From 5cb0295fdc248dcdbedce2771a47fde67784fdba Mon Sep 17 00:00:00 2001
From: Wesley Miller <wmiller@specterops.io>
Date: Fri, 6 Dec 2024 11:27:12 -0500
Subject: [PATCH 01/11] BED-5060: Prevent user from changing their own
 role/auth (#984)

* BED-5060: Add check for if user is attempting to edit their own role/SSO

* BED-5060: Disable editing roles and auth method for oneself in UI

* BED-5060: Finished implementation of roles/sso guarding
Fix bug where user's password could get deleted
Fix bug with GetAuthSecret not returning errnotfound

* BED-5060: run prepare-for-codereview

* BED-5060: Fix API tests

* refactor: ensure audit secret audit logs are maintained

* BED-5060: add tests for new errors on the API
Adjust update user form to hide fields

* BED-5060: Fix whitespace

* BED-5060: Remove extraneous admin password

---------

Co-authored-by: Mistah J <26472282+mistahj67@users.noreply.github.com>
---
 cmd/api/src/api/error.go                      |   2 +
 cmd/api/src/api/v2/auth/auth.go               |  33 ++--
 cmd/api/src/api/v2/auth/auth_test.go          |  66 ++++++-
 cmd/api/src/database/auth.go                  |  15 +-
 cmd/api/src/database/auth_test.go             |  65 +++++++
 cmd/api/src/go.mod                            |  16 +-
 cmd/api/src/go.sum                            | 166 ++----------------
 .../UpdateUserDialog/UpdateUserDialog.tsx     |   4 +-
 .../UpdateUserForm/UpdateUserForm.tsx         |  31 +++-
 .../bh-shared-ui/src/views/Users/Users.tsx    |   1 +
 10 files changed, 208 insertions(+), 191 deletions(-)

diff --git a/cmd/api/src/api/error.go b/cmd/api/src/api/error.go
index aa5afac6d7..4827d1031a 100644
--- a/cmd/api/src/api/error.go
+++ b/cmd/api/src/api/error.go
@@ -60,6 +60,8 @@ const (
 	ErrorResponsePayloadUnmarshalError              = "error unmarshalling JSON payload"
 	ErrorResponseRequestTimeout                     = "request timed out"
 	ErrorResponseUserSelfDisable                    = "user attempted to disable themselves"
+	ErrorResponseUserSelfRoleChange                 = "user attempted to change own role"
+	ErrorResponseUserSelfSSOProviderChange          = "user attempted to change own SSO Provider"
 	ErrorResponseAGTagWhiteSpace                    = "asset group tags must not contain whitespace"
 	ErrorResponseAGNameTagEmpty                     = "asset group name or tag must not be empty"
 	ErrorResponseAGDuplicateName                    = "asset group name must be unique"
diff --git a/cmd/api/src/api/v2/auth/auth.go b/cmd/api/src/api/v2/auth/auth.go
index ee0373869e..b5073552ad 100644
--- a/cmd/api/src/api/v2/auth/auth.go
+++ b/cmd/api/src/api/v2/auth/auth.go
@@ -364,16 +364,6 @@ func (s ManagementResource) CreateUser(response http.ResponseWriter, request *ht
 	}
 }
 
-func (s ManagementResource) ensureUserHasNoAuthSecret(ctx context.Context, user model.User) error {
-	if user.AuthSecret != nil {
-		if err := s.db.DeleteAuthSecret(ctx, *user.AuthSecret); err != nil {
-			return api.FormatDatabaseError(err)
-		}
-	}
-
-	return nil
-}
-
 func (s ManagementResource) UpdateUser(response http.ResponseWriter, request *http.Request) {
 	var (
 		updateUserRequest v2.UpdateUserRequest
@@ -400,8 +390,10 @@ func (s ManagementResource) UpdateUser(response http.ResponseWriter, request *ht
 		user.PrincipalName = updateUserRequest.Principal
 		user.IsDisabled = updateUserRequest.IsDisabled
 
+		loggedInUser, _ := auth.GetUserFromAuthCtx(authCtx.AuthCtx)
+
 		if user.IsDisabled {
-			if loggedInUser, _ := auth.GetUserFromAuthCtx(authCtx.AuthCtx); user.ID == loggedInUser.ID {
+			if user.ID == loggedInUser.ID {
 				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, api.ErrorResponseUserSelfDisable, request), response)
 				return
 			} else if userSessions, err := s.db.LookupActiveSessionsByUser(request.Context(), user); err != nil {
@@ -419,9 +411,6 @@ func (s ManagementResource) UpdateUser(response http.ResponseWriter, request *ht
 			if samlProviderID, err := serde.ParseInt32(updateUserRequest.SAMLProviderID); err != nil {
 				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, fmt.Sprintf("SAML Provider ID must be a number: %v", err.Error()), request), response)
 				return
-			} else if err := s.ensureUserHasNoAuthSecret(request.Context(), user); err != nil {
-				api.HandleDatabaseError(request, response, err)
-				return
 			} else if provider, err := s.db.GetSAMLProvider(request.Context(), samlProviderID); err != nil {
 				api.HandleDatabaseError(request, response, err)
 				return
@@ -431,10 +420,7 @@ func (s ManagementResource) UpdateUser(response http.ResponseWriter, request *ht
 				user.SSOProviderID = provider.SSOProviderID
 			}
 		} else if updateUserRequest.SSOProviderID.Valid {
-			if err := s.ensureUserHasNoAuthSecret(request.Context(), user); err != nil {
-				api.HandleDatabaseError(request, response, err)
-				return
-			} else if _, err := s.db.GetSSOProviderById(request.Context(), updateUserRequest.SSOProviderID.Int32); err != nil {
+			if _, err := s.db.GetSSOProviderById(request.Context(), updateUserRequest.SSOProviderID.Int32); err != nil {
 				api.HandleDatabaseError(request, response, err)
 				return
 			} else {
@@ -447,6 +433,17 @@ func (s ManagementResource) UpdateUser(response http.ResponseWriter, request *ht
 			user.SSOProviderID = null.NewInt32(0, false)
 		}
 
+		// Prevent a user from modifying their own roles/permissions
+		if user.ID == loggedInUser.ID {
+			if !slices.Equal(roles.IDs(), loggedInUser.Roles.IDs()) {
+				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, api.ErrorResponseUserSelfRoleChange, request), response)
+				return
+			} else if !user.SSOProviderID.Equal(loggedInUser.SSOProviderID) {
+				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, api.ErrorResponseUserSelfSSOProviderChange, request), response)
+				return
+			}
+		}
+
 		if err := s.db.UpdateUser(request.Context(), user); err != nil {
 			api.HandleDatabaseError(request, response, err)
 		} else {
diff --git a/cmd/api/src/api/v2/auth/auth_test.go b/cmd/api/src/api/v2/auth/auth_test.go
index 83a2bdfd95..faef5730eb 100644
--- a/cmd/api/src/api/v2/auth/auth_test.go
+++ b/cmd/api/src/api/v2/auth/auth_test.go
@@ -165,6 +165,7 @@ func TestManagementResource_PutUserAuthSecret(t *testing.T) {
 
 func TestManagementResource_EnableUserSAML(t *testing.T) {
 	var (
+		adminUser         = model.User{Unique: model.Unique{ID: must.NewUUIDv4()}}
 		goodRoles         = []int32{0}
 		goodUserID        = must.NewUUIDv4()
 		badUserID         = must.NewUUIDv4()
@@ -172,6 +173,9 @@ func TestManagementResource_EnableUserSAML(t *testing.T) {
 		resources, mockDB = apitest.NewAuthManagementResource(mockCtrl)
 	)
 
+	bhCtx := ctx.Get(context.WithValue(context.Background(), ctx.ValueKey, &ctx.Context{}))
+	bhCtx.AuthCtx.Owner = adminUser
+
 	defer mockCtrl.Finish()
 
 	t.Run("Successfully update user with deprecated saml provider", func(t *testing.T) {
@@ -181,6 +185,7 @@ func TestManagementResource_EnableUserSAML(t *testing.T) {
 		mockDB.EXPECT().UpdateUser(gomock.Any(), gomock.Any()).Return(nil)
 
 		test.Request(t).
+			WithContext(bhCtx).
 			WithURLPathVars(map[string]string{"user_id": goodUserID.String()}).
 			WithBody(v2.UpdateUserRequest{
 				Principal:      "tester",
@@ -197,9 +202,9 @@ func TestManagementResource_EnableUserSAML(t *testing.T) {
 		mockDB.EXPECT().GetUser(gomock.Any(), badUserID).Return(model.User{AuthSecret: &model.AuthSecret{}}, nil)
 		mockDB.EXPECT().GetSAMLProvider(gomock.Any(), samlProviderID).Return(model.SAMLProvider{}, nil)
 		mockDB.EXPECT().UpdateUser(gomock.Any(), gomock.Any()).Return(nil)
-		mockDB.EXPECT().DeleteAuthSecret(gomock.Any(), gomock.Any()).Return(nil)
 
 		test.Request(t).
+			WithContext(bhCtx).
 			WithURLPathVars(map[string]string{"user_id": badUserID.String()}).
 			WithBody(v2.UpdateUserRequest{
 				Principal:      "tester",
@@ -218,6 +223,7 @@ func TestManagementResource_EnableUserSAML(t *testing.T) {
 		mockDB.EXPECT().UpdateUser(gomock.Any(), gomock.Any()).Return(nil)
 
 		test.Request(t).
+			WithContext(bhCtx).
 			WithURLPathVars(map[string]string{"user_id": goodUserID.String()}).
 			WithBody(v2.UpdateUserRequest{
 				Principal:     "tester",
@@ -1511,6 +1517,64 @@ func TestManagementResource_UpdateUser_SelfDisable(t *testing.T) {
 	require.Contains(t, response.Body.String(), api.ErrorResponseUserSelfDisable)
 }
 
+func TestManagementResource_UpdateUser_UserSelfModify(t *testing.T) {
+	var (
+		adminRole = model.Role{
+			Serial: model.Serial{
+				ID: 1,
+			},
+		}
+		goodRoles = []int32{1}
+		badRole   = model.Role{
+			Serial: model.Serial{
+				ID: 2,
+			},
+		}
+		badRoles          = []int32{2}
+		adminUser         = model.User{AuthSecret: defaultDigestAuthSecret(t, "currentPassword"), Unique: model.Unique{ID: must.NewUUIDv4()}, Roles: model.Roles{adminRole}}
+		mockCtrl          = gomock.NewController(t)
+		resources, mockDB = apitest.NewAuthManagementResource(mockCtrl)
+	)
+
+	bhCtx := ctx.Get(context.WithValue(context.Background(), ctx.ValueKey, &ctx.Context{}))
+	bhCtx.AuthCtx.Owner = adminUser
+
+	defer mockCtrl.Finish()
+
+	t.Run("Prevent users from changing their own SSO provider", func(t *testing.T) {
+		mockDB.EXPECT().GetRoles(gomock.Any(), gomock.Any()).Return(model.Roles{adminRole}, nil)
+		mockDB.EXPECT().GetUser(gomock.Any(), adminUser.ID).Return(adminUser, nil)
+		mockDB.EXPECT().GetSSOProviderById(gomock.Any(), ssoProviderID).Return(model.SSOProvider{}, nil)
+		test.Request(t).
+			WithContext(bhCtx).
+			WithURLPathVars(map[string]string{"user_id": adminUser.ID.String()}).
+			WithBody(v2.UpdateUserRequest{
+				Principal:     "tester",
+				Roles:         goodRoles,
+				SSOProviderID: null.Int32From(123),
+			}).
+			OnHandlerFunc(resources.UpdateUser).
+			Require().
+			ResponseStatusCode(http.StatusBadRequest)
+	})
+
+	t.Run("Prevent users from changing their own roles", func(t *testing.T) {
+		mockDB.EXPECT().GetRoles(gomock.Any(), gomock.Any()).Return(model.Roles{badRole}, nil)
+		mockDB.EXPECT().GetUser(gomock.Any(), adminUser.ID).Return(adminUser, nil)
+
+		test.Request(t).
+			WithContext(bhCtx).
+			WithURLPathVars(map[string]string{"user_id": adminUser.ID.String()}).
+			WithBody(v2.UpdateUserRequest{
+				Principal: "tester",
+				Roles:     badRoles,
+			}).
+			OnHandlerFunc(resources.UpdateUser).
+			Require().
+			ResponseStatusCode(http.StatusBadRequest)
+	})
+}
+
 func TestManagementResource_UpdateUser_LookupActiveSessionsError(t *testing.T) {
 	mockCtrl := gomock.NewController(t)
 	defer mockCtrl.Finish()
diff --git a/cmd/api/src/database/auth.go b/cmd/api/src/database/auth.go
index d65c358bf6..132114688a 100644
--- a/cmd/api/src/database/auth.go
+++ b/cmd/api/src/database/auth.go
@@ -282,6 +282,19 @@ func (s *BloodhoundDB) UpdateUser(ctx context.Context, user model.User) error {
 			return err
 		}
 
+		// AuthSecret must be manually retrieved and deleted
+		if user.AuthSecret == nil {
+			var authSecret model.AuthSecret
+			if err := tx.Raw("SELECT * FROM auth_secrets WHERE user_id = ?", user.ID).First(&authSecret).Error; err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+				return err
+			} else if authSecret.ID > 0 {
+				bhdb := NewBloodhoundDB(tx, s.idResolver)
+				if err := bhdb.DeleteAuthSecret(ctx, authSecret); err != nil {
+					return err
+				}
+			}
+		}
+
 		result := tx.WithContext(ctx).Save(&user)
 		return CheckError(result)
 	})
@@ -431,7 +444,7 @@ func (s *BloodhoundDB) CreateAuthSecret(ctx context.Context, authSecret model.Au
 func (s *BloodhoundDB) GetAuthSecret(ctx context.Context, id int32) (model.AuthSecret, error) {
 	var (
 		authSecret model.AuthSecret
-		result     = s.db.WithContext(ctx).Find(&authSecret, id)
+		result     = s.db.WithContext(ctx).First(&authSecret, id)
 	)
 
 	return authSecret, CheckError(result)
diff --git a/cmd/api/src/database/auth_test.go b/cmd/api/src/database/auth_test.go
index ec586c25e0..1170bd3b7b 100644
--- a/cmd/api/src/database/auth_test.go
+++ b/cmd/api/src/database/auth_test.go
@@ -213,6 +213,71 @@ func TestDatabase_CreateGetDeleteUser(t *testing.T) {
 	}
 }
 
+func TestDatabase_UpdateUserAuth(t *testing.T) {
+	var (
+		ctx          = context.Background()
+		dbInst, user = initAndCreateUser(t)
+		secret       = model.AuthSecret{
+			UserID:       user.ID,
+			Digest:       "digest",
+			DigestMethod: "fake",
+			ExpiresAt:    time.Now().Add(1 * time.Hour),
+		}
+		samlProvider = model.SAMLProvider{
+			Name:            "provider",
+			DisplayName:     "provider name",
+			IssuerURI:       "https://idp.example.com/idp.xml",
+			SingleSignOnURI: "https://idp.example.com/sso",
+		}
+	)
+
+	if newSecret, err := dbInst.CreateAuthSecret(ctx, secret); err != nil {
+		t.Fatalf("Failed to create auth secret: %v", err)
+	} else if err = test.VerifyAuditLogs(dbInst, model.AuditLogActionCreateAuthSecret, "secret_user_id", newSecret.UserID.String()); err != nil {
+		t.Fatalf("Failed to validate CreateAuthSecret audit logs:\n%v", err)
+	} else {
+		if newSAMLProvider, err := dbInst.CreateSAMLIdentityProvider(ctx, samlProvider); err != nil {
+			t.Fatalf("Failed to create SAML provider: %v", err)
+		} else if err = test.VerifyAuditLogs(dbInst, model.AuditLogActionCreateSAMLIdentityProvider, "saml_name", newSAMLProvider.Name); err != nil {
+			t.Fatalf("Failed to validate CreateSAMLIdentityProvider audit logs:\n%v", err)
+		} else {
+			user, err = dbInst.GetUser(ctx, user.ID)
+			if err != nil {
+				t.Fatalf("Failed looking up user by principal %s: %v", user.PrincipalName, err)
+			}
+
+			user.FirstName = null.StringFrom("friendly man")
+
+			if err := dbInst.UpdateUser(ctx, user); err != nil {
+				t.Fatalf("Failed to update user: %v", err)
+			} else if err = test.VerifyAuditLogs(dbInst, model.AuditLogActionUpdateUser, "principal_name", user.PrincipalName); err != nil {
+				t.Fatalf("Failed to validate UpdateUser audit logs:\n%v", err)
+			} else if updatedUser, err := dbInst.GetUser(ctx, user.ID); err != nil {
+				t.Fatalf("Failed looking up user by principal %s: %v", user.PrincipalName, err)
+			} else if updatedUser.AuthSecret == nil {
+				t.Fatalf("Failed to find authsecret for user %s", user.PrincipalName)
+			} else if _, err := dbInst.GetAuthSecret(ctx, updatedUser.AuthSecret.ID); err != nil {
+				t.Fatalf("Failed to get authsecret by id %d", updatedUser.AuthSecret.ID)
+			}
+
+			user.AuthSecret = nil
+			user.SSOProviderID = newSAMLProvider.SSOProviderID
+
+			if err := dbInst.UpdateUser(ctx, user); err != nil {
+				t.Fatalf("Failed to update user: %v", err)
+			} else if err = test.VerifyAuditLogs(dbInst, model.AuditLogActionUpdateUser, "principal_name", user.PrincipalName); err != nil {
+				t.Fatalf("Failed to validate UpdateUser audit logs:\n%v", err)
+			} else if updatedUser, err := dbInst.GetUser(ctx, user.ID); err != nil {
+				t.Fatalf("Failed looking up user by principal %s: %v", user.PrincipalName, err)
+			} else if updatedUser.AuthSecret != nil {
+				t.Fatalf("Found authsecret for user %s but expected it to be removed", user.PrincipalName)
+			} else if _, err := dbInst.GetAuthSecret(ctx, newSecret.ID); err == nil {
+				t.Fatalf("Found authsecret for id %d but expected it to be removed", newSecret.ID)
+			}
+		}
+	}
+}
+
 func TestDatabase_CreateGetDeleteAuthToken(t *testing.T) {
 	var (
 		ctx          = context.Background()
diff --git a/cmd/api/src/go.mod b/cmd/api/src/go.mod
index 604d304ee1..ff892ec33c 100644
--- a/cmd/api/src/go.mod
+++ b/cmd/api/src/go.mod
@@ -27,7 +27,7 @@ require (
 	github.com/go-chi/chi/v5 v5.0.8
 	github.com/gobeam/stringy v0.0.6
 	github.com/gofrs/uuid v4.4.0+incompatible
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v4 v4.5.1
 	github.com/golang/mock v1.6.0
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.8.0
@@ -44,12 +44,11 @@ require (
 	github.com/unrolled/secure v1.13.0
 	go.uber.org/mock v0.2.0
 	golang.org/x/oauth2 v0.23.0
-	gorm.io/driver/postgres v1.3.8
-	gorm.io/gorm v1.23.8
+	gorm.io/driver/postgres v1.5.10
+	gorm.io/gorm v1.25.12
 )
 
 require (
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/beevik/etree v1.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
@@ -61,18 +60,12 @@ require (
 	github.com/go-pkgz/expirable-cache v1.0.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.14.3 // indirect
-	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.3 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgtype v1.14.4 // indirect
-	github.com/jackc/pgx/v4 v4.18.3 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jonboulle/clockwork v0.4.0 // indirect
-	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
@@ -82,6 +75,7 @@ require (
 	github.com/prometheus/procfs v0.11.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.25.0 // indirect
 	golang.org/x/text v0.18.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
diff --git a/cmd/api/src/go.sum b/cmd/api/src/go.sum
index decdd7d534..6f99642472 100644
--- a/cmd/api/src/go.sum
+++ b/cmd/api/src/go.sum
@@ -1,7 +1,3 @@
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
-github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/beevik/etree v1.2.0 h1:l7WETslUG/T+xOPs47dtd6jov2Ii/8/OjCldk5fYfQw=
 github.com/beevik/etree v1.2.0/go.mod h1:aiPf89g/1k3AShMVAzriilpcE4R/Vuor90y83zVZWFc=
@@ -16,13 +12,8 @@ github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/channelmeter/iso8601duration v0.0.0-20150204201828-8da3af7a2a61 h1:o64h9XF42kVEUuhuer2ehqrlX8rZmvQSU0+Vpj1rF6Q=
 github.com/channelmeter/iso8601duration v0.0.0-20150204201828-8da3af7a2a61/go.mod h1:Rp8e0DCtEKwXFOC6JPJQVTz8tuGoGvw6Xfexggh/ed0=
-github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
-github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
 github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
-github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
@@ -40,20 +31,17 @@ github.com/go-chi/chi/v5 v5.0.8 h1:lD+NLqFcAi1ovnVZpsnObHGW4xb4J8lNmoYVfECH1Y0=
 github.com/go-chi/chi/v5 v5.0.8/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
 github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
-github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-pkgz/expirable-cache v0.0.3/go.mod h1:+IauqN00R2FqNRLCLA+X5YljQJrwB179PfiAoMPlTlQ=
 github.com/go-pkgz/expirable-cache v1.0.0 h1:ns5+1hjY8hntGv8bPaQd9Gr7Jyo+Uw5SLyII40aQdtA=
 github.com/go-pkgz/expirable-cache v1.0.0/go.mod h1:GTrEl0X+q0mPNqN6dtcQXksACnzCBQ5k/k1SwXJsZKs=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gobeam/stringy v0.0.6 h1:IboItevQArUAYUbjb7xmtGoJfN5Aqpk3/bVCd7JgWe0=
 github.com/gobeam/stringy v0.0.6/go.mod h1:W3620X9dJHf2FSZF5fRnWekHcHQjwmCz8ZQ2d1qloqE=
-github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
 github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
@@ -61,104 +49,40 @@ github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/schema v1.4.1 h1:jUg5hUjCSDZpNGLuXQOgIWGdlgrIdYvgQ0wZtdK1M3E=
 github.com/gorilla/schema v1.4.1/go.mod h1:Dg5SSm5PV60mhF2NFaTV1xuYYj8tV8NOPRo4FggUMnM=
-github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo=
-github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
-github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
-github.com/jackc/pgconn v0.0.0-20190420214824-7e0022ef6ba3/go.mod h1:jkELnwuX+w9qN5YIfX0fl88Ehu4XC3keFuOJJk9pcnA=
-github.com/jackc/pgconn v0.0.0-20190824142844-760dd75542eb/go.mod h1:lLjNuW/+OfW9/pnVKPazfWOgNfH2aPem8YQ7ilXGvJE=
-github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsUgOEh9hBm+xYTstcNHg7UPMVJqRfQxq4s=
-github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o=
-github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY=
-github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
-github.com/jackc/pgconn v1.12.1/go.mod h1:ZkhRC59Llhrq3oSfrikvwQ5NaxYExr6twkdkMLaKono=
-github.com/jackc/pgconn v1.14.3 h1:bVoTr12EGANZz66nZPkMInAV/KHD2TxH9npjXXgiB3w=
-github.com/jackc/pgconn v1.14.3/go.mod h1:RZbme4uasqzybK2RK5c65VsHxoyaml09lx3tXOcO/VM=
-github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
-github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
-github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE=
-github.com/jackc/pgmock v0.0.0-20201204152224-4fe30f7445fd/go.mod h1:hrBW0Enj2AZTNpt/7Y5rr2xe/9Mn757Wtb2xeBzPv2c=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65 h1:DadwsjnMwFjfWc9y5Wi/+Zz7xoE5ALHsRQlOctkOiHc=
-github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgproto3 v1.1.0/go.mod h1:eR5FA3leWg7p9aeAqi37XOTgTIbkABlvcPB3E5rlc78=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190420180111-c116219b62db/go.mod h1:bhq50y+xrl9n5mRYyCBFKkpRVTLYJVWeCc+mEAI3yXA=
-github.com/jackc/pgproto3/v2 v2.0.0-alpha1.0.20190609003834-432c2951c711/go.mod h1:uH0AWtUmuShn0bcesswc4aBTWGvw0cAxIJp+6OB//Wg=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.0-rc3.0.20190831210041-4c03ce451f29/go.mod h1:ryONWYqW6dqSg1Lw6vXNMXoBJhpzvWKnT95C46ckYeM=
-github.com/jackc/pgproto3/v2 v2.0.6/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.1.1/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.3.0/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgproto3/v2 v2.3.3 h1:1HLSx5H+tXR9pW3in3zaztoEwQYRC9SQaYUHjTSUOag=
-github.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
-github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
-github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
-github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
-github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
-github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
-github.com/jackc/pgtype v1.11.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
-github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
-github.com/jackc/pgtype v1.14.4 h1:fKuNiCumbKTAIxQwXfB/nsrnkEI6bPJrrSiMKgbJ2j8=
-github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
-github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
-github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
-github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
-github.com/jackc/pgx/v4 v4.16.1/go.mod h1:SIhx0D5hoADaiXZVyv+3gSm3LCIIINTVO0PficsvWGQ=
-github.com/jackc/pgx/v4 v4.18.3 h1:dE2/TrEsGX3RBprb3qryqSV9Y60iZN1C6i8IrmW9/BA=
-github.com/jackc/pgx/v4 v4.18.3/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgx/v5 v5.7.1 h1:x7SYsPBYDkHDksogeSmZZ5xzThcTgRz++I5E+ePFUcs=
-github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
-github.com/jackc/puddle v1.3.0 h1:eHK/5clGOatcjX3oWGBO/MpxpbHzSwud5EWTSCI+MX0=
+github.com/jackc/pgx/v5 v5.7.1/go.mod h1:e7O26IywZZ+naJtWWos6i6fvWK+29etgITqrqHLfoZA=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jedib0t/go-pretty/v6 v6.4.6 h1:v6aG9h6Uby3IusSSEjHaZNXpHFhzqMmjXcPq1Rjl9Jw=
 github.com/jedib0t/go-pretty/v6 v6.4.6/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
-github.com/jinzhu/now v1.1.4/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
 github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
-github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
-github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
-github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
@@ -186,26 +110,13 @@ github.com/prometheus/procfs v0.11.0/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPH
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
-github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
-github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
 github.com/russellhaering/goxmldsig v1.4.0 h1:8UcDh/xGyQiyrW+Fq5t8f+l2DLB1+zlhYzkPUJ7Qhys=
 github.com/russellhaering/goxmldsig v1.4.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
-github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
-github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
-github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
@@ -216,43 +127,19 @@ github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/teambition/rrule-go v1.8.2 h1:lIjpjvWTj9fFUZCmuoVDrKVOtdiyzbzc93qTmRVe/J8=
+github.com/teambition/rrule-go v1.8.2/go.mod h1:Ieq5AbrKGciP1V//Wq8ktsTXwSwJHDD5mD/wLBGl3p4=
 github.com/unrolled/secure v1.13.0 h1:sdr3Phw2+f8Px8HE5sd1EHdj1aV3yUwed/uZXChLFsk=
 github.com/unrolled/secure v1.13.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
-go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
-go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
-go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/mock v0.2.0 h1:TaP3xedm7JaAgScZO7tlvlKrqT0p7I6OsdGB5YNSMDU=
 go.uber.org/mock v0.2.0/go.mod h1:J0y0rp9L3xiff1+ZBfKxlC1fz2+aO16tw0tsDOixfuM=
-go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
-go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
-go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
-go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190411191339-88737f569e3a/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
@@ -260,46 +147,26 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -313,16 +180,13 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/postgres v1.3.8 h1:8bEphSAB69t3odsCR4NDzt581iZEWQuRM27Cg6KgfPY=
-gorm.io/driver/postgres v1.3.8/go.mod h1:qB98Aj6AhRO/oyu/jmZsi/YM9g6UzVCjMxO/6frFvcA=
-gorm.io/gorm v1.23.6/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
-gorm.io/gorm v1.23.8 h1:h8sGJ+biDgBA1AD1Ha9gFCx7h8npU7AsLdlkX0n2TpE=
-gorm.io/gorm v1.23.8/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
+gorm.io/driver/postgres v1.5.10 h1:7Lggqempgy496c0WfHXsYWxk3Th+ZcW66/21QhVFdeE=
+gorm.io/driver/postgres v1.5.10/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
+gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
+gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
diff --git a/packages/javascript/bh-shared-ui/src/components/UpdateUserDialog/UpdateUserDialog.tsx b/packages/javascript/bh-shared-ui/src/components/UpdateUserDialog/UpdateUserDialog.tsx
index 53f82fc860..c75cb77af9 100644
--- a/packages/javascript/bh-shared-ui/src/components/UpdateUserDialog/UpdateUserDialog.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/UpdateUserDialog/UpdateUserDialog.tsx
@@ -25,9 +25,10 @@ const UpdateUserDialog: React.FC<{
     onExited?: () => void;
     onSave: (user: UpdateUserRequest) => Promise<any>;
     userId: string;
+    hasSelectedSelf: boolean;
     isLoading: boolean;
     error: any;
-}> = ({ open, onClose, onExited, userId, onSave, isLoading, error }) => {
+}> = ({ open, onClose, onExited, userId, onSave, hasSelectedSelf, isLoading, error }) => {
     const handleOnSave = (user: UpdateUserRequestForm) => {
         let parsedSSOProviderId: number | undefined = undefined;
         if (user.SSOProviderId) {
@@ -64,6 +65,7 @@ const UpdateUserDialog: React.FC<{
                 onCancel={onClose}
                 onSubmit={handleOnSave}
                 userId={userId}
+                hasSelectedSelf={hasSelectedSelf}
                 isLoading={isLoading}
                 error={error}
             />
diff --git a/packages/javascript/bh-shared-ui/src/components/UpdateUserForm/UpdateUserForm.tsx b/packages/javascript/bh-shared-ui/src/components/UpdateUserForm/UpdateUserForm.tsx
index 03f050b145..2792f12050 100644
--- a/packages/javascript/bh-shared-ui/src/components/UpdateUserForm/UpdateUserForm.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/UpdateUserForm/UpdateUserForm.tsx
@@ -41,9 +41,10 @@ const UpdateUserForm: React.FC<{
     onCancel: () => void;
     onSubmit: (user: UpdateUserRequestForm) => void;
     userId: string;
+    hasSelectedSelf: boolean;
     isLoading: boolean;
     error: any;
-}> = ({ onCancel, onSubmit, userId, isLoading, error }) => {
+}> = ({ onCancel, onSubmit, userId, hasSelectedSelf, isLoading, error }) => {
     const getUserQuery = useQuery(
         ['getUser', userId],
         ({ signal }) => apiClient.getUser(userId, { signal }).then((res) => res.data.data),
@@ -118,6 +119,7 @@ const UpdateUserForm: React.FC<{
             }}
             roles={getRolesQuery.data}
             SSOProviders={listSSOProvidersQuery.data}
+            hasSelectedSelf={hasSelectedSelf}
             isLoading={isLoading}
             error={error}
         />
@@ -130,9 +132,10 @@ const UpdateUserFormInner: React.FC<{
     initialData: UpdateUserRequestForm;
     roles: any[];
     SSOProviders?: SSOProvider[];
+    hasSelectedSelf: boolean;
     isLoading: boolean;
     error: any;
-}> = ({ onCancel, onSubmit, initialData, roles, SSOProviders, isLoading, error }) => {
+}> = ({ onCancel, onSubmit, initialData, roles, SSOProviders, hasSelectedSelf, isLoading, error }) => {
     const {
         control,
         handleSubmit,
@@ -247,7 +250,10 @@ const UpdateUserFormInner: React.FC<{
                                 }}
                                 render={({ field: { onChange, onBlur, value, ref } }) => (
                                     <FormControl>
-                                        <InputLabel id='authenticationMethod-label' sx={{ ml: '-14px', mt: '8px' }}>
+                                        <InputLabel
+                                            id='authenticationMethod-label'
+                                            sx={{ ml: '-14px', mt: '8px' }}
+                                            hidden={hasSelectedSelf}>
                                             Authentication Method
                                         </InputLabel>
                                         <Select
@@ -260,7 +266,8 @@ const UpdateUserFormInner: React.FC<{
                                             name='authenticationMethod'
                                             variant='standard'
                                             fullWidth
-                                            data-testid='update-user-dialog_select-authentication-method'>
+                                            data-testid='update-user-dialog_select-authentication-method'
+                                            hidden={hasSelectedSelf}>
                                             <MenuItem value='password'>Username / Password</MenuItem>
                                             {SSOProviders && SSOProviders.length > 0 && (
                                                 <MenuItem value='sso'>Single Sign-On (SSO)</MenuItem>
@@ -281,7 +288,10 @@ const UpdateUserFormInner: React.FC<{
                                     }}
                                     render={({ field: { onChange, onBlur, value, ref } }) => (
                                         <FormControl>
-                                            <InputLabel id='SSOProviderId-label' sx={{ ml: '-14px', mt: '8px' }}>
+                                            <InputLabel
+                                                id='SSOProviderId-label'
+                                                sx={{ ml: '-14px', mt: '8px' }}
+                                                hidden={hasSelectedSelf}>
                                                 SSO Provider
                                             </InputLabel>
                                             <Select
@@ -295,7 +305,8 @@ const UpdateUserFormInner: React.FC<{
                                                 name='SSOProviderId'
                                                 variant='standard'
                                                 fullWidth
-                                                data-testid='update-user-dialog_select-sso-provider'>
+                                                data-testid='update-user-dialog_select-sso-provider'
+                                                hidden={hasSelectedSelf}>
                                                 {SSOProviders?.map((SSOProvider: SSOProvider) => (
                                                     <MenuItem value={SSOProvider.id.toString()} key={SSOProvider.id}>
                                                         {SSOProvider.name}
@@ -319,7 +330,10 @@ const UpdateUserFormInner: React.FC<{
                             }}
                             render={({ field }) => (
                                 <FormControl>
-                                    <InputLabel id='role-label' sx={{ ml: '-14px', mt: '8px' }}>
+                                    <InputLabel
+                                        id='role-label'
+                                        sx={{ ml: '-14px', mt: '8px' }}
+                                        hidden={hasSelectedSelf}>
                                         Role
                                     </InputLabel>
                                     <Select
@@ -333,7 +347,8 @@ const UpdateUserFormInner: React.FC<{
                                         value={isNaN(field.value) ? '' : field.value.toString()}
                                         variant='standard'
                                         fullWidth
-                                        data-testid='update-user-dialog_select-role'>
+                                        data-testid='update-user-dialog_select-role'
+                                        hidden={hasSelectedSelf}>
                                         {roles.map((role: any) => (
                                             <MenuItem key={role.id} value={role.id.toString()}>
                                                 {role.name}
diff --git a/packages/javascript/bh-shared-ui/src/views/Users/Users.tsx b/packages/javascript/bh-shared-ui/src/views/Users/Users.tsx
index 12809920b0..720ab49d46 100644
--- a/packages/javascript/bh-shared-ui/src/views/Users/Users.tsx
+++ b/packages/javascript/bh-shared-ui/src/views/Users/Users.tsx
@@ -270,6 +270,7 @@ const Users = () => {
                 onClose={toggleUpdateUserDialog}
                 onExited={updateUserMutation.reset}
                 userId={selectedUserId!}
+                hasSelectedSelf={hasSelectedSelf}
                 onSave={updateUserMutation.mutateAsync}
                 isLoading={updateUserMutation.isLoading}
                 error={updateUserMutation.error}

