diff --git a/_vendor/github.com/docker/buildx/docs/bake-reference.md b/_vendor/github.com/docker/buildx/docs/bake-reference.md
index a5527b06ab..2043f6f1b9 100644
--- a/_vendor/github.com/docker/buildx/docs/bake-reference.md
+++ b/_vendor/github.com/docker/buildx/docs/bake-reference.md
@@ -236,6 +236,7 @@ The following table shows the complete list of attributes that you can assign to
 | [`no-cache-filter`](#targetno-cache-filter)     | List    | Disable build cache for specific stages                              |
 | [`no-cache`](#targetno-cache)                   | Boolean | Disable build cache completely                                       |
 | [`output`](#targetoutput)                       | List    | Output destinations                                                  |
+| [`policy`](#targetpolicy)                       | List    | Policies to validate build sources and metadata                      |
 | [`platforms`](#targetplatforms)                 | List    | Target platforms                                                     |
 | [`pull`](#targetpull)                           | Boolean | Always pull images                                                   |
 | [`secret`](#targetsecret)                       | List    | Secrets to expose to the build                                       |
@@ -899,6 +900,21 @@ target "default" {
 }
 ```
 
+### `target.policy`
+
+Policies to validate build sources and metadata. Each entry uses the same keys
+as the `--policy` flag for `docker buildx build` (`filename`, `reset`,
+`disabled`, `strict`, `log-level`). Bake also automatically loads
+`Dockerfile.rego` alongside the target Dockerfile when present.
+
+```hcl
+target "default" {
+  policy = [
+    { filename = "extra.rego" },
+  ]
+}
+```
+
 ### `target.platforms`
 
 Set target platforms for the build target.
diff --git a/_vendor/github.com/docker/buildx/docs/bake-stdlib.md b/_vendor/github.com/docker/buildx/docs/bake-stdlib.md
index 119a582392..a5503966e5 100644
--- a/_vendor/github.com/docker/buildx/docs/bake-stdlib.md
+++ b/_vendor/github.com/docker/buildx/docs/bake-stdlib.md
@@ -79,6 +79,7 @@ title: Bake standard library functions
 | [`reverselist`](#reverselist)                       | Returns the given list with its elements in reverse order.                                                                                                                                                   |
 | [`rsadecrypt`](#rsadecrypt)                         | Decrypts an RSA-encrypted ciphertext.                                                                                                                                                                        |
 | [`sanitize`](#sanitize)                             | Replaces all non-alphanumeric characters with a underscore, leaving only characters that are valid for a Bake target name.                                                                                   |
+| [`semvercmp`](#semvercmp)                           | Returns true if version satisfies a constraint.                                                                                                                                                              |
 | [`sethaselement`](#sethaselement)                   | Returns true if the given set contains the given element, or false otherwise.                                                                                                                                |
 | [`setintersection`](#setintersection)               | Returns the intersection of all given sets.                                                                                                                                                                  |
 | [`setproduct`](#setproduct)                         | Calculates the cartesian product of two or more sets.                                                                                                                                                        |
@@ -113,9 +114,7 @@ title: Bake standard library functions
 
 <!---MARKER_STDLIB_END-->
 
-## Examples
-
-### <a name="absolute"></a> `absolute`
+## `absolute`
 
 ```hcl
 # docker-bake.hcl
@@ -128,7 +127,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="add"></a> `add`
+## `add`
 
 ```hcl
 # docker-bake.hcl
@@ -141,7 +140,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="and"></a> `and`
+## `and`
 
 ```hcl
 # docker-bake.hcl
@@ -154,7 +153,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="base64decode"></a> `base64decode`
+## `base64decode`
 
 ```hcl
 # docker-bake.hcl
@@ -167,7 +166,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="base64encode"></a> `base64encode`
+## `base64encode`
 
 ```hcl
 # docker-bake.hcl
@@ -180,7 +179,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="basename"></a> `basename`
+## `basename`
 
 ```hcl
 # docker-bake.hcl
@@ -193,7 +192,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="bcrypt"></a> `bcrypt`
+## `bcrypt`
 
 ```hcl
 # docker-bake.hcl
@@ -206,7 +205,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="byteslen"></a> `byteslen`
+## `byteslen`
 
 ```hcl
 # docker-bake.hcl
@@ -219,7 +218,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="bytesslice"></a> `bytesslice`
+## `bytesslice`
 
 ```hcl
 # docker-bake.hcl
@@ -232,7 +231,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="can"></a> `can`
+## `can`
 
 ```hcl
 # docker-bake.hcl
@@ -245,7 +244,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="ceil"></a> `ceil`
+## `ceil`
 
 ```hcl
 # docker-bake.hcl
@@ -258,7 +257,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="chomp"></a> `chomp`
+## `chomp`
 
 ```hcl
 # docker-bake.hcl
@@ -271,7 +270,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="chunklist"></a> `chunklist`
+## `chunklist`
 
 ```hcl
 # docker-bake.hcl
@@ -284,7 +283,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="cidrhost"></a> `cidrhost`
+## `cidrhost`
 
 ```hcl
 # docker-bake.hcl
@@ -297,7 +296,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="cidrnetmask"></a> `cidrnetmask`
+## `cidrnetmask`
 
 ```hcl
 # docker-bake.hcl
@@ -310,7 +309,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="cidrsubnet"></a> `cidrsubnet`
+## `cidrsubnet`
 
 ```hcl
 # docker-bake.hcl
@@ -323,7 +322,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="cidrsubnets"></a> `cidrsubnets`
+## `cidrsubnets`
 
 ```hcl
 # docker-bake.hcl
@@ -336,7 +335,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="coalesce"></a> `coalesce`
+## `coalesce`
 
 ```hcl
 # docker-bake.hcl
@@ -349,7 +348,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="coalescelist"></a> `coalescelist`
+## `coalescelist`
 
