = true
+
+		emptyRule      = ""
+		disallowedRule = "disallowed_rule"
+	)
+
+	clients := newClientsContainer(t)
+	clients.clientChecker = &testBlockedClientChecker{
+		onIsBlockedClient: func(ip netip.Addr, _ string) (ok bool, rule string) {
+			if ip == netip.MustParseAddr(blockedCliIP) {
+				return true, disallowedRule
+			}
+
+			return false, emptyRule
+		},
+	}
+
+	ctx := testutil.ContextWithTimeout(t, testTimeout)
+
+	clientOne := newPersistentClientWithIDs(t, "client1", []string{testClientIP1})
+	err := clients.storage.Add(ctx, clientOne)
+	require.NoError(t, err)
+
+	clientTwo := newPersistentClientWithIDs(t, "client2", []string{testClientIP2})
+	err = clients.storage.Add(ctx, clientTwo)
+	require.NoError(t, err)
+
+	assertPersistentClients(t, clients, []*client.Persistent{clientOne, clientTwo})
+
+	clients.UpdateAddress(ctx, netip.MustParseAddr(runtimeCliIP), runtimeCli, nil)
+
+	testCases := []struct {
+		name           string
+		query          *searchQueryJSON
+		wantPersistent []*client.Persistent
+		wantRuntime    *clientJSON
+	}{{
+		name: "single",
+		query: &searchQueryJSON{
+			Clients: []searchClientJSON{{
+				ID: testClientIP1,
+			}},
+		},
+		wantPersistent: []*client.Persistent{clientOne},
+	}, {
+		name: "multiple",
+		query: &searchQueryJSON{
+			Clients: []searchClientJSON{{
+				ID: testClientIP1,
+			}, {
+				ID: testClientIP2,
+			}},
+		},
+		wantPersistent: []*client.Persistent{clientOne, clientTwo},
+	}, {
+		name: "runtime",
+		query: &searchQueryJSON{
+			Clients: []searchClientJSON{{
+				ID: runtimeCliIP,
+			}},
+		},
+		wantRuntime: &clientJSON{
+			Name:           runtimeCli,
+			IDs:            []string{runtimeCliIP},
+			Disallowed:     &allowed,
+			DisallowedRule: &emptyRule,
+			WHOIS:          &whois.Info{},
+		},
+	}, {
+		name: "blocked_access",
+		query: &searchQueryJSON{
+			Clients: []searchClientJSON{{
+				ID: blockedCliIP,
+			}},
+		},
+		wantRuntime: &clientJSON{
+			IDs:            []string{blockedCliIP},
+			Disallowed:     &dissallowed,
+			DisallowedRule: &disallowedRule,
+			WHOIS:          &whois.Info{},
+		},
+	}, {
+		name: "non_existing_client",
+		query: &searchQueryJSON{
+			Clients: []searchClientJSON{{
+				ID: nonExistentCliIP,
+			}},
+		},
+		wantRuntime: &clientJSON{
+			IDs:            []string{nonExistentCliIP},
+			Disallowed:     &allowed,
+			DisallowedRule: &emptyRule,
+			WHOIS:          &whois.Info{},
+		},
+	}}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var body []byte
+			body, err = json.Marshal(tc.query)
+			require.NoError(t, err)
+
+			var r *http.Request
+			r, err = http.NewRequest(http.MethodPost, "", bytes.NewReader(body))
+			require.NoError(t, err)
+
+			rw := httptest.NewRecorder()
+			clients.handleSearchClient(rw, r)
+			require.NoError(t, err)
+			require.Equal(t, http.StatusOK, rw.Code)
+
+			body, err = io.ReadAll(rw.Body)
+			require.NoError(t, err)
+
+			clientData := []map[string]*clientJSON{}
+			err = json.Unmarshal(body, &clientData)
+			require.NoError(t, err)
+
+			if tc.wantPersistent != nil {
+				assertPersistentClientsData(t, clients, clientData, tc.wantPersistent)
+
+				return
+			}
+
+			require.Len(t, clientData, 1)
+			require.Len(t, clientData[0], 1)
+
+			rc := clientData[0][tc.wantRuntime.IDs[0]]
+			assert.Equal(t, tc.wantRuntime, rc)
+		})
+	}
+}
--- a/internal/home/config.go
+++ b/internal/home/config.go
@@ -339,7 +339,7 @@ var config = &configuration{
 	AuthBlockMin: 15,
 	HTTPConfig: httpConfig{
 		Address:    netip.AddrPortFrom(netip.IPv4Unspecified(), 3000),
-		SessionTTL: timeutil.Duration{Duration: 30 * timeutil.Day},
+		SessionTTL: timeutil.Duration(30 * timeutil.Day),
 		Pprof: &httpPprofConfig{
 			Enabled: false,
 			Port:    6060,
@@ -355,9 +355,7 @@ var config = &configuration{
 			RefuseAny:              true,
 			UpstreamMode:           dnsforward.UpstreamModeLoadBalance,
 			HandleDDR:              true,
-			FastestTimeout: timeutil.Duration{
-				Duration: fastip.DefaultPingWaitTimeout,
-			},
+			FastestTimeout:         timeutil.Duration(fastip.DefaultPingWaitTimeout),

 			TrustedProxies: []netutil.Prefix{{
 				Prefix: netip.MustParsePrefix("127.0.0.0/8"),
@@ -378,7 +376,7 @@ var config = &configuration{
 			// was later increased to 300 due to https://github.com/AdguardTeam/AdGuardHome/issues/2257
 			MaxGoroutines: 300,
 		},
-		UpstreamTimeout:  timeutil.Duration{Duration: dnsforward.DefaultTimeout},
+		UpstreamTimeout:  timeutil.Duration(dnsforward.DefaultTimeout),
 		UsePrivateRDNS:   true,
 		ServePlainDNS:    true,
 		HostsFileEnabled: true,
@@ -391,13 +389,13 @@ var config = &configuration{
 	QueryLog: queryLogConfig{
 		Enabled:     true,
 		FileEnabled: true,
-		Interval:    timeutil.Duration{Duration: 90 * timeutil.Day},
+		Interval:    timeutil.Duration(90 * timeutil.Day),
 		MemSize:     1000,
 		Ignored:     []string{},
 	},
 	Stats: statsConfig{
 		Enabled:  true,
-		Interval: timeutil.Duration{Duration: 1 * timeutil.Day},
+		Interval: timeutil.Duration(1 * timeutil.Day),
 		Ignored:  []string{},
 	},
 	// NOTE: Keep these parameters in sync with the one put into
@@ -565,8 +563,8 @@ func parseConfig() (err error) {
 		return err
 	}

-	if config.DNS.UpstreamTimeout.Duration == 0 {
-		config.DNS.UpstreamTimeout = timeutil.Duration{Duration: dnsforward.DefaultTimeout}
+	if config.DNS.UpstreamTimeout == 0 {
+		config.DNS.UpstreamTimeout = timeutil.Duration(dnsforward.DefaultTimeout)
 	}

 	// Do not wrap the error because it's informative enough as is.
@@ -659,7 +657,7 @@ func (c *configuration) write() (err error) {
 	if Context.stats != nil {
 		statsConf := stats.Config{}
 		Context.stats.WriteDiskConfig(&statsConf)
-		config.Stats.Interval = timeutil.Duration{Duration: statsConf.Limit}
+		config.Stats.Interval = timeutil.Duration(statsConf.Limit)
 		config.Stats.Enabled = statsConf.Enabled
 		config.Stats.Ignored = statsConf.Ignored.Values()
 	}
@@ -670,7 +668,7 @@ func (c *configuration) write() (err error) {
 		config.DNS.AnonymizeClientIP = dc.AnonymizeClientIP
 		config.QueryLog.Enabled = dc.Enabled
 		config.QueryLog.FileEnabled = dc.FileEnabled
-		config.QueryLog.Interval = timeutil.Duration{Duration: dc.RotationIvl}
+		config.QueryLog.Interval = timeutil.Duration(dc.RotationIvl)
 		config.QueryLog.MemSize = dc.MemSize
 		config.QueryLog.Ignored = dc.Ignored.Values()
 	}
--- a/internal/home/controlinstall.go
+++ b/internal/home/controlinstall.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log/slog"
 	"net/http"
 	"net/netip"
 	"os"
@@ -19,7 +20,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/version"
 	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/quic-go/quic-go/http3"
 )

@@ -124,6 +125,8 @@ func (req *checkConfReq) validateWeb(tcpPorts aghalg.UniqChecker[tcpPort]) (err
 // be set.  canAutofix is true if the port can be unbound by AdGuard Home
 // automatically.
 func (req *checkConfReq) validateDNS(
+	ctx context.Context,
+	l *slog.Logger,
 	tcpPorts aghalg.UniqChecker[tcpPort],
 ) (canAutofix bool, err error) {
 	defer func() { err = errors.Annotate(err, "validating ports: %w") }()
@@ -154,10 +157,10 @@ func (req *checkConfReq) validateDNS(
 	}

 	// Try to fix automatically.
-	canAutofix = checkDNSStubListener()
+	canAutofix = checkDNSStubListener(ctx, l)
 	if canAutofix && req.DNS.Autofix {
-		if derr := disableDNSStubListener(); derr != nil {
-			log.Error("disabling DNSStubListener: %s", err)
+		if derr := disableDNSStubListener(ctx, l); derr != nil {
+			l.ErrorContext(ctx, "disabling DNSStubListener", slogutil.KeyError, err)
 		}

 		err = aghnet.CheckPort("udp", netip.AddrPortFrom(req.DNS.IP, port))
@@ -184,7 +187,7 @@ func (web *webAPI) handleInstallCheckConfig(w http.ResponseWriter, r *http.Reque
 		resp.Web.Status = err.Error()
 	}