From a420a325f7759fe9a5a81b949ff65af8510c3481 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20B=C3=BClow=20Knudsen?=
 <12843299+JonasBK@users.noreply.github.com>
Date: Mon, 9 Dec 2024 19:37:50 +0100
Subject: [PATCH 02/11] Fix: EnrollOnBehalfOf logic issue (#1002)

---
 .../src/analysis/ad/adcs_integration_test.go  |  85 +++++-
 cmd/api/src/test/integration/harnesses.go     |  99 +++++--
 .../harnesses/enrollonbehalfof-1.json         |  88 +++---
 .../harnesses/enrollonbehalfof-1.svg          |  19 +-
 .../harnesses/enrollonbehalfof-2.json         | 242 +++++++----------
 .../harnesses/enrollonbehalfof-2.svg          |  19 +-
 .../harnesses/enrollonbehalfof-3.json         | 256 ++++++++++++++++++
 .../harnesses/enrollonbehalfof-3.svg          |   1 +
 packages/go/analysis/ad/adcs.go               |  37 +--
 packages/go/analysis/ad/esc3.go               | 115 ++++----
 10 files changed, 636 insertions(+), 325 deletions(-)
 create mode 100644 cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.json
 create mode 100644 cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg

diff --git a/cmd/api/src/analysis/ad/adcs_integration_test.go b/cmd/api/src/analysis/ad/adcs_integration_test.go
index 39e9bd9213..5a85fe3ed2 100644
--- a/cmd/api/src/analysis/ad/adcs_integration_test.go
+++ b/cmd/api/src/analysis/ad/adcs_integration_test.go
@@ -447,63 +447,75 @@ func TestTrustedForNTAuth(t *testing.T) {
 func TestEnrollOnBehalfOf(t *testing.T) {
 	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
 	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
-		harness.EnrollOnBehalfOfHarnessOne.Setup(testContext)
+		harness.EnrollOnBehalfOfHarness1.Setup(testContext)
 		return nil
 	}, func(harness integration.HarnessDetails, db graph.Database) {
 		certTemplates, err := ad2.FetchNodesByKind(context.Background(), db, ad.CertTemplate)
 		v1Templates := make([]*graph.Node, 0)
+		v2Templates := make([]*graph.Node, 0)
+
 		for _, template := range certTemplates {
 			if version, err := template.Properties.Get(ad.SchemaVersion.String()).Float64(); err != nil {
 				continue
 			} else if version == 1 {
 				v1Templates = append(v1Templates, template)
 			} else if version >= 2 {
-				continue
+				v2Templates = append(v2Templates, template)
 			}
 		}
 
 		require.Nil(t, err)
 
 		db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
-			results, err := ad2.EnrollOnBehalfOfVersionOne(tx, v1Templates, certTemplates)
+			results, err := ad2.EnrollOnBehalfOfVersionOne(tx, v1Templates, certTemplates, harness.EnrollOnBehalfOfHarness1.Domain1)
 			require.Nil(t, err)
 
 			require.Len(t, results, 3)
 
 			require.Contains(t, results, analysis.CreatePostRelationshipJob{
-				FromID: harness.EnrollOnBehalfOfHarnessOne.CertTemplate11.ID,
-				ToID:   harness.EnrollOnBehalfOfHarnessOne.CertTemplate12.ID,
+				FromID: harness.EnrollOnBehalfOfHarness1.CertTemplate11.ID,
+				ToID:   harness.EnrollOnBehalfOfHarness1.CertTemplate12.ID,
 				Kind:   ad.EnrollOnBehalfOf,
 			})
 
 			require.Contains(t, results, analysis.CreatePostRelationshipJob{
-				FromID: harness.EnrollOnBehalfOfHarnessOne.CertTemplate13.ID,
-				ToID:   harness.EnrollOnBehalfOfHarnessOne.CertTemplate12.ID,
+				FromID: harness.EnrollOnBehalfOfHarness1.CertTemplate13.ID,
+				ToID:   harness.EnrollOnBehalfOfHarness1.CertTemplate12.ID,
 				Kind:   ad.EnrollOnBehalfOf,
 			})
 
 			require.Contains(t, results, analysis.CreatePostRelationshipJob{
-				FromID: harness.EnrollOnBehalfOfHarnessOne.CertTemplate12.ID,
-				ToID:   harness.EnrollOnBehalfOfHarnessOne.CertTemplate12.ID,
+				FromID: harness.EnrollOnBehalfOfHarness1.CertTemplate12.ID,
+				ToID:   harness.EnrollOnBehalfOfHarness1.CertTemplate12.ID,
 				Kind:   ad.EnrollOnBehalfOf,
 			})
 
 			return nil
 		})
+
+		db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
+			results, err := ad2.EnrollOnBehalfOfVersionTwo(tx, v2Templates, certTemplates, harness.EnrollOnBehalfOfHarness1.Domain1)
+			require.Nil(t, err)
+
+			require.Len(t, results, 0)
+
+			return nil
+		})
 	})
 
 	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
-		harness.EnrollOnBehalfOfHarnessTwo.Setup(testContext)
+		harness.EnrollOnBehalfOfHarness2.Setup(testContext)
 		return nil
 	}, func(harness integration.HarnessDetails, db graph.Database) {
 		certTemplates, err := ad2.FetchNodesByKind(context.Background(), db, ad.CertTemplate)
+		v1Templates := make([]*graph.Node, 0)
 		v2Templates := make([]*graph.Node, 0)
 
 		for _, template := range certTemplates {
 			if version, err := template.Properties.Get(ad.SchemaVersion.String()).Float64(); err != nil {
 				continue
 			} else if version == 1 {
-				continue
+				v1Templates = append(v1Templates, template)
 			} else if version >= 2 {
 				v2Templates = append(v2Templates, template)
 			}
@@ -512,15 +524,60 @@ func TestEnrollOnBehalfOf(t *testing.T) {
 		require.Nil(t, err)
 
 		db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
-			results, err := ad2.EnrollOnBehalfOfVersionTwo(tx, v2Templates, certTemplates)
+			results, err := ad2.EnrollOnBehalfOfVersionOne(tx, v1Templates, certTemplates, harness.EnrollOnBehalfOfHarness2.Domain2)
+			require.Nil(t, err)
+
+			require.Len(t, results, 0)
+			return nil
+		})
+
+		db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
+			results, err := ad2.EnrollOnBehalfOfVersionTwo(tx, v2Templates, certTemplates, harness.EnrollOnBehalfOfHarness2.Domain2)
 			require.Nil(t, err)
 
 			require.Len(t, results, 1)
 			require.Contains(t, results, analysis.CreatePostRelationshipJob{
-				FromID: harness.EnrollOnBehalfOfHarnessTwo.CertTemplate21.ID,
-				ToID:   harness.EnrollOnBehalfOfHarnessTwo.CertTemplate23.ID,
+				FromID: harness.EnrollOnBehalfOfHarness2.CertTemplate21.ID,
+				ToID:   harness.EnrollOnBehalfOfHarness2.CertTemplate23.ID,
 				Kind:   ad.EnrollOnBehalfOf,
 			})
+			return nil
+		})
+	})
+
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
+		harness.EnrollOnBehalfOfHarness3.Setup(testContext)
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
+		operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - EnrollOnBehalfOf 3")
+
+		_, enterpriseCertAuthorities, certTemplates, domains, cache, err := FetchADCSPrereqs(db)
+		require.Nil(t, err)
+
+		if err := ad2.PostEnrollOnBehalfOf(domains, enterpriseCertAuthorities, certTemplates, cache, operation); err != nil {
+			t.Logf("failed post processing for %s: %v", ad.EnrollOnBehalfOf.String(), err)
+		}
+		err = operation.Done()
+		require.Nil(t, err)
+
+		db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
+			if startNodes, err := ops.FetchStartNodes(tx.Relationships().Filterf(func() graph.Criteria {
+				return query.Kind(query.Relationship(), ad.EnrollOnBehalfOf)
+			})); err != nil {
+				t.Fatalf("error fetching EnrollOnBehalfOf edges in integration test; %v", err)
+			} else if endNodes, err := ops.FetchStartNodes(tx.Relationships().Filterf(func() graph.Criteria {
+				return query.Kind(query.Relationship(), ad.EnrollOnBehalfOf)
+			})); err != nil {
+				t.Fatalf("error fetching EnrollOnBehalfOf edges in integration test; %v", err)
+			} else {
+				require.Len(t, startNodes, 2)
+				require.True(t, startNodes.Contains(harness.EnrollOnBehalfOfHarness3.CertTemplate11))
+				require.True(t, startNodes.Contains(harness.EnrollOnBehalfOfHarness3.CertTemplate12))
+
+				require.Len(t, endNodes, 2)
+				require.True(t, startNodes.Contains(harness.EnrollOnBehalfOfHarness3.CertTemplate12))
+				require.True(t, startNodes.Contains(harness.EnrollOnBehalfOfHarness3.CertTemplate12))
+			}
 
 			return nil
 		})
diff --git a/cmd/api/src/test/integration/harnesses.go b/cmd/api/src/test/integration/harnesses.go
index 637aebc7c0..dede7f384a 100644
--- a/cmd/api/src/test/integration/harnesses.go
+++ b/cmd/api/src/test/integration/harnesses.go
@@ -1595,7 +1595,7 @@ func (s *ADCSESC1HarnessAuthUsers) Setup(graphTestContext *GraphTestContext) {
 	graphTestContext.UpdateNode(s.AuthUsers)
 }
 
-type EnrollOnBehalfOfHarnessTwo struct {
+type EnrollOnBehalfOfHarness2 struct {
 	Domain2        *graph.Node
 	AuthStore2     *graph.Node
 	RootCA2        *graph.Node
@@ -1604,10 +1604,9 @@ type EnrollOnBehalfOfHarnessTwo struct {
 	CertTemplate22 *graph.Node
 	CertTemplate23 *graph.Node
 	CertTemplate24 *graph.Node
-	CertTemplate25 *graph.Node
 }
 
-func (s *EnrollOnBehalfOfHarnessTwo) Setup(gt *GraphTestContext) {
+func (s *EnrollOnBehalfOfHarness2) Setup(gt *GraphTestContext) {
 	certRequestAgentEKU := make([]string, 0)
 	certRequestAgentEKU = append(certRequestAgentEKU, adAnalysis.EkuCertRequestAgent)
 	emptyAppPolicies := make([]string, 0)
@@ -1623,7 +1622,7 @@ func (s *EnrollOnBehalfOfHarnessTwo) Setup(gt *GraphTestContext) {
 		SubjectAltRequireUPN:    false,
 		SubjectAltRequireSPN:    false,
 		NoSecurityExtension:     false,
-		SchemaVersion:           1,
+		SchemaVersion:           2,
 		AuthorizedSignatures:    0,
 		EffectiveEKUs:           certRequestAgentEKU,
 		ApplicationPolicies:     emptyAppPolicies,
@@ -1635,7 +1634,7 @@ func (s *EnrollOnBehalfOfHarnessTwo) Setup(gt *GraphTestContext) {
 		SubjectAltRequireUPN:    false,
 		SubjectAltRequireSPN:    false,
 		NoSecurityExtension:     false,
-		SchemaVersion:           1,
+		SchemaVersion:           2,
 		AuthorizedSignatures:    0,
 		EffectiveEKUs:           []string{adAnalysis.EkuCertRequestAgent, adAnalysis.EkuAnyPurpose},
 		ApplicationPolicies:     emptyAppPolicies,
@@ -1664,18 +1663,6 @@ func (s *EnrollOnBehalfOfHarnessTwo) Setup(gt *GraphTestContext) {
 		EffectiveEKUs:           emptyAppPolicies,
 		ApplicationPolicies:     emptyAppPolicies,
 	})
-	s.CertTemplate25 = gt.NewActiveDirectoryCertTemplate("certtemplate2-5", sid, CertTemplateData{
-		RequiresManagerApproval: false,
-		AuthenticationEnabled:   false,
-		EnrolleeSuppliesSubject: false,
-		SubjectAltRequireUPN:    false,
-		SubjectAltRequireSPN:    false,
-		NoSecurityExtension:     false,
-		SchemaVersion:           1,
-		AuthorizedSignatures:    1,
-		EffectiveEKUs:           emptyAppPolicies,
-		ApplicationPolicies:     emptyAppPolicies,
-	})
 
 	gt.NewRelationship(s.AuthStore2, s.Domain2, ad.NTAuthStoreFor)
 	gt.NewRelationship(s.RootCA2, s.Domain2, ad.RootCAFor)
@@ -1685,10 +1672,9 @@ func (s *EnrollOnBehalfOfHarnessTwo) Setup(gt *GraphTestContext) {
 	gt.NewRelationship(s.CertTemplate22, s.EnterpriseCA2, ad.PublishedTo)
 	gt.NewRelationship(s.CertTemplate23, s.EnterpriseCA2, ad.PublishedTo)
 	gt.NewRelationship(s.CertTemplate24, s.EnterpriseCA2, ad.PublishedTo)
-	gt.NewRelationship(s.CertTemplate25, s.EnterpriseCA2, ad.PublishedTo)
 }
 
-type EnrollOnBehalfOfHarnessOne struct {
+type EnrollOnBehalfOfHarness1 struct {
 	Domain1        *graph.Node
 	AuthStore1     *graph.Node
 	RootCA1        *graph.Node
@@ -1698,7 +1684,7 @@ type EnrollOnBehalfOfHarnessOne struct {
 	CertTemplate13 *graph.Node
 }
 
-func (s *EnrollOnBehalfOfHarnessOne) Setup(gt *GraphTestContext) {
+func (s *EnrollOnBehalfOfHarness1) Setup(gt *GraphTestContext) {
 	sid := RandomDomainSID()
 	anyPurposeEkus := make([]string, 0)
 	anyPurposeEkus = append(anyPurposeEkus, adAnalysis.EkuAnyPurpose)
@@ -1753,6 +1739,74 @@ func (s *EnrollOnBehalfOfHarnessOne) Setup(gt *GraphTestContext) {
 	gt.NewRelationship(s.CertTemplate13, s.EnterpriseCA1, ad.PublishedTo)
 }
 