 ```hcl
 # docker-bake.hcl
@@ -362,7 +361,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="compact"></a> `compact`
+## `compact`
 
 ```hcl
 # docker-bake.hcl
@@ -375,7 +374,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="concat"></a> `concat`
+## `concat`
 
 ```hcl
 # docker-bake.hcl
@@ -388,7 +387,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="contains"></a> `contains`
+## `contains`
 
 ```hcl
 # docker-bake.hcl
@@ -401,7 +400,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="convert"></a> `convert`
+## `convert`
 
 ```hcl
 # docker-bake.hcl
@@ -414,7 +413,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="csvdecode"></a> `csvdecode`
+## `csvdecode`
 
 ```hcl
 # docker-bake.hcl
@@ -427,7 +426,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="dirname"></a> `dirname`
+## `dirname`
 
 ```hcl
 # docker-bake.hcl
@@ -440,7 +439,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="distinct"></a> `distinct`
+## `distinct`
 
 ```hcl
 # docker-bake.hcl
@@ -453,7 +452,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="divide"></a> `divide`
+## `divide`
 
 ```hcl
 # docker-bake.hcl
@@ -466,7 +465,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="element"></a> `element`
+## `element`
 
 ```hcl
 # docker-bake.hcl
@@ -479,7 +478,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="equal"></a> `equal`
+## `equal`
 
 ```hcl
 # docker-bake.hcl
@@ -492,7 +491,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="flatten"></a> `flatten`
+## `flatten`
 
 ```hcl
 # docker-bake.hcl
@@ -505,7 +504,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="floor"></a> `floor`
+## `floor`
 
 ```hcl
 # docker-bake.hcl
@@ -518,7 +517,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="format"></a> `format`
+## `format`
 
 ```hcl
 # docker-bake.hcl
@@ -531,7 +530,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="formatdate"></a> `formatdate`
+## `formatdate`
 
 ```hcl
 # docker-bake.hcl
@@ -544,7 +543,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="formatlist"></a> `formatlist`
+## `formatlist`
 
 ```hcl
 # docker-bake.hcl
@@ -557,7 +556,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="greaterthan"></a> `greaterthan`
+## `greaterthan`
 
 ```hcl
 # docker-bake.hcl
@@ -570,7 +569,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="greaterthanorequalto"></a> `greaterthanorequalto`
+## `greaterthanorequalto`
 
 ```hcl
 # docker-bake.hcl
@@ -583,7 +582,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="hasindex"></a> `hasindex`
+## `hasindex`
 
 ```hcl
 # docker-bake.hcl
@@ -597,7 +596,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="homedir"></a> `homedir`
+## `homedir`
 
 ```hcl
 # docker-bake.hcl
@@ -610,7 +609,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="indent"></a> `indent`
+## `indent`
 
 ```hcl
 # docker-bake.hcl
@@ -624,7 +623,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="index"></a> `index`
+## `index`
 
 ```hcl
 # docker-bake.hcl
@@ -637,7 +636,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="indexof"></a> `indexof`
+## `indexof`
 
 ```hcl
 # docker-bake.hcl
@@ -650,7 +649,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="int"></a> `int`
+## `int`
 
 ```hcl
 # docker-bake.hcl
@@ -663,7 +662,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="join"></a> `join`
+## `join`
 
 ```hcl
 # docker-bake.hcl
@@ -676,7 +675,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="jsondecode"></a> `jsondecode`
+## `jsondecode`
 
 ```hcl
 # docker-bake.hcl
@@ -689,7 +688,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="jsonencode"></a> `jsonencode`
+## `jsonencode`
 
 ```hcl
 # docker-bake.hcl
@@ -702,7 +701,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="keys"></a> `keys`
+## `keys`
 
 ```hcl
 # docker-bake.hcl
@@ -716,7 +715,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="length"></a> `length`
+## `length`
 
 ```hcl
 # docker-bake.hcl
@@ -729,7 +728,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="lessthan"></a> `lessthan`
+## `lessthan`
 
 ```hcl
 # docker-bake.hcl
@@ -742,7 +741,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="lessthanorequalto"></a> `lessthanorequalto`
+## `lessthanorequalto`
 
 ```hcl
 # docker-bake.hcl
@@ -755,7 +754,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="log"></a> `log`
+## `log`
 
 ```hcl
 # docker-bake.hcl
@@ -768,7 +767,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="lookup"></a> `lookup`
+## `lookup`
 
 ```hcl
 # docker-bake.hcl
@@ -781,7 +780,7 @@ target "webapp-dev" {
   }
 }
 ```
-### <a name="lower"></a> `lower`
+## `lower`
 
 ```hcl
 # docker-bake.hcl
@@ -794,7 +793,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="max"></a> `max`
+## `max`
 
 ```hcl
 # docker-bake.hcl
@@ -807,7 +806,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="md5"></a> `md5`
+## `md5`
 
 ```hcl
 # docker-bake.hcl
@@ -820,7 +819,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="merge"></a> `merge`
+## `merge`
 
 ```hcl
 # docker-bake.hcl
@@ -833,7 +832,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="min"></a> `min`
+## `min`
 
 ```hcl
 # docker-bake.hcl
@@ -846,7 +845,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="modulo"></a> `modulo`
+## `modulo`
 
 ```hcl
 # docker-bake.hcl
@@ -859,7 +858,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="multiply"></a> `multiply`
+## `multiply`
 
 ```hcl
 # docker-bake.hcl
@@ -872,7 +871,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="negate"></a> `negate`
+## `negate`
 
 ```hcl
 # docker-bake.hcl
@@ -885,7 +884,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="not"></a> `not`
+## `not`
 
 ```hcl
 # docker-bake.hcl
@@ -898,7 +897,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="notequal"></a> `notequal`
+## `notequal`
 
 ```hcl
 # docker-bake.hcl
@@ -911,7 +910,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="or"></a> `or`
+## `or`
 