-	if resp.DNS.CanAutofix, err = req.validateDNS(tcpPorts); err != nil {
+	if resp.DNS.CanAutofix, err = req.validateDNS(r.Context(), web.logger, tcpPorts); err != nil {
 		resp.DNS.Status = err.Error()
 	} else if !req.DNS.IP.IsUnspecified() {
 		resp.StaticIP = handleStaticIP(req.DNS.IP, req.SetStaticIP)
@@ -233,27 +236,39 @@ func handleStaticIP(ip netip.Addr, set bool) staticIPJSON {
 	return resp
 }

-// Check if DNSStubListener is active
-func checkDNSStubListener() bool {
+// checkDNSStubListener returns true if DNSStubListener is active.
+func checkDNSStubListener(ctx context.Context, l *slog.Logger) (ok bool) {
 	if runtime.GOOS != "linux" {
 		return false
 	}

 	cmd := exec.Command("systemctl", "is-enabled", "systemd-resolved")
-	log.Tracef("executing %s %v", cmd.Path, cmd.Args)
+	l.DebugContext(ctx, "executing", "cmd", cmd.Path, "args", cmd.Args)
 	_, err := cmd.Output()
 	if err != nil || cmd.ProcessState.ExitCode() != 0 {
-		log.Info("command %s has failed: %v code:%d",
-			cmd.Path, err, cmd.ProcessState.ExitCode())
+		l.InfoContext(
+			ctx,
+			"execution failed",
+			"cmd", cmd.Path,
+			"code", cmd.ProcessState.ExitCode(),
+			slogutil.KeyError, err,
+		)
+
 		return false
 	}

 	cmd = exec.Command("grep", "-E", "#?DNSStubListener=yes", "/etc/systemd/resolved.conf")
-	log.Tracef("executing %s %v", cmd.Path, cmd.Args)
+	l.DebugContext(ctx, "executing", "cmd", cmd.Path, "args", cmd.Args)
 	_, err = cmd.Output()
 	if err != nil || cmd.ProcessState.ExitCode() != 0 {
-		log.Info("command %s has failed: %v code:%d",
-			cmd.Path, err, cmd.ProcessState.ExitCode())
+		l.InfoContext(
+			ctx,
+			"execution failed",
+			"cmd", cmd.Path,
+			"code", cmd.ProcessState.ExitCode(),
+			slogutil.KeyError, err,
+		)
+
 		return false
 	}

@@ -269,8 +284,9 @@ DNSStubListener=no
 )
 const resolvConfPath = "/etc/resolv.conf"

-// Deactivate DNSStubListener
-func disableDNSStubListener() (err error) {
+// disableDNSStubListener deactivates DNSStubListerner and returns an error, if
+// any.
+func disableDNSStubListener(ctx context.Context, l *slog.Logger) (err error) {
 	dir := filepath.Dir(resolvedConfPath)
 	err = os.MkdirAll(dir, 0o755)
 	if err != nil {
@@ -290,7 +306,7 @@ func disableDNSStubListener() (err error) {
 	}

 	cmd := exec.Command("systemctl", "reload-or-restart", "systemd-resolved")
-	log.Tracef("executing %s %v", cmd.Path, cmd.Args)
+	l.DebugContext(ctx, "executing", "cmd", cmd.Path, "args", cmd.Args)
 	_, err = cmd.Output()
 	if err != nil {
 		return err
@@ -327,9 +343,9 @@ func copyInstallSettings(dst, src *configuration) {
 // shutdownTimeout is the timeout for shutting HTTP server down operation.
 const shutdownTimeout = 5 * time.Second

-// shutdownSrv shuts srv down and prints error messages to the log.
-func shutdownSrv(ctx context.Context, srv *http.Server) {
-	defer log.OnPanic("")
+// shutdownSrv shuts down srv and logs the error, if any.  l must not be nil.
+func shutdownSrv(ctx context.Context, l *slog.Logger, srv *http.Server) {
+	defer slogutil.RecoverAndLog(ctx, l)

 	if srv == nil {
 		return
@@ -340,19 +356,19 @@ func shutdownSrv(ctx context.Context, srv *http.Server) {
 		return
 	}

-	const msgFmt = "shutting down http server %q: %s"
-	if errors.Is(err, context.Canceled) {
-		log.Debug(msgFmt, srv.Addr, err)
-	} else {
-		log.Error(msgFmt, srv.Addr, err)
+	lvl := slog.LevelDebug
+	if !errors.Is(err, context.Canceled) {
+		lvl = slog.LevelError
 	}
+
+	l.Log(ctx, lvl, "shutting down http server", "addr", srv.Addr, slogutil.KeyError, err)
 }

-// shutdownSrv3 shuts srv down and prints error messages to the log.
+// shutdownSrv3 shuts down srv and logs the error, if any.  l must not be nil.
 //
 // TODO(a.garipov): Think of a good way to merge with [shutdownSrv].
-func shutdownSrv3(srv *http3.Server) {
-	defer log.OnPanic("")
+func shutdownSrv3(ctx context.Context, l *slog.Logger, srv *http3.Server) {
+	defer slogutil.RecoverAndLog(ctx, l)

 	if srv == nil {
 		return
@@ -363,12 +379,12 @@ func shutdownSrv3(srv *http3.Server) {
 		return
 	}

-	const msgFmt = "shutting down http/3 server %q: %s"
-	if errors.Is(err, context.Canceled) {
-		log.Debug(msgFmt, srv.Addr, err)
-	} else {
-		log.Error(msgFmt, srv.Addr, err)
+	lvl := slog.LevelDebug
+	if !errors.Is(err, context.Canceled) {
+		lvl = slog.LevelError
 	}
+
+	l.Log(ctx, lvl, "shutting down http/3 server", "addr", srv.Addr, slogutil.KeyError, err)
 }

 // PasswordMinRunes is the minimum length of user's password in runes.
@@ -436,7 +452,7 @@ func (web *webAPI) handleInstallConfigure(w http.ResponseWriter, r *http.Request
 	// moment we'll allow setting up TLS in the initial configuration or the
 	// configuration itself will use HTTPS protocol, because the underlying
 	// functions potentially restart the HTTPS server.
-	err = startMods(web.logger)
+	err = startMods(web.baseLogger)
 	if err != nil {
 		Context.firstRun = true
 		copyInstallSettings(config, curConfig)
@@ -472,12 +488,11 @@ func (web *webAPI) handleInstallConfigure(w http.ResponseWriter, r *http.Request
 	// and with its own context, because it waits until all requests are handled
 	// and will be blocked by it's own caller.
 	go func(timeout time.Duration) {
-		defer log.OnPanic("web")
-
 		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		defer slogutil.RecoverAndLog(ctx, web.logger)
 		defer cancel()

-		shutdownSrv(ctx, web.httpServer)
+		shutdownSrv(ctx, web.logger, web.httpServer)
 	}(shutdownTimeout)
 }

--- a/internal/home/controlupdate.go
+++ b/internal/home/controlupdate.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"os"
 	"os/exec"
@@ -16,7 +17,8 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
 	"github.com/AdguardTeam/AdGuardHome/internal/updater"
 	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/logutil/slogutil"
+	"github.com/AdguardTeam/golibs/osutil"
 )

 // temporaryError is the interface for temporary errors from the Go standard
@@ -52,7 +54,7 @@ func (web *webAPI) handleVersionJSON(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	err = web.requestVersionInfo(resp, req.Recheck)
+	err = web.requestVersionInfo(r.Context(), resp, req.Recheck)
 	if err != nil {
 		// Don't wrap the error, because it's informative enough as is.
 		aghhttp.Error(r, w, http.StatusBadGateway, "%s", err)
@@ -73,7 +75,11 @@ func (web *webAPI) handleVersionJSON(w http.ResponseWriter, r *http.Request) {

 // requestVersionInfo sets the VersionInfo field of resp if it can reach the
 // update server.
-func (web *webAPI) requestVersionInfo(resp *versionResponse, recheck bool) (err error) {
+func (web *webAPI) requestVersionInfo(
+	ctx context.Context,
+	resp *versionResponse,
+	recheck bool,
+) (err error) {
 	updater := web.conf.updater
 	for range 3 {
 		resp.VersionInfo, err = updater.VersionInfo(recheck)
@@ -89,7 +95,9 @@ func (web *webAPI) requestVersionInfo(resp *versionResponse, recheck bool) (err
 			// See https://github.com/AdguardTeam/AdGuardHome/issues/934.
 			const sleepTime = 2 * time.Second

-			log.Info("update: temp net error: %v; sleeping for %s and retrying", err, sleepTime)
+			err = fmt.Errorf("temp net error: %w; sleeping for %s and retrying", err, sleepTime)
+			web.logger.InfoContext(ctx, "updating version info", slogutil.KeyError, err)
+
 			time.Sleep(sleepTime)

 			continue
@@ -140,7 +148,7 @@ func (web *webAPI) handleUpdate(w http.ResponseWriter, r *http.Request) {
 	// The background context is used because the underlying functions wrap it
 	// with timeout and shut down the server, which handles current request.  It
 	// also should be done in a separate goroutine for the same reason.
-	go finishUpdate(context.Background(), execPath, web.conf.runningAsService)
+	go finishUpdate(context.Background(), web.logger, execPath, web.conf.runningAsService)
 }