+type EnrollOnBehalfOfHarness3 struct {
+	Domain1        *graph.Node
+	AuthStore1     *graph.Node
+	RootCA1        *graph.Node
+	EnterpriseCA1  *graph.Node
+	EnterpriseCA2  *graph.Node
+	CertTemplate11 *graph.Node
+	CertTemplate12 *graph.Node
+	CertTemplate13 *graph.Node
+}
+
+func (s *EnrollOnBehalfOfHarness3) Setup(gt *GraphTestContext) {
+	sid := RandomDomainSID()
+	anyPurposeEkus := make([]string, 0)
+	anyPurposeEkus = append(anyPurposeEkus, adAnalysis.EkuAnyPurpose)
+	emptyAppPolicies := make([]string, 0)
+	s.Domain1 = gt.NewActiveDirectoryDomain("domain1", sid, false, true)
+	s.AuthStore1 = gt.NewActiveDirectoryNTAuthStore("authstore1", sid)
+	s.RootCA1 = gt.NewActiveDirectoryRootCA("rca1", sid)
+	s.EnterpriseCA1 = gt.NewActiveDirectoryEnterpriseCA("eca1", sid)
+	s.EnterpriseCA2 = gt.NewActiveDirectoryEnterpriseCA("eca2", sid)
+	s.CertTemplate11 = gt.NewActiveDirectoryCertTemplate("certtemplate1-1", sid, CertTemplateData{
+		RequiresManagerApproval: false,
+		AuthenticationEnabled:   false,
+		EnrolleeSuppliesSubject: false,
+		SubjectAltRequireUPN:    false,
+		SubjectAltRequireSPN:    false,
+		NoSecurityExtension:     false,
+		SchemaVersion:           2,
+		AuthorizedSignatures:    0,
+		EffectiveEKUs:           anyPurposeEkus,
+		ApplicationPolicies:     emptyAppPolicies,
+	})
+	s.CertTemplate12 = gt.NewActiveDirectoryCertTemplate("certtemplate1-2", sid, CertTemplateData{
+		RequiresManagerApproval: false,
+		AuthenticationEnabled:   false,
+		EnrolleeSuppliesSubject: false,
+		SubjectAltRequireUPN:    false,
+		SubjectAltRequireSPN:    false,
+		NoSecurityExtension:     false,
+		SchemaVersion:           1,
+		AuthorizedSignatures:    0,
+		EffectiveEKUs:           anyPurposeEkus,
+		ApplicationPolicies:     emptyAppPolicies,
+	})
+	s.CertTemplate13 = gt.NewActiveDirectoryCertTemplate("certtemplate1-3", sid, CertTemplateData{
+		RequiresManagerApproval: false,
+		AuthenticationEnabled:   false,
+		EnrolleeSuppliesSubject: false,
+		SubjectAltRequireUPN:    false,
+		SubjectAltRequireSPN:    false,
+		NoSecurityExtension:     false,
+		SchemaVersion:           2,
+		AuthorizedSignatures:    0,
+		EffectiveEKUs:           anyPurposeEkus,
+		ApplicationPolicies:     emptyAppPolicies,
+	})
+
+	gt.NewRelationship(s.AuthStore1, s.Domain1, ad.NTAuthStoreFor)
+	gt.NewRelationship(s.RootCA1, s.Domain1, ad.RootCAFor)
+	gt.NewRelationship(s.EnterpriseCA1, s.AuthStore1, ad.TrustedForNTAuth)
+	gt.NewRelationship(s.EnterpriseCA1, s.RootCA1, ad.EnterpriseCAFor)
+	gt.NewRelationship(s.EnterpriseCA2, s.RootCA1, ad.EnterpriseCAFor)
+	gt.NewRelationship(s.CertTemplate11, s.EnterpriseCA1, ad.PublishedTo)
+	gt.NewRelationship(s.CertTemplate12, s.EnterpriseCA1, ad.PublishedTo)
+	gt.NewRelationship(s.CertTemplate13, s.EnterpriseCA2, ad.PublishedTo)
+}
+
 type ADCSGoldenCertHarness struct {
 	NTAuthStore1  *graph.Node
 	RootCA1       *graph.Node
@@ -8437,8 +8491,9 @@ type HarnessDetails struct {
 	ShortcutHarnessEveryone2                        ShortcutHarnessEveryone2
 	ADCSESC1Harness                                 ADCSESC1Harness
 	ADCSESC1HarnessAuthUsers                        ADCSESC1HarnessAuthUsers
-	EnrollOnBehalfOfHarnessOne                      EnrollOnBehalfOfHarnessOne
-	EnrollOnBehalfOfHarnessTwo                      EnrollOnBehalfOfHarnessTwo
+	EnrollOnBehalfOfHarness1                        EnrollOnBehalfOfHarness1
+	EnrollOnBehalfOfHarness2                        EnrollOnBehalfOfHarness2
+	EnrollOnBehalfOfHarness3                        EnrollOnBehalfOfHarness3
 	ADCSGoldenCertHarness                           ADCSGoldenCertHarness
 	IssuedSignedByHarness                           IssuedSignedByHarness
 	EnterpriseCAForHarness                          EnterpriseCAForHarness
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.json b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.json
index cc51045b70..9232e6f121 100644
--- a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.json
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.json
@@ -54,10 +54,10 @@
   },
   "nodes": [
     {
-      "id": "n1",
+      "id": "n0",
       "position": {
-        "x": 729.9551990267428,
-        "y": -4
+        "x": 675.9551990267428,
+        "y": 50
       },
       "caption": "Domain1",
       "labels": [],
@@ -67,10 +67,10 @@
       }
     },
     {
-      "id": "n2",
+      "id": "n1",
       "position": {
-        "x": 129,
-        "y": 273.97628342478527
+        "x": 75,
+        "y": 327.97628342478527
       },
       "caption": "CertTemplate1-1",
       "labels": [],
@@ -83,10 +83,10 @@
       }
     },
     {
-      "id": "n3",
+      "id": "n2",
       "position": {
-        "x": 487.6313891898351,
-        "y": -4
+        "x": 433.6313891898351,
+        "y": 50
       },
       "caption": "NTAuthStore1",
       "labels": [],
@@ -96,10 +96,10 @@
       }
     },
     {
-      "id": "n4",
+      "id": "n3",
       "position": {
-        "x": 487.6313891898351,
-        "y": 273.97628342478527
+        "x": 433.6313891898351,
+        "y": 327.97628342478527
       },
       "caption": "EnterpriseCA1",
       "labels": [],
@@ -109,10 +109,10 @@
       }
     },
     {
-      "id": "n5",
+      "id": "n4",
       "position": {
-        "x": 230.03558347937087,
-        "y": 551.9525668495705
+        "x": 176.03558347937087,
+        "y": 605.9525668495705
       },
       "caption": "CertTemplate1-2",
       "labels": [],
@@ -125,10 +125,10 @@
       }
     },
     {
-      "id": "n6",
+      "id": "n5",
       "position": {
-        "x": 508.01086036954564,
-        "y": 551.2045130499298
+        "x": 454.01086036954564,
+        "y": 605.2045130499298
       },
       "caption": "CertTemplate1-3",
       "labels": [],
@@ -141,10 +141,10 @@
       }
     },
     {
-      "id": "n7",
+      "id": "n6",
       "position": {
-        "x": 729.9551990267428,
-        "y": 273.97628342478527
+        "x": 675.9551990267428,
+        "y": 327.97628342478527
       },
       "caption": "RootCA1",
       "labels": [],
@@ -157,64 +157,64 @@
   "relationships": [
     {
       "id": "n0",
-      "fromId": "n3",
-      "toId": "n1",
+      "fromId": "n2",
+      "toId": "n0",
       "type": "NTAuthStoreFor",
       "properties": {},
       "style": {}
     },
     {
       "id": "n1",
-      "fromId": "n4",
-      "toId": "n3",
+      "fromId": "n3",
+      "toId": "n2",
       "type": "TrustedForNTAuth",
       "properties": {},
       "style": {}
     },
     {
       "id": "n2",
-      "fromId": "n2",
-      "toId": "n4",
+      "fromId": "n1",
+      "toId": "n3",
       "type": "PublishedTo",
       "properties": {},
       "style": {}
     },
     {
       "id": "n3",
-      "fromId": "n5",
-      "toId": "n4",
+      "fromId": "n4",
+      "toId": "n3",
       "type": "PublishedTo",
       "properties": {},
       "style": {}
     },
     {
       "id": "n4",
-      "fromId": "n6",
-      "toId": "n4",
+      "fromId": "n5",
+      "toId": "n3",
       "type": "PublishedTo",
       "properties": {},
       "style": {}
     },
     {
       "id": "n5",
-      "fromId": "n7",
-      "toId": "n1",
+      "fromId": "n6",
+      "toId": "n0",
       "type": "RootCAFor",
       "properties": {},
       "style": {}
     },
     {
       "id": "n6",
-      "fromId": "n4",
-      "toId": "n7",
+      "fromId": "n3",
+      "toId": "n6",
       "type": "EnterpriseCAFor",
       "properties": {},
       "style": {}
     },
     {
       "id": "n7",
-      "fromId": "n2",
-      "toId": "n5",
+      "fromId": "n1",
+      "toId": "n4",
       "type": "EnrollOnBehalfOf",
       "properties": {},
       "style": {
@@ -223,13 +223,23 @@
     },
     {
       "id": "n8",
-      "fromId": "n6",
-      "toId": "n5",
+      "fromId": "n5",
+      "toId": "n4",
       "type": "EnrollOnBehalfOf",
       "properties": {},
       "style": {
         "arrow-color": "#68ccca"
       }
+    },
+    {
+      "id": "n9",
+      "type": "EnrollOnBehalfOf",
+      "style": {
+        "arrow-color": "#68ccca"
+      },
+      "properties": {},
+      "fromId": "n4",
+      "toId": "n4"
     }
   ]
 }
\ No newline at end of file
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.svg b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.svg
index a86d80d2f0..6fcfa6838d 100644
--- a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.svg
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.svg
@@ -1,18 +1 @@
-<!--
-Copyright 2023 Specter Ops, Inc.
-
-Licensed under the Apache License, Version 2.0
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-SPDX-License-Identifier: Apache-2.0
--->
-<svg xmlns="http://www.w3.org/2000/svg" width="930" height="688" viewBox="0 0 930 688"><defs><style type="text/css"/></defs><g transform="translate(145.48131104527477 58) scale(1)"><g class="relationship"><g transform="translate(487.6313891898351 -4) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(596.3622187994148 -4) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.92499923706055 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.8499984741211" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(487.6313891898351 273.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(487.6313891898351 147.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-73.59166717529297 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="147.18333435058594" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(129 273.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 274.7692385720868 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(299.6313891898351 0) rotate(0)" stroke="none"/></g><g transform="translate(295.8846192860434 273.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-50.766666412353516 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="101.53333282470703" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(230.03558347937087 551.9525668495705) rotate(-47.179262552307804)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 295.11860518164553 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(319.9807557993938 0) rotate(0)" stroke="none"/></g><g transform="translate(350.3839996231144 422.0824187567895) rotate(-47.179262552307804) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-50.766666412353516 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="101.53333282470703" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(508.01086036954564 551.2045130499298) rotate(-94.20433793162489)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.1141328070369 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.9762834247852 0) rotate(0)" stroke="none"/></g><g transform="translate(498.7324929650218 424.9880206451286) rotate(85.7956620683751) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-50.766666412353516 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="101.53333282470703" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(729.9551990267428 273.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(729.9551990267428 147.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.00833511352539 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.01667022705078" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(487.6313891898351 273.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(596.3622187994148 273.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-66.17499923706055 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="132.3499984741211" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(129 273.97628342478527) rotate(70.02539571192277)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 211.90634546605278 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(236.7684960838011 0) rotate(0)" stroke="none"/></g><g transform="translate(175.27129164336606 401.2811520398451) rotate(70.02539571192277) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.65833282470703 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="141.31666564941406" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(508.01086036954564 551.2045130499298) rotate(179.84581282700933)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 194.11413280703684 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(218.97628342478515 0) rotate(0)" stroke="none"/></g><g transform="translate(381.45425222119184 551.545087048647) rotate(359.84581282700935) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.65833282470703 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="141.31666564941406" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="729.9551990267428" cy="-4" r="52"/></g><g transform="translate(729.9551990267428 -4)"><g transform="scale(0.40234434765624993) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">Domain1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="129" cy="273.97628342478527" r="52"/></g><g transform="translate(129 273.97628342478527)"><g transform="scale(0.228516396484375) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">CertTemplate1-1</text></g></g></g><g transform="translate(-39.597979746446654 -77.99797974644666)"><g transform="translate(0 0)"><g transform="translate(-234.88333129882812 0)" fill="white"><rect x="0" y="0" width="234.88333129882812" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="121.7666654586792" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="125.93333196640015" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="121.7666654586792" y="33.3" stroke="none" text-anchor="end">ekus:</text><text xml:space="preserve" x="125.93333196640015" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="487.6313891898351" cy="-4" r="52"/></g><g transform="translate(487.6313891898351 -4)"><g transform="scale(0.26953198046874993) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">NTAuthStore1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="487.6313891898351" cy="273.97628342478527" r="52"/></g><g transform="translate(487.6313891898351 273.97628342478527)"><g transform="scale(0.26367261132812503) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">EnterpriseCA1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="230.03558347937087" cy="551.9525668495705" r="52"/></g><g transform="translate(230.03558347937087 551.9525668495705)"><g transform="scale(0.228516396484375) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">CertTemplate1-2</text></g></g></g><g transform="translate(-39.597979746446654 39.59797974644666)"><g transform="translate(0 0)"><g transform="translate(-234.88333129882812 0)" fill="white"><rect x="0" y="0" width="234.88333129882812" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="121.7666654586792" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="125.93333196640015" y="14.1" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="121.7666654586792" y="33.3" stroke="none" text-anchor="end">ekus:</text><text xml:space="preserve" x="125.93333196640015" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="508.01086036954564" cy="551.2045130499298" r="52"/></g><g transform="translate(508.01086036954564 551.2045130499298)"><g transform="scale(0.228516396484375) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">CertTemplate1-3</text></g></g></g><g transform="translate(39.59797974644666 39.597979746446654)"><g transform="translate(0 0)"><g transform="translate(0 0)" fill="white"><rect x="0" y="0" width="234.88333129882812" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="121.7666654586792" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="125.93333196640015" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="121.7666654586792" y="33.3" stroke="none" text-anchor="end">ekus:</text><text xml:space="preserve" x="125.93333196640015" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="729.9551990267428" cy="273.97628342478527" r="52"/></g><g transform="translate(729.9551990267428 273.97628342478527)"><g transform="scale(0.42578182421875) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">RootCA1</text></g></g></g></g></g></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="921" height="845" viewBox="0 0 921 845"><defs><style type="text/css"/></defs><g transform="translate(190.30110474644664 4) scale(1)"><g class="relationship"><g transform="translate(433.6313891898351 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 274.7692385720868 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(299.6313891898351 0) rotate(0)" stroke="none"/></g><g transform="translate(241.8846192860434 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(176.03558347937087 605.9525668495705) rotate(-47.179262552307804)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 295.11860518164553 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(319.9807557993938 0) rotate(0)" stroke="none"/></g><g transform="translate(296.3839996231144 476.0824187567895) rotate(-47.179262552307804) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(454.01086036954564 605.2045130499298) rotate(-94.20433793162489)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.1141328070369 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.9762834247852 0) rotate(0)" stroke="none"/></g><g transform="translate(444.7324929650218 478.9880206451286) rotate(85.7956620683751) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(675.9551990267428 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(675.9551990267428 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(70.02539571192277)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 211.90634546605278 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(236.7684960838011 0) rotate(0)" stroke="none"/></g><g transform="translate(121.27129164336606 455.2811520398451) rotate(70.02539571192277) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(454.01086036954564 605.2045130499298) rotate(179.84581282700933)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 194.11413280703684 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(218.97628342478515 0) rotate(0)" stroke="none"/></g><g transform="translate(327.45425222119184 605.545087048647) rotate(359.84581282700935) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(176.03558347937087 605.9525668495705) rotate(124.93560426946605)" stroke-width="5" stroke="#68ccca"><path d="M 58.695178092152055 -5.989663490593892 L 95.96898050729241 -9.793341079425122 A 40 40 0 0 1 100.0297693144747 -10 L 118 -10 L 226 -10 A 10 10 0 0 1 236 -1.7763568394002505e-15 L 236 0 L 236 1.7763568394002505e-15 A 10 10 0 0 1 226 10 L 118 10 L 100.0297693144747 10 A 40 40 0 0 0 95.96898050729241 9.793341079425122 L 83.42887907965451 8.513662064369711 L 83.42887907965451 8.513662064369711"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="rotate(185.8266894420084) translate(-59 0)" stroke="none"/></g><g transform="translate(46.615459702719136 791.2265033912118) rotate(34.93560426946605) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="50" r="52"/></g><g transform="translate(675.9551990267428 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="75" cy="327.97628342478527" r="52"/></g><g transform="translate(75 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-1</text></g></g></g><g transform="translate(-39.597979746446654 -77.99797974644666)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="50" r="52"/></g><g transform="translate(433.6313891898351 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="327.97628342478527" r="52"/></g><g transform="translate(433.6313891898351 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="176.03558347937087" cy="605.9525668495705" r="52"/></g><g transform="translate(176.03558347937087 605.9525668495705)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-2</text></g></g></g><g transform="translate(-39.597979746446654 39.59797974644666)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="454.01086036954564" cy="605.2045130499298" r="52"/></g><g transform="translate(454.01086036954564 605.2045130499298)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-3</text></g></g></g><g transform="translate(39.59797974644666 39.597979746446654)"><g transform="translate(0 0)"><g transform="translate(0 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="327.97628342478527" r="52"/></g><g transform="translate(675.9551990267428 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA1</text></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.json b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.json
index ee3e2a4b43..607f78cbef 100644
--- a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.json
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.json
@@ -1,10 +1,63 @@
 {
+  "style": {
+    "font-family": "sans-serif",
+    "background-color": "#ffffff",
+    "background-image": "",
+    "background-size": "100%",
+    "node-color": "#ffffff",
+    "border-width": 4,
+    "border-color": "#000000",
+    "radius": 50,
+    "node-padding": 5,
+    "node-margin": 2,
+    "outside-position": "auto",
+    "node-icon-image": "",
+    "node-background-image": "",
+    "icon-position": "inside",
+    "icon-size": 64,
+    "caption-position": "inside",
+    "caption-max-width": 200,
+    "caption-color": "#000000",
+    "caption-font-size": 50,
+    "caption-font-weight": "normal",
+    "label-position": "inside",
+    "label-display": "pill",
+    "label-color": "#000000",
+    "label-background-color": "#ffffff",
+    "label-border-color": "#000000",
+    "label-border-width": 4,
+    "label-font-size": 40,
+    "label-padding": 5,
+    "label-margin": 4,
+    "directionality": "directed",
+    "detail-position": "inline",
+    "detail-orientation": "parallel",
+    "arrow-width": 5,
+    "arrow-color": "#000000",
+    "margin-start": 5,
+    "margin-end": 5,
+    "margin-peer": 20,
+    "attachment-start": "normal",
+    "attachment-end": "normal",
+    "relationship-icon-image": "",
+    "type-color": "#000000",
+    "type-background-color": "#ffffff",
+    "type-border-color": "#000000",
+    "type-border-width": 0,
+    "type-font-size": 16,
+    "type-padding": 5,
+    "property-position": "outside",
+    "property-alignment": "colon",
+    "property-color": "#000000",
+    "property-font-size": 16,
+    "property-font-weight": "normal"
+  },
   "nodes": [
     {
       "id": "n0",
       "position": {
-        "x": -569.1685177598522,
-        "y": -1021.0927494329366
+        "x": 657.3454879680903,
+        "y": 50
       },
       "caption": "Domain2",
       "labels": [],
@@ -14,10 +67,10 @@
       }
     },
     {
-      "id": "n2",
+      "id": "n1",
       "position": {
-        "x": -811.4923275967599,
-        "y": -1021.0927494329366
+        "x": 415.0216781311826,
+        "y": 50
       },
       "caption": "NTAuthStore2",
       "labels": [],
@@ -27,10 +80,10 @@
       }
     },
     {
-      "id": "n5",
+      "id": "n2",
       "position": {
-        "x": -811.4923275967599,
-        "y": -743.1164660081513
+        "x": 415.0216781311826,
+        "y": 327.97628342478527
       },
       "caption": "EnterpriseCA2",
       "labels": [],
@@ -40,10 +93,10 @@
       }
     },
     {
-      "id": "n13",
+      "id": "n3",
       "position": {
-        "x": -569.1685177598522,
-        "y": -743.1164660081513
+        "x": 657.3454879680903,
+        "y": 327.97628342478527
       },
       "caption": "RootCA2",
       "labels": [],
@@ -53,40 +106,42 @@
       }
     },
     {
-      "id": "n14",
+      "id": "n4",
       "position": {
-        "x": -1151.5140057279425,
-        "y": -743.1164660081513
+        "x": 75,
+        "y": 327.97628342478527
       },
       "caption": "CertTemplate2-1",
       "labels": [],
       "properties": {
-        "effectiveekus": "[\"1.3.6.1.4.1.311.20.2.1\"]"
+        "effectiveekus": "[\"1.3.6.1.4.1.311.20.2.1\"]",
+        "schemaversion": "2"
       },
       "style": {
         "node-color": "#fda1ff"
       }
     },
     {
-      "id": "n15",
+      "id": "n5",
       "position": {
-        "x": -1151.5140057279425,
-        "y": -546.8048586088046
+        "x": 75,
+        "y": 524.287890824132
       },
       "caption": "CertTemplate2-2",
       "labels": [],
       "properties": {
-        "effectiveekus": "[\"1.3.6.1.4.1.311.20.2.1\", \"2.5.29.37.0\"]"
+        "effectiveekus": "[\"1.3.6.1.4.1.311.20.2.1\", \"2.5.29.37.0\"]",
+        "schemaversion": "2"
       },
       "style": {
         "node-color": "#fda1ff"
       }
     },
     {
-      "id": "n16",
+      "id": "n6",
       "position": {
-        "x": -981.5031666623508,
-        "y": -448.6490549091318
+        "x": 245.01083906559165,
+        "y": 622.4436945238048
       },
       "caption": "CertTemplate2-3",
       "labels": [],
@@ -101,10 +156,10 @@
       }
     },
     {
-      "id": "n17",
+      "id": "n7",
       "position": {
-        "x": -695.4923275967599,
-        "y": -448.6490549091318
+        "x": 531.0216781311826,
+        "y": 622.4436945238048
       },
       "caption": "CertTemplate2-4",
       "labels": [],
@@ -117,29 +172,12 @@
       "style": {
         "node-color": "#fda1ff"
       }
-    },
-    {
-      "id": "n18",
-      "position": {
-        "x": -517.02491649774,
-        "y": -448.6490549091315
-      },
-      "caption": "CertTemplate2-5",
-      "labels": [],
-      "properties": {
-        "effectiveekus": "[]",
-        "schemaversion": "1",
-        "subjectaltrequiresupn": "true"
-      },
-      "style": {
-        "node-color": "#fda1ff"
-      }
     }
   ],
   "relationships": [
     {
       "id": "n0",
-      "fromId": "n2",
+      "fromId": "n1",
       "toId": "n0",
       "type": "NTAuthStoreFor",
       "properties": {},
@@ -147,141 +185,69 @@
     },
     {
       "id": "n1",
-      "fromId": "n5",
-      "toId": "n2",
+      "fromId": "n2",
+      "toId": "n1",
       "type": "TrustedForNTAuth",
       "properties": {},
       "style": {}
     },
     {
-      "id": "n9",
-      "fromId": "n13",
+      "id": "n2",
+      "fromId": "n3",
       "toId": "n0",
       "type": "RootCAFor",
       "properties": {},
       "style": {}
     },
     {
-      "id": "n10",
-      "fromId": "n5",
-      "toId": "n13",
+      "id": "n3",
+      "fromId": "n2",
+      "toId": "n3",
       "type": "EnterpriseCAFor",
       "properties": {},
       "style": {}
     },
     {
-      "id": "n11",
-      "fromId": "n14",
-      "toId": "n5",
-      "type": "PublishedTo",
-      "properties": {},
-      "style": {}
-    },
-    {
-      "id": "n12",
-      "fromId": "n15",
-      "toId": "n5",
+      "id": "n4",
+      "fromId": "n4",
+      "toId": "n2",
       "type": "PublishedTo",
       "properties": {},
       "style": {}
     },
     {
-      "id": "n13",
-      "fromId": "n16",
-      "toId": "n5",
+      "id": "n5",
+      "fromId": "n5",
+      "toId": "n2",
       "type": "PublishedTo",
       "properties": {},
       "style": {}
     },
     {
-      "id": "n14",
-      "fromId": "n17",
-      "toId": "n5",
+      "id": "n6",
+      "fromId": "n6",
+      "toId": "n2",
       "type": "PublishedTo",
       "properties": {},
       "style": {}
     },
     {
-      "id": "n15",
-      "type": "EnrollOnBehalfOf",
-      "style": {
-        "arrow-color": "#a4dd00"
-      },
-      "properties": {},
-      "toId": "n16",
-      "fromId": "n14"
-    },
-    {
-      "id": "n16",
-      "fromId": "n18",
-      "toId": "n5",
+      "id": "n7",
+      "fromId": "n7",
+      "toId": "n2",
       "type": "PublishedTo",
       "properties": {},
       "style": {}
     },
     {
-      "id": "n17",
-      "fromId": "n18",
-      "toId": "n18",
+      "id": "n8",
+      "fromId": "n4",
+      "toId": "n6",
       "type": "EnrollOnBehalfOf",
       "properties": {},
       "style": {
-        "type-color": "#4d4d4d",
         "arrow-color": "#a4dd00"
       }
     }
-  ],
-  "style": {
-    "font-family": "sans-serif",
-    "background-color": "#ffffff",
-    "background-image": "",
-    "background-size": "100%",
-    "node-color": "#ffffff",
-    "border-width": 4,
-    "border-color": "#000000",
-    "radius": 50,
-    "node-padding": 5,
-    "node-margin": 2,
-    "outside-position": "auto",
-    "node-icon-image": "",
-    "node-background-image": "",
-    "icon-position": "inside",
-    "icon-size": 64,
-    "caption-position": "inside",
-    "caption-max-width": 200,
-    "caption-color": "#000000",
-    "caption-font-size": 50,
-    "caption-font-weight": "normal",
-    "label-position": "inside",
-    "label-display": "pill",
-    "label-color": "#000000",
-    "label-background-color": "#ffffff",
-    "label-border-color": "#000000",
-    "label-border-width": 4,
-    "label-font-size": 40,
-    "label-padding": 5,
-    "label-margin": 4,
-    "directionality": "directed",
-    "detail-position": "inline",
-    "detail-orientation": "parallel",
-    "arrow-width": 5,
-    "arrow-color": "#000000",
-    "margin-start": 5,
-    "margin-end": 5,
-    "margin-peer": 20,
-    "attachment-start": "normal",
-    "attachment-end": "normal",
-    "relationship-icon-image": "",
-    "type-color": "#000000",
-    "type-background-color": "#ffffff",
-    "type-border-color": "#000000",
-    "type-border-width": 0,
-    "type-font-size": 16,
-    "type-padding": 5,
-    "property-position": "outside",
-    "property-alignment": "colon",
-    "property-color": "#000000",
-    "property-font-size": 16,
-    "property-font-weight": "normal"
-  }
+  ]
 }
\ No newline at end of file
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.svg b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.svg
index dd203c5b22..d8d8ec0fcb 100644
--- a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.svg
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.svg
@@ -1,18 +1 @@
-<!--
-Copyright 2023 Specter Ops, Inc.
-
-Licensed under the Apache License, Version 2.0
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-SPDX-License-Identifier: Apache-2.0
--->
-<svg xmlns="http://www.w3.org/2000/svg" width="1263" height="846" viewBox="0 0 1263 846"><defs><style type="text/css"/></defs><g transform="translate(1526.8119709785396 1075.0927494329367) scale(1)"><g class="relationship"><g transform="translate(-811.4923275967599 -1021.0927494329366) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(-702.7614979871802 -1021.0927494329366) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.92499923706055 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.8499984741211" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(-811.4923275967599 -743.1164660081513) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(-811.4923275967599 -869.6735324116697) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-73.59166717529297 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="147.18333435058594" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(-569.1685177598522 -743.1164660081513) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(-569.1685177598522 -869.6735324116697) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.00833511352539 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.01667022705078" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(-811.4923275967599 -743.1164660081513) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(-702.7614979871802 -743.1164660081513) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-66.17499923706055 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="132.3499984741211" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(-1151.5140057279425 -743.1164660081513) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 256.15952751343434 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(281.0216781311826 0) rotate(0)" stroke="none"/></g><g transform="translate(-993.9342419712253 -743.1164660081513) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-50.766666412353516 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="101.53333282470703" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(-1151.5140057279425 -546.8048586088046) rotate(-30.000000000000014)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 308.7610641809449 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(333.62321479869325 0) rotate(0)" stroke="none"/></g><g transform="translate(-992.2687936761937 -638.7451246540409) rotate(-30.000000000000014) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-50.766666412353516 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="101.53333282470703" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(-981.5031666623508 -448.6490549091318) rotate(-60.00000000000002)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 256.1595275134339 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(281.02167813118217 0) rotate(0)" stroke="none"/></g><g transform="translate(-902.7132847839924 -585.117133444799) rotate(-60.00000000000002) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-50.766666412353516 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="101.53333282470703" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(-695.4923275967599 -448.6490549091318) rotate(-111.50104465455937)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 232.62964421958858 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(257.4917948373369 0) rotate(0)" stroke="none"/></g><g transform="translate(-748.936112366692 -584.3167526723655) rotate(68.49895534544063) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-50.766666412353516 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="101.53333282470703" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(-1151.5140057279425 -743.1164660081513) rotate(59.99999999999992)" stroke-width="5" stroke="#a4dd00"><path d="M 59 0 L 256.1595275134342 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#a4dd00" transform="translate(281.0216781311825 0) rotate(0)" stroke="none"/></g><g transform="translate(-1072.7241238495837 -606.648387472484) rotate(59.99999999999992) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.65833282470703 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="141.31666564941406" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(-517.02491649774 -448.6490549091315) rotate(-135)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 332.5776558353792 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(357.43980645312746 0) rotate(0)" stroke="none"/></g><g transform="translate(-655.4685243989044 -587.0926628102959) rotate(45) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-50.766666412353516 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="101.53333282470703" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(-517.02491649774 -448.6490549091315) rotate(45.00000000000005)" stroke-width="5" stroke="#a4dd00"><path d="M 58.695178092152055 -5.989663490593892 L 95.96898050729241 -9.793341079425122 A 40 40 0 0 1 100.0297693144747 -10 L 118 -10 L 226 -10 A 10 10 0 0 1 236 -1.7763568394002505e-15 L 236 0 L 236 1.7763568394002505e-15 A 10 10 0 0 1 226 10 L 118 10 L 100.0297693144747 10 A 40 40 0 0 0 95.96898050729241 9.793341079425122 L 83.42887907965451 8.513662064369711 L 83.42887907965451 8.513662064369711"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#a4dd00" transform="rotate(185.8266894420084) translate(-59 0)" stroke="none"/></g><g transform="translate(-357.2187839495804 -288.84292236097167) rotate(315.00000000000006) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.65833282470703 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="141.31666564941406" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#4d4d4d">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="-569.1685177598522" cy="-1021.0927494329366" r="52"/></g><g transform="translate(-569.1685177598522 -1021.0927494329366)"><g transform="scale(0.40234434765624993) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">Domain2</text></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="-811.4923275967599" cy="-1021.0927494329366" r="52"/></g><g transform="translate(-811.4923275967599 -1021.0927494329366)"><g transform="scale(0.26953198046874993) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">NTAuthStore2</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="-811.4923275967599" cy="-743.1164660081513" r="52"/></g><g transform="translate(-811.4923275967599 -743.1164660081513)"><g transform="scale(0.26367261132812503) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">EnterpriseCA2</text></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="-569.1685177598522" cy="-743.1164660081513" r="52"/></g><g transform="translate(-569.1685177598522 -743.1164660081513)"><g transform="scale(0.42578182421875) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">RootCA2</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="-1151.5140057279425" cy="-743.1164660081513" r="52"/></g><g transform="translate(-1151.5140057279425 -743.1164660081513)"><g transform="scale(0.228516396484375) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">CertTemplate2-1</text></g></g></g><g transform="translate(-39.597979746446654 -58.79797974644666)"><g transform="translate(0 0)"><g transform="translate(-233.00000381469727 0)" fill="white"><rect x="0" y="0" width="233.00000381469727" height="19.2" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="43.566664695739746" y="14.1" stroke="none">ekus:</text><text xml:space="preserve" x="47.73333120346069" y="14.1" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="-1151.5140057279425" cy="-546.8048586088046" r="52"/></g><g transform="translate(-1151.5140057279425 -546.8048586088046)"><g transform="scale(0.228516396484375) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">CertTemplate2-2</text></g></g></g><g transform="translate(-39.597979746446654 39.59797974644666)"><g transform="translate(0 0)"><g transform="translate(-335.6999855041504 0)" fill="white"><rect x="0" y="0" width="335.6999855041504" height="19.2" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="43.566664695739746" y="14.1" stroke="none">ekus:</text><text xml:space="preserve" x="47.73333120346069" y="14.1" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1", "2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="-981.5031666623508" cy="-448.6490549091318" r="52"/></g><g transform="translate(-981.5031666623508 -448.6490549091318)"><g transform="scale(0.228516396484375) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">CertTemplate2-3</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-179.16666793823242 0)" fill="white"><rect x="0" y="0" width="358.33333587646484" height="76.8" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="168.89999675750732" y="14.1" stroke="none">ekus:</text><text xml:space="preserve" x="173.06666326522827" y="14.1" stroke="none" text-anchor="start">[]</text><text xml:space="preserve" x="168.89999675750732" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="173.06666326522827" y="33.3" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="168.89999675750732" y="52.5" stroke="none" text-anchor="end">authorizedsignatures:</text><text xml:space="preserve" x="173.06666326522827" y="52.5" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="168.89999675750732" y="71.7" stroke="none" text-anchor="end">applicationpolicies:</text><text xml:space="preserve" x="173.06666326522827" y="71.7" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="-695.4923275967599" cy="-448.6490549091318" r="52"/></g><g transform="translate(-695.4923275967599 -448.6490549091318)"><g transform="scale(0.228516396484375) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">CertTemplate2-4</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-93.88333177566528 0)" fill="white"><rect x="0" y="0" width="187.76666355133057" height="76.8" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="168.89999675750732" y="14.1" stroke="none">ekus:</text><text xml:space="preserve" x="173.06666326522827" y="14.1" stroke="none" text-anchor="start">[]</text><text xml:space="preserve" x="168.89999675750732" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="173.06666326522827" y="33.3" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="168.89999675750732" y="52.5" stroke="none" text-anchor="end">authorizedsignatures:</text><text xml:space="preserve" x="173.06666326522827" y="52.5" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="168.89999675750732" y="71.7" stroke="none" text-anchor="end">applicationpolicies:</text><text xml:space="preserve" x="173.06666326522827" y="71.7" stroke="none" text-anchor="start">[]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="-517.02491649774" cy="-448.6490549091315" r="52"/></g><g transform="translate(-517.02491649774 -448.6490549091315)"><g transform="scale(0.228516396484375) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="14.5" stroke="none">CertTemplate2-5</text></g></g></g><g transform="translate(39.59797974644666 39.597979746446654)"><g transform="translate(0 0)"><g transform="translate(0 0)" fill="white"><rect x="0" y="0" width="212.68333435058594" height="57.599999999999994" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="173.066668510437" y="14.1" stroke="none">ekus:</text><text xml:space="preserve" x="177.23333501815796" y="14.1" stroke="none" text-anchor="start">[]</text><text xml:space="preserve" x="173.066668510437" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="177.23333501815796" y="33.3" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="173.066668510437" y="52.5" stroke="none" text-anchor="end">subjectaltrequiresupn:</text><text xml:space="preserve" x="177.23333501815796" y="52.5" stroke="none" text-anchor="start">true</text></g></g></g></g></g></g></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="1077" height="760" viewBox="0 0 1077 760"><defs><style type="text/css"/></defs><g transform="translate(365.05110474644664 4) scale(1)"><g class="relationship"><g transform="translate(415.0216781311826 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(523.7525077407623 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(415.0216781311826 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(415.0216781311826 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(657.3454879680903 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(657.3454879680903 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(415.0216781311826 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(523.7525077407623 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 256.15952751343434 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(281.0216781311826 0) rotate(0)" stroke="none"/></g><g transform="translate(232.57976375671717 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(75 524.287890824132) rotate(-30.000000000000014)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 308.7610641809449 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(333.62321479869325 0) rotate(0)" stroke="none"/></g><g transform="translate(234.2452120517488 432.3476247788957) rotate(-30.000000000000014) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(245.01083906559165 622.4436945238048) rotate(-60.00000000000002)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 256.1595275134339 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(281.02167813118217 0) rotate(0)" stroke="none"/></g><g transform="translate(323.80072094395007 485.9756159881375) rotate(-60.00000000000002) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(531.0216781311826 622.4436945238048) rotate(-111.50104465455937)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 232.62964421958858 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(257.4917948373369 0) rotate(0)" stroke="none"/></g><g transform="translate(477.5778933612505 486.77599676057105) rotate(68.49895534544063) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(59.99999999999992)" stroke-width="5" stroke="#a4dd00"><path d="M 59 0 L 256.1595275134342 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#a4dd00" transform="translate(281.0216781311825 0) rotate(0)" stroke="none"/></g><g transform="translate(153.78988187835876 464.4443619604525) rotate(59.99999999999992) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="657.3454879680903" cy="50" r="52"/></g><g transform="translate(657.3454879680903 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain2</text></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="415.0216781311826" cy="50" r="52"/></g><g transform="translate(415.0216781311826 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore2</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="415.0216781311826" cy="327.97628342478527" r="52"/></g><g transform="translate(415.0216781311826 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA2</text></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="657.3454879680903" cy="327.97628342478527" r="52"/></g><g transform="translate(657.3454879680903 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA2</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="75" cy="327.97628342478527" r="52"/></g><g transform="translate(75 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-1</text></g></g></g><g transform="translate(-39.597979746446654 -77.99797974644666)"><g transform="translate(0 0)"><g transform="translate(-300.1328125 0)" fill="white"><rect x="0" y="0" width="300.1328125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1"]</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">2</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="75" cy="524.287890824132" r="52"/></g><g transform="translate(75 524.287890824132)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-2</text></g></g></g><g transform="translate(-39.597979746446654 39.59797974644666)"><g transform="translate(0 0)"><g transform="translate(-400.453125 0)" fill="white"><rect x="0" y="0" width="400.453125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1", "2.5.29.37.0"]</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">2</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="245.01083906559165" cy="622.4436945238048" r="52"/></g><g transform="translate(245.01083906559165 622.4436945238048)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-3</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-170.53515625 0)" fill="white"><rect x="0" y="0" width="341.0703125" height="76.8" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="157.4296875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="161.875" y="14.1" stroke="none" text-anchor="start">[]</text><text xml:space="preserve" x="157.4296875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="161.875" y="33.3" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="157.4296875" y="52.5" stroke="none" text-anchor="end">authorizedsignatures:</text><text xml:space="preserve" x="161.875" y="52.5" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="157.4296875" y="71.7" stroke="none" text-anchor="end">applicationpolicies:</text><text xml:space="preserve" x="161.875" y="71.7" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="531.0216781311826" cy="622.4436945238048" r="52"/></g><g transform="translate(531.0216781311826 622.4436945238048)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-4</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-87.609375 0)" fill="white"><rect x="0" y="0" width="175.21875" height="76.8" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="157.4296875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="161.875" y="14.1" stroke="none" text-anchor="start">[]</text><text xml:space="preserve" x="157.4296875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="161.875" y="33.3" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="157.4296875" y="52.5" stroke="none" text-anchor="end">authorizedsignatures:</text><text xml:space="preserve" x="161.875" y="52.5" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="157.4296875" y="71.7" stroke="none" text-anchor="end">applicationpolicies:</text><text xml:space="preserve" x="161.875" y="71.7" stroke="none" text-anchor="start">[]</text></g></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.json b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.json
new file mode 100644
index 0000000000..e0537e9ec6
--- /dev/null
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.json
@@ -0,0 +1,256 @@
+{
+  "style": {
+    "font-family": "sans-serif",
+    "background-color": "#ffffff",
+    "background-image": "",
+    "background-size": "100%",
+    "node-color": "#ffffff",
+    "border-width": 4,
+    "border-color": "#000000",
+    "radius": 50,
+    "node-padding": 5,
+    "node-margin": 2,
+    "outside-position": "auto",
+    "node-icon-image": "",
+    "node-background-image": "",
+    "icon-position": "inside",
+    "icon-size": 64,
+    "caption-position": "inside",
+    "caption-max-width": 200,
+    "caption-color": "#000000",
+    "caption-font-size": 50,
+    "caption-font-weight": "normal",
+    "label-position": "inside",
+    "label-display": "pill",
+    "label-color": "#000000",
+    "label-background-color": "#ffffff",
+    "label-border-color": "#000000",
+    "label-border-width": 4,
+    "label-font-size": 40,
+    "label-padding": 5,
+    "label-margin": 4,
+    "directionality": "directed",
+    "detail-position": "inline",
+    "detail-orientation": "parallel",
+    "arrow-width": 5,
+    "arrow-color": "#000000",
+    "margin-start": 5,
+    "margin-end": 5,
+    "margin-peer": 20,
+    "attachment-start": "normal",
+    "attachment-end": "normal",
+    "relationship-icon-image": "",
+    "type-color": "#000000",
+    "type-background-color": "#ffffff",
+    "type-border-color": "#000000",
+    "type-border-width": 0,
+    "type-font-size": 16,
+    "type-padding": 5,
+    "property-position": "outside",
+    "property-alignment": "colon",
+    "property-color": "#000000",
+    "property-font-size": 16,
+    "property-font-weight": "normal"
+  },
+  "nodes": [
+    {
+      "id": "n0",
+      "position": {
+        "x": 675.9551990267428,
+        "y": 50
+      },
+      "caption": "Domain1",
+      "labels": [],
+      "properties": {},
+      "style": {
+        "node-color": "#68ccca"
+      }
+    },
+    {
+      "id": "n1",
+      "position": {
+        "x": -44.95912785436991,
+        "y": 327.97628342478527
+      },
+      "caption": "CertTemplate1-1",
+      "labels": [],
+      "properties": {
+        "schemaversion": "2",
+        "effectiveekus": "[\"2.5.29.37.0\"]"
+      },
+      "style": {
+        "node-color": "#fda1ff"
+      }
+    },
+    {
+      "id": "n2",
+      "position": {
+        "x": 433.6313891898351,
+        "y": 50
+      },
+      "caption": "NTAuthStore1",
+      "labels": [],
+      "properties": {},
+      "style": {
+        "node-color": "#7b64ff"
+      }
+    },
+    {
+      "id": "n3",
+      "position": {
+        "x": 433.6313891898351,
+        "y": 327.97628342478527
+      },
+      "caption": "EnterpriseCA1",
+      "labels": [],
+      "properties": {},
+      "style": {
+        "node-color": "#b0bc00"
+      }
+    },
+    {
+      "id": "n4",
+      "position": {
+        "x": 194.3361306677326,
+        "y": 557.3609078601627
+      },
+      "caption": "CertTemplate1-2",
+      "labels": [],
+      "properties": {
+        "schemaversion": "1",
+        "effectiveekus": "[\"2.5.29.37.0\"]"
+      },
+      "style": {
+        "node-color": "#fda1ff"
+      }
+    },
+    {
+      "id": "n5",
+      "position": {
+        "x": 433.6313891898351,
+        "y": 796.6561663822652
+      },
+      "caption": "CertTemplate1-3",
+      "labels": [],
+      "properties": {
+        "schemaversion": "2",
+        "effectiveekus": "[\"2.5.29.37.0\"]"
+      },
+      "style": {
+        "node-color": "#fda1ff"
+      }
+    },
+    {
+      "id": "n6",
+      "position": {
+        "x": 675.9551990267428,
+        "y": 327.97628342478527
+      },
+      "caption": "RootCA1",
+      "labels": [],
+      "properties": {},
+      "style": {
+        "node-color": "#e27300"
+      }
+    },
+    {
+      "id": "n7",
+      "position": {
+        "x": 433.6313891898351,
+        "y": 500.5114025285298
+      },
+      "caption": "EnterpriseCA2",
+      "style": {
+        "node-color": "#b0bc00"
+      },
+      "labels": [],
+      "properties": {}
+    }
+  ],
+  "relationships": [
+    {
+      "id": "n0",
+      "fromId": "n2",
+      "toId": "n0",
+      "type": "NTAuthStoreFor",
+      "properties": {},
+      "style": {}
+    },
+    {
+      "id": "n1",
+      "fromId": "n3",
+      "toId": "n2",
+      "type": "TrustedForNTAuth",
+      "properties": {},
+      "style": {}
+    },
+    {
+      "id": "n2",
+      "fromId": "n1",
+      "toId": "n3",
+      "type": "PublishedTo",
+      "properties": {},
+      "style": {}
+    },
+    {
+      "id": "n3",
+      "fromId": "n4",
+      "toId": "n3",
+      "type": "PublishedTo",
+      "properties": {},
+      "style": {}
+    },
+    {
+      "id": "n5",
+      "fromId": "n6",
+      "toId": "n0",
+      "type": "RootCAFor",
+      "properties": {},
+      "style": {}
+    },
+    {
+      "id": "n6",
+      "fromId": "n3",
+      "toId": "n6",
+      "type": "EnterpriseCAFor",
+      "properties": {},
+      "style": {}
+    },
+    {
+      "id": "n7",
+      "fromId": "n1",
+      "toId": "n4",
+      "type": "EnrollOnBehalfOf",
+      "properties": {},
+      "style": {
+        "arrow-color": "#68ccca"
+      }
+    },
+    {
+      "id": "n12",
+      "type": "PublishedTo",
+      "fromId": "n5",
+      "toId": "n7",
+      "style": {},
+      "properties": {}
+    },
+    {
+      "id": "n13",
+      "type": "EnterpriseCAFor",
+      "fromId": "n7",
+      "toId": "n6",
+      "style": {},
+      "properties": {}
+    },
+    {
+      "id": "n14",
+      "type": "EnrollOnBehalfOf",
+      "style": {
+        "arrow-color": "#68ccca"
+      },
+      "properties": {},
+      "fromId": "n4",
+      "toId": "n4"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg
new file mode 100644
index 0000000000..d7192c6074
--- /dev/null
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="1057" height="896" viewBox="0 0 1057 896"><defs><style type="text/css"/></defs><g transform="translate(326.6622528543699 4) scale(1)"><g class="relationship"><g transform="translate(433.6313891898351 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(-44.95912785436991 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 394.7283664264567 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(419.590517044205 0) rotate(0)" stroke="none"/></g><g transform="translate(181.90505535885845 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(194.3361306677326 557.3609078601627) rotate(-43.78861262620303)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 247.61865829661255 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(272.48080891436086 0) rotate(0)" stroke="none"/></g><g transform="translate(305.009794318264 451.27089618105714) rotate(-43.78861262620303) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(675.9551990267428 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(675.9551990267428 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(-44.95912785436991 327.97628342478527) rotate(43.78861262620303)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 247.61865829661255 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(272.48080891436086 0) rotate(0)" stroke="none"/></g><g transform="translate(65.71453579616153 434.0662951038908) rotate(43.78861262620303) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 796.6561663822652) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 212.28261323598704 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(237.14476385373536 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 661.0148597642717) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 500.5114025285298) rotate(-35.45095495632252)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 213.6091860485213 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(238.47133666626962 0) rotate(0)" stroke="none"/></g><g transform="translate(544.6667872556458 421.45393952928924) rotate(-35.45095495632252) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(194.3361306677326 557.3609078601627) rotate(90)" stroke-width="5" stroke="#68ccca"><path d="M 58.695178092152055 -5.989663490593892 L 95.96898050729241 -9.793341079425122 A 40 40 0 0 1 100.0297693144747 -10 L 118 -10 L 226 -10 A 10 10 0 0 1 236 -1.7763568394002505e-15 L 236 0 L 236 1.7763568394002505e-15 A 10 10 0 0 1 226 10 L 118 10 L 100.0297693144747 10 A 40 40 0 0 0 95.96898050729241 9.793341079425122 L 83.42887907965451 8.513662064369711 L 83.42887907965451 8.513662064369711"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="rotate(185.8266894420084) translate(-59 0)" stroke="none"/></g><g transform="translate(194.3361306677326 783.3609078601627) rotate(360) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="50" r="52"/></g><g transform="translate(675.9551990267428 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="-44.95912785436991" cy="327.97628342478527" r="52"/></g><g transform="translate(-44.95912785436991 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-1</text></g></g></g><g transform="translate(-56 -19.199999999999992)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="50" r="52"/></g><g transform="translate(433.6313891898351 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="327.97628342478527" r="52"/></g><g transform="translate(433.6313891898351 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="194.3361306677326" cy="557.3609078601627" r="52"/></g><g transform="translate(194.3361306677326 557.3609078601627)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-2</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-112.8515625 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="796.6561663822652" r="52"/></g><g transform="translate(433.6313891898351 796.6561663822652)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-3</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-112.8515625 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="327.97628342478527" r="52"/></g><g transform="translate(675.9551990267428 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="500.5114025285298" r="52"/></g><g transform="translate(433.6313891898351 500.5114025285298)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA2</text></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/packages/go/analysis/ad/adcs.go b/packages/go/analysis/ad/adcs.go
index 537b0b0770..ac1f9a76cb 100644
--- a/packages/go/analysis/ad/adcs.go
+++ b/packages/go/analysis/ad/adcs.go
@@ -47,30 +47,33 @@ func PostADCS(ctx context.Context, db graph.Database, groupExpansions impact.Pat
 		return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed fetching domain nodes: %w", err)
 	} else if step1Stats, err := postADCSPreProcessStep1(ctx, db, enterpriseCertAuthorities, rootCertAuthorities, aiaCertAuthorities, certTemplates); err != nil {
 		return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed adcs pre-processing step 1: %w", err)
-	} else if step2Stats, err := postADCSPreProcessStep2(ctx, db, certTemplates); err != nil {
-		return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed adcs pre-processing step 2: %w", err)
 	} else {
-		operation := analysis.NewPostRelationshipOperation(ctx, db, "ADCS Post Processing")
-
-		operation.Stats.Merge(step1Stats)
-		operation.Stats.Merge(step2Stats)
-
 		var cache = NewADCSCache()
 		cache.BuildCache(ctx, db, enterpriseCertAuthorities, certTemplates, domains)
 
-		for _, domain := range domains {
-			innerDomain := domain
+		if step2Stats, err := postADCSPreProcessStep2(ctx, db, domains, enterpriseCertAuthorities, certTemplates, cache); err != nil {
+			return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed adcs pre-processing step 2: %w", err)
+		} else {
+
+			operation := analysis.NewPostRelationshipOperation(ctx, db, "ADCS Post Processing")
+
+			operation.Stats.Merge(step1Stats)
+			operation.Stats.Merge(step2Stats)
 
-			for _, enterpriseCA := range enterpriseCertAuthorities {
-				innerEnterpriseCA := enterpriseCA
+			for _, domain := range domains {
+				innerDomain := domain
 