 ```hcl
 # docker-bake.hcl
@@ -924,7 +923,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="parseint"></a> `parseint`
+## `parseint`
 
 ```hcl
 # docker-bake.hcl
@@ -937,7 +936,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="pow"></a> `pow`
+## `pow`
 
 ```hcl
 # docker-bake.hcl
@@ -950,7 +949,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="range"></a> `range`
+## `range`
 
 ```hcl
 # docker-bake.hcl
@@ -963,7 +962,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="regex"></a> `regex`
+## `regex`
 
 ```hcl
 # docker-bake.hcl
@@ -976,7 +975,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="regex_replace"></a> `regex_replace`
+## `regex_replace`
 
 ```hcl
 # docker-bake.hcl
@@ -989,7 +988,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="regexall"></a> `regexall`
+## `regexall`
 
 ```hcl
 # docker-bake.hcl
@@ -1002,7 +1001,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="replace"></a> `replace`
+## `replace`
 
 ```hcl
 # docker-bake.hcl
@@ -1015,7 +1014,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="reverse"></a> `reverse`
+## `reverse`
 
 ```hcl
 # docker-bake.hcl
@@ -1028,7 +1027,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="reverselist"></a> `reverselist`
+## `reverselist`
 
 ```hcl
 # docker-bake.hcl
@@ -1041,7 +1040,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="rsadecrypt"></a> `rsadecrypt`
+## `rsadecrypt`
 
 ```hcl
 # docker-bake.hcl
@@ -1054,7 +1053,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="sanitize"></a> `sanitize`
+## `sanitize`
 
 ```hcl
 # docker-bake.hcl
@@ -1067,7 +1066,32 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="sethaselement"></a> `sethaselement`
+## `semvercmp`
+
+This function checks if a semantic version fits within a set of constraints.
+See [Checking Version Constraints](https://github.com/Masterminds/semver?tab=readme-ov-file#checking-version-constraints)
+for details.
+
+```hcl
+# docker-bake.hcl
+variable "ALPINE_VERSION" {
+  default = "3.23"
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  platforms = semvercmp(ALPINE_VERSION, ">= 3.20") ? [
+    "linux/amd64",
+    "linux/arm64",
+    "linux/riscv64"
+  ] : [
+    "linux/amd64",
+    "linux/arm64"
+  ]
+}
+```
+
+## `sethaselement`
 
 ```hcl
 # docker-bake.hcl
@@ -1080,7 +1104,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="setintersection"></a> `setintersection`
+## `setintersection`
 
 ```hcl
 # docker-bake.hcl
@@ -1093,7 +1117,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="setproduct"></a> `setproduct`
+## `setproduct`
 
 ```hcl
 # docker-bake.hcl
@@ -1106,7 +1130,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="setsubtract"></a> `setsubtract`
+## `setsubtract`
 
 ```hcl
 # docker-bake.hcl
@@ -1119,7 +1143,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="setsymmetricdifference"></a> `setsymmetricdifference`
+## `setsymmetricdifference`
 
 ```hcl
 # docker-bake.hcl
@@ -1132,7 +1156,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="setunion"></a> `setunion`
+## `setunion`
 
 ```hcl
 # docker-bake.hcl
@@ -1145,7 +1169,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="sha1"></a> `sha1`
+## `sha1`
 
 ```hcl
 # docker-bake.hcl
@@ -1158,7 +1182,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="sha256"></a> `sha256`
+## `sha256`
 
 ```hcl
 # docker-bake.hcl
@@ -1171,7 +1195,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="sha512"></a> `sha512`
+## `sha512`
 
 ```hcl
 # docker-bake.hcl
@@ -1184,7 +1208,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="signum"></a> `signum`
+## `signum`
 
 ```hcl
 # docker-bake.hcl
@@ -1199,7 +1223,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="slice"></a> `slice`
+## `slice`
 
 ```hcl
 # docker-bake.hcl
@@ -1212,7 +1236,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="sort"></a> `sort`
+## `sort`
 
 ```hcl
 # docker-bake.hcl
@@ -1225,7 +1249,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="split"></a> `split`
+## `split`
 
 ```hcl
 # docker-bake.hcl
@@ -1238,7 +1262,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="strlen"></a> `strlen`
+## `strlen`
 
 ```hcl
 # docker-bake.hcl
@@ -1251,7 +1275,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="substr"></a> `substr`
+## `substr`
 
 ```hcl
 # docker-bake.hcl
@@ -1264,7 +1288,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="subtract"></a> `subtract`
+## `subtract`
 
 ```hcl
 # docker-bake.hcl
@@ -1277,7 +1301,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="timeadd"></a> `timeadd`
+## `timeadd`
 
 ```hcl
 # docker-bake.hcl
@@ -1290,7 +1314,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="timestamp"></a> `timestamp`
+## `timestamp`
 
 ```hcl
 # docker-bake.hcl
@@ -1303,7 +1327,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="title"></a> `title`
+## `title`
 
 ```hcl
 # docker-bake.hcl
@@ -1316,7 +1340,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="trim"></a> `trim`
+## `trim`
 
 ```hcl
 # docker-bake.hcl
@@ -1329,7 +1353,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="trimprefix"></a> `trimprefix`
+## `trimprefix`
 
 ```hcl
 # docker-bake.hcl
@@ -1342,7 +1366,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="trimspace"></a> `trimspace`
+## `trimspace`
 
 ```hcl
 # docker-bake.hcl
@@ -1355,7 +1379,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="trimsuffix"></a> `trimsuffix`
+## `trimsuffix`
 
 ```hcl
 # docker-bake.hcl
@@ -1368,7 +1392,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="try"></a> `try`
+## `try`
 
 ```hcl
 # docker-bake.hcl
@@ -1385,7 +1409,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="upper"></a> `upper`
+## `upper`
 
 ```hcl
 # docker-bake.hcl
@@ -1398,7 +1422,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="urlencode"></a> `urlencode`
+## `urlencode`
 
 ```hcl
 # docker-bake.hcl
@@ -1411,7 +1435,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="uuidv4"></a> `uuidv4`
+## `uuidv4`
 
