Bump actions/upload-artifact from 5 to 6

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
2026-04-28 03:17:00 +00:00 · 2025-12-15 19:03:21 +00:00
322 changed files with 3786 additions and 25429 deletions
--- a/.github/workflows/e2e-test-kind.yaml
+++ b/.github/workflows/e2e-test-kind.yaml
@@ -185,7 +185,7 @@ jobs:
        timeout-minutes: 30
      - name: Upload debug bundle
        if: ${{ failure() }}
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
        with:
          name: DebugBundle-k8s-${{ matrix.k8s }}-job-${{ strategy.job-index }}
          path: /home/runner/work/velero/velero/test/e2e/debug-bundle*
--- a/.github/workflows/pr-filepath-check.yml
+++ b/.github/workflows/pr-filepath-check.yml
@@ -1,93 +0,0 @@
-name: Pull Request File Path Check
-on: [pull_request]
-jobs:
-
-  filepath-check:
-    name: Check for invalid characters in file paths
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: Check out the code
-      uses: actions/checkout@v6
-
-    - name: Validate file paths for Go module compatibility
-      run: |
-        # Go's module zip rejects filenames containing certain characters.
-        # See golang.org/x/mod/module fileNameOK() for the full specification.
-        #
-        # Allowed ASCII: letters, digits, and: !#$%&()+,-.=@[]^_{}~ and space
-        # Allowed non-ASCII: unicode letters only
-        # Rejected: " ' * < > ? ` | / \ : and any non-letter unicode (control
-        #           chars, format chars like U+200E LEFT-TO-RIGHT MARK, etc.)
-        #
-        # This check catches issues like the U+200E incident in PR #9552.
-
-        EXIT_STATUS=0
-
-        git ls-files -z | python3 -c "
-        import sys, unicodedata
-
-        data = sys.stdin.buffer.read()
-        files = data.split(b'\x00')
-
-        # Characters explicitly rejected by Go's fileNameOK
-        # (path separators / and \ are inherent to paths so we check per-element)
-        bad_ascii = set('\"' + \"'\" + '*<>?\`|:')
-
-        allowed_ascii = set('!#$%&()+,-.=@[]^_{}~ ')
-
-        def is_ok(ch):
-            if ch.isascii():
-                return ch.isalnum() or ch in allowed_ascii
-            return ch.isalpha()
-
-        bad_files = []  # list of (original_path, clean_path, char_desc)
-        for f in files:
-            if not f:
-                continue
-            try:
-                name = f.decode('utf-8')
-            except UnicodeDecodeError:
-                print(f'::error::Non-UTF-8 bytes in filename: {f!r}')
-                bad_files.append((repr(f), None, 'non-UTF-8 bytes'))
-                continue
-
-            # Check each path element (split on /)
-            for element in name.split('/'):
-                for ch in element:
-                    if not is_ok(ch):
-                        cp = ord(ch)
-                        char_name = unicodedata.name(ch, f'U+{cp:04X}')
-                        char_desc = f'U+{cp:04X} ({char_name})'
-                        # Build cleaned path by stripping invalid chars
-                        clean = '/'.join(
-                            ''.join(c for c in elem if is_ok(c))
-                            for elem in name.split('/')
-                        )
-                        print(f'::error file={name}::File \"{name}\" contains invalid char {char_desc}')
-                        bad_files.append((name, clean, char_desc))
-                        break
-
-        if bad_files:
-            print()
-            print('The following files have characters that are invalid in Go module zip archives:')
-            print()
-            for original, clean, desc in bad_files:
-                print(f'  {original}  — {desc}')
-            print()
-            print('To fix, rename the files to remove the problematic characters:')
-            print()
-            for original, clean, desc in bad_files:
-                if clean:
-                    print(f'  mv \"{original}\" \"{clean}\" && git add \"{clean}\"')
-                    print(f'  # or: git mv \"{original}\" \"{clean}\"')
-                else:
-                    print(f'  # {original} — cannot auto-suggest rename (non-UTF-8)')
-            print()
-            print('See https://github.com/vmware-tanzu/velero/pull/9552 for context.')
-            sys.exit(1)
-        else:
-            print('All file paths are valid for Go module zip.')
-        " || EXIT_STATUS=1
-
-        exit $EXIT_STATUS
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -55,7 +55,7 @@ checksum:
  name_template: 'CHECKSUM'
 release:
  github:
-    owner: velero-io
+    owner: vmware-tanzu
    name: velero
  draft: true
  prerelease: auto
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -17,7 +17,6 @@ If you're using Velero and want to add your organization to this list,
 <a href="https://www.replicated.com/" border="0" target="_blank"><img alt="replicated.com" src="site/static/img/adopters/replicated-logo-red.svg" height="50"></a>
 <a href="https://cloudcasa.io/" border="0" target="_blank"><img alt="cloudcasa.io" src="site/static/img/adopters/cloudcasa.svg" height="50"></a>
 <a href="https://azure.microsoft.com/" border="0" target="_blank"><img alt="azure.com" src="site/static/img/adopters/azure.svg" height="50"></a>
-<a href="https://www.broadcom.com/" border="0" target="_blank"><img alt="broadcom.com" src="site/static/img/adopters/broadcom.svg" height="50"></a>
 ## Success Stories

 Below is a list of adopters of Velero in **production environments** that have
@@ -69,9 +68,6 @@ Replicated uses the Velero open source project to enable snapshots in [KOTS][101
 **[Microsoft Azure][105]**<br>
 [Azure Backup for AKS][106] is an Azure native, Kubernetes aware, Enterprise ready backup for containerized applications deployed on Azure Kubernetes Service (AKS). AKS Backup utilizes Velero to perform backup and restore operations to protect stateful applications in AKS clusters.<br>

-**[Broadcom][107]**<br>
-[VMware Cloud Foundation][108] (VCF) offers built-in [vSphere Kubernetes Service][109] (VKS),  a Kubernetes runtime that includes a CNCF certified Kubernetes distribution, to deploy and manage containerized workloads. VCF empowers platform engineers with native [Kubernetes multi-cluster management][110] capability for managing Kubernetes (K8s) infrastructure at scale. VCF utilizes Velero for Kubernetes data protection enabling platform engineers to back up and restore containerized workloads manifests & persistent volumes, helping to increase the resiliency of stateful applications in VKS cluster.
-
 ## Adding your organization to the list of Velero Adopters

 If you are using Velero and would like to be included in the list of `Velero Adopters`, add an SVG version of your logo to the `site/static/img/adopters` directory in this repo and submit a [pull request][3] with your change. Name the image file something that reflects your company (e.g., if your company is called Acme, name the image acme.png). See this for an example [PR][4].
@@ -129,8 +125,3 @@ If you would like to add your logo to a future `Adopters of Velero` section on [

 [105]: https://azure.microsoft.com/
 [106]: https://learn.microsoft.com/azure/backup/backup-overview
-
-[107]: https://www.broadcom.com/
-[108]: https://www.vmware.com/products/cloud-infrastructure/vmware-cloud-foundation
-[109]: https://www.vmware.com/products/cloud-infrastructure/vsphere-kubernetes-service
-[110]: https://blogs.vmware.com/cloud-foundation/2025/09/29/empowering-platform-engineers-with-native-kubernetes-multi-cluster-management-in-vmware-cloud-foundation/
--- a/6
+++ b/6
@@ -13,7 +13,7 @@
 # limitations under the License.

 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.25.9-trixie AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.25-bookworm AS velero-builder

 ARG GOPROXY
 ARG BIN
@@ -49,7 +49,7 @@ RUN mkdir -p /output/usr/bin && \
    go clean -modcache -cache

 # Restic binary build section
-FROM --platform=$BUILDPLATFORM golang:1.25.9-trixie AS restic-builder
+FROM --platform=$BUILDPLATFORM golang:1.25-bookworm AS restic-builder

 ARG GOPROXY
 ARG BIN
@@ -73,7 +73,7 @@ RUN mkdir -p /output/usr/bin && \
    go clean -modcache -cache

 # Velero image packing section
-FROM paketobuildpacks/run-jammy-tiny:0.2.126
+FROM paketobuildpacks/run-jammy-tiny:latest

 LABEL maintainer="Xun Jiang <jxun@vmware.com>"

--- a/2
+++ b/2
@@ -15,7 +15,7 @@
 ARG OS_VERSION=1809

 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.25.7-bookworm AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.25-bookworm AS velero-builder

 ARG GOPROXY
 ARG BIN
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -7,11 +7,11 @@
 | Maintainer          | GitHub ID                                                     | Affiliation                                      |
 |---------------------|---------------------------------------------------------------|--------------------------------------------------|
 | Scott Seago         | [sseago](https://github.com/sseago)                           | [OpenShift](https://github.com/openshift)        |
-| Daniel Jiang        | [reasonerjt](https://github.com/reasonerjt)                   | Broadcom                                         |
-| Wenkai Yin          | [ywk253100](https://github.com/ywk253100)                     | Broadcom                                         |
-| Xun Jiang           | [blackpiglet](https://github.com/blackpiglet)                 | Broadcom                                         |
+| Daniel Jiang        | [reasonerjt](https://github.com/reasonerjt)                   | [VMware](https://www.github.com/vmware/)         |
+| Wenkai Yin          | [ywk253100](https://github.com/ywk253100)                     | [VMware](https://www.github.com/vmware/)         |
+| Xun Jiang           | [blackpiglet](https://github.com/blackpiglet)                 | [VMware](https://www.github.com/vmware/)         |
 | Shubham Pampattiwar | [shubham-pampattiwar](https://github.com/shubham-pampattiwar) | [OpenShift](https://github.com/openshift)        |
-| Yonghui Li          | [Lyndon-Li](https://github.com/Lyndon-Li)                     | Broadcom                                         |
+| Yonghui Li          | [Lyndon-Li](https://github.com/Lyndon-Li)                     | [VMware](https://www.github.com/vmware/)         |
 | Anshul Ahuja        | [anshulahuja98](https://github.com/anshulahuja98)             | [Microsoft Azure](https://www.github.com/azure/) |
 | Tiger Kaovilai      | [kaovilai](https://github.com/kaovilai)                       | [OpenShift](https://github.com/openshift)        |

@@ -27,3 +27,14 @@
 * JenTing Hsiao ([jenting](https://github.com/jenting))
 * Dave Smith-Uchida ([dsu-igeek](https://github.com/dsu-igeek))
 * Ming Qiu ([qiuming-best](https://github.com/qiuming-best))
+
+## Velero Contributors & Stakeholders
+
+| Feature Area           |                                         Lead                                         |
+|------------------------|:------------------------------------------------------------------------------------:|
+| Technical Lead         |               Daniel Jiang [reasonerjt](https://github.com/reasonerjt)               |
+| Kubernetes CSI Liaison |                                                                                      |
+| Deployment             |                                                                                      |
+| Community Management   |            Orlin Vasilev [OrlinVasilev](https://github.com/OrlinVasilev)             |
+| Product Management     | Pradeep Kumar Chaturvedi [pradeepkchaturvedi](https://github.com/pradeepkchaturvedi) |
+
--- a/README.md
+++ b/README.md
@@ -42,11 +42,13 @@ The following is a list of the supported Kubernetes versions for each Velero ver

 | Velero version | Expected Kubernetes version compatibility | Tested on Kubernetes version        |
 |----------------|-------------------------------------------|-------------------------------------|
-| 1.18           | 1.18-latest                               | 1.33.7, 1.34.1, and 1.35.0          |
-| 1.17           | 1.18-latest                               | 1.31.7, 1.32.3, 1.33.1, and 1.34.0  |
+| 1.17           | 1.18-latest                               | 1.31.7, 1.32.3, 1.33.1, and 1.34.0          |
 | 1.16           | 1.18-latest                               | 1.31.4, 1.32.3, and 1.33.0          |
 | 1.15           | 1.18-latest                               | 1.28.8, 1.29.8, 1.30.4 and 1.31.1   |
 | 1.14           | 1.18-latest                               | 1.27.9, 1.28.9, and 1.29.4          |
+| 1.13           | 1.18-latest                               | 1.26.5, 1.27.3, 1.27.8, and 1.28.3  |
+| 1.12           | 1.18-latest                               | 1.25.7, 1.26.5, 1.26.7, and 1.27.3  |
+| 1.11           | 1.18-latest                               | 1.23.10, 1.24.9, 1.25.5, and 1.26.1 |

 Velero supports IPv4, IPv6, and dual stack environments. Support for this was tested against Velero v1.8.

--- a/2
+++ b/2
@@ -52,7 +52,7 @@ git_sha = str(local("git rev-parse HEAD", quiet = True, echo_off = True)).strip(

 tilt_helper_dockerfile_header = """
 # Tilt image
-FROM golang:1.25.9 as tilt-helper
+FROM golang:1.25 as tilt-helper

 # Support live reloading with Tilt
 RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/restart.sh  && \
--- a/changelogs/CHANGELOG-1.18.md
+++ b/changelogs/CHANGELOG-1.18.md
@@ -1,147 +0,0 @@
-## v1.18.1
-
-### Download
-https://github.com/vmware-tanzu/velero/releases/tag/v1.18.1
-
-### Container Image
-`velero/velero:v1.18.1`
-
-### Documentation
-https://velero.io/docs/v1.18/
-
-### Upgrading
-https://velero.io/docs/v1.18/upgrade-to-1.18/
-
-### All Changes
-  * Fix wildcard expansion when includes is empty and excludes has wildcards (#9743, @Joeavaikath)
-  * Backporting PR #9700 and #9693, fix issue #9699, add a 2-second gap between temporary CSI VolumeSnapshotContent create and delete operations. Enhance backup deletion logic to handle tarball download failures (#9731, @priyansh17)
-  * Fix issue #9703, fix CSI PVC Backup Plugin list options to only list in installed namespace (#9708, @adam-jian-zhang)
-  * Bump external-snapshotter to v8.4.0 and migrate VolumeGroupSnapshot API from v1beta1 to v1beta2 for Kubernetes 1.34+ compatibility (#9706, @shubham-pampattiwar)
-  * Fix issue #9681, fix restores and podvolumerestores list options to only list in installed namespace (#9696, @adam-jian-zhang)
-  * Fix issue #9659, in the case that PVB/PVR/DU/DD is cancelled before the data path is really started, call EndEvent to prevent data mover pod from crashing because of delay event distribution (#9672, @Lyndon-Li)
-  * Fix issue #9626, let go for uninitialized repo under readonly mode (#9669, @Lyndon-Li)
-  * Fix issue #9460, flush buffer before data mover completes (#9610, @Lyndon-Li)
-  * Fix issue #9475, use node-selector instead of nodName for generic restore (#9609, @Lyndon-Li)
-  * Fix issue #9496, support customized host os (#9606, @Lyndon-Li)
-  * Fix issue #9343, include PV topology to data mover pod affinities (#9594, @Lyndon-Li)
-  * Fix VolumeGroupSnapshot restore failure with Ceph RBD CSI driver by creating stub VolumeGroupSnapshotContent during restore and looking up VolumeSnapshotClass by driver for credential support (#9687, @shubham-pampattiwar)
-  * Add custom action type to volume policies (#9678, @sseago)
-  * Fix issue #9666, fix node-agent node detection in multiple instances scenario (#9671, @adam-jian-zhang)
-  * Add check for file extraction from tarball. (#9661, @blackpiglet)
-  * Fix issue #9636, fix configmap lookup in non-default namespaces (#9637, @adam-jian-zhang)
-  * Optimize VSC handle readiness polling for VSS backups (#9629, @sseago)
-  * Fix DBR stuck when CSI snapshot no longer exists in cloud provider (#9604, @shubham-pampattiwar)
-  * If BIA return updateObj with SkipFromBackupAnnotation, treat it as skip the resource from backup. (#9597, @blackpiglet)
-  * Add ephemeral storage limit and request support for data mover and maintenance job (#9596, @blackpiglet)
-  * Remove wildcard check from getNamespacesToList. (#9587, @blackpiglet)
-
-
-## v1.18
-
-### Download
-https://github.com/vmware-tanzu/velero/releases/tag/v1.18.0
-
-### Container Image
-`velero/velero:v1.18.0`
-
-### Documentation
-https://velero.io/docs/v1.18/
-
-### Upgrading
-https://velero.io/docs/v1.18/upgrade-to-1.18/
-
-### Highlights
-#### Concurrent backup
-In v1.18, Velero is capable to process multiple backups concurrently. This is a significant usability improvement, especially for multiple tenants or multiple users case, backups submitted from different users could run their backups simultaneously without interfering with each other.  
-
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/Implemented/concurrent-backup-processing.md for more details.
-
-#### Cache volume for data movers
-In v1.18, Velero allows users to configure cache volumes for data mover pods during restore for CSI snapshot data movement and fs-backup. This brings below benefits:
- Solve the problem that data mover pods fail to when pod's ephemeral disk is limited
- Solve the problem that multiple data mover pods fail to run concurrently in one node when the node's ephemeral disk is limited
- Working together with backup repository's cache limit configuration, cache volume with appropriate size helps to improve the restore throughput
-
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/Implemented/backup-repo-cache-volume.md for more details.
-
-#### Incremental size for data movers
-In v1.18, Velero allows users to observe the incremental size of data movers backups for CSI snapshot data movement and fs-backup, so that users could visually see the data reduction due to incremental backup.
-
-#### Wildcard support for namespaces
-In v1.18, Velero allows to use Glob regular expressions for namespace filters during backup and restore, so that users could filter namespaces in a batch manner.
-
-#### VolumePolicy for PVC phase
-In v1.18, Velero VolumePolicy supports actions by PVC phase, which help users to do special operations for PVCs with a specific phase, e.g., skip PVCs in Pending/Lost status from the backup.  
-
-#### Scalability and Resiliency improvements
-##### Prevent Velero server OOM Kill for large backup repositories
-In v1.18, some backup repository operations are delay executed out of Velero server, so Velero server won't be OOM Killed.
-
-#### Performance improvement for VolumePolicy
-In v1.18, VolumePolicy is enhanced for large number of pods/PVCs so that the performance is significantly improved.
-
-#### Events for data mover pod diagnostic
-In v1.18, events are recorded into data mover pod diagnostic, which allows user to see more information for troubleshooting when the data mover pod fails.
-
-### Runtime and dependencies
-Golang runtime: 1.25.7  
-kopia: 0.22.3
-
-### Limitations/Known issues
-
-### Breaking changes
-#### Deprecation of PVC selected node feature
-According to [Velero deprecation policy](https://github.com/vmware-tanzu/velero/blob/main/GOVERNANCE.md#deprecation-policy), PVC selected node feature is deprecated in v1.18. Velero could appropriately handle PVC's selected-node annotation, so users don't need to do anything particularly.
-
-### All Changes
-* Remove backup from running list when backup fails validation (#9498, @sseago)
-* Maintenance Job only uses the first element of the LoadAffinity array (#9494, @blackpiglet)
-* Fix issue #9478, add diagnose info on expose peek fails (#9481, @Lyndon-Li)
-* Add Role, RoleBinding, ClusterRole, and ClusterRoleBinding in restore sequence. (#9474, @blackpiglet)
-* Add maintenance job and data mover pod's labels and annotations setting. (#9452, @blackpiglet)
-* Fix plugin init container names exceeding DNS-1123 limit (#9445, @mpryc)
-* Add PVC-to-Pod cache to improve volume policy performance (#9441, @shubham-pampattiwar)
-* Remove VolumeSnapshotClass from CSI B/R process. (#9431, @blackpiglet)
-* Use hookIndex for recording multiple restore exec hooks. (#9366, @blackpiglet)
-* Sanitize Azure HTTP responses in BSL status messages (#9321, @shubham-pampattiwar)
-* Remove labels associated with previous backups (#9206, @Joeavaikath)
-* Add VolumePolicy support for PVC Phase conditions to allow skipping Pending PVCs (#9166, @claude)
-* feat: Enhance BackupStorageLocation with Secret-based CA certificate support (#9141, @kaovilai)
-* Add `--apply` flag to `install` command, allowing usage of Kubernetes apply to make changes to existing installs (#9132, @mjnagel)
-* Fix issue #9194, add doc for GOMAXPROCS behavior change (#9420, @Lyndon-Li)
-* Apply volume policies to VolumeGroupSnapshot PVC filtering (#9419, @shubham-pampattiwar)
-* Fix issue #9276, add doc for cache volume support (#9418, @Lyndon-Li)
-* Add Prometheus metrics for maintenance jobs (#9414, @shubham-pampattiwar)
-* Fix issue #9400, connect repo first time after creation so that init params could be written (#9407, @Lyndon-Li)
-* Cache volume for PVR (#9397, @Lyndon-Li)
-* Cache volume support for DataDownload (#9391, @Lyndon-Li)
-* don't copy securitycontext from first container if configmap found (#9389, @sseago)
-* Refactor repo provider interface for static configuration (#9379, @Lyndon-Li)
-* Fix issue #9365, prevent fake completion notification due to multiple update of single PVR (#9375, @Lyndon-Li)
-* Add cache volume configuration (#9370, @Lyndon-Li)
-* Track actual resource names for GenerateName in restore status (#9368, @shubham-pampattiwar)
-* Fix managed fields patch for resources using GenerateName (#9367, @shubham-pampattiwar)
-* Support cache volume for generic restore exposer and pod volume exposer (#9362, @Lyndon-Li)
-* Add incrementalSize to DU/PVB for reporting new/changed size (#9357, @sseago)
-* Add snapshotSize for DataDownload, PodVolumeRestore (#9354, @Lyndon-Li)
-* Add cache dir configuration for udmrepo (#9353, @Lyndon-Li)
-* Fix the Job build error when BackupReposiotry name longer than 63. (#9350, @blackpiglet)
-* Add cache configuration to VGDP (#9342, @Lyndon-Li)
-* Fix issue #9332, add bytesDone for cache files (#9333, @Lyndon-Li)
-* Fix typos in documentation (#9329, @T4iFooN-IX)
-* Concurrent backup processing (#9307, @sseago)
-* VerifyJSONConfigs verify every elements in Data. (#9302, @blackpiglet)
-* Fix issue #9267, add events to data mover prepare diagnostic (#9296, @Lyndon-Li)
-* Add option for privileged fs-backup pod (#9295, @sseago)
-* Fix issue #9193, don't connect repo in repo controller (#9291, @Lyndon-Li)
-* Implement concurrency control for cache of native VolumeSnapshotter plugin. (#9281, @0xLeo258)
-* Fix issue #7904, remove the code and doc for PVC node selection (#9269, @Lyndon-Li)
-* Fix schedule controller to prevent backup queue accumulation during extended blocking scenarios by properly handling empty backup phases (#9264, @shubham-pampattiwar)
-* Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment (#9256, @shubham-pampattiwar)
-* Implement wildcard namespace pattern expansion for backup namespace includes/excludes. This change adds support for wildcard patterns (*, ?, [abc], {a,b,c}) in namespace includes and excludes during backup operations (#9255, @Joeavaikath)
-* Protect VolumeSnapshot field from race condition during multi-thread backup (#9248, @0xLeo258)
-* Update AzureAD Microsoft Authentication Library to v1.5.0 (#9244, @priyansh17)
-* Get pod list once per namespace in pvc IBA (#9226, @sseago)
-* Fix issue #7725, add design for backup repo cache configuration (#9148, @Lyndon-Li)
-* Fix issue #9229, don't attach backupPVC to the source node (#9233, @Lyndon-Li)
-* feat: Permit specifying annotations for the BackupPVC (#9173, @clementnuss)
--- a/changelogs/unreleased/9132-mjnagel
+++ b/changelogs/unreleased/9132-mjnagel
@@ -0,0 +1 @@
+Add `--apply` flag to `install` command, allowing usage of Kubernetes apply to make changes to existing installs
--- a/changelogs/unreleased/9148-Lyndon-Li
+++ b/changelogs/unreleased/9148-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #7725, add design for backup repo cache configuration
--- a/changelogs/unreleased/9173-clementnuss
+++ b/changelogs/unreleased/9173-clementnuss
@@ -0,0 +1 @@
+feat: Permit specifying annotations for the BackupPVC
--- a/changelogs/unreleased/9226-sseago
+++ b/changelogs/unreleased/9226-sseago
@@ -0,0 +1 @@
+Get pod list once per namespace in pvc IBA
--- a/changelogs/unreleased/9233-Lyndon-Li
+++ b/changelogs/unreleased/9233-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #9229, don't attach backupPVC to the source node
--- a/changelogs/unreleased/9244-priyansh17
+++ b/changelogs/unreleased/9244-priyansh17
@@ -0,0 +1 @@
+Update AzureAD Microsoft Authentication Library to v1.5.0
--- a/changelogs/unreleased/9248-0xLeo258
+++ b/changelogs/unreleased/9248-0xLeo258
@@ -0,0 +1 @@
+Protect VolumeSnapshot field from race condition during multi-thread backup
--- a/changelogs/unreleased/9255-Joeavaikath
+++ b/changelogs/unreleased/9255-Joeavaikath
@@ -0,0 +1,10 @@
+Implement wildcard namespace pattern expansion for backup namespace includes/excludes.
+
+This change adds support for wildcard patterns (*, ?, [abc], {a,b,c}) in namespace includes and excludes during backup operations. 
+When wildcard patterns are detected, they are expanded against the list of active namespaces in the cluster before the backup proceeds.
+
+Key features:
+- Wildcard patterns in namespace includes/excludes are automatically detected and expanded
+- Pattern validation ensures unsupported patterns (regex, consecutive asterisks) are rejected
+- Empty wildcard results (e.g., "invalid*" matching no namespaces) correctly result in empty backups
+- Exact namespace names and "*" continue to work as before (no expansion needed)
--- a/changelogs/unreleased/9256-shubham-pampattiwar
+++ b/changelogs/unreleased/9256-shubham-pampattiwar
@@ -0,0 +1 @@
+Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment
--- a/changelogs/unreleased/9264-shubham-pampattiwar
+++ b/changelogs/unreleased/9264-shubham-pampattiwar
@@ -0,0 +1 @@
+Fix schedule controller to prevent backup queue accumulation during extended blocking scenarios by properly handling empty backup phases
--- a/changelogs/unreleased/9269-Lyndon-Li
+++ b/changelogs/unreleased/9269-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #7904, remove the code and doc for PVC node selection
--- a/changelogs/unreleased/9281-0xLeo258
+++ b/changelogs/unreleased/9281-0xLeo258
@@ -0,0 +1 @@
+Implement concurrency control for cache of native VolumeSnapshotter plugin.
--- a/changelogs/unreleased/9291-Lyndon-Li
+++ b/changelogs/unreleased/9291-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #9193, don't connect repo in repo controller
--- a/changelogs/unreleased/9295-sseago
+++ b/changelogs/unreleased/9295-sseago
@@ -0,0 +1 @@
+Add option for privileged fs-backup pod
--- a/changelogs/unreleased/9296-Lyndon-Li
+++ b/changelogs/unreleased/9296-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #9267, add events to data mover prepare diagnostic
--- a/changelogs/unreleased/9302-blackpiglet
+++ b/changelogs/unreleased/9302-blackpiglet
@@ -0,0 +1 @@
+VerifyJSONConfigs verify every elements in Data.
--- a/changelogs/unreleased/9307-sseago
+++ b/changelogs/unreleased/9307-sseago
@@ -0,0 +1 @@
+Concurrent backup processing
--- a/changelogs/unreleased/9321-shubham-pampattiwar
+++ b/changelogs/unreleased/9321-shubham-pampattiwar
@@ -0,0 +1 @@
+Sanitize Azure HTTP responses in BSL status messages
--- a/changelogs/unreleased/9329-T4iFooN-IX
+++ b/changelogs/unreleased/9329-T4iFooN-IX
@@ -0,0 +1 @@
+Fix typos in documentation
--- a/changelogs/unreleased/9333-Lyndon-Li
+++ b/changelogs/unreleased/9333-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #9332, add bytesDone for cache files
--- a/changelogs/unreleased/9342-Lyndon-Li
+++ b/changelogs/unreleased/9342-Lyndon-Li
@@ -0,0 +1 @@
+Add cache configuration to VGDP
--- a/changelogs/unreleased/9350-blackpiglet
+++ b/changelogs/unreleased/9350-blackpiglet
@@ -0,0 +1 @@
+Fix the Job build error when BackupReposiotry name longer than 63.
--- a/changelogs/unreleased/9353-Lyndon-Li
+++ b/changelogs/unreleased/9353-Lyndon-Li
@@ -0,0 +1 @@
+Add cache dir configuration for udmrepo
--- a/changelogs/unreleased/9354-Lyndon-Li
+++ b/changelogs/unreleased/9354-Lyndon-Li
@@ -0,0 +1 @@
+Add snapshotSize for DataDownload, PodVolumeRestore
--- a/changelogs/unreleased/9357-sseago
+++ b/changelogs/unreleased/9357-sseago
@@ -0,0 +1 @@
+Add incrementalSize to DU/PVB for reporting new/changed size
--- a/changelogs/unreleased/9362-Lyndon-Li
+++ b/changelogs/unreleased/9362-Lyndon-Li
@@ -0,0 +1 @@
+Support cache volume for generic restore exposer and pod volume exposer
--- a/changelogs/unreleased/9367-shubham-pampattiwar
+++ b/changelogs/unreleased/9367-shubham-pampattiwar
@@ -0,0 +1 @@
+Fix managed fields patch for resources using GenerateName
--- a/changelogs/unreleased/9368-shubham-pampattiwar
+++ b/changelogs/unreleased/9368-shubham-pampattiwar
@@ -0,0 +1 @@
+Track actual resource names for GenerateName in restore status
--- a/changelogs/unreleased/9370-Lyndon-Li
+++ b/changelogs/unreleased/9370-Lyndon-Li
@@ -0,0 +1 @@
+Add cache volume configuration
--- a/changelogs/unreleased/9375-Lyndon-Li
+++ b/changelogs/unreleased/9375-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #9365, prevent fake completion notification due to multiple update of single PVR
--- a/changelogs/unreleased/9379-Lyndon-Li
+++ b/changelogs/unreleased/9379-Lyndon-Li
@@ -0,0 +1 @@
+Refactor repo provider interface for static configuration
--- a/changelogs/unreleased/9389-sseago
+++ b/changelogs/unreleased/9389-sseago
@@ -0,0 +1 @@
+don't copy securitycontext from first container if configmap found
--- a/changelogs/unreleased/9391-Lyndon-Li
+++ b/changelogs/unreleased/9391-Lyndon-Li
@@ -0,0 +1 @@
+Cache volume support for DataDownload
--- a/changelogs/unreleased/9397-Lyndon-Li
+++ b/changelogs/unreleased/9397-Lyndon-Li
@@ -0,0 +1 @@
+Cache volume for PVR
--- a/changelogs/unreleased/9407-Lyndon-Li
+++ b/changelogs/unreleased/9407-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #9400, connect repo first time after creation so that init params could be written
--- a/changelogs/unreleased/9414-shubham-pampattiwar
+++ b/changelogs/unreleased/9414-shubham-pampattiwar
@@ -0,0 +1 @@
+Add Prometheus metrics for maintenance jobs
--- a/changelogs/unreleased/9418-Lyndon-Li
+++ b/changelogs/unreleased/9418-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #9276, add doc for cache volume support
--- a/changelogs/unreleased/9419-shubham-pampattiwar
+++ b/changelogs/unreleased/9419-shubham-pampattiwar
@@ -0,0 +1 @@
+Apply volume policies to VolumeGroupSnapshot PVC filtering
--- a/changelogs/unreleased/9420-Lyndon-Li
+++ b/changelogs/unreleased/9420-Lyndon-Li
@@ -0,0 +1 @@
+Fix issue #9194, add doc for GOMAXPROCS behavior change
--- a/changelogs/unreleased/9431-blackpiglet
+++ b/changelogs/unreleased/9431-blackpiglet
@@ -0,0 +1 @@
+Remove VolumeSnapshotClass from CSI B/R process.
--- a/config/crd/v1/bases/velero.io_backupstoragelocations.yaml
+++ b/config/crd/v1/bases/velero.io_backupstoragelocations.yaml
@@ -113,38 +113,10 @@ spec:
                    description: Bucket is the bucket to use for object storage.
                    type: string
                  caCert:
-                    description: |-
-                      CACert defines a CA bundle to use when verifying TLS connections to the provider.
-                      Deprecated: Use CACertRef instead.
+                    description: CACert defines a CA bundle to use when verifying
+                      TLS connections to the provider.
                    format: byte
                    type: string
-                  caCertRef:
-                    description: |-
-                      CACertRef is a reference to a Secret containing the CA certificate bundle to use
-                      when verifying TLS connections to the provider. The Secret must be in the same
-                      namespace as the BackupStorageLocation.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be
-                          a valid secret key.
-                        type: string
-                      name:
-                        default: ""
-                        description: |-
-                          Name of the referent.
-                          This field is effectively required, but due to backwards compatibility is
-                          allowed to be empty. Instances of this type with an empty value here are
-                          almost certainly wrong.
-                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        type: string
-                      optional:
-                        description: Specify whether the Secret or its key must be
-                          defined
-                        type: boolean
-                    required:
-                    - key
-                    type: object
-                    x-kubernetes-map-type: atomic
                  prefix:
                    description: Prefix is the path inside a bucket to use for Velero
                      storage. Optional.
--- a/config/crd/v1/crds/crds.go
+++ b/config/crd/v1/crds/crds.go
--- a/design/Implemented/bsl-certificate-support_design.md
+++ b/design/Implemented/bsl-certificate-support_design.md
@@ -1,417 +0,0 @@
-# Design for BSL Certificate Support Enhancement
-
-## Abstract
-
-This design document describes the enhancement of BackupStorageLocation (BSL) certificate management in Velero, introducing a Secret-based certificate reference mechanism (`caCertRef`) alongside the existing inline certificate field (`caCert`). This enhancement provides a more secure, Kubernetes-native approach to certificate management while enabling future CLI improvements for automatic certificate discovery.
-
-## Background
-
-Currently, Velero supports TLS certificate verification for object storage providers through an inline `caCert` field in the BSL specification. While functional, this approach has several limitations:
-
- **Security**: Certificates are stored directly in the BSL YAML, potentially exposing sensitive data
- **Management**: Certificate rotation requires updating the BSL resource itself
- **CLI Usability**: Users must manually specify certificates when using CLI commands
- **Size Limitations**: Large certificate bundles can make BSL resources unwieldy
-
-Issue #9097 and PR #8557 highlight the need for improved certificate management that addresses these concerns while maintaining backward compatibility.
-
-## Goals
-
- Provide a secure, Secret-based certificate storage mechanism
- Maintain full backward compatibility with existing BSL configurations
- Enable future CLI enhancements for automatic certificate discovery
- Simplify certificate rotation and management
- Provide clear migration path for existing users
-
-## Non-Goals
-
- Removing support for inline certificates immediately
- Changing the behavior of existing BSL configurations
- Implementing client-side certificate validation
- Supporting certificates from ConfigMaps or other resource types
-
-## High-Level Design
-
-### API Changes
-
-#### New Field: CACertRef
-
-```go
-type ObjectStorageLocation struct {
-    // Existing field (now deprecated)
-    // +optional
-    // +kubebuilder:deprecatedversion:warning="caCert is deprecated, use caCertRef instead"
-    CACert []byte `json:"caCert,omitempty"`
-
-    // New field for Secret reference
-    // +optional
-    CACertRef *corev1api.SecretKeySelector `json:"caCertRef,omitempty"`
-}
-```
-
-The `SecretKeySelector` follows standard Kubernetes patterns:
-```go
-type SecretKeySelector struct {
-    // Name of the Secret
-    Name string `json:"name"`
-    // Key within the Secret
-    Key string `json:"key"`
-}
-```
-
-### Certificate Resolution Logic
-
-The system follows a priority-based resolution:
-
-1. If `caCertRef` is specified, retrieve certificate from the referenced Secret
-2. If `caCert` is specified (and `caCertRef` is not), use the inline certificate
-3. If neither is specified, no custom CA certificate is used
-
-### Validation
-
-BSL validation ensures mutual exclusivity:
-```go
-func (bsl *BackupStorageLocation) Validate() error {
-    if bsl.Spec.ObjectStorage != nil &&
-        bsl.Spec.ObjectStorage.CACert != nil &&
-        bsl.Spec.ObjectStorage.CACertRef != nil {
-        return errors.New("cannot specify both caCert and caCertRef in objectStorage")
-    }
-    return nil
-}
-```
-
-## Detailed Design
-
-### BSL Controller Changes
-
-The BSL controller incorporates validation during reconciliation:
-
-```go
-func (r *backupStorageLocationReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
-    // ... existing code ...
-    
-    // Validate BSL configuration
-    if err := location.Validate(); err != nil {
-        r.logger.WithError(err).Error("BSL validation failed")
-        return ctrl.Result{}, err
-    }
-    
-    // ... continue reconciliation ...
-}
-```
-
-### Repository Provider Integration
-
-All repository providers implement consistent certificate handling:
-
-```go
-func configureCACert(bsl *velerov1api.BackupStorageLocation, credGetter *credentials.CredentialGetter) ([]byte, error) {
-    if bsl.Spec.ObjectStorage == nil {
-        return nil, nil
-    }
-
-    // Prefer caCertRef (new method)
-    if bsl.Spec.ObjectStorage.CACertRef != nil {
-        certString, err := credGetter.FromSecret.Get(bsl.Spec.ObjectStorage.CACertRef)
-        if err != nil {
-            return nil, errors.Wrap(err, "error getting CA certificate from secret")
-        }
-        return []byte(certString), nil
-    }
-
-    // Fall back to caCert (deprecated)
-    if bsl.Spec.ObjectStorage.CACert != nil {
-        return bsl.Spec.ObjectStorage.CACert, nil
-    }
-
-    return nil, nil
-}
-```
-
-### CLI Certificate Discovery Integration
-
-#### Background: PR #8557 Implementation
-PR #8557 ("CLI automatically discovers and uses cacert from BSL") was merged in August 2025, introducing automatic CA certificate discovery from BackupStorageLocation for Velero CLI download operations. This eliminated the need for users to manually specify the `--cacert` flag when performing operations like `backup describe`, `backup download`, `backup logs`, and `restore logs`.
-
-#### Current Implementation (Post PR #8557)
-The CLI now automatically discovers certificates from BSL through the `pkg/cmd/util/cacert/bsl_cacert.go` module:
-
-```go
-// Current implementation only supports inline caCert
-func GetCACertFromBSL(ctx context.Context, client kbclient.Client, namespace, bslName string) (string, error) {
-    // ... fetch BSL ...
-    if bsl.Spec.ObjectStorage != nil && len(bsl.Spec.ObjectStorage.CACert) > 0 {
-        return string(bsl.Spec.ObjectStorage.CACert), nil
-    }
-    return "", nil
-}
-```
-
-#### Enhancement with caCertRef Support
-This design extends the existing CLI certificate discovery to support the new `caCertRef` field:
-
-```go
-// Enhanced implementation supporting both caCert and caCertRef
-func GetCACertFromBSL(ctx context.Context, client kbclient.Client, namespace, bslName string) (string, error) {
-    // ... fetch BSL ...
-
-    // Prefer caCertRef over inline caCert
-    if bsl.Spec.ObjectStorage.CACertRef != nil {
-        secret := &corev1api.Secret{}
-        key := types.NamespacedName{
-            Name:      bsl.Spec.ObjectStorage.CACertRef.Name,
-            Namespace: namespace,
-        }
-        if err := client.Get(ctx, key, secret); err != nil {
-            return "", errors.Wrap(err, "error getting certificate secret")
-        }
-
-        certData, ok := secret.Data[bsl.Spec.ObjectStorage.CACertRef.Key]
-        if !ok {
-            return "", errors.Errorf("key %s not found in secret",
-                bsl.Spec.ObjectStorage.CACertRef.Key)
-        }
-        return string(certData), nil
-    }
-
-    // Fall back to inline caCert (deprecated)
-    if bsl.Spec.ObjectStorage.CACert != nil {
-        return string(bsl.Spec.ObjectStorage.CACert), nil
-    }
-
-    return "", nil
-}
-```
-
-#### Certificate Resolution Priority
-
-The CLI follows this priority order for certificate resolution:
-
-1. **`--cacert` flag** - Manual override, highest priority
-2. **`caCertRef`** - Secret-based certificate (recommended)
-3. **`caCert`** - Inline certificate (deprecated)
-4. **System certificate pool** - Default fallback
-
-#### User Experience Improvements
-
-With both PR #8557 and this enhancement:
-
-```bash
-# Automatic discovery - works with both caCert and caCertRef
-velero backup describe my-backup
-velero backup download my-backup
-velero backup logs my-backup
-velero restore logs my-restore
-
-# Manual override still available
-velero backup describe my-backup --cacert /custom/ca.crt
-
-# Debug output shows certificate source
-velero backup download my-backup --log-level=debug
-# [DEBUG] Resolved CA certificate from BSL 'default' Secret 'storage-ca-cert' key 'ca-bundle.crt'
-```
-
-#### RBAC Considerations for CLI
-
-CLI users need read access to Secrets when using `caCertRef`:
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: velero-cli-user
-  namespace: velero
-rules:
- apiGroups: ["velero.io"]
-  resources: ["backups", "restores", "backupstoragelocations"]
-  verbs: ["get", "list"]
- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get"]
-  # Limited to secrets referenced by BSLs
-```
-
-### Migration Strategy
-
-#### Phase 1: Introduction (Current)
- Add `caCertRef` field
- Mark `caCert` as deprecated
- Both fields supported, mutual exclusivity enforced
-
-#### Phase 2: Migration Period
- Documentation and tools to help users migrate
- Warning messages for `caCert` usage
- CLI enhancements to leverage `caCertRef`
-
-#### Phase 3: Future Removal
- Remove `caCert` field in major version update
- Provide migration tool for automatic conversion
-
-## User Experience
-
-### Creating a BSL with Certificate Reference
-
-1. Create a Secret containing the CA certificate:
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: storage-ca-cert
-  namespace: velero
-type: Opaque
-data:
-  ca-bundle.crt: <base64-encoded-certificate>
-```
-
-2. Reference the Secret in BSL:
-```yaml
-apiVersion: velero.io/v1
-kind: BackupStorageLocation
-metadata:
-  name: default
-  namespace: velero
-spec:
-  provider: aws
-  objectStorage:
-    bucket: my-bucket
-    caCertRef:
-      name: storage-ca-cert
-      key: ca-bundle.crt
-```
-
-### Certificate Rotation
-
-With Secret-based certificates:
-```bash
-# Update the Secret with new certificate
-kubectl create secret generic storage-ca-cert \
-  --from-file=ca-bundle.crt=new-ca.crt \
-  --dry-run=client -o yaml | kubectl apply -f -
-
-# No BSL update required - changes take effect on next use
-```
-
-### CLI Usage Examples
-
-#### Immediate Benefits
- No change required for existing workflows
- Certificate validation errors include helpful context
-
-#### Future CLI Enhancements
-```bash
-# Automatic certificate discovery
-velero backup download my-backup
-
-# Manual override still available
-velero backup download my-backup --cacert /custom/ca.crt
-
-# Debug certificate resolution
-velero backup download my-backup --log-level=debug
-# [DEBUG] Resolved CA certificate from BSL 'default' Secret 'storage-ca-cert'
-```
-
-## Security Considerations
-
-### Advantages of Secret-based Storage
-
-1. **Encryption at Rest**: Secrets are encrypted in etcd
-2. **RBAC Control**: Fine-grained access control via Kubernetes RBAC
-3. **Audit Trail**: Secret access is auditable
-4. **Separation of Concerns**: Certificates separate from configuration
-
-### Required Permissions
-
-The Velero server requires additional RBAC permissions:
-```yaml
- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get"]
-  # Scoped to secrets referenced by BSLs
-```
-
-## Compatibility
-
-### Backward Compatibility
-
- Existing BSLs with `caCert` continue to function unchanged
- No breaking changes to API
- Gradual migration path
-
-### Forward Compatibility
-
- Design allows for future enhancements:
-  - Multiple certificate support
-  - Certificate chain validation
-  - Automatic certificate discovery from cloud providers
-
-## Implementation Phases
-
-### Phase 1: Core Implementation ✓ (Current PR)
- API changes with new `caCertRef` field
- Controller validation
- Repository provider updates
- Basic testing
-
-### Phase 2: CLI Enhancement (Future)
- Automatic certificate discovery in CLI
- Enhanced error messages
- Debug logging for certificate resolution
-
-### Phase 3: Migration Tools (Future)
- Automated migration scripts
- Validation tools
- Documentation updates
-
-## Testing
-
-### Unit Tests
- BSL validation logic
- Certificate resolution in providers
- Controller behavior
-
-### Integration Tests
- End-to-end backup/restore with `caCertRef`
- Certificate rotation scenarios
- Migration from `caCert` to `caCertRef`
-
-### Manual Testing Scenarios
-1. Create BSL with `caCertRef`
-2. Perform backup/restore operations
-3. Rotate certificate in Secret
-4. Verify continued operation
-
-## Documentation
-
-### User Documentation
- Migration guide from `caCert` to `caCertRef`
- Examples for common cloud providers
- Troubleshooting guide
-
-### API Documentation
- Updated API reference
- Deprecation notices
- Field descriptions
-
-## Alternatives Considered
-
-### ConfigMap-based Storage
- Pros: Similar to Secrets, simpler API
- Cons: Not designed for sensitive data, no encryption at rest
- Decision: Secrets are the Kubernetes-standard for sensitive data
-
-### External Certificate Management
- Pros: Integration with cert-manager, etc.
- Cons: Additional complexity, dependencies
- Decision: Keep it simple, allow users to manage certificates as needed
-
-### Immediate Removal of Inline Certificates
- Pros: Cleaner API, forces best practices
- Cons: Breaking change, migration burden
- Decision: Gradual deprecation respects existing users
-
-## Conclusion
-
-This design provides a secure, Kubernetes-native approach to certificate management in Velero while maintaining backward compatibility. It establishes the foundation for enhanced CLI functionality and improved user experience, addressing the concerns raised in issue #9097 and enabling the features proposed in PR #8557.
-
-The phased approach ensures smooth migration for existing users while delivering immediate security benefits for new deployments.
--- a/design/Implemented/backup-repo-cache-volume.md
+++ b/design/Implemented/backup-repo-cache-volume.md
--- a/design/Implemented/concurrent-backup-processing.md
+++ b/design/Implemented/concurrent-backup-processing.md
--- a/design/Implemented/wildcard-namespace-support-design.md
+++ b/design/Implemented/wildcard-namespace-support-design.md
--- a/go.mod
+++ b/go.mod
@@ -1,20 +1,20 @@
 module github.com/vmware-tanzu/velero