-				if cache.DoesCAChainProperlyToDomain(innerEnterpriseCA, innerDomain) {
-					processEnterpriseCAWithValidCertChainToDomain(innerEnterpriseCA, innerDomain, groupExpansions, cache, operation)
+				for _, enterpriseCA := range enterpriseCertAuthorities {
+					innerEnterpriseCA := enterpriseCA
+
+					if cache.DoesCAChainProperlyToDomain(innerEnterpriseCA, innerDomain) {
+						processEnterpriseCAWithValidCertChainToDomain(innerEnterpriseCA, innerDomain, groupExpansions, cache, operation)
+					}
 				}
 			}
-		}
+			return &operation.Stats, operation.Done()
 
-		return &operation.Stats, operation.Done()
+		}
 	}
 }
 
@@ -97,10 +100,10 @@ func postADCSPreProcessStep1(ctx context.Context, db graph.Database, enterpriseC
 }
 
 // postADCSPreProcessStep2 Processes the edges that are dependent on those processed in postADCSPreProcessStep1
-func postADCSPreProcessStep2(ctx context.Context, db graph.Database, certTemplates []*graph.Node) (*analysis.AtomicPostProcessingStats, error) {
+func postADCSPreProcessStep2(ctx context.Context, db graph.Database, domains, enterpriseCertAuthorities, certTemplates []*graph.Node, cache ADCSCache) (*analysis.AtomicPostProcessingStats, error) {
 	operation := analysis.NewPostRelationshipOperation(ctx, db, "ADCS Post Processing Step 2")
 
-	if err := PostEnrollOnBehalfOf(certTemplates, operation); err != nil {
+	if err := PostEnrollOnBehalfOf(domains, enterpriseCertAuthorities, certTemplates, cache, operation); err != nil {
 		operation.Done()
 		return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed post processing for %s: %w", ad.EnrollOnBehalfOf.String(), err)
 	} else {
diff --git a/packages/go/analysis/ad/esc3.go b/packages/go/analysis/ad/esc3.go
index 2406e0081b..28abe1fcec 100644
--- a/packages/go/analysis/ad/esc3.go
+++ b/packages/go/analysis/ad/esc3.go
@@ -142,60 +142,71 @@ func PostADCSESC3(ctx context.Context, tx graph.Transaction, outC chan<- analysi
 	return nil
 }
 
-func PostEnrollOnBehalfOf(certTemplates []*graph.Node, operation analysis.StatTrackedOperation[analysis.CreatePostRelationshipJob]) error {
+func PostEnrollOnBehalfOf(domains, enterpriseCertAuthorities, certTemplates []*graph.Node, cache ADCSCache, operation analysis.StatTrackedOperation[analysis.CreatePostRelationshipJob]) error {
 	versionOneTemplates := make([]*graph.Node, 0)
 	versionTwoTemplates := make([]*graph.Node, 0)
-
 	for _, node := range certTemplates {
 		if version, err := node.Properties.Get(ad.SchemaVersion.String()).Float64(); errors.Is(err, graph.ErrPropertyNotFound) {
 			log.Warnf("Did not get schema version for cert template %d: %v", node.ID, err)
 		} else if err != nil {
 			log.Errorf("Error getting schema version for cert template %d: %v", node.ID, err)
+		} else if version == 1 {
+			versionOneTemplates = append(versionOneTemplates, node)
+		} else if version >= 2 {
+			versionTwoTemplates = append(versionTwoTemplates, node)
 		} else {
-			if version == 1 {
-				versionOneTemplates = append(versionOneTemplates, node)
-			} else if version >= 2 {
-				versionTwoTemplates = append(versionTwoTemplates, node)
-			} else {
-				log.Warnf("Got cert template %d with an invalid version %d", node.ID, version)
-			}
+			log.Warnf("Got cert template %d with an invalid version %d", node.ID, version)
 		}
 	}
 
-	operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
-		if results, err := EnrollOnBehalfOfVersionTwo(tx, versionTwoTemplates, certTemplates); err != nil {
-			return err
-		} else {
-			for _, result := range results {
-				if !channels.Submit(ctx, outC, result) {
-					return nil
-				}
-			}
+	for _, domain := range domains {
+		innerDomain := domain
 
-			return nil
-		}
-	})
+		for _, enterpriseCA := range enterpriseCertAuthorities {
+			innerEnterpriseCA := enterpriseCA
 
-	operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
-		if results, err := EnrollOnBehalfOfVersionOne(tx, versionOneTemplates, certTemplates); err != nil {
-			return err
-		} else {
-			for _, result := range results {
-				if !channels.Submit(ctx, outC, result) {
+			if cache.DoesCAChainProperlyToDomain(innerEnterpriseCA, innerDomain) {
+				if publishedCertTemplates := cache.GetPublishedTemplateCache(enterpriseCA.ID); len(publishedCertTemplates) == 0 {
 					return nil
+				} else {
+					operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
+						if results, err := EnrollOnBehalfOfVersionTwo(tx, versionTwoTemplates, publishedCertTemplates, innerDomain); err != nil {
+							return err
+						} else {
+							for _, result := range results {
+								if !channels.Submit(ctx, outC, result) {
+									return nil
+								}
+							}
+
+							return nil
+						}
+					})
+
+					operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
+						if results, err := EnrollOnBehalfOfVersionOne(tx, versionOneTemplates, publishedCertTemplates, innerDomain); err != nil {
+							return err
+						} else {
+							for _, result := range results {
+								if !channels.Submit(ctx, outC, result) {
+									return nil
+								}
+							}
+
+							return nil
+						}
+					})
 				}
 			}
-
-			return nil
 		}
-	})
+	}
 
 	return nil
 }
 
-func EnrollOnBehalfOfVersionTwo(tx graph.Transaction, versionTwoCertTemplates, allCertTemplates []*graph.Node) ([]analysis.CreatePostRelationshipJob, error) {
+func EnrollOnBehalfOfVersionTwo(tx graph.Transaction, versionTwoCertTemplates, publishedTemplates []*graph.Node, domainNode *graph.Node) ([]analysis.CreatePostRelationshipJob, error) {
 	results := make([]analysis.CreatePostRelationshipJob, 0)
-	for _, certTemplateOne := range allCertTemplates {
+	for _, certTemplateOne := range publishedTemplates {
 		if hasBadEku, err := certTemplateHasEku(certTemplateOne, EkuAnyPurpose); errors.Is(err, graph.ErrPropertyNotFound) {
 			log.Warnf("Did not get EffectiveEKUs for cert template %d: %v", certTemplateOne.ID, err)
 		} else if err != nil {
@@ -208,12 +219,6 @@ func EnrollOnBehalfOfVersionTwo(tx graph.Transaction, versionTwoCertTemplates, a
 			log.Errorf("Error getting EffectiveEKUs for cert template %d: %v", certTemplateOne.ID, err)
 		} else if !hasEku {
 			continue
-		} else if domainNode, err := getDomainForCertTemplate(tx, certTemplateOne); err != nil {
-			log.Errorf("Error getting domain node for cert template %d: %v", certTemplateOne.ID, err)
-		} else if isLinked, err := DoesCertTemplateLinkToDomain(tx, certTemplateOne, domainNode); err != nil {
-			log.Errorf("Error fetching paths from cert template %d to domain: %v", certTemplateOne.ID, err)
-		} else if !isLinked {
-			continue
 		} else {
 			for _, certTemplateTwo := range versionTwoCertTemplates {
 				if certTemplateOne.ID == certTemplateTwo.ID {
@@ -260,10 +265,10 @@ func certTemplateHasEku(certTemplate *graph.Node, targetEkus ...string) (bool, e
 	}
 }
 
-func EnrollOnBehalfOfVersionOne(tx graph.Transaction, versionOneCertTemplates []*graph.Node, allCertTemplates []*graph.Node) ([]analysis.CreatePostRelationshipJob, error) {
+func EnrollOnBehalfOfVersionOne(tx graph.Transaction, versionOneCertTemplates []*graph.Node, publishedTemplates []*graph.Node, domainNode *graph.Node) ([]analysis.CreatePostRelationshipJob, error) {
 	results := make([]analysis.CreatePostRelationshipJob, 0)
 
-	for _, certTemplateOne := range allCertTemplates {
+	for _, certTemplateOne := range publishedTemplates {
 		//prefilter as much as we can first
 		if hasEku, err := certTemplateHasEkuOrAll(certTemplateOne, EkuCertRequestAgent, EkuAnyPurpose); errors.Is(err, graph.ErrPropertyNotFound) {
 			log.Warnf("Error checking ekus for certtemplate %d: %v", certTemplateOne.ID, err)
@@ -271,12 +276,6 @@ func EnrollOnBehalfOfVersionOne(tx graph.Transaction, versionOneCertTemplates []
 			log.Errorf("Error checking ekus for certtemplate %d: %v", certTemplateOne.ID, err)
 		} else if !hasEku {
 			continue
-		} else if domainNode, err := getDomainForCertTemplate(tx, certTemplateOne); err != nil {
-			log.Errorf("Error getting domain node for certtemplate %d: %v", certTemplateOne.ID, err)
-		} else if hasPath, err := DoesCertTemplateLinkToDomain(tx, certTemplateOne, domainNode); err != nil {
-			log.Errorf("Error fetching paths from certtemplate %d to domain: %v", certTemplateOne.ID, err)
-		} else if !hasPath {
-			continue
 		} else {
 			for _, certTemplateTwo := range versionOneCertTemplates {
 				if hasPath, err := DoesCertTemplateLinkToDomain(tx, certTemplateTwo, domainNode); err != nil {
@@ -359,19 +358,9 @@ func certTemplateHasEkuOrAll(certTemplate *graph.Node, targetEkus ...string) (bo
 	}
 }
 
-func getDomainForCertTemplate(tx graph.Transaction, certTemplate *graph.Node) (*graph.Node, error) {
-	if domainSid, err := certTemplate.Properties.Get(ad.DomainSID.String()).String(); err != nil {
-		return &graph.Node{}, err
-	} else if domainNode, err := analysis.FetchNodeByObjectID(tx, domainSid); err != nil {
-		return &graph.Node{}, err
-	} else {
-		return domainNode, nil
-	}
-}
-
 func GetADCSESC3EdgeComposition(ctx context.Context, db graph.Database, edge *graph.Relationship) (graph.PathSet, error) {
 	/*
-		MATCH p1 = (x)-[:MemberOf*0..]->()-[:GenericAll|Enroll|AllExtendedRights]->(ct1:CertTemplate)-[:PublishedTo]->(eca1:EnterpriseCA)
+		MATCH p1 = (x)-[:MemberOf*0..]->()-[:GenericAll|Enroll|AllExtendedRights]->(ct1:CertTemplate)-[:PublishedTo]->(eca1:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(d)
 		WHERE x.objectid = "S-1-5-21-83094068-830424655-2031507174-500"
 		AND d.objectid = "S-1-5-21-83094068-830424655-2031507174"
 		AND ct1.requiresmanagerapproval = false
@@ -483,7 +472,7 @@ func GetADCSESC3EdgeComposition(ctx context.Context, db graph.Database, edge *gr
 	for _, n := range startNodes.Slice() {
 		if err := traversalInst.BreadthFirst(ctx, traversal.Plan{
 			Root: n,
-			Driver: ADCSESC3Path1Pattern(enterpriseCANodes).Do(func(terminal *graph.PathSegment) error {
+			Driver: ADCSESC3Path1Pattern(edge.EndID, enterpriseCANodes).Do(func(terminal *graph.PathSegment) error {
 				certTemplateNode := terminal.Search(func(nextSegment *graph.PathSegment) bool {
 					return nextSegment.Node.Kinds.ContainsOneOf(ad.CertTemplate)
 				})
@@ -673,7 +662,7 @@ func GetADCSESC3EdgeComposition(ctx context.Context, db graph.Database, edge *gr
 	return paths, nil
 }
 
-func ADCSESC3Path1Pattern(enterpriseCAs cardinality.Duplex[uint64]) traversal.PatternContinuation {
+func ADCSESC3Path1Pattern(domainId graph.ID, enterpriseCAs cardinality.Duplex[uint64]) traversal.PatternContinuation {
 	return traversal.NewPattern().OutboundWithDepth(0, 0, query.And(
 		query.Kind(query.Relationship(), ad.MemberOf),
 		query.Kind(query.End(), ad.Group),
@@ -696,6 +685,14 @@ func ADCSESC3Path1Pattern(enterpriseCAs cardinality.Duplex[uint64]) traversal.Pa
 			query.KindIn(query.Relationship(), ad.PublishedTo),
 			query.InIDs(query.End(), graph.DuplexToGraphIDs(enterpriseCAs)...),
 			query.Kind(query.End(), ad.EnterpriseCA),
+		)).
+		Outbound(query.And(
+			query.KindIn(query.Relationship(), ad.TrustedForNTAuth),
+			query.Kind(query.End(), ad.NTAuthStore),
+		)).
+		Outbound(query.And(
+			query.KindIn(query.Relationship(), ad.NTAuthStoreFor),
+			query.Equals(query.EndID(), domainId),
 		))
 }
 

From b4bd50cffb5470ef0836d3ca1df88f650b9a4344 Mon Sep 17 00:00:00 2001
From: John Hopper <jhopper@specterops.io>
Date: Wed, 11 Dec 2024 12:18:51 -0800
Subject: [PATCH 03/11] BED-5091 - Merge stage `v6.3.0` (#1009)

* set  ff to true for 6.3.0 migration file (#999)

* CySQL Updates (#1005)

* feat: BED-5146 - support toString and toInt

* feat: BED-5130 - support instant type components epochseconds and epocmillis for datetimes

* fix: BED-5149, BED-5148 - implement cypher size function and rework type inference handling

* fix: BED-5138 - apply dangling constraints to projection select for all shortest path queries

* fix: BED-5130 - use numeric type casts to ensure that no loss of precision takes place

* fix: BED-5154 - switch entity references in translation to int8[] and index values to int (#1006)

---------

Co-authored-by: Arianna Cooper <acooper@specterops.io>
---
 .../src/api/v2/datapipe_integration_test.go   |   4 +-
 .../database/migration/migrations/v6.3.0.sql  |   3 +
 packages/go/cypher/models/cypher/functions.go |  17 ++
 .../go/cypher/models/pgsql/format/format.go   |  27 +++-
 packages/go/cypher/models/pgsql/functions.go  |   2 +
 .../go/cypher/models/pgsql/identifiers.go     |  15 ++
 packages/go/cypher/models/pgsql/model.go      |  23 ++-
 packages/go/cypher/models/pgsql/pgtypes.go    |  82 +++++++++-
 .../pgsql/test/translation_cases/nodes.sql    |  65 +++++++-
 .../translation_cases/pattern_binding.sql     |  16 +-
 .../translation_cases/pattern_expansion.sql   |  28 ++--
 .../test/translation_cases/shortest_paths.sql |  25 ++-
 .../models/pgsql/translate/expansion.go       |  17 +-
 .../models/pgsql/translate/expression.go      | 150 ++++++++++++------
 .../models/pgsql/translate/expression_test.go |   2 +-
 .../models/pgsql/translate/projection.go      |   2 +-
 .../models/pgsql/translate/translation.go     |  70 ++++++++
 .../models/pgsql/translate/translator.go      |  85 +++++-----
 packages/go/cypher/models/walk/walk_cypher.go |   8 +-
 packages/go/cypher/models/walk/walk_pgsql.go  |  10 ++
 .../dawgs/drivers/pg/query/sql/schema_up.sql  |   1 -
 packages/go/dawgs/drivers/pg/types.go         |  73 ++++++++-
 22 files changed, 593 insertions(+), 132 deletions(-)

diff --git a/cmd/api/src/api/v2/datapipe_integration_test.go b/cmd/api/src/api/v2/datapipe_integration_test.go
index e992a312ae..8caf3500a4 100644
--- a/cmd/api/src/api/v2/datapipe_integration_test.go
+++ b/cmd/api/src/api/v2/datapipe_integration_test.go
@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//     http://www.apache.org/licenses/LICENSE2.0
+//     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
-// SPDXLicenseIdentifier: Apache2.0
+// SPDX-License-Identifier: Apache-2.0
 
 //go:build serial_integration
 // +build serial_integration
diff --git a/cmd/api/src/database/migration/migrations/v6.3.0.sql b/cmd/api/src/database/migration/migrations/v6.3.0.sql
index b21d0632cc..c44a919ced 100644
--- a/cmd/api/src/database/migration/migrations/v6.3.0.sql
+++ b/cmd/api/src/database/migration/migrations/v6.3.0.sql
@@ -33,3 +33,6 @@ UPDATE feature_flags SET enabled = true WHERE key = 'updated_posture_page';
 
 -- Fix users in bad state due to sso bug
 DELETE FROM auth_secrets WHERE id IN (SELECT auth_secrets.id FROM auth_secrets JOIN users ON users.id = auth_secrets.user_id WHERE users.sso_provider_id IS NOT NULL);
+
+-- Set the `oidc_support` feature flag to true
+UPDATE feature_flags SET enabled = true WHERE key = 'oidc_support';
\ No newline at end of file
diff --git a/packages/go/cypher/models/cypher/functions.go b/packages/go/cypher/models/cypher/functions.go
index 1ffed87f99..c6dce37f2b 100644
--- a/packages/go/cypher/models/cypher/functions.go
+++ b/packages/go/cypher/models/cypher/functions.go
@@ -30,4 +30,21 @@ const (
 	NodeLabelsFunction         = "labels"
 	EdgeTypeFunction           = "type"
 	StringSplitToArrayFunction = "split"
+	ToStringFunction           = "tostring"
+	ToIntegerFunction          = "toint"
+	ListSizeFunction           = "size"
+
+	// ITTC - Instant Type; Temporal Component (https://neo4j.com/docs/cypher-manual/current/functions/temporal/)
+	ITTCYear              = "year"
+	ITTCMonth             = "month"
+	ITTCDay               = "day"
+	ITTCHour              = "hour"
+	ITTCMinute            = "minute"
+	ITTCSecond            = "second"
+	ITTCMillisecond       = "millisecond"
+	ITTCMicrosecond       = "microsecond"
+	ITTCNanosecond        = "nanosecond"
+	ITTCTimeZone          = "timezone"
+	ITTCEpochSeconds      = "epochseconds"
+	ITTCEpochMilliseconds = "epochmillis"
 )
diff --git a/packages/go/cypher/models/pgsql/format/format.go b/packages/go/cypher/models/pgsql/format/format.go
index ac2caeaf21..4280aef044 100644
--- a/packages/go/cypher/models/pgsql/format/format.go
+++ b/packages/go/cypher/models/pgsql/format/format.go
@@ -137,6 +137,12 @@ func formatValue(builder *OutputBuilder, value any) error {
 	case bool:
 		builder.Write(strconv.FormatBool(typedValue))
 
+	case float32:
+		builder.Write(strconv.FormatFloat(float64(typedValue), 'f', -1, 64))
+
+	case float64:
+		builder.Write(strconv.FormatFloat(typedValue, 'f', -1, 64))
+
 	default:
 		return fmt.Errorf("unsupported literal type: %T", value)
 	}
@@ -482,8 +488,27 @@ func formatNode(builder *OutputBuilder, rootExpr pgsql.SyntaxNode) error {
 				exprStack = append(exprStack, pgsql.FormattingLiteral("not "))
 			}
 
+		case pgsql.ProjectionFrom:
+			for idx, projection := range typedNextExpr.Projection {
+				if idx > 0 {
+					builder.Write(", ")
+				}
+
+				if err := formatNode(builder, projection); err != nil {
+					return err
+				}
+			}
+
+			if len(typedNextExpr.From) > 0 {
+				builder.Write(" from ")
+
+				if err := formatFromClauses(builder, typedNextExpr.From); err != nil {
+					return err
+				}
+			}
+
 		default:
-			return fmt.Errorf("unsupported node type: %T", nextExpr)
+			return fmt.Errorf("unable to format pgsql node type: %T", nextExpr)
 		}
 	}
 
diff --git a/packages/go/cypher/models/pgsql/functions.go b/packages/go/cypher/models/pgsql/functions.go
index 92bb29f247..be5267764a 100644
--- a/packages/go/cypher/models/pgsql/functions.go
+++ b/packages/go/cypher/models/pgsql/functions.go
@@ -24,6 +24,7 @@ const (
 	FunctionJSONBToTextArray       Identifier = "jsonb_to_text_array"
 	FunctionJSONBArrayElementsText Identifier = "jsonb_array_elements_text"
 	FunctionJSONBBuildObject       Identifier = "jsonb_build_object"
+	FunctionJSONBArrayLength       Identifier = "jsonb_array_length"
 	FunctionArrayLength            Identifier = "array_length"
 	FunctionArrayAggregate         Identifier = "array_agg"
 	FunctionMin                    Identifier = "min"
@@ -41,4 +42,5 @@ const (
 	FunctionCount                  Identifier = "count"
 	FunctionStringToArray          Identifier = "string_to_array"
 	FunctionEdgesToPath            Identifier = "edges_to_path"
+	FunctionExtract                Identifier = "extract"
 )
diff --git a/packages/go/cypher/models/pgsql/identifiers.go b/packages/go/cypher/models/pgsql/identifiers.go
index 4e19ab092a..582290bd93 100644
--- a/packages/go/cypher/models/pgsql/identifiers.go
+++ b/packages/go/cypher/models/pgsql/identifiers.go
@@ -25,8 +25,23 @@ import (
 
 const (
 	WildcardIdentifier Identifier = "*"
+	EpochIdentifier    Identifier = "epoch"
 )
 
+var reservedIdentifiers = []Identifier{
+	EpochIdentifier,
+}
+
+func IsReservedIdentifier(identifier Identifier) bool {
+	for _, reservedIdentifier := range reservedIdentifiers {
+		if identifier == reservedIdentifier {
+			return true
+		}
+	}
+
+	return false
+}
+
 func AsOptionalIdentifier(identifier Identifier) models.Optional[Identifier] {
 	return models.ValueOptional(identifier)
 }
diff --git a/packages/go/cypher/models/pgsql/model.go b/packages/go/cypher/models/pgsql/model.go
index acc97590b4..c890a855e0 100644
--- a/packages/go/cypher/models/pgsql/model.go
+++ b/packages/go/cypher/models/pgsql/model.go
@@ -403,9 +403,17 @@ type AnyExpression struct {
 }
 
 func NewAnyExpression(inner Expression) AnyExpression {
-	return AnyExpression{
+	newAnyExpression := AnyExpression{
 		Expression: inner,
 	}
+
+	// This is a guard to prevent recursive wrapping of an expression in an Any expression
+	switch innerTypeHint := inner.(type) {
+	case TypeHinted:
+		newAnyExpression.CastType = innerTypeHint.TypeHint()
+	}
+
+	return newAnyExpression
 }
 
 func (s AnyExpression) AsExpression() Expression {
@@ -972,6 +980,19 @@ func (s Projection) NodeType() string {
 	return "projection"
 }
 
+type ProjectionFrom struct {
+	Projection Projection
+	From       []FromClause
+}
+
+func (s ProjectionFrom) NodeType() string {
+	return "projection from"
+}
+
+func (s ProjectionFrom) AsExpression() Expression {
+	return s
+}
+
 // Select is a SQL expression that is evaluated to fetch data.
 type Select struct {
 	Distinct   bool
diff --git a/packages/go/cypher/models/pgsql/pgtypes.go b/packages/go/cypher/models/pgsql/pgtypes.go
index de4a12ba6f..8839e37971 100644
--- a/packages/go/cypher/models/pgsql/pgtypes.go
+++ b/packages/go/cypher/models/pgsql/pgtypes.go
@@ -93,6 +93,8 @@ const (
 	TextArray                DataType = "text[]"
 	JSONB                    DataType = "jsonb"
 	JSONBArray               DataType = "jsonb[]"
+	Numeric                  DataType = "numeric"
+	NumericArray             DataType = "numeric[]"
 	Date                     DataType = "date"
 	TimeWithTimeZone         DataType = "time with time zone"
 	TimeWithoutTimeZone      DataType = "time without time zone"
@@ -109,7 +111,8 @@ const (
 	ExpansionTerminalNode DataType = "expansion_terminal_node"
 )
 
-func (s DataType) Convert(other DataType) (DataType, bool) {
+// TODO: operator, while unused, is part of a refactor for this function to make it operator aware
+func (s DataType) Compatible(other DataType, operator Operator) (DataType, bool) {
 	if s == other {
 		return s, true
 	}
@@ -132,6 +135,12 @@ func (s DataType) Convert(other DataType) (DataType, bool) {
 		case Float8:
 			return Float8, true
 
+		case Float4Array:
+			return Float4, true
+
+		case Float8Array:
+			return Float8, true
+
 		case Text:
 			return Text, true
 		}
@@ -141,6 +150,21 @@ func (s DataType) Convert(other DataType) (DataType, bool) {
 		case Float4:
 			return Float8, true
 
+		case Float4Array, Float8Array:
+			return Float8, true
+
+		case Text:
+			return Text, true
+		}
+
+	case Numeric:
+		switch other {
+		case Float4, Float8, Int2, Int4, Int8:
+			return Numeric, true
+
+		case Float4Array, Float8Array, NumericArray:
+			return Numeric, true
+
 		case Text:
 			return Text, true
 		}
@@ -156,6 +180,15 @@ func (s DataType) Convert(other DataType) (DataType, bool) {
 		case Int8:
 			return Int8, true
 
+		case Int2Array:
+			return Int2, true
+
+		case Int4Array:
+			return Int4, true
+
+		case Int8Array:
+			return Int8, true
+
 		case Text:
 			return Text, true
 		}
@@ -168,6 +201,12 @@ func (s DataType) Convert(other DataType) (DataType, bool) {
 		case Int8:
 			return Int8, true
 
+		case Int2Array, Int4Array:
+			return Int4, true
+
+		case Int8Array:
+			return Int8, true
+
 		case Text:
 			return Text, true
 		}
@@ -177,9 +216,42 @@ func (s DataType) Convert(other DataType) (DataType, bool) {
 		case Int2, Int4, Int8:
 			return Int8, true
 
+		case Int2Array, Int4Array, Int8Array:
+			return Int8, true
+
+		case Text:
+			return Text, true
+		}
+
+	case Int:
+		switch other {
+		case Int2, Int4, Int:
+			return Int, true
+
+		case Int8:
+			return Int8, true
+
 		case Text:
 			return Text, true
 		}
+
+	case Int2Array:
+		switch other {
+		case Int2Array, Int4Array, Int8Array:
+			return other, true
+		}
+
+	case Int4Array:
+		switch other {
+		case Int4Array, Int8Array:
+			return other, true
+		}
+
+	case Float4Array:
+		switch other {
+		case Float4Array, Float8Array:
+			return other, true
+		}
 	}
 
 	return UnsetDataType, false
@@ -207,7 +279,7 @@ func (s DataType) MatchesOneOf(others ...DataType) bool {
 
 func (s DataType) IsArrayType() bool {
 	switch s {
-	case Int2Array, Int4Array, Int8Array, Float4Array, Float8Array, TextArray:
+	case Int2Array, Int4Array, Int8Array, Float4Array, Float8Array, TextArray, JSONBArray, NodeCompositeArray, EdgeCompositeArray, NumericArray:
 		return true
 	}
 
@@ -239,6 +311,8 @@ func (s DataType) ToArrayType() (DataType, error) {
 		return Float8Array, nil
 	case Text, TextArray:
 		return TextArray, nil
+	case Numeric, NumericArray:
+		return NumericArray, nil
 	default:
 		return UnknownDataType, ErrNoAvailableArrayDataType
 	}
@@ -258,8 +332,10 @@ func (s DataType) ArrayBaseType() (DataType, error) {
 		return Float8, nil
 	case TextArray:
 		return Text, nil
+	case NumericArray:
+		return Numeric, nil
 	default:
-		return UnknownDataType, ErrNonArrayDataType
+		return s, nil
 	}
 }
 
diff --git a/packages/go/cypher/models/pgsql/test/translation_cases/nodes.sql b/packages/go/cypher/models/pgsql/test/translation_cases/nodes.sql
index 8c18b2ed0b..69b09a8b98 100644
--- a/packages/go/cypher/models/pgsql/test/translation_cases/nodes.sql
+++ b/packages/go/cypher/models/pgsql/test/translation_cases/nodes.sql
@@ -82,7 +82,7 @@ with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0 from
      s1 as (select s0.n0 as n0, (n1.id, n1.kind_ids, n1.properties)::nodecomposite as n1
             from s0,
                  node n1
-            where (s0.n0).id = any (jsonb_to_text_array(n1.properties -> 'captured_ids')::int4[]))
+            where (s0.n0).id = any (jsonb_to_text_array(n1.properties -> 'captured_ids')::int8[]))
 select s1.n0 as s, s1.n1 as e
 from s1;
 
@@ -498,3 +498,66 @@ with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0
             where n0.properties ->> 'system_tags' like '%' || ('text')::text)
 select s0.n0 as n
 from s0;
+
+-- case: match (n:NodeKind1) where toString(n.functionallevel) in ['2008 R2','2012','2008','2003','2003 Interim','2000 Mixed/Native'] return n
+with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0
+            from node n0
+            where n0.kind_ids operator (pg_catalog.&&) array [1]::int2[]
+              and (n0.properties -> 'functionallevel')::text = any
+                  (array ['2008 R2', '2012', '2008', '2003', '2003 Interim', '2000 Mixed/Native']::text[]))
+select s0.n0 as n
+from s0;
+
+-- case: match (n:NodeKind1) where toInt(n.value) in [1, 2, 3, 4] return n
+with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0
+            from node n0
+            where n0.kind_ids operator (pg_catalog.&&) array [1]::int2[]
+              and (n0.properties -> 'value')::int8 = any (array [1, 2, 3, 4]::int8[]))
+select s0.n0 as n
+from s0;
+
+-- case: match (u:NodeKind1) where u.pwdlastset < (datetime().epochseconds - (365 * 86400)) and not u.pwdlastset IN [-1.0, 0.0] return u limit 100
+with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0
+            from node n0
+            where n0.kind_ids operator (pg_catalog.&&) array [1]::int2[]
+              and (n0.properties -> 'pwdlastset')::numeric <
+                  (extract(epoch from now()::timestamp with time zone)::numeric - (365 * 86400))
+              and not (n0.properties -> 'pwdlastset')::float8 = any (array [- 1, 0]::float8[]))
+select s0.n0 as u
+from s0
+limit 100;
+
+-- case: match (u:NodeKind1) where u.pwdlastset < (datetime().epochmillis - (365 * 86400000)) and not u.pwdlastset IN [-1.0, 0.0] return u limit 100
+with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0
+            from node n0
+            where n0.kind_ids operator (pg_catalog.&&) array [1]::int2[]
+              and (n0.properties -> 'pwdlastset')::numeric <
+                  (extract(epoch from now()::timestamp with time zone)::numeric * 1000 - (365 * 86400000))
+              and not (n0.properties -> 'pwdlastset')::float8 = any (array [- 1, 0]::float8[]))
+select s0.n0 as u
+from s0
+limit 100;
+
+-- case: match (n:NodeKind1) where size(n.array_value) > 0 return n
+with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0
+            from node n0
+            where n0.kind_ids operator (pg_catalog.&&) array [1]::int2[]
+              and jsonb_array_length(n0.properties -> 'array_value')::int > 0)
+select s0.n0 as n
+from s0;
+
+-- case: match (n) where 1 in n.array return n
+with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0
+            from node n0
+            where 1 = any (jsonb_to_text_array(n0.properties -> 'array')::int8[]))
+select s0.n0 as n
+from s0;
+
+-- case: match (n) where $p in n.array or $f in n.array return n
+-- cypher_params: {"p": 1, "f": "text"}
+with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0
+            from node n0
+            where @pi0::float8 = any (jsonb_to_text_array(n0.properties -> 'array')::float8[])
+               or @pi1::text = any (jsonb_to_text_array(n0.properties -> 'array')::text[]))
+select s0.n0 as n
+from s0;
diff --git a/packages/go/cypher/models/pgsql/test/translation_cases/pattern_binding.sql b/packages/go/cypher/models/pgsql/test/translation_cases/pattern_binding.sql
index 2c85c05023..4cb3465067 100644
--- a/packages/go/cypher/models/pgsql/test/translation_cases/pattern_binding.sql
+++ b/packages/go/cypher/models/pgsql/test/translation_cases/pattern_binding.sql
@@ -21,7 +21,7 @@ with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite
             from edge e0
                    join node n0 on n0.id = e0.start_id
                    join node n1 on n1.id = e0.end_id)
-select edges_to_path(variadic array [(s0.e0).id]::int4[])::pathcomposite as p
+select edges_to_path(variadic array [(s0.e0).id]::int8[])::pathcomposite as p
 from s0;
 
 -- case: match p = ()-[r1]->()-[r2]->(e) return e
@@ -92,7 +92,7 @@ with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite
                  edge e1
                    join node n2 on (n2.properties -> 'is_target')::bool and n2.id = e1.start_id
             where (s0.n1).id = e1.end_id)
-select edges_to_path(variadic array [(s1.e0).id, (s1.e1).id]::int4[])::pathcomposite as p
+select edges_to_path(variadic array [(s1.e0).id, (s1.e1).id]::int8[])::pathcomposite as p
 from s1;
 
 -- case: match p = ()-[*..]->() return p limit 1
@@ -126,7 +126,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id)
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id)
 select edges_to_path(variadic ep0)::pathcomposite as p
 from s0
 limit 1;
@@ -162,7 +162,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied),
      s1 as (select s0.e0                                                                     as e0,
                    s0.ep0                                                                    as ep0,
@@ -174,7 +174,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
                  edge e1
                    join node n2 on n2.id = e1.end_id
             where (s0.n1).id = e1.start_id)
-select edges_to_path(variadic array [(s1.e1).id]::int4[] || s1.ep0)::pathcomposite as p
+select edges_to_path(variadic array [(s1.e1).id]::int8[] || s1.ep0)::pathcomposite as p
 from s1
 limit 1;
 