 // versionResponse is the response for /control/version.json endpoint.
@@ -180,15 +188,17 @@ func tlsConfUsesPrivilegedPorts(c *tlsConfigSettings) (ok bool) {
 	return c.Enabled && (c.PortHTTPS < 1024 || c.PortDNSOverTLS < 1024 || c.PortDNSOverQUIC < 1024)
 }

-// finishUpdate completes an update procedure.
-func finishUpdate(ctx context.Context, execPath string, runningAsService bool) {
-	var err error
+// finishUpdate completes an update procedure.  It is intended to be used as a
+// goroutine.
+func finishUpdate(ctx context.Context, l *slog.Logger, execPath string, runningAsService bool) {
+	defer slogutil.RecoverAndExit(ctx, l, osutil.ExitCodeFailure)

-	log.Info("stopping all tasks")
+	l.InfoContext(ctx, "stopping all tasks")

 	cleanup(ctx)
 	cleanupAlways()

+	var err error
 	if runtime.GOOS == "windows" {
 		if runningAsService {
 			// NOTE: We can't restart the service via "kardianos/service"
@@ -199,28 +209,28 @@ func finishUpdate(ctx context.Context, execPath string, runningAsService bool) {
 			cmd := exec.Command("cmd", "/c", "net stop AdGuardHome & net start AdGuardHome")
 			err = cmd.Start()
 			if err != nil {
-				log.Fatalf("restarting: stopping: %s", err)
+				panic(fmt.Errorf("restarting service: %w", err))
 			}

-			os.Exit(0)
+			os.Exit(osutil.ExitCodeSuccess)
 		}

 		cmd := exec.Command(execPath, os.Args[1:]...)
-		log.Info("restarting: %q %q", execPath, os.Args[1:])
+		l.InfoContext(ctx, "restarting", "exec_path", execPath, "args", os.Args[1:])
 		cmd.Stdin = os.Stdin
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr
 		err = cmd.Start()
 		if err != nil {
-			log.Fatalf("restarting:: %s", err)
+			panic(fmt.Errorf("restarting: %w", err))
 		}

-		os.Exit(0)
+		os.Exit(osutil.ExitCodeSuccess)
 	}

-	log.Info("restarting: %q %q", execPath, os.Args[1:])
+	l.InfoContext(ctx, "restarting", "exec_path", execPath, "args", os.Args[1:])
 	err = syscall.Exec(execPath, os.Args, os.Environ())
 	if err != nil {
-		log.Fatalf("restarting: %s", err)
+		panic(fmt.Errorf("restarting: %w", err))
 	}
 }
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@@ -47,14 +47,14 @@ func onConfigModified() {

 // initDNS updates all the fields of the [Context] needed to initialize the DNS
 // server and initializes it at last.  It also must not be called unless
-// [config] and [Context] are initialized.  l must not be nil.
+// [config] and [Context] are initialized.  baseLogger must not be nil.
 func initDNS(baseLogger *slog.Logger, statsDir, querylogDir string) (err error) {
 	anonymizer := config.anonymizer()

 	statsConf := stats.Config{
 		Logger:            baseLogger.With(slogutil.KeyPrefix, "stats"),
 		Filename:          filepath.Join(statsDir, "stats.db"),
-		Limit:             config.Stats.Interval.Duration,
+		Limit:             time.Duration(config.Stats.Interval),
 		ConfigModified:    onConfigModified,
 		HTTPRegister:      httpRegister,
 		Enabled:           config.Stats.Enabled,
@@ -80,7 +80,7 @@ func initDNS(baseLogger *slog.Logger, statsDir, querylogDir string) (err error)
 		FindClient:        Context.clients.findMultiple,
 		BaseDir:           querylogDir,
 		AnonymizeClientIP: config.DNS.AnonymizeClientIP,
-		RotationIvl:       config.QueryLog.Interval.Duration,
+		RotationIvl:       time.Duration(config.QueryLog.Interval),
 		MemSize:           config.QueryLog.MemSize,
 		Enabled:           config.QueryLog.Enabled,
 		FileEnabled:       config.QueryLog.FileEnabled,
@@ -243,7 +243,7 @@ func newServerConfig(
 		Config:                 fwdConf,
 		TLSConfig:              newDNSTLSConfig(tlsConf, hosts),
 		TLSAllowUnencryptedDoH: tlsConf.AllowUnencryptedDoH,
-		UpstreamTimeout:        dnsConf.UpstreamTimeout.Duration,
+		UpstreamTimeout:        time.Duration(dnsConf.UpstreamTimeout),
 		TLSv12Roots:            Context.tlsRoots,
 		ConfigModified:         onConfigModified,
 		HTTPRegister:           httpReg,
--- a/internal/home/home.go
+++ b/internal/home/home.go
@@ -167,13 +167,13 @@ func setupContext(opts options) (err error) {
 	if err != nil {
 		log.Error("parsing configuration file: %s", err)

-		os.Exit(1)
+		os.Exit(osutil.ExitCodeFailure)
 	}

 	if opts.checkConfig {
 		log.Info("configuration file is ok")

-		os.Exit(0)
+		os.Exit(osutil.ExitCodeSuccess)
 	}

 	return nil
@@ -522,18 +522,20 @@ func isUpdateEnabled(ctx context.Context, l *slog.Logger, opts *options, customU
 	}
 }

-// initWeb initializes the web module.
+// initWeb initializes the web module.  upd and baseLogger must not be nil.
 func initWeb(
 	ctx context.Context,
 	opts options,
 	clientBuildFS fs.FS,
 	upd *updater.Updater,
-	l *slog.Logger,
+	baseLogger *slog.Logger,
 	customURL bool,
 ) (web *webAPI, err error) {
+	logger := baseLogger.With(slogutil.KeyPrefix, "webapi")
+
 	var clientFS fs.FS
 	if opts.localFrontend {
-		log.Info("warning: using local frontend files")
+		logger.WarnContext(ctx, "using local frontend files")

 		clientFS = os.DirFS("build/static")
 	} else {
@@ -543,10 +545,12 @@ func initWeb(
 		}
 	}

-	disableUpdate := !isUpdateEnabled(ctx, l, &opts, customURL)
+	disableUpdate := !isUpdateEnabled(ctx, baseLogger, &opts, customURL)

 	webConf := &webConfig{
-		updater: upd,
+		updater:    upd,
+		logger:     logger,
+		baseLogger: baseLogger,

 		clientFS: clientFS,

@@ -562,7 +566,7 @@ func initWeb(
 		serveHTTP3:       config.DNS.ServeHTTP3,
 	}

-	web = newWebAPI(webConf, l)
+	web = newWebAPI(ctx, webConf)
 	if web == nil {
 		return nil, errors.Error("can not initialize web")
 	}
@@ -640,7 +644,7 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}) {
 		fatalOnError(err)

 		if config.HTTPConfig.Pprof.Enabled {
-			startPprof(config.HTTPConfig.Pprof.Port)
+			startPprof(slogLogger, config.HTTPConfig.Pprof.Port)
 		}
 	}

@@ -692,7 +696,7 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}) {
 		checkPermissions(ctx, slogLogger, Context.workDir, confPath, dataDir, statsDir, querylogDir)
 	}

-	Context.web.start()
+	Context.web.start(ctx)

 	// Wait for other goroutines to complete their job.
 	<-done
@@ -783,7 +787,7 @@ func initUsers() (auth *Auth, err error) {

 	trustedProxies := netutil.SliceSubnetSet(netutil.UnembedPrefixes(config.DNS.TrustedProxies))

-	sessionTTL := config.HTTPConfig.SessionTTL.Seconds()
+	sessionTTL := time.Duration(config.HTTPConfig.SessionTTL).Seconds()
 	auth = InitAuth(sessFilename, config.Users, uint32(sessionTTL), rateLimiter, trustedProxies)
 	if auth == nil {
 		return nil, errors.Error("initializing auth module failed")
@@ -803,15 +807,15 @@ func (c *configuration) anonymizer() (ipmut *aghnet.IPMut) {
 	return aghnet.NewIPMut(anonFunc)
 }

-// startMods initializes and starts the DNS server after installation.  l must
-// not be nil.
-func startMods(l *slog.Logger) (err error) {
+// startMods initializes and starts the DNS server after installation.
+// baseLogger must not be nil.
+func startMods(baseLogger *slog.Logger) (err error) {
 	statsDir, querylogDir, err := checkStatsAndQuerylogDirs(&Context, config)
 	if err != nil {
 		return err
 	}

-	err = initDNS(l, statsDir, querylogDir)
+	err = initDNS(baseLogger, statsDir, querylogDir)
 	if err != nil {
 		return err
 	}
@@ -984,7 +988,7 @@ func loadCmdLineOpts() (opts options) {
 			exitWithError()
 		}

-		os.Exit(0)
+		os.Exit(osutil.ExitCodeSuccess)
 	}

 	return opts
--- a/internal/home/options.go
+++ b/internal/home/options.go
@@ -10,6 +10,7 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/configmigrate"
 	"github.com/AdguardTeam/AdGuardHome/internal/version"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/osutil"
 	"github.com/AdguardTeam/golibs/stringutil"
 )

@@ -329,7 +330,7 @@ var cmdLineOpts = []cmdLineOpt{{
 				fmt.Println(version.Full())
 			}