-go 1.25.9
+go 1.25.0

 require (
-	cloud.google.com/go/storage v1.57.2
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
+	cloud.google.com/go/storage v1.55.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.6.0
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3
-	github.com/aws/aws-sdk-go-v2 v1.41.5
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1
+	github.com/aws/aws-sdk-go-v2 v1.24.1
 	github.com/aws/aws-sdk-go-v2/config v1.26.3
 	github.com/aws/aws-sdk-go-v2/credentials v1.16.14
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.143.0
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7
 	github.com/bombsimon/logrusr/v3 v3.0.0
 	github.com/evanphx/json-patch/v5 v5.9.11
@@ -26,28 +26,27 @@ require (
 	github.com/hashicorp/go-plugin v1.6.0
 	github.com/joho/godotenv v1.3.0
 	github.com/kopia/kopia v0.16.0
-	github.com/kubernetes-csi/external-snapshotter/client/v8 v8.4.0
+	github.com/kubernetes-csi/external-snapshotter/client/v8 v8.2.0
 	github.com/onsi/ginkgo/v2 v2.22.0
 	github.com/onsi/gomega v1.36.1
 	github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.23.2
+	github.com/prometheus/client_golang v1.22.0
 	github.com/prometheus/client_model v0.6.2
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.10.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.11.1
+	github.com/stretchr/testify v1.10.0
 	github.com/vmware-tanzu/crash-diagnostics v0.3.7
-	go.uber.org/zap v1.27.1
-	golang.org/x/mod v0.30.0
-	golang.org/x/oauth2 v0.34.0
-	golang.org/x/sys v0.42.0
-	golang.org/x/text v0.32.0
-	google.golang.org/api v0.256.0
-	google.golang.org/grpc v1.79.3
-	google.golang.org/protobuf v1.36.10
+	go.uber.org/zap v1.27.0
+	golang.org/x/mod v0.29.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/text v0.31.0
+	google.golang.org/api v0.241.0
+	google.golang.org/grpc v1.73.0
+	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.33.3
 	k8s.io/apiextensions-apiserver v0.33.3
@@ -64,48 +63,48 @@ require (
 )

 require (
-	cel.dev/expr v0.25.1 // indirect
-	cloud.google.com/go v0.121.6 // indirect
-	cloud.google.com/go/auth v0.17.0 // indirect
+	cel.dev/expr v0.23.0 // indirect
+	cloud.google.com/go v0.121.1 // indirect
+	cloud.google.com/go/auth v0.16.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
 	cloud.google.com/go/iam v1.5.2 // indirect
 	cloud.google.com/go/monitoring v1.24.2 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 // indirect
-	github.com/aws/smithy-go v1.24.2 // indirect
+	github.com/aws/smithy-go v1.19.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chmduquesne/rollinghash v4.0.0+incompatible // indirect
-	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
+	github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/edsrzf/mmap-go v1.2.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
+	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
@@ -113,38 +112,38 @@ require (
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
-	github.com/gofrs/flock v0.13.0 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
-	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.2 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
-	github.com/hashicorp/cronexpr v1.1.3 // indirect
+	github.com/hashicorp/cronexpr v1.1.2 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.18.2 // indirect
-	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
-	github.com/klauspost/crc32 v1.3.0 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/klauspost/reedsolomon v1.12.6 // indirect
+	github.com/klauspost/reedsolomon v1.12.4 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/minio/crc64nvme v1.1.0 // indirect
+	github.com/minio/crc64nvme v1.0.1 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/minio-go/v7 v7.0.97 // indirect
+	github.com/minio/minio-go/v7 v7.0.94 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
-	github.com/moby/spdystream v0.5.1 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -154,43 +153,44 @@ require (
 	github.com/natefinch/atomic v1.0.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/oklog/run v1.0.0 // indirect
-	github.com/philhofer/fwd v1.2.0 // indirect
+	github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/common v0.67.4 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/common v0.65.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rs/xid v1.6.0 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tinylib/msgp v1.3.0 // indirect
 	github.com/vladimirvivien/gexe v0.1.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.43.0 // indirect
-	go.opentelemetry.io/otel/metric v1.43.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
-	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.48.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/term v0.38.0 // indirect
-	golang.org/x/time v0.14.0 // indirect
-	golang.org/x/tools v0.39.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
+	google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
@@ -198,4 +198,4 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 )

-replace github.com/kopia/kopia => github.com/project-velero/kopia v0.0.0-20251230033609-d946b1e75197
+replace github.com/kopia/kopia => github.com/project-velero/kopia v0.0.0-20250722052735-3ea24d208777
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
 al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
-cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
-cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
+cel.dev/expr v0.23.0 h1:wUb94w6OYQS4uXraxo9U+wUAs9jT47Xvl4iPgAwM2ss=
+cel.dev/expr v0.23.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -24,10 +24,10 @@ cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPT
 cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
 cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
 cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
-cloud.google.com/go v0.121.6 h1:waZiuajrI28iAf40cWgycWNgaXPO06dupuS+sgibK6c=
-cloud.google.com/go v0.121.6/go.mod h1:coChdst4Ea5vUpiALcYKXEpR1S9ZgXbhEzzMcMR66vI=
-cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4=
-cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ=
+cloud.google.com/go v0.121.1 h1:S3kTQSydxmu1JfLRLpKtxRPA7rSrYPRPEUmL/PavVUw=
+cloud.google.com/go v0.121.1/go.mod h1:nRFlrHq39MNVWu+zESP2PosMWA0ryJw8KUBZ2iZpxbw=
+cloud.google.com/go/auth v0.16.2 h1:QvBAGFPLrDeoiNjyfVunhQ10HKNYuOwZ5noee0M5df4=
+cloud.google.com/go/auth v0.16.2/go.mod h1:sRBas2Y1fB1vZTdurouM0AzuYQBMZinrUYL8EufhtEA=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
@@ -36,8 +36,8 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
-cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
+cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU=
+cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
@@ -45,8 +45,8 @@ cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8=
 cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE=
 cloud.google.com/go/logging v1.13.0 h1:7j0HgAp0B94o1YRDqiqm26w4q1rDMH7XNRU34lJXHYc=
 cloud.google.com/go/logging v1.13.0/go.mod h1:36CoKh6KA/M0PbhPKMq6/qety2DCAErbhXT62TuXALA=
-cloud.google.com/go/longrunning v0.7.0 h1:FV0+SYF1RIj59gyoWDRi45GiYUMM3K1qO51qoboQT1E=
-cloud.google.com/go/longrunning v0.7.0/go.mod h1:ySn2yXmjbK9Ba0zsQqunhDkYi0+9rlXIwnoAf+h+TPY=
+cloud.google.com/go/longrunning v0.6.7 h1:IGtfDWHhQCgCjwQjV9iiLnUta9LBCo8R9QmAFsS/PrE=
+cloud.google.com/go/longrunning v0.6.7/go.mod h1:EAFV3IZAKmM56TyiE6VAP3VoTzhZzySwI/YI1s/nRsY=
 cloud.google.com/go/monitoring v1.24.2 h1:5OTsoJ1dXYIiMiuL+sYscLc9BumrL3CarVLL7dd7lHM=
 cloud.google.com/go/monitoring v1.24.2/go.mod h1:x7yzPWcgDRnPEv3sI+jJGBkwl5qINf+6qY4eq0I9B4U=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
@@ -59,19 +59,19 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
-cloud.google.com/go/storage v1.57.2 h1:sVlym3cHGYhrp6XZKkKb+92I1V42ks2qKKpB0CF5Mb4=
-cloud.google.com/go/storage v1.57.2/go.mod h1:n5ijg4yiRXXpCu0sJTD6k+eMf7GRrJmPyr9YxLXGHOk=
+cloud.google.com/go/storage v1.55.0 h1:NESjdAToN9u1tmhVqhXCaCwYBuvEhZLLv0gBr+2znf0=
+cloud.google.com/go/storage v1.55.0/go.mod h1:ztSmTTwzsdXe5syLVS0YsbFxXuvEmEyZj7v7zChEmuY=
 cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4=
 cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1 h1:Wc1ml6QlJs2BHQ/9Bqu1jiyggbsSjramq2oUmp5WeIo=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.6.0 h1:ui3YNbxfW7J3tTFIZMH6LIGRjCngp+J+nIFlnizfNTE=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5 v5.6.0/go.mod h1:gZmgV+qBqygoznvqo2J9oKZAFziqhLZ2xE/WVUmzkHA=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do=
@@ -80,10 +80,10 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsI
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1 h1:/Zt+cDPnpC3OVDm/JKLOs7M2DKmLRIIp3XIx9pHHiig=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1/go.mod h1:Ng3urmn6dYe8gnbCMoHHVl5APYz2txho3koEkV2o2HA=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3 h1:ZJJNFaQ86GVKQ9ehwqyAFE6pIfyicpuJ8IkVaPBc6/4=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3/go.mod h1:URuDvhmATVKqHBH9/0nOiNKk0+YcwfQ3WkK5PqHKxc8=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0 h1:LR0kAX9ykz8G4YgLCaRDVJ3+n43R8MneB5dTy2konZo=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0/go.mod h1:DWAciXemNf++PQJLeXUB4HHH5OpsAh12HZnu2wXE1jA=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 h1:lhZdRq7TIx0GJQvSyX2Si406vrYsov2FXGp/RnSEtcs=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1/go.mod h1:8cl44BDmi+effbARHMQjgOKA2AYvcohNm7KEt42mSV8=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
@@ -95,20 +95,20 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 h1:sBEjpZlNHzK1voKq9695PJSX2o5NEXl7/OL3coiIY0c=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 h1:owcC2UnmsZycprQ5RfRgjydWhuoxg71LUfyiQdijZuM=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0/go.mod h1:ZPpqegjbE99EPKsu3iUWV22A04wzGPcAY/ziSIQEEgs=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0 h1:4LP6hvB4I5ouTbGgWtixJhgED6xdf67twf9PoY96Tbg=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0/go.mod h1:jUZ5LYlw40WMd07qxcQJD5M40aUxrfwqQX1g7zxYnrQ=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 h1:Ron4zCA/yk6U7WOBXhTJcDpsUBG9npumK6xw2auFltQ=
-github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0/go.mod h1:cSgYe11MCNYunTnRXrKiR/tHc0eoKjICUuWpNZoVCOo=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 h1:ErKg/3iS1AKcTkf3yixlZ54f9U1rljCkQyEXWUnIUxc=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0/go.mod h1:yAZHSGnqScoU556rBOVkwLze6WP5N+U11RHuWaGVxwY=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 h1:fYE9p3esPxA/C0rQ0AHhP0drtPXDRhaWiwg1DPqO7IU=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0/go.mod h1:BnBReJLvVYx2CS/UHOgVz2BXKXD9wsQPxZug20nZhd0=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.51.0 h1:OqVGm6Ei3x5+yZmSJG1Mh2NwHvpVmZ08CB5qJhT9Nuk=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.51.0/go.mod h1:SZiPHWGOOk3bl8tkevxkoiwPgsIl6CwrWcbwjfHZpdM=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 h1:6/0iUd0xrnX7qt+mLNRwg5c0PGv8wpE8K90ryANQwMI=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0/go.mod h1:otE2jQekW/PqXk1Awf5lmfokJx4uwuqcj1ab5SpGeW0=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
@@ -123,10 +123,10 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV/yY=
-github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 h1:eBMB84YGghSocM7PsjmmPffTa+1FBUeNvGvFou6V/4o=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI=
+github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
+github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 h1:OCs21ST2LrepDfD3lwlQiOqIGp6JiEUqG84GzTDoyJs=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4/go.mod h1:usURWEKSNNAcAZuzRn/9ZYPT8aZQkR7xcCtunK/LkJo=
 github.com/aws/aws-sdk-go-v2/config v1.26.3 h1:dKuc2jdp10y13dEEvPqWxqLoc0vF3Z9FC45MvuQSxOA=
 github.com/aws/aws-sdk-go-v2/config v1.26.3/go.mod h1:Bxgi+DeeswYofcYO0XyGClwlrq3DZEXli0kLf4hkGA0=
 github.com/aws/aws-sdk-go-v2/credentials v1.16.14 h1:mMDTwwYO9A0/JbOCOG7EOZHtYM+o7OfGWfu0toa23VE=
@@ -135,34 +135,34 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tC
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11 h1:I6lAa3wBWfCz/cKkOpAcumsETRkFAl70sWi8ItcMEsM=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11/go.mod h1:be1NIO30kJA23ORBLqPo1LttEM6tPNSEcjkd1eKzNW0=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21/go.mod h1:p+hz+PRAYlY3zcpJhPwXlLC4C+kqn70WIHwnzAfs6ps=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 h1:rWyie/PxDRIdhNf4DzRk0lvjVOqFJuNnO8WwaIRVxzQ=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22/go.mod h1:zd/JsJ4P7oGfUhXn1VyLqaRZwPmZwg44Jf2dS84Dm3Y=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 h1:5oE2WzJE56/mVveuDZPJESKlg/00AaS2pY2QZcnxg4M=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10/go.mod h1:FHbKWQtRBYUz4vO5WBWjzMD2by126ny5y/1EoaWoLfI=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.143.0 h1:ZAO4y7MSRqU74ZFCA+HC6Ek5fI7dsTdwJg88s72I/gE=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.143.0/go.mod h1:hIsHE0PaWAQakLCshKS7VKWMGXaqrAFp4m95s2W9E6c=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 h1:JRaIgADQS/U6uXDqlPiefP32yXTda7Kqfx+LgspooZM=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13/go.mod h1:CEuVn5WqOMilYl+tbccq8+N2ieCy0gVn3OtRb0vBNNM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 h1:c31//R3xgIJMSC8S6hEVq+38DcvUlgFY0FM6mSI5oto=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21/go.mod h1:r6+pf23ouCB718FUxaqzZdbpYFyDtehyZcmP5KL9FkA=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 h1:ZlvrNcHSFFWURB8avufQq9gFsheUgjVD9536obIknfM=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21/go.mod h1:cv3TNhVrssKR0O/xxLJVRfd2oazSnZnkUeTf6ctUwfQ=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3 h1:HwxWTbTrIHm5qY+CAEur0s/figc3qwvLWsNkF4RPToo=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10 h1:L0ai8WICYHozIKK+OtPzVJBugL7culcuM4E4JOpIEm8=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10/go.mod h1:byqfyxJBshFk0fF9YmK0M0ugIO8OWjzH2T3bPG4eGuA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10 h1:KOxnQeWy5sXyS37fdKEvAsGHOr9fa/qvwxfJurR/BzE=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10/go.mod h1:jMx5INQFYFYB3lQD9W0D8Ohgq6Wnl7NYOJ2TQndbulI=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0 h1:PJTdBMsyvra6FtED7JZtDpQrIAflYDHFoZAu/sKYkwU=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0/go.mod h1:4qXHrG1Ne3VGIMZPCB8OjH/pLFO94sKABIusjh0KWPU=
 github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 h1:dGrs+Q/WzhsiUKh82SfTVN66QzyulXuMDTV/G8ZxOac=
 github.com/aws/aws-sdk-go-v2/service/sso v1.18.6/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 h1:Yf2MIo9x+0tyv76GljxzqA3WtC5mw7NmazD2chwjxE4=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
-github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
+github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
+github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -189,8 +189,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
-github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
+github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f h1:C5bqEmzEPLsHm9Mv73lSE9e9bKV23aB1vxOsmZrkl3k=
+github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -211,6 +211,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
@@ -227,15 +229,15 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
-github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
+github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
+github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
+github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
-github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
+github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
+github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
 github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
@@ -264,8 +266,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
-github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
-github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
@@ -299,19 +301,21 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw=
-github.com/gofrs/flock v0.13.0/go.mod h1:jxeyy9R1auM5S6JYDBhDt+E2TCo7DkratH4Pgi8P+Z0=
+github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
+github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -399,12 +403,12 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAVrGgAa0f2/R35S4DJwfFaUPFQ=
-github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
+github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4=
+github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
-github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
+github.com/googleapis/gax-go/v2 v2.14.2 h1:eBLnkZ9635krYIPD+ag1USrOAI0Nr0QYF3+/3GqO0k0=
+github.com/googleapis/gax-go/v2 v2.14.2/go.mod h1:ON64QhlJkhVtSqp4v1uaK92VyZ2gmvDQsweuyLV+8+w=
 github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
 github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
@@ -420,12 +424,12 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmg
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/hanwen/go-fuse/v2 v2.9.0 h1:0AOGUkHtbOVeyGLr0tXupiid1Vg7QB7M6YUcdmVdC58=
-github.com/hanwen/go-fuse/v2 v2.9.0/go.mod h1:yE6D2PqWwm3CbYRxFXV9xUd8Md5d6NG0WBs5spCswmI=
+github.com/hanwen/go-fuse/v2 v2.8.0 h1:wV8rG7rmCz8XHSOwBZhG5YcVqcYjkzivjmbaMafPlAs=
+github.com/hanwen/go-fuse/v2 v2.8.0/go.mod h1:yE6D2PqWwm3CbYRxFXV9xUd8Md5d6NG0WBs5spCswmI=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
-github.com/hashicorp/cronexpr v1.1.3 h1:rl5IkxXN2m681EfivTlccqIryzYJSXRGRNa0xeG7NA4=
-github.com/hashicorp/cronexpr v1.1.3/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4=
+github.com/hashicorp/cronexpr v1.1.2 h1:wG/ZYIKT+RT3QkOdgYc+xsKWVRgnxJ1OJtjjy84fJ9A=
+github.com/hashicorp/cronexpr v1.1.2/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-hclog v0.14.1 h1:nQcJDQwIAGnmoUWp8ubocEX40cCml/17YkF6csQLReU=
@@ -482,20 +486,18 @@ github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXw
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
-github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
-github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
-github.com/klauspost/crc32 v1.3.0 h1:sSmTt3gUt81RP655XGZPElI0PelVTZ6YwCRnPSupoFM=
-github.com/klauspost/crc32 v1.3.0/go.mod h1:D7kQaZhnkX/Y0tstFGf8VUzv2UofNGqCjnC3zdHB0Hw=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
-github.com/klauspost/reedsolomon v1.12.6 h1:8pqE9aECQG/ZFitiUD1xK/E83zwosBAZtE3UbuZM8TQ=
-github.com/klauspost/reedsolomon v1.12.6/go.mod h1:ggJT9lc71Vu+cSOPBlxGvBN6TfAS77qB4fp8vJ05NSA=
+github.com/klauspost/reedsolomon v1.12.4 h1:5aDr3ZGoJbgu/8+j45KtUJxzYm8k08JGtB9Wx1VQ4OA=
+github.com/klauspost/reedsolomon v1.12.4/go.mod h1:d3CzOMOt0JXGIFZm1StgkyF14EYr3xneR2rNWo7NcMU=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kopia/htmluibuild v0.0.1-0.20251125011029-7f1c3f84f29d h1:U3VB/cDMsPW4zB4JRFbVRDzIpPytt889rJUKAG40NPA=
-github.com/kopia/htmluibuild v0.0.1-0.20251125011029-7f1c3f84f29d/go.mod h1:h53A5JM3t2qiwxqxusBe+PFgGcgZdS+DWCQvG5PTlto=
+github.com/kopia/htmluibuild v0.0.1-0.20250607181534-77e0f3f9f557 h1:je1C/xnmKxnaJsIgj45me5qA51TgtK9uMwTxgDw+9H0=
+github.com/kopia/htmluibuild v0.0.1-0.20250607181534-77e0f3f9f557/go.mod h1:h53A5JM3t2qiwxqxusBe+PFgGcgZdS+DWCQvG5PTlto=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -507,8 +509,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubernetes-csi/external-snapshotter/client/v8 v8.4.0 h1:bMqrb3UHgHbP+PW9VwiejfDJU1R0PpXVZNMdeH8WYKI=
-github.com/kubernetes-csi/external-snapshotter/client/v8 v8.4.0/go.mod h1:E3vdYxHj2C2q6qo8/Da4g7P+IcwqRZyy3gJBzYybV9Y=
+github.com/kubernetes-csi/external-snapshotter/client/v8 v8.2.0 h1:Q3jQ1NkFqv5o+F8dMmHd8SfEmlcwNeo1immFApntEwE=
+github.com/kubernetes-csi/external-snapshotter/client/v8 v8.2.0/go.mod h1:E3vdYxHj2C2q6qo8/Da4g7P+IcwqRZyy3gJBzYybV9Y=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
@@ -533,12 +535,12 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/minio/crc64nvme v1.1.0 h1:e/tAguZ+4cw32D+IO/8GSf5UVr9y+3eJcxZI2WOO/7Q=
-github.com/minio/crc64nvme v1.1.0/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
+github.com/minio/crc64nvme v1.0.1 h1:DHQPrYPdqK7jQG/Ls5CTBZWeex/2FMS3G5XGkycuFrY=
+github.com/minio/crc64nvme v1.0.1/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.97 h1:lqhREPyfgHTB/ciX8k2r8k0D93WaFqxbJX36UZq5occ=
-github.com/minio/minio-go/v7 v7.0.97/go.mod h1:re5VXuo0pwEtoNLsNuSr0RrLfT/MBtohwdaSmPPSRSk=
+github.com/minio/minio-go/v7 v7.0.94 h1:1ZoksIKPyaSt64AVOyaQvhDOgVC3MfZsWM6mZXRUGtM=
+github.com/minio/minio-go/v7 v7.0.94/go.mod h1:71t2CqDt3ThzESgZUlU1rBN54mksGGlkLcFgguDnnAc=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
@@ -550,8 +552,8 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
-github.com/moby/spdystream v0.5.1 h1:9sNYeYZUcci9R6/w7KDaFWEWeV4LStVG78Mpyq/Zm/Y=
-github.com/moby/spdystream v0.5.1/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
+github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
+github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -597,8 +599,8 @@ github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9 h1:1/WtZae0yGtPq+TI6+Tv1WTxkukpXeMlviSxvL7SRgk=
 github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9/go.mod h1:x3N5drFsm2uilKKuuYo6LdyD8vZAW55sH/9w+pbo1sw=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
-github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
+github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c h1:dAMKvw0MlJT1GshSTtih8C2gDs04w8dReiOGXrGLNoY=
+github.com/philhofer/fwd v1.1.3-0.20240916144458-20a13a1f6b7c/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
 github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
@@ -615,12 +617,12 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
-github.com/project-velero/kopia v0.0.0-20251230033609-d946b1e75197 h1:iGkfuELGvFCqW+zcrhf2GsOwNH1nWYBsC69IOc57KJk=
-github.com/project-velero/kopia v0.0.0-20251230033609-d946b1e75197/go.mod h1:RL4KehCNKEIDNltN7oruSa3ldwBNVPmQbwmN3Schbjc=
+github.com/project-velero/kopia v0.0.0-20250722052735-3ea24d208777 h1:T7t+u+mnF33qFTDq7bIMSMB51BEA8zkD7aU6tFQNZ6E=
+github.com/project-velero/kopia v0.0.0-20250722052735-3ea24d208777/go.mod h1:qlSnPHrsV8eEeU4l4zqEw8mJ5CUeXr7PDiJNI4r4Bus=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
-github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
-github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -628,20 +630,22 @@ github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNw
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc=
-github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
+github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
+github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
+github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
-github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -679,8 +683,8 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
-github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=
-github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=
+github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
+github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -698,8 +702,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tg123/go-htpasswd v1.2.4 h1:HgH8KKCjdmo7jjXWN9k1nefPBd7Be3tFCTjc2jPraPU=
 github.com/tg123/go-htpasswd v1.2.4/go.mod h1:EKThQok9xHkun6NBMynNv6Jmu24A33XdZzzl4Q7H1+0=
@@ -727,6 +731,8 @@ github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI=
 github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
@@ -740,26 +746,26 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
-go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
-go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/detectors/gcp v1.39.0 h1:kWRNZMsfBHZ+uHjiH4y7Etn2FK26LAGkNFw7RHv1DhE=
-go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/detectors/gcp v1.36.0 h1:F7q2tNlCaHY9nMKHR6XH9/qkp8FktLnIcy6jJNyOCQw=
+go.opentelemetry.io/contrib/detectors/gcp v1.36.0/go.mod h1:IbBN8uAIIx734PTonTPxAxnjc2pQTxWNkwfstZ+6H2k=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
-go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
-go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0 h1:rixTyDGXFxRy1xzhKrotaHy3/KXdPhlWARrCgK+eqUY=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.36.0/go.mod h1:dowW6UsM9MKbJq5JTz2AMVp3/5iW5I/TStsk8S+CfHw=
-go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
-go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
-go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
-go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
-go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
-go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
-go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
-go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
+go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
+go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o=
 go.starlark.net v0.0.0-20201006213952-227f4aabceb5/go.mod h1:f0znQkUKRrkk36XxWbGjMqQM8wGv/xHBVE2qc3B5oFU=
 go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY=
@@ -774,10 +780,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=
-go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
-go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -790,8 +794,8 @@ golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -829,8 +833,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
-golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -876,8 +880,8 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -891,8 +895,8 @@ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -904,8 +908,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -969,14 +973,14 @@ golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -986,14 +990,14 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1047,16 +1051,14 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
-golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1079,8 +1081,8 @@ google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjR
 google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU=
 google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94=
 google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8=
-google.golang.org/api v0.256.0 h1:u6Khm8+F9sxbCTYNoBHg6/Hwv0N/i+V94MvkOSor6oI=
-google.golang.org/api v0.256.0/go.mod h1:KIgPhksXADEKJlnEoRa9qAII4rXcy40vfI8HRqcU964=
+google.golang.org/api v0.241.0 h1:QKwqWQlkc6O895LchPEDUSYr22Xp3NCxpQRiWTB6avE=
+google.golang.org/api v0.241.0/go.mod h1:cOVEm2TpdAGHL2z+UwyS+kmlGr3bVWQQ6sYEqkKje50=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1132,12 +1134,12 @@ google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
-google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 h1:1tXaIXCracvtsRxSBsYDiSBN0cuJvM7QYW+MrpIRY78=
+google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2/go.mod h1:49MsLSx0oWMOZqcpB3uL8ZOkAh1+TndpJ8ONoCBWiZk=
+google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY=
+google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1159,8 +1161,8 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
-google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1174,8 +1176,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/hack/build-image/Dockerfile
+++ b/hack/build-image/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-FROM --platform=$TARGETPLATFORM golang:1.25.9-trixie
+FROM --platform=$TARGETPLATFORM golang:1.25-bookworm