@@ -220,8 +220,8 @@ with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite
                  ex0
                    join edge e1 on e1.id = any (ex0.path)
                    join node n1 on n1.id = ex0.root_id
-                   join node n2 on e1.id = ex0.path[array_length(ex0.path, 1)::int4] and n2.id = e1.end_id)
-select s1.e0 as e, edges_to_path(variadic array [(s1.e0).id]::int4[] || s1.ep0)::pathcomposite as p
+                   join node n2 on e1.id = ex0.path[array_length(ex0.path, 1)::int] and n2.id = e1.end_id)
+select s1.e0 as e, edges_to_path(variadic array [(s1.e0).id]::int8[] || s1.ep0)::pathcomposite as p
 from s1;
 
 -- case: match p = (m:NodeKind1)-[:EdgeKind1]->(c:NodeKind2) where m.objectid ends with "-513" and not toUpper(c.operatingsystem) contains "SERVER" return p limit 1000
@@ -235,6 +235,6 @@ with s0 as (select (n0.id, n0.kind_ids, n0.properties)::nodecomposite
                                    not upper(n1.properties ->> 'operatingsystem')::text like '%SERVER%' and
                                    n1.id = e0.end_id
             where e0.kind_id = any (array [11]::int2[]))
-select edges_to_path(variadic array [(s0.e0).id]::int4[])::pathcomposite as p
+select edges_to_path(variadic array [(s0.e0).id]::int8[])::pathcomposite as p
 from s0
 limit 1000;
diff --git a/packages/go/cypher/models/pgsql/test/translation_cases/pattern_expansion.sql b/packages/go/cypher/models/pgsql/test/translation_cases/pattern_expansion.sql
index e49a4e0e84..87da96d391 100644
--- a/packages/go/cypher/models/pgsql/test/translation_cases/pattern_expansion.sql
+++ b/packages/go/cypher/models/pgsql/test/translation_cases/pattern_expansion.sql
@@ -45,7 +45,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id)
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id)
 select s0.n0 as n, s0.n1 as e
 from s0;
 
@@ -80,7 +80,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied)
 select s0.n1 as e
 from s0;
@@ -119,7 +119,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied)
 select s0.n1 as e
 from s0;
@@ -155,7 +155,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied)
 select s0.n0 as n
 from s0;
@@ -191,7 +191,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied),
      s1 as (select s0.e0                                                                     as e0,
                    s0.ep0                                                                    as ep0,
@@ -237,7 +237,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied),
      s1 as (select s0.e0                                                                     as e0,
                    s0.ep0                                                                    as ep0,
@@ -286,7 +286,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
                  ex1
                    join edge e2 on e2.id = any (ex1.path)
                    join node n2 on n2.id = ex1.root_id
-                   join node n3 on e2.id = ex1.path[array_length(ex1.path, 1)::int4] and n3.id = e2.end_id)
+                   join node n3 on e2.id = ex1.path[array_length(ex1.path, 1)::int] and n3.id = e2.end_id)
 select s2.n3 as l
 from s2;
 
@@ -332,7 +332,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied)
 select edges_to_path(variadic ep0)::pathcomposite as p
 from s0
@@ -372,7 +372,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied
               and n0.id <> n1.id)
 select edges_to_path(variadic ep0)::pathcomposite as p
@@ -422,7 +422,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied)
 select edges_to_path(variadic ep0)::pathcomposite as p
 from s0;
@@ -463,7 +463,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.start_id)
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.start_id)
 select edges_to_path(variadic ep0)::pathcomposite as p
 from s0
 limit 10;
@@ -505,7 +505,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.start_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.start_id
             where ex0.satisfied),
      s1 as (with recursive ex1(root_id, next_id, depth, satisfied, is_cycle, path) as (select e1.start_id,
                                                                                               e1.end_id,
@@ -544,7 +544,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
                  ex1
                    join edge e1 on e1.id = any (ex1.path)
                    join node n1 on n1.id = ex1.root_id
-                   join node n2 on e1.id = ex1.path[array_length(ex1.path, 1)::int4] and n2.id = e1.start_id)
+                   join node n2 on e1.id = ex1.path[array_length(ex1.path, 1)::int] and n2.id = e1.start_id)
 select edges_to_path(variadic s1.ep1 || s1.ep0)::pathcomposite as p
 from s1
 limit 10;
@@ -593,7 +593,7 @@ with s0 as (with recursive ex0(root_id, next_id, depth, satisfied, is_cycle, pat
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied)
 select edges_to_path(variadic ep0)::pathcomposite as p
 from s0
diff --git a/packages/go/cypher/models/pgsql/test/translation_cases/shortest_paths.sql b/packages/go/cypher/models/pgsql/test/translation_cases/shortest_paths.sql
index 5544c30586..b7035887f1 100644
--- a/packages/go/cypher/models/pgsql/test/translation_cases/shortest_paths.sql
+++ b/packages/go/cypher/models/pgsql/test/translation_cases/shortest_paths.sql
@@ -28,7 +28,7 @@ with s0 as (with ex0(root_id, next_id, depth, satisfied, is_cycle, path)
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id)
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id)
 select edges_to_path(variadic ep0)::pathcomposite as p
 from s0;
 
@@ -46,7 +46,28 @@ with s0 as (with ex0(root_id, next_id, depth, satisfied, is_cycle, path)
             from ex0
                    join edge e0 on e0.id = any (ex0.path)
                    join node n0 on n0.id = ex0.root_id
-                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int4] and n1.id = e0.end_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
             where ex0.satisfied)
 select edges_to_path(variadic ep0)::pathcomposite as p
 from s0;
+
+-- case: match p=shortestPath((n:NodeKind1)-[:EdgeKind1*1..]->(m)) where 'admin_tier_0' in split(m.system_tags, ' ') and n.objectid ends with '-513' and n<>m return p limit 1000
+-- cypher_params: {}
+-- pgsql_params: {"pi0":"insert into next_pathspace (root_id, next_id, depth, satisfied, is_cycle, path) select e0.start_id, e0.end_id, 1, 'admin_tier_0' = any (string_to_array(n1.properties ->> 'system_tags', ' ')::text[]), e0.start_id = e0.end_id, array [e0.id] from edge e0 join node n0 on n0.kind_ids operator (pg_catalog.&&) array [1]::int2[] and n0.properties ->> 'objectid' like '%-513' and n0.id = e0.start_id join node n1 on n1.id = e0.end_id where e0.kind_id = any (array [11]::int2[]);", "pi1":"insert into next_pathspace (root_id, next_id, depth, satisfied, is_cycle, path) select ex0.root_id, e0.end_id, ex0.depth + 1, 'admin_tier_0' = any (string_to_array(n1.properties ->> 'system_tags', ' ')::text[]), e0.id = any (ex0.path), ex0.path || e0.id from pathspace ex0 join edge e0 on e0.start_id = ex0.next_id join node n1 on n1.id = e0.end_id where ex0.depth < 5 and not ex0.is_cycle and e0.kind_id = any (array [11]::int2[]);"}
+with s0 as (with ex0(root_id, next_id, depth, satisfied, is_cycle, path)
+                   as (select * from asp_harness(@pi0::text, @pi1::text, 5))
+            select (n0.id, n0.kind_ids, n0.properties)::nodecomposite as n0,
+                   (select array_agg((e0.id, e0.start_id, e0.end_id, e0.kind_id, e0.properties)::edgecomposite)
+                    from edge e0
+                    where e0.id = any (ex0.path))                     as e0,
+                   ex0.path                                           as ep0,
+                   (n1.id, n1.kind_ids, n1.properties)::nodecomposite as n1
+            from ex0
+                   join edge e0 on e0.id = any (ex0.path)
+                   join node n0 on n0.id = ex0.root_id
+                   join node n1 on e0.id = ex0.path[array_length(ex0.path, 1)::int] and n1.id = e0.end_id
+            where ex0.satisfied
+              and n0.id <> n1.id)
+select edges_to_path(variadic ep0)::pathcomposite as p
+from s0
+limit 1000;
diff --git a/packages/go/cypher/models/pgsql/translate/expansion.go b/packages/go/cypher/models/pgsql/translate/expansion.go
index 872b66c2bb..e819d7cb07 100644
--- a/packages/go/cypher/models/pgsql/translate/expansion.go
+++ b/packages/go/cypher/models/pgsql/translate/expansion.go
@@ -320,7 +320,7 @@ func (s *Translator) buildAllShortestPathsExpansionRoot(part *PatternPart, trave
 									pgsql.CompoundIdentifier{traversalStep.Expansion.Value.Binding.Identifier, expansionPath},
 									pgsql.NewLiteral(1, pgsql.Int8),
 								},
-								CastType: pgsql.Int4,
+								CastType: pgsql.Int,
 							},
 						},
 					},
@@ -417,8 +417,15 @@ func (s *Translator) buildAllShortestPathsExpansionRoot(part *PatternPart, trave
 					),
 				}
 
-				// Make sure to only accept paths that are satisfied
-				expansion.ProjectionStatement.Where = pgsql.CompoundIdentifier{traversalStep.Expansion.Value.Binding.Identifier, expansionSatisfied}
+				// Constraints that target the terminal node may crop up here where it's finally in scope. Additionally,
+				// only accept paths that are marked satisfied from the recursive descent CTE
+				if constraints, err := consumeConstraintsFrom(traversalStep.Expansion.Value.Frame.Visible, s.treeTranslator.IdentifierConstraints); err != nil {
+					return pgsql.Query{}, err
+				} else if projectionConstraints, err := ConjoinExpressions([]pgsql.Expression{pgsql.CompoundIdentifier{traversalStep.Expansion.Value.Binding.Identifier, expansionSatisfied}, constraints.Expression}); err != nil {
+					return pgsql.Query{}, err
+				} else {
+					expansion.ProjectionStatement.Where = projectionConstraints
+				}
 			}
 		} else {
 			expansion.PrimerStatement.Projection = []pgsql.SelectItem{
@@ -653,7 +660,7 @@ func (s *Translator) buildExpansionPatternRoot(part *PatternPart, traversalStep
 									pgsql.CompoundIdentifier{traversalStep.Expansion.Value.Binding.Identifier, expansionPath},
 									pgsql.NewLiteral(1, pgsql.Int8),
 								},
-								CastType: pgsql.Int4,
+								CastType: pgsql.Int,
 							},
 						},
 					},
@@ -940,7 +947,7 @@ func (s *Translator) buildExpansionPatternStep(part *PatternPart, traversalStep
 									pgsql.CompoundIdentifier{traversalStep.Expansion.Value.Binding.Identifier, expansionPath},
 									pgsql.NewLiteral(1, pgsql.Int8),
 								},
-								CastType: pgsql.Int4,
+								CastType: pgsql.Int,
 							},
 						},
 					},
diff --git a/packages/go/cypher/models/pgsql/translate/expression.go b/packages/go/cypher/models/pgsql/translate/expression.go
index 1da57810e6..1fdd24a364 100644
--- a/packages/go/cypher/models/pgsql/translate/expression.go
+++ b/packages/go/cypher/models/pgsql/translate/expression.go
@@ -31,8 +31,15 @@ type PropertyLookup struct {
 }
 
 func asPropertyLookup(expression pgsql.Expression) (*pgsql.BinaryExpression, bool) {
-	if binaryExpression, isBinaryExpression := expression.(*pgsql.BinaryExpression); isBinaryExpression {
-		return binaryExpression, pgsql.OperatorIsPropertyLookup(binaryExpression.Operator)
+	switch typedExpression := expression.(type) {
+	case pgsql.AnyExpression:
+		// This is here to unwrap Any expressions that have been passed in as a property lookup. This is
+		// common when dealing with array operators. In the future this check should be handled by the
+		// caller to simplify the logic here.
+		return asPropertyLookup(typedExpression.Expression)
+
+	case *pgsql.BinaryExpression:
+		return typedExpression, pgsql.OperatorIsPropertyLookup(typedExpression.Operator)
 	}
 
 	return nil, false
@@ -64,10 +71,17 @@ func ExtractSyntaxNodeReferences(root pgsql.SyntaxNode) (*pgsql.IdentifierSet, e
 		func(node pgsql.SyntaxNode, errorHandler walk.CancelableErrorHandler) {
 			switch typedNode := node.(type) {
 			case pgsql.Identifier:
-				dependencies.Add(typedNode)
+				// Filter for reserved identifiers
+				if !pgsql.IsReservedIdentifier(typedNode) {
+					dependencies.Add(typedNode)
+				}
 
 			case pgsql.CompoundIdentifier:
-				dependencies.Add(typedNode.Root())
+				identifier := typedNode.Root()
+
+				if !pgsql.IsReservedIdentifier(identifier) {
+					dependencies.Add(identifier)
+				}
 			}
 		},
 	))
@@ -83,7 +97,6 @@ func applyUnaryExpressionTypeHints(expression *pgsql.UnaryExpression) error {
 
 func rewritePropertyLookupOperator(propertyLookup *pgsql.BinaryExpression, dataType pgsql.DataType) pgsql.Expression {
 	if dataType.IsArrayType() {
-		// This property lookup needs to be coerced into an array type using a function
 		return pgsql.FunctionCall{
 			Function:   pgsql.FunctionJSONBToTextArray,
 			Parameters: []pgsql.Expression{propertyLookup},
@@ -126,7 +139,7 @@ func inferBinaryExpressionType(expression *pgsql.BinaryExpression) (pgsql.DataTy
 
 	if isLeftHinted {
 		if isRightHinted {
-			if higherLevelHint, matchesOrConverts := leftHint.Convert(rightHint); !matchesOrConverts {
+			if higherLevelHint, matchesOrConverts := leftHint.Compatible(rightHint, expression.Operator); !matchesOrConverts {
 				return pgsql.UnsetDataType, fmt.Errorf("left and right operands for binary expression \"%s\" are not compatible: %s != %s", expression.Operator, leftHint, rightHint)
 			} else {
 				return higherLevelHint, nil
@@ -136,44 +149,52 @@ func inferBinaryExpressionType(expression *pgsql.BinaryExpression) (pgsql.DataTy
 		} else if inferredRightHint == pgsql.UnknownDataType {
 			// Assume the right side is convertable and return the left operand hint
 			return leftHint, nil
-		} else if upcastHint, matchesOrConverts := leftHint.Convert(inferredRightHint); !matchesOrConverts {
+		} else if upcastHint, matchesOrConverts := leftHint.Compatible(inferredRightHint, expression.Operator); !matchesOrConverts {
 			return pgsql.UnsetDataType, fmt.Errorf("left and right operands for binary expression \"%s\" are not compatible: %s != %s", expression.Operator, leftHint, inferredRightHint)
 		} else {
 			return upcastHint, nil
 		}
 	} else if isRightHinted {
 		// There's no left type, attempt to infer it
-		if inferredLeftHint, err := InferExpressionType(expression.ROperand); err != nil {
+		if inferredLeftHint, err := InferExpressionType(expression.LOperand); err != nil {
 			return pgsql.UnsetDataType, err
 		} else if inferredLeftHint == pgsql.UnknownDataType {
 			// Assume the right side is convertable and return the left operand hint
 			return rightHint, nil
-		} else if upcastHint, matchesOrConverts := rightHint.Convert(inferredLeftHint); !matchesOrConverts {
-			return pgsql.UnsetDataType, fmt.Errorf("left and right operands for binary expression \"%s\" are not compatible: %s != %s", expression.Operator, leftHint, inferredLeftHint)
+		} else if upcastHint, matchesOrConverts := rightHint.Compatible(inferredLeftHint, expression.Operator); !matchesOrConverts {
+			return pgsql.UnsetDataType, fmt.Errorf("left and right operands for binary expression \"%s\" are not compatible: %s != %s", expression.Operator, rightHint, inferredLeftHint)
 		} else {
 			return upcastHint, nil
 		}
-	} else if inferredLeftHint, err := InferExpressionType(expression.LOperand); err != nil {
-		return pgsql.UnsetDataType, err
-	} else if inferredRightHint, err := InferExpressionType(expression.ROperand); err != nil {
-		return pgsql.UnsetDataType, err
-	} else if inferredLeftHint == pgsql.UnknownDataType && inferredRightHint == pgsql.UnknownDataType {
-		// If neither side has type information then check the operator to see if it implies some type hinting
+	} else {
+		// If neither side has specific type information then check the operator to see if it implies some type
+		// hinting before resorting to inference
 		switch expression.Operator {
 		case pgsql.OperatorStartsWith, pgsql.OperatorContains, pgsql.OperatorEndsWith:
 			// String operations imply the operands must be text
 			return pgsql.Text, nil
 
-		// TODO: Boolean inference for OperatorAnd and OperatorOr may want to be plumbed here
+		case pgsql.OperatorAnd, pgsql.OperatorOr:
+			// Boolean operators that the operands must be boolean
+			return pgsql.Boolean, nil
 
 		default:
-			// Unable to infer any type information
-			return pgsql.UnknownDataType, nil
+			// The operator does not imply specific type information onto the operands. Attempt to infer any
+			// information as a last ditch effort to type the AST nodes
+			if inferredLeftHint, err := InferExpressionType(expression.LOperand); err != nil {
+				return pgsql.UnsetDataType, err
+			} else if inferredRightHint, err := InferExpressionType(expression.ROperand); err != nil {
+				return pgsql.UnsetDataType, err
+			} else if inferredLeftHint == pgsql.UnknownDataType && inferredRightHint == pgsql.UnknownDataType {
+				// Unable to infer any type information, this may be resolved elsewhere so this is not explicitly
+				// an error condition
+				return pgsql.UnknownDataType, nil
+			} else if higherLevelHint, matchesOrConverts := inferredLeftHint.Compatible(inferredRightHint, expression.Operator); !matchesOrConverts {
+				return pgsql.UnsetDataType, fmt.Errorf("left and right operands for binary expression \"%s\" are not compatible: %s != %s", expression.Operator, inferredLeftHint, inferredRightHint)
+			} else {
+				return higherLevelHint, nil
+			}
 		}
-	} else if higherLevelHint, matchesOrConverts := inferredLeftHint.Convert(inferredRightHint); !matchesOrConverts {
-		return pgsql.UnsetDataType, fmt.Errorf("left and right operands for binary expression \"%s\" are not compatible: %s != %s", expression.Operator, leftHint, inferredLeftHint)
-	} else {
-		return higherLevelHint, nil
 	}
 }
 
@@ -191,7 +212,7 @@ func InferExpressionType(expression pgsql.Expression) (pgsql.DataType, error) {
 		// Infer type information for well known column names
 		switch typedExpression[1] {
 		case pgsql.ColumnGraphID, pgsql.ColumnID, pgsql.ColumnStartID, pgsql.ColumnEndID:
-			return pgsql.Int4, nil
+			return pgsql.Int8, nil
 
 		case pgsql.ColumnKindID:
 			return pgsql.Int2, nil
@@ -215,13 +236,18 @@ func InferExpressionType(expression pgsql.Expression) (pgsql.DataType, error) {
 			// This is unknown, not unset meaning that it can be re-cast by future inference inspections
 			return pgsql.UnknownDataType, nil
 
-		case pgsql.OperatorAnd, pgsql.OperatorOr:
+		case pgsql.OperatorAnd, pgsql.OperatorOr, pgsql.OperatorEquals, pgsql.OperatorGreaterThan, pgsql.OperatorGreaterThanOrEqualTo,
+			pgsql.OperatorLessThan, pgsql.OperatorLessThanOrEqualTo, pgsql.OperatorIn, pgsql.OperatorJSONBFieldExists,
+			pgsql.OperatorLike, pgsql.OperatorILike, pgsql.OperatorPGArrayOverlap:
 			return pgsql.Boolean, nil
 
 		default:
 			return inferBinaryExpressionType(typedExpression)
 		}
 
+	case pgsql.Parenthetical:
+		return InferExpressionType(typedExpression.Expression)
+
 	default:
 		log.Infof("unable to infer type hint for expression type: %T", expression)
 		return pgsql.UnknownDataType, nil
@@ -263,31 +289,65 @@ func TypeCastExpression(expression pgsql.Expression, dataType pgsql.DataType) (p
 	return pgsql.NewTypeCast(expression, dataType), nil
 }
 
-func rewritePropertyLookupOperands(expression *pgsql.BinaryExpression, expressionTypeHint pgsql.DataType) error {
-	if leftPropertyLookup, isPropertyLookup := asPropertyLookup(expression.LOperand); isPropertyLookup {
-		if lookupRequiresElementType(expressionTypeHint, expression.Operator, expression.ROperand) {
-			// Take the base type of the array type hint: <unit> in <collection>
-			if arrayBaseType, err := expressionTypeHint.ArrayBaseType(); err != nil {
-				return err
-			} else {
-				expressionTypeHint = arrayBaseType
-			}
-		}
+func rewritePropertyLookupOperands(expression *pgsql.BinaryExpression) error {
+	var (
+		leftPropertyLookup, hasLeftPropertyLookup   = asPropertyLookup(expression.LOperand)
+		rightPropertyLookup, hasRightPropertyLookup = asPropertyLookup(expression.ROperand)
+	)
 
-		expression.LOperand = rewritePropertyLookupOperator(leftPropertyLookup, expressionTypeHint)
+	// Don't rewrite direct property comparisons
+	if hasLeftPropertyLookup && hasRightPropertyLookup {
+		return nil
 	}
 
-	if rightPropertyLookup, isPropertyLookup := asPropertyLookup(expression.ROperand); isPropertyLookup {
-		if lookupRequiresElementType(expressionTypeHint, expression.Operator, expression.LOperand) {
-			// Take the base type of the array type hint: <unit> in <collection>
-			if arrayBaseType, err := expressionTypeHint.ArrayBaseType(); err != nil {
+	if hasLeftPropertyLookup {
+		// This check exists here to prevent from overwriting a property lookup that's part of a <value> in <list>
+		// binary expression. This may want for better ergonomics in the future
+		if anyExpression, isAnyExpression := expression.ROperand.(pgsql.AnyExpression); isAnyExpression {
+			if arrayBaseType, err := anyExpression.CastType.ArrayBaseType(); err != nil {
 				return err
 			} else {
-				expressionTypeHint = arrayBaseType
+				expression.LOperand = rewritePropertyLookupOperator(leftPropertyLookup, arrayBaseType)
+			}
+		} else if rOperandTypeHint, err := InferExpressionType(expression.ROperand); err != nil {
+			return err
+		} else {
+			switch expression.Operator {
+			case pgsql.OperatorIn:
+				if arrayBaseType, err := rOperandTypeHint.ArrayBaseType(); err != nil {
+					return err
+				} else {
+					expression.LOperand = rewritePropertyLookupOperator(leftPropertyLookup, arrayBaseType)
+				}
+
+			case pgsql.OperatorStartsWith, pgsql.OperatorEndsWith, pgsql.OperatorContains, pgsql.OperatorRegexMatch:
+				expression.LOperand = rewritePropertyLookupOperator(leftPropertyLookup, pgsql.Text)
+
+			default:
+				expression.LOperand = rewritePropertyLookupOperator(leftPropertyLookup, rOperandTypeHint)
 			}
 		}
+	}
+
+	if hasRightPropertyLookup {
+		if lOperandTypeHint, err := InferExpressionType(expression.LOperand); err != nil {
+			return err
+		} else {
+			switch expression.Operator {
+			case pgsql.OperatorIn:
+				if arrayType, err := lOperandTypeHint.ToArrayType(); err != nil {
+					return err
+				} else {
+					expression.ROperand = rewritePropertyLookupOperator(rightPropertyLookup, arrayType)
+				}
+
+			case pgsql.OperatorStartsWith, pgsql.OperatorEndsWith, pgsql.OperatorContains, pgsql.OperatorRegexMatch:
+				expression.ROperand = rewritePropertyLookupOperator(rightPropertyLookup, pgsql.Text)
 
-		expression.ROperand = rewritePropertyLookupOperator(rightPropertyLookup, expressionTypeHint)
+			default:
+				expression.ROperand = rewritePropertyLookupOperator(rightPropertyLookup, lOperandTypeHint)
+			}
+		}
 	}
 
 	return nil
@@ -301,11 +361,7 @@ func applyBinaryExpressionTypeHints(expression *pgsql.BinaryExpression) error {
 		return nil
 	}
 
-	if expressionTypeHint, err := InferExpressionType(expression); err != nil {
-		return err
-	} else {
-		return rewritePropertyLookupOperands(expression, expressionTypeHint)
-	}
+	return rewritePropertyLookupOperands(expression)
 }
 
 type Builder struct {
diff --git a/packages/go/cypher/models/pgsql/translate/expression_test.go b/packages/go/cypher/models/pgsql/translate/expression_test.go
index 802c9eab75..1e514ce38e 100644
--- a/packages/go/cypher/models/pgsql/translate/expression_test.go
+++ b/packages/go/cypher/models/pgsql/translate/expression_test.go
@@ -72,7 +72,7 @@ func TestInferExpressionType(t *testing.T) {
 			),
 		),
 	}, {
-		ExpectedType: pgsql.Text,
+		ExpectedType: pgsql.Boolean,
 		Expression: pgsql.NewBinaryExpression(
 			mustAsLiteral("123"),
 			pgsql.OperatorIn,
diff --git a/packages/go/cypher/models/pgsql/translate/projection.go b/packages/go/cypher/models/pgsql/translate/projection.go
index 6bf21f4920..5b3259dfbd 100644
--- a/packages/go/cypher/models/pgsql/translate/projection.go
+++ b/packages/go/cypher/models/pgsql/translate/projection.go
@@ -197,7 +197,7 @@ func buildProjection(alias pgsql.Identifier, projected *BoundIdentifier, scope *
 				pgsql.OperatorConcatenate,
 				pgsql.ArrayLiteral{
 					Values:   edgeReferences,
-					CastType: pgsql.Int4Array,
+					CastType: pgsql.Int8Array,
 				},
 			)
 		}
diff --git a/packages/go/cypher/models/pgsql/translate/translation.go b/packages/go/cypher/models/pgsql/translate/translation.go
index 03eb58cd20..5bc71308a9 100644
--- a/packages/go/cypher/models/pgsql/translate/translation.go
+++ b/packages/go/cypher/models/pgsql/translate/translation.go
@@ -60,6 +60,76 @@ func (s *Translator) translateRemoveItem(removeItem *cypher.RemoveItem) error {
 	return nil
 }
 
+func (s *Translator) translatePropertyLookup(lookup *cypher.PropertyLookup) {
+	if translatedAtom, err := s.treeTranslator.Pop(); err != nil {
+		s.SetError(err)
+	} else {
+		switch typedTranslatedAtom := translatedAtom.(type) {
+		case pgsql.Identifier:
+			if fieldIdentifierLiteral, err := pgsql.AsLiteral(lookup.Symbols[0]); err != nil {
+				s.SetError(err)
+			} else {
+				s.treeTranslator.Push(pgsql.CompoundIdentifier{typedTranslatedAtom, pgsql.ColumnProperties})
+				s.treeTranslator.Push(fieldIdentifierLiteral)
+
+				if err := s.treeTranslator.PopPushOperator(s.query.Scope, pgsql.OperatorPropertyLookup); err != nil {
+					s.SetError(err)
+				}
+			}
+
+		case pgsql.FunctionCall:
+			if fieldIdentifierLiteral, err := pgsql.AsLiteral(lookup.Symbols[0]); err != nil {
+				s.SetError(err)
+			} else if componentName, typeOK := fieldIdentifierLiteral.Value.(string); !typeOK {
+				s.SetErrorf("expected a string component name in translated literal but received type: %T", fieldIdentifierLiteral.Value)
+			} else {
+				switch typedTranslatedAtom.Function {
+				case pgsql.FunctionCurrentDate, pgsql.FunctionLocalTime, pgsql.FunctionCurrentTime, pgsql.FunctionLocalTimestamp, pgsql.FunctionNow:
+					switch componentName {
+					case cypher.ITTCEpochSeconds:
+						s.treeTranslator.Push(pgsql.FunctionCall{
+							Function: pgsql.FunctionExtract,
+							Parameters: []pgsql.Expression{pgsql.ProjectionFrom{
+								Projection: []pgsql.SelectItem{
+									pgsql.EpochIdentifier,
+								},
+								From: []pgsql.FromClause{{
+									Source: translatedAtom,
+								}},
+							}},
+							CastType: pgsql.Numeric,
+						})
+
+					case cypher.ITTCEpochMilliseconds:
+						s.treeTranslator.Push(pgsql.NewBinaryExpression(
+							pgsql.FunctionCall{
+								Function: pgsql.FunctionExtract,
+								Parameters: []pgsql.Expression{pgsql.ProjectionFrom{
+									Projection: []pgsql.SelectItem{
+										pgsql.EpochIdentifier,
+									},
+									From: []pgsql.FromClause{{
+										Source: translatedAtom,
+									}},
+								}},
+								CastType: pgsql.Numeric,
+							},
+							pgsql.OperatorMultiply,
+							pgsql.NewLiteral(1000, pgsql.Int4),
+						))
+
+					default:
+						s.SetErrorf("unsupported date time instant type component %s from function call %s", componentName, typedTranslatedAtom.Function)
+					}
+
+				default:
+					s.SetErrorf("unsupported instant type component %s from function call %s", componentName, typedTranslatedAtom.Function)
+				}
+			}
+		}
+	}
+}
+
 func (s *Translator) translateSetItem(setItem *cypher.SetItem) error {
 	if operator, err := translateCypherAssignmentOperator(setItem.Operator); err != nil {
 		return err
diff --git a/packages/go/cypher/models/pgsql/translate/translator.go b/packages/go/cypher/models/pgsql/translate/translator.go
index 68b057f5f6..02fa92daca 100644
--- a/packages/go/cypher/models/pgsql/translate/translator.go
+++ b/packages/go/cypher/models/pgsql/translate/translator.go
@@ -128,7 +128,7 @@ func (s *Translator) Enter(expression cypher.SyntaxNode) {
 	case *cypher.RegularQuery, *cypher.SingleQuery, *cypher.PatternElement, *cypher.Return,
 		*cypher.Comparison, *cypher.Skip, *cypher.Limit, cypher.Operator, *cypher.ArithmeticExpression,
 		*cypher.NodePattern, *cypher.RelationshipPattern, *cypher.Remove, *cypher.Set,
-		*cypher.ReadingClause, *cypher.UnaryAddOrSubtractExpression:
+		*cypher.ReadingClause, *cypher.UnaryAddOrSubtractExpression, *cypher.PropertyLookup:
 	// No operation for these syntax nodes
 
 	case *cypher.Negation:
@@ -259,27 +259,6 @@ func (s *Translator) Enter(expression cypher.SyntaxNode) {
 	case *cypher.FunctionInvocation:
 		s.pushState(StateTranslatingNestedExpression)
 
-	case *cypher.PropertyLookup:
-		if variable, isVariable := typedExpression.Atom.(*cypher.Variable); !isVariable {
-			s.SetErrorf("expected variable for property lookup reference but found type: %T", typedExpression.Atom)
-		} else if resolved, isResolved := s.query.Scope.LookupString(variable.Symbol); !isResolved {
-			s.SetErrorf("unable to resolve identifier: %s", variable.Symbol)
-		} else {
-			switch currentState := s.currentState(); currentState {
-			case StateTranslatingNestedExpression:
-				// TODO: Cypher does not support nested property references so the Symbols slice should be a string
-				if fieldIdentifierLiteral, err := pgsql.AsLiteral(typedExpression.Symbols[0]); err != nil {
-					s.SetError(err)
-				} else {
-					s.treeTranslator.Push(pgsql.CompoundIdentifier{resolved.Identifier, pgsql.ColumnProperties})
-					s.treeTranslator.Push(fieldIdentifierLiteral)
-				}
-
-			default:
-				s.SetErrorf("invalid state \"%s\" for cypher AST node %T", s.currentState(), expression)
-			}
-		}
-
 	case *cypher.Order:
 		s.pushState(StateTranslatingOrderBy)
 
@@ -610,6 +589,31 @@ func (s *Translator) Exit(expression cypher.SyntaxNode) {
 				})
 			}
 
+		case cypher.ListSizeFunction:
+			if typedExpression.NumArguments() > 1 {
+				s.SetError(fmt.Errorf("expected only one argument for cypher function: %s", typedExpression.Name))
+			} else if argument, err := s.treeTranslator.Pop(); err != nil {
+				s.SetError(err)
+			} else {
+				var functionCall pgsql.FunctionCall
+
+				if _, isPropertyLookup := asPropertyLookup(argument); isPropertyLookup {
+					functionCall = pgsql.FunctionCall{
+						Function:   pgsql.FunctionJSONBArrayLength,
+						Parameters: []pgsql.Expression{argument},
+						CastType:   pgsql.Int,
+					}
+				} else {
+					functionCall = pgsql.FunctionCall{
+						Function:   pgsql.FunctionArrayLength,
+						Parameters: []pgsql.Expression{argument, pgsql.NewLiteral(1, pgsql.Int)},
+						CastType:   pgsql.Int,
+					}
+				}
+
+				s.treeTranslator.Push(functionCall)
+			}
+
 		case cypher.ToUpperFunction:
 			if typedExpression.NumArguments() > 1 {
 				s.SetError(fmt.Errorf("expected only one argument for cypher function: %s", typedExpression.Name))
@@ -628,6 +632,24 @@ func (s *Translator) Exit(expression cypher.SyntaxNode) {
 				})
 			}
 