 ```hcl
 # docker-bake.hcl
@@ -1424,7 +1448,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="uuidv5"></a> `uuidv5`
+## `uuidv5`
 
 ```hcl
 # docker-bake.hcl
@@ -1440,7 +1464,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="values"></a> `values`
+## `values`
 
 ```hcl
 # docker-bake.hcl
@@ -1453,7 +1477,7 @@ target "webapp-dev" {
 }
 ```
 
-### <a name="zipmap"></a> `zipmap`
+## `zipmap`
 
 ```hcl
 # docker-bake.hcl
@@ -1464,4 +1488,4 @@ target "webapp-dev" {
     obj = "${zipmap(["name","stars"], ["Docker", 5])}" # => {name="Docker", stars=5}
   }
 }
-```
\ No newline at end of file
+```
diff --git a/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md b/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md
index 8587fe3816..00eef1ddbc 100644
--- a/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md
+++ b/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md
@@ -213,4 +213,19 @@ provenanceEnvDir = "/etc/buildkit/provenance.d"
 [system]
   # how often buildkit scans for changes in the supported emulated platforms
   platformsCacheMaxAge = "1h"
+
+
+# optional signed cache configuration for GitHub Actions backend
+[ghacache.sign]
+# command that signs the payload in stdin and outputs the signature to stdout. Normally you want cosign to produce the signature bytes.
+cmd = ""
+[ghacache.verify]
+required = false
+[ghacache.verify.policy]
+timestampThreshold = 1
+tlogThreshold = 1
+# cetificate properties that need to match. Simple wildcards (*) are supported.
+certificateIssuer = ""
+subjectAlternativeName = ""
+buildSignerURI = ""
 ```
diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md
index 3b2957a9b1..5dac8efa63 100644
--- a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md
+++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md
@@ -880,7 +880,7 @@ FROM ubuntu
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
   --mount=type=cache,target=/var/lib/apt,sharing=locked \
-  apt update && apt-get --no-install-recommends install -y gcc
+  apt-get update && apt-get --no-install-recommends install -y gcc
 ```
 
 Apt needs exclusive access to its data, so the caches use the option
@@ -1322,9 +1322,10 @@ The available `[OPTIONS]` are:
 | --------------------------------------- | -------------------------- |
 | [`--keep-git-dir`](#add---keep-git-dir) | 1.1                        |
 | [`--checksum`](#add---checksum)         | 1.6                        |
-| [`--chown`](#add---chown---chmod)       |                            |
-| [`--chmod`](#add---chown---chmod)       | 1.2                        |
+| [`--chmod`](#add---chmod)               | 1.2                        |
+| [`--chown`](#add---chown)               |                            |
 | [`--link`](#add---link)                 | 1.4                        |
+| [`--unpack`](#add---unpack)             | 1.17                       |
 | [`--exclude`](#add---exclude)           | 1.19                       |
 
 The `ADD` instruction copies new files or directories from `<src>` and adds
@@ -1572,28 +1573,31 @@ ADD --keep-git-dir=true https://github.com/moby/buildkit.git#v0.10.1 /buildkit
 ADD [--checksum=<hash>] <src> ... <dir>
 ```
 
-The `--checksum` flag lets you verify the checksum of a remote resource. The
-checksum is formatted as `sha256:<hash>`. SHA-256 is the only supported hash
-algorithm.
+The `--checksum` flag lets you verify the checksum of a remote Git or HTTP
+resource:
+
+- For Git sources, the checksum is the commit SHA. It can be the full commit
+  SHA or match on the prefix (1 or more characters).
+- For HTTP sources, the checksum is the SHA-256 content digest, formatted as
+  `sha256:<hash>`. SHA-256 is the only supported hash algorithm.
 
 ```dockerfile
+ADD --checksum=be1f38e https://github.com/moby/buildkit.git#v0.26.2 /
 ADD --checksum=sha256:24454f830cdb571e2c4ad15481119c43b3cafd48dd869a9b2945d1036d1dc68d https://mirrors.edge.kernel.org/pub/linux/kernel/Historic/linux-0.01.tar.gz /
 ```
 
-The `--checksum` flag only supports HTTP(S) sources.
+### ADD --chmod
 
-### ADD --chown --chmod
+See [`COPY --chmod`](#copy---chmod).
 
-See [`COPY --chown --chmod`](#copy---chown---chmod).
+### ADD --chown
+
+See [`COPY --chown`](#copy---chown).
 
 ### ADD --link
 
 See [`COPY --link`](#copy---link).
 
-### ADD --exclude
-
-See [`COPY --exclude`](#copy---exclude).
-
 ### ADD --unpack
 
 ```dockerfile
@@ -1614,6 +1618,10 @@ ADD --unpack=true https://example.com/archive.tar.gz /download
 ADD --unpack=false my-archive.tar.gz .
 ```
 
+### ADD --exclude
+
+See [`COPY --exclude`](#copy---exclude).
+
 ## COPY
 
 COPY has two forms.
@@ -1629,8 +1637,8 @@ The available `[OPTIONS]` are:
 | Option                             | Minimum Dockerfile version |
 | ---------------------------------- | -------------------------- |
 | [`--from`](#copy---from)           |                            |
-| [`--chown`](#copy---chown---chmod) |                            |
-| [`--chmod`](#copy---chown---chmod) | 1.2                        |
+| [`--chmod`](#copy---chmod)         | 1.2                        |
+| [`--chown`](#copy---chown)         |                            |
 | [`--link`](#copy---link)           | 1.4                        |
 | [`--parents`](#copy---parents)     | 1.20                       |
 | [`--exclude`](#copy---exclude)     | 1.19                       |
@@ -1800,32 +1808,52 @@ COPY --from=nginx:latest /etc/nginx/nginx.conf /nginx.conf
 The source path of `COPY --from` is always resolved from filesystem root of the
 image or stage that you specify.
 
-### COPY --chown --chmod
-
-> [!NOTE]
-> Only octal notation is currently supported. Non-octal support is tracked in
-> [moby/buildkit#1951](https://github.com/moby/buildkit/issues/1951).
+### COPY --chmod
 