 ARG GOPROXY

@@ -21,11 +21,9 @@ ENV GO111MODULE=on
 ENV GOPROXY=${GOPROXY}

 # kubebuilder test bundle is separated from kubebuilder. Need to setup it for CI test.
-# Using setup-envtest to download envtest binaries
-RUN go install sigs.k8s.io/controller-runtime/tools/setup-envtest@v0.0.0-20260305094418-8122a6266696 && \
-    mkdir -p /usr/local/kubebuilder/bin && \
-    ENVTEST_ASSETS_DIR=$(setup-envtest use 1.33.0 --bin-dir /usr/local/kubebuilder/bin -p path) && \
-    cp -r ${ENVTEST_ASSETS_DIR}/* /usr/local/kubebuilder/bin/
+RUN curl -sSLo envtest-bins.tar.gz https://go.kubebuilder.io/test-tools/1.22.1/linux/$(go env GOARCH) && \
+    mkdir /usr/local/kubebuilder && \
+    tar -C /usr/local/kubebuilder --strip-components=1 -zvxf envtest-bins.tar.gz

 RUN wget --quiet https://github.com/kubernetes-sigs/kubebuilder/releases/download/v3.2.0/kubebuilder_linux_$(go env GOARCH) && \
    mv kubebuilder_linux_$(go env GOARCH) /usr/local/kubebuilder/bin/kubebuilder && \
--- a/hack/fix_restic_cve.txt
+++ b/hack/fix_restic_cve.txt
@@ -1,27 +1,8 @@
 diff --git a/go.mod b/go.mod
-index 5f939c481..463125e37 100644
+index 5f939c481..6ae17f4a1 100644
 --- a/go.mod
 +++ b/go.mod
-@@ -1,15 +1,15 @@
- module github.com/restic/restic
- 
- require (
-	cloud.google.com/go/storage v1.28.1
-+	cloud.google.com/go/storage v1.50.0
- 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0
- 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1
- 	github.com/anacrolix/fuse v0.2.0
- 	github.com/cenkalti/backoff/v4 v4.2.0
-	github.com/cespare/xxhash/v2 v2.2.0
-+	github.com/cespare/xxhash/v2 v2.3.0
- 	github.com/elithrar/simple-scrypt v1.3.0
- 	github.com/go-ole/go-ole v1.2.6
-	github.com/google/go-cmp v0.5.9
-+	github.com/google/go-cmp v0.7.0
- 	github.com/hashicorp/golang-lru/v2 v2.0.1
- 	github.com/juju/ratelimit v1.0.2
- 	github.com/klauspost/compress v1.15.14
-@@ -24,32 +24,44 @@ require (
+@@ -24,32 +24,31 @@ require (
 	github.com/restic/chunker v0.4.0
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
@@ -33,14 +14,14 @@ index 5f939c481..463125e37 100644
 -	golang.org/x/term v0.4.0
 -	golang.org/x/text v0.6.0
 -	google.golang.org/api v0.106.0
-+	golang.org/x/crypto v0.46.0
-+	golang.org/x/net v0.48.0
-+	golang.org/x/oauth2 v0.34.0
-+	golang.org/x/sync v0.19.0
-+	golang.org/x/sys v0.42.0
-+	golang.org/x/term v0.38.0
-+	golang.org/x/text v0.32.0
-+	google.golang.org/api v0.256.0
+	golang.org/x/crypto v0.36.0
+	golang.org/x/net v0.38.0
+	golang.org/x/oauth2 v0.28.0
+	golang.org/x/sync v0.12.0
+	golang.org/x/sys v0.31.0
+	golang.org/x/term v0.30.0
+	golang.org/x/text v0.23.0
+	google.golang.org/api v0.114.0
 )
 
 require (
@@ -48,83 +29,50 @@ index 5f939c481..463125e37 100644
 -	cloud.google.com/go/compute v1.15.1 // indirect
 -	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 -	cloud.google.com/go/iam v0.10.0 // indirect
-+	cel.dev/expr v0.25.1 // indirect
-+	cloud.google.com/go v0.120.0 // indirect
-+	cloud.google.com/go/auth v0.17.0 // indirect
-+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
-+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
-+	cloud.google.com/go/iam v1.5.2 // indirect
-+	cloud.google.com/go/monitoring v1.24.2 // indirect
+	cloud.google.com/go v0.110.0 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cloud.google.com/go/iam v0.13.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2 // indirect
-+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
-+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.50.0 // indirect
-+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.50.0 // indirect
-+	github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/dnaeon/go-vcr v1.2.0 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
-+	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
-+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/felixge/fgprof v0.9.3 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+ 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 -	github.com/golang/protobuf v1.5.2 // indirect
-+	github.com/felixge/httpsnoop v1.0.4 // indirect
-+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
-+	github.com/go-logr/logr v1.4.3 // indirect
-+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b // indirect
-	github.com/google/uuid v1.3.0 // indirect
+ 	github.com/google/uuid v1.3.0 // indirect
 -	github.com/googleapis/enterprise-certificate-proxy v0.2.1 // indirect
 -	github.com/googleapis/gax-go/v2 v2.7.0 // indirect
-+	github.com/google/s2a-go v0.1.9 // indirect
-+	github.com/google/uuid v1.6.0 // indirect
-+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
-+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
+	github.com/googleapis/gax-go/v2 v2.7.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.3 // indirect
-@@ -57,17 +69,28 @@ require (
- 	github.com/minio/md5-simd v1.1.2 // indirect
- 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
- 	github.com/modern-go/reflect2 v1.0.2 // indirect
-+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
- 	github.com/rs/xid v1.4.0 // indirect
- 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
- 	github.com/sirupsen/logrus v1.9.0 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
+@@ -63,11 +62,13 @@ require (
+ 	go.opencensus.io v0.24.0 // indirect
+ 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+ 	google.golang.org/appengine v1.6.7 // indirect
 -	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
 -	google.golang.org/grpc v1.52.0 // indirect
 -	google.golang.org/protobuf v1.28.1 // indirect
-+	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
-+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-+	go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
-+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
-+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-+	go.opentelemetry.io/otel v1.43.0 // indirect
-+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
-+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
-+	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
-+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
-+	golang.org/x/time v0.14.0 // indirect
-+	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
-+	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
-+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
-+	google.golang.org/grpc v1.79.3 // indirect
-+	google.golang.org/protobuf v1.36.10 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
+	google.golang.org/grpc v1.56.3 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 -go 1.18
-+go 1.25.0
+go 1.23.0
+
+toolchain go1.23.7
 diff --git a/go.sum b/go.sum
-index 026e1d2fa..197fa71ee 100644
+index 026e1d2fa..805792055 100644
 --- a/go.sum
 +++ b/go.sum
-@@ -1,42 +1,61 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+@@ -1,23 +1,24 @@
+ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 -cloud.google.com/go v0.108.0 h1:xntQwnfn8oHGX0crLVinvHM+AhXvi3QHQIEcX/2hiWk=
 -cloud.google.com/go v0.108.0/go.mod h1:lNUfQqusBJp0bgAg6qrHgYFYbTB+dOiob1itwnlD33Q=
 -cloud.google.com/go/compute v1.15.1 h1:7UGq3QknM33pw5xATlpzeoomNxsacIVvTqTTvbfajmE=
@@ -134,30 +82,16 @@ index 026e1d2fa..197fa71ee 100644
 -cloud.google.com/go/iam v0.10.0 h1:fpP/gByFs6US1ma53v7VxhvbJpO2Aapng6wabJ99MuI=
 -cloud.google.com/go/iam v0.10.0/go.mod h1:nXAECrMt2qHpF6RZUZseteD6QyanL68reN4OXPw0UWM=
 -cloud.google.com/go/longrunning v0.3.0 h1:NjljC+FYPV3uh5/OwWT6pVU+doBqMg2x/rZlE+CamDs=
-cloud.google.com/go/storage v1.28.1 h1:F5QDG5ChchaAVQhINh24U99OWHURqrW8OmQcGKXcbgI=
-cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
-+cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
-+cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
-+cloud.google.com/go v0.120.0 h1:wc6bgG9DHyKqF5/vQvX1CiZrtHnxJjBlKUyF9nP6meA=
-+cloud.google.com/go v0.120.0/go.mod h1:/beW32s8/pGRuj4IILWQNd4uuebeT4dkOhKmkfit64Q=
-+cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4=
-+cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ=
-+cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
-+cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
-+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
-+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
-+cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8=
-+cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE=
-+cloud.google.com/go/logging v1.13.0 h1:7j0HgAp0B94o1YRDqiqm26w4q1rDMH7XNRU34lJXHYc=
-+cloud.google.com/go/logging v1.13.0/go.mod h1:36CoKh6KA/M0PbhPKMq6/qety2DCAErbhXT62TuXALA=
-+cloud.google.com/go/longrunning v0.6.7 h1:IGtfDWHhQCgCjwQjV9iiLnUta9LBCo8R9QmAFsS/PrE=
-+cloud.google.com/go/longrunning v0.6.7/go.mod h1:EAFV3IZAKmM56TyiE6VAP3VoTzhZzySwI/YI1s/nRsY=
-+cloud.google.com/go/monitoring v1.24.2 h1:5OTsoJ1dXYIiMiuL+sYscLc9BumrL3CarVLL7dd7lHM=
-+cloud.google.com/go/monitoring v1.24.2/go.mod h1:x7yzPWcgDRnPEv3sI+jJGBkwl5qINf+6qY4eq0I9B4U=
-+cloud.google.com/go/storage v1.50.0 h1:3TbVkzTooBvnZsk7WaAQfOsNrdoM8QHusXA1cpk6QJs=
-+cloud.google.com/go/storage v1.50.0/go.mod h1:l7XeiD//vx5lfqE3RavfmU9yvk5Pp0Zhcv482poyafY=
-+cloud.google.com/go/trace v1.11.6 h1:2O2zjPzqPYAHrn3OKl029qlqG6W8ZdYaOWRyr8NgMT4=
-+cloud.google.com/go/trace v1.11.6/go.mod h1:GA855OeDEBiBMzcckLPE2kDunIpC72N+Pq8WFieFjnI=
+cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
+cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k=
+cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
+cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM=
+cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo=
+ cloud.google.com/go/storage v1.28.1 h1:F5QDG5ChchaAVQhINh24U99OWHURqrW8OmQcGKXcbgI=
+ cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0 h1:VuHAcMq8pU1IWNT/m5yRaGqbK0BiQKHT8X4DTp9CHdI=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0/go.mod h1:tZoQYdDZNOiIjdSn0dVWVfl0NEPGOJqVLzSrcFk4Is0=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8=
@@ -167,138 +101,54 @@ index 026e1d2fa..197fa71ee 100644
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1 h1:BMTdr+ib5ljLa9MxTJK8x/Ds0MbBb4MfuW5BL0zMJnI=
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1/go.mod h1:c6WvOhtmjNUWbLfOG1qxM/q0SPvQNSVJvolm+C52dIU=
 github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 h1:BWe8a+f/t+7KY7zH2mqygeUD0t8hNFXe08p1Pb3/jKE=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 +github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
-+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 h1:sBEjpZlNHzK1voKq9695PJSX2o5NEXl7/OL3coiIY0c=
-+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
-+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.50.0 h1:5IT7xOdq17MtcdtL/vtl6mGfzhaq4m4vpollPRmlsBQ=
-+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.50.0/go.mod h1:ZV4VOm0/eHR06JLrXWe09068dHpr3TRpY9Uo7T+anuA=
-+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.50.0 h1:nNMpRpnkWDAaqcpxMJvxa/Ud98gjbYwayJY4/9bdjiU=
-+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.50.0/go.mod h1:SZiPHWGOOk3bl8tkevxkoiwPgsIl6CwrWcbwjfHZpdM=
-+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.50.0 h1:ig/FpDD2JofP/NExKQUbn7uOSZzJAQqogfqluZK4ed4=
-+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.50.0/go.mod h1:otE2jQekW/PqXk1Awf5lmfokJx4uwuqcj1ab5SpGeW0=
+ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Julusian/godocdown v0.0.0-20170816220326-6d19f8ff2df8/go.mod h1:INZr5t32rG59/5xeltqoCJoNY7e5x/3xoY9WSWVWg74=
 github.com/anacrolix/fuse v0.2.0 h1:pc+To78kI2d/WUjIyrsdqeJQAesuwpGxlI3h1nAv3Do=
- github.com/anacrolix/fuse v0.2.0/go.mod h1:Kfu02xBwnySDpH3N23BmrP3MDfwAQGRLUCj6XyeOvBQ=
- github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
- github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
- github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
- github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
- github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
-+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
- github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
- github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
- github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
- github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
-+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
- github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
- github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
- github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
-@@ -45,54 +64,47 @@ github.com/dvyukov/go-fuzz v0.0.0-20200318091601-be3528f3a813/go.mod h1:11Gm+ccJ
- github.com/elazarl/go-bindata-assetfs v1.0.0/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
- github.com/elithrar/simple-scrypt v1.3.0 h1:KIlOlxdoQf9JWKl5lMAJ28SY2URB0XTRDn2TckyzAZg=
- github.com/elithrar/simple-scrypt v1.3.0/go.mod h1:U2XQRI95XHY0St410VE3UjT7vuKb1qPwrl/EJwEqnZo=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-+github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
-+github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
-+github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
-+github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
-+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
-+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
-+github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
-+github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
- github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
- github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
-+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
-+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
-+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+@@ -54,6 +55,7 @@ github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNu
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+ github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+@@ -70,8 +72,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
+ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+ github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+@@ -82,17 +84,18 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
+ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 -github.com/google/martian/v3 v3.2.1 h1:d8MncMlErDFTwQGBK1xhv026j9kqhvw1Qv9IbWT1VLQ=
-+github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=
-+github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0=
+github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw=
+github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b h1:8htHrh2bw9c7Idkb7YNac+ZpTqLMjRpI+FWu51ltaQc=
 github.com/google/pprof v0.0.0-20230111200839-76d1ae5aea2b/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+ github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 -github.com/googleapis/enterprise-certificate-proxy v0.2.1 h1:RY7tHKZcRlk788d5WSo/e83gOyyy742E8GSs771ySpg=
 -github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 -github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ=
 -github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
-+github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
-+github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
-+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-+github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAVrGgAa0f2/R35S4DJwfFaUPFQ=
-+github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
-+github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
-+github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
+github.com/googleapis/gax-go/v2 v2.7.1 h1:gF4c0zjUP2H/s/hEGyLA3I0fA2ZWjzYiONAD6cvPr8A=
+github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
 github.com/hashicorp/golang-lru/v2 v2.0.1 h1:5pv5N1lT1fjLg2VQ5KWc7kmucp2x/kvFOnxuVTqZ6x4=
 github.com/hashicorp/golang-lru/v2 v2.0.1/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
-@@ -111,9 +123,14 @@ github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y7
- github.com/klauspost/cpuid/v2 v2.2.3/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
- github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
- github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
-+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+@@ -114,6 +117,7 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kurin/blazer v0.5.4-0.20211030221322-ba894c124ac6 h1:nz7i1au+nDzgExfqW5Zl6q85XNTvYoGnM5DHiQC0yYs=
 github.com/kurin/blazer v0.5.4-0.20211030221322-ba894c124ac6/go.mod h1:4FCXMUWo9DllR2Do4TtBd377ezyAJ51vB5uTBjt0pGU=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
@@ -306,7 +156,7 @@ index 026e1d2fa..197fa71ee 100644
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
 github.com/minio/minio-go/v7 v7.0.46 h1:Vo3tNmNXuj7ME5qrvN4iadO7b4mzu/RSFdUkUhaPldk=
-@@ -129,6 +146,7 @@ github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3P
+@@ -129,6 +133,7 @@ github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3P
 github.com/ncw/swift/v2 v2.0.1 h1:q1IN8hNViXEv8Zvg3Xdis4a3c4IlIGezkYz09zQL5J0=
 github.com/ncw/swift/v2 v2.0.1/go.mod h1:z0A9RVdYPjNjXVo2pDOPxZ4eu3oarO1P91fTItcb+Kg=
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI=
@@ -314,201 +164,106 @@ index 026e1d2fa..197fa71ee 100644
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
-@@ -137,12 +155,16 @@ github.com/pkg/sftp v1.13.5 h1:a3RLUqkyjYRtBTZJZ1VRrKbN3zhuPLlUc3sphVz81go=
- github.com/pkg/sftp v1.13.5/go.mod h1:wHDZ0IZX6JcBYRK1TH9bcVq8G7TLpVHYIGJRFnmPfxg=
- github.com/pkg/xattr v0.4.10-0.20221120235825-35026bbbd013 h1:aqByeeNnF7NiEbXCi7nBxZ272+6f6FUBmj/dUzWCdvc=
- github.com/pkg/xattr v0.4.10-0.20221120235825-35026bbbd013/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
-+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
- github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
-+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
- github.com/restic/chunker v0.4.0 h1:YUPYCUn70MYP7VO4yllypp2SjmsRhRJaad3xKu1QFRw=
- github.com/restic/chunker v0.4.0/go.mod h1:z0cH2BejpW636LXw0R/BGyv+Ey8+m9QGiOanDHItzyw=
- github.com/robertkrimen/godocdown v0.0.0-20130622164427-0bfa04905481/go.mod h1:C9WhFzY47SzYBIvzFqSvHIR6ROgDo4TtdTuRaOMjF/s=
-+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
-+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
- github.com/rs/xid v1.4.0 h1:qd7wPTDkN6KQx2VmMBLrpHkiyQwgFXRnkOLacUiaSNY=
- github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
- github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
-@@ -153,59 +175,62 @@ github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
- github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
- github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
- github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-+github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=
-+github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=
- github.com/stephens2424/writerset v1.0.2/go.mod h1:aS2JhsMn6eA7e82oNmW4rfsgAOp9COBTTl8mzkwADnc=
- github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
- github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
- github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
- github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
- github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
- github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
- github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c h1:u6SKchux2yDvFQnDHS3lPnIRmfVJ5Sxy3ao2SIdysLQ=
- github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM=
- github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
-go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
-+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-+go.opentelemetry.io/contrib/detectors/gcp v1.39.0 h1:kWRNZMsfBHZ+uHjiH4y7Etn2FK26LAGkNFw7RHv1DhE=
-+go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk=
-+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
-+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
-+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
-+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
-+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
-+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
-+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc=
-+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I=
-+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
-+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
-+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
-+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
-+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
-+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
-+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
-+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
- golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+@@ -172,8 +177,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 -golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
 -golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
- golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
- golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
- golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+ golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+@@ -189,17 +194,17 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 -golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
 -golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 -golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M=
 -golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
-+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 -golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
- golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
- golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
- golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
- golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
- golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-@@ -214,68 +239,45 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
+@@ -214,17 +219,17 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 -golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
 -golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 -golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
 -golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
-+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 -golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
 -golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
-+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
- golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
- golang.org/x/tools v0.0.0-20200423201157-2723c5de0d66/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
- golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
- golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+ golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+@@ -237,8 +242,8 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
-golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+ golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
+ golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 -google.golang.org/api v0.106.0 h1:ffmW0faWCwKkpbbtvlY/K/8fUl+JKvNS5CVzRoyfCv8=
 -google.golang.org/api v0.106.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/api v0.114.0 h1:1xQPji6cO2E2vLiI+C/XiFAnsn1WV3mjaEwGLhi3grE=
+google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
+ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+ google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+@@ -246,15 +251,15 @@ google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID
+ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 -google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w=
 -google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
+ google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+ google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+ google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
 -google.golang.org/grpc v1.52.0 h1:kd48UiU7EHsV4rnLyOJRuP/Il/UHE7gdDAQ+SZI7nZk=
 -google.golang.org/grpc v1.52.0/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc=
+google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
+ google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+ google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+@@ -266,14 +271,15 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
+ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 -google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 -google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
-+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
-+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-+google.golang.org/api v0.256.0 h1:u6Khm8+F9sxbCTYNoBHg6/Hwv0N/i+V94MvkOSor6oI=
-+google.golang.org/api v0.256.0/go.mod h1:KIgPhksXADEKJlnEoRa9qAII4rXcy40vfI8HRqcU964=
-+google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
-+google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
-+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
-+google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
-+google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
-+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
-+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -517,5 +272,3 @@ index 026e1d2fa..197fa71ee 100644
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/hack/release-tools/goreleaser.sh
+++ b/hack/release-tools/goreleaser.sh
@@ -51,13 +51,11 @@ if [[ "${PUBLISH:-}" != "TRUE" ]]; then
    echo "Not set to publish"
    goreleaser release \
        --clean \
-        --parallelism 2 \
        --release-notes="${RELEASE_NOTES_FILE}" \
        --snapshot # Generate an unversioned snapshot release, skipping all validations and without publishing any artifacts (implies --skip-publish, --skip-announce and --skip-validate)
 else
    echo "Getting ready to publish"
    goreleaser release \
        --clean \
-        --parallelism 2 \
        --release-notes="${RELEASE_NOTES_FILE}"
 fi
--- a/hack/release-tools/tag-release.sh
+++ b/hack/release-tools/tag-release.sh
@@ -24,7 +24,7 @@

 # The following variables are needed:

-# - $VELERO_VERSION: defines the tag of Velero that any https://github.com/velero-io/velero/...
+# - $VELERO_VERSION: defines the tag of Velero that any https://github.com/vmware-tanzu/velero/...
 #   links in the docs should redirect to.
 # - $REMOTE: defines the remote that should be used when pushing tags and branches. Defaults to "upstream"
 # - $publish: TRUE/FALSE value where FALSE (or not including it) will indicate a dry-run, and TRUE, or simply adding 'publish',
--- a/internal/delete/actions/csi/volumesnapshotcontent_action.go
+++ b/internal/delete/actions/csi/volumesnapshotcontent_action.go
@@ -27,8 +27,10 @@ import (
 	corev1api "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"

+	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	"github.com/vmware-tanzu/velero/pkg/client"
 	plugincommon "github.com/vmware-tanzu/velero/pkg/plugin/framework/common"
 	"github.com/vmware-tanzu/velero/pkg/plugin/velero"
@@ -42,10 +44,6 @@ type volumeSnapshotContentDeleteItemAction struct {
 	crClient crclient.Client
 }

-const tempVSCCreateDeleteGap = 2 * time.Second
-
-var sleepBetweenTempVSCCreateAndDelete = time.Sleep
-
 // AppliesTo returns information indicating
 // VolumeSnapshotContentRestoreItemAction action should be invoked
 // while restoring VolumeSnapshotContent.snapshot.storage.k8s.io resources
@@ -117,11 +115,31 @@ func (p *volumeSnapshotContentDeleteItemAction) Execute(
 		return errors.Wrapf(err, "fail to create VolumeSnapshotContent %s", snapCont.Name)
 	}

-	// Add a small delay before delete to avoid create/delete race conditions in CSI controllers.
-	sleepBetweenTempVSCCreateAndDelete(tempVSCCreateDeleteGap)
+	// Read resource timeout from backup annotation, if not set, use default value.
+	timeout, err := time.ParseDuration(
+		input.Backup.Annotations[velerov1api.ResourceTimeoutAnnotation])
+	if err != nil {
+		p.log.Warnf("fail to parse resource timeout annotation %s: %s",
+			input.Backup.Annotations[velerov1api.ResourceTimeoutAnnotation], err.Error())
+		timeout = 10 * time.Minute
+	}
+	p.log.Debugf("resource timeout is set to %s", timeout.String())
+
+	interval := 5 * time.Second
+
+	// Wait until VSC created and ReadyToUse is true.
+	if err := wait.PollUntilContextTimeout(
+		context.Background(),
+		interval,
+		timeout,
+		true,
+		func(ctx context.Context) (bool, error) {
+			return checkVSCReadiness(ctx, &snapCont, p.crClient)
+		},
+	); err != nil {
+		return errors.Wrapf(err, "fail to wait VolumeSnapshotContent %s becomes ready.", snapCont.Name)
+	}

-	// Delete the temp VSC immediately to trigger cloud snapshot removal.
-	// The CSI driver will handle the actual cloud snapshot deletion.
 	if err := p.crClient.Delete(
 		context.TODO(),
 		&snapCont,
@@ -149,13 +167,6 @@ var checkVSCReadiness = func(
 		return true, nil
 	}

-	// Fail fast on permanent CSI driver errors (e.g., InvalidSnapshot.NotFound)
-	if tmpVSC.Status != nil && tmpVSC.Status.Error != nil && tmpVSC.Status.Error.Message != nil {
-		return false, errors.Errorf(
-			"VolumeSnapshotContent %s has error: %s", vsc.Name, *tmpVSC.Status.Error.Message,
-		)
-	}
-
 	return false, nil
 }

--- a/internal/delete/actions/csi/volumesnapshotcontent_action_test.go
+++ b/internal/delete/actions/csi/volumesnapshotcontent_action_test.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"fmt"
 	"testing"
-	"time"

 	snapshotv1api "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumesnapshot/v1"
 	"github.com/pkg/errors"
@@ -38,50 +37,6 @@ import (
 	velerotest "github.com/vmware-tanzu/velero/pkg/test"
 )

-// fakeClientWithErrors wraps a real client and injects errors for specific operations.
-type fakeClientWithErrors struct {
-	crclient.Client
-	getError    error
-	patchError  error
-	deleteError error
-}
-
-type fakeClientWithCallTracking struct {
-	crclient.Client
-	events *[]string
-}
-
-func (c *fakeClientWithCallTracking) Create(ctx context.Context, obj crclient.Object, opts ...crclient.CreateOption) error {
-	*c.events = append(*c.events, "create")
-	return c.Client.Create(ctx, obj, opts...)
-}
-
-func (c *fakeClientWithCallTracking) Delete(ctx context.Context, obj crclient.Object, opts ...crclient.DeleteOption) error {
-	*c.events = append(*c.events, "delete")
-	return c.Client.Delete(ctx, obj, opts...)
-}
-
-func (c *fakeClientWithErrors) Get(ctx context.Context, key crclient.ObjectKey, obj crclient.Object, opts ...crclient.GetOption) error {
-	if c.getError != nil {
-		return c.getError
-	}
-	return c.Client.Get(ctx, key, obj, opts...)
-}
-
-func (c *fakeClientWithErrors) Patch(ctx context.Context, obj crclient.Object, patch crclient.Patch, opts ...crclient.PatchOption) error {
-	if c.patchError != nil {
-		return c.patchError
-	}
-	return c.Client.Patch(ctx, obj, patch, opts...)
-}
-
-func (c *fakeClientWithErrors) Delete(ctx context.Context, obj crclient.Object, opts ...crclient.DeleteOption) error {
-	if c.deleteError != nil {
-		return c.deleteError
-	}
-	return c.Client.Delete(ctx, obj, opts...)
-}
-
 func TestVSCExecute(t *testing.T) {
 	snapshotHandleStr := "test"
 	tests := []struct {
@@ -139,19 +94,6 @@ func TestVSCExecute(t *testing.T) {
 				return false, errors.Errorf("test error case")
 			},
 		},
-		{
-			name:      "Error case with CSI error, dangling VSC should be cleaned up",
-			vsc:       builder.ForVolumeSnapshotContent("bar").ObjectMeta(builder.WithLabelsMap(map[string]string{velerov1api.BackupNameLabel: "backup"})).Status(&snapshotv1api.VolumeSnapshotContentStatus{SnapshotHandle: &snapshotHandleStr}).Result(),
-			backup:    builder.ForBackup("velero", "backup").ObjectMeta(builder.WithAnnotationsMap(map[string]string{velerov1api.ResourceTimeoutAnnotation: "5s"})).Result(),
-			expectErr: true,
-			function: func(
-				ctx context.Context,
-				vsc *snapshotv1api.VolumeSnapshotContent,
-				client crclient.Client,
-			) (bool, error) {
-				return false, errors.Errorf("VolumeSnapshotContent %s has error: InvalidSnapshot.NotFound", vsc.Name)
-			},
-		},
 	}

 	for _, test := range tests {
@@ -248,24 +190,6 @@ func TestCheckVSCReadiness(t *testing.T) {
 			expectErr: false,
 			ready:     false,
 		},
-		{
-			name: "VSC has error from CSI driver",
-			vsc: &snapshotv1api.VolumeSnapshotContent{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "vsc-1",
-					Namespace: "velero",
-				},
-				Status: &snapshotv1api.VolumeSnapshotContentStatus{
-					ReadyToUse: boolPtr(false),
-					Error: &snapshotv1api.VolumeSnapshotError{
-						Message: stringPtr("InvalidSnapshot.NotFound: The snapshot 'snap-0abc123' does not exist."),
-					},
-				},
-			},
-			createVSC: true,
-			expectErr: true,
-			ready:     false,
-		},
 	}

 	for _, test := range tests {
@@ -283,44 +207,3 @@ func TestCheckVSCReadiness(t *testing.T) {
 		})
 	}
 }
-
-func TestVSCExecute_CreateSleepDeleteOrder(t *testing.T) {
-	snapshotHandleStr := "test"
-	vsc := builder.ForVolumeSnapshotContent("bar").
-		ObjectMeta(builder.WithLabelsMap(map[string]string{velerov1api.BackupNameLabel: "backup"})).
-		Status(&snapshotv1api.VolumeSnapshotContentStatus{SnapshotHandle: &snapshotHandleStr}).
-		Result()
-
-	vscMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(vsc)
-	require.NoError(t, err)
-
-	events := make([]string, 0, 3)
-	realClient := velerotest.NewFakeControllerRuntimeClient(t)
-	trackingClient := &fakeClientWithCallTracking{Client: realClient, events: &events}
-
-	originalSleep := sleepBetweenTempVSCCreateAndDelete
-	t.Cleanup(func() {
-		sleepBetweenTempVSCCreateAndDelete = originalSleep
-	})
-
-	sleepBetweenTempVSCCreateAndDelete = func(d time.Duration) {
-		require.Equal(t, tempVSCCreateDeleteGap, d)
-		events = append(events, "sleep")
-	}
-
-	p := volumeSnapshotContentDeleteItemAction{log: logrus.StandardLogger(), crClient: trackingClient}
-	err = p.Execute(&velero.DeleteItemActionExecuteInput{
-		Item:   &unstructured.Unstructured{Object: vscMap},
-		Backup: builder.ForBackup("velero", "backup").Result(),
-	})
-	require.NoError(t, err)
-	require.Equal(t, []string{"create", "sleep", "delete"}, events)
-}
-
-func boolPtr(b bool) *bool {
-	return &b
-}
-
-func stringPtr(s string) *string {
-	return &s
-}
--- a/internal/hook/wait_exec_hook_handler.go
+++ b/internal/hook/wait_exec_hook_handler.go
@@ -169,7 +169,7 @@ func (e *DefaultWaitExecHookHandler) HandleHooks(
 					hookLog.Error(err)
 					errors = append(errors, err)

-					errTracker := multiHookTracker.Record(restoreName, newPod.Namespace, newPod.Name, hook.Hook.Container, hook.HookSource, hook.HookName, HookPhase(""), hook.hookIndex, true, err)
+					errTracker := multiHookTracker.Record(restoreName, newPod.Namespace, newPod.Name, hook.Hook.Container, hook.HookSource, hook.HookName, HookPhase(""), i, true, err)
 					if errTracker != nil {
 						hookLog.WithError(errTracker).Warn("Error recording the hook in hook tracker")
 					}
@@ -195,7 +195,7 @@ func (e *DefaultWaitExecHookHandler) HandleHooks(
 					hookFailed = true
 				}