+		case cypher.ToStringFunction:
+			if typedExpression.NumArguments() > 1 {
+				s.SetError(fmt.Errorf("expected only one argument for cypher function: %s", typedExpression.Name))
+			} else if argument, err := s.treeTranslator.Pop(); err != nil {
+				s.SetError(err)
+			} else {
+				s.treeTranslator.Push(pgsql.NewTypeCast(argument, pgsql.Text))
+			}
+
+		case cypher.ToIntegerFunction:
+			if typedExpression.NumArguments() > 1 {
+				s.SetError(fmt.Errorf("expected only one argument for cypher function: %s", typedExpression.Name))
+			} else if argument, err := s.treeTranslator.Pop(); err != nil {
+				s.SetError(err)
+			} else {
+				s.treeTranslator.Push(pgsql.NewTypeCast(argument, pgsql.Int8))
+			}
+
 		default:
 			s.SetErrorf("unknown cypher function: %s", typedExpression.Name)
 		}
@@ -715,24 +737,7 @@ func (s *Translator) Exit(expression cypher.SyntaxNode) {
 		}
 
 	case *cypher.PropertyLookup:
-		switch currentState := s.currentState(); currentState {
-		case StateTranslatingNestedExpression:
-			if err := s.treeTranslator.PopPushOperator(s.query.Scope, pgsql.OperatorPropertyLookup); err != nil {
-				s.SetError(err)
-			}
-
-		case StateTranslatingProjection:
-			if nextExpression, err := s.treeTranslator.Pop(); err != nil {
-				s.SetError(err)
-			} else if selectItem, isProjection := nextExpression.(pgsql.SelectItem); !isProjection {
-				s.SetErrorf("invalid type for select item: %T", nextExpression)
-			} else {
-				s.projections.CurrentProjection().SelectItem = selectItem
-			}
-
-		default:
-			s.SetErrorf("invalid state \"%s\" for cypher AST node %T", s.currentState(), expression)
-		}
+		s.translatePropertyLookup(typedExpression)
 
 	case *cypher.PartialComparison:
 		switch currentState := s.currentState(); currentState {
diff --git a/packages/go/cypher/models/walk/walk_cypher.go b/packages/go/cypher/models/walk/walk_cypher.go
index ee7d0a581a..f7f5a35c6d 100644
--- a/packages/go/cypher/models/walk/walk_cypher.go
+++ b/packages/go/cypher/models/walk/walk_cypher.go
@@ -36,12 +36,18 @@ func cypherSyntaxNodeSliceTypeConvert[F any, FS []F](fs FS) ([]cypher.SyntaxNode
 func newCypherWalkCursor(node cypher.SyntaxNode) (*Cursor[cypher.SyntaxNode], error) {
 	switch typedNode := node.(type) {
 	// Types with no AST branches
-	case *cypher.RangeQuantifier, *cypher.PropertyLookup, cypher.Operator, *cypher.KindMatcher,
+	case *cypher.RangeQuantifier, cypher.Operator, *cypher.KindMatcher,
 		*cypher.Limit, *cypher.Skip, graph.Kinds, *cypher.Parameter:
 		return &Cursor[cypher.SyntaxNode]{
 			Node: node,
 		}, nil
 
+	case *cypher.PropertyLookup:
+		return &Cursor[cypher.SyntaxNode]{
+			Node:     node,
+			Branches: []cypher.SyntaxNode{typedNode.Atom},
+		}, nil
+
 	case *cypher.MapItem:
 		return &Cursor[cypher.SyntaxNode]{
 			Node:     node,
diff --git a/packages/go/cypher/models/walk/walk_pgsql.go b/packages/go/cypher/models/walk/walk_pgsql.go
index 65df9c7cce..29924ae140 100644
--- a/packages/go/cypher/models/walk/walk_pgsql.go
+++ b/packages/go/cypher/models/walk/walk_pgsql.go
@@ -321,6 +321,16 @@ func newSQLWalkCursor(node pgsql.SyntaxNode) (*Cursor[pgsql.SyntaxNode], error)
 			Branches: []pgsql.SyntaxNode{typedNode.Subquery},
 		}, nil
 
+	case pgsql.ProjectionFrom:
+		if branches, err := pgsqlSyntaxNodeSliceTypeConvert(typedNode.From); err != nil {
+			return nil, err
+		} else {
+			return &Cursor[pgsql.SyntaxNode]{
+				Node:     node,
+				Branches: append([]pgsql.SyntaxNode{typedNode.Projection}, branches...),
+			}, nil
+		}
+
 	default:
 		return nil, fmt.Errorf("unable to negotiate sql type %T into a translation cursor", node)
 	}
diff --git a/packages/go/dawgs/drivers/pg/query/sql/schema_up.sql b/packages/go/dawgs/drivers/pg/query/sql/schema_up.sql
index 3ba6038445..3876967d2c 100644
--- a/packages/go/dawgs/drivers/pg/query/sql/schema_up.sql
+++ b/packages/go/dawgs/drivers/pg/query/sql/schema_up.sql
@@ -190,7 +190,6 @@ execute procedure delete_node_edges();
 alter table edge
   alter column properties set storage main;
 
-
 -- Index on the graph ID of each edge.
 create index if not exists edge_graph_id_index on edge using btree (graph_id);
 
diff --git a/packages/go/dawgs/drivers/pg/types.go b/packages/go/dawgs/drivers/pg/types.go
index a0305b84af..3ce3ae9f01 100644
--- a/packages/go/dawgs/drivers/pg/types.go
+++ b/packages/go/dawgs/drivers/pg/types.go
@@ -60,11 +60,76 @@ func castMapValueAsSliceOf[T any](compositeMap map[string]any, key string) ([]T,
 func castAndAssignMapValue[T any](compositeMap map[string]any, key string, dst *T) error {
 	if src, hasKey := compositeMap[key]; !hasKey {
 		return fmt.Errorf("composite map does not contain expected key %s", key)
-	} else if typed, typeOK := src.(T); !typeOK {
-		var empty T
-		return fmt.Errorf("expected type %T but received %T", empty, src)
 	} else {
-		*dst = typed
+		switch typedSrc := src.(type) {
+		case int8:
+			switch typedDst := any(dst).(type) {
+			case *int8:
+				*typedDst = typedSrc
+			case *int16:
+				*typedDst = int16(typedSrc)
+			case *int32:
+				*typedDst = int32(typedSrc)
+			case *int64:
+				*typedDst = int64(typedSrc)
+			case *int:
+				*typedDst = int(typedSrc)
+			default:
+				return fmt.Errorf("unable to cast and assign value type: %T", src)
+			}
+
+		case int16:
+			switch typedDst := any(dst).(type) {
+			case *int16:
+				*typedDst = typedSrc
+			case *int32:
+				*typedDst = int32(typedSrc)
+			case *int64:
+				*typedDst = int64(typedSrc)
+			case *int:
+				*typedDst = int(typedSrc)
+			default:
+				return fmt.Errorf("unable to cast and assign value type: %T", src)
+			}
+
+		case int32:
+			switch typedDst := any(dst).(type) {
+			case *int32:
+				*typedDst = typedSrc
+			case *int64:
+				*typedDst = int64(typedSrc)
+			case *int:
+				*typedDst = int(typedSrc)
+			default:
+				return fmt.Errorf("unable to cast and assign value type: %T", src)
+			}
+
+		case int64:
+			switch typedDst := any(dst).(type) {
+			case *int64:
+				*typedDst = typedSrc
+			case *int:
+				*typedDst = int(typedSrc)
+			default:
+				return fmt.Errorf("unable to cast and assign value type: %T", src)
+			}
+
+		case int:
+			switch typedDst := any(dst).(type) {
+			case *int64:
+				*typedDst = int64(typedSrc)
+			case *int:
+				*typedDst = typedSrc
+			default:
+				return fmt.Errorf("unable to cast and assign value type: %T", src)
+			}
+
+		case T:
+			*dst = typedSrc
+
+		default:
+			return fmt.Errorf("unable to cast and assign value type: %T", src)
+		}
 	}
 
 	return nil

From 21ec93c4be48a3eaa6b5e339f5ee893fabdaa37c Mon Sep 17 00:00:00 2001
From: Wesley Miller <wmiller@specterops.io>
Date: Thu, 12 Dec 2024 16:47:11 -0500
Subject: [PATCH 04/11] BED-5065: Display better error messages when creating a
 new user (#1001)

* BED-5065: initial change

* BED-5065: adjust where error is being checked in db
Adjust where error is being checked on api

* BED-5065: Add error checking

* BED-5065: Make error text look better

* BED-5065: Add null checks to error

* BED-5065: Move error logic out of helper functions

* BED-5065: Add missing error checks

* BED-5065: Add field specific error to principal name
Move error check to useEffect

* BED-5065: Remove extraneous error type

Co-authored-by: mistahj67 <26472282+mistahj67@users.noreply.github.com>

---------

Co-authored-by: mistahj67 <26472282+mistahj67@users.noreply.github.com>
---
 cmd/api/src/api/error.go                      |  1 +
 cmd/api/src/api/v2/auth/auth.go               | 12 ++++++++--
 cmd/api/src/database/auth.go                  | 17 +++++++++++++-
 cmd/api/src/database/db.go                    |  5 +++--
 cmd/api/src/database/helper.go                |  3 ++-
 .../CreateUserForm/CreateUserForm.tsx         | 22 ++++++++++++++-----
 6 files changed, 48 insertions(+), 12 deletions(-)

diff --git a/cmd/api/src/api/error.go b/cmd/api/src/api/error.go
index 4827d1031a..92f763595f 100644
--- a/cmd/api/src/api/error.go
+++ b/cmd/api/src/api/error.go
@@ -66,6 +66,7 @@ const (
 	ErrorResponseAGNameTagEmpty                     = "asset group name or tag must not be empty"
 	ErrorResponseAGDuplicateName                    = "asset group name must be unique"
 	ErrorResponseAGDuplicateTag                     = "asset group tag must be unique"
+	ErrorResponseUserDuplicatePrincipal             = "principal name must be unique"
 	ErrorResponseDetailsUniqueViolation             = "unique constraint was violated"
 	ErrorResponseDetailsNotImplemented              = "All good things to those who wait. Not implemented."
 
diff --git a/cmd/api/src/api/v2/auth/auth.go b/cmd/api/src/api/v2/auth/auth.go
index b5073552ad..4bf96ec3b7 100644
--- a/cmd/api/src/api/v2/auth/auth.go
+++ b/cmd/api/src/api/v2/auth/auth.go
@@ -356,7 +356,11 @@ func (s ManagementResource) CreateUser(response http.ResponseWriter, request *ht
 		}
 
 		if newUser, err := s.db.CreateUser(request.Context(), userTemplate); err != nil {
-			api.HandleDatabaseError(request, response, err)
+			if errors.Is(err, database.ErrDuplicateUserPrincipal) {
+				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusConflict, api.ErrorResponseUserDuplicatePrincipal, request), response)
+			} else {
+				api.HandleDatabaseError(request, response, err)
+			}
 		} else {
 			api.WriteBasicResponse(request.Context(), newUser, http.StatusOK, response)
 		}
@@ -445,7 +449,11 @@ func (s ManagementResource) UpdateUser(response http.ResponseWriter, request *ht
 		}
 
 		if err := s.db.UpdateUser(request.Context(), user); err != nil {
-			api.HandleDatabaseError(request, response, err)
+			if errors.Is(err, database.ErrDuplicateUserPrincipal) {
+				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusConflict, api.ErrorResponseUserDuplicatePrincipal, request), response)
+			} else {
+				api.HandleDatabaseError(request, response, err)
+			}
 		} else {
 			response.WriteHeader(http.StatusOK)
 		}
diff --git a/cmd/api/src/database/auth.go b/cmd/api/src/database/auth.go
index 132114688a..8dc48ec748 100644
--- a/cmd/api/src/database/auth.go
+++ b/cmd/api/src/database/auth.go
@@ -264,7 +264,15 @@ func (s *BloodhoundDB) CreateUser(ctx context.Context, user model.User) (model.U
 		Model:  &updatedUser,
 	}
 	return updatedUser, s.AuditableTransaction(ctx, auditEntry, func(tx *gorm.DB) error {
-		return CheckError(tx.WithContext(ctx).Create(&updatedUser))
+		result := tx.WithContext(ctx).Create(&updatedUser)
+
+		if result.Error != nil {
+			if strings.Contains(result.Error.Error(), "duplicate key value violates unique constraint \"users_principal_name_key\"") {
+				return fmt.Errorf("%w: %v", ErrDuplicateUserPrincipal, tx.Error)
+			}
+		}
+
+		return CheckError(result)
 	})
 }
 
@@ -296,6 +304,13 @@ func (s *BloodhoundDB) UpdateUser(ctx context.Context, user model.User) error {
 		}
 
 		result := tx.WithContext(ctx).Save(&user)
+
+		if result.Error != nil {
+			if strings.Contains(result.Error.Error(), "duplicate key value violates unique constraint \"users_principal_name_key\"") {
+				return fmt.Errorf("%w: %v", ErrDuplicateUserPrincipal, tx.Error)
+			}
+		}
+
 		return CheckError(result)
 	})
 }
diff --git a/cmd/api/src/database/db.go b/cmd/api/src/database/db.go
index 19c792f2c5..b22813eddd 100644
--- a/cmd/api/src/database/db.go
+++ b/cmd/api/src/database/db.go
@@ -44,8 +44,9 @@ const (
 )
 
 var (
-	ErrDuplicateAGName = errors.New("duplicate asset group name")
-	ErrDuplicateAGTag  = errors.New("duplicate asset group tag")
+	ErrDuplicateAGName        = errors.New("duplicate asset group name")
+	ErrDuplicateAGTag         = errors.New("duplicate asset group tag")
+	ErrDuplicateUserPrincipal = errors.New("duplicate user principal name")
 )
 
 func IsUnexpectedDatabaseError(err error) bool {
diff --git a/cmd/api/src/database/helper.go b/cmd/api/src/database/helper.go
index fd361a075d..263bb27c68 100644
--- a/cmd/api/src/database/helper.go
+++ b/cmd/api/src/database/helper.go
@@ -17,8 +17,9 @@
 package database
 
 import (
+	"errors"
+
 	"github.com/gofrs/uuid"
-	"github.com/specterops/bloodhound/errors"
 	"gorm.io/gorm"
 )
 
diff --git a/packages/javascript/bh-shared-ui/src/components/CreateUserForm/CreateUserForm.tsx b/packages/javascript/bh-shared-ui/src/components/CreateUserForm/CreateUserForm.tsx
index 5557c6ce66..bbb5084917 100644
--- a/packages/javascript/bh-shared-ui/src/components/CreateUserForm/CreateUserForm.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/CreateUserForm/CreateUserForm.tsx
@@ -16,6 +16,7 @@
 
 import { Button } from '@bloodhoundenterprise/doodleui';
 import {
+    Alert,
     Checkbox,
     DialogActions,
     DialogContent,
@@ -48,6 +49,7 @@ const CreateUserForm: React.FC<{
         handleSubmit,
         setValue,
         formState: { errors },
+        setError,
     } = useForm<CreateUserRequestForm>({
         defaultValues: {
             emailAddress: '',
@@ -67,7 +69,15 @@ const CreateUserForm: React.FC<{
         if (authenticationMethod === 'password') {
             setValue('SSOProviderId', undefined);
         }
-    }, [authenticationMethod, setValue]);
+
+        if (error) {
+            if (error.response?.data?.errors[0]?.message == 'principal name must be unique') {
+                setError('principal', { type: 'custom', message: 'Principal name is already in use.' });
+            } else {
+                setError('generic', { type: 'custom', message: 'An unexpected error occurred. Please try again.' });
+            }
+        }
+    }, [authenticationMethod, setValue, error, setError]);
 
     const getRolesQuery = useQuery(['getRoles'], ({ signal }) =>
         apiClient.getRoles({ signal }).then((res) => res.data?.data?.roles)
@@ -335,14 +345,14 @@ const CreateUserForm: React.FC<{
                                     )}
                                 />
                             </Grid>
+                            {!!errors.generic && (
+                                <Grid item xs={12}>
+                                    <Alert severity='error'>{errors.generic.message}</Alert>
+                                </Grid>
+                            )}
                         </Grid>
                     </DialogContent>
                     <DialogActions>
-                        {error && (
-                            <FormHelperText error style={{ margin: 0 }}>
-                                An unexpected error occurred. Please try again.
-                            </FormHelperText>
-                        )}
                         <Button
                             type='button'
                             variant={'tertiary'}

From 6f725b0903f379b6e613b13072f1a65a8baf37ca Mon Sep 17 00:00:00 2001
From: Wesley Miller <wmiller@specterops.io>
Date: Thu, 12 Dec 2024 17:20:05 -0500
Subject: [PATCH 05/11] BED-5172: Update crypto version (#1013)

---
 cmd/api/src/go.mod           |  8 +++---
 cmd/api/src/go.sum           | 16 +++++------
 packages/go/bomenc/go.mod    |  2 +-
 packages/go/bomenc/go.sum    |  2 +-
 packages/go/crypto/go.mod    |  4 +--
 packages/go/crypto/go.sum    | 40 +++++++++++++++++++++++++--
 packages/go/cypher/go.mod    |  4 +--
 packages/go/cypher/go.sum    | 53 ++++++++++++++++++++++++++++++++++--
 packages/go/dawgs/go.mod     |  8 +++---
 packages/go/dawgs/go.sum     | 16 +++++------
 packages/go/log/go.mod       |  2 +-
 packages/go/log/go.sum       |  2 +-
 packages/go/schemagen/go.mod |  2 +-
 packages/go/schemagen/go.sum |  2 +-
 packages/go/stbernard/go.mod |  2 +-
 packages/go/stbernard/go.sum |  2 +-
 16 files changed, 125 insertions(+), 40 deletions(-)

diff --git a/cmd/api/src/go.mod b/cmd/api/src/go.mod
index ff892ec33c..51e2dbfeea 100644
--- a/cmd/api/src/go.mod
+++ b/cmd/api/src/go.mod
@@ -74,10 +74,10 @@ require (
 	github.com/prometheus/common v0.44.0 // indirect
 	github.com/prometheus/procfs v0.11.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
-	golang.org/x/crypto v0.27.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/cmd/api/src/go.sum b/cmd/api/src/go.sum
index 6f99642472..9161780858 100644
--- a/cmd/api/src/go.sum
+++ b/cmd/api/src/go.sum
@@ -135,8 +135,8 @@ go.uber.org/mock v0.2.0 h1:TaP3xedm7JaAgScZO7tlvlKrqT0p7I6OsdGB5YNSMDU=
 go.uber.org/mock v0.2.0/go.mod h1:J0y0rp9L3xiff1+ZBfKxlC1fz2+aO16tw0tsDOixfuM=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -146,21 +146,21 @@ golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/packages/go/bomenc/go.mod b/packages/go/bomenc/go.mod
index c1e8ebf7bd..6f7fe1a8eb 100644
--- a/packages/go/bomenc/go.mod
+++ b/packages/go/bomenc/go.mod
@@ -20,7 +20,7 @@ go 1.23
 
 require (
 	github.com/stretchr/testify v1.9.0
-	golang.org/x/text v0.18.0
+	golang.org/x/text v0.21.0
 )
 
 require (
diff --git a/packages/go/bomenc/go.sum b/packages/go/bomenc/go.sum
index 3e84498e0a..7fcaa2c601 100644
--- a/packages/go/bomenc/go.sum
+++ b/packages/go/bomenc/go.sum
@@ -7,7 +7,7 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/packages/go/crypto/go.mod b/packages/go/crypto/go.mod
index ff03e14748..61063b295d 100644
--- a/packages/go/crypto/go.mod
+++ b/packages/go/crypto/go.mod
@@ -21,7 +21,7 @@ go 1.23
 require (
 	github.com/shirou/gopsutil/v3 v3.23.5
 	go.uber.org/mock v0.2.0
-	golang.org/x/crypto v0.27.0
+	golang.org/x/crypto v0.31.0
 )
 
 require (
@@ -33,5 +33,5 @@ require (
 	github.com/tklauser/go-sysconf v0.3.11 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
-	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 )
diff --git a/packages/go/crypto/go.sum b/packages/go/crypto/go.sum
index dc2f5e9e19..dd1ce8732d 100644
--- a/packages/go/crypto/go.sum
+++ b/packages/go/crypto/go.sum
@@ -1,15 +1,51 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
+github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
 github.com/lufia/plan9stats v0.0.0-20230326075908-cb1d2100619a h1:N9zuLhTvBSRt0gWSiJswwQ2HqDmtX/ZCDJURnKUt1Ik=
+github.com/lufia/plan9stats v0.0.0-20230326075908-cb1d2100619a/go.mod h1:JKx41uQRwqlTZabZc+kILPrO/3jlKnQ2Z8b7YiVw5cE=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b h1:0LFwY6Q3gMACTjAbMZBjXAqTOzOwFaj2Ld6cjeQ7Rig=
+github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/shirou/gopsutil/v3 v3.23.5 h1:5SgDCeQ0KW0S4N0znjeM/eFHXXOKyv2dVNgRq/c9P6Y=
+github.com/shirou/gopsutil/v3 v3.23.5/go.mod h1:Ng3Maa27Q2KARVJ0SPZF5NdrQSC3XHKP8IIWrHgMeLY=
+github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
+github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=
+github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI=
+github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4=
 github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
+github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
 github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
+github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 go.uber.org/mock v0.2.0 h1:TaP3xedm7JaAgScZO7tlvlKrqT0p7I6OsdGB5YNSMDU=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+go.uber.org/mock v0.2.0/go.mod h1:J0y0rp9L3xiff1+ZBfKxlC1fz2+aO16tw0tsDOixfuM=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/packages/go/cypher/go.mod b/packages/go/cypher/go.mod
index e4f805dd35..346cf73bec 100644
--- a/packages/go/cypher/go.mod
+++ b/packages/go/cypher/go.mod
@@ -40,10 +40,10 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.10.0 // indirect
-	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
 	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/cypher/go.sum b/packages/go/cypher/go.sum
index a1c6e3f20f..605bc2827f 100644
--- a/packages/go/cypher/go.sum
+++ b/packages/go/cypher/go.sum
@@ -1,10 +1,12 @@
 cuelang.org/go v0.5.0 h1:D6N0UgTGJCOxFKU8RU+qYvavKNsVc/+ZobmifStVJzU=
+cuelang.org/go v0.5.0/go.mod h1:okjJBHFQFer+a41sAe2SaGm1glWS8oEb6CmJvn5Zdws=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/cockroachdb/apd/v2 v2.0.2 h1:weh8u7Cneje73dDh+2tEVLUvyBc89iwepWCD8b8034E=
+github.com/cockroachdb/apd/v2 v2.0.2/go.mod h1:DDxRlzC2lo3/vSlmSoS7JkqbbrARPuFOGr0B9pvN3Gw=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
@@ -18,9 +20,12 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
+github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jackc/chunkreader v1.0.0 h1:4s39bBR8ByfqH+DKm8rQA3E1LHZWB9XWcrz8fqaZbe0=
 github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo=
 github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
@@ -54,21 +59,25 @@ github.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwX
 github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
 github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01CGwFsrv11mJRHWJ6aifDLfdV3aVjFF0zg=
 github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
 github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
 github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
 github.com/jackc/pgtype v1.14.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
 github.com/jackc/pgtype v1.14.4 h1:fKuNiCumbKTAIxQwXfB/nsrnkEI6bPJrrSiMKgbJ2j8=
+github.com/jackc/pgtype v1.14.4/go.mod h1:aKeozOde08iifGosdJpz9MBZonJOUJxqNpPBcMJTlVA=
 github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
 github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
 github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
 github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
+github.com/jackc/pgx/v4 v4.18.2/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
 github.com/jackc/pgx/v4 v4.18.3 h1:dE2/TrEsGX3RBprb3qryqSV9Y60iZN1C6i8IrmW9/BA=
 github.com/jackc/pgx/v4 v4.18.3/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
 github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -94,9 +103,12 @@ github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de h1:D5x39vF5KCwKQaw+OC9ZPiLVHXz3UFw2+psEX+gYcto=
+github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de/go.mod h1:kJun4WP5gFuHZgRjZUWWuH1DTxCtxbHDOIJsudS8jzY=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20220428173112-74888fd59c2b h1:zd/2RNzIRkoGGMjE+YIsZ85CnDIz672JK2F3Zl4vux4=
@@ -115,12 +127,19 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -142,19 +161,32 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc h1:mCRnTeVUjcrhlRmO0VK8a6k6Rrf6TF9htwo2pJVSjIU=
 golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -167,14 +199,28 @@ golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
@@ -182,7 +228,10 @@ golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/packages/go/dawgs/go.mod b/packages/go/dawgs/go.mod
index 95eb4da381..13da6db949 100644
--- a/packages/go/dawgs/go.mod
+++ b/packages/go/dawgs/go.mod
@@ -46,11 +46,11 @@ require (
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rs/zerolog v1.29.1 // indirect
-	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
diff --git a/packages/go/dawgs/go.sum b/packages/go/dawgs/go.sum
index 21a57bd44f..107f082462 100644
--- a/packages/go/dawgs/go.sum
+++ b/packages/go/dawgs/go.sum
@@ -177,8 +177,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc h1:mCRnTeVUjcrhlRmO0VK8a6k6Rrf6TF9htwo2pJVSjIU=
 golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -198,8 +198,8 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -221,8 +221,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -238,8 +238,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
diff --git a/packages/go/log/go.mod b/packages/go/log/go.mod
index 14bf323275..e3d1d6b2b0 100644
--- a/packages/go/log/go.mod
+++ b/packages/go/log/go.mod
@@ -26,5 +26,5 @@ require (
 require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
-	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 )
diff --git a/packages/go/log/go.sum b/packages/go/log/go.sum
index e8d621962c..e1c34020d9 100644
--- a/packages/go/log/go.sum
+++ b/packages/go/log/go.sum
@@ -17,4 +17,4 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
diff --git a/packages/go/schemagen/go.mod b/packages/go/schemagen/go.mod
index 808eca5c05..4ee5d53d4c 100644
--- a/packages/go/schemagen/go.mod
+++ b/packages/go/schemagen/go.mod
@@ -38,7 +38,7 @@ require (
 	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
 	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/schemagen/go.sum b/packages/go/schemagen/go.sum
index 5121091e77..df58c700f5 100644
--- a/packages/go/schemagen/go.sum
+++ b/packages/go/schemagen/go.sum
@@ -43,7 +43,7 @@ github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjR
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/packages/go/stbernard/go.mod b/packages/go/stbernard/go.mod
index 114394a3f0..efdbf8a014 100644
--- a/packages/go/stbernard/go.mod
+++ b/packages/go/stbernard/go.mod
@@ -34,7 +34,7 @@ require (
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rs/zerolog v1.29.1 // indirect
-	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/stbernard/go.sum b/packages/go/stbernard/go.sum
index aa0d158c16..f836146a7a 100644
--- a/packages/go/stbernard/go.sum
+++ b/packages/go/stbernard/go.sum
@@ -31,7 +31,7 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

From d7025fff7c3df73633e9d384c124027305ecface Mon Sep 17 00:00:00 2001
From: Justin Wu <93353412+iustinum@users.noreply.github.com>
Date: Fri, 13 Dec 2024 12:03:57 -0800
Subject: [PATCH 06/11] BED-4624: Single commit for PR (#1003)

---
 cmd/api/src/api/v2/auth/oidc.go               | 50 ++++++++++++++-----
 cmd/api/src/api/v2/auth/saml.go               | 36 +++++++++----
 cmd/api/src/api/v2/auth/sso.go                | 16 ++++++
 .../harnesses/enrollonbehalfof-3.svg          |  2 +-
 4 files changed, 80 insertions(+), 24 deletions(-)

diff --git a/cmd/api/src/api/v2/auth/oidc.go b/cmd/api/src/api/v2/auth/oidc.go
index 76bd695ccd..21729a3ea8 100644
--- a/cmd/api/src/api/v2/auth/oidc.go
+++ b/cmd/api/src/api/v2/auth/oidc.go
@@ -21,6 +21,8 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/specterops/bloodhound/log"
+
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/specterops/bloodhound/headers"
 	"github.com/specterops/bloodhound/src/api"
@@ -96,11 +98,17 @@ func getRedirectURL(request *http.Request, provider model.SSOProvider) string {
 
 func (s ManagementResource) OIDCLoginHandler(response http.ResponseWriter, request *http.Request, ssoProvider model.SSOProvider) {
 	if ssoProvider.OIDCProvider == nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusNotFound, api.ErrorResponseDetailsResourceNotFound, request), response)
+		// SSO misconfiguration scenario
+		redirectToLoginPage(response, request, "Your SSO Connection failed, please contact your Administrator")
 	} else if state, err := config.GenerateRandomBase64String(77); err != nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, api.ErrorResponseDetailsInternalServerError, request), response)
+		log.Errorf("[OIDC] Failed to generate state: %v", err)
+		// Technical issues scenario
+		redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 	} else if provider, err := oidc.NewProvider(request.Context(), ssoProvider.OIDCProvider.Issuer); err != nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, err.Error(), request), response)
+		log.Errorf("[OIDC] Failed to create OIDC provider: %v", err)
+		// SSO misconfiguration or technical issue
+		// Treat this as a misconfiguration scenario
+		redirectToLoginPage(response, request, "Your SSO Connection failed, please contact your Administrator")
 	} else {
 		conf := &oauth2.Config{
 			ClientID:    ssoProvider.OIDCProvider.ClientID,
@@ -135,17 +143,25 @@ func (s ManagementResource) OIDCCallbackHandler(response http.ResponseWriter, re
 	)
 
 	if ssoProvider.OIDCProvider == nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusNotFound, api.ErrorResponseDetailsResourceNotFound, request), response)
+		// SSO misconfiguration scenario
+		redirectToLoginPage(response, request, "Your SSO Connection failed, please contact your Administrator")
 	} else if len(code) == 0 {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "missing code", request), response)
+		// Missing authorization code implies a credentials or form issue
+		// Not explicitly covered, treat as technical issue
+		redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 	} else if pkceVerifier, err := request.Cookie(api.AuthPKCECookieName); err != nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "missing pkce verifier", request), response)
+		// Missing PKCE verifier - likely a technical or config issue
+		redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 	} else if len(state) == 0 {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "missing state", request), response)
+		// Missing state parameter - treat as technical issue
+		redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 	} else if stateCookie, err := request.Cookie(api.AuthStateCookieName); err != nil || stateCookie.Value != state[0] {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "bad state", request), response)
+		// Invalid state - treat as technical issue or misconfiguration
+		redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 	} else if provider, err := oidc.NewProvider(request.Context(), ssoProvider.OIDCProvider.Issuer); err != nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, err.Error(), request), response)
+		log.Errorf("[OIDC] Failed to create OIDC provider: %v", err)
+		// SSO misconfiguration scenario
+		redirectToLoginPage(response, request, "Your SSO Connection failed, please contact your Administrator")
 	} else {
 		var (
 			oidcVerifier = provider.Verifier(&oidc.Config{ClientID: ssoProvider.OIDCProvider.ClientID})
@@ -157,11 +173,16 @@ func (s ManagementResource) OIDCCallbackHandler(response http.ResponseWriter, re
 		)
 
 		if token, err := oauth2Conf.Exchange(request.Context(), code[0], oauth2.VerifierOption(pkceVerifier.Value)); err != nil {
-			api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusForbidden, api.ErrorResponseDetailsForbidden, request), response)
+			log.Errorf("[OIDC] Token exchange failed: %v", err)
+			// SAML credentials issue equivalent for OIDC authentication
+			redirectToLoginPage(response, request, "Your SSO was unable to authenticate your user, please contact your Administrator")
 		} else if rawIDToken, ok := token.Extra("id_token").(string); !ok { // Extract the ID Token from OAuth2 token
-			api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "missing id token", request), response)
+			// Missing ID token - credentials issue
+			redirectToLoginPage(response, request, "Your SSO was unable to authenticate your user, please contact your Administrator")
 		} else if idToken, err := oidcVerifier.Verify(request.Context(), rawIDToken); err != nil {
-			api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "invalid id token", request), response)
+			log.Errorf("[OIDC] ID token verification failed: %v", err)
+			// Credentials issue scenario
+			redirectToLoginPage(response, request, "Your SSO was unable to authenticate your user, please contact your Administrator")
 		} else {
 			// Extract custom claims
 			var claims struct {
@@ -172,7 +193,10 @@ func (s ManagementResource) OIDCCallbackHandler(response http.ResponseWriter, re
 				Verified    bool   `json:"email_verified"`
 			}
 			if err := idToken.Claims(&claims); err != nil {
-				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, err.Error(), request), response)
+				log.Errorf("[OIDC] Failed to parse claims: %v", err)
+				// Technical or credentials issue
+				// Not explicitly covered; treat as a technical issue
+				redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 			} else {
 				s.authenticator.CreateSSOSession(request, response, claims.Email, ssoProvider)
 			}
diff --git a/cmd/api/src/api/v2/auth/saml.go b/cmd/api/src/api/v2/auth/saml.go
index 41827e3f6c..736f4590b6 100644
--- a/cmd/api/src/api/v2/auth/saml.go
+++ b/cmd/api/src/api/v2/auth/saml.go
@@ -302,9 +302,13 @@ func (s ManagementResource) ServeSigningCertificate(response http.ResponseWriter
 // HandleStartAuthFlow is called to start the SAML authentication process.
 func (s ManagementResource) SAMLLoginHandler(response http.ResponseWriter, request *http.Request, ssoProvider model.SSOProvider) {
 	if ssoProvider.SAMLProvider == nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusNotFound, api.ErrorResponseDetailsResourceNotFound, request), response)
+		// SAML misconfiguration scenario
+		redirectToLoginPage(response, request, "Your SSO Connection failed, please contact your Administrator")
+
 	} else if serviceProvider, err := auth.NewServiceProvider(*ctx.Get(request.Context()).Host, s.config, *ssoProvider.SAMLProvider); err != nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, err.Error(), request), response)
+		log.Errorf("[SAML] Service provider creation failed: %v", err)
+		// Technical issues scenario
+		redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 	} else {
 		var (
 			binding         = saml.HTTPRedirectBinding
@@ -318,13 +322,16 @@ func (s ManagementResource) SAMLLoginHandler(response http.ResponseWriter, reque
 		// TODO: add actual relay state support - BED-5071
 		if authReq, err := serviceProvider.MakeAuthenticationRequest(bindingLocation, binding, saml.HTTPPostBinding); err != nil {
 			log.Errorf("[SAML] Failed creating SAML authentication request: %v", err)
-			api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, api.ErrorResponseDetailsInternalServerError, request), response)
+			// SAML misconfiguration or technical issue
+			// Since this likely indicates a configuration problem, we treat it as a misconfiguration scenario
+			redirectToLoginPage(response, request, "Your SSO Connection failed, please contact your Administrator")
 		} else {
 			switch binding {
 			case saml.HTTPRedirectBinding:
 				if redirectURL, err := authReq.Redirect("", &serviceProvider); err != nil {
 					log.Errorf("[SAML] Failed to format a redirect for SAML provider %s: %v", serviceProvider.EntityID, err)
-					api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, api.ErrorResponseDetailsInternalServerError, request), response)
+					// Likely a technical or configuration issue
+					redirectToLoginPage(response, request, "Your SSO Connection failed, please contact your Administrator")
 				} else {
 					response.Header().Add(headers.Location.String(), redirectURL.String())
 					response.WriteHeader(http.StatusFound)
@@ -337,11 +344,14 @@ func (s ManagementResource) SAMLLoginHandler(response http.ResponseWriter, reque
 