-			os.Exit(0)
+			os.Exit(osutil.ExitCodeSuccess)

 			return nil
 		}, nil
--- a/internal/home/web.go
+++ b/internal/home/web.go
@@ -3,6 +3,7 @@ package home
 import (
 	"context"
 	"crypto/tls"
+	"fmt"
 	"io/fs"
 	"log/slog"
 	"net/http"
@@ -15,9 +16,11 @@ import (
 	"github.com/AdguardTeam/AdGuardHome/internal/updater"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
+	"github.com/AdguardTeam/golibs/logutil/slogutil"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/netutil/httputil"
 	"github.com/AdguardTeam/golibs/netutil/urlutil"
+	"github.com/AdguardTeam/golibs/osutil"
 	"github.com/NYTimes/gziphandler"
 	"github.com/quic-go/quic-go/http3"
 	"golang.org/x/net/http2"
@@ -39,6 +42,13 @@ const (
 type webConfig struct {
 	updater *updater.Updater

+	// logger is a slog logger used in webAPI. It must not be nil.
+	logger *slog.Logger
+
+	// baseLogger is used to create loggers for other entities.  It must not be
+	// nil.
+	baseLogger *slog.Logger
+
 	clientFS fs.FS

 	// BindAddr is the binding address with port for plain HTTP web interface.
@@ -94,21 +104,26 @@ type webAPI struct {
 	// logger is a slog logger used in webAPI. It must not be nil.
 	logger *slog.Logger

+	// baseLogger is used to create loggers for other entities.  It must not be
+	// nil.
+	baseLogger *slog.Logger
+
 	// httpsServer is the server that handles HTTPS traffic.  If it is not nil,
 	// [Web.http3Server] must also not be nil.
 	httpsServer httpsServer
 }

-// newWebAPI creates a new instance of the web UI and API server.  l must not be
-// nil.
+// newWebAPI creates a new instance of the web UI and API server.  conf must be
+// valid.
 //
 // TODO(a.garipov):  Return a proper error.
-func newWebAPI(conf *webConfig, l *slog.Logger) (w *webAPI) {
-	log.Info("web: initializing")
+func newWebAPI(ctx context.Context, conf *webConfig) (w *webAPI) {
+	conf.logger.InfoContext(ctx, "initializing")

 	w = &webAPI{
-		conf:   conf,
-		logger: l,
+		conf:       conf,
+		logger:     conf.logger,
+		baseLogger: conf.baseLogger,
 	}

 	clientFS := http.FileServer(http.FS(conf.clientFS))
@@ -118,7 +133,11 @@ func newWebAPI(conf *webConfig, l *slog.Logger) (w *webAPI) {

 	// add handlers for /install paths, we only need them when we're not configured yet
 	if conf.firstRun {
-		log.Info("This is the first launch of AdGuard Home, redirecting everything to /install.html ")
+		conf.logger.InfoContext(
+			ctx,
+			"This is the first launch of AdGuard Home, redirecting everything to /install.html",
+		)
+
 		Context.mux.Handle("/install.html", preInstallHandler(clientFS))
 		w.registerInstallHandlers()
 	} else {
@@ -154,7 +173,9 @@ func webCheckPortAvailable(port uint16) (ok bool) {
 // tlsConfigChanged updates the TLS configuration and restarts the HTTPS server
 // if necessary.
 func (web *webAPI) tlsConfigChanged(ctx context.Context, tlsConf tlsConfigSettings) {
-	log.Debug("web: applying new tls configuration")
+	defer slogutil.RecoverAndExit(ctx, web.logger, osutil.ExitCodeFailure)
+
+	web.logger.DebugContext(ctx, "applying new tls configuration")

 	enabled := tlsConf.Enabled &&
 		tlsConf.PortHTTPS != 0 &&
@@ -165,7 +186,7 @@ func (web *webAPI) tlsConfigChanged(ctx context.Context, tlsConf tlsConfigSettin
 	if enabled {
 		cert, err = tls.X509KeyPair(tlsConf.CertificateChainData, tlsConf.PrivateKeyData)
 		if err != nil {
-			log.Fatal(err)
+			panic(err)
 		}
 	}

@@ -173,8 +194,8 @@ func (web *webAPI) tlsConfigChanged(ctx context.Context, tlsConf tlsConfigSettin
 	if web.httpsServer.server != nil {
 		var cancel context.CancelFunc
 		ctx, cancel = context.WithTimeout(ctx, shutdownTimeout)
-		shutdownSrv(ctx, web.httpsServer.server)
-		shutdownSrv3(web.httpsServer.server3)
+		shutdownSrv(ctx, web.logger, web.httpsServer.server)
+		shutdownSrv3(ctx, web.logger, web.httpsServer.server3)

 		cancel()
 	}
@@ -185,12 +206,17 @@ func (web *webAPI) tlsConfigChanged(ctx context.Context, tlsConf tlsConfigSettin
 	web.httpsServer.cond.L.Unlock()
 }

+// loggerKeyServer is the key used by [webAPI] to identify servers.
+const loggerKeyServer = "server"
+
 // start - start serving HTTP requests
-func (web *webAPI) start() {
-	log.Println("AdGuard Home is available at the following addresses:")
+func (web *webAPI) start(ctx context.Context) {
+	defer slogutil.RecoverAndExit(ctx, web.logger, osutil.ExitCodeFailure)
+
+	web.logger.InfoContext(ctx, "AdGuard Home is available at the following addresses:")

 	// for https, we have a separate goroutine loop
-	go web.tlsServerLoop()
+	go web.tlsServerLoop(ctx)

 	// this loop is used as an ability to change listening host and/or port
 	for !web.httpsServer.inShutdown {
@@ -200,17 +226,19 @@ func (web *webAPI) start() {
 		// Use an h2c handler to support unencrypted HTTP/2, e.g. for proxies.
 		hdlr := h2c.NewHandler(withMiddlewares(Context.mux, limitRequestBody), &http2.Server{})

+		logger := web.baseLogger.With(loggerKeyServer, "plain")
+
 		// Create a new instance, because the Web is not usable after Shutdown.
 		web.httpServer = &http.Server{
-			ErrorLog:          log.StdLog("web: plain", log.DEBUG),
 			Addr:              web.conf.BindAddr.String(),
 			Handler:           hdlr,
 			ReadTimeout:       web.conf.ReadTimeout,
 			ReadHeaderTimeout: web.conf.ReadHeaderTimeout,
 			WriteTimeout:      web.conf.WriteTimeout,
+			ErrorLog:          slog.NewLogLogger(logger.Handler(), slog.LevelError),
 		}
 		go func() {
-			defer log.OnPanic("web: plain")
+			defer slogutil.RecoverAndLog(ctx, web.logger)

 			errs <- web.httpServer.ListenAndServe()
 		}()
@@ -218,7 +246,7 @@ func (web *webAPI) start() {
 		err := <-errs
 		if !errors.Is(err, http.ErrServerClosed) {
 			cleanupAlways()
-			log.Fatal(err)
+			panic(err)
 		}

 		// We use ErrServerClosed as a sign that we need to rebind on a new
@@ -228,7 +256,7 @@ func (web *webAPI) start() {

 // close gracefully shuts down the HTTP servers.
 func (web *webAPI) close(ctx context.Context) {
-	log.Info("stopping http server...")
+	web.logger.InfoContext(ctx, "stopping http server")

 	web.httpsServer.cond.L.Lock()
 	web.httpsServer.inShutdown = true
@@ -238,14 +266,16 @@ func (web *webAPI) close(ctx context.Context) {
 	ctx, cancel = context.WithTimeout(ctx, shutdownTimeout)
 	defer cancel()

-	shutdownSrv(ctx, web.httpsServer.server)
-	shutdownSrv3(web.httpsServer.server3)
-	shutdownSrv(ctx, web.httpServer)
+	shutdownSrv(ctx, web.logger, web.httpsServer.server)
+	shutdownSrv3(ctx, web.logger, web.httpsServer.server3)
+	shutdownSrv(ctx, web.logger, web.httpServer)

-	log.Info("stopped http server")
+	web.logger.InfoContext(ctx, "stopped http server")
 }

-func (web *webAPI) tlsServerLoop() {
+func (web *webAPI) tlsServerLoop(ctx context.Context) {
+	defer slogutil.RecoverAndExit(ctx, web.logger, osutil.ExitCodeFailure)
+
 	for {
 		web.httpsServer.cond.L.Lock()
 		if web.httpsServer.inShutdown {
@@ -273,38 +303,40 @@ func (web *webAPI) tlsServerLoop() {
 		}()

 		addr := netip.AddrPortFrom(web.conf.BindAddr.Addr(), portHTTPS).String()
+		logger := web.baseLogger.With(loggerKeyServer, "https")
+
 		web.httpsServer.server = &http.Server{
-			ErrorLog: log.StdLog("web: https", log.DEBUG),
-			Addr:     addr,
+			Addr:    addr,
+			Handler: withMiddlewares(Context.mux, limitRequestBody),
 			TLSConfig: &tls.Config{
 				Certificates: []tls.Certificate{web.httpsServer.cert},
 				RootCAs:      Context.tlsRoots,
 				CipherSuites: Context.tlsCipherIDs,
 				MinVersion:   tls.VersionTLS12,
 			},
-			Handler:           withMiddlewares(Context.mux, limitRequestBody),
 			ReadTimeout:       web.conf.ReadTimeout,
 			ReadHeaderTimeout: web.conf.ReadHeaderTimeout,
 			WriteTimeout:      web.conf.WriteTimeout,
+			ErrorLog:          slog.NewLogLogger(logger.Handler(), slog.LevelError),
 		}

 		printHTTPAddresses(urlutil.SchemeHTTPS)

 		if web.conf.serveHTTP3 {
-			go web.mustStartHTTP3(addr)
+			go web.mustStartHTTP3(ctx, addr)
 		}