-				errTracker := multiHookTracker.Record(restoreName, newPod.Namespace, newPod.Name, hook.Hook.Container, hook.HookSource, hook.HookName, HookPhase(""), hook.hookIndex, hookFailed, hookErr)
+				errTracker := multiHookTracker.Record(restoreName, newPod.Namespace, newPod.Name, hook.Hook.Container, hook.HookSource, hook.HookName, HookPhase(""), i, hookFailed, hookErr)
 				if errTracker != nil {
 					hookLog.WithError(errTracker).Warn("Error recording the hook in hook tracker")
 				}
@@ -239,7 +239,7 @@ func (e *DefaultWaitExecHookHandler) HandleHooks(
 	// containers to become ready.
 	// Each unexecuted hook is logged as an error and this error will be returned from this function.
 	for _, hooks := range byContainer {
-		for _, hook := range hooks {
+		for i, hook := range hooks {
 			if hook.executed {
 				continue
 			}
@@ -252,7 +252,7 @@ func (e *DefaultWaitExecHookHandler) HandleHooks(
 				},
 			)

-			errTracker := multiHookTracker.Record(restoreName, pod.Namespace, pod.Name, hook.Hook.Container, hook.HookSource, hook.HookName, HookPhase(""), hook.hookIndex, true, err)
+			errTracker := multiHookTracker.Record(restoreName, pod.Namespace, pod.Name, hook.Hook.Container, hook.HookSource, hook.HookName, HookPhase(""), i, true, err)
 			if errTracker != nil {
 				hookLog.WithError(errTracker).Warn("Error recording the hook in hook tracker")
 			}
--- a/internal/hook/wait_exec_hook_handler_test.go
+++ b/internal/hook/wait_exec_hook_handler_test.go
@@ -706,130 +706,6 @@ func TestWaitExecHandleHooks(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "Multiple hooks with non-sequential indices (bug #9359)",
-			initialPod: builder.ForPod("default", "my-pod").
-				Containers(&corev1api.Container{
-					Name: "container1",
-				}).
-				ContainerStatuses(&corev1api.ContainerStatus{
-					Name: "container1",
-					State: corev1api.ContainerState{
-						Running: &corev1api.ContainerStateRunning{},
-					},
-				}).
-				Result(),
-			groupResource: "pods",
-			byContainer: map[string][]PodExecRestoreHook{
-				"container1": {
-					{
-						HookName:   "first-hook",
-						HookSource: HookSourceAnnotation,
-						Hook: velerov1api.ExecRestoreHook{
-							Container:   "container1",
-							Command:     []string{"/usr/bin/foo"},
-							OnError:     velerov1api.HookErrorModeContinue,
-							ExecTimeout: metav1.Duration{Duration: time.Second},
-							WaitTimeout: metav1.Duration{Duration: time.Minute},
-						},
-						hookIndex: 0,
-					},
-					{
-						HookName:   "second-hook",
-						HookSource: HookSourceAnnotation,
-						Hook: velerov1api.ExecRestoreHook{
-							Container:   "container1",
-							Command:     []string{"/usr/bin/bar"},
-							OnError:     velerov1api.HookErrorModeContinue,
-							ExecTimeout: metav1.Duration{Duration: time.Second},
-							WaitTimeout: metav1.Duration{Duration: time.Minute},
-						},
-						hookIndex: 2,
-					},
-					{
-						HookName:   "third-hook",
-						HookSource: HookSourceAnnotation,
-						Hook: velerov1api.ExecRestoreHook{
-							Container:   "container1",
-							Command:     []string{"/usr/bin/third"},
-							OnError:     velerov1api.HookErrorModeContinue,
-							ExecTimeout: metav1.Duration{Duration: time.Second},
-							WaitTimeout: metav1.Duration{Duration: time.Minute},
-						},
-						hookIndex: 4,
-					},
-				},
-			},
-			expectedExecutions: []expectedExecution{
-				{
-					name: "first-hook",
-					hook: &velerov1api.ExecHook{
-						Container: "container1",
-						Command:   []string{"/usr/bin/foo"},
-						OnError:   velerov1api.HookErrorModeContinue,
-						Timeout:   metav1.Duration{Duration: time.Second},
-					},
-					error: nil,
-					pod: builder.ForPod("default", "my-pod").
-						ObjectMeta(builder.WithResourceVersion("1")).
-						Containers(&corev1api.Container{
-							Name: "container1",
-						}).
-						ContainerStatuses(&corev1api.ContainerStatus{
-							Name: "container1",
-							State: corev1api.ContainerState{
-								Running: &corev1api.ContainerStateRunning{},
-							},
-						}).
-						Result(),
-				},
-				{
-					name: "second-hook",
-					hook: &velerov1api.ExecHook{
-						Container: "container1",
-						Command:   []string{"/usr/bin/bar"},
-						OnError:   velerov1api.HookErrorModeContinue,
-						Timeout:   metav1.Duration{Duration: time.Second},
-					},
-					error: nil,
-					pod: builder.ForPod("default", "my-pod").
-						ObjectMeta(builder.WithResourceVersion("1")).
-						Containers(&corev1api.Container{
-							Name: "container1",
-						}).
-						ContainerStatuses(&corev1api.ContainerStatus{
-							Name: "container1",
-							State: corev1api.ContainerState{
-								Running: &corev1api.ContainerStateRunning{},
-							},
-						}).
-						Result(),
-				},
-				{
-					name: "third-hook",
-					hook: &velerov1api.ExecHook{
-						Container: "container1",
-						Command:   []string{"/usr/bin/third"},
-						OnError:   velerov1api.HookErrorModeContinue,
-						Timeout:   metav1.Duration{Duration: time.Second},
-					},
-					error: nil,
-					pod: builder.ForPod("default", "my-pod").
-						ObjectMeta(builder.WithResourceVersion("1")).
-						Containers(&corev1api.Container{
-							Name: "container1",
-						}).
-						ContainerStatuses(&corev1api.ContainerStatus{
-							Name: "container1",
-							State: corev1api.ContainerState{
-								Running: &corev1api.ContainerStateRunning{},
-							},
-						}).
-						Result(),
-				},
-			},
-			expectedErrors: nil,
-		},
 	}

 	for _, test := range tests {
--- a/internal/resourcepolicies/resource_policies.go
+++ b/internal/resourcepolicies/resource_policies.go
@@ -42,8 +42,6 @@ const (
 	FSBackup VolumeActionType = "fs-backup"
 	// snapshot action can have 3 different meaning based on velero configuration and backup spec - cloud provider based snapshots, local csi snapshots and datamover snapshots
 	Snapshot VolumeActionType = "snapshot"
-	// custom action is used to identify a volume that will be handled by an external plugin. Velero will not snapshot or use fs-backup if action=="custom"
-	Custom VolumeActionType = "custom"
 )

 // Action defined as one action for a specific way of backup
@@ -148,9 +146,6 @@ func (p *Policies) BuildPolicy(resPolicies *ResourcePolicies) error {
 		if len(con.PVCLabels) > 0 {
 			volP.conditions = append(volP.conditions, &pvcLabelsCondition{labels: con.PVCLabels})
 		}
-		if len(con.PVCPhase) > 0 {
-			volP.conditions = append(volP.conditions, &pvcPhaseCondition{phases: con.PVCPhase})
-		}
 		p.volumePolicies = append(p.volumePolicies, volP)
 	}

@@ -196,9 +191,6 @@ func (p *Policies) GetMatchAction(res any) (*Action, error) {
 		if data.PVC != nil {
 			volume.parsePVC(data.PVC)
 		}
-	case data.PVC != nil:
-		// Handle PVC-only scenarios (e.g., unbound PVCs)
-		volume.parsePVC(data.PVC)
 	default:
 		return nil, errors.New("failed to convert object")
 	}
--- a/internal/resourcepolicies/resource_policies_test.go
+++ b/internal/resourcepolicies/resource_policies_test.go
@@ -983,69 +983,6 @@ volumePolicies:
 			},
 			skip: false,
 		},
-		{
-			name: "PVC phase matching - Pending phase should skip",
-			yamlData: `version: v1
-volumePolicies:
- conditions:
-   pvcPhase: ["Pending"]
-  action:
-    type: skip`,
-			vol:    nil,
-			podVol: nil,
-			pvc: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "default",
-					Name:      "pvc-pending",
-				},
-				Status: corev1api.PersistentVolumeClaimStatus{
-					Phase: corev1api.ClaimPending,
-				},
-			},
-			skip: true,
-		},
-		{
-			name: "PVC phase matching - Bound phase should not skip",
-			yamlData: `version: v1
-volumePolicies:
- conditions:
-   pvcPhase: ["Pending"]
-  action:
-    type: skip`,
-			vol:    nil,
-			podVol: nil,
-			pvc: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "default",
-					Name:      "pvc-bound",
-				},
-				Status: corev1api.PersistentVolumeClaimStatus{
-					Phase: corev1api.ClaimBound,
-				},
-			},
-			skip: false,
-		},
-		{
-			name: "PVC phase matching - Multiple phases (Pending, Lost)",
-			yamlData: `version: v1
-volumePolicies:
- conditions:
-   pvcPhase: ["Pending", "Lost"]
-  action:
-    type: skip`,
-			vol:    nil,
-			podVol: nil,
-			pvc: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "default",
-					Name:      "pvc-lost",
-				},
-				Status: corev1api.PersistentVolumeClaimStatus{
-					Phase: corev1api.ClaimLost,
-				},
-			},
-			skip: true,
-		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
@@ -1122,53 +1059,32 @@ func TestParsePVC(t *testing.T) {
 		name           string
 		pvc            *corev1api.PersistentVolumeClaim
 		expectedLabels map[string]string
-		expectedPhase  string
 		expectErr      bool
 	}{
 		{
-			name: "valid PVC with labels and Pending phase",
+			name: "valid PVC with labels",
 			pvc: &corev1api.PersistentVolumeClaim{
 				ObjectMeta: metav1.ObjectMeta{
 					Labels: map[string]string{"env": "prod"},
 				},
-				Status: corev1api.PersistentVolumeClaimStatus{
-					Phase: corev1api.ClaimPending,
-				},
 			},
 			expectedLabels: map[string]string{"env": "prod"},
-			expectedPhase:  "Pending",
 			expectErr:      false,
 		},
 		{
-			name: "valid PVC with Bound phase",
+			name: "valid PVC with empty labels",
 			pvc: &corev1api.PersistentVolumeClaim{
 				ObjectMeta: metav1.ObjectMeta{
 					Labels: map[string]string{},
 				},
-				Status: corev1api.PersistentVolumeClaimStatus{
-					Phase: corev1api.ClaimBound,
-				},
 			},
 			expectedLabels: nil,
-			expectedPhase:  "Bound",
-			expectErr:      false,
-		},
-		{
-			name: "valid PVC with Lost phase",
-			pvc: &corev1api.PersistentVolumeClaim{
-				Status: corev1api.PersistentVolumeClaimStatus{
-					Phase: corev1api.ClaimLost,
-				},
-			},
-			expectedLabels: nil,
-			expectedPhase:  "Lost",
 			expectErr:      false,
 		},
 		{
 			name:           "nil PVC pointer",
 			pvc:            (*corev1api.PersistentVolumeClaim)(nil),
 			expectedLabels: nil,
-			expectedPhase:  "",
 			expectErr:      false,
 		},
 	}
@@ -1179,66 +1095,6 @@ func TestParsePVC(t *testing.T) {
 			s.parsePVC(tc.pvc)

 			assert.Equal(t, tc.expectedLabels, s.pvcLabels)
-			assert.Equal(t, tc.expectedPhase, s.pvcPhase)
-		})
-	}
-}
-
-func TestPVCPhaseMatch(t *testing.T) {
-	tests := []struct {
-		name          string
-		condition     *pvcPhaseCondition
-		volume        *structuredVolume
-		expectedMatch bool
-	}{
-		{
-			name:          "match Pending phase",
-			condition:     &pvcPhaseCondition{phases: []string{"Pending"}},
-			volume:        &structuredVolume{pvcPhase: "Pending"},
-			expectedMatch: true,
-		},
-		{
-			name:          "match multiple phases - Pending matches",
-			condition:     &pvcPhaseCondition{phases: []string{"Pending", "Bound"}},
-			volume:        &structuredVolume{pvcPhase: "Pending"},
-			expectedMatch: true,
-		},
-		{
-			name:          "match multiple phases - Bound matches",
-			condition:     &pvcPhaseCondition{phases: []string{"Pending", "Bound"}},
-			volume:        &structuredVolume{pvcPhase: "Bound"},
-			expectedMatch: true,
-		},
-		{
-			name:          "no match for different phase",
-			condition:     &pvcPhaseCondition{phases: []string{"Pending"}},
-			volume:        &structuredVolume{pvcPhase: "Bound"},
-			expectedMatch: false,
-		},
-		{
-			name:          "no match for empty phase",
-			condition:     &pvcPhaseCondition{phases: []string{"Pending"}},
-			volume:        &structuredVolume{pvcPhase: ""},
-			expectedMatch: false,
-		},
-		{
-			name:          "match with empty phases list (always match)",
-			condition:     &pvcPhaseCondition{phases: []string{}},
-			volume:        &structuredVolume{pvcPhase: "Pending"},
-			expectedMatch: true,
-		},
-		{
-			name:          "match with nil phases list (always match)",
-			condition:     &pvcPhaseCondition{phases: nil},
-			volume:        &structuredVolume{pvcPhase: "Pending"},
-			expectedMatch: true,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			result := tc.condition.match(tc.volume)
-			assert.Equal(t, tc.expectedMatch, result)
 		})
 	}
 }
--- a/internal/resourcepolicies/volume_resources.go
+++ b/internal/resourcepolicies/volume_resources.go
@@ -51,7 +51,6 @@ type structuredVolume struct {
 	csi          *csiVolumeSource
 	volumeType   SupportedVolume
 	pvcLabels    map[string]string
-	pvcPhase     string
 }

 func (s *structuredVolume) parsePV(pv *corev1api.PersistentVolume) {
@@ -71,11 +70,8 @@ func (s *structuredVolume) parsePV(pv *corev1api.PersistentVolume) {
 }

 func (s *structuredVolume) parsePVC(pvc *corev1api.PersistentVolumeClaim) {
-	if pvc != nil {
-		if len(pvc.GetLabels()) > 0 {
-			s.pvcLabels = pvc.Labels
-		}
-		s.pvcPhase = string(pvc.Status.Phase)
+	if pvc != nil && len(pvc.GetLabels()) > 0 {
+		s.pvcLabels = pvc.Labels
 	}
 }

@@ -114,31 +110,6 @@ func (c *pvcLabelsCondition) validate() error {
 	return nil
 }

-// pvcPhaseCondition defines a condition that matches if the PVC's phase matches any of the provided phases.
-type pvcPhaseCondition struct {
-	phases []string
-}
-
-func (c *pvcPhaseCondition) match(v *structuredVolume) bool {
-	// No phases specified: always match.
-	if len(c.phases) == 0 {
-		return true
-	}
-	if v.pvcPhase == "" {
-		return false
-	}
-	for _, phase := range c.phases {
-		if v.pvcPhase == phase {
-			return true
-		}
-	}
-	return false
-}
-
-func (c *pvcPhaseCondition) validate() error {
-	return nil
-}
-
 type capacityCondition struct {
 	capacity capacity
 }
--- a/internal/resourcepolicies/volume_resources_validator.go
+++ b/internal/resourcepolicies/volume_resources_validator.go
@@ -46,7 +46,6 @@ type volumeConditions struct {
 	CSI          *csiVolumeSource  `yaml:"csi,omitempty"`
 	VolumeTypes  []SupportedVolume `yaml:"volumeTypes,omitempty"`
 	PVCLabels    map[string]string `yaml:"pvcLabels,omitempty"`
-	PVCPhase     []string          `yaml:"pvcPhase,omitempty"`
 }

 func (c *capacityCondition) validate() error {
@@ -90,7 +89,7 @@ func decodeStruct(r io.Reader, s any) error {
 func (a *Action) validate() error {
 	// validate Type
 	valid := false
-	if a.Type == Skip || a.Type == Snapshot || a.Type == FSBackup || a.Type == Custom {
+	if a.Type == Skip || a.Type == Snapshot || a.Type == FSBackup {
 		valid = true
 	}
 	if !valid {
--- a/internal/volume/volumes_information.go
+++ b/internal/volume/volumes_information.go
@@ -146,10 +146,6 @@ type CSISnapshotInfo struct {

 	// The VolumeSnapshot's Status.ReadyToUse value
 	ReadyToUse *bool
-
-	// The VolumeGroupSnapshotHandle from VSC status, used to create stub VGSC during restore
-	// for CSI drivers that populate this field (e.g., Ceph RBD).
-	VolumeGroupSnapshotHandle string `json:"volumeGroupSnapshotHandle,omitempty"`
 }

 // SnapshotDataMovementInfo is used for displaying the snapshot data mover status.
@@ -460,10 +456,6 @@ func (v *BackupVolumesInformation) generateVolumeInfoForCSIVolumeSnapshot() {
 		if volumeSnapshotContent.Status.SnapshotHandle != nil {
 			snapshotHandle = *volumeSnapshotContent.Status.SnapshotHandle
 		}
-		volumeGroupSnapshotHandle := ""
-		if volumeSnapshotContent.Status != nil && volumeSnapshotContent.Status.VolumeGroupSnapshotHandle != nil {
-			volumeGroupSnapshotHandle = *volumeSnapshotContent.Status.VolumeGroupSnapshotHandle
-		}
 		if pvcPVInfo := v.pvMap.retrieve("", *volumeSnapshot.Spec.Source.PersistentVolumeClaimName, volumeSnapshot.Namespace); pvcPVInfo != nil {
 			volumeInfo := &BackupVolumeInfo{
 				BackupMethod:          CSISnapshot,
@@ -474,13 +466,12 @@ func (v *BackupVolumesInformation) generateVolumeInfoForCSIVolumeSnapshot() {
 				SnapshotDataMoved:     false,
 				PreserveLocalSnapshot: true,
 				CSISnapshotInfo: &CSISnapshotInfo{
-					VSCName:                   *volumeSnapshot.Status.BoundVolumeSnapshotContentName,
-					Size:                      size,
-					Driver:                    volumeSnapshotContent.Spec.Driver,
-					SnapshotHandle:            snapshotHandle,
-					OperationID:               operation.Spec.OperationID,
-					ReadyToUse:                volumeSnapshot.Status.ReadyToUse,
-					VolumeGroupSnapshotHandle: volumeGroupSnapshotHandle,
+					VSCName:        *volumeSnapshot.Status.BoundVolumeSnapshotContentName,
+					Size:           size,
+					Driver:         volumeSnapshotContent.Spec.Driver,
+					SnapshotHandle: snapshotHandle,
+					OperationID:    operation.Spec.OperationID,
+					ReadyToUse:     volumeSnapshot.Status.ReadyToUse,
 				},
 				PVInfo: &PVInfo{
 					ReclaimPolicy: string(pvcPVInfo.PV.Spec.PersistentVolumeReclaimPolicy),
--- a/internal/volumehelper/volume_policy_helper.go
+++ b/internal/volumehelper/volume_policy_helper.go
@@ -1,11 +1,9 @@
 package volumehelper

 import (
-	"context"
 	"fmt"
 	"strings"

-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	corev1api "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -13,14 +11,17 @@ import (
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"

 	"github.com/vmware-tanzu/velero/internal/resourcepolicies"
-	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	"github.com/vmware-tanzu/velero/pkg/kuberesource"
 	"github.com/vmware-tanzu/velero/pkg/util/boolptr"
 	kubeutil "github.com/vmware-tanzu/velero/pkg/util/kube"
 	podvolumeutil "github.com/vmware-tanzu/velero/pkg/util/podvolume"
-	vhutil "github.com/vmware-tanzu/velero/pkg/util/volumehelper"
 )

+type VolumeHelper interface {
+	ShouldPerformSnapshot(obj runtime.Unstructured, groupResource schema.GroupResource) (bool, error)
+	ShouldPerformFSBackup(volume corev1api.Volume, pod corev1api.Pod) (bool, error)
+}
+
 type volumeHelperImpl struct {
 	volumePolicy             *resourcepolicies.Policies
 	snapshotVolumes          *bool
@@ -32,16 +33,8 @@ type volumeHelperImpl struct {
 	// to the volume policy check, but fs-backup is based on the pod resource,
 	// the resource filter on PVC and PV doesn't work on this scenario.
 	backupExcludePVC bool
-	// pvcPodCache provides cached PVC to Pod mappings for improved performance.
-	// When there are many PVCs and pods, using this cache avoids O(N*M) lookups.
-	pvcPodCache *podvolumeutil.PVCPodCache
 }

-// NewVolumeHelperImpl creates a VolumeHelper without PVC-to-Pod caching.
-//
-// Deprecated: Use NewVolumeHelperImplWithNamespaces or NewVolumeHelperImplWithCache instead
-// for better performance. These functions provide PVC-to-Pod caching which avoids O(N*M)
-// complexity when there are many PVCs and pods. See issue #9179 for details.
 func NewVolumeHelperImpl(
 	volumePolicy *resourcepolicies.Policies,
 	snapshotVolumes *bool,
@@ -49,44 +42,7 @@ func NewVolumeHelperImpl(
 	client crclient.Client,
 	defaultVolumesToFSBackup bool,
 	backupExcludePVC bool,
-) vhutil.VolumeHelper {
-	// Pass nil namespaces - no cache will be built, so this never fails.
-	// This is used by plugins that don't need the cache optimization.
-	vh, _ := NewVolumeHelperImplWithNamespaces(
-		volumePolicy,
-		snapshotVolumes,
-		logger,
-		client,
-		defaultVolumesToFSBackup,
-		backupExcludePVC,
-		nil,
-	)
-	return vh
-}
-
-// NewVolumeHelperImplWithNamespaces creates a VolumeHelper with a PVC-to-Pod cache for improved performance.
-// The cache is built internally from the provided namespaces list.
-// This avoids O(N*M) complexity when there are many PVCs and pods.
-// See issue #9179 for details.
-// Returns an error if cache building fails - callers should not proceed with backup in this case.
-func NewVolumeHelperImplWithNamespaces(
-	volumePolicy *resourcepolicies.Policies,
-	snapshotVolumes *bool,
-	logger logrus.FieldLogger,
-	client crclient.Client,
-	defaultVolumesToFSBackup bool,
-	backupExcludePVC bool,
-	namespaces []string,
-) (vhutil.VolumeHelper, error) {
-	var pvcPodCache *podvolumeutil.PVCPodCache
-	if len(namespaces) > 0 {
-		pvcPodCache = podvolumeutil.NewPVCPodCache()
-		if err := pvcPodCache.BuildCacheForNamespaces(context.Background(), namespaces, client); err != nil {
-			return nil, err
-		}
-		logger.Infof("Built PVC-to-Pod cache for %d namespaces", len(namespaces))
-	}
-
+) VolumeHelper {
 	return &volumeHelperImpl{
 		volumePolicy:             volumePolicy,
 		snapshotVolumes:          snapshotVolumes,
@@ -94,33 +50,7 @@ func NewVolumeHelperImplWithNamespaces(
 		client:                   client,
 		defaultVolumesToFSBackup: defaultVolumesToFSBackup,
 		backupExcludePVC:         backupExcludePVC,
-		pvcPodCache:              pvcPodCache,
-	}, nil
-}
-
-// NewVolumeHelperImplWithCache creates a VolumeHelper using an externally managed PVC-to-Pod cache.
-// This is used by plugins that build the cache lazily per-namespace (following the pattern from PR #9226).
-// The cache can be nil, in which case PVC-to-Pod lookups will fall back to direct API calls.
-func NewVolumeHelperImplWithCache(
-	backup velerov1api.Backup,
-	client crclient.Client,
-	logger logrus.FieldLogger,
-	pvcPodCache *podvolumeutil.PVCPodCache,
-) (vhutil.VolumeHelper, error) {
-	resourcePolicies, err := resourcepolicies.GetResourcePoliciesFromBackup(backup, client, logger)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to get volume policies from backup")
 	}
-
-	return &volumeHelperImpl{
-		volumePolicy:             resourcePolicies,
-		snapshotVolumes:          backup.Spec.SnapshotVolumes,
-		logger:                   logger,
-		client:                   client,
-		defaultVolumesToFSBackup: boolptr.IsSetToTrue(backup.Spec.DefaultVolumesToFsBackup),
-		backupExcludePVC:         boolptr.IsSetToTrue(backup.Spec.SnapshotMoveData),
-		pvcPodCache:              pvcPodCache,
-	}, nil
 }

 func (v *volumeHelperImpl) ShouldPerformSnapshot(obj runtime.Unstructured, groupResource schema.GroupResource) (bool, error) {
@@ -130,7 +60,6 @@ func (v *volumeHelperImpl) ShouldPerformSnapshot(obj runtime.Unstructured, group
 	pv := new(corev1api.PersistentVolume)
 	var err error

-	var pvNotFoundErr error
 	if groupResource == kuberesource.PersistentVolumeClaims {
 		if err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &pvc); err != nil {
 			v.logger.WithError(err).Error("fail to convert unstructured into PVC")
@@ -139,10 +68,8 @@ func (v *volumeHelperImpl) ShouldPerformSnapshot(obj runtime.Unstructured, group

 		pv, err = kubeutil.GetPVForPVC(pvc, v.client)
 		if err != nil {
-			// Any error means PV not available - save to return later if no policy matches
-			v.logger.Debugf("PV not found for PVC %s: %v", pvc.Namespace+"/"+pvc.Name, err)
-			pvNotFoundErr = err
-			pv = nil
+			v.logger.WithError(err).Errorf("fail to get PV for PVC %s", pvc.Namespace+"/"+pvc.Name)
+			return false, err
 		}
 	}

@@ -157,7 +84,7 @@ func (v *volumeHelperImpl) ShouldPerformSnapshot(obj runtime.Unstructured, group
 		vfd := resourcepolicies.NewVolumeFilterData(pv, nil, pvc)
 		action, err := v.volumePolicy.GetMatchAction(vfd)
 		if err != nil {
-			v.logger.WithError(err).Errorf("fail to get VolumePolicy match action for %+v", vfd)
+			v.logger.WithError(err).Errorf("fail to get VolumePolicy match action for PV %s", pv.Name)
 			return false, err
 		}

@@ -166,30 +93,22 @@ func (v *volumeHelperImpl) ShouldPerformSnapshot(obj runtime.Unstructured, group
 		// If there is no match action, go on to the next check.
 		if action != nil {
 			if action.Type == resourcepolicies.Snapshot {
-				v.logger.Infof("performing snapshot action for %+v", vfd)
+				v.logger.Infof(fmt.Sprintf("performing snapshot action for pv %s", pv.Name))
 				return true, nil
 			} else {
-				v.logger.Infof("Skip snapshot action for %+v as the action type is %s", vfd, action.Type)
+				v.logger.Infof("Skip snapshot action for pv %s as the action type is %s", pv.Name, action.Type)
 				return false, nil
 			}
 		}
 	}

-	// If resource is PVC, and PV is nil (e.g., Pending/Lost PVC with no matching policy), return the original error
-	if groupResource == kuberesource.PersistentVolumeClaims && pv == nil && pvNotFoundErr != nil {
-		v.logger.WithError(pvNotFoundErr).Errorf("fail to get PV for PVC %s", pvc.Namespace+"/"+pvc.Name)
-		return false, pvNotFoundErr
-	}
-
 	// If this PV is claimed, see if we've already taken a (pod volume backup)
 	// snapshot of the contents of this PV. If so, don't take a snapshot.
 	if pv.Spec.ClaimRef != nil {
-		// Use cached lookup if available for better performance with many PVCs/pods
-		pods, err := podvolumeutil.GetPodsUsingPVCWithCache(
+		pods, err := podvolumeutil.GetPodsUsingPVC(
 			pv.Spec.ClaimRef.Namespace,
 			pv.Spec.ClaimRef.Name,
 			v.client,
-			v.pvcPodCache,
 		)
 		if err != nil {
 			v.logger.WithError(err).Errorf("fail to get pod for PV %s", pv.Name)
@@ -214,7 +133,7 @@ func (v *volumeHelperImpl) ShouldPerformSnapshot(obj runtime.Unstructured, group
 		return true, nil
 	}

-	v.logger.Infof("skipping snapshot action for pv %s possibly due to no volume policy setting or snapshotVolumes is false", pv.Name)
+	v.logger.Infof(fmt.Sprintf("skipping snapshot action for pv %s possibly due to no volume policy setting or snapshotVolumes is false", pv.Name))
 	return false, nil
 }

@@ -224,7 +143,6 @@ func (v volumeHelperImpl) ShouldPerformFSBackup(volume corev1api.Volume, pod cor
 		return false, nil
 	}

-	var pvNotFoundErr error
 	if v.volumePolicy != nil {
 		var resource any
 		var err error
@@ -236,13 +154,10 @@ func (v volumeHelperImpl) ShouldPerformFSBackup(volume corev1api.Volume, pod cor
 				v.logger.WithError(err).Errorf("fail to get PVC for pod %s", pod.Namespace+"/"+pod.Name)
 				return false, err
 			}
-			pvResource, err := kubeutil.GetPVForPVC(pvc, v.client)
+			resource, err = kubeutil.GetPVForPVC(pvc, v.client)
 			if err != nil {
-				// Any error means PV not available - save to return later if no policy matches
-				v.logger.Debugf("PV not found for PVC %s: %v", pvc.Namespace+"/"+pvc.Name, err)
-				pvNotFoundErr = err
-			} else {
-				resource = pvResource
+				v.logger.WithError(err).Errorf("fail to get PV for PVC %s", pvc.Namespace+"/"+pvc.Name)
+				return false, err
 			}
 		}

@@ -269,12 +184,6 @@ func (v volumeHelperImpl) ShouldPerformFSBackup(volume corev1api.Volume, pod cor
 				return false, nil
 			}
 		}
-
-		// If no policy matched and PV was not found, return the original error
-		if pvNotFoundErr != nil {
-			v.logger.WithError(pvNotFoundErr).Errorf("fail to get PV for PVC %s", pvc.Namespace+"/"+pvc.Name)
-			return false, pvNotFoundErr
-		}
 	}

 	if v.shouldPerformFSBackupLegacy(volume, pod) {
@@ -315,121 +224,6 @@ func (v volumeHelperImpl) shouldPerformFSBackupLegacy(
 	}
 }