 				if _, err := response.Write([]byte(fmt.Sprintf(authInitiationContentBodyFormat, authReq.Post("")))); err != nil {
 					log.Errorf("[SAML] Failed to write response with HTTP POST binding: %v", err)
+					// Technical issues scenario
+					redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 				}
 
 			default:
 				log.Errorf("[SAML] Unhandled binding type %s", binding)
-				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, api.ErrorResponseDetailsInternalServerError, request), response)
+				// Treating unknown binding as a misconfiguration
+				redirectToLoginPage(response, request, "Your SSO Connection failed, please contact your Administrator")
 			}
 		}
 	}
@@ -350,13 +360,17 @@ func (s ManagementResource) SAMLLoginHandler(response http.ResponseWriter, reque
 // HandleStartAuthFlow is called to start the SAML authentication process.
 func (s ManagementResource) SAMLCallbackHandler(response http.ResponseWriter, request *http.Request, ssoProvider model.SSOProvider) {
 	if ssoProvider.SAMLProvider == nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusNotFound, api.ErrorResponseDetailsResourceNotFound, request), response)
+		// SAML misconfiguration
+		redirectToLoginPage(response, request, "Your SSO Connection failed, please contact your Administrator")
 	} else if serviceProvider, err := auth.NewServiceProvider(*ctx.Get(request.Context()).Host, s.config, *ssoProvider.SAMLProvider); err != nil {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, err.Error(), request), response)
+		log.Errorf("[SAML] Service provider creation failed: %v", err)
+		redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 	} else {
 		if err := request.ParseForm(); err != nil {
 			log.Errorf("[SAML] Failed to parse form POST: %v", err)
-			api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "form POST is malformed", request), response)
+			// Technical issues or invalid form data
+			// This is not covered by acceptance criteria directly; treat as technical issue
+			redirectToLoginPage(response, request, "We’re having trouble connecting. Please check your internet and try again.")
 		} else {
 			if assertion, err := serviceProvider.ParseResponse(request, nil); err != nil {
 				var typedErr *saml.InvalidResponseError
@@ -366,10 +380,12 @@ func (s ManagementResource) SAMLCallbackHandler(response http.ResponseWriter, re
 				default:
 					log.Errorf("[SAML] Failed to parse ACS response for provider %s: %v", ssoProvider.SAMLProvider.IssuerURI, err)
 				}
-				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusUnauthorized, api.ErrorResponseDetailsAuthenticationInvalid, request), response)
+				// SAML credentials issue scenario (authentication failed)
+				redirectToLoginPage(response, request, "Your SSO was unable to authenticate your user, please contact your Administrator")
 			} else if principalName, err := ssoProvider.SAMLProvider.GetSAMLUserPrincipalNameFromAssertion(assertion); err != nil {
 				log.Errorf("[SAML] Failed to lookup user for SAML provider %s: %v", ssoProvider.Name, err)
-				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "session assertion does not meet the requirements for user lookup", request), response)
+				// SAML credentials issue scenario again
+				redirectToLoginPage(response, request, "Your SSO was unable to authenticate your user, please contact your Administrator")
 			} else {
 				s.authenticator.CreateSSOSession(request, response, principalName, ssoProvider)
 			}
diff --git a/cmd/api/src/api/v2/auth/sso.go b/cmd/api/src/api/v2/auth/sso.go
index a31efcfe92..ead4542865 100644
--- a/cmd/api/src/api/v2/auth/sso.go
+++ b/cmd/api/src/api/v2/auth/sso.go
@@ -23,6 +23,8 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/specterops/bloodhound/headers"
+
 	"github.com/gorilla/mux"
 	"github.com/specterops/bloodhound/src/api"
 	"github.com/specterops/bloodhound/src/auth"
@@ -228,3 +230,17 @@ func (s ManagementResource) SSOCallbackHandler(response http.ResponseWriter, req
 		}
 	}
 }
+
+func redirectToLoginPage(response http.ResponseWriter, request *http.Request, errorMessage string) {
+	hostURL := *ctx.FromRequest(request).Host
+	redirectURL := api.URLJoinPath(hostURL, api.UserInterfacePath)
+
+	// Optionally, include the error message as a query parameter or in session storage
+	query := redirectURL.Query()
+	query.Set("error", errorMessage)
+	redirectURL.RawQuery = query.Encode()
+
+	// Redirect to the login page
+	response.Header().Add(headers.Location.String(), redirectURL.String())
+	response.WriteHeader(http.StatusFound)
+}
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg
index d7192c6074..e93ece036f 100644
--- a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="1057" height="896" viewBox="0 0 1057 896"><defs><style type="text/css"/></defs><g transform="translate(326.6622528543699 4) scale(1)"><g class="relationship"><g transform="translate(433.6313891898351 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(-44.95912785436991 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 394.7283664264567 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(419.590517044205 0) rotate(0)" stroke="none"/></g><g transform="translate(181.90505535885845 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(194.3361306677326 557.3609078601627) rotate(-43.78861262620303)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 247.61865829661255 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(272.48080891436086 0) rotate(0)" stroke="none"/></g><g transform="translate(305.009794318264 451.27089618105714) rotate(-43.78861262620303) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(675.9551990267428 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(675.9551990267428 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(-44.95912785436991 327.97628342478527) rotate(43.78861262620303)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 247.61865829661255 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(272.48080891436086 0) rotate(0)" stroke="none"/></g><g transform="translate(65.71453579616153 434.0662951038908) rotate(43.78861262620303) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 796.6561663822652) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 212.28261323598704 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(237.14476385373536 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 661.0148597642717) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 500.5114025285298) rotate(-35.45095495632252)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 213.6091860485213 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(238.47133666626962 0) rotate(0)" stroke="none"/></g><g transform="translate(544.6667872556458 421.45393952928924) rotate(-35.45095495632252) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(194.3361306677326 557.3609078601627) rotate(90)" stroke-width="5" stroke="#68ccca"><path d="M 58.695178092152055 -5.989663490593892 L 95.96898050729241 -9.793341079425122 A 40 40 0 0 1 100.0297693144747 -10 L 118 -10 L 226 -10 A 10 10 0 0 1 236 -1.7763568394002505e-15 L 236 0 L 236 1.7763568394002505e-15 A 10 10 0 0 1 226 10 L 118 10 L 100.0297693144747 10 A 40 40 0 0 0 95.96898050729241 9.793341079425122 L 83.42887907965451 8.513662064369711 L 83.42887907965451 8.513662064369711"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="rotate(185.8266894420084) translate(-59 0)" stroke="none"/></g><g transform="translate(194.3361306677326 783.3609078601627) rotate(360) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="50" r="52"/></g><g transform="translate(675.9551990267428 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="-44.95912785436991" cy="327.97628342478527" r="52"/></g><g transform="translate(-44.95912785436991 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-1</text></g></g></g><g transform="translate(-56 -19.199999999999992)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="50" r="52"/></g><g transform="translate(433.6313891898351 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="327.97628342478527" r="52"/></g><g transform="translate(433.6313891898351 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="194.3361306677326" cy="557.3609078601627" r="52"/></g><g transform="translate(194.3361306677326 557.3609078601627)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-2</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-112.8515625 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="796.6561663822652" r="52"/></g><g transform="translate(433.6313891898351 796.6561663822652)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-3</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-112.8515625 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="327.97628342478527" r="52"/></g><g transform="translate(675.9551990267428 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="500.5114025285298" r="52"/></g><g transform="translate(433.6313891898351 500.5114025285298)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA2</text></g></g></g></g></g></g></svg>
\ No newline at end of file
+<svg xmlns="http://www.w3.org/2000/svg" width="1057" height="896" viewBox="0 0 1057 896"><defs><style type="text/css"/></defs><g transform="translate(326.6622528543699 4) scale(1)"><g class="relationship"><g transform="translate(433.6313891898351 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(-44.95912785436991 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 394.7283664264567 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(419.590517044205 0) rotate(0)" stroke="none"/></g><g transform="translate(181.90505535885845 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(194.3361306677326 557.3609078601627) rotate(-43.78861262620303)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 247.61865829661255 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(272.48080891436086 0) rotate(0)" stroke="none"/></g><g transform="translate(305.009794318264 451.27089618105714) rotate(-43.78861262620303) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(675.9551990267428 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(675.9551990267428 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(-44.95912785436991 327.97628342478527) rotate(43.78861262620303)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 247.61865829661255 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(272.48080891436086 0) rotate(0)" stroke="none"/></g><g transform="translate(65.71453579616153 434.0662951038908) rotate(43.78861262620303) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 796.6561663822652) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 212.28261323598704 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(237.14476385373536 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 661.0148597642717) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 500.5114025285298) rotate(-35.45095495632252)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 213.6091860485213 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(238.47133666626962 0) rotate(0)" stroke="none"/></g><g transform="translate(544.6667872556458 421.45393952928924) rotate(-35.45095495632252) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(194.3361306677326 557.3609078601627) rotate(90)" stroke-width="5" stroke="#68ccca"><path d="M 58.695178092152055 -5.989663490593892 L 95.96898050729241 -9.793341079425122 A 40 40 0 0 1 100.0297693144747 -10 L 118 -10 L 226 -10 A 10 10 0 0 1 236 -1.7763568394002505e-15 L 236 0 L 236 1.7763568394002505e-15 A 10 10 0 0 1 226 10 L 118 10 L 100.0297693144747 10 A 40 40 0 0 0 95.96898050729241 9.793341079425122 L 83.42887907965451 8.513662064369711 L 83.42887907965451 8.513662064369711"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="rotate(185.8266894420084) translate(-59 0)" stroke="none"/></g><g transform="translate(194.3361306677326 783.3609078601627) rotate(360) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="50" r="52"/></g><g transform="translate(675.9551990267428 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="-44.95912785436991" cy="327.97628342478527" r="52"/></g><g transform="translate(-44.95912785436991 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-1</text></g></g></g><g transform="translate(-56 -19.199999999999992)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="50" r="52"/></g><g transform="translate(433.6313891898351 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="327.97628342478527" r="52"/></g><g transform="translate(433.6313891898351 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="194.3361306677326" cy="557.3609078601627" r="52"/></g><g transform="translate(194.3361306677326 557.3609078601627)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-2</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-112.8515625 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="796.6561663822652" r="52"/></g><g transform="translate(433.6313891898351 796.6561663822652)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-3</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-112.8515625 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="327.97628342478527" r="52"/></g><g transform="translate(675.9551990267428 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="500.5114025285298" r="52"/></g><g transform="translate(433.6313891898351 500.5114025285298)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA2</text></g></g></g></g></g></g></svg>

From c9bb3523ab7f7c99eef326b7ba690103358e729b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20B=C3=BClow=20Knudsen?=
 <12843299+JonasBK@users.noreply.github.com>
Date: Tue, 17 Dec 2024 17:15:52 +0100
Subject: [PATCH 07/11] update default tier zero (#1022)

---
 packages/go/analysis/ad/ad.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/packages/go/analysis/ad/ad.go b/packages/go/analysis/ad/ad.go
index adebd73c16..9baf5d72be 100644
--- a/packages/go/analysis/ad/ad.go
+++ b/packages/go/analysis/ad/ad.go
@@ -53,8 +53,6 @@ const (
 	EnterpriseKeyAdminsGroupSIDSuffix         = "-527"
 	AdministratorsGroupSIDSuffix              = "-544"
 	BackupOperatorsGroupSIDSuffix             = "-551"
-	PerformanceLogUsersSIDSuffix              = "-559"
-	DCOMUsersSIDSuffix                        = "-562"
 	AuthenticatedUsersSuffix                  = "-S-1-5-11"
 	EveryoneSuffix                            = "-S-1-1-0"
 	AdminSDHolderDNPrefix                     = "CN=ADMINSDHOLDER,CN=SYSTEM,"
@@ -73,8 +71,6 @@ func TierZeroWellKnownSIDSuffixes() []string {
 		EnterpriseKeyAdminsGroupSIDSuffix,
 		BackupOperatorsGroupSIDSuffix,
 		AdministratorsGroupSIDSuffix,
-		DCOMUsersSIDSuffix,
-		PerformanceLogUsersSIDSuffix,
 	}
 }
 

From 60ef1fd703e02f2273ee0cef035e9dc6fc6354e3 Mon Sep 17 00:00:00 2001
From: Reuben Lifshay <rlifshay@specterops.io>
Date: Thu, 19 Dec 2024 10:04:56 -0800
Subject: [PATCH 08/11] BED-4841: fix: fall back to ObjectID when DomainSID is
 missing while loading foreign members (#1029)

* fix: fall back to ObjectID when DomainSID is missing while loading foreign members

* chore: split out DomainSID retrival code into getNodeDomainSIDOrObjectID
---
 packages/go/analysis/ad/queries.go | 46 ++++++++++++++++++------------
 1 file changed, 28 insertions(+), 18 deletions(-)

diff --git a/packages/go/analysis/ad/queries.go b/packages/go/analysis/ad/queries.go
index edcfb01225..6b0c2797d6 100644
--- a/packages/go/analysis/ad/queries.go
+++ b/packages/go/analysis/ad/queries.go
@@ -653,7 +653,7 @@ func FetchDCSyncerPaths(tx graph.Transaction, node *graph.Node) (graph.PathSet,
 }
 
 func FetchForeignGPOControllers(tx graph.Transaction, node *graph.Node, skip, limit int) (graph.NodeSet, error) {
-	if domainSID, err := node.Properties.Get(ad.DomainSID.String()).String(); err != nil {
+	if domainSID, err := getNodeDomainSIDOrObjectID(node); err != nil {
 		return nil, err
 	} else if gpoIDs, err := ops.FetchNodeIDs(tx.Nodes().Filterf(func() graph.Criteria {
 		return query.And(
@@ -707,7 +707,7 @@ func FetchForeignGPOControllers(tx graph.Transaction, node *graph.Node, skip, li
 }
 
 func FetchForeignGPOControllerPaths(tx graph.Transaction, node *graph.Node) (graph.PathSet, error) {
-	if domainSID, err := node.Properties.Get(ad.DomainSID.String()).String(); err != nil {
+	if domainSID, err := getNodeDomainSIDOrObjectID(node); err != nil {
 		return nil, err
 	} else if gpoIDs, err := ops.FetchNodeIDs(tx.Nodes().Filterf(func() graph.Criteria {
 		return query.And(
@@ -760,15 +760,15 @@ func FetchForeignGPOControllerPaths(tx graph.Transaction, node *graph.Node) (gra
 }
 
 func FetchForeignAdmins(tx graph.Transaction, node *graph.Node, skip, limit int) (graph.NodeSet, error) {
-	if domainSid, err := node.Properties.Get(ad.DomainSID.String()).String(); err != nil {
+	if domainSID, err := getNodeDomainSIDOrObjectID(node); err != nil {
 		return nil, err
 	} else {
 		if directAdmins, err := ops.FetchStartNodes(tx.Relationships().Filterf(func() graph.Criteria {
 			return query.And(
 				query.Kind(query.End(), ad.Computer),
 				query.Kind(query.Relationship(), ad.AdminTo),
-				query.Equals(query.EndProperty(ad.DomainSID.String()), domainSid),
-				query.Not(query.Equals(query.StartProperty(ad.DomainSID.String()), domainSid)),
+				query.Equals(query.EndProperty(ad.DomainSID.String()), domainSID),
+				query.Not(query.Equals(query.StartProperty(ad.DomainSID.String()), domainSID)),
 			)
 		})); err != nil {
 			return nil, err
@@ -776,7 +776,7 @@ func FetchForeignAdmins(tx graph.Transaction, node *graph.Node, skip, limit int)
 			return query.And(
 				query.Kind(query.Start(), ad.Group),
 				query.Kind(query.Relationship(), ad.AdminTo),
-				query.Equals(query.EndProperty(ad.DomainSID.String()), domainSid),
+				query.Equals(query.EndProperty(ad.DomainSID.String()), domainSID),
 				query.Kind(query.End(), ad.Computer),
 			)
 		})); err != nil {
@@ -791,7 +791,7 @@ func FetchForeignAdmins(tx graph.Transaction, node *graph.Node, skip, limit int)
 					BranchQuery: func() graph.Criteria {
 						return query.Or(
 							query.Kind(query.Start(), ad.Group),
-							query.Not(query.Equals(query.StartProperty(ad.DomainSID.String()), domainSid)),
+							query.Not(query.Equals(query.StartProperty(ad.DomainSID.String()), domainSID)),
 						)
 					},
 				}); err != nil {
@@ -808,15 +808,15 @@ func FetchForeignAdmins(tx graph.Transaction, node *graph.Node, skip, limit int)
 }
 
 func FetchForeignAdminPaths(tx graph.Transaction, node *graph.Node) (graph.PathSet, error) {
-	if domainSid, err := node.Properties.Get(ad.DomainSID.String()).String(); err != nil {
+	if domainSID, err := getNodeDomainSIDOrObjectID(node); err != nil {
 		return nil, err
 	} else {
 		if directAdmins, err := ops.FetchPathSet(tx.Relationships().Filterf(func() graph.Criteria {
 			return query.And(
 				query.Kind(query.End(), ad.Computer),
 				query.Kind(query.Relationship(), ad.AdminTo),
-				query.Equals(query.EndProperty(ad.DomainSID.String()), domainSid),
-				query.Not(query.Equals(query.StartProperty(ad.DomainSID.String()), domainSid)),
+				query.Equals(query.EndProperty(ad.DomainSID.String()), domainSID),
+				query.Not(query.Equals(query.StartProperty(ad.DomainSID.String()), domainSID)),
 			)
 		})); err != nil {
 			return nil, err
@@ -824,7 +824,7 @@ func FetchForeignAdminPaths(tx graph.Transaction, node *graph.Node) (graph.PathS
 			return query.And(
 				query.Kind(query.Start(), ad.Group),
 				query.Kind(query.Relationship(), ad.AdminTo),
-				query.Equals(query.EndProperty(ad.DomainSID.String()), domainSid),
+				query.Equals(query.EndProperty(ad.DomainSID.String()), domainSID),
 				query.Kind(query.End(), ad.Computer),
 			)
 		})); err != nil {
@@ -839,7 +839,7 @@ func FetchForeignAdminPaths(tx graph.Transaction, node *graph.Node) (graph.PathS
 					BranchQuery: func() graph.Criteria {
 						return query.Or(
 							query.Kind(query.Start(), ad.Group),
-							query.Not(query.Equals(query.StartProperty(ad.DomainSID.String()), domainSid)),
+							query.Not(query.Equals(query.StartProperty(ad.DomainSID.String()), domainSID)),
 						)
 					},
 				}); err != nil {
@@ -859,12 +859,12 @@ func FetchForeignAdminPaths(tx graph.Transaction, node *graph.Node) (graph.PathS
 func CreateForeignEntityMembershipListDelegate(kind graph.Kind) analysis.ListDelegate {
 	return func(tx graph.Transaction, node *graph.Node, skip, limit int) (graph.NodeSet, error) {
 		foreignNodes := graph.NewNodeSet()
-		if domainSid, err := node.Properties.Get(ad.DomainSID.String()).String(); err != nil {
+		if domainSID, err := getNodeDomainSIDOrObjectID(node); err != nil {
 			return nil, err
 		} else if nodes, err := ops.FetchNodes(tx.Nodes().Filterf(func() graph.Criteria {
 			return query.And(
 				query.Kind(query.Node(), ad.Group),
-				query.Equals(query.NodeProperty(ad.DomainSID.String()), domainSid),
+				query.Equals(query.NodeProperty(ad.DomainSID.String()), domainSID),
 			)
 		})); err != nil {
 			return nil, err
@@ -881,7 +881,7 @@ func CreateForeignEntityMembershipListDelegate(kind graph.Kind) analysis.ListDel
 						return false
 					} else if s, err := node.Properties.Get(ad.DomainSID.String()).String(); err != nil {
 						return false
-					} else if s == domainSid {
+					} else if s == domainSID {
 						return false
 					} else {
 						return true
@@ -902,12 +902,12 @@ func CreateForeignEntityMembershipPathDelegate(kind graph.Kind) analysis.PathDel
 	return func(tx graph.Transaction, node *graph.Node) (graph.PathSet, error) {
 		foreignPaths := graph.NewPathSet()
 
-		if domainSid, err := node.Properties.Get(ad.DomainSID.String()).String(); err != nil {
+		if domainSID, err := getNodeDomainSIDOrObjectID(node); err != nil {
 			return nil, err
 		} else if nodes, err := ops.FetchNodes(tx.Nodes().Filterf(func() graph.Criteria {
 			return query.And(
 				query.Kind(query.Node(), ad.Group),
-				query.Equals(query.NodeProperty(ad.DomainSID.String()), domainSid),
+				query.Equals(query.NodeProperty(ad.DomainSID.String()), domainSID),
 			)
 		})); err != nil {
 			return nil, err
@@ -924,7 +924,7 @@ func CreateForeignEntityMembershipPathDelegate(kind graph.Kind) analysis.PathDel
 						return false
 					} else if s, err := node.Properties.Get(ad.DomainSID.String()).String(); err != nil {
 						return false
-					} else if s == domainSid {
+					} else if s == domainSID {
 						return false
 					} else {
 						return true
@@ -1735,3 +1735,13 @@ func FetchAuthUsersAndEveryoneGroups(tx graph.Transaction, domainSID string) (gr
 		)
 	}))
 }
+
+func getNodeDomainSIDOrObjectID(node *graph.Node) (string, error) {
+	if sid, err := node.Properties.Get(ad.DomainSID.String()).String(); err == nil {
+		return sid, nil
+	} else if sid, err := node.Properties.Get(common.ObjectID.String()).String(); err == nil {
+		return sid, nil
+	} else {
+		return "", err
+	}
+}

From 31369416421c270ec1cf9cac89ab30e010340e8c Mon Sep 17 00:00:00 2001
From: Alyx Holms <aholms@specterops.io>
Date: Thu, 19 Dec 2024 16:18:37 -0700
Subject: [PATCH 09/11] BED-5204: Resolve CVE-2024-45338 (#1031)

* fix: CVE fixed by bumping Cuelang to latest (CVE was an indirect import from cue)

* chore: add missing license headers

* fix: bump x/net the rest of the way to v0.33.0
---
 cmd/api/src/go.mod                            |  1 +
 cmd/api/src/go.sum                            |  2 +-
 .../harnesses/enrollonbehalfof-1.svg          | 19 +++++++-
 .../harnesses/enrollonbehalfof-2.svg          | 19 +++++++-
 .../harnesses/enrollonbehalfof-3.svg          | 17 +++++++
 packages/cue/cue.mod/module.cue               |  4 ++
 packages/go/analysis/go.mod                   |  2 +-
 packages/go/analysis/go.sum                   |  2 +-
 packages/go/bomenc/go.mod                     |  2 +-
 packages/go/bomenc/go.sum                     |  2 +-
 packages/go/cache/go.mod                      |  2 +-
 packages/go/cache/go.sum                      |  2 +-
 packages/go/cypher/go.mod                     | 14 ++----
 packages/go/cypher/go.sum                     | 39 +++++++---------
 packages/go/dawgs/go.mod                      |  3 +-
 packages/go/dawgs/go.sum                      |  9 ++--
 packages/go/ein/go.mod                        |  2 +-
 packages/go/ein/go.sum                        |  2 +-
 packages/go/errors/go.mod                     |  2 +-
 packages/go/errors/go.sum                     |  3 +-
 packages/go/lab/go.mod                        |  2 +-
 packages/go/lab/go.sum                        |  3 +-
 packages/go/schemagen/go.mod                  | 26 +++++------
 packages/go/schemagen/go.sum                  | 45 +++++++------------
 packages/go/slicesext/go.mod                  |  2 +-
 packages/go/slicesext/go.sum                  |  3 +-
 packages/go/stbernard/go.mod                  |  4 +-
 packages/go/stbernard/go.sum                  |  7 ++-
 28 files changed, 134 insertions(+), 106 deletions(-)