 ```dockerfile
-COPY [--chown=<user>:<group>] [--chmod=<perms> ...] <src> ... <dest>
+COPY [--chmod=<perms>] <src> ... <dest>
 ```
 
-The `--chown` and `--chmod` features are only supported on Dockerfiles used to build Linux containers,
-and doesn't work on Windows containers. Since user and group ownership concepts do
-not translate between Linux and Windows, the use of `/etc/passwd` and `/etc/group` for
-translating user and group names to IDs restricts this feature to only be viable for
-Linux OS-based containers.
+The `--chmod` flag supports octal notation (e.g., `755`, `644`) and symbolic
+notation (e.g., `+x`, `g=u`). Symbolic notation (added in Dockerfile version 1.14)
+is useful when octal isn't flexible enough. For example, `u=rwX,go=rX` sets
+directories to 755 and files to 644, while preserving the executable bit on files
+that already have it. (Capital `X` means "executable only if it's a directory or
+already executable.")
 
-All files and directories copied from the build context are created with a UID and GID of `0` unless the
-optional `--chown` flag specifies a given username, groupname, or UID/GID
-combination to request specific ownership of the copied content. The
-format of the `--chown` flag allows for either username and groupname strings
-or direct integer UID and GID in any combination. Providing a username without
-groupname or a UID without GID will use the same numeric UID as the GID. If a
-username or groupname is provided, the container's root filesystem
-`/etc/passwd` and `/etc/group` files will be used to perform the translation
-from name to integer UID or GID respectively. The following examples show
-valid definitions for the `--chown` flag:
+For more information about symbolic notation syntax, see the
+[chmod(1) manual](https://man.freebsd.org/cgi/man.cgi?chmod).
+
+Examples using octal notation:
+
+```dockerfile
+COPY --chmod=755 app.sh /app/
+COPY --chmod=644 file.txt /data/
+ARG MODE=440
+COPY --chmod=$MODE . .
+```
+
+Examples using symbolic notation:
+
+```dockerfile
+COPY --chmod=+x script.sh /app/
+COPY --chmod=u=rwX,go=rX . /app/
+COPY --chmod=g=u config/ /config/
+```
+
+The `--chmod` flag is not supported when building Windows containers.
+
+### COPY --chown
+
+```dockerfile
+COPY [--chown=<user>:<group>] <src> ... <dest>
+```
+
+Sets ownership of copied files. Without this flag, files are created with UID
+and GID of 0.
+
+The flag accepts usernames, group names, UIDs, or GIDs in any combination.
+If you specify only a user, the GID is set to the same numeric value as the UID.
 
 ```dockerfile
 COPY --chown=55:mygroup files* /somedir/
@@ -1835,22 +1863,12 @@ COPY --chown=10:11 files* /somedir/
 COPY --chown=myuser:mygroup --chmod=644 files* /somedir/
 ```
 
-If the container root filesystem doesn't contain either `/etc/passwd` or
-`/etc/group` files and either user or group names are used in the `--chown`
-flag, the build will fail on the `COPY` operation. Using numeric IDs requires
-no lookup and does not depend on container root filesystem content.
+When using names instead of numeric IDs, BuildKit resolves them using
+`/etc/passwd` and `/etc/group` in the container's root filesystem. If these
+files are missing or don't contain the specified names, the build fails.
+Numeric IDs don't require this lookup.
 
-With the Dockerfile syntax version 1.10.0 and later,
-the `--chmod` flag supports variable interpolation,
-which lets you define the permission bits using build arguments:
-
-```dockerfile
-# syntax=docker/dockerfile:1.10
-FROM alpine
-WORKDIR /src
-ARG MODE=440
-COPY --chmod=$MODE . .
-```
+The `--chown` flag is not supported when building Windows containers.
 
 ### COPY --link
 
@@ -2358,7 +2376,7 @@ USER <UID>[:<GID>]
 The `USER` instruction sets the user name (or UID) and optionally the user
 group (or GID) to use as the default user and group for the remainder of the
 current stage. The specified user is used for `RUN` instructions and at
-runtime, runs the relevant `ENTRYPOINT` and `CMD` commands.
+runtime runs the relevant `ENTRYPOINT` and `CMD` commands.
 
 > Note that when specifying a group for the user, the user will have _only_ the
 > specified group membership. Any other configured group memberships will be ignored.
@@ -2426,9 +2444,15 @@ Therefore, to avoid unintended operations in unknown directories, it's best prac
 ARG <name>[=<default value>] [<name>[=<default value>]...]
 ```
 
-The `ARG` instruction defines a variable that users can pass at build-time to
+The `ARG` instruction defines a variable that users can pass at build time to
 the builder with the `docker build` command using the `--build-arg <varname>=<value>`
-flag.
+flag. This variable can be used in subsequent instructions such as `FROM`, `ENV`,
+`WORKDIR`, and others using the `${VAR}` or `$VAR` template syntax.
+It is also passed to all subsequent `RUN` instructions as a build-time
+environment variable.
+
+Unlike `ENV`, an `ARG` variable is not embedded in the image and is not available
+in the final container.
 