-		log.Debug("web: starting https server")
+		web.logger.DebugContext(ctx, "starting https server")
 		err := web.httpsServer.server.ListenAndServeTLS("", "")
 		if !errors.Is(err, http.ErrServerClosed) {
 			cleanupAlways()
-			log.Fatalf("web: https: %s", err)
+			panic(fmt.Errorf("https: %w", err))
 		}
 	}
 }

-func (web *webAPI) mustStartHTTP3(address string) {
-	defer log.OnPanic("web: http3")
+func (web *webAPI) mustStartHTTP3(ctx context.Context, address string) {
+	defer slogutil.RecoverAndExit(ctx, web.logger, osutil.ExitCodeFailure)

 	web.httpsServer.server3 = &http3.Server{
 		// TODO(a.garipov): See if there is a way to use the error log as
@@ -319,16 +351,16 @@ func (web *webAPI) mustStartHTTP3(address string) {
 		Handler: withMiddlewares(Context.mux, limitRequestBody),
 	}

-	log.Debug("web: starting http/3 server")
+	web.logger.DebugContext(ctx, "starting http/3 server")
 	err := web.httpsServer.server3.ListenAndServe()
 	if !errors.Is(err, http.ErrServerClosed) {
 		cleanupAlways()
-		log.Fatalf("web: http3: %s", err)
+		panic(fmt.Errorf("http3: %w", err))
 	}
 }

 // startPprof launches the debug and profiling server on the provided port.
-func startPprof(port uint16) {
+func startPprof(baseLogger *slog.Logger, port uint16) {
 	addr := netip.AddrPortFrom(netutil.IPv4Localhost(), port)

 	runtime.SetBlockProfileRate(1)
@@ -337,13 +369,16 @@ func startPprof(port uint16) {
 	mux := http.NewServeMux()
 	httputil.RoutePprof(mux)

-	go func() {
-		defer log.OnPanic("pprof server")
+	ctx := context.Background()
+	logger := baseLogger.With(slogutil.KeyPrefix, "pprof")

-		log.Info("pprof: listening on %q", addr)
+	go func() {
+		defer slogutil.RecoverAndLog(ctx, logger)
+
+		logger.InfoContext(ctx, "listening", "addr", addr)
 		err := http.ListenAndServe(addr.String(), mux)
 		if !errors.Is(err, http.ErrServerClosed) {
-			log.Error("pprof: shutting down: %s", err)
+			logger.ErrorContext(ctx, "shutting down", slogutil.KeyError, err)
 		}
 	}()
 }
--- a/internal/next/agh/agh.go
+++ b/internal/next/agh/agh.go
@@ -13,6 +13,7 @@ import (
 type ServiceWithConfig[ConfigType any] interface {
 	service.Interface

+	// Config returns a deep clone of the configuration of the service.
 	Config() (c ConfigType)
 }

--- a/internal/next/changelog.md
+++ b/internal/next/changelog.md
@@ -1,15 +1,17 @@
 # AdGuard Home v0.108.0 Changelog DRAFT

-This changelog should be merged into the main one once the next API matures
-enough.
+This changelog should be merged into the main one once the next API matures enough.

 ## [v0.108.0] - TODO

 ### Added

 - The ability to change the port of the pprof debug API.
+
 - The ability to log to stderr using `--logFile=stderr`.
+
 - The new `--web-addr` flag to set the Web UI address in a `host:port` form.
+
 - `SIGHUP` now reloads all configuration from the configuration file ([#5676]).

 ### Changed
@@ -20,20 +22,21 @@ enough.

 #### Other changes

- `-h` is now an alias for `--help` instead of the removed `--host`, see below.
-  Use `--web-addr=host:port` to set an address on which to serve the Web UI.
+- `-h` is now an alias for `--help` instead of the removed `--host`, see below. Use `--web-addr=host:port` to set an address on which to serve the Web UI.

 ### Fixed

 - `--check-config` breaking the configuration file ([#4067]).
+
 - Inconsistent application of `--work-dir/-w` ([#2598], [#2902]).
+
 - The order of `-v/--verbose` and `--version` being significant ([#2893]).

 ### Removed

 - The deprecated `--no-mem-optimization` and `--no-etc-hosts` flags.
- `--host` and `-p/--port` flags.  Use `--web-addr=host:port` to set an address
-  on which to serve the Web UI.  `-h` is now an alias for `--help`, see above.
+
+- `--host` and `-p/--port` flags.  Use `--web-addr=host:port` to set an address on which to serve the Web UI.  `-h` is now an alias for `--help`, see above.

 [#2598]: https://github.com/AdguardTeam/AdGuardHome/issues/2598
 [#2893]: https://github.com/AdguardTeam/AdGuardHome/issues/2893
--- a/internal/next/configmgr/config.go
+++ b/internal/next/configmgr/config.go
@@ -1,12 +1,12 @@
 package configmgr

 import (
-	"fmt"
 	"net/netip"

 	"github.com/AdguardTeam/golibs/container"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/timeutil"
+	"github.com/AdguardTeam/golibs/validate"
 )

 // config is the top-level on-disk configuration structure.
@@ -19,10 +19,10 @@ type config struct {
 }

 // type check
-var _ validator = (*config)(nil)
+var _ validate.Interface = (*config)(nil)

-// validate implements the [validator] interface for *config.
-func (c *config) validate() (err error) {
+// Validate implements the [validate.Interface] interface for *config.
+func (c *config) Validate() (err error) {
 	if c == nil {
 		return errors.ErrNoValue
 	}
@@ -30,7 +30,7 @@ func (c *config) validate() (err error) {
 	// TODO(a.garipov): Add more validations.

 	// Keep this in the same order as the fields in the config.
-	validators := container.KeyValues[string, validator]{{
+	validators := container.KeyValues[string, validate.Interface]{{
 		Key:   "dns",
 		Value: c.DNS,
 	}, {
@@ -41,14 +41,12 @@ func (c *config) validate() (err error) {
 		Value: c.Log,
 	}}

+	var errs []error
 	for _, kv := range validators {
-		err = kv.Value.validate()
-		if err != nil {
-			return fmt.Errorf("%s: %w", kv.Key, err)
-		}
+		errs = validate.Append(errs, kv.Key, kv.Value)
 	}

-	return nil
+	return errors.Join(errs...)
 }

 // dnsConfig is the on-disk DNS configuration.
@@ -63,21 +61,19 @@ type dnsConfig struct {
 }

 // type check
-var _ validator = (*dnsConfig)(nil)
+var _ validate.Interface = (*dnsConfig)(nil)

-// validate implements the [validator] interface for *dnsConfig.
+// Validate implements the [validate.Interface] interface for *dnsConfig.
 //
 // TODO(a.garipov): Add more validations.
-func (c *dnsConfig) validate() (err error) {
-	// TODO(a.garipov): Add more validations.
-	switch {
-	case c == nil:
+func (c *dnsConfig) Validate() (err error) {
+	if c == nil {
 		return errors.ErrNoValue
-	case c.UpstreamTimeout.Duration <= 0:
-		return newErrNotPositive("upstream_timeout", c.UpstreamTimeout)
-	default:
-		return nil
 	}
+
+	// TODO(a.garipov): Add more validations.
+
+	return validate.Positive("upstream_timeout", c.UpstreamTimeout)
 }

 // httpConfig is the on-disk web API configuration.
@@ -92,20 +88,23 @@ type httpConfig struct {
 }

 // type check
-var _ validator = (*httpConfig)(nil)
+var _ validate.Interface = (*httpConfig)(nil)

-// validate implements the [validator] interface for *httpConfig.
+// Validate implements the [validate.Interface] interface for *httpConfig.
 //
 // TODO(a.garipov): Add more validations.
-func (c *httpConfig) validate() (err error) {
-	switch {
-	case c == nil:
+func (c *httpConfig) Validate() (err error) {
+	if c == nil {
 		return errors.ErrNoValue
-	case c.Timeout.Duration <= 0:
-		return newErrNotPositive("timeout", c.Timeout)
-	default:
-		return c.Pprof.validate()
 	}
+
+	errs := []error{
+		validate.Positive("timeout", c.Timeout),
+	}
+
+	errs = validate.Append(errs, "pprof", c.Pprof)
+
+	return errors.Join(errs...)
 }

 // httpPprofConfig is the on-disk pprof configuration.
@@ -115,10 +114,10 @@ type httpPprofConfig struct {
 }

 // type check
-var _ validator = (*httpPprofConfig)(nil)
+var _ validate.Interface = (*httpPprofConfig)(nil)

-// validate implements the [validator] interface for *httpPprofConfig.
-func (c *httpPprofConfig) validate() (err error) {
+// Validate implements the [validate.Interface] interface for *httpPprofConfig.
+func (c *httpPprofConfig) Validate() (err error) {
 	if c == nil {
 		return errors.ErrNoValue
 	}
@@ -128,17 +127,17 @@ func (c *httpPprofConfig) validate() (err error) {

 // logConfig is the on-disk web API configuration.
 type logConfig struct {
-	// TODO(a.garipov): Use.
+	// TODO(a.garipov):  Use.
 	Verbose bool `yaml:"verbose"`
 }