-func (v *volumeHelperImpl) ShouldPerformCustomAction(obj runtime.Unstructured, groupResource schema.GroupResource, matchParams map[string]any) (bool, error) {
-	// check if volume policy exists and also check if the object(pv/pvc) fits a volume policy criteria and see if the associated action is custom with the provided param values
-	pvc := new(corev1api.PersistentVolumeClaim)
-	pv := new(corev1api.PersistentVolume)
-	var err error
-
-	var pvNotFoundErr error
-	if groupResource == kuberesource.PersistentVolumeClaims {
-		if err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &pvc); err != nil {
-			v.logger.WithError(err).Error("fail to convert unstructured into PVC")
-			return false, err
-		}
-
-		pv, err = kubeutil.GetPVForPVC(pvc, v.client)
-		if err != nil {
-			// Any error means PV not available - save to return later if no policy matches
-			v.logger.Debugf("PV not found for PVC %s: %v", pvc.Namespace+"/"+pvc.Name, err)
-			pvNotFoundErr = err
-			pv = nil
-		}
-	}
-
-	if groupResource == kuberesource.PersistentVolumes {
-		if err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &pv); err != nil {
-			v.logger.WithError(err).Error("fail to convert unstructured into PV")
-			return false, err
-		}
-	}
-
-	if v.volumePolicy != nil {
-		vfd := resourcepolicies.NewVolumeFilterData(pv, nil, pvc)
-		action, err := v.volumePolicy.GetMatchAction(vfd)
-		if err != nil {
-			v.logger.WithError(err).Errorf("fail to get VolumePolicy match action for %+v", vfd)
-			return false, err
-		}
-
-		// If there is a match action, and the action type is custom, return true
-		// if the provided parameters match as well, else return false.
-		// If there is no match action, also return false
-		if action != nil {
-			if action.Type == resourcepolicies.Custom {
-				for k, requiredValue := range matchParams {
-					if actionValue, ok := action.Parameters[k]; !ok || actionValue != requiredValue {
-						v.logger.Infof("Skipping custom action for %+v as value for parameter %s is %s rather than the required %s", vfd, k, actionValue, requiredValue)
-						return false, nil
-					}
-				}
-				v.logger.Infof("performing custom action for %+v", vfd)
-				return true, nil
-			} else {
-				v.logger.Infof("Skipping custom action for %+v as the action type is %s", vfd, action.Type)
-				return false, nil
-			}
-		}
-	}
-	// If resource is PVC, and PV is nil (e.g., Pending/Lost PVC with no matching policy), return the original error
-	// Don't error out on no PV, just return false
-	if groupResource == kuberesource.PersistentVolumeClaims && pv == nil && pvNotFoundErr != nil {
-		v.logger.WithError(pvNotFoundErr).Warnf("fail to get PV for PVC %s", pvc.Namespace+"/"+pvc.Name)
-		return false, nil
-	}
-
-	v.logger.Infof("skipping custom action for pv %s due to no matching volume policy", pv.Name)
-	return false, nil
-}
-
-// returns false if no matching action found. Returns true with the action name and Parameters map if there is a matching policy
-func (v *volumeHelperImpl) GetActionParameters(obj runtime.Unstructured, groupResource schema.GroupResource) (bool, string, map[string]any, error) {
-	// if volume policy exists, return action parameters.
-	pvc := new(corev1api.PersistentVolumeClaim)
-	pv := new(corev1api.PersistentVolume)
-	var err error
-
-	if groupResource == kuberesource.PersistentVolumeClaims {
-		if err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &pvc); err != nil {
-			v.logger.WithError(err).Error("fail to convert unstructured into PVC")
-			return false, "", nil, err
-		}
-
-		pv, err = kubeutil.GetPVForPVC(pvc, v.client)
-		if err != nil {
-			v.logger.WithError(err).Warnf("failed to get PV for PVC %s", pvc.Namespace+"/"+pvc.Name)
-			return false, "", nil, nil
-		}
-	}
-
-	if groupResource == kuberesource.PersistentVolumes {
-		if err = runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), &pv); err != nil {
-			v.logger.WithError(err).Error("fail to convert unstructured into PV")
-			return false, "", nil, err
-		}
-	}
-
-	if v.volumePolicy != nil {
-		vfd := resourcepolicies.NewVolumeFilterData(pv, nil, pvc)
-		action, err := v.volumePolicy.GetMatchAction(vfd)
-		if err != nil {
-			v.logger.WithError(err).Errorf("fail to get VolumePolicy match action for PV %s", pv.Name)
-			return false, "", nil, err
-		}
-
-		// If there is a match action, and the action type is custom, return true
-		// if the provided parameters match as well, else return false.
-		// If there is no match action, also return false
-		if action != nil {
-			v.logger.Infof("found matching action for pv %s, returning parameters", pv.Name)
-			return true, string(action.Type), action.Parameters, nil
-		}
-	}
-
-	v.logger.Infof("no matching volume policy found for pv %s, no parameters to return", pv.Name)
-	return false, "", nil, nil
-}
-
 func (v *volumeHelperImpl) shouldIncludeVolumeInBackup(vol corev1api.Volume) bool {
 	includeVolumeInBackup := true
 	// cannot backup hostpath volumes as they are not mounted into /var/lib/kubelet/pods
--- a/internal/volumehelper/volume_policy_helper_test.go
+++ b/internal/volumehelper/volume_policy_helper_test.go
@@ -34,7 +34,6 @@ import (
 	"github.com/vmware-tanzu/velero/pkg/builder"
 	"github.com/vmware-tanzu/velero/pkg/kuberesource"
 	velerotest "github.com/vmware-tanzu/velero/pkg/test"
-	podvolumeutil "github.com/vmware-tanzu/velero/pkg/util/podvolume"
 )

 func TestVolumeHelperImpl_ShouldPerformSnapshot(t *testing.T) {
@@ -286,7 +285,7 @@ func TestVolumeHelperImpl_ShouldPerformSnapshot(t *testing.T) {
 			expectedErr:         false,
 		},
 		{
-			name:          "PVC not having PV, return false and error when no matching policy",
+			name:          "PVC not having PV, return false and error case PV not found",
 			inputObj:      builder.ForPersistentVolumeClaim("default", "example-pvc").StorageClass("gp2-csi").Result(),
 			groupResource: kuberesource.PersistentVolumeClaims,
 			resourcePolicies: &resourcepolicies.ResourcePolicies{
@@ -739,807 +738,3 @@ func TestGetVolumeFromResource(t *testing.T) {
 		assert.ErrorContains(t, err, "resource is not a PersistentVolume or Volume")
 	})
 }
-
-func TestVolumeHelperImplWithCache_ShouldPerformSnapshot(t *testing.T) {
-	testCases := []struct {
-		name                     string
-		inputObj                 runtime.Object
-		groupResource            schema.GroupResource
-		pod                      *corev1api.Pod
-		resourcePolicies         *resourcepolicies.ResourcePolicies
-		snapshotVolumesFlag      *bool
-		defaultVolumesToFSBackup bool
-		buildCache               bool
-		shouldSnapshot           bool
-		expectedErr              bool
-	}{
-		{
-			name:          "VolumePolicy match with cache, returns true",
-			inputObj:      builder.ForPersistentVolume("example-pv").StorageClass("gp2-csi").ClaimRef("ns", "pvc-1").Result(),
-			groupResource: kuberesource.PersistentVolumes,
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"storageClass": []string{"gp2-csi"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Snapshot,
-						},
-					},
-				},
-			},
-			snapshotVolumesFlag: ptr.To(true),
-			buildCache:          true,
-			shouldSnapshot:      true,
-			expectedErr:         false,
-		},
-		{
-			name:          "VolumePolicy not match, fs-backup via opt-out with cache, skips snapshot",
-			inputObj:      builder.ForPersistentVolume("example-pv").StorageClass("gp3-csi").ClaimRef("ns", "pvc-1").Result(),
-			groupResource: kuberesource.PersistentVolumes,
-			pod: builder.ForPod("ns", "pod-1").Volumes(
-				&corev1api.Volume{
-					Name: "volume",
-					VolumeSource: corev1api.VolumeSource{
-						PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-							ClaimName: "pvc-1",
-						},
-					},
-				},
-			).Result(),
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"storageClass": []string{"gp2-csi"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Snapshot,
-						},
-					},
-				},
-			},
-			snapshotVolumesFlag:      ptr.To(true),
-			defaultVolumesToFSBackup: true,
-			buildCache:               true,
-			shouldSnapshot:           false,
-			expectedErr:              false,
-		},
-		{
-			name:          "Cache not built, falls back to direct lookup",
-			inputObj:      builder.ForPersistentVolume("example-pv").StorageClass("gp2-csi").ClaimRef("ns", "pvc-1").Result(),
-			groupResource: kuberesource.PersistentVolumes,
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"storageClass": []string{"gp2-csi"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Snapshot,
-						},
-					},
-				},
-			},
-			snapshotVolumesFlag: ptr.To(true),
-			buildCache:          false,
-			shouldSnapshot:      true,
-			expectedErr:         false,
-		},
-		{
-			name:          "No volume policy, defaultVolumesToFSBackup with cache, skips snapshot",
-			inputObj:      builder.ForPersistentVolume("example-pv").StorageClass("gp2-csi").ClaimRef("ns", "pvc-1").Result(),
-			groupResource: kuberesource.PersistentVolumes,
-			pod: builder.ForPod("ns", "pod-1").Volumes(
-				&corev1api.Volume{
-					Name: "volume",
-					VolumeSource: corev1api.VolumeSource{
-						PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-							ClaimName: "pvc-1",
-						},
-					},
-				},
-			).Result(),
-			resourcePolicies:         nil,
-			snapshotVolumesFlag:      ptr.To(true),
-			defaultVolumesToFSBackup: true,
-			buildCache:               true,
-			shouldSnapshot:           false,
-			expectedErr:              false,
-		},
-	}
-
-	objs := []runtime.Object{
-		&corev1api.PersistentVolumeClaim{
-			ObjectMeta: metav1.ObjectMeta{
-				Namespace: "ns",
-				Name:      "pvc-1",
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			fakeClient := velerotest.NewFakeControllerRuntimeClient(t, objs...)
-			if tc.pod != nil {
-				require.NoError(t, fakeClient.Create(t.Context(), tc.pod))
-			}
-
-			var p *resourcepolicies.Policies
-			if tc.resourcePolicies != nil {
-				p = &resourcepolicies.Policies{}
-				err := p.BuildPolicy(tc.resourcePolicies)
-				require.NoError(t, err)
-			}
-
-			var namespaces []string
-			if tc.buildCache {
-				namespaces = []string{"ns"}
-			}
-
-			vh, err := NewVolumeHelperImplWithNamespaces(
-				p,
-				tc.snapshotVolumesFlag,
-				logrus.StandardLogger(),
-				fakeClient,
-				tc.defaultVolumesToFSBackup,
-				false,
-				namespaces,
-			)
-			require.NoError(t, err)
-
-			obj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(tc.inputObj)
-			require.NoError(t, err)
-
-			actualShouldSnapshot, actualError := vh.ShouldPerformSnapshot(&unstructured.Unstructured{Object: obj}, tc.groupResource)
-			if tc.expectedErr {
-				require.Error(t, actualError)
-				return
-			}
-			require.NoError(t, actualError)
-			require.Equalf(t, tc.shouldSnapshot, actualShouldSnapshot, "Want shouldSnapshot as %t; Got shouldSnapshot as %t", tc.shouldSnapshot, actualShouldSnapshot)
-		})
-	}
-}
-
-func TestVolumeHelperImplWithCache_ShouldPerformFSBackup(t *testing.T) {
-	testCases := []struct {
-		name                     string
-		pod                      *corev1api.Pod
-		resources                []runtime.Object
-		resourcePolicies         *resourcepolicies.ResourcePolicies
-		snapshotVolumesFlag      *bool
-		defaultVolumesToFSBackup bool
-		buildCache               bool
-		shouldFSBackup           bool
-		expectedErr              bool
-	}{
-		{
-			name: "VolumePolicy match with cache, return true",
-			pod: builder.ForPod("ns", "pod-1").
-				Volumes(
-					&corev1api.Volume{
-						Name: "vol-1",
-						VolumeSource: corev1api.VolumeSource{
-							PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-								ClaimName: "pvc-1",
-							},
-						},
-					}).Result(),
-			resources: []runtime.Object{
-				builder.ForPersistentVolumeClaim("ns", "pvc-1").
-					VolumeName("pv-1").
-					StorageClass("gp2-csi").Phase(corev1api.ClaimBound).Result(),
-				builder.ForPersistentVolume("pv-1").StorageClass("gp2-csi").Result(),
-			},
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"storageClass": []string{"gp2-csi"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.FSBackup,
-						},
-					},
-				},
-			},
-			buildCache:     true,
-			shouldFSBackup: true,
-			expectedErr:    false,
-		},
-		{
-			name: "VolumePolicy match with cache, action is snapshot, return false",
-			pod: builder.ForPod("ns", "pod-1").
-				Volumes(
-					&corev1api.Volume{
-						Name: "vol-1",
-						VolumeSource: corev1api.VolumeSource{
-							PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-								ClaimName: "pvc-1",
-							},
-						},
-					}).Result(),
-			resources: []runtime.Object{
-				builder.ForPersistentVolumeClaim("ns", "pvc-1").
-					VolumeName("pv-1").
-					StorageClass("gp2-csi").Phase(corev1api.ClaimBound).Result(),
-				builder.ForPersistentVolume("pv-1").StorageClass("gp2-csi").Result(),
-			},
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"storageClass": []string{"gp2-csi"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Snapshot,
-						},
-					},
-				},
-			},
-			buildCache:     true,
-			shouldFSBackup: false,
-			expectedErr:    false,
-		},
-		{
-			name: "Cache not built, falls back to direct lookup, opt-in annotation",
-			pod: builder.ForPod("ns", "pod-1").
-				ObjectMeta(builder.WithAnnotations(velerov1api.VolumesToBackupAnnotation, "vol-1")).
-				Volumes(
-					&corev1api.Volume{
-						Name: "vol-1",
-						VolumeSource: corev1api.VolumeSource{
-							PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-								ClaimName: "pvc-1",
-							},
-						},
-					}).Result(),
-			resources: []runtime.Object{
-				builder.ForPersistentVolumeClaim("ns", "pvc-1").
-					VolumeName("pv-1").
-					StorageClass("gp2-csi").Phase(corev1api.ClaimBound).Result(),
-				builder.ForPersistentVolume("pv-1").StorageClass("gp2-csi").Result(),
-			},
-			buildCache:               false,
-			defaultVolumesToFSBackup: false,
-			shouldFSBackup:           true,
-			expectedErr:              false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			fakeClient := velerotest.NewFakeControllerRuntimeClient(t, tc.resources...)
-			if tc.pod != nil {
-				require.NoError(t, fakeClient.Create(t.Context(), tc.pod))
-			}
-
-			var p *resourcepolicies.Policies
-			if tc.resourcePolicies != nil {
-				p = &resourcepolicies.Policies{}
-				err := p.BuildPolicy(tc.resourcePolicies)
-				require.NoError(t, err)
-			}
-
-			var namespaces []string
-			if tc.buildCache {
-				namespaces = []string{"ns"}
-			}
-
-			vh, err := NewVolumeHelperImplWithNamespaces(
-				p,
-				tc.snapshotVolumesFlag,
-				logrus.StandardLogger(),
-				fakeClient,
-				tc.defaultVolumesToFSBackup,
-				false,
-				namespaces,
-			)
-			require.NoError(t, err)
-
-			actualShouldFSBackup, actualError := vh.ShouldPerformFSBackup(tc.pod.Spec.Volumes[0], *tc.pod)
-			if tc.expectedErr {
-				require.Error(t, actualError)
-				return
-			}
-			require.NoError(t, actualError)
-			require.Equalf(t, tc.shouldFSBackup, actualShouldFSBackup, "Want shouldFSBackup as %t; Got shouldFSBackup as %t", tc.shouldFSBackup, actualShouldFSBackup)
-		})
-	}
-}
-
-// TestNewVolumeHelperImplWithCache tests the NewVolumeHelperImplWithCache constructor
-// which is used by plugins that build the cache lazily per-namespace.
-func TestNewVolumeHelperImplWithCache(t *testing.T) {
-	testCases := []struct {
-		name                    string
-		backup                  velerov1api.Backup
-		resourcePolicyConfigMap *corev1api.ConfigMap
-		pvcPodCache             bool // whether to pass a cache
-		expectError             bool
-	}{
-		{
-			name: "creates VolumeHelper with nil cache",
-			backup: velerov1api.Backup{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-backup",
-					Namespace: "velero",
-				},
-				Spec: velerov1api.BackupSpec{
-					SnapshotVolumes:          ptr.To(true),
-					DefaultVolumesToFsBackup: ptr.To(false),
-				},
-			},
-			pvcPodCache: false,
-			expectError: false,
-		},
-		{
-			name: "creates VolumeHelper with non-nil cache",
-			backup: velerov1api.Backup{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-backup",
-					Namespace: "velero",
-				},
-				Spec: velerov1api.BackupSpec{
-					SnapshotVolumes:          ptr.To(true),
-					DefaultVolumesToFsBackup: ptr.To(true),
-					SnapshotMoveData:         ptr.To(true),
-				},
-			},
-			pvcPodCache: true,
-			expectError: false,
-		},
-		{
-			name: "creates VolumeHelper with resource policies",
-			backup: velerov1api.Backup{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-backup",
-					Namespace: "velero",
-				},
-				Spec: velerov1api.BackupSpec{
-					SnapshotVolumes: ptr.To(true),
-					ResourcePolicy: &corev1api.TypedLocalObjectReference{
-						Kind: "ConfigMap",
-						Name: "resource-policy",
-					},
-				},
-			},
-			resourcePolicyConfigMap: &corev1api.ConfigMap{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "resource-policy",
-					Namespace: "velero",
-				},
-				Data: map[string]string{
-					"policy": `version: v1
-volumePolicies:
- conditions:
-    storageClass:
-    - gp2-csi
-  action:
-    type: snapshot`,
-				},
-			},
-			pvcPodCache: true,
-			expectError: false,
-		},
-		{
-			name: "fails when resource policy ConfigMap not found",
-			backup: velerov1api.Backup{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-backup",
-					Namespace: "velero",
-				},
-				Spec: velerov1api.BackupSpec{
-					ResourcePolicy: &corev1api.TypedLocalObjectReference{
-						Kind: "ConfigMap",
-						Name: "non-existent-policy",
-					},
-				},
-			},
-			pvcPodCache: false,
-			expectError: true,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var objs []runtime.Object
-			if tc.resourcePolicyConfigMap != nil {
-				objs = append(objs, tc.resourcePolicyConfigMap)
-			}
-			fakeClient := velerotest.NewFakeControllerRuntimeClient(t, objs...)
-
-			var cache *podvolumeutil.PVCPodCache
-			if tc.pvcPodCache {
-				cache = podvolumeutil.NewPVCPodCache()
-			}
-
-			vh, err := NewVolumeHelperImplWithCache(
-				tc.backup,
-				fakeClient,
-				logrus.StandardLogger(),
-				cache,
-			)
-
-			if tc.expectError {
-				require.Error(t, err)
-				require.Nil(t, vh)
-			} else {
-				require.NoError(t, err)
-				require.NotNil(t, vh)
-			}
-		})
-	}
-}
-
-// TestNewVolumeHelperImplWithCache_UsesCache verifies that the VolumeHelper created
-// via NewVolumeHelperImplWithCache actually uses the provided cache for lookups.
-func TestNewVolumeHelperImplWithCache_UsesCache(t *testing.T) {
-	// Create a pod that uses a PVC via opt-out (defaultVolumesToFsBackup=true)
-	pod := builder.ForPod("ns", "pod-1").Volumes(
-		&corev1api.Volume{
-			Name: "volume",
-			VolumeSource: corev1api.VolumeSource{
-				PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-					ClaimName: "pvc-1",
-				},
-			},
-		},
-	).Result()
-
-	pvc := &corev1api.PersistentVolumeClaim{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: "ns",
-			Name:      "pvc-1",
-		},
-	}
-
-	pv := builder.ForPersistentVolume("example-pv").StorageClass("gp2-csi").ClaimRef("ns", "pvc-1").Result()
-
-	fakeClient := velerotest.NewFakeControllerRuntimeClient(t, pvc, pv, pod)
-
-	// Build cache for the namespace
-	cache := podvolumeutil.NewPVCPodCache()
-	err := cache.BuildCacheForNamespace(t.Context(), "ns", fakeClient)
-	require.NoError(t, err)
-
-	backup := velerov1api.Backup{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-backup",
-			Namespace: "velero",
-		},
-		Spec: velerov1api.BackupSpec{
-			SnapshotVolumes:          ptr.To(true),
-			DefaultVolumesToFsBackup: ptr.To(true), // opt-out mode
-		},
-	}
-
-	vh, err := NewVolumeHelperImplWithCache(backup, fakeClient, logrus.StandardLogger(), cache)
-	require.NoError(t, err)
-
-	// Convert PV to unstructured
-	obj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(pv)
-	require.NoError(t, err)
-
-	// ShouldPerformSnapshot should return false because the volume is selected for fs-backup
-	// This relies on the cache to find the pod using the PVC
-	shouldSnapshot, err := vh.ShouldPerformSnapshot(&unstructured.Unstructured{Object: obj}, kuberesource.PersistentVolumes)
-	require.NoError(t, err)
-	require.False(t, shouldSnapshot, "Expected snapshot to be skipped due to fs-backup selection via cache")
-}
-
-// TestVolumeHelperImpl_ShouldPerformSnapshot_UnboundPVC tests that Pending and Lost PVCs with
-// phase-based skip policies don't cause errors when GetPVForPVC would fail.
-func TestVolumeHelperImpl_ShouldPerformSnapshot_UnboundPVC(t *testing.T) {
-	testCases := []struct {
-		name             string
-		inputPVC         *corev1api.PersistentVolumeClaim
-		resourcePolicies *resourcepolicies.ResourcePolicies
-		shouldSnapshot   bool
-		expectedErr      bool
-	}{
-		{
-			name: "Pending PVC with phase-based skip policy should not error and return false",
-			inputPVC: builder.ForPersistentVolumeClaim("ns", "pvc-pending").
-				StorageClass("non-existent-class").
-				Phase(corev1api.ClaimPending).
-				Result(),
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"pvcPhase": []string{"Pending"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Skip,
-						},
-					},
-				},
-			},
-			shouldSnapshot: false,
-			expectedErr:    false,
-		},
-		{
-			name: "Pending PVC without matching skip policy should error (no PV)",
-			inputPVC: builder.ForPersistentVolumeClaim("ns", "pvc-pending-no-policy").
-				StorageClass("non-existent-class").
-				Phase(corev1api.ClaimPending).
-				Result(),
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"storageClass": []string{"gp2-csi"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Skip,
-						},
-					},
-				},
-			},
-			shouldSnapshot: false,
-			expectedErr:    true,
-		},
-		{
-			name: "Lost PVC with phase-based skip policy should not error and return false",
-			inputPVC: builder.ForPersistentVolumeClaim("ns", "pvc-lost").
-				StorageClass("some-class").
-				Phase(corev1api.ClaimLost).
-				Result(),
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"pvcPhase": []string{"Lost"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Skip,
-						},
-					},
-				},
-			},
-			shouldSnapshot: false,
-			expectedErr:    false,
-		},
-		{
-			name: "Lost PVC with policy for Pending and Lost should not error and return false",
-			inputPVC: builder.ForPersistentVolumeClaim("ns", "pvc-lost").
-				StorageClass("some-class").
-				Phase(corev1api.ClaimLost).
-				Result(),
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"pvcPhase": []string{"Pending", "Lost"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Skip,
-						},
-					},
-				},
-			},
-			shouldSnapshot: false,
-			expectedErr:    false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			fakeClient := velerotest.NewFakeControllerRuntimeClient(t)
-
-			var p *resourcepolicies.Policies
-			if tc.resourcePolicies != nil {
-				p = &resourcepolicies.Policies{}
-				err := p.BuildPolicy(tc.resourcePolicies)
-				require.NoError(t, err)
-			}
-
-			vh := NewVolumeHelperImpl(
-				p,
-				ptr.To(true),
-				logrus.StandardLogger(),
-				fakeClient,
-				false,
-				false,
-			)
-
-			obj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(tc.inputPVC)
-			require.NoError(t, err)
-
-			actualShouldSnapshot, actualError := vh.ShouldPerformSnapshot(&unstructured.Unstructured{Object: obj}, kuberesource.PersistentVolumeClaims)
-			if tc.expectedErr {
-				require.Error(t, actualError, "Want error; Got nil error")
-				return
-			}
-
-			require.NoError(t, actualError)
-			require.Equalf(t, tc.shouldSnapshot, actualShouldSnapshot, "Want shouldSnapshot as %t; Got shouldSnapshot as %t", tc.shouldSnapshot, actualShouldSnapshot)
-		})
-	}
-}
-
-// TestVolumeHelperImpl_ShouldPerformFSBackup_UnboundPVC tests that Pending and Lost PVCs with
-// phase-based skip policies don't cause errors when GetPVForPVC would fail.
-func TestVolumeHelperImpl_ShouldPerformFSBackup_UnboundPVC(t *testing.T) {
-	testCases := []struct {
-		name             string
-		pod              *corev1api.Pod
-		pvc              *corev1api.PersistentVolumeClaim
-		resourcePolicies *resourcepolicies.ResourcePolicies
-		shouldFSBackup   bool
-		expectedErr      bool
-	}{
-		{
-			name: "Pending PVC with phase-based skip policy should not error and return false",
-			pod: builder.ForPod("ns", "pod-1").
-				Volumes(
-					&corev1api.Volume{
-						Name: "vol-pending",
-						VolumeSource: corev1api.VolumeSource{
-							PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-								ClaimName: "pvc-pending",
-							},
-						},
-					}).Result(),
-			pvc: builder.ForPersistentVolumeClaim("ns", "pvc-pending").
-				StorageClass("non-existent-class").
-				Phase(corev1api.ClaimPending).
-				Result(),
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"pvcPhase": []string{"Pending"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Skip,
-						},
-					},
-				},
-			},
-			shouldFSBackup: false,
-			expectedErr:    false,
-		},
-		{
-			name: "Pending PVC without matching skip policy should error (no PV)",
-			pod: builder.ForPod("ns", "pod-1").
-				Volumes(
-					&corev1api.Volume{
-						Name: "vol-pending",
-						VolumeSource: corev1api.VolumeSource{
-							PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-								ClaimName: "pvc-pending-no-policy",
-							},
-						},
-					}).Result(),
-			pvc: builder.ForPersistentVolumeClaim("ns", "pvc-pending-no-policy").
-				StorageClass("non-existent-class").
-				Phase(corev1api.ClaimPending).
-				Result(),
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"storageClass": []string{"gp2-csi"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Skip,
-						},
-					},
-				},
-			},
-			shouldFSBackup: false,
-			expectedErr:    true,
-		},
-		{
-			name: "Lost PVC with phase-based skip policy should not error and return false",
-			pod: builder.ForPod("ns", "pod-1").
-				Volumes(
-					&corev1api.Volume{
-						Name: "vol-lost",
-						VolumeSource: corev1api.VolumeSource{
-							PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-								ClaimName: "pvc-lost",
-							},
-						},
-					}).Result(),
-			pvc: builder.ForPersistentVolumeClaim("ns", "pvc-lost").
-				StorageClass("some-class").
-				Phase(corev1api.ClaimLost).
-				Result(),
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"pvcPhase": []string{"Lost"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Skip,
-						},
-					},
-				},
-			},
-			shouldFSBackup: false,
-			expectedErr:    false,
-		},
-		{
-			name: "Lost PVC with policy for Pending and Lost should not error and return false",
-			pod: builder.ForPod("ns", "pod-1").
-				Volumes(
-					&corev1api.Volume{
-						Name: "vol-lost",
-						VolumeSource: corev1api.VolumeSource{
-							PersistentVolumeClaim: &corev1api.PersistentVolumeClaimVolumeSource{
-								ClaimName: "pvc-lost",
-							},
-						},
-					}).Result(),
-			pvc: builder.ForPersistentVolumeClaim("ns", "pvc-lost").
-				StorageClass("some-class").
-				Phase(corev1api.ClaimLost).
-				Result(),
-			resourcePolicies: &resourcepolicies.ResourcePolicies{
-				Version: "v1",
-				VolumePolicies: []resourcepolicies.VolumePolicy{
-					{
-						Conditions: map[string]any{
-							"pvcPhase": []string{"Pending", "Lost"},
-						},
-						Action: resourcepolicies.Action{
-							Type: resourcepolicies.Skip,
-						},
-					},
-				},
-			},
-			shouldFSBackup: false,
-			expectedErr:    false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			fakeClient := velerotest.NewFakeControllerRuntimeClient(t, tc.pvc)
-			require.NoError(t, fakeClient.Create(t.Context(), tc.pod))
-
-			var p *resourcepolicies.Policies
-			if tc.resourcePolicies != nil {
-				p = &resourcepolicies.Policies{}
-				err := p.BuildPolicy(tc.resourcePolicies)
-				require.NoError(t, err)
-			}
-
-			vh := NewVolumeHelperImpl(
-				p,
-				ptr.To(true),
-				logrus.StandardLogger(),
-				fakeClient,
-				false,
-				false,
-			)
-
-			actualShouldFSBackup, actualError := vh.ShouldPerformFSBackup(tc.pod.Spec.Volumes[0], *tc.pod)
-			if tc.expectedErr {
-				require.Error(t, actualError, "Want error; Got nil error")
-				return
-			}
-
-			require.NoError(t, actualError)
-			require.Equalf(t, tc.shouldFSBackup, actualShouldFSBackup, "Want shouldFSBackup as %t; Got shouldFSBackup as %t", tc.shouldFSBackup, actualShouldFSBackup)
-		})
-	}
-}
--- a/pkg/apis/velero/v1/backupstoragelocation_types.go
+++ b/pkg/apis/velero/v1/backupstoragelocation_types.go
@@ -17,8 +17,6 @@ limitations under the License.
 package v1

 import (
-	"errors"
-
 	corev1api "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -148,15 +146,8 @@ type ObjectStorageLocation struct {
 	Prefix string `json:"prefix,omitempty"`

 	// CACert defines a CA bundle to use when verifying TLS connections to the provider.
-	// Deprecated: Use CACertRef instead.
 	// +optional
 	CACert []byte `json:"caCert,omitempty"`
-
-	// CACertRef is a reference to a Secret containing the CA certificate bundle to use
-	// when verifying TLS connections to the provider. The Secret must be in the same
-	// namespace as the BackupStorageLocation.
-	// +optional
-	CACertRef *corev1api.SecretKeySelector `json:"caCertRef,omitempty"`
 }

 // BackupStorageLocationPhase is the lifecycle phase of a Velero BackupStorageLocation.
@@ -186,13 +177,3 @@ const (

 // TODO(2.0): remove the AccessMode field from BackupStorageLocationStatus.
 // TODO(2.0): remove the LastSyncedRevision field from BackupStorageLocationStatus.
-
-// Validate validates the BackupStorageLocation to ensure that only one of CACert or CACertRef is set.
-func (bsl *BackupStorageLocation) Validate() error {
-	if bsl.Spec.ObjectStorage != nil &&
-		bsl.Spec.ObjectStorage.CACert != nil &&
-		bsl.Spec.ObjectStorage.CACertRef != nil {
-		return errors.New("cannot specify both caCert and caCertRef in objectStorage")
-	}
-	return nil
-}
--- a/pkg/apis/velero/v1/backupstoragelocation_types_test.go
+++ b/pkg/apis/velero/v1/backupstoragelocation_types_test.go
@@ -1,121 +0,0 @@
-/*
-Copyright The Velero Contributors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"testing"
-
-	corev1api "k8s.io/api/core/v1"
-)
-
-func TestBackupStorageLocationValidate(t *testing.T) {
-	tests := []struct {
-		name        string
-		bsl         *BackupStorageLocation
-		expectError bool
-	}{
-		{
-			name: "valid - neither CACert nor CACertRef set",
-			bsl: &BackupStorageLocation{
-				Spec: BackupStorageLocationSpec{
-					StorageType: StorageType{
-						ObjectStorage: &ObjectStorageLocation{
-							Bucket: "test-bucket",
-						},
-					},
-				},
-			},
-			expectError: false,
-		},
-		{
-			name: "valid - only CACert set",
-			bsl: &BackupStorageLocation{
-				Spec: BackupStorageLocationSpec{
-					StorageType: StorageType{
-						ObjectStorage: &ObjectStorageLocation{
-							Bucket: "test-bucket",
-							CACert: []byte("test-cert"),
-						},
-					},
-				},
-			},
-			expectError: false,
-		},
-		{
-			name: "valid - only CACertRef set",
-			bsl: &BackupStorageLocation{
-				Spec: BackupStorageLocationSpec{
-					StorageType: StorageType{
-						ObjectStorage: &ObjectStorageLocation{
-							Bucket: "test-bucket",
-							CACertRef: &corev1api.SecretKeySelector{
-								LocalObjectReference: corev1api.LocalObjectReference{
-									Name: "ca-cert-secret",
-								},
-								Key: "ca.crt",
-							},
-						},
-					},
-				},
-			},
-			expectError: false,
-		},
-		{
-			name: "invalid - both CACert and CACertRef set",
-			bsl: &BackupStorageLocation{
-				Spec: BackupStorageLocationSpec{
-					StorageType: StorageType{
-						ObjectStorage: &ObjectStorageLocation{
-							Bucket: "test-bucket",
-							CACert: []byte("test-cert"),
-							CACertRef: &corev1api.SecretKeySelector{
-								LocalObjectReference: corev1api.LocalObjectReference{
-									Name: "ca-cert-secret",
-								},
-								Key: "ca.crt",
-							},
-						},
-					},
-				},
-			},
-			expectError: true,
-		},
-		{
-			name: "valid - no ObjectStorage",
-			bsl: &BackupStorageLocation{
-				Spec: BackupStorageLocationSpec{
-					StorageType: StorageType{
-						ObjectStorage: nil,
-					},
-				},
-			},
-			expectError: false,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			err := test.bsl.Validate()
-			if test.expectError && err == nil {
-				t.Errorf("expected error but got none")
-			}
-			if !test.expectError && err != nil {
-				t.Errorf("expected no error but got: %v", err)
-			}
-		})
-	}
-}
--- a/pkg/apis/velero/v1/labels_annotations.go
+++ b/pkg/apis/velero/v1/labels_annotations.go
@@ -102,15 +102,6 @@ const (
 	// even if the resource contains a matching selector label.
 	ExcludeFromBackupLabel = "velero.io/exclude-from-backup"

-	// SkipFromBackupAnnotation is the annotation used by internal BackupItemActions
-	// to indicate that a resource should be skipped from backup,
-	// even if it doesn't have the ExcludeFromBackupLabel.
-	// This is used in cases where we want to skip backup of a resource based on some logic in a plugin.
-	//
-	// Notice: SkipFromBackupAnnotation's priority is higher than MustIncludeAdditionalItemAnnotation.
-	// If SkipFromBackupAnnotation is set, the resource will be skipped even if MustIncludeAdditionalItemAnnotation is set.
-	SkipFromBackupAnnotation = "velero.io/skip-from-backup"
-
 	// defaultVGSLabelKey is the default label key used to group PVCs under a VolumeGroupSnapshot
 	DefaultVGSLabelKey = "velero.io/volume-group"

@@ -141,7 +132,6 @@ const (
 	VolumeSnapshotRestoreSize                       = "velero.io/csi-volumesnapshot-restore-size"
 	DriverNameAnnotation                            = "velero.io/csi-driver-name"
 	VSCDeletionPolicyAnnotation                     = "velero.io/csi-vsc-deletion-policy"
-	VolumeGroupSnapshotHandleAnnotation             = "velero.io/csi-volumegroupsnapshot-handle"
 	VolumeSnapshotClassSelectorLabel                = "velero.io/csi-volumesnapshot-class"
 	VolumeSnapshotClassDriverBackupAnnotationPrefix = "velero.io/csi-volumesnapshot-class"
 	VolumeSnapshotClassDriverPVCAnnotation          = "velero.io/csi-volumesnapshot-class"
--- a/pkg/apis/velero/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/velero/v1/zz_generated.deepcopy.go
@@ -915,11 +915,6 @@ func (in *ObjectStorageLocation) DeepCopyInto(out *ObjectStorageLocation) {
 		*out = make([]byte, len(*in))
 		copy(*out, *in)
 	}
-	if in.CACertRef != nil {
-		in, out := &in.CACertRef, &out.CACertRef
-		*out = new(corev1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectStorageLocation.
--- a/pkg/archive/extractor.go
+++ b/pkg/archive/extractor.go
@@ -19,10 +19,8 @@ package archive
 import (
 	"archive/tar"
 	"compress/gzip"
-	"fmt"
 	"io"
 	"path/filepath"
-	"strings"

 	"github.com/sirupsen/logrus"

@@ -68,16 +66,6 @@ func (e *Extractor) writeFile(target string, tarRdr *tar.Reader) error {
 	return nil
 }

-// sanitizeArchivePath sanitizes archive file path from "G305: Zip Slip vulnerability"
-func sanitizeArchivePath(destDir, sourcePath string) (targetPath string, err error) {
-	targetPath = filepath.Join(destDir, sourcePath)
-	if strings.HasPrefix(targetPath, filepath.Clean(destDir)) {
-		return targetPath, nil
-	}
-
-	return "", fmt.Errorf("invalid archive path %q: escapes target directory", sourcePath)
-}
-
 func (e *Extractor) readBackup(tarRdr *tar.Reader) (string, error) {
 	dir, err := e.fs.TempDir("", "")
 	if err != nil {
@@ -96,11 +84,7 @@ func (e *Extractor) readBackup(tarRdr *tar.Reader) (string, error) {
 			return "", err
 		}

-		target, err := sanitizeArchivePath(dir, header.Name)
-		if err != nil {
-			e.log.Infof("error sanitizing archive path: %s", err.Error())
-			return "", err
-		}
+		target := filepath.Join(dir, header.Name) //nolint:gosec // Internal usage. No need to check.

 		switch header.Typeflag {
 		case tar.TypeDir:
--- a/pkg/archive/extractor_test.go
+++ b/pkg/archive/extractor_test.go
@@ -18,7 +18,6 @@ package archive

 import (
 	"archive/tar"
-	"bytes"
 	"compress/gzip"
 	"io"
 	"os"
@@ -88,31 +87,6 @@ func TestUnzipAndExtractBackup(t *testing.T) {
 	}
 }

-func TestUnzipAndExtractBackupRejectsPathTraversal(t *testing.T) {
-	ext := NewExtractor(test.NewLogger(), test.NewFakeFileSystem())
-
-	var buf bytes.Buffer
-	gzw := gzip.NewWriter(&buf)
-	tw := tar.NewWriter(gzw)
-
-	err := tw.WriteHeader(&tar.Header{
-		Name:     "../escape.txt",
-		Mode:     0600,
-		Typeflag: tar.TypeReg,
-		Size:     int64(len("data")),
-	})
-	require.NoError(t, err)
-
-	_, err = tw.Write([]byte("data"))
-	require.NoError(t, err)
-	require.NoError(t, tw.Close())
-	require.NoError(t, gzw.Close())
-
-	_, err = ext.UnzipAndExtractBackup(&buf)
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "invalid archive path")
-}
-
 func createArchive(files []string, fs filesystem.Interface) (string, error) {
 	outName := "output.tar.gz"
 	out, err := fs.Create(outName)
--- a/pkg/backup/actions/backup_pv_action.go
+++ b/pkg/backup/actions/backup_pv_action.go
@@ -76,8 +76,14 @@ func (a *PVCAction) Execute(item runtime.Unstructured, backup *v1.Backup) (runti
 		pvc.Spec.Selector = nil
 	}