diff --git a/cmd/api/src/go.mod b/cmd/api/src/go.mod
index 51e2dbfeea..2203e16d6f 100644
--- a/cmd/api/src/go.mod
+++ b/cmd/api/src/go.mod
@@ -74,6 +74,7 @@ require (
 	github.com/prometheus/common v0.44.0 // indirect
 	github.com/prometheus/procfs v0.11.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
diff --git a/cmd/api/src/go.sum b/cmd/api/src/go.sum
index 9161780858..ec6d1c37b4 100644
--- a/cmd/api/src/go.sum
+++ b/cmd/api/src/go.sum
@@ -112,7 +112,7 @@ github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/russellhaering/goxmldsig v1.4.0 h1:8UcDh/xGyQiyrW+Fq5t8f+l2DLB1+zlhYzkPUJ7Qhys=
 github.com/russellhaering/goxmldsig v1.4.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.svg b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.svg
index 6fcfa6838d..4f22563a8b 100644
--- a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.svg
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-1.svg
@@ -1 +1,18 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="921" height="845" viewBox="0 0 921 845"><defs><style type="text/css"/></defs><g transform="translate(190.30110474644664 4) scale(1)"><g class="relationship"><g transform="translate(433.6313891898351 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 274.7692385720868 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(299.6313891898351 0) rotate(0)" stroke="none"/></g><g transform="translate(241.8846192860434 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(176.03558347937087 605.9525668495705) rotate(-47.179262552307804)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 295.11860518164553 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(319.9807557993938 0) rotate(0)" stroke="none"/></g><g transform="translate(296.3839996231144 476.0824187567895) rotate(-47.179262552307804) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(454.01086036954564 605.2045130499298) rotate(-94.20433793162489)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.1141328070369 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.9762834247852 0) rotate(0)" stroke="none"/></g><g transform="translate(444.7324929650218 478.9880206451286) rotate(85.7956620683751) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(675.9551990267428 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(675.9551990267428 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(70.02539571192277)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 211.90634546605278 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(236.7684960838011 0) rotate(0)" stroke="none"/></g><g transform="translate(121.27129164336606 455.2811520398451) rotate(70.02539571192277) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(454.01086036954564 605.2045130499298) rotate(179.84581282700933)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 194.11413280703684 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(218.97628342478515 0) rotate(0)" stroke="none"/></g><g transform="translate(327.45425222119184 605.545087048647) rotate(359.84581282700935) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(176.03558347937087 605.9525668495705) rotate(124.93560426946605)" stroke-width="5" stroke="#68ccca"><path d="M 58.695178092152055 -5.989663490593892 L 95.96898050729241 -9.793341079425122 A 40 40 0 0 1 100.0297693144747 -10 L 118 -10 L 226 -10 A 10 10 0 0 1 236 -1.7763568394002505e-15 L 236 0 L 236 1.7763568394002505e-15 A 10 10 0 0 1 226 10 L 118 10 L 100.0297693144747 10 A 40 40 0 0 0 95.96898050729241 9.793341079425122 L 83.42887907965451 8.513662064369711 L 83.42887907965451 8.513662064369711"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="rotate(185.8266894420084) translate(-59 0)" stroke="none"/></g><g transform="translate(46.615459702719136 791.2265033912118) rotate(34.93560426946605) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="50" r="52"/></g><g transform="translate(675.9551990267428 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="75" cy="327.97628342478527" r="52"/></g><g transform="translate(75 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-1</text></g></g></g><g transform="translate(-39.597979746446654 -77.99797974644666)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="50" r="52"/></g><g transform="translate(433.6313891898351 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="327.97628342478527" r="52"/></g><g transform="translate(433.6313891898351 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="176.03558347937087" cy="605.9525668495705" r="52"/></g><g transform="translate(176.03558347937087 605.9525668495705)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-2</text></g></g></g><g transform="translate(-39.597979746446654 39.59797974644666)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="454.01086036954564" cy="605.2045130499298" r="52"/></g><g transform="translate(454.01086036954564 605.2045130499298)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-3</text></g></g></g><g transform="translate(39.59797974644666 39.597979746446654)"><g transform="translate(0 0)"><g transform="translate(0 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="327.97628342478527" r="52"/></g><g transform="translate(675.9551990267428 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA1</text></g></g></g></g></g></g></svg>
\ No newline at end of file
+<!--
+Copyright 2024 Specter Ops, Inc.
+
+Licensed under the Apache License, Version 2.0
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+-->
+<svg xmlns="http://www.w3.org/2000/svg" width="921" height="845" viewBox="0 0 921 845"><defs><style type="text/css"/></defs><g transform="translate(190.30110474644664 4) scale(1)"><g class="relationship"><g transform="translate(433.6313891898351 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 274.7692385720868 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(299.6313891898351 0) rotate(0)" stroke="none"/></g><g transform="translate(241.8846192860434 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(176.03558347937087 605.9525668495705) rotate(-47.179262552307804)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 295.11860518164553 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(319.9807557993938 0) rotate(0)" stroke="none"/></g><g transform="translate(296.3839996231144 476.0824187567895) rotate(-47.179262552307804) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(454.01086036954564 605.2045130499298) rotate(-94.20433793162489)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.1141328070369 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.9762834247852 0) rotate(0)" stroke="none"/></g><g transform="translate(444.7324929650218 478.9880206451286) rotate(85.7956620683751) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(675.9551990267428 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(675.9551990267428 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(70.02539571192277)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 211.90634546605278 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(236.7684960838011 0) rotate(0)" stroke="none"/></g><g transform="translate(121.27129164336606 455.2811520398451) rotate(70.02539571192277) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(454.01086036954564 605.2045130499298) rotate(179.84581282700933)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 194.11413280703684 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(218.97628342478515 0) rotate(0)" stroke="none"/></g><g transform="translate(327.45425222119184 605.545087048647) rotate(359.84581282700935) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(176.03558347937087 605.9525668495705) rotate(124.93560426946605)" stroke-width="5" stroke="#68ccca"><path d="M 58.695178092152055 -5.989663490593892 L 95.96898050729241 -9.793341079425122 A 40 40 0 0 1 100.0297693144747 -10 L 118 -10 L 226 -10 A 10 10 0 0 1 236 -1.7763568394002505e-15 L 236 0 L 236 1.7763568394002505e-15 A 10 10 0 0 1 226 10 L 118 10 L 100.0297693144747 10 A 40 40 0 0 0 95.96898050729241 9.793341079425122 L 83.42887907965451 8.513662064369711 L 83.42887907965451 8.513662064369711"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="rotate(185.8266894420084) translate(-59 0)" stroke="none"/></g><g transform="translate(46.615459702719136 791.2265033912118) rotate(34.93560426946605) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="50" r="52"/></g><g transform="translate(675.9551990267428 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="75" cy="327.97628342478527" r="52"/></g><g transform="translate(75 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-1</text></g></g></g><g transform="translate(-39.597979746446654 -77.99797974644666)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="50" r="52"/></g><g transform="translate(433.6313891898351 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="327.97628342478527" r="52"/></g><g transform="translate(433.6313891898351 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="176.03558347937087" cy="605.9525668495705" r="52"/></g><g transform="translate(176.03558347937087 605.9525668495705)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-2</text></g></g></g><g transform="translate(-39.597979746446654 39.59797974644666)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="454.01086036954564" cy="605.2045130499298" r="52"/></g><g transform="translate(454.01086036954564 605.2045130499298)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-3</text></g></g></g><g transform="translate(39.59797974644666 39.597979746446654)"><g transform="translate(0 0)"><g transform="translate(0 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="327.97628342478527" r="52"/></g><g transform="translate(675.9551990267428 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA1</text></g></g></g></g></g></g></svg>
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.svg b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.svg
index d8d8ec0fcb..96181905f2 100644
--- a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.svg
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-2.svg
@@ -1 +1,18 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="1077" height="760" viewBox="0 0 1077 760"><defs><style type="text/css"/></defs><g transform="translate(365.05110474644664 4) scale(1)"><g class="relationship"><g transform="translate(415.0216781311826 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(523.7525077407623 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(415.0216781311826 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(415.0216781311826 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(657.3454879680903 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(657.3454879680903 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(415.0216781311826 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(523.7525077407623 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 256.15952751343434 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(281.0216781311826 0) rotate(0)" stroke="none"/></g><g transform="translate(232.57976375671717 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(75 524.287890824132) rotate(-30.000000000000014)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 308.7610641809449 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(333.62321479869325 0) rotate(0)" stroke="none"/></g><g transform="translate(234.2452120517488 432.3476247788957) rotate(-30.000000000000014) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(245.01083906559165 622.4436945238048) rotate(-60.00000000000002)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 256.1595275134339 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(281.02167813118217 0) rotate(0)" stroke="none"/></g><g transform="translate(323.80072094395007 485.9756159881375) rotate(-60.00000000000002) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(531.0216781311826 622.4436945238048) rotate(-111.50104465455937)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 232.62964421958858 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(257.4917948373369 0) rotate(0)" stroke="none"/></g><g transform="translate(477.5778933612505 486.77599676057105) rotate(68.49895534544063) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(59.99999999999992)" stroke-width="5" stroke="#a4dd00"><path d="M 59 0 L 256.1595275134342 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#a4dd00" transform="translate(281.0216781311825 0) rotate(0)" stroke="none"/></g><g transform="translate(153.78988187835876 464.4443619604525) rotate(59.99999999999992) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="657.3454879680903" cy="50" r="52"/></g><g transform="translate(657.3454879680903 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain2</text></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="415.0216781311826" cy="50" r="52"/></g><g transform="translate(415.0216781311826 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore2</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="415.0216781311826" cy="327.97628342478527" r="52"/></g><g transform="translate(415.0216781311826 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA2</text></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="657.3454879680903" cy="327.97628342478527" r="52"/></g><g transform="translate(657.3454879680903 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA2</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="75" cy="327.97628342478527" r="52"/></g><g transform="translate(75 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-1</text></g></g></g><g transform="translate(-39.597979746446654 -77.99797974644666)"><g transform="translate(0 0)"><g transform="translate(-300.1328125 0)" fill="white"><rect x="0" y="0" width="300.1328125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1"]</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">2</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="75" cy="524.287890824132" r="52"/></g><g transform="translate(75 524.287890824132)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-2</text></g></g></g><g transform="translate(-39.597979746446654 39.59797974644666)"><g transform="translate(0 0)"><g transform="translate(-400.453125 0)" fill="white"><rect x="0" y="0" width="400.453125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1", "2.5.29.37.0"]</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">2</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="245.01083906559165" cy="622.4436945238048" r="52"/></g><g transform="translate(245.01083906559165 622.4436945238048)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-3</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-170.53515625 0)" fill="white"><rect x="0" y="0" width="341.0703125" height="76.8" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="157.4296875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="161.875" y="14.1" stroke="none" text-anchor="start">[]</text><text xml:space="preserve" x="157.4296875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="161.875" y="33.3" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="157.4296875" y="52.5" stroke="none" text-anchor="end">authorizedsignatures:</text><text xml:space="preserve" x="161.875" y="52.5" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="157.4296875" y="71.7" stroke="none" text-anchor="end">applicationpolicies:</text><text xml:space="preserve" x="161.875" y="71.7" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="531.0216781311826" cy="622.4436945238048" r="52"/></g><g transform="translate(531.0216781311826 622.4436945238048)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-4</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-87.609375 0)" fill="white"><rect x="0" y="0" width="175.21875" height="76.8" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="157.4296875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="161.875" y="14.1" stroke="none" text-anchor="start">[]</text><text xml:space="preserve" x="157.4296875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="161.875" y="33.3" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="157.4296875" y="52.5" stroke="none" text-anchor="end">authorizedsignatures:</text><text xml:space="preserve" x="161.875" y="52.5" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="157.4296875" y="71.7" stroke="none" text-anchor="end">applicationpolicies:</text><text xml:space="preserve" x="161.875" y="71.7" stroke="none" text-anchor="start">[]</text></g></g></g></g></g></g></g></svg>
\ No newline at end of file
+<!--
+Copyright 2024 Specter Ops, Inc.
+
+Licensed under the Apache License, Version 2.0
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+-->
+<svg xmlns="http://www.w3.org/2000/svg" width="1077" height="760" viewBox="0 0 1077 760"><defs><style type="text/css"/></defs><g transform="translate(365.05110474644664 4) scale(1)"><g class="relationship"><g transform="translate(415.0216781311826 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(523.7525077407623 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(415.0216781311826 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(415.0216781311826 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(657.3454879680903 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(657.3454879680903 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(415.0216781311826 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(523.7525077407623 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 256.15952751343434 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(281.0216781311826 0) rotate(0)" stroke="none"/></g><g transform="translate(232.57976375671717 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(75 524.287890824132) rotate(-30.000000000000014)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 308.7610641809449 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(333.62321479869325 0) rotate(0)" stroke="none"/></g><g transform="translate(234.2452120517488 432.3476247788957) rotate(-30.000000000000014) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(245.01083906559165 622.4436945238048) rotate(-60.00000000000002)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 256.1595275134339 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(281.02167813118217 0) rotate(0)" stroke="none"/></g><g transform="translate(323.80072094395007 485.9756159881375) rotate(-60.00000000000002) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(531.0216781311826 622.4436945238048) rotate(-111.50104465455937)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 232.62964421958858 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(257.4917948373369 0) rotate(0)" stroke="none"/></g><g transform="translate(477.5778933612505 486.77599676057105) rotate(68.49895534544063) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(75 327.97628342478527) rotate(59.99999999999992)" stroke-width="5" stroke="#a4dd00"><path d="M 59 0 L 256.1595275134342 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#a4dd00" transform="translate(281.0216781311825 0) rotate(0)" stroke="none"/></g><g transform="translate(153.78988187835876 464.4443619604525) rotate(59.99999999999992) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="657.3454879680903" cy="50" r="52"/></g><g transform="translate(657.3454879680903 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain2</text></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="415.0216781311826" cy="50" r="52"/></g><g transform="translate(415.0216781311826 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore2</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="415.0216781311826" cy="327.97628342478527" r="52"/></g><g transform="translate(415.0216781311826 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA2</text></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="657.3454879680903" cy="327.97628342478527" r="52"/></g><g transform="translate(657.3454879680903 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA2</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="75" cy="327.97628342478527" r="52"/></g><g transform="translate(75 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-1</text></g></g></g><g transform="translate(-39.597979746446654 -77.99797974644666)"><g transform="translate(0 0)"><g transform="translate(-300.1328125 0)" fill="white"><rect x="0" y="0" width="300.1328125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1"]</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">2</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="75" cy="524.287890824132" r="52"/></g><g transform="translate(75 524.287890824132)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-2</text></g></g></g><g transform="translate(-39.597979746446654 39.59797974644666)"><g transform="translate(0 0)"><g transform="translate(-400.453125 0)" fill="white"><rect x="0" y="0" width="400.453125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1", "2.5.29.37.0"]</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">2</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="245.01083906559165" cy="622.4436945238048" r="52"/></g><g transform="translate(245.01083906559165 622.4436945238048)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-3</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-170.53515625 0)" fill="white"><rect x="0" y="0" width="341.0703125" height="76.8" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="157.4296875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="161.875" y="14.1" stroke="none" text-anchor="start">[]</text><text xml:space="preserve" x="157.4296875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="161.875" y="33.3" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="157.4296875" y="52.5" stroke="none" text-anchor="end">authorizedsignatures:</text><text xml:space="preserve" x="161.875" y="52.5" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="157.4296875" y="71.7" stroke="none" text-anchor="end">applicationpolicies:</text><text xml:space="preserve" x="161.875" y="71.7" stroke="none" text-anchor="start">["1.3.6.1.4.1.311.20.2.1"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="531.0216781311826" cy="622.4436945238048" r="52"/></g><g transform="translate(531.0216781311826 622.4436945238048)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate2-4</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-87.609375 0)" fill="white"><rect x="0" y="0" width="175.21875" height="76.8" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="157.4296875" y="14.1" stroke="none">effectiveekus:</text><text xml:space="preserve" x="161.875" y="14.1" stroke="none" text-anchor="start">[]</text><text xml:space="preserve" x="157.4296875" y="33.3" stroke="none" text-anchor="end">schemaversion:</text><text xml:space="preserve" x="161.875" y="33.3" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="157.4296875" y="52.5" stroke="none" text-anchor="end">authorizedsignatures:</text><text xml:space="preserve" x="161.875" y="52.5" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="157.4296875" y="71.7" stroke="none" text-anchor="end">applicationpolicies:</text><text xml:space="preserve" x="161.875" y="71.7" stroke="none" text-anchor="start">[]</text></g></g></g></g></g></g></g></svg>
diff --git a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg
index e93ece036f..42dced49a9 100644
--- a/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg
+++ b/cmd/api/src/test/integration/harnesses/enrollonbehalfof-3.svg
@@ -1 +1,18 @@
+<!--
+Copyright 2024 Specter Ops, Inc.
+
+Licensed under the Apache License, Version 2.0
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+-->
 <svg xmlns="http://www.w3.org/2000/svg" width="1057" height="896" viewBox="0 0 1057 896"><defs><style type="text/css"/></defs><g transform="translate(326.6622528543699 4) scale(1)"><g class="relationship"><g transform="translate(433.6313891898351 50) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 50) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-62.6484375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="125.296875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">NTAuthStoreFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-70.3515625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="140.703125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">TrustedForNTAuth</text></g></g></g></g><g class="relationship"><g transform="translate(-44.95912785436991 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 394.7283664264567 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(419.590517044205 0) rotate(0)" stroke="none"/></g><g transform="translate(181.90505535885845 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(194.3361306677326 557.3609078601627) rotate(-43.78861262620303)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 247.61865829661255 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(272.48080891436086 0) rotate(0)" stroke="none"/></g><g transform="translate(305.009794318264 451.27089618105714) rotate(-43.78861262620303) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(675.9551990267428 327.97628342478527) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 194.11413280703695 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(218.97628342478527 0) rotate(0)" stroke="none"/></g><g transform="translate(675.9551990267428 201.41921702126677) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-45.01171875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="90.0234375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">RootCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 327.97628342478527) rotate(0)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 158.4616592191594 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(183.32380983690769 0) rotate(0)" stroke="none"/></g><g transform="translate(542.3622187994148 327.97628342478527) rotate(0) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(-44.95912785436991 327.97628342478527) rotate(43.78861262620303)" stroke-width="5" stroke="#68ccca"><path d="M 59 0 L 247.61865829661255 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="translate(272.48080891436086 0) rotate(0)" stroke="none"/></g><g transform="translate(65.71453579616153 434.0662951038908) rotate(43.78861262620303) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 796.6561663822652) rotate(-90)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 212.28261323598704 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(237.14476385373536 0) rotate(0)" stroke="none"/></g><g transform="translate(433.6313891898351 661.0148597642717) rotate(90) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-48.5859375 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="97.171875" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">PublishedTo</text></g></g></g></g><g class="relationship"><g transform="translate(433.6313891898351 500.5114025285298) rotate(-35.45095495632252)" stroke-width="5" stroke="#000000"><path d="M 59 0 L 213.6091860485213 0"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#000000" transform="translate(238.47133666626962 0) rotate(0)" stroke="none"/></g><g transform="translate(544.6667872556458 421.45393952928924) rotate(-35.45095495632252) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-64.57421875 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="129.1484375" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnterpriseCAFor</text></g></g></g></g><g class="relationship"><g transform="translate(194.3361306677326 557.3609078601627) rotate(90)" stroke-width="5" stroke="#68ccca"><path d="M 58.695178092152055 -5.989663490593892 L 95.96898050729241 -9.793341079425122 A 40 40 0 0 1 100.0297693144747 -10 L 118 -10 L 226 -10 A 10 10 0 0 1 236 -1.7763568394002505e-15 L 236 0 L 236 1.7763568394002505e-15 A 10 10 0 0 1 226 10 L 118 10 L 100.0297693144747 10 A 40 40 0 0 0 95.96898050729241 9.793341079425122 L 83.42887907965451 8.513662064369711 L 83.42887907965451 8.513662064369711"/><polygon points="-24.8621506177483,0 -27.62461179749811,9.20820393249937 0,0 -27.62461179749811,-9.20820393249937" fill="#68ccca" transform="rotate(185.8266894420084) translate(-59 0)" stroke="none"/></g><g transform="translate(194.3361306677326 783.3609078601627) rotate(360) translate(0 -13)"><g transform="translate(0 0)"><g transform="translate(-67.25390625 0)" fill="#ffffff" stroke="#000000" stroke-width="0"><rect x="0" y="0" width="134.5078125" height="26" rx="5" ry="5" stroke="none"/><text xml:space="preserve" x="5" y="17.5" stroke="none" text-anchor="left" font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000">EnrollOnBehalfOf</text></g></g></g></g><g class="node"><g fill="#68ccca" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="50" r="52"/></g><g transform="translate(675.9551990267428 50)"><g transform="scale(0.4296880703125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">Domain1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="-44.95912785436991" cy="327.97628342478527" r="52"/></g><g transform="translate(-44.95912785436991 327.97628342478527)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-1</text></g></g></g><g transform="translate(-56 -19.199999999999992)"><g transform="translate(0 0)"><g transform="translate(-225.703125 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#7b64ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="50" r="52"/></g><g transform="translate(433.6313891898351 50)"><g transform="scale(0.28125071874999996) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">NTAuthStore1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="327.97628342478527" r="52"/></g><g transform="translate(433.6313891898351 327.97628342478527)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA1</text></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="194.3361306677326" cy="557.3609078601627" r="52"/></g><g transform="translate(194.3361306677326 557.3609078601627)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-2</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-112.8515625 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">1</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#fda1ff" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="796.6561663822652" r="52"/></g><g transform="translate(433.6313891898351 796.6561663822652)"><g transform="scale(0.24023513476562502) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">CertTemplate1-3</text></g></g></g><g transform="translate(3.429011037612589e-15 56)"><g transform="translate(0 0)"><g transform="translate(-112.8515625 0)" fill="white"><rect x="0" y="0" width="225.703125" height="38.4" rx="0" ry="0" stroke="none"/><g font-family="sans-serif" font-size="16" font-weight="normal" fill="#000000" text-anchor="end"><text xml:space="preserve" x="116.4921875" y="14.1" stroke="none">schemaversion:</text><text xml:space="preserve" x="120.9375" y="14.1" stroke="none" text-anchor="start">2</text><text xml:space="preserve" x="116.4921875" y="33.3" stroke="none" text-anchor="end">effectiveekus:</text><text xml:space="preserve" x="120.9375" y="33.3" stroke="none" text-anchor="start">["2.5.29.37.0"]</text></g></g></g></g></g></g><g class="node"><g fill="#e27300" stroke="#000000" stroke-width="4"><circle cx="675.9551990267428" cy="327.97628342478527" r="52"/></g><g transform="translate(675.9551990267428 327.97628342478527)"><g transform="scale(0.421875578125) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">RootCA1</text></g></g></g></g></g><g class="node"><g fill="#b0bc00" stroke="#000000" stroke-width="4"><circle cx="433.6313891898351" cy="500.5114025285298" r="52"/></g><g transform="translate(433.6313891898351 500.5114025285298)"><g transform="scale(0.27148510351562494) translate(0 0)"><g transform="translate(0 0)"><g font-family="sans-serif" font-size="50" font-weight="normal" fill="#000000" text-anchor="middle"><text xml:space="preserve" x="0" y="13" stroke="none">EnterpriseCA2</text></g></g></g></g></g></g></svg>
diff --git a/packages/cue/cue.mod/module.cue b/packages/cue/cue.mod/module.cue
index 43bb38273a..2e0ec79100 100644
--- a/packages/cue/cue.mod/module.cue
+++ b/packages/cue/cue.mod/module.cue
@@ -15,3 +15,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 module: "pkg.specterops.io/schemas"
+
+language: {
+  version: "v0.9.2"
+}
\ No newline at end of file
diff --git a/packages/go/analysis/go.mod b/packages/go/analysis/go.mod
index 24a8720894..9b4779d11c 100644
--- a/packages/go/analysis/go.mod
+++ b/packages/go/analysis/go.mod
@@ -31,7 +31,7 @@ require (
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/analysis/go.sum b/packages/go/analysis/go.sum
index 1def85bd5b..1432357b6d 100644
--- a/packages/go/analysis/go.sum
+++ b/packages/go/analysis/go.sum
@@ -6,7 +6,7 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/mschoch/smat v0.2.0 h1:8imxQsjDm8yFEAVBe7azKmKSgzSkZXDuKkSq9374khM=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 go.uber.org/mock v0.2.0 h1:TaP3xedm7JaAgScZO7tlvlKrqT0p7I6OsdGB5YNSMDU=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/packages/go/bomenc/go.mod b/packages/go/bomenc/go.mod
index 6f7fe1a8eb..fc0dee73a8 100644
--- a/packages/go/bomenc/go.mod
+++ b/packages/go/bomenc/go.mod
@@ -27,7 +27,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/bomenc/go.sum b/packages/go/bomenc/go.sum
index 7fcaa2c601..e4809269fc 100644
--- a/packages/go/bomenc/go.sum
+++ b/packages/go/bomenc/go.sum
@@ -4,7 +4,7 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
diff --git a/packages/go/cache/go.mod b/packages/go/cache/go.mod
index 4165e9a4da..0c6f586990 100644
--- a/packages/go/cache/go.mod
+++ b/packages/go/cache/go.mod
@@ -27,7 +27,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/cache/go.sum b/packages/go/cache/go.sum
index faab3ea4f0..f1fae94b2b 100644
--- a/packages/go/cache/go.sum
+++ b/packages/go/cache/go.sum
@@ -3,7 +3,7 @@ github.com/hashicorp/golang-lru v0.6.0 h1:uL2shRDx7RTrOrTCUZEGP/wJUFiUI8QT6E7z5o
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/packages/go/cypher/go.mod b/packages/go/cypher/go.mod
index 346cf73bec..c9df2349dd 100644
--- a/packages/go/cypher/go.mod
+++ b/packages/go/cypher/go.mod
@@ -19,30 +19,24 @@ module github.com/specterops/bloodhound/cypher
 go 1.23
 
 require (
-	cuelang.org/go v0.5.0
+	cuelang.org/go v0.11.1
 	github.com/antlr4-go/antlr/v4 v4.13.0
 	github.com/jackc/pgtype v1.14.4
 	github.com/stretchr/testify v1.9.0
 )
 
 require (
-	github.com/cockroachdb/apd/v2 v2.0.2 // indirect
+	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/golang/glog v1.0.0 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/uuid v1.3.0 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/pgx/v4 v4.18.3 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
 	github.com/lib/pq v1.10.9 // indirect
-	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
-	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/packages/go/cypher/go.sum b/packages/go/cypher/go.sum
index 605bc2827f..841448dc01 100644
--- a/packages/go/cypher/go.sum
+++ b/packages/go/cypher/go.sum
@@ -1,31 +1,27 @@
-cuelang.org/go v0.5.0 h1:D6N0UgTGJCOxFKU8RU+qYvavKNsVc/+ZobmifStVJzU=
-cuelang.org/go v0.5.0/go.mod h1:okjJBHFQFer+a41sAe2SaGm1glWS8oEb6CmJvn5Zdws=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20240906074133-82eb438dd565 h1:R5wwEcbEZSBmeyg91MJZTxfd7WpBo2jPof3AYjRbxwY=
+cuelang.org/go v0.11.1 h1:pV+49MX1mmvDm8Qh3Za3M786cty8VKPWzQ1Ho4gZRP0=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/cockroachdb/apd/v2 v2.0.2 h1:weh8u7Cneje73dDh+2tEVLUvyBc89iwepWCD8b8034E=
-github.com/cockroachdb/apd/v2 v2.0.2/go.mod h1:DDxRlzC2lo3/vSlmSoS7JkqbbrARPuFOGr0B9pvN3Gw=
+github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/emicklei/proto v1.10.0 h1:pDGyFRVV5RvV+nkBK9iy3q67FBy9Xa7vwrOTE+g5aGw=
+github.com/emicklei/proto v1.13.2 h1:z/etSFO3uyXeuEsVPzfl56WNgzcvIr42aQazXaQmFZY=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
-github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/jackc/chunkreader v1.0.0 h1:4s39bBR8ByfqH+DKm8rQA3E1LHZWB9XWcrz8fqaZbe0=
 github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo=
 github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
@@ -102,20 +98,15 @@ github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd
 github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
-github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de h1:D5x39vF5KCwKQaw+OC9ZPiLVHXz3UFw2+psEX+gYcto=
-github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de/go.mod h1:kJun4WP5gFuHZgRjZUWWuH1DTxCtxbHDOIJsudS8jzY=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/protocolbuffers/txtpbfmt v0.0.0-20220428173112-74888fd59c2b h1:zd/2RNzIRkoGGMjE+YIsZ85CnDIz672JK2F3Zl4vux4=
+github.com/protocolbuffers/txtpbfmt v0.0.0-20240823084532-8e6b51fa9bef h1:ej+64jiny5VETZTqcc1GFVAPEtaSk6U1D0kKC2MS5Yc=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
@@ -173,6 +164,7 @@ golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKG
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -182,11 +174,12 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -232,7 +225,7 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200103221440-774c71fcf114/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/packages/go/dawgs/go.mod b/packages/go/dawgs/go.mod
index 13da6db949..368f2c5e72 100644
--- a/packages/go/dawgs/go.mod
+++ b/packages/go/dawgs/go.mod
@@ -40,11 +40,12 @@ require (
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
-	github.com/kr/text v0.2.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/rs/zerolog v1.29.1 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
diff --git a/packages/go/dawgs/go.sum b/packages/go/dawgs/go.sum
index 107f082462..ce13f5e21b 100644
--- a/packages/go/dawgs/go.sum
+++ b/packages/go/dawgs/go.sum
@@ -1,4 +1,4 @@
-cuelang.org/go v0.5.0 h1:D6N0UgTGJCOxFKU8RU+qYvavKNsVc/+ZobmifStVJzU=
+cuelang.org/go v0.11.1 h1:pV+49MX1mmvDm8Qh3Za3M786cty8VKPWzQ1Ho4gZRP0=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/RoaringBitmap/roaring v1.9.4 h1:yhEIoH4YezLYT04s1nHehNO64EKFTop/wBhxv2QzDdQ=
@@ -11,7 +11,7 @@ github.com/bits-and-blooms/bitset v1.12.0 h1:U/q1fAF7xXRhFCrhROzIfffYnu+dlS38vCZ
 github.com/bits-and-blooms/bitset v1.12.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/cockroachdb/apd/v2 v2.0.2 h1:weh8u7Cneje73dDh+2tEVLUvyBc89iwepWCD8b8034E=
+github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
@@ -112,18 +112,16 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de h1:D5x39vF5KCwKQaw+OC9ZPiLVHXz3UFw2+psEX+gYcto=
 github.com/mschoch/smat v0.2.0 h1:8imxQsjDm8yFEAVBe7azKmKSgzSkZXDuKkSq9374khM=
 github.com/mschoch/smat v0.2.0/go.mod h1:kc9mz7DoBKqDyiRL7VZN8KvXQMWeTaVnttLRXOlotKw=
 github.com/neo4j/neo4j-go-driver/v5 v5.9.0 h1:TYxT0RSiwnvVFia90V7TLnRXv8HkdQQ6rTUaPVoyZ+w=
 github.com/neo4j/neo4j-go-driver/v5 v5.9.0/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
@@ -186,6 +184,7 @@ golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKG
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
diff --git a/packages/go/ein/go.mod b/packages/go/ein/go.mod
index 763134d8a9..6acde6e65a 100644
--- a/packages/go/ein/go.mod
+++ b/packages/go/ein/go.mod
@@ -28,7 +28,7 @@ require (
 	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/ein/go.sum b/packages/go/ein/go.sum
index 62ba24415c..880d2e7c9d 100644
--- a/packages/go/ein/go.sum
+++ b/packages/go/ein/go.sum
@@ -4,7 +4,7 @@ github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/packages/go/errors/go.mod b/packages/go/errors/go.mod
index b57356e74f..1d5e501bd8 100644
--- a/packages/go/errors/go.mod
+++ b/packages/go/errors/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/errors/go.sum b/packages/go/errors/go.sum
index 982327c4a7..1ececf5ff8 100644
--- a/packages/go/errors/go.sum
+++ b/packages/go/errors/go.sum
@@ -12,8 +12,7 @@ github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsK
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/packages/go/lab/go.mod b/packages/go/lab/go.mod
index f2b78dd6ef..e0f3949fd9 100644
--- a/packages/go/lab/go.mod
+++ b/packages/go/lab/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/lab/go.sum b/packages/go/lab/go.sum
index 982327c4a7..1ececf5ff8 100644
--- a/packages/go/lab/go.sum
+++ b/packages/go/lab/go.sum
@@ -12,8 +12,7 @@ github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsK
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/packages/go/schemagen/go.mod b/packages/go/schemagen/go.mod
index 4ee5d53d4c..6d305857aa 100644
--- a/packages/go/schemagen/go.mod
+++ b/packages/go/schemagen/go.mod
@@ -19,25 +19,25 @@ module github.com/specterops/bloodhound/schemagen
 go 1.23
 
 require (
-	cuelang.org/go v0.5.0
+	cuelang.org/go v0.11.1
 	github.com/dave/jennifer v1.6.1
 )
 
 require (
-	github.com/cockroachdb/apd/v2 v2.0.2 // indirect
-	github.com/emicklei/proto v1.10.0 // indirect
-	github.com/golang/glog v1.0.0 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20240906074133-82eb438dd565 // indirect
+	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
+	github.com/emicklei/proto v1.13.2 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/protocolbuffers/txtpbfmt v0.0.0-20220428173112-74888fd59c2b // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
-	github.com/stretchr/testify v1.9.0 // indirect
-	golang.org/x/net v0.27.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/protocolbuffers/txtpbfmt v0.0.0-20240823084532-8e6b51fa9bef // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/packages/go/schemagen/go.sum b/packages/go/schemagen/go.sum
index df58c700f5..76b7e82947 100644
--- a/packages/go/schemagen/go.sum
+++ b/packages/go/schemagen/go.sum
@@ -1,21 +1,14 @@
-cuelang.org/go v0.5.0 h1:D6N0UgTGJCOxFKU8RU+qYvavKNsVc/+ZobmifStVJzU=
-cuelang.org/go v0.5.0/go.mod h1:okjJBHFQFer+a41sAe2SaGm1glWS8oEb6CmJvn5Zdws=
-github.com/cockroachdb/apd/v2 v2.0.2 h1:weh8u7Cneje73dDh+2tEVLUvyBc89iwepWCD8b8034E=
-github.com/cockroachdb/apd/v2 v2.0.2/go.mod h1:DDxRlzC2lo3/vSlmSoS7JkqbbrARPuFOGr0B9pvN3Gw=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20240906074133-82eb438dd565 h1:R5wwEcbEZSBmeyg91MJZTxfd7WpBo2jPof3AYjRbxwY=
+cuelang.org/go v0.11.1 h1:pV+49MX1mmvDm8Qh3Za3M786cty8VKPWzQ1Ho4gZRP0=
+github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
 github.com/dave/jennifer v1.6.1 h1:T4T/67t6RAA5AIV6+NP8Uk/BIsXgDoqEowgycdQQLuk=
 github.com/dave/jennifer v1.6.1/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/emicklei/proto v1.10.0 h1:pDGyFRVV5RvV+nkBK9iy3q67FBy9Xa7vwrOTE+g5aGw=
-github.com/emicklei/proto v1.10.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
-github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
-github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/emicklei/proto v1.13.2 h1:z/etSFO3uyXeuEsVPzfl56WNgzcvIr42aQazXaQmFZY=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -29,24 +22,20 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
-github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de h1:D5x39vF5KCwKQaw+OC9ZPiLVHXz3UFw2+psEX+gYcto=
-github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de/go.mod h1:kJun4WP5gFuHZgRjZUWWuH1DTxCtxbHDOIJsudS8jzY=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/protocolbuffers/txtpbfmt v0.0.0-20220428173112-74888fd59c2b h1:zd/2RNzIRkoGGMjE+YIsZ85CnDIz672JK2F3Zl4vux4=
-github.com/protocolbuffers/txtpbfmt v0.0.0-20220428173112-74888fd59c2b/go.mod h1:KjY0wibdYKc4DYkerHSbguaf3JeIPGhNJBp2BNiFH78=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/protocolbuffers/txtpbfmt v0.0.0-20240823084532-8e6b51fa9bef h1:ej+64jiny5VETZTqcc1GFVAPEtaSk6U1D0kKC2MS5Yc=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/packages/go/slicesext/go.mod b/packages/go/slicesext/go.mod
index 4e0a55bdba..e86da598d6 100644
--- a/packages/go/slicesext/go.mod
+++ b/packages/go/slicesext/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/packages/go/slicesext/go.sum b/packages/go/slicesext/go.sum
index 982327c4a7..1ececf5ff8 100644
--- a/packages/go/slicesext/go.sum
+++ b/packages/go/slicesext/go.sum
@@ -12,8 +12,7 @@ github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsK
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/packages/go/stbernard/go.mod b/packages/go/stbernard/go.mod
index efdbf8a014..1eaa44b462 100644
--- a/packages/go/stbernard/go.mod
+++ b/packages/go/stbernard/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/specterops/bloodhound/log v0.0.0-00010101000000-000000000000
 	github.com/specterops/bloodhound/slicesext v0.0.0-00010101000000-000000000000
 	github.com/stretchr/testify v1.9.0
-	golang.org/x/mod v0.17.0
+	golang.org/x/mod v0.21.0
 )
 
 require (
@@ -35,7 +35,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rs/zerolog v1.29.1 // indirect
 	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d
+	golang.org/x/tools v0.26.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
diff --git a/packages/go/stbernard/go.sum b/packages/go/stbernard/go.sum
index f836146a7a..6473633265 100644
--- a/packages/go/stbernard/go.sum
+++ b/packages/go/stbernard/go.sum
@@ -20,19 +20,18 @@ github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.1 h1:cO+d60CHkknCbvzEWxP0S9K6KqyTjrCNUy1LdQLCGPc=
 github.com/rs/zerolog v1.29.1/go.mod h1:Le6ESbR7hc+DP6Lt1THiV8CQSdkkNrd3R0XbEgp3ZBU=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

From 67e986c0d652663ec4eec095d1ce78695b284f93 Mon Sep 17 00:00:00 2001
From: Ben Waples <bwaples@specterops.io>
Date: Thu, 19 Dec 2024 17:21:03 -0800
Subject: [PATCH 10/11] feat: GET /details API client can send multiple sort_by
 query params (#1032)

---
 .../js-client-library/src/client.ts           | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/packages/javascript/js-client-library/src/client.ts b/packages/javascript/js-client-library/src/client.ts
index 22a3f1908a..eaf6c08b83 100644
--- a/packages/javascript/js-client-library/src/client.ts
+++ b/packages/javascript/js-client-library/src/client.ts
@@ -534,17 +534,22 @@ class BHEAPIClient {
         skip: number,
         limit: number,
         filterAccepted?: boolean,
-        sortBy?: string,
+        sortBy?: string | string[],
         options?: types.RequestOptions
     ) => {
-        const params: types.RiskDetailsRequest = {
-            finding: finding,
-            skip: skip,
-            limit: limit,
-            sort_by: sortBy,
-        };
+        const params = new URLSearchParams();
+        params.append('finding', finding);
+        params.append('skip', skip.toString());
+        params.append('limit', limit.toString());
+        if (sortBy) {
+            if (typeof sortBy === 'string') {
+                params.append('sort_by', sortBy);
+            } else {
+                sortBy.forEach((sort) => params.append('sort_by', sort));
+            }
+        }
 
-        if (typeof filterAccepted === 'boolean') params.Accepted = `eq:${filterAccepted}`;
+        if (typeof filterAccepted === 'boolean') params.append('Accepted', `eq:${filterAccepted}`);
 
         return this.baseClient.get(
             `/api/v2/domains/${domainId}/details`,

From 4f5d10e4301f8055a4517efa8f6354165de1ede0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20B=C3=BClow=20Knudsen?=
 <12843299+JonasBK@users.noreply.github.com>
Date: Fri, 20 Dec 2024 08:54:23 +0100
Subject: [PATCH 11/11] update default tier zero (#1030)

---
 packages/go/analysis/ad/ad.go | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/packages/go/analysis/ad/ad.go b/packages/go/analysis/ad/ad.go
index 9baf5d72be..48b85cfc0a 100644
--- a/packages/go/analysis/ad/ad.go
+++ b/packages/go/analysis/ad/ad.go
@@ -56,7 +56,6 @@ const (
 	AuthenticatedUsersSuffix                  = "-S-1-5-11"
 	EveryoneSuffix                            = "-S-1-1-0"
 	AdminSDHolderDNPrefix                     = "CN=ADMINSDHOLDER,CN=SYSTEM,"
-	DnsAdminsDNPrefix                         = "CN=DNSADMINS,"
 )
 
 func TierZeroWellKnownSIDSuffixes() []string {
@@ -99,22 +98,6 @@ func FetchWellKnownTierZeroEntities(ctx context.Context, db graph.Database, doma
 			}
 		}
 
-		// DnsAdmins
-		if err := tx.Nodes().Filterf(func() graph.Criteria {
-			return query.And(
-				query.KindIn(query.Node(), ad.Group),
-				query.StringStartsWith(query.NodeProperty(ad.DistinguishedName.String()), DnsAdminsDNPrefix),
-				query.Equals(query.NodeProperty(ad.DomainSID.String()), domainSID),
-			)
-		}).Fetch(func(cursor graph.Cursor[*graph.Node]) error {
-			for node := range cursor.Chan() {
-				nodes.Add(node)
-			}
-			return cursor.Error()
-		}); err != nil {
-			return err
-		}
-
 		// AdminSDHolder
 		if err := tx.Nodes().Filterf(func() graph.Criteria {
 			return query.And(