 > [!WARNING]
 > It isn't recommended to use build arguments for passing secrets such as
diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md
index d1b1f1050d..2060cc6db4 100644
--- a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md
+++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/_index.md
@@ -100,7 +100,7 @@ To learn more about how to use build checks, see
       <td>FROM --platform flag should not use a constant value</td>
     </tr>
     <tr>
-      <td><a href="./copy-ignored-file/">CopyIgnoredFile (experimental)</a></td>
+      <td><a href="./copy-ignored-file/">CopyIgnoredFile</a></td>
       <td>Attempting to Copy file that is excluded by .dockerignore</td>
     </tr>
     <tr>
diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/copy-ignored-file.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/copy-ignored-file.md
index 3e8e57e8d4..535da0be63 100644
--- a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/copy-ignored-file.md
+++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/rules/copy-ignored-file.md
@@ -6,10 +6,6 @@ aliases:
   - /go/dockerfile/rule/copy-ignored-file/
 ---
 
-> [!NOTE]
-> This check is experimental and is not enabled by default. To enable it, see
-> [Experimental checks](https://docs.docker.com/go/build-checks-experimental/).
-
 ## Output
 
 ```text
diff --git a/_vendor/modules.txt b/_vendor/modules.txt
index 1af181486e..3c6bbc8002 100644
--- a/_vendor/modules.txt
+++ b/_vendor/modules.txt
@@ -1,7 +1,7 @@
 # github.com/moby/moby/api v1.53.0
-# github.com/moby/buildkit v0.26.3
-# github.com/docker/buildx v0.30.1
-# github.com/docker/cli v29.1.2+incompatible
+# github.com/moby/buildkit v0.27.0
+# github.com/docker/buildx v0.31.0
+# github.com/docker/cli v29.1.5+incompatible
 # github.com/docker/compose/v5 v5.0.1
 # github.com/docker/model-runner/cmd/cli v1.0.3
 # github.com/docker/mcp-gateway v0.22.0
diff --git a/data/buildx/docker_buildx.yaml b/data/buildx/docker_buildx.yaml
index 78b279c5a9..0f8cd0c383 100644
--- a/data/buildx/docker_buildx.yaml
+++ b/data/buildx/docker_buildx.yaml
@@ -16,6 +16,7 @@ cname:
     - docker buildx imagetools
     - docker buildx inspect
     - docker buildx ls
+    - docker buildx policy
     - docker buildx prune
     - docker buildx rm
     - docker buildx stop
@@ -33,6 +34,7 @@ clink:
     - docker_buildx_imagetools.yaml
     - docker_buildx_inspect.yaml
     - docker_buildx_ls.yaml
+    - docker_buildx_policy.yaml
     - docker_buildx_prune.yaml
     - docker_buildx_rm.yaml
     - docker_buildx_stop.yaml
diff --git a/data/buildx/docker_buildx_bake.yaml b/data/buildx/docker_buildx_bake.yaml
index d4460e9c9a..68fe69e008 100644
--- a/data/buildx/docker_buildx_bake.yaml
+++ b/data/buildx/docker_buildx_bake.yaml
@@ -198,6 +198,16 @@ options:
       experimentalcli: false
       kubernetes: false
       swarm: false
+    - option: var
+      value_type: stringArray
+      default_value: '[]'
+      description: Set a variable value (e.g., `name=value`)
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
 inherited_options:
     - option: builder
       value_type: string
@@ -578,6 +588,7 @@ examples: |-
     $ docker buildx bake --set *.platform=linux/arm64       # overrides platform for all targets
     $ docker buildx bake --set foo*.no-cache                # bypass caching only for targets starting with 'foo'
     $ docker buildx bake --set target.platform+=linux/arm64 # appends 'linux/arm64' to the platform list
+    $ docker buildx bake --set target.contexts.bar=../bar   # overrides 'bar' named context
     ```
 
     > [!NOTE]
@@ -596,6 +607,7 @@ examples: |-
     * `cache-to`
     * `call`
     * `context`
+    * `contexts`
     * `dockerfile`
     * `entitlements`
     * `extra-hosts`
diff --git a/data/buildx/docker_buildx_build.yaml b/data/buildx/docker_buildx_build.yaml
index aee91492c4..6dd7b8b616 100644
--- a/data/buildx/docker_buildx_build.yaml
+++ b/data/buildx/docker_buildx_build.yaml
@@ -332,6 +332,17 @@ options:
       experimentalcli: false
       kubernetes: false
       swarm: false
+    - option: policy
+      value_type: stringArray
+      default_value: '[]'
+      description: |
+        Policy configuration (format: `filename=path[,filename=path][,reset=true|false][,disabled=true|false][,strict=true|false][,log-level=level]`)
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
     - option: print
       value_type: string
       description: Print result of information request (e.g., outline, targets)
@@ -376,7 +387,7 @@ options:
     - option: push
       value_type: bool
       default_value: "false"
-      description: Shorthand for `--output=type=registry`
+      description: Shorthand for `--output=type=registry,unpack=false`
       details_url: '#push'
       deprecated: false
       hidden: false
@@ -704,8 +715,13 @@ examples: |-
     --build-context=name=VALUE
     ```
 
-    Define additional build context with specified contents. In Dockerfile the context can be accessed when `FROM name` or `--from=name` is used.
-    When Dockerfile defines a stage with the same name it is overwritten.
+    Define additional build context with specified contents.
+
+    In a Dockerfile:
+
+    - the context can be accessed when `FROM name` or `--from=name` is used
+    - the context overrides a stage called `name` when used as `FROM ... AS name`
+    - the context overrides a `#syntax` directive when used as `#syntax=name`
 
     The value can be a:
 
diff --git a/data/buildx/docker_buildx_dap_build.yaml b/data/buildx/docker_buildx_dap_build.yaml
index b7c221c715..43cc6a99a7 100644
--- a/data/buildx/docker_buildx_dap_build.yaml
+++ b/data/buildx/docker_buildx_dap_build.yaml
@@ -321,6 +321,17 @@ options:
       experimentalcli: false
       kubernetes: false
       swarm: false
+    - option: policy
+      value_type: stringArray
+      default_value: '[]'
+      description: |
+        Policy configuration (format: `filename=path[,filename=path][,reset=true|false][,disabled=true|false][,strict=true|false][,log-level=level]`)
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
     - option: print
       value_type: string
       description: Print result of information request (e.g., outline, targets)
@@ -363,7 +374,7 @@ options:
     - option: push
       value_type: bool
       default_value: "false"
-      description: Shorthand for `--output=type=registry`
+      description: Shorthand for `--output=type=registry,unpack=false`