-	// Clean stale Velero labels from PVC metadata and selector
-	a.cleanupStaleVeleroLabels(pvc, backup)
+	// remove label selectors with "velero.io/" prefixing in the key which is left by Velero restore
+	if pvc.Spec.Selector != nil && pvc.Spec.Selector.MatchLabels != nil {
+		for k := range pvc.Spec.Selector.MatchLabels {
+			if strings.HasPrefix(k, "velero.io/") {
+				delete(pvc.Spec.Selector.MatchLabels, k)
+			}
+		}
+	}

 	pvcMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&pvc)
 	if err != nil {
@@ -86,50 +92,3 @@ func (a *PVCAction) Execute(item runtime.Unstructured, backup *v1.Backup) (runti

 	return &unstructured.Unstructured{Object: pvcMap}, actionhelpers.RelatedItemsForPVC(pvc, a.log), nil
 }
-
-// cleanupStaleVeleroLabels removes stale Velero labels from both the PVC metadata
-// and the selector's match labels to ensure clean backups
-func (a *PVCAction) cleanupStaleVeleroLabels(pvc *corev1api.PersistentVolumeClaim, backup *v1.Backup) {
-	// Clean stale Velero labels from selector match labels
-	if pvc.Spec.Selector != nil && pvc.Spec.Selector.MatchLabels != nil {
-		for k := range pvc.Spec.Selector.MatchLabels {
-			if strings.HasPrefix(k, "velero.io/") {
-				a.log.Infof("Deleting stale Velero label %s from PVC %s selector", k, pvc.Name)
-				delete(pvc.Spec.Selector.MatchLabels, k)
-			}
-		}
-	}
-
-	// Clean stale Velero labels from main metadata
-	if pvc.Labels != nil {
-		for k, v := range pvc.Labels {
-			// Only remove labels that are clearly stale from previous operations
-			shouldRemove := false
-
-			// Always remove restore-name labels as these are from previous restores
-			if k == v1.RestoreNameLabel {
-				shouldRemove = true
-			}
-
-			if k == v1.MustIncludeAdditionalItemAnnotation {
-				shouldRemove = true
-			}
-
-			// Remove backup-name labels that don't match current backup
-			if k == v1.BackupNameLabel && v != backup.Name {
-				shouldRemove = true
-			}
-
-			// Remove volume-snapshot-name labels from previous CSI backups
-			// Note: If this backup creates new CSI snapshots, the CSI action will add them back
-			if k == v1.VolumeSnapshotLabel {
-				shouldRemove = true
-			}
-
-			if shouldRemove {
-				a.log.Infof("Deleting stale Velero label %s=%s from PVC %s", k, v, pvc.Name)
-				delete(pvc.Labels, k)
-			}
-		}
-	}
-}
--- a/pkg/backup/actions/backup_pv_action_test.go
+++ b/pkg/backup/actions/backup_pv_action_test.go
@@ -149,176 +149,3 @@ func TestBackupPVAction(t *testing.T) {
 	require.NoError(t, err)
 	assert.Empty(t, additional)
 }
-
-func TestCleanupStaleVeleroLabels(t *testing.T) {
-	tests := []struct {
-		name             string
-		inputPVC         *corev1api.PersistentVolumeClaim
-		backup           *v1.Backup
-		expectedLabels   map[string]string
-		expectedSelector *metav1.LabelSelector
-	}{
-		{
-			name: "removes restore-name labels",
-			inputPVC: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test-pvc",
-					Labels: map[string]string{
-						"velero.io/restore-name": "old-restore",
-						"app":                    "myapp",
-					},
-				},
-			},
-			backup: &v1.Backup{ObjectMeta: metav1.ObjectMeta{Name: "current-backup"}},
-			expectedLabels: map[string]string{
-				"app": "myapp",
-			},
-		},
-		{
-			name: "removes backup-name labels that don't match current backup",
-			inputPVC: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test-pvc",
-					Labels: map[string]string{
-						"velero.io/backup-name": "old-backup",
-						"app":                   "myapp",
-					},
-				},
-			},
-			backup: &v1.Backup{ObjectMeta: metav1.ObjectMeta{Name: "current-backup"}},
-			expectedLabels: map[string]string{
-				"app": "myapp",
-			},
-		},
-		{
-			name: "keeps backup-name labels that match current backup",
-			inputPVC: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test-pvc",
-					Labels: map[string]string{
-						"velero.io/backup-name": "current-backup",
-						"app":                   "myapp",
-					},
-				},
-			},
-			backup: &v1.Backup{ObjectMeta: metav1.ObjectMeta{Name: "current-backup"}},
-			expectedLabels: map[string]string{
-				"velero.io/backup-name": "current-backup",
-				"app":                   "myapp",
-			},
-		},
-		{
-			name: "removes volume-snapshot-name labels",
-			inputPVC: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test-pvc",
-					Labels: map[string]string{
-						"velero.io/volume-snapshot-name": "old-snapshot",
-						"app":                            "myapp",
-					},
-				},
-			},
-			backup: &v1.Backup{ObjectMeta: metav1.ObjectMeta{Name: "current-backup"}},
-			expectedLabels: map[string]string{
-				"app": "myapp",
-			},
-		},
-		{
-			name: "removes velero labels from selector match labels",
-			inputPVC: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test-pvc",
-				},
-				Spec: corev1api.PersistentVolumeClaimSpec{
-					Selector: &metav1.LabelSelector{
-						MatchLabels: map[string]string{
-							"velero.io/restore-name": "old-restore",
-							"velero.io/backup-name":  "old-backup",
-							"app":                    "myapp",
-						},
-					},
-				},
-			},
-			backup:         &v1.Backup{ObjectMeta: metav1.ObjectMeta{Name: "current-backup"}},
-			expectedLabels: nil,
-			expectedSelector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{
-					"app": "myapp",
-				},
-			},
-		},
-		{
-			name: "handles PVC with no labels",
-			inputPVC: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test-pvc",
-				},
-			},
-			backup:         &v1.Backup{ObjectMeta: metav1.ObjectMeta{Name: "current-backup"}},
-			expectedLabels: nil,
-		},
-		{
-			name: "handles PVC with no selector",
-			inputPVC: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test-pvc",
-					Labels: map[string]string{
-						"app": "myapp",
-					},
-				},
-			},
-			backup: &v1.Backup{ObjectMeta: metav1.ObjectMeta{Name: "current-backup"}},
-			expectedLabels: map[string]string{
-				"app": "myapp",
-			},
-			expectedSelector: nil,
-		},
-		{
-			name: "removes multiple stale velero labels",
-			inputPVC: &corev1api.PersistentVolumeClaim{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "test-pvc",
-					Labels: map[string]string{
-						"velero.io/restore-name":         "old-restore",
-						"velero.io/backup-name":          "old-backup",
-						"velero.io/volume-snapshot-name": "old-snapshot",
-						"app":                            "myapp",
-						"env":                            "prod",
-					},
-				},
-				Spec: corev1api.PersistentVolumeClaimSpec{
-					Selector: &metav1.LabelSelector{
-						MatchLabels: map[string]string{
-							"velero.io/restore-name": "old-restore",
-							"app":                    "myapp",
-						},
-					},
-				},
-			},
-			backup: &v1.Backup{ObjectMeta: metav1.ObjectMeta{Name: "current-backup"}},
-			expectedLabels: map[string]string{
-				"app": "myapp",
-				"env": "prod",
-			},
-			expectedSelector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{
-					"app": "myapp",
-				},
-			},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			action := NewPVCAction(velerotest.NewLogger())
-
-			// Create a copy of the input PVC to avoid modifying the test case
-			pvcCopy := tc.inputPVC.DeepCopy()
-
-			action.cleanupStaleVeleroLabels(pvcCopy, tc.backup)
-
-			assert.Equal(t, tc.expectedLabels, pvcCopy.Labels, "Labels should match expected values")
-			assert.Equal(t, tc.expectedSelector, pvcCopy.Spec.Selector, "Selector should match expected values")
-		})
-	}
-}
--- a/pkg/backup/actions/csi/pvc_action.go
+++ b/pkg/backup/actions/csi/pvc_action.go
@@ -24,7 +24,7 @@ import (

 	"k8s.io/client-go/util/retry"

-	volumegroupsnapshotv1beta2 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta2"
+	volumegroupsnapshotv1beta1 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1"
 	snapshotv1api "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumesnapshot/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -57,8 +57,6 @@ import (
 	"github.com/vmware-tanzu/velero/pkg/util/boolptr"
 	"github.com/vmware-tanzu/velero/pkg/util/csi"
 	kubeutil "github.com/vmware-tanzu/velero/pkg/util/kube"
-	podvolumeutil "github.com/vmware-tanzu/velero/pkg/util/podvolume"
-	vhutil "github.com/vmware-tanzu/velero/pkg/util/volumehelper"
 )

 // TODO: Replace hardcoded VolumeSnapshot finalizer strings with constants from
@@ -74,14 +72,6 @@ const (
 type pvcBackupItemAction struct {
 	log      logrus.FieldLogger
 	crClient crclient.Client
-
-	// pvcPodCache provides lazy per-namespace caching of PVC-to-Pod mappings.
-	// Since plugin instances are unique per backup (created via newPluginManager and
-	// cleaned up via CleanupClients at backup completion), we can safely cache this
-	// without mutex or backup UID tracking.
-	// This avoids the O(N*M) performance issue when there are many PVCs and pods.
-	// See issue #9179 and PR #9226 for details.
-	pvcPodCache *podvolumeutil.PVCPodCache
 }

 // AppliesTo returns information indicating that the PVCBackupItemAction
@@ -107,59 +97,6 @@ func (p *pvcBackupItemAction) validateBackup(backup velerov1api.Backup) (valid b
 	return true
 }

-// ensurePVCPodCacheForNamespace ensures the PVC-to-Pod cache is built for the given namespace.
-// This uses lazy per-namespace caching following the pattern from PR #9226.
-// Since plugin instances are unique per backup, we can safely cache without mutex or backup UID tracking.
-func (p *pvcBackupItemAction) ensurePVCPodCacheForNamespace(ctx context.Context, namespace string) error {
-	// Initialize cache if needed
-	if p.pvcPodCache == nil {
-		p.pvcPodCache = podvolumeutil.NewPVCPodCache()
-	}
-
-	// Build cache for namespace if not already done
-	if !p.pvcPodCache.IsNamespaceBuilt(namespace) {
-		p.log.Debugf("Building PVC-to-Pod cache for namespace %s", namespace)
-		if err := p.pvcPodCache.BuildCacheForNamespace(ctx, namespace, p.crClient); err != nil {
-			return errors.Wrapf(err, "failed to build PVC-to-Pod cache for namespace %s", namespace)
-		}
-	}
-	return nil
-}
-
-// getVolumeHelperWithCache creates a VolumeHelper using the pre-built PVC-to-Pod cache.
-// The cache should be ensured for the relevant namespace(s) before calling this.
-func (p *pvcBackupItemAction) getVolumeHelperWithCache(backup *velerov1api.Backup) (vhutil.VolumeHelper, error) {
-	// Create VolumeHelper with our lazy-built cache
-	vh, err := volumehelper.NewVolumeHelperWithCache(
-		*backup,
-		p.crClient,
-		p.log,
-		p.pvcPodCache,
-	)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to create VolumeHelper")
-	}
-	return vh, nil
-}
-
-// getOrCreateVolumeHelper returns a VolumeHelper with lazy per-namespace caching.
-// The VolumeHelper uses the pvcPodCache which is populated lazily as namespaces are encountered.
-// Callers should use ensurePVCPodCacheForNamespace before calling methods that need
-// PVC-to-Pod lookups for a specific namespace.
-// Since plugin instances are unique per backup (created via newPluginManager and
-// cleaned up via CleanupClients at backup completion), we can safely cache this.
-// See issue #9179 and PR #9226 for details.
-func (p *pvcBackupItemAction) getOrCreateVolumeHelper(backup *velerov1api.Backup) (vhutil.VolumeHelper, error) {
-	// Initialize the PVC-to-Pod cache if needed
-	if p.pvcPodCache == nil {
-		p.pvcPodCache = podvolumeutil.NewPVCPodCache()
-	}
-
-	// Return the VolumeHelper with our lazily-built cache
-	// The cache will be populated incrementally as namespaces are encountered
-	return p.getVolumeHelperWithCache(backup)
-}
-
 func (p *pvcBackupItemAction) validatePVCandPV(
 	pvc corev1api.PersistentVolumeClaim,
 	item runtime.Unstructured,
@@ -311,20 +248,12 @@ func (p *pvcBackupItemAction) Execute(
 		return item, nil, "", nil, nil
 	}

-	// Ensure PVC-to-Pod cache is built for this namespace (lazy per-namespace caching)
-	if err := p.ensurePVCPodCacheForNamespace(context.TODO(), pvc.Namespace); err != nil {
-		return nil, nil, "", nil, err
-	}
-
-	// Get or create the cached VolumeHelper for this backup
-	vh, err := p.getOrCreateVolumeHelper(backup)
-	if err != nil {
-		return nil, nil, "", nil, err
-	}
-
-	shouldSnapshot, err := vh.ShouldPerformSnapshot(
+	shouldSnapshot, err := volumehelper.ShouldPerformSnapshotWithBackup(
 		item,
 		kuberesource.PersistentVolumeClaims,
+		*backup,
+		p.crClient,
+		p.log,
 	)
 	if err != nil {
 		return nil, nil, "", nil, err
@@ -467,7 +396,7 @@ func (p *pvcBackupItemAction) Progress(
 		return progress, biav2.InvalidOperationIDError(operationID)
 	}

-	dataUpload, err := getDataUpload(context.Background(), p.crClient, backup.Namespace, operationID)
+	dataUpload, err := getDataUpload(context.Background(), p.crClient, operationID)
 	if err != nil {
 		p.log.Errorf(
 			"fail to get DataUpload for backup %s/%s by operation ID %s: %s",
@@ -512,7 +441,7 @@ func (p *pvcBackupItemAction) Cancel(operationID string, backup *velerov1api.Bac
 		return biav2.InvalidOperationIDError(operationID)
 	}

-	dataUpload, err := getDataUpload(context.Background(), p.crClient, backup.Namespace, operationID)
+	dataUpload, err := getDataUpload(context.Background(), p.crClient, operationID)
 	if err != nil {
 		p.log.Errorf(
 			"fail to get DataUpload for backup %s/%s: %s",
@@ -605,12 +534,10 @@ func createDataUpload(
 func getDataUpload(
 	ctx context.Context,
 	crClient crclient.Client,
-	namespace string,
 	operationID string,
 ) (*velerov2alpha1.DataUpload, error) {
 	dataUploadList := new(velerov2alpha1.DataUploadList)
 	err := crClient.List(ctx, dataUploadList, &crclient.ListOptions{
-		Namespace: namespace,
 		LabelSelector: labels.SelectorFromSet(
 			map[string]string{velerov1api.AsyncOperationIDLabel: operationID},
 		),
@@ -694,19 +621,8 @@ func (p *pvcBackupItemAction) getVolumeSnapshotReference(
 			return nil, errors.Wrapf(err, "failed to list PVCs in VolumeGroupSnapshot group %q in namespace %q", group, pvc.Namespace)
 		}

-		// Ensure PVC-to-Pod cache is built for this namespace (lazy per-namespace caching)
-		if err := p.ensurePVCPodCacheForNamespace(ctx, pvc.Namespace); err != nil {
-			return nil, errors.Wrapf(err, "failed to build PVC-to-Pod cache for namespace %s", pvc.Namespace)
-		}
-
-		// Get the cached VolumeHelper for filtering PVCs by volume policy
-		vh, err := p.getOrCreateVolumeHelper(backup)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to get VolumeHelper for filtering PVCs in group %q", group)
-		}
-
 		// Filter PVCs by volume policy
-		filteredPVCs, err := p.filterPVCsByVolumePolicy(groupedPVCs, vh)
+		filteredPVCs, err := p.filterPVCsByVolumePolicy(groupedPVCs, backup)
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to filter PVCs by volume policy for VolumeGroupSnapshot group %q", group)
 		}
@@ -767,7 +683,7 @@ func (p *pvcBackupItemAction) getVolumeSnapshotReference(
 		}

 		// Re-fetch latest VGS to ensure status is populated after VGSC binding
-		latestVGS := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{}
+		latestVGS := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{}
 		if err := p.crClient.Get(ctx, crclient.ObjectKeyFromObject(newVGS), latestVGS); err != nil {
 			return nil, errors.Wrapf(err, "failed to re-fetch VolumeGroupSnapshot %s after VGSC binding wait", newVGS.Name)
 		}
@@ -842,12 +758,12 @@ func (p *pvcBackupItemAction) listGroupedPVCs(ctx context.Context, namespace, la

 func (p *pvcBackupItemAction) filterPVCsByVolumePolicy(
 	pvcs []corev1api.PersistentVolumeClaim,
-	vh vhutil.VolumeHelper,
+	backup *velerov1api.Backup,
 ) ([]corev1api.PersistentVolumeClaim, error) {
 	var filteredPVCs []corev1api.PersistentVolumeClaim

 	for _, pvc := range pvcs {
-		// Convert PVC to unstructured for ShouldPerformSnapshotWithVolumeHelper
+		// Convert PVC to unstructured for ShouldPerformSnapshotWithBackup
 		pvcMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&pvc)
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to convert PVC %s/%s to unstructured", pvc.Namespace, pvc.Name)
@@ -855,10 +771,12 @@ func (p *pvcBackupItemAction) filterPVCsByVolumePolicy(
 		unstructuredPVC := &unstructured.Unstructured{Object: pvcMap}

 		// Check if this PVC should be snapshotted according to volume policies
-		// Uses the cached VolumeHelper for better performance with many PVCs/pods
-		shouldSnapshot, err := vh.ShouldPerformSnapshot(
+		shouldSnapshot, err := volumehelper.ShouldPerformSnapshotWithBackup(
 			unstructuredPVC,
 			kuberesource.PersistentVolumeClaims,
+			*backup,
+			p.crClient,
+			p.log,
 		)
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to check volume policy for PVC %s/%s", pvc.Namespace, pvc.Name)
@@ -915,7 +833,7 @@ func (p *pvcBackupItemAction) determineVGSClass(
 	}

 	// 3. Fallback to label-based default
-	vgsClassList := &volumegroupsnapshotv1beta2.VolumeGroupSnapshotClassList{}
+	vgsClassList := &volumegroupsnapshotv1beta1.VolumeGroupSnapshotClassList{}
 	if err := p.crClient.List(ctx, vgsClassList); err != nil {
 		return "", errors.Wrap(err, "failed to list VolumeGroupSnapshotClasses")
 	}
@@ -944,22 +862,22 @@ func (p *pvcBackupItemAction) createVolumeGroupSnapshot(
 	backup *velerov1api.Backup,
 	pvc corev1api.PersistentVolumeClaim,
 	vgsLabelKey, vgsLabelValue, vgsClassName string,
-) (*volumegroupsnapshotv1beta2.VolumeGroupSnapshot, error) {
+) (*volumegroupsnapshotv1beta1.VolumeGroupSnapshot, error) {
 	vgsLabels := map[string]string{
 		velerov1api.BackupNameLabel: label.GetValidName(backup.Name),
 		velerov1api.BackupUIDLabel:  string(backup.UID),
 		vgsLabelKey:                 vgsLabelValue,
 	}

-	vgs := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{
+	vgs := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: fmt.Sprintf("velero-%s-", vgsLabelValue),
 			Namespace:    pvc.Namespace,
 			Labels:       vgsLabels,
 		},
-		Spec: volumegroupsnapshotv1beta2.VolumeGroupSnapshotSpec{
+		Spec: volumegroupsnapshotv1beta1.VolumeGroupSnapshotSpec{
 			VolumeGroupSnapshotClassName: &vgsClassName,
-			Source: volumegroupsnapshotv1beta2.VolumeGroupSnapshotSource{
+			Source: volumegroupsnapshotv1beta1.VolumeGroupSnapshotSource{
 				Selector: &metav1.LabelSelector{
 					MatchLabels: map[string]string{
 						vgsLabelKey: vgsLabelValue,
@@ -987,7 +905,7 @@ func (p *pvcBackupItemAction) createVolumeGroupSnapshot(
 func (p *pvcBackupItemAction) waitForVGSAssociatedVS(
 	ctx context.Context,
 	groupedPVCs []corev1api.PersistentVolumeClaim,
-	vgs *volumegroupsnapshotv1beta2.VolumeGroupSnapshot,
+	vgs *volumegroupsnapshotv1beta1.VolumeGroupSnapshot,
 	timeout time.Duration,
 ) (map[string]*snapshotv1api.VolumeSnapshot, error) {
 	expected := len(groupedPVCs)
@@ -1030,10 +948,10 @@ func (p *pvcBackupItemAction) waitForVGSAssociatedVS(
 	return vsMap, nil
 }

-func hasOwnerReference(obj metav1.Object, vgs *volumegroupsnapshotv1beta2.VolumeGroupSnapshot) bool {
+func hasOwnerReference(obj metav1.Object, vgs *volumegroupsnapshotv1beta1.VolumeGroupSnapshot) bool {
 	for _, ref := range obj.GetOwnerReferences() {
 		if ref.Kind == kuberesource.VGSKind &&
-			ref.APIVersion == volumegroupsnapshotv1beta2.GroupName+"/"+volumegroupsnapshotv1beta2.SchemeGroupVersion.Version &&
+			ref.APIVersion == volumegroupsnapshotv1beta1.GroupName+"/"+volumegroupsnapshotv1beta1.SchemeGroupVersion.Version &&
 			ref.UID == vgs.UID {
 			return true
 		}
@@ -1044,7 +962,7 @@ func hasOwnerReference(obj metav1.Object, vgs *volumegroupsnapshotv1beta2.Volume
 func (p *pvcBackupItemAction) updateVGSCreatedVS(
 	ctx context.Context,
 	vsMap map[string]*snapshotv1api.VolumeSnapshot,
-	vgs *volumegroupsnapshotv1beta2.VolumeGroupSnapshot,
+	vgs *volumegroupsnapshotv1beta1.VolumeGroupSnapshot,
 	backup *velerov1api.Backup,
 ) error {
 	for pvcName, vs := range vsMap {
@@ -1087,7 +1005,7 @@ func (p *pvcBackupItemAction) updateVGSCreatedVS(
 	return nil
 }

-func (p *pvcBackupItemAction) patchVGSCDeletionPolicy(ctx context.Context, vgs *volumegroupsnapshotv1beta2.VolumeGroupSnapshot) error {
+func (p *pvcBackupItemAction) patchVGSCDeletionPolicy(ctx context.Context, vgs *volumegroupsnapshotv1beta1.VolumeGroupSnapshot) error {
 	if vgs == nil || vgs.Status == nil || vgs.Status.BoundVolumeGroupSnapshotContentName == nil {
 		return errors.New("VolumeGroupSnapshotContent name not found in VGS status")
 	}
@@ -1095,7 +1013,7 @@ func (p *pvcBackupItemAction) patchVGSCDeletionPolicy(ctx context.Context, vgs *
 	vgscName := vgs.Status.BoundVolumeGroupSnapshotContentName

 	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
-		vgsc := &volumegroupsnapshotv1beta2.VolumeGroupSnapshotContent{}
+		vgsc := &volumegroupsnapshotv1beta1.VolumeGroupSnapshotContent{}
 		if err := p.crClient.Get(ctx, crclient.ObjectKey{Name: *vgscName}, vgsc); err != nil {
 			return errors.Wrapf(err, "failed to get VolumeGroupSnapshotContent %s for VolumeGroupSnapshot %s/%s", *vgscName, vgs.Namespace, vgs.Name)
 		}
@@ -1114,9 +1032,9 @@ func (p *pvcBackupItemAction) patchVGSCDeletionPolicy(ctx context.Context, vgs *
 	})
 }

-func (p *pvcBackupItemAction) deleteVGSAndVGSC(ctx context.Context, vgs *volumegroupsnapshotv1beta2.VolumeGroupSnapshot) error {
+func (p *pvcBackupItemAction) deleteVGSAndVGSC(ctx context.Context, vgs *volumegroupsnapshotv1beta1.VolumeGroupSnapshot) error {
 	if vgs.Status != nil && vgs.Status.BoundVolumeGroupSnapshotContentName != nil {
-		vgsc := &volumegroupsnapshotv1beta2.VolumeGroupSnapshotContent{
+		vgsc := &volumegroupsnapshotv1beta1.VolumeGroupSnapshotContent{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: *vgs.Status.BoundVolumeGroupSnapshotContentName,
 			},
@@ -1141,11 +1059,11 @@ func (p *pvcBackupItemAction) deleteVGSAndVGSC(ctx context.Context, vgs *volumeg

 func (p *pvcBackupItemAction) waitForVGSCBinding(
 	ctx context.Context,
-	vgs *volumegroupsnapshotv1beta2.VolumeGroupSnapshot,
+	vgs *volumegroupsnapshotv1beta1.VolumeGroupSnapshot,
 	timeout time.Duration,
 ) error {
 	return wait.PollUntilContextTimeout(ctx, time.Second, timeout, true, func(ctx context.Context) (bool, error) {
-		vgsRef := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{}
+		vgsRef := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{}
 		if err := p.crClient.Get(ctx, crclient.ObjectKeyFromObject(vgs), vgsRef); err != nil {
 			return false, err
 		}
@@ -1158,8 +1076,8 @@ func (p *pvcBackupItemAction) waitForVGSCBinding(
 	})
 }

-func (p *pvcBackupItemAction) getVGSByLabels(ctx context.Context, namespace string, labels map[string]string) (*volumegroupsnapshotv1beta2.VolumeGroupSnapshot, error) {
-	vgsList := &volumegroupsnapshotv1beta2.VolumeGroupSnapshotList{}
+func (p *pvcBackupItemAction) getVGSByLabels(ctx context.Context, namespace string, labels map[string]string) (*volumegroupsnapshotv1beta1.VolumeGroupSnapshot, error) {
+	vgsList := &volumegroupsnapshotv1beta1.VolumeGroupSnapshotList{}
 	if err := p.crClient.List(ctx, vgsList,
 		crclient.InNamespace(namespace),
 		crclient.MatchingLabels(labels),
--- a/pkg/backup/actions/csi/pvc_action_test.go
+++ b/pkg/backup/actions/csi/pvc_action_test.go
@@ -25,7 +25,7 @@ import (

 	"github.com/vmware-tanzu/velero/pkg/kuberesource"

-	volumegroupsnapshotv1beta2 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta2"
+	volumegroupsnapshotv1beta1 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1"
 	"github.com/stretchr/testify/assert"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
@@ -307,28 +307,6 @@ func TestProgress(t *testing.T) {
 			operationID: "testing",
 			expectedErr: "not found DataUpload for operationID testing",
 		},
-		{
-			name:   "DataUpload in different namespace is not found",
-			backup: builder.ForBackup("velero", "test").Result(),
-			dataUpload: &velerov2alpha1.DataUpload{
-				TypeMeta: metav1.TypeMeta{
-					Kind:       "DataUpload",
-					APIVersion: "v2alpha1",
-				},
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "other-namespace",
-					Name:      "testing",
-					Labels: map[string]string{
-						velerov1api.AsyncOperationIDLabel: "testing",
-					},
-				},
-				Status: velerov2alpha1.DataUploadStatus{
-					Phase: velerov2alpha1.DataUploadPhaseFailed,
-				},
-			},
-			operationID: "testing",
-			expectedErr: "not found DataUpload for operationID testing",
-		},
 		{
 			name:   "DataUpload is found",
 			backup: builder.ForBackup("velero", "test").Result(),
@@ -397,15 +375,15 @@ func TestCancel(t *testing.T) {
 	tests := []struct {
 		name               string
 		backup             *velerov1api.Backup
-		dataUpload         *velerov2alpha1.DataUpload
+		dataUpload         velerov2alpha1.DataUpload
 		operationID        string
-		expectedErr        string
+		expectedErr        error
 		expectedDataUpload velerov2alpha1.DataUpload
 	}{
 		{
 			name:   "Cancel DataUpload",
 			backup: builder.ForBackup("velero", "test").Result(),
-			dataUpload: &velerov2alpha1.DataUpload{
+			dataUpload: velerov2alpha1.DataUpload{
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "DataUpload",
 					APIVersion: velerov2alpha1.SchemeGroupVersion.String(),
@@ -436,31 +414,6 @@ func TestCancel(t *testing.T) {
 				},
 			},
 		},
-		{
-			name:        "DataUpload cannot be found",
-			backup:      builder.ForBackup("velero", "test").Result(),
-			operationID: "testing",
-			expectedErr: "not found DataUpload for operationID testing",
-		},
-		{
-			name:   "DataUpload in different namespace is not found",
-			backup: builder.ForBackup("velero", "test").Result(),
-			dataUpload: &velerov2alpha1.DataUpload{
-				TypeMeta: metav1.TypeMeta{
-					Kind:       "DataUpload",
-					APIVersion: velerov2alpha1.SchemeGroupVersion.String(),
-				},
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "other-namespace",
-					Name:      "testing",
-					Labels: map[string]string{
-						velerov1api.AsyncOperationIDLabel: "testing",
-					},
-				},
-			},
-			operationID: "testing",
-			expectedErr: "not found DataUpload for operationID testing",
-		},
 	}

 	for _, tc := range tests {
@@ -473,23 +426,17 @@ func TestCancel(t *testing.T) {
 				crClient: crClient,
 			}

-			if tc.dataUpload != nil {
-				err := crClient.Create(t.Context(), tc.dataUpload)
-				require.NoError(t, err)
-			}
+			err := crClient.Create(t.Context(), &tc.dataUpload)
+			require.NoError(t, err)

-			err := pvcBIA.Cancel(tc.operationID, tc.backup)
-			if tc.expectedErr != "" {
-				require.EqualError(t, err, tc.expectedErr)
-			} else {
-				require.NoError(t, err)
+			err = pvcBIA.Cancel(tc.operationID, tc.backup)
+			require.NoError(t, err)

-				du := new(velerov2alpha1.DataUpload)
-				err = crClient.Get(t.Context(), crclient.ObjectKey{Namespace: tc.dataUpload.Namespace, Name: tc.dataUpload.Name}, du)
-				require.NoError(t, err)
+			du := new(velerov2alpha1.DataUpload)
+			err = crClient.Get(t.Context(), crclient.ObjectKey{Namespace: tc.dataUpload.Namespace, Name: tc.dataUpload.Name}, du)
+			require.NoError(t, err)

-				require.True(t, cmp.Equal(tc.expectedDataUpload, *du, cmpopts.IgnoreFields(velerov2alpha1.DataUpload{}, "ResourceVersion")))
-			}
+			require.True(t, cmp.Equal(tc.expectedDataUpload, *du, cmpopts.IgnoreFields(velerov2alpha1.DataUpload{}, "ResourceVersion")))
 		})
 	}
 }
@@ -895,13 +842,7 @@ volumePolicies:
 				crClient: client,
 			}

-			// Create a VolumeHelper using the same method the plugin would use
-			vh, err := action.getOrCreateVolumeHelper(backup)
-			require.NoError(t, err)
-			require.NotNil(t, vh)
-
-			// Test with the pre-created VolumeHelper
-			result, err := action.filterPVCsByVolumePolicy(tt.pvcs, vh)
+			result, err := action.filterPVCsByVolumePolicy(tt.pvcs, backup)
 			if tt.expectError {
 				require.Error(t, err)
 			} else {
@@ -919,111 +860,6 @@ volumePolicies:
 	}
 }