 // type check
-var _ validator = (*logConfig)(nil)
+var _ validate.Interface = (*logConfig)(nil)

-// validate implements the [validator] interface for *logConfig.
+// Validate implements the [validate.Interface] interface for *logConfig.
 //
 // TODO(a.garipov): Add more validations.
-func (c *logConfig) validate() (err error) {
+func (c *logConfig) Validate() (err error) {
 	if c == nil {
 		return errors.ErrNoValue
 	}
--- a/internal/next/configmgr/configmgr.go
+++ b/internal/next/configmgr/configmgr.go
@@ -63,7 +63,7 @@ func Validate(fileName string) (err error) {
 		return err
 	}

-	err = conf.validate()
+	err = conf.Validate()
 	if err != nil {
 		return fmt.Errorf("validating config: %w", err)
 	}
@@ -105,7 +105,7 @@ func New(ctx context.Context, c *Config) (m *Manager, err error) {
 		return nil, err
 	}

-	err = conf.validate()
+	err = conf.Validate()
 	if err != nil {
 		return nil, fmt.Errorf("validating config: %w", err)
 	}
@@ -162,7 +162,7 @@ func (m *Manager) assemble(
 		BootstrapServers:    conf.DNS.BootstrapDNS,
 		UpstreamServers:     conf.DNS.UpstreamDNS,
 		DNS64Prefixes:       conf.DNS.DNS64Prefixes,
-		UpstreamTimeout:     conf.DNS.UpstreamTimeout.Duration,
+		UpstreamTimeout:     time.Duration(conf.DNS.UpstreamTimeout),
 		BootstrapPreferIPv6: conf.DNS.BootstrapPreferIPv6,
 		UseDNS64:            conf.DNS.UseDNS64,
 	}
@@ -185,7 +185,7 @@ func (m *Manager) assemble(
 		Addresses:       conf.HTTP.Addresses,
 		SecureAddresses: conf.HTTP.SecureAddresses,
 		OverrideAddress: webAddr,
-		Timeout:         conf.HTTP.Timeout.Duration,
+		Timeout:         time.Duration(conf.HTTP.Timeout),
 		ForceHTTPS:      conf.HTTP.ForceHTTPS,
 	}

@@ -266,7 +266,7 @@ func (m *Manager) updateCurrentDNS(c *dnssvc.Config) {
 	m.current.DNS.BootstrapDNS = slices.Clone(c.BootstrapServers)
 	m.current.DNS.UpstreamDNS = slices.Clone(c.UpstreamServers)
 	m.current.DNS.DNS64Prefixes = slices.Clone(c.DNS64Prefixes)
-	m.current.DNS.UpstreamTimeout = timeutil.Duration{Duration: c.UpstreamTimeout}
+	m.current.DNS.UpstreamTimeout = timeutil.Duration(c.UpstreamTimeout)
 	m.current.DNS.BootstrapPreferIPv6 = c.BootstrapPreferIPv6
 	m.current.DNS.UseDNS64 = c.UseDNS64
 }
@@ -318,6 +318,6 @@ func (m *Manager) updateCurrentWeb(c *websvc.Config) {

 	m.current.HTTP.Addresses = slices.Clone(c.Addresses)
 	m.current.HTTP.SecureAddresses = slices.Clone(c.SecureAddresses)
-	m.current.HTTP.Timeout = timeutil.Duration{Duration: c.Timeout}
+	m.current.HTTP.Timeout = timeutil.Duration(c.Timeout)
 	m.current.HTTP.ForceHTTPS = c.ForceHTTPS
 }
--- a/internal/next/configmgr/error.go
+++ b/internal/next/configmgr/error.go
@@ -1,31 +0,0 @@
-package configmgr
-
-import (
-	"fmt"
-
-	"github.com/AdguardTeam/golibs/errors"
-	"github.com/AdguardTeam/golibs/timeutil"
-	"golang.org/x/exp/constraints"
-)
-
-// validator is the interface for configuration entities that can validate
-// themselves.
-type validator interface {
-	// validate returns an error if the entity isn't valid.
-	validate() (err error)
-}
-
-// numberOrDuration is the constraint for integer types along with
-// timeutil.Duration.
-type numberOrDuration interface {
-	constraints.Integer | timeutil.Duration
-}
-
-// newErrNotPositive returns an error about the value that must be positive but
-// isn't.  prop is the name of the property to mention in the error message.
-//
-// TODO(a.garipov): Consider moving such helpers to golibs and use in AdGuardDNS
-// as well.
-func newErrNotPositive[T numberOrDuration](prop string, v T) (err error) {
-	return fmt.Errorf("%s: %w, got %v", prop, errors.ErrNotPositive, v)
-}
--- a/internal/next/jsonpatch/jsonpatch.go
+++ b/internal/next/jsonpatch/jsonpatch.go
@@ -0,0 +1,43 @@
+// Package jsonpatch contains utilities for JSON Merge Patch APIs.
+//
+// See https://www.rfc-editor.org/rfc/rfc7396.
+package jsonpatch
+
+import (
+	"bytes"
+	"encoding/json"
+
+	"github.com/AdguardTeam/golibs/errors"
+)
+
+// NonRemovable is a type that prevents JSON null from being used to try and
+// remove a value.
+type NonRemovable[T any] struct {
+	Value T
+	IsSet bool
+}
+
+// type check
+var _ json.Unmarshaler = (*NonRemovable[struct{}])(nil)
+
+// UnmarshalJSON implements the [json.Unmarshaler] interface for *NonRemovable.
+func (v *NonRemovable[T]) UnmarshalJSON(b []byte) (err error) {
+	if v == nil {
+		return errors.Error("jsonpatch.NonRemovable is nil")
+	}
+
+	if bytes.Equal(b, []byte("null")) {
+		return errors.Error("property cannot be removed")
+	}
+
+	v.IsSet = true
+
+	return json.Unmarshal(b, &v.Value)
+}
+
+// Set sets ptr if the value has been provided.
+func (v NonRemovable[T]) Set(ptr *T) {
+	if v.IsSet {
+		*ptr = v.Value
+	}
+}
--- a/internal/next/jsonpatch/jsonpatch_test.go
+++ b/internal/next/jsonpatch/jsonpatch_test.go
@@ -0,0 +1,29 @@
+package jsonpatch_test
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/next/jsonpatch"
+	"github.com/AdguardTeam/golibs/testutil"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNonRemovable(t *testing.T) {
+	type T struct {
+		Value jsonpatch.NonRemovable[int] `json:"value"`
+	}
+
+	var v T
+
+	err := json.Unmarshal([]byte(`{"value":null}`), &v)
+	testutil.AssertErrorMsg(t, "property cannot be removed", err)
+
+	err = json.Unmarshal([]byte(`{"value":42}`), &v)
+	assert.NoError(t, err)
+
+	var got int
+	v.Value.Set(&got)
+
+	assert.Equal(t, 42, got)
+}
--- a/internal/next/websvc/dns.go
+++ b/internal/next/websvc/dns.go
@@ -5,10 +5,9 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
-	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
-	"github.com/AdguardTeam/AdGuardHome/internal/next/dnssvc"
+	"github.com/AdguardTeam/AdGuardHome/internal/next/jsonpatch"
 )

 // ReqPatchSettingsDNS describes the request to the PATCH /api/v1/settings/dns
@@ -16,13 +15,15 @@ import (
 type ReqPatchSettingsDNS struct {
 	// TODO(a.garipov): Add more as we go.

-	Addresses           []netip.AddrPort     `json:"addresses"`
-	BootstrapServers    []string             `json:"bootstrap_servers"`
-	UpstreamServers     []string             `json:"upstream_servers"`
-	DNS64Prefixes       []netip.Prefix       `json:"dns64_prefixes"`
-	UpstreamTimeout     aghhttp.JSONDuration `json:"upstream_timeout"`
-	BootstrapPreferIPv6 bool                 `json:"bootstrap_prefer_ipv6"`
-	UseDNS64            bool                 `json:"use_dns64"`
+	Addresses        jsonpatch.NonRemovable[[]netip.AddrPort] `json:"addresses"`
+	BootstrapServers jsonpatch.NonRemovable[[]string]         `json:"bootstrap_servers"`
+	UpstreamServers  jsonpatch.NonRemovable[[]string]         `json:"upstream_servers"`
+	DNS64Prefixes    jsonpatch.NonRemovable[[]netip.Prefix]   `json:"dns64_prefixes"`
+
+	UpstreamTimeout jsonpatch.NonRemovable[aghhttp.JSONDuration] `json:"upstream_timeout"`
+
+	BootstrapPreferIPv6 jsonpatch.NonRemovable[bool] `json:"bootstrap_prefer_ipv6"`
+	UseDNS64            jsonpatch.NonRemovable[bool] `json:"use_dns64"`
 }

 // HTTPAPIDNSSettings are the DNS settings as used by the HTTP API.  See the
@@ -42,13 +43,7 @@ type HTTPAPIDNSSettings struct {
 // handlePatchSettingsDNS is the handler for the PATCH /api/v1/settings/dns HTTP
 // API.
 func (svc *Service) handlePatchSettingsDNS(w http.ResponseWriter, r *http.Request) {
-	req := &ReqPatchSettingsDNS{
-		Addresses:        []netip.AddrPort{},
-		BootstrapServers: []string{},
-		UpstreamServers:  []string{},
-	}
-
-	// TODO(a.garipov): Validate nulls and proper JSON patch.
+	req := &ReqPatchSettingsDNS{}