       deprecated: false
       hidden: false
       experimental: false
diff --git a/data/buildx/docker_buildx_debug_build.yaml b/data/buildx/docker_buildx_debug_build.yaml
index 4ba3d136fd..e3e403930c 100644
--- a/data/buildx/docker_buildx_debug_build.yaml
+++ b/data/buildx/docker_buildx_debug_build.yaml
@@ -314,6 +314,17 @@ options:
       experimentalcli: false
       kubernetes: false
       swarm: false
+    - option: policy
+      value_type: stringArray
+      default_value: '[]'
+      description: |
+        Policy configuration (format: `filename=path[,filename=path][,reset=true|false][,disabled=true|false][,strict=true|false][,log-level=level]`)
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
     - option: print
       value_type: string
       description: Print result of information request (e.g., outline, targets)
@@ -356,7 +367,7 @@ options:
     - option: push
       value_type: bool
       default_value: "false"
-      description: Shorthand for `--output=type=registry`
+      description: Shorthand for `--output=type=registry,unpack=false`
       deprecated: false
       hidden: false
       experimental: false
diff --git a/data/buildx/docker_buildx_policy.yaml b/data/buildx/docker_buildx_policy.yaml
new file mode 100644
index 0000000000..a905cbc376
--- /dev/null
+++ b/data/buildx/docker_buildx_policy.yaml
@@ -0,0 +1,39 @@
+command: docker buildx policy
+short: Commands for working with build policies
+long: Commands for working with build policies
+pname: docker buildx
+plink: docker_buildx.yaml
+cname:
+    - docker buildx policy eval
+    - docker buildx policy test
+clink:
+    - docker_buildx_policy_eval.yaml
+    - docker_buildx_policy_test.yaml
+inherited_options:
+    - option: builder
+      value_type: string
+      description: Override the configured builder instance
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+    - option: debug
+      shorthand: D
+      value_type: bool
+      default_value: "false"
+      description: Enable debug logging
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+deprecated: false
+hidden: false
+experimental: false
+experimentalcli: false
+kubernetes: false
+swarm: false
+
diff --git a/data/buildx/docker_buildx_policy_eval.yaml b/data/buildx/docker_buildx_policy_eval.yaml
new file mode 100644
index 0000000000..ba43380f6c
--- /dev/null
+++ b/data/buildx/docker_buildx_policy_eval.yaml
@@ -0,0 +1,65 @@
+command: docker buildx policy eval
+short: Evaluate policy for a source
+long: Evaluate policy for a source
+usage: docker buildx policy eval [OPTIONS] source
+pname: docker buildx policy
+plink: docker_buildx_policy.yaml
+options:
+    - option: fields
+      value_type: stringSlice
+      default_value: '[]'
+      description: Fields to evaluate
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+    - option: filename
+      value_type: string
+      default_value: Dockerfile
+      description: Policy filename to evaluate
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+    - option: print
+      value_type: bool
+      default_value: "false"
+      description: Print policy output
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+inherited_options:
+    - option: builder
+      value_type: string
+      description: Override the configured builder instance
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+    - option: debug
+      shorthand: D
+      value_type: bool
+      default_value: "false"
+      description: Enable debug logging
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+deprecated: false
+hidden: false
+experimental: false
+experimentalcli: false
+kubernetes: false
+swarm: false
+
diff --git a/data/buildx/docker_buildx_policy_test.yaml b/data/buildx/docker_buildx_policy_test.yaml
new file mode 100644
index 0000000000..7a18fbc865
--- /dev/null
+++ b/data/buildx/docker_buildx_policy_test.yaml
@@ -0,0 +1,54 @@
+command: docker buildx policy test
+short: Run policy tests
+long: Run policy tests
+usage: docker buildx policy test <path>
+pname: docker buildx policy
+plink: docker_buildx_policy.yaml
+options:
+    - option: filename
+      value_type: string
+      default_value: Dockerfile
+      description: Name of the Dockerfile to validate
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+    - option: run
+      value_type: string
+      description: Run only tests with name containing this substring
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+inherited_options:
+    - option: builder
+      value_type: string
+      description: Override the configured builder instance
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+    - option: debug
+      shorthand: D
+      value_type: bool
+      default_value: "false"
+      description: Enable debug logging
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
+deprecated: false
+hidden: false
+experimental: false
+experimentalcli: false
+kubernetes: false
+swarm: false
+
diff --git a/go.mod b/go.mod
index c1bc50bc4e..3b051ec12d 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/exp/slice v0.0.0-20250327172914-2fdc97757edf // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/containerd/containerd/v2 v2.2.1-0.20251115011841-efd86f2b0bc2 // indirect
+	github.com/containerd/containerd/v2 v2.2.1 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
@@ -25,12 +25,12 @@ require (
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.11.0 // indirect
-	github.com/docker/buildx v0.30.1 // indirect
-	github.com/docker/cli v29.1.2+incompatible // indirect; see "replace" rule at the bottom for actual version
+	github.com/docker/buildx v0.31.0 // indirect
+	github.com/docker/cli v29.1.5+incompatible // indirect; see "replace" rule at the bottom for actual version
 	github.com/docker/compose/v5 v5.0.1 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v28.5.2+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/docker/docker-credential-helpers v0.9.5 // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/docker/mcp-gateway v0.22.0 // indirect
@@ -52,13 +52,13 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/gpustack/gguf-parser-go v0.22.1 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
 	github.com/henvic/httpretty v0.1.4 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jaypipes/ghw v0.19.1 // indirect
 	github.com/jaypipes/pcidb v1.1.1 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.18.1 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