-// TestFilterPVCsByVolumePolicyWithVolumeHelper tests filterPVCsByVolumePolicy when a
-// pre-created VolumeHelper is passed (non-nil). This exercises the cached path used
-// by the CSI PVC BIA plugin for better performance.
-func TestFilterPVCsByVolumePolicyWithVolumeHelper(t *testing.T) {
-	// Create test PVCs and PVs
-	pvcs := []corev1api.PersistentVolumeClaim{
-		{
-			ObjectMeta: metav1.ObjectMeta{Name: "pvc-csi", Namespace: "ns-1"},
-			Spec: corev1api.PersistentVolumeClaimSpec{
-				VolumeName:       "pv-csi",
-				StorageClassName: pointer.String("sc-csi"),
-			},
-			Status: corev1api.PersistentVolumeClaimStatus{Phase: corev1api.ClaimBound},
-		},
-		{
-			ObjectMeta: metav1.ObjectMeta{Name: "pvc-nfs", Namespace: "ns-1"},
-			Spec: corev1api.PersistentVolumeClaimSpec{
-				VolumeName:       "pv-nfs",
-				StorageClassName: pointer.String("sc-nfs"),
-			},
-			Status: corev1api.PersistentVolumeClaimStatus{Phase: corev1api.ClaimBound},
-		},
-	}
-
-	pvs := []corev1api.PersistentVolume{
-		{
-			ObjectMeta: metav1.ObjectMeta{Name: "pv-csi"},
-			Spec: corev1api.PersistentVolumeSpec{
-				PersistentVolumeSource: corev1api.PersistentVolumeSource{
-					CSI: &corev1api.CSIPersistentVolumeSource{Driver: "csi-driver"},
-				},
-			},
-		},
-		{
-			ObjectMeta: metav1.ObjectMeta{Name: "pv-nfs"},
-			Spec: corev1api.PersistentVolumeSpec{
-				PersistentVolumeSource: corev1api.PersistentVolumeSource{
-					NFS: &corev1api.NFSVolumeSource{
-						Server: "nfs-server",
-						Path:   "/export",
-					},
-				},
-			},
-		},
-	}
-
-	// Create fake client with PVs
-	objs := []runtime.Object{}
-	for i := range pvs {
-		objs = append(objs, &pvs[i])
-	}
-	client := velerotest.NewFakeControllerRuntimeClient(t, objs...)
-
-	// Create backup with volume policy that skips NFS volumes
-	volumePolicyStr := `
-version: v1
-volumePolicies:
- conditions:
-    nfs: {}
-  action:
-    type: skip
-`
-	cm := &corev1api.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "volume-policy",
-			Namespace: "velero",
-		},
-		Data: map[string]string{
-			"volume-policy": volumePolicyStr,
-		},
-	}
-	require.NoError(t, client.Create(t.Context(), cm))
-
-	backup := &velerov1api.Backup{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-backup",
-			Namespace: "velero",
-		},
-		Spec: velerov1api.BackupSpec{
-			ResourcePolicy: &corev1api.TypedLocalObjectReference{
-				Kind: "ConfigMap",
-				Name: "volume-policy",
-			},
-		},
-	}
-
-	action := &pvcBackupItemAction{
-		log:      velerotest.NewLogger(),
-		crClient: client,
-	}
-
-	// Create a VolumeHelper using the same method the plugin would use
-	vh, err := action.getOrCreateVolumeHelper(backup)
-	require.NoError(t, err)
-	require.NotNil(t, vh)
-
-	// Test with the pre-created VolumeHelper (non-nil path)
-	result, err := action.filterPVCsByVolumePolicy(pvcs, vh)
-	require.NoError(t, err)
-
-	// Should filter out the NFS PVC, leaving only the CSI PVC
-	require.Len(t, result, 1)
-	require.Equal(t, "pvc-csi", result[0].Name)
-}
-
 func TestDetermineCSIDriver(t *testing.T) {
 	tests := []struct {
 		name           string
@@ -1174,7 +1010,7 @@ func TestDetermineVGSClass(t *testing.T) {
 		name             string
 		backup           *velerov1api.Backup
 		pvc              *corev1api.PersistentVolumeClaim
-		existingVGSClass []volumegroupsnapshotv1beta2.VolumeGroupSnapshotClass
+		existingVGSClass []volumegroupsnapshotv1beta1.VolumeGroupSnapshotClass
 		expectError      bool
 		expectResult     string
 	}{
@@ -1206,7 +1042,7 @@ func TestDetermineVGSClass(t *testing.T) {
 			name:   "Default label-based match",
 			pvc:    &corev1api.PersistentVolumeClaim{},
 			backup: &velerov1api.Backup{},
-			existingVGSClass: []volumegroupsnapshotv1beta2.VolumeGroupSnapshotClass{
+			existingVGSClass: []volumegroupsnapshotv1beta1.VolumeGroupSnapshotClass{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:   "default-class",
@@ -1227,7 +1063,7 @@ func TestDetermineVGSClass(t *testing.T) {
 			name:   "Multiple matching VGS classes",
 			pvc:    &corev1api.PersistentVolumeClaim{},
 			backup: &velerov1api.Backup{},
-			existingVGSClass: []volumegroupsnapshotv1beta2.VolumeGroupSnapshotClass{
+			existingVGSClass: []volumegroupsnapshotv1beta1.VolumeGroupSnapshotClass{
 				{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:   "class1",
@@ -1257,7 +1093,7 @@ func TestDetermineVGSClass(t *testing.T) {

 			client := velerotest.NewFakeControllerRuntimeClient(t, initObjs...)
 			logger := logrus.New()
-			require.NoError(t, volumegroupsnapshotv1beta2.AddToScheme(client.Scheme()))
+			require.NoError(t, volumegroupsnapshotv1beta1.AddToScheme(client.Scheme()))

 			action := &pvcBackupItemAction{crClient: client, log: logger}

@@ -1316,13 +1152,13 @@ func TestCreateVolumeGroupSnapshot(t *testing.T) {
 	assert.Equal(t, string(testBackup.UID), vgs.Labels[velerov1api.BackupUIDLabel])

 	// Check that it exists in fake client
-	retrieved := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{}
+	retrieved := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{}
 	err = crClient.Get(t.Context(), crclient.ObjectKey{Name: vgs.Name, Namespace: vgs.Namespace}, retrieved)
 	require.NoError(t, err)
 }

 func TestWaitForVGSAssociatedVS(t *testing.T) {
-	vgs := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{
+	vgs := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-vgs",
 			Namespace: "test-ns",
@@ -1335,7 +1171,7 @@ func TestWaitForVGSAssociatedVS(t *testing.T) {
 		if owned {
 			refs = []metav1.OwnerReference{
 				{
-					APIVersion: "groupsnapshot.storage.k8s.io/v1beta2",
+					APIVersion: "groupsnapshot.storage.k8s.io/v1beta1",
 					Kind:       "VolumeGroupSnapshot",
 					Name:       vgs.Name,
 					UID:        vgs.UID,
@@ -1482,7 +1318,7 @@ func TestUpdateVGSCreatedVS(t *testing.T) {
 		},
 	}

-	vgs := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{
+	vgs := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-vgs",
 			Namespace: "ns",
@@ -1495,7 +1331,7 @@ func TestUpdateVGSCreatedVS(t *testing.T) {
 		if withVGSOwner {
 			refs = []metav1.OwnerReference{
 				{
-					APIVersion: "groupsnapshot.storage.k8s.io/v1beta2",
+					APIVersion: "groupsnapshot.storage.k8s.io/v1beta1",
 					Kind:       "VolumeGroupSnapshot",
 					Name:       vgs.Name,
 					UID:        vgs.UID,
@@ -1614,18 +1450,18 @@ func TestPatchVGSCDeletionPolicy(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			vgsc := &volumegroupsnapshotv1beta2.VolumeGroupSnapshotContent{
+			vgsc := &volumegroupsnapshotv1beta1.VolumeGroupSnapshotContent{
 				ObjectMeta: metav1.ObjectMeta{Name: "test-vgsc"},
-				Spec: volumegroupsnapshotv1beta2.VolumeGroupSnapshotContentSpec{
+				Spec: volumegroupsnapshotv1beta1.VolumeGroupSnapshotContentSpec{
 					DeletionPolicy: tt.initialPolicy,
 				},
 			}
-			vgs := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{
+			vgs := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-vgs",
 					Namespace: "ns",
 				},
-				Status: &volumegroupsnapshotv1beta2.VolumeGroupSnapshotStatus{
+				Status: &volumegroupsnapshotv1beta1.VolumeGroupSnapshotStatus{
 					BoundVolumeGroupSnapshotContentName: pointer.String("test-vgsc"),
 				},
 			}
@@ -1643,7 +1479,7 @@ func TestPatchVGSCDeletionPolicy(t *testing.T) {
 			}
 			require.NoError(t, err)

-			updated := &volumegroupsnapshotv1beta2.VolumeGroupSnapshotContent{}
+			updated := &volumegroupsnapshotv1beta1.VolumeGroupSnapshotContent{}
 			err = client.Get(t.Context(), crclient.ObjectKey{Name: "test-vgsc"}, updated)
 			require.NoError(t, err)
 			require.Equal(t, tt.expectedPolicy, updated.Spec.DeletionPolicy)
@@ -1652,20 +1488,20 @@ func TestPatchVGSCDeletionPolicy(t *testing.T) {
 }

 func TestDeleteVGSAndVGSC(t *testing.T) {
-	makeVGS := func(name, namespace string, boundVGSCName *string) *volumegroupsnapshotv1beta2.VolumeGroupSnapshot {
-		return &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{
+	makeVGS := func(name, namespace string, boundVGSCName *string) *volumegroupsnapshotv1beta1.VolumeGroupSnapshot {
+		return &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
 			},
-			Status: &volumegroupsnapshotv1beta2.VolumeGroupSnapshotStatus{
+			Status: &volumegroupsnapshotv1beta1.VolumeGroupSnapshotStatus{
 				BoundVolumeGroupSnapshotContentName: boundVGSCName,
 			},
 		}
 	}

-	makeVGSC := func(name string) *volumegroupsnapshotv1beta2.VolumeGroupSnapshotContent {
-		return &volumegroupsnapshotv1beta2.VolumeGroupSnapshotContent{
+	makeVGSC := func(name string) *volumegroupsnapshotv1beta1.VolumeGroupSnapshotContent {
+		return &volumegroupsnapshotv1beta1.VolumeGroupSnapshotContent{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: name,
 			},
@@ -1674,8 +1510,8 @@ func TestDeleteVGSAndVGSC(t *testing.T) {

 	tests := []struct {
 		name             string
-		vgs              *volumegroupsnapshotv1beta2.VolumeGroupSnapshot
-		existingVGSC     *volumegroupsnapshotv1beta2.VolumeGroupSnapshotContent
+		vgs              *volumegroupsnapshotv1beta1.VolumeGroupSnapshot
+		existingVGSC     *volumegroupsnapshotv1beta1.VolumeGroupSnapshotContent
 		expectVGSCDelete bool
 		expectVGSDelete  bool
 	}{
@@ -1721,13 +1557,13 @@ func TestDeleteVGSAndVGSC(t *testing.T) {

 			// Check VGSC is deleted
 			if tt.expectVGSCDelete {
-				got := &volumegroupsnapshotv1beta2.VolumeGroupSnapshotContent{}
+				got := &volumegroupsnapshotv1beta1.VolumeGroupSnapshotContent{}
 				err = client.Get(t.Context(), crclient.ObjectKey{Name: "test-vgsc"}, got)
 				assert.True(t, apierrors.IsNotFound(err), "expected VGSC to be deleted")
 			}

 			// Check VGS is deleted
-			gotVGS := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{}
+			gotVGS := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{}
 			err = client.Get(t.Context(), crclient.ObjectKey{Name: "test-vgs", Namespace: "ns"}, gotVGS)
 			assert.True(t, apierrors.IsNotFound(err), "expected VGS to be deleted")
 		})
@@ -1822,8 +1658,8 @@ func TestFindExistingVSForBackup(t *testing.T) {
 }

 func TestWaitForVGSCBinding(t *testing.T) {
-	makeVGS := func(name string, withStatus bool) *volumegroupsnapshotv1beta2.VolumeGroupSnapshot {
-		vgs := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{
+	makeVGS := func(name string, withStatus bool) *volumegroupsnapshotv1beta1.VolumeGroupSnapshot {
+		vgs := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: "ns",
@@ -1831,7 +1667,7 @@ func TestWaitForVGSCBinding(t *testing.T) {
 		}
 		if withStatus {
 			contentName := "vgsc-123"
-			vgs.Status = &volumegroupsnapshotv1beta2.VolumeGroupSnapshotStatus{
+			vgs.Status = &volumegroupsnapshotv1beta1.VolumeGroupSnapshotStatus{
 				BoundVolumeGroupSnapshotContentName: &contentName,
 			}
 		}
@@ -1840,7 +1676,7 @@ func TestWaitForVGSCBinding(t *testing.T) {

 	tests := []struct {
 		name      string
-		vgs       *volumegroupsnapshotv1beta2.VolumeGroupSnapshot
+		vgs       *volumegroupsnapshotv1beta1.VolumeGroupSnapshot
 		expectErr bool
 	}{
 		{
@@ -1883,8 +1719,8 @@ func TestGetVGSByLabels(t *testing.T) {
 	labelVal := "backup-123"
 	testLabels := map[string]string{labelKey: labelVal}

-	makeVGS := func(name string, labels map[string]string) *volumegroupsnapshotv1beta2.VolumeGroupSnapshot {
-		return &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{
+	makeVGS := func(name string, labels map[string]string) *volumegroupsnapshotv1beta1.VolumeGroupSnapshot {
+		return &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: "test-ns",
@@ -1969,7 +1805,7 @@ func (f *failingClient) List(ctx context.Context, list crclient.ObjectList, opts
 }

 func TestHasOwnerReference(t *testing.T) {
-	vgs := &volumegroupsnapshotv1beta2.VolumeGroupSnapshot{
+	vgs := &volumegroupsnapshotv1beta1.VolumeGroupSnapshot{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-vgs",
 			Namespace: "test-ns",
@@ -1986,7 +1822,7 @@ func TestHasOwnerReference(t *testing.T) {
 			name: "match kind, apiversion, uid",
 			ownerRef: metav1.OwnerReference{
 				Kind:       kuberesource.VGSKind,
-				APIVersion: volumegroupsnapshotv1beta2.GroupName + "/" + volumegroupsnapshotv1beta2.SchemeGroupVersion.Version,
+				APIVersion: volumegroupsnapshotv1beta1.GroupName + "/" + volumegroupsnapshotv1beta1.SchemeGroupVersion.Version,
 				UID:        vgs.UID,
 			},
 			expect: true,
@@ -1995,7 +1831,7 @@ func TestHasOwnerReference(t *testing.T) {
 			name: "mismatch kind",
 			ownerRef: metav1.OwnerReference{
 				Kind:       "other-kind",
-				APIVersion: volumegroupsnapshotv1beta2.GroupName + "/" + volumegroupsnapshotv1beta2.SchemeGroupVersion.Version,
+				APIVersion: volumegroupsnapshotv1beta1.GroupName + "/" + volumegroupsnapshotv1beta1.SchemeGroupVersion.Version,
 				UID:        vgs.UID,
 			},
 			expect: false,
@@ -2013,7 +1849,7 @@ func TestHasOwnerReference(t *testing.T) {
 			name: "mismatch uid",
 			ownerRef: metav1.OwnerReference{
 				Kind:       kuberesource.VGSKind,
-				APIVersion: volumegroupsnapshotv1beta2.GroupName + "/" + volumegroupsnapshotv1beta2.SchemeGroupVersion.Version,
+				APIVersion: volumegroupsnapshotv1beta1.GroupName + "/" + volumegroupsnapshotv1beta1.SchemeGroupVersion.Version,
 				UID:        "wrong-uid",
 			},
 			expect: false,
@@ -2123,42 +1959,3 @@ func TestPVCRequestSize(t *testing.T) {
 		})
 	}
 }
-
-// TestGetOrCreateVolumeHelper tests the VolumeHelper and PVC-to-Pod cache behavior.
-// Since plugin instances are unique per backup (created via newPluginManager and
-// cleaned up via CleanupClients at backup completion), we verify that the pvcPodCache
-// is properly initialized and reused across calls.
-func TestGetOrCreateVolumeHelper(t *testing.T) {
-	client := velerotest.NewFakeControllerRuntimeClient(t)
-	action := &pvcBackupItemAction{
-		log:      velerotest.NewLogger(),
-		crClient: client,
-	}
-	backup := &velerov1api.Backup{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-backup",
-			Namespace: "velero",
-			UID:       types.UID("test-uid-1"),
-		},
-	}
-
-	// Initially, pvcPodCache should be nil
-	require.Nil(t, action.pvcPodCache, "pvcPodCache should be nil initially")
-
-	// Get VolumeHelper first time - should create new cache and VolumeHelper
-	vh1, err := action.getOrCreateVolumeHelper(backup)
-	require.NoError(t, err)
-	require.NotNil(t, vh1)
-
-	// pvcPodCache should now be initialized
-	require.NotNil(t, action.pvcPodCache, "pvcPodCache should be initialized after first call")
-	cache1 := action.pvcPodCache
-
-	// Get VolumeHelper second time - should reuse the same cache
-	vh2, err := action.getOrCreateVolumeHelper(backup)
-	require.NoError(t, err)
-	require.NotNil(t, vh2)
-
-	// The pvcPodCache should be the same instance
-	require.Same(t, cache1, action.pvcPodCache, "Expected same pvcPodCache instance on repeated calls")
-}
--- a/pkg/backup/actions/csi/volumesnapshot_action.go
+++ b/pkg/backup/actions/csi/volumesnapshot_action.go
@@ -151,12 +151,6 @@ func (p *volumeSnapshotBackupItemAction) Execute(
 				annotations[velerov1api.VolumeSnapshotRestoreSize] = resource.NewQuantity(
 					*vsc.Status.RestoreSize, resource.BinarySI).String()
 			}
-
-			// Capture VolumeGroupSnapshotHandle to create stub VGSC during restore
-			// for CSI drivers that populate this field (e.g., Ceph RBD).
-			if vsc.Status.VolumeGroupSnapshotHandle != nil {
-				annotations[velerov1api.VolumeGroupSnapshotHandleAnnotation] = *vsc.Status.VolumeGroupSnapshotHandle
-			}
 		}

 		p.log.Infof("Patching VolumeSnapshotContent %s with velero BackupNameLabel",
--- a/pkg/backup/backed_up_items_map.go
+++ b/pkg/backup/backed_up_items_map.go
@@ -98,14 +98,6 @@ func (m *backedUpItemsMap) AddItem(key itemKey) {
 	m.totalItems[key] = struct{}{}
 }

-func (m *backedUpItemsMap) DeleteItem(key itemKey) {
-	m.Lock()
-	defer m.Unlock()
-
-	delete(m.backedUpItems, key)
-	delete(m.totalItems, key)
-}
-
 func (m *backedUpItemsMap) AddItemToTotal(key itemKey) {
 	m.Lock()
 	defer m.Unlock()
--- a/pkg/backup/backup.go
+++ b/pkg/backup/backup.go
@@ -187,7 +187,7 @@ func getNamespaceIncludesExcludesAndArgoCDNamespaces(backup *velerov1api.Backup,
 		Excludes(backup.Spec.ExcludedNamespaces...)

 	// Expand wildcards if needed
-	if err := includesExcludes.ExpandIncludesExcludes(true); err != nil {
+	if err := includesExcludes.ExpandIncludesExcludes(); err != nil {
 		return nil, []string{}, err
 	}

@@ -286,7 +286,7 @@ func (kb *kubernetesBackupper) BackupWithResolvers(
 		expandedExcludes := backupRequest.NamespaceIncludesExcludes.GetExcludes()

 		// Get the final namespace list after wildcard expansion
-		wildcardResult, err := backupRequest.NamespaceIncludesExcludes.ResolveNamespaceList(true)
+		wildcardResult, err := backupRequest.NamespaceIncludesExcludes.ResolveNamespaceList()
 		if err != nil {
 			log.WithError(err).Errorf("error resolving namespace list")
 			return err
@@ -408,28 +408,6 @@ func (kb *kubernetesBackupper) BackupWithResolvers(
 	}
 	backupRequest.Status.Progress = &velerov1api.BackupProgress{TotalItems: len(items)}

-	// Resolve namespaces for PVC-to-Pod cache building in volumehelper.
-	// See issue #9179 for details.
-	namespaces, err := backupRequest.NamespaceIncludesExcludes.ResolveNamespaceList(true)
-	if err != nil {
-		log.WithError(err).Error("Failed to resolve namespace list for PVC-to-Pod cache")
-		return err
-	}
-
-	volumeHelperImpl, err := volumehelper.NewVolumeHelperImplWithNamespaces(
-		backupRequest.ResPolicies,
-		backupRequest.Spec.SnapshotVolumes,
-		log,
-		kb.kbClient,
-		boolptr.IsSetToTrue(backupRequest.Spec.DefaultVolumesToFsBackup),
-		!backupRequest.ResourceIncludesExcludes.ShouldInclude(kuberesource.PersistentVolumeClaims.String()),
-		namespaces,
-	)
-	if err != nil {
-		log.WithError(err).Error("Failed to build PVC-to-Pod cache for volume policy lookups")
-		return err
-	}
-
 	itemBackupper := &itemBackupper{
 		backupRequest:            backupRequest,
 		tarWriter:                tw,
@@ -443,8 +421,15 @@ func (kb *kubernetesBackupper) BackupWithResolvers(
 		itemHookHandler: &hook.DefaultItemHookHandler{
 			PodCommandExecutor: kb.podCommandExecutor,
 		},
-		hookTracker:         hook.NewHookTracker(),
-		volumeHelperImpl:    volumeHelperImpl,
+		hookTracker: hook.NewHookTracker(),
+		volumeHelperImpl: volumehelper.NewVolumeHelperImpl(
+			backupRequest.ResPolicies,
+			backupRequest.Spec.SnapshotVolumes,
+			log,
+			kb.kbClient,
+			boolptr.IsSetToTrue(backupRequest.Spec.DefaultVolumesToFsBackup),
+			!backupRequest.ResourceIncludesExcludes.ShouldInclude(kuberesource.PersistentVolumeClaims.String()),
+		),
 		kubernetesBackupper: kb,
 	}

--- a/pkg/backup/backup_test.go
+++ b/pkg/backup/backup_test.go
@@ -36,7 +36,6 @@ import (
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	corev1api "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -282,8 +281,8 @@ func TestBackupOldResourceFiltering(t *testing.T) {
 				Result(),
 			apiResources: []*test.APIResource{
 				test.Pods(
-					builder.ForPod("foo", "bar").Phase(corev1api.PodRunning).Result(),
-					builder.ForPod("zoo", "raz").Phase(corev1api.PodRunning).Result(),
+					builder.ForPod("foo", "bar").Result(),
+					builder.ForPod("zoo", "raz").Result(),
 				),
 				test.Deployments(
 					builder.ForDeployment("foo", "bar").Result(),
@@ -981,6 +980,28 @@ func TestCRDInclusion(t *testing.T) {
 				"resources/volumesnapshotlocations.velero.io/v1-preferredversion/namespaces/foo/vsl-1.json",
 			},
 		},
+		{
+			name: "include cluster resources=auto includes CRDs with CRs when backing up selected namespaces",
+			backup: defaultBackup().
+				IncludedNamespaces("foo").
+				Result(),
+			apiResources: []*test.APIResource{
+				test.CRDs(
+					builder.ForCustomResourceDefinitionV1Beta1("backups.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("volumesnapshotlocations.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("test.velero.io").Result(),
+				),
+				test.VSLs(
+					builder.ForVolumeSnapshotLocation("foo", "vsl-1").Result(),
+				),
+			},
+			want: []string{
+				"resources/customresourcedefinitions.apiextensions.k8s.io/cluster/volumesnapshotlocations.velero.io.json",
+				"resources/volumesnapshotlocations.velero.io/namespaces/foo/vsl-1.json",
+				"resources/customresourcedefinitions.apiextensions.k8s.io/v1beta1-preferredversion/cluster/volumesnapshotlocations.velero.io.json",
+				"resources/volumesnapshotlocations.velero.io/v1-preferredversion/namespaces/foo/vsl-1.json",
+			},
+		},
 		{
 			name: "include-cluster-resources=false excludes all CRDs when backing up selected namespaces",
 			backup: defaultBackup().
@@ -4275,12 +4296,6 @@ func (h *harness) addItems(t *testing.T, resource *test.APIResource) {
 		unstructuredObj := &unstructured.Unstructured{Object: obj}

 		if resource.Namespaced {
-			namespace := &corev1api.Namespace{ObjectMeta: metav1.ObjectMeta{Name: item.GetNamespace()}}
-			err = h.backupper.kbClient.Create(t.Context(), namespace)
-			if err != nil && !apierrors.IsAlreadyExists(err) {
-				require.NoError(t, err)
-			}
-
 			_, err = h.DynamicClient.Resource(resource.GVR()).Namespace(item.GetNamespace()).Create(t.Context(), unstructuredObj, metav1.CreateOptions{})
 		} else {
 			_, err = h.DynamicClient.Resource(resource.GVR()).Create(t.Context(), unstructuredObj, metav1.CreateOptions{})
@@ -4331,7 +4346,7 @@ func newSnapshotLocation(ns, name, provider string) *velerov1.VolumeSnapshotLoca
 }

 func defaultBackup() *builder.BackupBuilder {
-	return builder.ForBackup(velerov1.DefaultNamespace, "backup-1").DefaultVolumesToFsBackup(false).IncludedNamespaces("*")
+	return builder.ForBackup(velerov1.DefaultNamespace, "backup-1").DefaultVolumesToFsBackup(false)
 }

 func toUnstructuredOrFail(t *testing.T, obj any) map[string]any {
@@ -5407,6 +5422,8 @@ func TestBackupNamespaces(t *testing.T) {
 			want: []string{
 				"resources/namespaces/cluster/ns-1.json",
 				"resources/namespaces/v1-preferredversion/cluster/ns-1.json",
+				"resources/namespaces/cluster/ns-3.json",
+				"resources/namespaces/v1-preferredversion/cluster/ns-3.json",
 			},
 		},
 		{
@@ -5440,6 +5457,10 @@ func TestBackupNamespaces(t *testing.T) {
 			want: []string{
 				"resources/namespaces/cluster/ns-1.json",
 				"resources/namespaces/v1-preferredversion/cluster/ns-1.json",
+				"resources/namespaces/cluster/ns-2.json",
+				"resources/namespaces/v1-preferredversion/cluster/ns-2.json",
+				"resources/namespaces/cluster/ns-3.json",
+				"resources/namespaces/v1-preferredversion/cluster/ns-3.json",
 				"resources/deployments.apps/namespaces/ns-1/deploy-1.json",
 				"resources/deployments.apps/v1-preferredversion/namespaces/ns-1/deploy-1.json",
 			},
--- a/pkg/backup/item_backupper.go
+++ b/pkg/backup/item_backupper.go
@@ -40,6 +40,7 @@ import (
 	"github.com/vmware-tanzu/velero/internal/hook"
 	"github.com/vmware-tanzu/velero/internal/resourcepolicies"
 	"github.com/vmware-tanzu/velero/internal/volume"
+	"github.com/vmware-tanzu/velero/internal/volumehelper"
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	"github.com/vmware-tanzu/velero/pkg/archive"
 	"github.com/vmware-tanzu/velero/pkg/client"
@@ -53,7 +54,6 @@ import (
 	"github.com/vmware-tanzu/velero/pkg/podvolume"
 	"github.com/vmware-tanzu/velero/pkg/util/boolptr"
 	csiutil "github.com/vmware-tanzu/velero/pkg/util/csi"
-	"github.com/vmware-tanzu/velero/pkg/util/volumehelper"
 )

 const (
@@ -244,14 +244,6 @@ func (ib *itemBackupper) backupItemInternal(logger logrus.FieldLogger, obj runti
 		return false, itemFiles, kubeerrs.NewAggregate(backupErrs)
 	}

-	// If err is nil and updatedObj is nil, it means the item is skipped by plugin action,
-	// we should return here to avoid backing up the item, and avoid potential NPE in the following code.
-	if updatedObj == nil {
-		log.Infof("Remove item from the backup's backupItems list and totalItems list because it's skipped by plugin action.")
-		ib.backupRequest.BackedUpItems.DeleteItem(key)
-		return false, itemFiles, nil
-	}
-
 	itemFiles = append(itemFiles, additionalItemFiles...)
 	obj = updatedObj
 	if metadata, err = meta.Accessor(obj); err != nil {
@@ -406,13 +398,6 @@ func (ib *itemBackupper) executeActions(
 		}

 		u := &unstructured.Unstructured{Object: updatedItem.UnstructuredContent()}
-
-		if _, ok := u.GetAnnotations()[velerov1api.SkipFromBackupAnnotation]; ok {
-			log.Infof("Resource (groupResource=%s, namespace=%s, name=%s) is skipped from backup by action %s.",
-				groupResource.String(), namespace, name, actionName)
-			return nil, itemFiles, nil
-		}
-
 		if actionName == csiBIAPluginName {
 			if additionalItemIdentifiers == nil && u.GetAnnotations()[velerov1api.SkippedNoCSIPVAnnotation] == "true" {
 				// snapshot was skipped by CSI plugin
@@ -702,14 +687,15 @@ func (ib *itemBackupper) getMatchAction(obj runtime.Unstructured, groupResource
 			return nil, errors.WithStack(err)
 		}

-		var pv *corev1api.PersistentVolume
-		if pvName := pvc.Spec.VolumeName; pvName != "" {
-			pv = &corev1api.PersistentVolume{}
-			if err := ib.kbClient.Get(context.Background(), kbClient.ObjectKey{Name: pvName}, pv); err != nil {
-				return nil, errors.WithStack(err)
-			}
+		pvName := pvc.Spec.VolumeName
+		if pvName == "" {
+			return nil, errors.Errorf("PVC has no volume backing this claim")
+		}
+
+		pv := &corev1api.PersistentVolume{}
+		if err := ib.kbClient.Get(context.Background(), kbClient.ObjectKey{Name: pvName}, pv); err != nil {
+			return nil, errors.WithStack(err)
 		}
-		// If pv is nil for unbound PVCs - policy matching will use PVC-only conditions
 		vfd := resourcepolicies.NewVolumeFilterData(pv, nil, pvc)
 		return ib.backupRequest.ResPolicies.GetMatchAction(vfd)
 	}
@@ -723,10 +709,7 @@ func (ib *itemBackupper) trackSkippedPV(obj runtime.Unstructured, groupResource
 	if name, err := getPVName(obj, groupResource); len(name) > 0 && err == nil {
 		ib.backupRequest.SkippedPVTracker.Track(name, approach, reason)
 	} else if err != nil {
-		// Log at info level for tracking purposes. This is not an error because
-		// it's expected for some resources (e.g., PVCs in Pending or Lost phase)
-		// to not have a PV name. This occurs when volume policy skips unbound PVCs.
-		log.WithError(err).Infof("unable to get PV name, skip tracking.")
+		log.WithError(err).Warnf("unable to get PV name, skip tracking.")
 	}
 }

@@ -736,17 +719,6 @@ func (ib *itemBackupper) unTrackSkippedPV(obj runtime.Unstructured, groupResourc
 	if name, err := getPVName(obj, groupResource); len(name) > 0 && err == nil {
 		ib.backupRequest.SkippedPVTracker.Untrack(name)
 	} else if err != nil {
-		// For PVCs in Pending or Lost phase, it's expected that there's no PV name.
-		// Log at debug level instead of warning to reduce noise.
-		if groupResource == kuberesource.PersistentVolumeClaims {
-			pvc := new(corev1api.PersistentVolumeClaim)
-			if convErr := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.UnstructuredContent(), pvc); convErr == nil {
-				if pvc.Status.Phase == corev1api.ClaimPending || pvc.Status.Phase == corev1api.ClaimLost {
-					log.WithError(err).Debugf("unable to get PV name for %s PVC, skip untracking.", pvc.Status.Phase)
-					return
-				}
-			}
-		}
 		log.WithError(err).Warnf("unable to get PV name, skip untracking.")
 	}
 }
--- a/pkg/backup/item_backupper_test.go
+++ b/pkg/backup/item_backupper_test.go
@@ -17,15 +17,12 @@ limitations under the License.
 package backup

 import (
-	"bytes"
 	"testing"

 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	ctrlfake "sigs.k8s.io/controller-runtime/pkg/client/fake"

-	"github.com/vmware-tanzu/velero/internal/resourcepolicies"
 	"github.com/vmware-tanzu/velero/pkg/kuberesource"

 	"github.com/stretchr/testify/assert"
@@ -272,225 +269,3 @@ func TestAddVolumeInfo(t *testing.T) {
 		})
 	}
 }
-
-func TestGetMatchAction_PendingLostPVC(t *testing.T) {
-	scheme := runtime.NewScheme()
-	require.NoError(t, corev1api.AddToScheme(scheme))
-
-	// Create resource policies that skip Pending/Lost PVCs
-	resPolicies := &resourcepolicies.ResourcePolicies{
-		Version: "v1",
-		VolumePolicies: []resourcepolicies.VolumePolicy{
-			{
-				Conditions: map[string]any{
-					"pvcPhase": []string{"Pending", "Lost"},
-				},
-				Action: resourcepolicies.Action{
-					Type: resourcepolicies.Skip,
-				},
-			},
-		},
-	}
-	policies := &resourcepolicies.Policies{}
-	err := policies.BuildPolicy(resPolicies)
-	require.NoError(t, err)
-
-	testCases := []struct {
-		name           string
-		pvc            *corev1api.PersistentVolumeClaim
-		pv             *corev1api.PersistentVolume
-		expectedAction *resourcepolicies.Action
-		expectError    bool
-	}{
-		{
-			name: "Pending PVC with no VolumeName should match pvcPhase policy",
-			pvc: builder.ForPersistentVolumeClaim("ns", "pending-pvc").
-				StorageClass("test-sc").
-				Phase(corev1api.ClaimPending).
-				Result(),
-			pv:             nil,
-			expectedAction: &resourcepolicies.Action{Type: resourcepolicies.Skip},
-			expectError:    false,
-		},
-		{
-			name: "Lost PVC with no VolumeName should match pvcPhase policy",
-			pvc: builder.ForPersistentVolumeClaim("ns", "lost-pvc").
-				StorageClass("test-sc").
-				Phase(corev1api.ClaimLost).
-				Result(),
-			pv:             nil,
-			expectedAction: &resourcepolicies.Action{Type: resourcepolicies.Skip},
-			expectError:    false,
-		},
-		{
-			name: "Bound PVC with VolumeName and matching PV should not match pvcPhase policy",
-			pvc: builder.ForPersistentVolumeClaim("ns", "bound-pvc").
-				StorageClass("test-sc").
-				VolumeName("test-pv").
-				Phase(corev1api.ClaimBound).
-				Result(),
-			pv:             builder.ForPersistentVolume("test-pv").StorageClass("test-sc").Result(),
-			expectedAction: nil,
-			expectError:    false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			// Build fake client with PV if present
-			clientBuilder := ctrlfake.NewClientBuilder().WithScheme(scheme)
-			if tc.pv != nil {
-				clientBuilder = clientBuilder.WithObjects(tc.pv)
-			}
-			fakeClient := clientBuilder.Build()
-
-			ib := &itemBackupper{
-				kbClient: fakeClient,
-				backupRequest: &Request{
-					ResPolicies: policies,
-				},
-			}
-
-			// Convert PVC to unstructured
-			pvcData, err := runtime.DefaultUnstructuredConverter.ToUnstructured(tc.pvc)
-			require.NoError(t, err)
-			obj := &unstructured.Unstructured{Object: pvcData}
-
-			action, err := ib.getMatchAction(obj, kuberesource.PersistentVolumeClaims, csiBIAPluginName)
-			if tc.expectError {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-
-			if tc.expectedAction == nil {
-				assert.Nil(t, action)
-			} else {
-				require.NotNil(t, action)
-				assert.Equal(t, tc.expectedAction.Type, action.Type)
-			}
-		})
-	}
-}
-
-func TestTrackSkippedPV_PendingLostPVC(t *testing.T) {
-	testCases := []struct {
-		name string
-		pvc  *corev1api.PersistentVolumeClaim
-	}{
-		{
-			name: "Pending PVC should log at info level",
-			pvc: builder.ForPersistentVolumeClaim("ns", "pending-pvc").
-				Phase(corev1api.ClaimPending).
-				Result(),
-		},
-		{
-			name: "Lost PVC should log at info level",
-			pvc: builder.ForPersistentVolumeClaim("ns", "lost-pvc").
-				Phase(corev1api.ClaimLost).
-				Result(),
-		},
-		{
-			name: "Bound PVC without VolumeName should log at info level",
-			pvc: builder.ForPersistentVolumeClaim("ns", "bound-pvc").
-				Phase(corev1api.ClaimBound).
-				Result(),
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			ib := &itemBackupper{
-				backupRequest: &Request{
-					SkippedPVTracker: NewSkipPVTracker(),
-				},
-			}
-
-			// Set up log capture
-			logOutput := &bytes.Buffer{}
-			logger := logrus.New()
-			logger.SetOutput(logOutput)
-			logger.SetLevel(logrus.DebugLevel)
-
-			// Convert PVC to unstructured
-			pvcData, err := runtime.DefaultUnstructuredConverter.ToUnstructured(tc.pvc)
-			require.NoError(t, err)
-			obj := &unstructured.Unstructured{Object: pvcData}
-
-			ib.trackSkippedPV(obj, kuberesource.PersistentVolumeClaims, "", "test reason", logger)
-
-			logStr := logOutput.String()
-			assert.Contains(t, logStr, "level=info")
-			assert.Contains(t, logStr, "unable to get PV name, skip tracking.")
-		})
-	}
-}
-
-func TestUnTrackSkippedPV_PendingLostPVC(t *testing.T) {
-	testCases := []struct {
-		name               string
-		pvc                *corev1api.PersistentVolumeClaim
-		expectWarningLog   bool
-		expectDebugMessage string
-	}{
-		{
-			name: "Pending PVC should log at debug level, not warning",
-			pvc: builder.ForPersistentVolumeClaim("ns", "pending-pvc").
-				Phase(corev1api.ClaimPending).
-				Result(),
-			expectWarningLog:   false,
-			expectDebugMessage: "unable to get PV name for Pending PVC, skip untracking.",
-		},
-		{
-			name: "Lost PVC should log at debug level, not warning",
-			pvc: builder.ForPersistentVolumeClaim("ns", "lost-pvc").
-				Phase(corev1api.ClaimLost).
-				Result(),
-			expectWarningLog:   false,
-			expectDebugMessage: "unable to get PV name for Lost PVC, skip untracking.",
-		},
-		{
-			name: "Bound PVC without VolumeName should log warning",
-			pvc: builder.ForPersistentVolumeClaim("ns", "bound-pvc").
-				Phase(corev1api.ClaimBound).
-				Result(),
-			expectWarningLog:   true,
-			expectDebugMessage: "",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			ib := &itemBackupper{
-				backupRequest: &Request{
-					SkippedPVTracker: NewSkipPVTracker(),
-				},
-			}
-
-			// Set up log capture
-			logOutput := &bytes.Buffer{}
-			logger := logrus.New()
-			logger.SetOutput(logOutput)
-			logger.SetLevel(logrus.DebugLevel)
-
-			// Convert PVC to unstructured
-			pvcData, err := runtime.DefaultUnstructuredConverter.ToUnstructured(tc.pvc)
-			require.NoError(t, err)
-			obj := &unstructured.Unstructured{Object: pvcData}
-
-			ib.unTrackSkippedPV(obj, kuberesource.PersistentVolumeClaims, logger)
-
-			logStr := logOutput.String()
-			if tc.expectWarningLog {
-				assert.Contains(t, logStr, "level=warning")
-				assert.Contains(t, logStr, "unable to get PV name, skip untracking.")
-			} else {
-				assert.NotContains(t, logStr, "level=warning")
-				if tc.expectDebugMessage != "" {
-					assert.Contains(t, logStr, "level=debug")
-					assert.Contains(t, logStr, tc.expectDebugMessage)
-				}
-			}
-		})
-	}
-}
--- a/pkg/backup/item_collector.go
+++ b/pkg/backup/item_collector.go
@@ -633,19 +633,22 @@ func coreGroupResourcePriority(resource string) int {
 }