 	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
@@ -57,16 +52,20 @@ func (svc *Service) handlePatchSettingsDNS(w http.ResponseWriter, r *http.Reques
 		return
 	}

-	newConf := &dnssvc.Config{
-		Logger:              svc.logger,
-		Addresses:           req.Addresses,
-		BootstrapServers:    req.BootstrapServers,
-		UpstreamServers:     req.UpstreamServers,
-		DNS64Prefixes:       req.DNS64Prefixes,
-		UpstreamTimeout:     time.Duration(req.UpstreamTimeout),
-		BootstrapPreferIPv6: req.BootstrapPreferIPv6,
-		UseDNS64:            req.UseDNS64,
-	}
+	dnsSvc := svc.confMgr.DNS()
+	newConf := dnsSvc.Config()
+
+	// TODO(a.garipov): Add more as we go.
+
+	req.Addresses.Set(&newConf.Addresses)
+	req.BootstrapServers.Set(&newConf.BootstrapServers)
+	req.UpstreamServers.Set(&newConf.UpstreamServers)
+	req.DNS64Prefixes.Set(&newConf.DNS64Prefixes)
+
+	req.UpstreamTimeout.Set((*aghhttp.JSONDuration)(&newConf.UpstreamTimeout))
+
+	req.BootstrapPreferIPv6.Set(&newConf.BootstrapPreferIPv6)
+	req.UseDNS64.Set(&newConf.UseDNS64)

 	ctx := r.Context()
 	err = svc.confMgr.UpdateDNS(ctx, newConf)
--- a/internal/next/websvc/dns_test.go
+++ b/internal/next/websvc/dns_test.go
@@ -41,7 +41,7 @@ func TestService_HandlePatchSettingsDNS(t *testing.T) {
 				return nil
 			},
 			OnShutdown: func(_ context.Context) (err error) { panic("not implemented") },
-			OnConfig:   func() (c *dnssvc.Config) { panic("not implemented") },
+			OnConfig:   func() (c *dnssvc.Config) { return &dnssvc.Config{} },
 		}
 	}
 	confMgr.onUpdateDNS = func(ctx context.Context, c *dnssvc.Config) (err error) {
--- a/internal/next/websvc/http.go
+++ b/internal/next/websvc/http.go
@@ -10,6 +10,7 @@ import (

 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/next/agh"
+	"github.com/AdguardTeam/AdGuardHome/internal/next/jsonpatch"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
 )

@@ -20,9 +21,12 @@ type ReqPatchSettingsHTTP struct {
 	//
 	// TODO(a.garipov): Add wait time.

-	Addresses       []netip.AddrPort     `json:"addresses"`
-	SecureAddresses []netip.AddrPort     `json:"secure_addresses"`
-	Timeout         aghhttp.JSONDuration `json:"timeout"`
+	Addresses       jsonpatch.NonRemovable[[]netip.AddrPort] `json:"addresses"`
+	SecureAddresses jsonpatch.NonRemovable[[]netip.AddrPort] `json:"secure_addresses"`
+
+	Timeout jsonpatch.NonRemovable[aghhttp.JSONDuration] `json:"timeout"`
+
+	ForceHTTPS jsonpatch.NonRemovable[bool] `json:"force_https"`
 }

 // HTTPAPIHTTPSettings are the HTTP settings as used by the HTTP API.  See the
@@ -41,8 +45,6 @@ type HTTPAPIHTTPSettings struct {
 func (svc *Service) handlePatchSettingsHTTP(w http.ResponseWriter, r *http.Request) {
 	req := &ReqPatchSettingsHTTP{}

-	// TODO(a.garipov): Validate nulls and proper JSON patch.
-
 	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		aghhttp.WriteJSONResponseError(w, r, fmt.Errorf("decoding: %w", err))
@@ -50,20 +52,14 @@ func (svc *Service) handlePatchSettingsHTTP(w http.ResponseWriter, r *http.Reque
 		return
 	}

-	newConf := &Config{
-		Logger: svc.logger,
-		Pprof: &PprofConfig{
-			Port:    svc.pprofPort,
-			Enabled: svc.pprof != nil,
-		},
-		ConfigManager:   svc.confMgr,
-		Frontend:        svc.frontend,
-		TLS:             svc.tls,
-		Addresses:       req.Addresses,
-		SecureAddresses: req.SecureAddresses,
-		Timeout:         time.Duration(req.Timeout),
-		ForceHTTPS:      svc.forceHTTPS,
-	}
+	newConf := svc.Config()
+
+	// TODO(a.garipov): Add more as we go.
+
+	req.Addresses.Set(&newConf.Addresses)
+	req.SecureAddresses.Set(&newConf.SecureAddresses)
+	req.Timeout.Set((*aghhttp.JSONDuration)(&newConf.Timeout))
+	req.ForceHTTPS.Set(&newConf.ForceHTTPS)

 	aghhttp.WriteJSONResponseOK(w, r, &HTTPAPIHTTPSettings{
 		Addresses:       newConf.Addresses,
--- a/internal/schedule/schedule.go
+++ b/internal/schedule/schedule.go
@@ -163,8 +163,8 @@ func (w *Weekly) UnmarshalYAML(value *yaml.Node) (err error) {
 	}
 	for i, d := range days {
 		r := dayRange{
-			start: d.Start.Duration,
-			end:   d.End.Duration,
+			start: time.Duration(d.Start),
+			end:   time.Duration(d.End),
 		}

 		err = w.validate(r)
@@ -255,32 +255,32 @@ func (w *Weekly) MarshalYAML() (v any, err error) {
 	return weeklyConfigYAML{
 		TimeZone: w.location.String(),
 		Sunday: dayConfigYAML{
-			Start: timeutil.Duration{Duration: w.days[time.Sunday].start},
-			End:   timeutil.Duration{Duration: w.days[time.Sunday].end},
+			Start: timeutil.Duration(w.days[time.Sunday].start),
+			End:   timeutil.Duration(w.days[time.Sunday].end),
 		},
 		Monday: dayConfigYAML{
-			Start: timeutil.Duration{Duration: w.days[time.Monday].start},
-			End:   timeutil.Duration{Duration: w.days[time.Monday].end},
+			Start: timeutil.Duration(w.days[time.Monday].start),
+			End:   timeutil.Duration(w.days[time.Monday].end),
 		},
 		Tuesday: dayConfigYAML{
-			Start: timeutil.Duration{Duration: w.days[time.Tuesday].start},
-			End:   timeutil.Duration{Duration: w.days[time.Tuesday].end},
+			Start: timeutil.Duration(w.days[time.Tuesday].start),
+			End:   timeutil.Duration(w.days[time.Tuesday].end),
 		},
 		Wednesday: dayConfigYAML{
-			Start: timeutil.Duration{Duration: w.days[time.Wednesday].start},
-			End:   timeutil.Duration{Duration: w.days[time.Wednesday].end},
+			Start: timeutil.Duration(w.days[time.Wednesday].start),
+			End:   timeutil.Duration(w.days[time.Wednesday].end),
 		},
 		Thursday: dayConfigYAML{
-			Start: timeutil.Duration{Duration: w.days[time.Thursday].start},
-			End:   timeutil.Duration{Duration: w.days[time.Thursday].end},
+			Start: timeutil.Duration(w.days[time.Thursday].start),
+			End:   timeutil.Duration(w.days[time.Thursday].end),
 		},
 		Friday: dayConfigYAML{
-			Start: timeutil.Duration{Duration: w.days[time.Friday].start},
-			End:   timeutil.Duration{Duration: w.days[time.Friday].end},
+			Start: timeutil.Duration(w.days[time.Friday].start),
+			End:   timeutil.Duration(w.days[time.Friday].end),
 		},
 		Saturday: dayConfigYAML{
-			Start: timeutil.Duration{Duration: w.days[time.Saturday].start},
-			End:   timeutil.Duration{Duration: w.days[time.Saturday].end},
+			Start: timeutil.Duration(w.days[time.Saturday].start),
+			End:   timeutil.Duration(w.days[time.Saturday].end),
 		},
 	}, nil
 }
--- a/internal/stats/http.go
+++ b/internal/stats/http.go
@@ -63,11 +63,7 @@ func (s *StatsCtx) handleStats(w http.ResponseWriter, r *http.Request) {
 		resp, ok = s.getData(uint32(s.limit.Hours()))
 	}()

-	s.logger.DebugContext(
-		ctx,
-		"prepared data",
-		"elapsed", timeutil.Duration{Duration: time.Since(start)},
-	)
+	s.logger.DebugContext(ctx, "prepared data", "elapsed", time.Since(start))

 	if !ok {
 		// Don't bring the message to the lower case since it's a part of UI
--- a/internal/tools/go.mod
+++ b/internal/tools/go.mod
@@ -1,6 +1,6 @@
 module github.com/AdguardTeam/AdGuardHome/internal/tools