 	github.com/kolesnikovae/go-winjob v1.0.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
@@ -67,7 +67,7 @@ require (
 	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.27 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/moby/buildkit v0.26.3 // indirect
+	github.com/moby/buildkit v0.27.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/moby/api v1.53.0 // indirect; see "replace" rule at the bottom for actual version
@@ -88,9 +88,9 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.67.1 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d // indirect
 	github.com/spf13/cobra v1.10.2 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
@@ -111,27 +111,27 @@ require (
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/crypto v0.46.0 // indirect
 	golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
 	gonum.org/v1/gonum v0.16.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251103181224-f26f9409b101 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 // indirect
 	google.golang.org/grpc v1.77.0 // indirect
-	google.golang.org/protobuf v1.36.10 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.2-0.20250314012144-ee69052608d9 // indirect
 )
 
 replace (
-	github.com/docker/buildx => github.com/docker/buildx v0.30.1
+	github.com/docker/buildx => github.com/docker/buildx v0.31.0
 	github.com/docker/cli => github.com/docker/cli v29.1.2+incompatible
 	github.com/docker/compose/v5 => github.com/docker/compose/v5 v5.0.1
 	github.com/docker/mcp-gateway => github.com/docker/mcp-gateway v0.22.0
diff --git a/go.sum b/go.sum
index 93122abc7d..ca778dd6c6 100644
--- a/go.sum
+++ b/go.sum
@@ -26,6 +26,8 @@ github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQ
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/containerd/containerd/v2 v2.2.1-0.20251115011841-efd86f2b0bc2 h1:WcvXNS/OmpiitTVdzRAudKwvShKxcOP4Elf2FyxSoTg=
 github.com/containerd/containerd/v2 v2.2.1-0.20251115011841-efd86f2b0bc2/go.mod h1:YCMjKjA4ZA7egdHNi3/93bJR1+2oniYlnS+c0N62HdE=
+github.com/containerd/containerd/v2 v2.2.1 h1:TpyxcY4AL5A+07dxETevunVS5zxqzuq7ZqJXknM11yk=
+github.com/containerd/containerd/v2 v2.2.1/go.mod h1:NR70yW1iDxe84F2iFWbR9xfAN0N2F0NcjTi1OVth4nU=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
@@ -48,6 +50,8 @@ github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxK
 github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/docker/buildx v0.30.1 h1:3vthfaTQOLt5QfN2nl7rKuPLUvx69nL5ZikFIXp//c8=
 github.com/docker/buildx v0.30.1/go.mod h1:8nwT0V6UNYNo9rXq6WO/BQd9KrJ0JYcY/QX6x0y1Oro=
+github.com/docker/buildx v0.31.0 h1:1hc/VRXlViJAG8QEReNa46Ui15qyrbfYTVl29K8yI2c=
+github.com/docker/buildx v0.31.0/go.mod h1:SD+jYLnt3S4SXqohVtV+8z+dihnOgwMJ8t+bLQvsaCk=
 github.com/docker/cli v29.1.2+incompatible h1:s4QI7drXpIo78OM+CwuthPsO5kCf8cpNsck5PsLVTH8=
 github.com/docker/cli v29.1.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/compose/v5 v5.0.0 h1:J2uMCzJ/5xLcoIVVXvMmPe6HBzVQpmJThKa7Qk7Xldc=
@@ -60,6 +64,8 @@ github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaft
 github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
 github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
+github.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY=
+github.com/docker/docker-credential-helpers v0.9.5/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -108,6 +114,8 @@ github.com/gpustack/gguf-parser-go v0.22.1 h1:FRnEDWqT0Rcplr/R9ctCRSN2+3DhVsf6dn
 github.com/gpustack/gguf-parser-go v0.22.1/go.mod h1:y4TwTtDqFWTK+xvprOjRUh+dowgU2TKCX37vRKvGiZ0=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4=
 github.com/henvic/httpretty v0.1.4 h1:Jo7uwIRWVFxkqOnErcoYfH90o3ddQyVrSANeS4cxYmU=
 github.com/henvic/httpretty v0.1.4/go.mod h1:Dn60sQTZfbt2dYsdUSNsCljyF4AfdqnuJFDLJA1I4AM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -123,6 +131,8 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
 github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
+github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
 github.com/kolesnikovae/go-winjob v1.0.0 h1:OKEtCHB3sYNAiqNwGDhf08Y6luM7C8mP+42rp1N6SeE=
 github.com/kolesnikovae/go-winjob v1.0.0/go.mod h1:k0joOLP3/NBrRmDQjPV2+oN1TPmEWt6arTNtFjVeQuM=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
@@ -191,6 +201,8 @@ github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oE
 github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
 github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
 github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
+github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
 github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
@@ -198,6 +210,8 @@ github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUc
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
+github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d h1:3VwvTjiRPA7cqtgOWddEL+JrcijMlXUmj99c/6YyZoY=
 github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d/go.mod h1:tAG61zBM1DYRaGIPloumExGvScf08oHuo0kFoOqdbT0=
 github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
@@ -253,18 +267,24 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
 golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20250911091902-df9299821621 h1:2id6c1/gto0kaHYyrixvknJ8tUK/Qs5IsmBtrc+FtgU=
 golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
 golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
 golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -288,16 +308,22 @@ golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
 golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
 golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
 golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
 golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -306,12 +332,18 @@ gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
 google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
+google.golang.org/genproto/googleapis/api v0.0.0-20251103181224-f26f9409b101 h1:vk5TfqZHNn0obhPIYeS+cxIFKFQgser/M2jnI+9c6MM=
+google.golang.org/genproto/googleapis/api v0.0.0-20251103181224-f26f9409b101/go.mod h1:E17fc4PDhkr22dE3RgnH2hEubUaky6ZwW4VhANxyspg=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 h1:tRPGkdGHuewF4UisLzzHHr1spKw92qLM98nIzxbC0wY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
 google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
 google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
 google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=