 // getNamespacesToList examines ie and resolves the includes and excludes to a full list of
-// namespaces to list. If ie is nil, the result is just "" (list across all namespaces).
-// Otherwise, the result is a list of every included namespace minus all excluded ones.
-// Because the namespace IE filter is expanded from 1.18, there is no need to consider
-// wildcard characters anymore.
+// namespaces to list. If ie is nil or it includes *, the result is just "" (list across all
+// namespaces). Otherwise, the result is a list of every included namespace minus all excluded ones.
 func getNamespacesToList(ie *collections.NamespaceIncludesExcludes) []string {
 	if ie == nil {
 		return []string{""}
 	}

+	if ie.ShouldInclude("*") {
+		// "" means all namespaces
+		return []string{""}
+	}
+
 	var list []string
-	for _, n := range ie.GetIncludes() {
-		if ie.ShouldInclude(n) {
-			list = append(list, n)
+	for _, i := range ie.GetIncludes() {
+		if ie.ShouldInclude(i) {
+			list = append(list, i)
 		}
 	}

--- a/pkg/builder/backup_storage_location_builder.go
+++ b/pkg/builder/backup_storage_location_builder.go
@@ -93,15 +93,6 @@ func (b *BackupStorageLocationBuilder) CACert(val []byte) *BackupStorageLocation
 	return b
 }

-// CACertRef sets the BackupStorageLocation's object storage CACertRef (Secret reference).
-func (b *BackupStorageLocationBuilder) CACertRef(selector *corev1api.SecretKeySelector) *BackupStorageLocationBuilder {
-	if b.object.Spec.StorageType.ObjectStorage == nil {
-		b.object.Spec.StorageType.ObjectStorage = new(velerov1api.ObjectStorageLocation)
-	}
-	b.object.Spec.ObjectStorage.CACertRef = selector
-	return b
-}
-
 // Default sets the BackupStorageLocation's is default or not
 func (b *BackupStorageLocationBuilder) Default(isDefault bool) *BackupStorageLocationBuilder {
 	b.object.Spec.Default = isDefault
--- a/pkg/builder/container_builder.go
+++ b/pkg/builder/container_builder.go
@@ -22,8 +22,6 @@ import (

 	corev1api "k8s.io/api/core/v1"
 	apimachineryRuntime "k8s.io/apimachinery/pkg/runtime"
-
-	"github.com/vmware-tanzu/velero/pkg/label"
 )

 // ContainerBuilder builds Container objects
@@ -47,9 +45,9 @@ func ForPluginContainer(image string, pullPolicy corev1api.PullPolicy) *Containe
 	return ForContainer(getName(image), image).PullPolicy(pullPolicy).VolumeMounts(volumeMount)
 }

-// getName returns the 'name' component of a docker image that includes the entire string
-// except the registry name, and transforms the combined string into a DNS-1123 compatible name
-// that fits within the 63-character limit for Kubernetes container names.
+// getName returns the 'name' component of a docker
+// image that includes the entire string except the registry name, and transforms the combined
+// string into a RFC-1123 compatible name.
 func getName(image string) string {
 	slashIndex := strings.Index(image, "/")
 	slashCount := 0
@@ -85,10 +83,7 @@ func getName(image string) string {
 	re := strings.NewReplacer("/", "-",
 		"_", "-",
 		".", "-")
-	name := re.Replace(image[start:end])
-
-	// Ensure the name doesn't exceed Kubernetes container name length limit
-	return label.GetValidName(name)
+	return re.Replace(image[start:end])
 }

 // Result returns the built Container.
--- a/pkg/builder/container_builder_test.go
+++ b/pkg/builder/container_builder_test.go
@@ -100,50 +100,3 @@ func TestGetName(t *testing.T) {
 		})
 	}
 }
-
-func TestGetNameWithLongPaths(t *testing.T) {
-	tests := []struct {
-		name     string
-		image    string
-		validate func(t *testing.T, result string)
-	}{
-		{
-			name:  "plugin with deeply nested repository path exceeding 63 characters",
-			image: "arohcpsvcdev.azurecr.io/redhat-user-workloads/ocp-art-tenant/oadp-hypershift-oadp-plugin-main@sha256:adb840bf3890b4904a8cdda1a74c82cf8d96c52eba9944ac10e795335d6fd450",
-			validate: func(t *testing.T, result string) {
-				t.Helper()
-				// Should not exceed DNS-1123 label limit of 63 characters
-				assert.LessOrEqual(t, len(result), 63, "Container name must satisfy DNS-1123 label constraints (max 63 chars)")
-				// Should be exactly 63 characters (truncated with hash)
-				assert.Len(t, result, 63)
-				// Should be deterministic
-				result2 := getName("arohcpsvcdev.azurecr.io/redhat-user-workloads/ocp-art-tenant/oadp-hypershift-oadp-plugin-main@sha256:adb840bf3890b4904a8cdda1a74c82cf8d96c52eba9944ac10e795335d6fd450")
-				assert.Equal(t, result, result2)
-			},
-		},
-		{
-			name:  "plugin with normal path length (should remain unchanged)",
-			image: "arohcpsvcdev.azurecr.io/konveyor/velero-plugin-for-microsoft-azure@sha256:b2db5f09da514e817a74c992dcca5f90b77c2ab0b2797eba947d224271d6070e",
-			validate: func(t *testing.T, result string) {
-				t.Helper()
-				assert.Equal(t, "konveyor-velero-plugin-for-microsoft-azure", result)
-				assert.LessOrEqual(t, len(result), 63)
-			},
-		},
-		{
-			name:  "very long nested path",
-			image: "registry.example.com/org/team/project/subproject/component/service/application-name-with-many-words:v1.2.3",
-			validate: func(t *testing.T, result string) {
-				t.Helper()
-				assert.LessOrEqual(t, len(result), 63)
-			},
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			result := getName(test.image)
-			test.validate(t, result)
-		})
-	}
-}
--- a/pkg/client/factory.go
+++ b/pkg/client/factory.go
@@ -19,7 +19,7 @@ package client
 import (
 	"os"

-	volumegroupsnapshotv1beta2 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta2"
+	volumegroupsnapshotv1beta1 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1"

 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiextv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
@@ -168,7 +168,7 @@ func (f *factory) KubebuilderClient() (kbclient.Client, error) {
 	if err := snapshotv1api.AddToScheme(scheme); err != nil {
 		return nil, err
 	}
-	if err := volumegroupsnapshotv1beta2.AddToScheme(scheme); err != nil {
+	if err := volumegroupsnapshotv1beta1.AddToScheme(scheme); err != nil {
 		return nil, err
 	}
 	kubebuilderClient, err := kbclient.New(clientConfig, kbclient.Options{
@@ -207,7 +207,7 @@ func (f *factory) KubebuilderWatchClient() (kbclient.WithWatch, error) {
 	if err := snapshotv1api.AddToScheme(scheme); err != nil {
 		return nil, err
 	}
-	if err := volumegroupsnapshotv1beta2.AddToScheme(scheme); err != nil {
+	if err := volumegroupsnapshotv1beta1.AddToScheme(scheme); err != nil {
 		return nil, err
 	}
 	kubebuilderWatchClient, err := kbclient.NewWithWatch(clientConfig, kbclient.Options{
--- a/pkg/cmd/cli/install/install.go
+++ b/pkg/cmd/cli/install/install.go
@@ -81,7 +81,6 @@ type Options struct {
 	DefaultVolumesToFsBackup        bool
 	UploaderType                    string
 	DefaultSnapshotMoveData         bool
-	CSISnapshotEarlyFrequentPolling bool
 	DisableInformerCache            bool
 	ScheduleSkipImmediately         bool
 	PodResources                    kubeutil.PodResources
@@ -142,7 +141,6 @@ func (o *Options) BindFlags(flags *pflag.FlagSet) {
 	flags.BoolVar(&o.DefaultVolumesToFsBackup, "default-volumes-to-fs-backup", o.DefaultVolumesToFsBackup, "Bool flag to configure Velero server to use pod volume file system backup by default for all volumes on all backups. Optional.")
 	flags.StringVar(&o.UploaderType, "uploader-type", o.UploaderType, fmt.Sprintf("The type of uploader to transfer the data of pod volumes, supported value: '%s'", uploader.KopiaType))
 	flags.BoolVar(&o.DefaultSnapshotMoveData, "default-snapshot-move-data", o.DefaultSnapshotMoveData, "Bool flag to configure Velero server to move data by default for all snapshots supporting data movement. Optional.")
-	flags.BoolVar(&o.CSISnapshotEarlyFrequentPolling, "csi-snapshot-early-frequent-polling", o.CSISnapshotEarlyFrequentPolling, "Bool flag to configure Velero server to use early frequent polling by default for all CSI snapshots. Optional.")
 	flags.BoolVar(&o.DisableInformerCache, "disable-informer-cache", o.DisableInformerCache, "Disable informer cache for Get calls on restore. With this enabled, it will speed up restore in cases where there are backup resources which already exist in the cluster, but for very large clusters this will increase velero memory usage. Default is false (don't disable). Optional.")
 	flags.BoolVar(&o.ScheduleSkipImmediately, "schedule-skip-immediately", o.ScheduleSkipImmediately, "Skip the first scheduled backup immediately after creating a schedule. Default is false (don't skip).")
 	flags.BoolVar(&o.NodeAgentDisableHostPath, "node-agent-disable-host-path", o.NodeAgentDisableHostPath, "Don't mount the pod volume host path to node-agent. Optional. Pod volume host path mount is required by fs-backup but could be disabled for other backup methods.")
@@ -240,17 +238,16 @@ func NewInstallOptions() *Options {
 		NodeAgentPodCPULimit:      install.DefaultNodeAgentPodCPULimit,
 		NodeAgentPodMemLimit:      install.DefaultNodeAgentPodMemLimit,
 		// Default to creating a VSL unless we're told otherwise
-		UseVolumeSnapshots:              true,
-		NoDefaultBackupLocation:         false,
-		CRDsOnly:                        false,
-		DefaultVolumesToFsBackup:        false,
-		UploaderType:                    uploader.KopiaType,
-		DefaultSnapshotMoveData:         false,
-		CSISnapshotEarlyFrequentPolling: false,
-		DisableInformerCache:            false,
-		ScheduleSkipImmediately:         false,
-		kubeletRootDir:                  install.DefaultKubeletRootDir,
-		NodeAgentDisableHostPath:        false,
+		UseVolumeSnapshots:       true,
+		NoDefaultBackupLocation:  false,
+		CRDsOnly:                 false,
+		DefaultVolumesToFsBackup: false,
+		UploaderType:             uploader.KopiaType,
+		DefaultSnapshotMoveData:  false,
+		DisableInformerCache:     false,
+		ScheduleSkipImmediately:  false,
+		kubeletRootDir:           install.DefaultKubeletRootDir,
+		NodeAgentDisableHostPath: false,
 	}
 }

@@ -278,21 +275,11 @@ func (o *Options) AsVeleroOptions() (*install.VeleroOptions, error) {
 			return nil, err
 		}
 	}
-	veleroPodResources, err := kubeutil.ParseCPUAndMemoryResources(
-		o.VeleroPodCPURequest,
-		o.VeleroPodMemRequest,
-		o.VeleroPodCPULimit,
-		o.VeleroPodMemLimit,
-	)
+	veleroPodResources, err := kubeutil.ParseResourceRequirements(o.VeleroPodCPURequest, o.VeleroPodMemRequest, o.VeleroPodCPULimit, o.VeleroPodMemLimit)
 	if err != nil {
 		return nil, err
 	}
-	nodeAgentPodResources, err := kubeutil.ParseCPUAndMemoryResources(
-		o.NodeAgentPodCPURequest,
-		o.NodeAgentPodMemRequest,
-		o.NodeAgentPodCPULimit,
-		o.NodeAgentPodMemLimit,
-	)
+	nodeAgentPodResources, err := kubeutil.ParseResourceRequirements(o.NodeAgentPodCPURequest, o.NodeAgentPodMemRequest, o.NodeAgentPodCPULimit, o.NodeAgentPodMemLimit)
 	if err != nil {
 		return nil, err
 	}
@@ -327,7 +314,6 @@ func (o *Options) AsVeleroOptions() (*install.VeleroOptions, error) {
 		DefaultVolumesToFsBackup:        o.DefaultVolumesToFsBackup,
 		UploaderType:                    o.UploaderType,
 		DefaultSnapshotMoveData:         o.DefaultSnapshotMoveData,
-		CSISnapshotEarlyFrequentPolling: o.CSISnapshotEarlyFrequentPolling,
 		DisableInformerCache:            o.DisableInformerCache,
 		ScheduleSkipImmediately:         o.ScheduleSkipImmediately,
 		PodResources:                    o.PodResources,
@@ -385,8 +371,8 @@ This is useful as a starting point for more customized installations.

  # velero install --provider azure --plugins velero/velero-plugin-for-microsoft-azure:v1.0.0 --bucket $BLOB_CONTAINER --secret-file ./credentials-velero --backup-location-config resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,storageAccount=$AZURE_STORAGE_ACCOUNT_ID[,subscriptionId=$AZURE_BACKUP_SUBSCRIPTION_ID] --snapshot-location-config apiTimeout=<YOUR_TIMEOUT>[,resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,subscriptionId=$AZURE_BACKUP_SUBSCRIPTION_ID]`,
 		Run: func(c *cobra.Command, args []string) {
-			cmd.CheckError(o.Complete(args, f))
 			cmd.CheckError(o.Validate(c, args, f))
+			cmd.CheckError(o.Complete(args, f))
 			cmd.CheckError(o.Run(c, f))
 		},
 	}
--- a/pkg/cmd/cli/install/install_test.go
+++ b/pkg/cmd/cli/install/install_test.go
@@ -17,18 +17,11 @@ limitations under the License.
 package install

 import (
-	"context"
 	"testing"

-	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	corev1api "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	factorymocks "github.com/vmware-tanzu/velero/pkg/client/mocks"
-	velerotest "github.com/vmware-tanzu/velero/pkg/test"
 )

 func TestPriorityClassNameFlag(t *testing.T) {
@@ -98,168 +91,3 @@ func TestPriorityClassNameFlag(t *testing.T) {
 		})
 	}
 }
-
-// makeValidateCmd returns a minimal *cobra.Command that satisfies output.ValidateFlags.
-func makeValidateCmd() *cobra.Command {
-	c := &cobra.Command{}
-	// output.ValidateFlags only inspects the "output" flag; add it so validation passes.
-	c.Flags().StringP("output", "o", "", "output format")
-	return c
-}
-
-// configMapInNamespace builds a ConfigMap with a single JSON data entry in the given namespace.
-func configMapInNamespace(namespace, name, jsonValue string) *corev1api.ConfigMap {
-	return &corev1api.ConfigMap{
-		ObjectMeta: metav1.ObjectMeta{
-			Namespace: namespace,
-			Name:      name,
-		},
-		Data: map[string]string{
-			"config": jsonValue,
-		},
-	}
-}
-
-// TestValidateConfigMapsUseFactoryNamespace verifies that Validate resolves the target
-// namespace correctly for all three ConfigMap flags.
-//
-// The fix (Option B) calls Complete before Validate in NewCommand so that o.Namespace is
-// populated from f.Namespace() before VerifyJSONConfigs runs. Tests mirror that order by
-// calling Complete before Validate.
-func TestValidateConfigMapsUseFactoryNamespace(t *testing.T) {
-	const targetNS = "tenant-b"
-	const defaultNS = "default"
-
-	// Shared options that satisfy every other validation gate:
-	//   - NoDefaultBackupLocation=true + UseVolumeSnapshots=false skips provider/bucket/plugins checks
-	//   - NoSecret=true satisfies the secret-file check
-	baseOptions := func() *Options {
-		o := NewInstallOptions()
-		o.NoDefaultBackupLocation = true
-		o.UseVolumeSnapshots = false
-		o.NoSecret = true
-		return o
-	}
-
-	tests := []struct {
-		name       string
-		setupOpts  func(o *Options, cmName string)
-		cmJSON     string
-		wantErrMsg string // substring expected in error; empty means success
-	}{
-		{
-			name: "NodeAgentConfigMap found in factory namespace",
-			setupOpts: func(o *Options, cmName string) {
-				o.NodeAgentConfigMap = cmName
-			},
-			cmJSON: `{}`,
-		},
-		{
-			name: "NodeAgentConfigMap not found when only in default namespace",
-			setupOpts: func(o *Options, cmName string) {
-				o.NodeAgentConfigMap = cmName
-			},
-			cmJSON:     `{}`,
-			wantErrMsg: "--node-agent-configmap specified ConfigMap",
-		},
-		{
-			name: "RepoMaintenanceJobConfigMap found in factory namespace",
-			setupOpts: func(o *Options, cmName string) {
-				o.RepoMaintenanceJobConfigMap = cmName
-			},
-			cmJSON: `{}`,
-		},
-		{
-			name: "RepoMaintenanceJobConfigMap not found when only in default namespace",
-			setupOpts: func(o *Options, cmName string) {
-				o.RepoMaintenanceJobConfigMap = cmName
-			},
-			cmJSON:     `{}`,
-			wantErrMsg: "--repo-maintenance-job-configmap specified ConfigMap",
-		},
-		{
-			name: "BackupRepoConfigMap found in factory namespace",
-			setupOpts: func(o *Options, cmName string) {
-				o.BackupRepoConfigMap = cmName
-			},
-			cmJSON: `{}`,
-		},
-		{
-			name: "BackupRepoConfigMap not found when only in default namespace",
-			setupOpts: func(o *Options, cmName string) {
-				o.BackupRepoConfigMap = cmName
-			},
-			cmJSON:     `{}`,
-			wantErrMsg: "--backup-repository-configmap specified ConfigMap",
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			const cmName = "my-config"
-
-			// Decide where to place the ConfigMap:
-			// "not found" cases put it in "default", so the factory namespace lookup misses it.
-			cmNamespace := targetNS
-			if tc.wantErrMsg != "" {
-				cmNamespace = defaultNS
-			}
-
-			cm := configMapInNamespace(cmNamespace, cmName, tc.cmJSON)
-			kbClient := velerotest.NewFakeControllerRuntimeClient(t, cm)
-
-			f := &factorymocks.Factory{}
-			f.On("Namespace").Return(targetNS)
-			f.On("KubebuilderClient").Return(kbClient, nil)
-
-			o := baseOptions()
-			tc.setupOpts(o, cmName)
-
-			// Mirror the NewCommand call order: Complete populates o.Namespace before Validate runs.
-			require.NoError(t, o.Complete([]string{}, f))
-
-			c := makeValidateCmd()
-			c.SetContext(context.Background())
-
-			err := o.Validate(c, []string{}, f)
-
-			if tc.wantErrMsg == "" {
-				require.NoError(t, err)
-			} else {
-				require.Error(t, err)
-				assert.Contains(t, err.Error(), tc.wantErrMsg)
-			}
-		})
-	}
-}
-
-// TestNewCommandRunClosureOrder covers the Run closure in NewCommand (the lines that were
-// reordered by the fix: Complete → Validate → Run).
-//
-// The closure uses CheckError which calls os.Exit on any error, so the only safe path is one
-// where all three steps return nil. DryRun=true causes o.Run to return after PrintWithFormat
-// (which is a no-op when no --output flag is set) without touching any cluster clients.
-func TestNewCommandRunClosureOrder(t *testing.T) {
-	const targetNS = "tenant-b"
-	const cmName = "my-config"
-
-	cm := configMapInNamespace(targetNS, cmName, `{}`)
-	kbClient := velerotest.NewFakeControllerRuntimeClient(t, cm)
-
-	f := &factorymocks.Factory{}
-	f.On("Namespace").Return(targetNS)
-	f.On("KubebuilderClient").Return(kbClient, nil)
-
-	c := NewCommand(f)
-	c.SetArgs([]string{
-		"--no-default-backup-location",
-		"--use-volume-snapshots=false",
-		"--no-secret",
-		"--dry-run",
-		"--node-agent-configmap", cmName,
-	})
-
-	// Execute drives the full Run closure: Complete populates o.Namespace, Validate
-	// looks up the ConfigMap in targetNS (succeeds), Run returns early via DryRun.
-	require.NoError(t, c.Execute())
-}
--- a/pkg/cmd/cli/nodeagent/server.go
+++ b/pkg/cmd/cli/nodeagent/server.go
@@ -323,25 +323,7 @@ func (s *nodeAgentServer) run() {

 	podResources := corev1api.ResourceRequirements{}
 	if s.dataPathConfigs != nil && s.dataPathConfigs.PodResources != nil {
-		// To make the PodResources ConfigMap without ephemeral storage request/limit backward compatible,
-		// need to avoid set value as empty, because empty string will cause parsing error.
-		ephemeralStorageRequest := constant.DefaultEphemeralStorageRequest
-		if s.dataPathConfigs.PodResources.EphemeralStorageRequest != "" {
-			ephemeralStorageRequest = s.dataPathConfigs.PodResources.EphemeralStorageRequest
-		}
-		ephemeralStorageLimit := constant.DefaultEphemeralStorageLimit
-		if s.dataPathConfigs.PodResources.EphemeralStorageLimit != "" {
-			ephemeralStorageLimit = s.dataPathConfigs.PodResources.EphemeralStorageLimit
-		}
-
-		if res, err := kube.ParseResourceRequirements(
-			s.dataPathConfigs.PodResources.CPURequest,
-			s.dataPathConfigs.PodResources.MemoryRequest,
-			ephemeralStorageRequest,
-			s.dataPathConfigs.PodResources.CPULimit,
-			s.dataPathConfigs.PodResources.MemoryLimit,
-			ephemeralStorageLimit,
-		); err != nil {
+		if res, err := kube.ParseResourceRequirements(s.dataPathConfigs.PodResources.CPURequest, s.dataPathConfigs.PodResources.MemoryRequest, s.dataPathConfigs.PodResources.CPULimit, s.dataPathConfigs.PodResources.MemoryLimit); err != nil {
 			s.logger.WithError(err).Warn("Pod resource requirements are invalid, ignore")
 		} else {
 			podResources = res
@@ -358,74 +340,30 @@ func (s *nodeAgentServer) run() {
 		}
 	}

-	var cachePVCConfig *velerotypes.CachePVC
 	if s.dataPathConfigs != nil && s.dataPathConfigs.CachePVCConfig != nil {
 		if err := s.validateCachePVCConfig(*s.dataPathConfigs.CachePVCConfig); err != nil {
 			s.logger.WithError(err).Warnf("Ignore cache config %v", s.dataPathConfigs.CachePVCConfig)
 		} else {
-			cachePVCConfig = s.dataPathConfigs.CachePVCConfig
 			s.logger.Infof("Using cache volume configs %v", s.dataPathConfigs.CachePVCConfig)
 		}
 	}

-	var podLabels map[string]string
-	if s.dataPathConfigs != nil && len(s.dataPathConfigs.PodLabels) > 0 {
-		podLabels = s.dataPathConfigs.PodLabels
-		s.logger.Infof("Using customized pod labels %+v", podLabels)
-	}
-
-	var podAnnotations map[string]string
-	if s.dataPathConfigs != nil && len(s.dataPathConfigs.PodAnnotations) > 0 {
-		podAnnotations = s.dataPathConfigs.PodAnnotations
-		s.logger.Infof("Using customized pod annotations %+v", podAnnotations)
+	var cachePVCConfig *velerotypes.CachePVC
+	if s.dataPathConfigs != nil && s.dataPathConfigs.CachePVCConfig != nil {
+		cachePVCConfig = s.dataPathConfigs.CachePVCConfig
+		s.logger.Infof("Using customized cachePVC config %v", cachePVCConfig)
 	}

 	if s.backupRepoConfigs != nil {
 		s.logger.Infof("Using backup repo config %v", s.backupRepoConfigs)
-	} else if cachePVCConfig != nil {
-		s.logger.Info("Backup repo config is not provided, using default values for cache volume configs")
 	}

-	pvbReconciler := controller.NewPodVolumeBackupReconciler(
-		s.mgr.GetClient(),
-		s.mgr,
-		s.kubeClient,
-		s.dataPathMgr,
-		s.vgdpCounter,
-		s.nodeName,
-		s.config.dataMoverPrepareTimeout,
-		s.config.resourceTimeout,
-		podResources,
-		s.metrics,
-		s.logger,
-		dataMovePriorityClass,
-		privilegedFsBackup,
-		podLabels,
-		podAnnotations,
-	)
+	pvbReconciler := controller.NewPodVolumeBackupReconciler(s.mgr.GetClient(), s.mgr, s.kubeClient, s.dataPathMgr, s.vgdpCounter, s.nodeName, s.config.dataMoverPrepareTimeout, s.config.resourceTimeout, podResources, s.metrics, s.logger, dataMovePriorityClass, privilegedFsBackup)
 	if err := pvbReconciler.SetupWithManager(s.mgr); err != nil {
 		s.logger.Fatal(err, "unable to create controller", "controller", constant.ControllerPodVolumeBackup)
 	}

-	pvrReconciler := controller.NewPodVolumeRestoreReconciler(
-		s.mgr.GetClient(),
-		s.mgr,
-		s.kubeClient,
-		s.dataPathMgr,
-		s.vgdpCounter,
-		s.nodeName,
-		s.config.dataMoverPrepareTimeout,
-		s.config.resourceTimeout,
-		s.backupRepoConfigs,
-		cachePVCConfig,
-		podResources,
-		s.logger,
-		dataMovePriorityClass,
-		privilegedFsBackup,
-		s.repoConfigMgr,
-		podLabels,
-		podAnnotations,
-	)
+	pvrReconciler := controller.NewPodVolumeRestoreReconciler(s.mgr.GetClient(), s.mgr, s.kubeClient, s.dataPathMgr, s.vgdpCounter, s.nodeName, s.config.dataMoverPrepareTimeout, s.config.resourceTimeout, s.backupRepoConfigs, cachePVCConfig, podResources, s.logger, dataMovePriorityClass, privilegedFsBackup, s.repoConfigMgr)
 	if err := pvrReconciler.SetupWithManager(s.mgr); err != nil {
 		s.logger.WithError(err).Fatal("Unable to create the pod volume restore controller")
 	}
@@ -450,8 +388,6 @@ func (s *nodeAgentServer) run() {
 		s.logger,
 		s.metrics,
 		dataMovePriorityClass,
-		podLabels,
-		podAnnotations,
 	)
 	if err := dataUploadReconciler.SetupWithManager(s.mgr); err != nil {
 		s.logger.WithError(err).Fatal("Unable to create the data upload controller")
@@ -480,8 +416,6 @@ func (s *nodeAgentServer) run() {
 		s.metrics,
 		dataMovePriorityClass,
 		s.repoConfigMgr,
-		podLabels,
-		podAnnotations,
 	)

 	if err := dataDownloadReconciler.SetupWithManager(s.mgr); err != nil {
--- a/pkg/cmd/server/config/config.go
+++ b/pkg/cmd/server/config/config.go
@@ -115,11 +115,7 @@ var (
 			"datauploads.velero.io",
 			"persistentvolumes",
 			"persistentvolumeclaims",
-			"clusterroles",
-			"roles",
 			"serviceaccounts",
-			"clusterrolebindings",
-			"rolebindings",
 			"secrets",
 			"configmaps",
 			"limitranges",
--- a/pkg/cmd/server/server.go
+++ b/pkg/cmd/server/server.go
@@ -27,7 +27,7 @@ import (
 	"time"

 	logrusr "github.com/bombsimon/logrusr/v3"
-	volumegroupsnapshotv1beta2 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta2"
+	volumegroupsnapshotv1beta1 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumegroupsnapshot/v1beta1"
 	snapshotv1api "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumesnapshot/v1"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -247,7 +247,7 @@ func newServer(f client.Factory, config *config.Config, logger *logrus.Logger) (
 		cancelFunc()
 		return nil, err
 	}
-	if err := volumegroupsnapshotv1beta2.AddToScheme(scheme); err != nil {
+	if err := volumegroupsnapshotv1beta1.AddToScheme(scheme); err != nil {
 		cancelFunc()
 		return nil, err
 	}
@@ -558,7 +558,7 @@ func (s *server) runControllers(defaultVolumeSnapshotLocations map[string]string
 		return clientmgmt.NewManager(logger, s.logLevel, s.pluginRegistry)
 	}

-	backupStoreGetter := persistence.NewObjectBackupStoreGetterWithSecretStore(s.credentialFileStore, s.credentialSecretStore)
+	backupStoreGetter := persistence.NewObjectBackupStoreGetter(s.credentialFileStore)

 	backupTracker := controller.NewBackupTracker()

--- a/pkg/cmd/util/cacert/bsl_cacert.go
+++ b/pkg/cmd/util/cacert/bsl_cacert.go
@@ -20,9 +20,7 @@ import (
 	"context"

 	"github.com/pkg/errors"
-	corev1api "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/types"
 	kbclient "sigs.k8s.io/controller-runtime/pkg/client"

 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
@@ -54,7 +52,6 @@ func GetCACertFromRestore(ctx context.Context, client kbclient.Client, namespace
 }

 // GetCACertFromBSL fetches a BackupStorageLocation directly and returns its cacert
-// Priority order: caCertRef (from Secret) > caCert (inline, deprecated)
 func GetCACertFromBSL(ctx context.Context, client kbclient.Client, namespace, bslName string) (string, error) {
 	if bslName == "" {
 		return "", nil
@@ -74,44 +71,7 @@ func GetCACertFromBSL(ctx context.Context, client kbclient.Client, namespace, bs
 		return "", errors.Wrapf(err, "error getting backup storage location %s", bslName)
 	}

-	if bsl.Spec.ObjectStorage == nil {
-		return "", nil
-	}
-
-	// Prefer caCertRef over inline caCert
-	if bsl.Spec.ObjectStorage.CACertRef != nil {
-		// Fetch certificate from Secret
-		secret := &corev1api.Secret{}
-		secretKey := types.NamespacedName{
-			Name:      bsl.Spec.ObjectStorage.CACertRef.Name,
-			Namespace: namespace,
-		}
-
-		if err := client.Get(ctx, secretKey, secret); err != nil {
-			if apierrors.IsNotFound(err) {
-				return "", errors.Errorf("certificate secret %s not found in namespace %s",
-					bsl.Spec.ObjectStorage.CACertRef.Name, namespace)
-			}
-			return "", errors.Wrapf(err, "error getting certificate secret %s",
-				bsl.Spec.ObjectStorage.CACertRef.Name)
-		}
-
-		keyName := bsl.Spec.ObjectStorage.CACertRef.Key
-		if keyName == "" {
-			return "", errors.New("caCertRef key is empty")
-		}
-
-		certData, ok := secret.Data[keyName]
-		if !ok {
-			return "", errors.Errorf("key %s not found in secret %s",
-				keyName, bsl.Spec.ObjectStorage.CACertRef.Name)
-		}
-
-		return string(certData), nil
-	}
-
-	// Fall back to inline caCert (deprecated)
-	if len(bsl.Spec.ObjectStorage.CACert) > 0 {
+	if bsl.Spec.ObjectStorage != nil && len(bsl.Spec.ObjectStorage.CACert) > 0 {
 		return string(bsl.Spec.ObjectStorage.CACert), nil
 	}

--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				Add `--apply` flag to `install` command, allowing usage of Kubernetes apply to make changes to existing installs
				`@@ -0,0 +1 @@`
				`Fix issue #7725, add design for backup repo cache configuration`
				`@@ -0,0 +1 @@`
				`feat: Permit specifying annotations for the BackupPVC`
				`@@ -0,0 +1 @@`
				`Fix issue #9229, don't attach backupPVC to the source node`
				`@@ -0,0 +1 @@`
				`Update AzureAD Microsoft Authentication Library to v1.5.0`
				`@@ -0,0 +1 @@`
				`Protect VolumeSnapshot field from race condition during multi-thread backup`
				`@@ -0,0 +1 @@`
				`Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment`
				`@@ -0,0 +1 @@`
				`Fix schedule controller to prevent backup queue accumulation during extended blocking scenarios by properly handling empty backup phases`
				`@@ -0,0 +1 @@`
				`Fix issue #7904, remove the code and doc for PVC node selection`
				`@@ -0,0 +1 @@`
				`Implement concurrency control for cache of native VolumeSnapshotter plugin.`