-go 1.23.4
+go 1.23.5

 require (
 	github.com/fzipp/gocyclo v0.6.0
@@ -9,8 +9,8 @@ require (
 	github.com/jstemmer/go-junit-report/v2 v2.1.0
 	github.com/kisielk/errcheck v1.8.0
 	github.com/securego/gosec/v2 v2.21.4
-	github.com/uudashr/gocognit v1.1.3
-	golang.org/x/tools v0.27.0
+	github.com/uudashr/gocognit v1.2.0
+	golang.org/x/tools v0.28.0
 	golang.org/x/vuln v1.1.3
 	honnef.co/go/tools v0.5.1
 	mvdan.cc/gofumpt v0.7.0
@@ -21,7 +21,7 @@ require (
 require (
 	cloud.google.com/go v0.116.0 // indirect
 	cloud.google.com/go/ai v0.9.0 // indirect
-	cloud.google.com/go/auth v0.11.0 // indirect
+	cloud.google.com/go/auth v0.12.1 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
 	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	cloud.google.com/go/longrunning v0.6.3 // indirect
@@ -30,8 +30,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/google/generative-ai-go v0.18.0 // indirect
+	github.com/google/generative-ai-go v0.19.0 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/renameio/v2 v2.0.0 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
@@ -41,28 +40,27 @@ require (
 	github.com/gookit/color v1.5.4 // indirect
 	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 // indirect
 	go.opentelemetry.io/otel v1.32.0 // indirect
 	go.opentelemetry.io/otel/metric v1.32.0 // indirect
 	go.opentelemetry.io/otel/trace v1.32.0 // indirect
-	golang.org/x/crypto v0.29.0 // indirect
-	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
-	golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/exp v0.0.0-20241210194714-1829a127f884 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20241210194714-1829a127f884 // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.31.0 // indirect
+	golang.org/x/net v0.32.0 // indirect
 	golang.org/x/oauth2 v0.24.0 // indirect
-	golang.org/x/sync v0.9.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/telemetry v0.0.0-20241108154256-525ce2e96f55 // indirect
-	golang.org/x/term v0.26.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/telemetry v0.0.0-20241204182053-c0ac0e154df3 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.8.0 // indirect
-	google.golang.org/api v0.209.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a // indirect
-	google.golang.org/grpc v1.68.0 // indirect
+	google.golang.org/api v0.211.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/grpc v1.68.1 // indirect
 	google.golang.org/protobuf v1.35.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	mvdan.cc/editorconfig v0.3.0 // indirect
--- a/internal/tools/go.sum
+++ b/internal/tools/go.sum
@@ -1,31 +1,21 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE=
 cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U=
 cloud.google.com/go/ai v0.9.0 h1:r1Ig8O8+Qr3Ia3WfoO+gokD0fxB2Rk4quppuKjmGMsY=
 cloud.google.com/go/ai v0.9.0/go.mod h1:28bKM/oxmRgxmRgI1GLumFv+NSkt+DscAg/gF+54zzY=
-cloud.google.com/go/auth v0.11.0 h1:Ic5SZz2lsvbYcWT5dfjNWgw6tTlGi2Wc8hyQSC9BstA=
-cloud.google.com/go/auth v0.11.0/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI=
+cloud.google.com/go/auth v0.12.1 h1:n2Bj25BUMM0nvE9D2XLTiImanwZhO3DkfWSYS/SAJP4=
+cloud.google.com/go/auth v0.12.1/go.mod h1:BFMu+TNpF3DmvfBO9ClqTR/SiqVIm7LukKF9mbendF4=
 cloud.google.com/go/auth/oauth2adapt v0.2.6 h1:V6a6XDu2lTwPZWOawrAa9HUK+DB2zfJyTuciBG5hFkU=
 cloud.google.com/go/auth/oauth2adapt v0.2.6/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8=
 cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo=
 cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k=
 cloud.google.com/go/longrunning v0.6.3 h1:A2q2vuyXysRcwzqDpMMLSI6mb6o39miS52UEG/Rd2ng=
 cloud.google.com/go/longrunning v0.6.3/go.mod h1:k/vIs83RN4bE3YCswdXC5PFfWVILjm3hpEUlSko4PiI=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs=
 github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/ccojocar/zxcvbn-go v1.0.2 h1:na/czXU8RrhXO4EZme6eQJLR4PzcGsahsBOAwU6I3Vg=
 github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo=
@@ -39,34 +29,14 @@ github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
-github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs=
 github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo=
-github.com/google/generative-ai-go v0.18.0 h1:6ybg9vOCLcI/UpBBYXOTVgvKmcUKFRNj+2Cj3GnebSo=
-github.com/google/generative-ai-go v0.18.0/go.mod h1:JYolL13VG7j79kM5BtHz4qwONHkeJQzOCkKXnpqtS/E=
+github.com/google/generative-ai-go v0.19.0 h1:R71szggh8wHMCUlEMsW2A/3T+5LdEIkiaHSYgSpUgdg=
+github.com/google/generative-ai-go v0.19.0/go.mod h1:JYolL13VG7j79kM5BtHz4qwONHkeJQzOCkKXnpqtS/E=
 github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786 h1:rcv+Ippz6RAtvaGgKxc+8FQIpxHgsF+HBzPyYL2cyVU=
 github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786/go.mod h1:apVn/GCasLZUVpAJ6oWAuyP7Ne7CEsQbTnc0plM3m+o=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -78,7 +48,6 @@ github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qA
 github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
 github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM=
 github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw=
@@ -103,28 +72,19 @@ github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
 github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/securego/gosec/v2 v2.21.4 h1:Le8MSj0PDmOnHJgUATjD96PaXRvCpKC+DGJvwyy0Mlk=
 github.com/securego/gosec/v2 v2.21.4/go.mod h1:Jtb/MwRQfRxCXyCm1rfM1BEiiiTfUOdyzzAhlr6lUTA=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/uudashr/gocognit v1.1.3 h1:l+a111VcDbKfynh+airAy/DJQKaXh2m9vkoysMPSZyM=
-github.com/uudashr/gocognit v1.1.3/go.mod h1:aKH8/e8xbTRBwjbCkwZ8qt4l2EpKXl31KMHgSS+lZ2U=
+github.com/uudashr/gocognit v1.2.0 h1:3BU9aMr1xbhPlvJLSydKwdLN3tEUUrzPSSM8S4hDYRA=
+github.com/uudashr/gocognit v1.2.0/go.mod h1:k/DdKPI6XBZO1q7HgoV2juESI2/Ofj9AcHPZhBBdrTU=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
-go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0 h1:qtFISDHKolvIxzSs0gIaiPUPR0Cucb0F2coHC7ZLdps=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.57.0/go.mod h1:Y+Pop1Q6hCOnETWTW4NROK/q1hv50hM7yDaUTjG8lp8=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.57.0 h1:DheMAlT6POBP+gh8RUH19EOTnQIor5QE0uSRPtzCpSw=
@@ -137,110 +97,68 @@ go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQD
 go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo=
-golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak=
-golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f h1:WTyX8eCCyfdqiPYkRGm0MqElSfYFH3yR1+rl/mct9sA=
-golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/exp v0.0.0-20241210194714-1829a127f884 h1:Y/Mj/94zIQQGHVSv1tTtQBDaQaJe62U9bkDZKKyhPCU=
+golang.org/x/exp v0.0.0-20241210194714-1829a127f884/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c=
+golang.org/x/exp/typeparams v0.0.0-20241210194714-1829a127f884 h1:1xaZTydL5Gsg78QharTwKfA9FY9CZ1VQj6D/AZEvHR0=
+golang.org/x/exp/typeparams v0.0.0-20241210194714-1829a127f884/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
 golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
-golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
+golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
 golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
 golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/telemetry v0.0.0-20241108154256-525ce2e96f55 h1:ZZOVC4W26kVZSAW314SD81pWtiRgWNMbZsgLqKXx9lE=
-golang.org/x/telemetry v0.0.0-20241108154256-525ce2e96f55/go.mod h1:7Vh679jcBo81KQrd4wo0gKov7BE6IHwu1tEhHxHNM30=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20241204182053-c0ac0e154df3 h1:rCLsPBq7l0E9Z451UgkWFkaWYhgt7dGmAlpD6hLjK5I=
+golang.org/x/telemetry v0.0.0-20241204182053-c0ac0e154df3/go.mod h1:8h4Hgq+jcTvCDv2+i7NrfWwpYHcESleo2nGHxLbFLJ4=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
-golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
 golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o=
-golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
+golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
+golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
 golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw=
 golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.209.0 h1:Ja2OXNlyRlWCWu8o+GgI4yUn/wz9h/5ZfFbKz+dQX+w=
-google.golang.org/api v0.209.0/go.mod h1:I53S168Yr/PNDNMi5yPnDc0/LGRZO6o7PoEbl/HY3CM=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a h1:OAiGFfOiA0v9MRYsSidp3ubZaBnteRUyn3xB2ZQ5G/E=
-google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a/go.mod h1:jehYqy3+AhJU9ve55aNOaSml7wUXjF9x6z2LcCfpAhY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a h1:hgh8P4EuoxpsuKMXX/To36nOFD7vixReXgn8lPGnt+o=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
-google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/api v0.211.0 h1:IUpLjq09jxBSV1lACO33CGY3jsRcbctfGzhj+ZSE/Bg=
+google.golang.org/api v0.211.0/go.mod h1:XOloB4MXFH4UTlQSGuNUxw0UT74qdENK8d6JNsXKLi0=
+google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q=
+google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
+google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0=
+google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw=
 google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
 google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.5.1 h1:4bH5o3b5ZULQ4UrBmP+63W9r7qIkqJClEA9ko5YKx+I=
 honnef.co/go/tools v0.5.1/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs=
 mvdan.cc/editorconfig v0.3.0 h1:D1D2wLYEYGpawWT5SpM5pRivgEgXjtEXwC9MWhEY0gQ=