chore(hermes): Remove git from build, vendor WH & Google protos (#2097)

* chore: remove git from build script, vendor wormhole and google protobufs

* chore: update gitignore

* fix: address pr comments

.pre-commit-config.yaml

@@ -3,11 +3,26 @@ repos:
     rev: v3.2.0
     hooks:
       - id: trailing-whitespace
-        exclude: target_chains/sui/vendor/|patches/
+        exclude: >
+          (?x)^(
+            target_chains/sui/vendor/|
+            patches/|
+            apps/hermes/server/proto/vendor/
+          )
       - id: end-of-file-fixer
-        exclude: target_chains/sui/vendor/|patches/|apps/api-reference/public/currency-icons/
+        exclude: >
+          (?x)^(
+            target_chains/sui/vendor/|
+            patches/|
+            apps/api-reference/public/currency-icons/|
+            apps/hermes/server/proto/vendor/
+          )
       - id: check-added-large-files
-        exclude: target_chains/sui/vendor/|patches/
+        exclude: >
+          (?x)^(
+            target_chains/sui/vendor/|
+            patches/
+          )
   # Hook to format many type of files in the repo
   # including solidity contracts.
   - repo: https://github.com/pre-commit/mirrors-prettier

apps/hermes/server/.gitignore

@@ -5,6 +5,3 @@
 src/network/p2p.pb.go
 src/network/p2p.proto
 tools/
-
-# Ignore Wormhole cloned repo
-wormhole*/

apps/hermes/server/build.rs

@@ -1,58 +1,28 @@
-use std::{
-    env,
-    path::PathBuf,
-    process::Command,
-};
+use std::path::PathBuf;
 
+/// Custom build script to compile and include the wormhole protobufs into the source.
+/// The wormhole protobufs are vendored from the Wormhole git repository at https://github.com/wormhole-foundation/wormhole.git
+/// They reference other protobufs from the Google API repository at https://github.com/googleapis/googleapis.git , which are also vendored.
+/// Our copies live in `proto/vendor`.
 fn main() {
-    let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());
+    let proto_dir = PathBuf::from("proto/vendor");
 
-    // Print OUT_DIR for debugging build issues.
-    println!("OUT_DIR={}", out_dir.display());
+    // Tell cargo to recompile if any .proto files change
+    println!("cargo:rerun-if-changed=proto/");
 
-    // We'll use git to pull in protobuf dependencies. This trick lets us use the Rust OUT_DIR
-    // directory as a mini-repo with wormhole and googleapis as remotes, so we can copy out the
-    // TREEISH paths we want.
-    let protobuf_setup = r#"
-        set -e
-        git init .
-        git clean -df
-        git remote add wormhole https://github.com/wormhole-foundation/wormhole.git || true
-        git remote add googleapis https://github.com/googleapis/googleapis.git || true
-        git fetch --depth=1 wormhole main
-        git fetch --depth=1 googleapis master
-        git reset
-        rm -rf proto/
-        git read-tree --prefix=proto/ -u wormhole/main:proto
-        git read-tree --prefix=proto/google/api/ -u googleapis/master:google/api
-    "#;
-
-    // Run each command to prepare the OUT_DIR with the protobuf definitions. We need to make sure
-    // to change the working directory to OUT_DIR, otherwise git will complain.
-    let output = Command::new("sh")
-        .args(["-c", protobuf_setup])
-        .current_dir(&out_dir)
-        .output()
-        .expect("failed to run protobuf setup commands");
-    if !output.status.success() {
-        panic!(
-            "failed to setup protobuf definitions: {}",
-            String::from_utf8_lossy(&output.stderr)
-        );
-    }
-
-    // We build the resulting protobuf definitions using Rust's prost_build crate, which generates
-    // Rust code from the protobuf definitions.
+    // Build the wormhole and google protobufs using Rust's prost_build crate.
+    // The generated Rust code is placed in the OUT_DIR (env var set by cargo).
+    // `network/wormhole.rs` then includes the generated code into the source while compilation is happening.
     tonic_build::configure()
         .build_server(false)
         .compile(
             &[
-                out_dir.join("proto/spy/v1/spy.proto"),
-                out_dir.join("proto/gossip/v1/gossip.proto"),
-                out_dir.join("proto/node/v1/node.proto"),
-                out_dir.join("proto/publicrpc/v1/publicrpc.proto"),
+                proto_dir.join("spy/v1/spy.proto"),
+                proto_dir.join("gossip/v1/gossip.proto"),
+                proto_dir.join("node/v1/node.proto"),
+                proto_dir.join("publicrpc/v1/publicrpc.proto"),
             ],
-            &[out_dir.join("proto")],
+            &[proto_dir],
         )
         .expect("failed to compile protobuf definitions");
 }

apps/hermes/server/proto/vendor/google/api/README.md

@@ -0,0 +1,36 @@
+## API Protos
+
+This folder contains the schema of the configuration model for Google's
+internal API serving platform, which handles routing, quotas, monitoring,
+logging, and the like.
+
+Google refers to this configuration colloquially as the "service config",
+and the `service.proto` file in this directory is the entry point for
+understanding these.
+
+## Using these protos
+
+To be honest, we probably open sourced way too much of this (basically by
+accident). There are a couple files in here you are most likely to be
+interested in: `http.proto`, `documentation.proto`, `auth.proto`, and
+`annotations.proto`.
+
+### HTTP and REST
+
+The `http.proto` file contains the `Http` message (which then is wrapped
+in an annotation in `annotations.proto`), which provides a specification
+for REST endpoints and verbs (`GET`, `POST`, etc.) on RPC methods.
+We recommend use of this annotation for describing the relationship
+between RPCs and REST endpoints.
+
+### Documentation
+
+The `documentation.proto` file contains a `Documentation` message which
+provides a mechanism to fully describe an API, allowing a tool to build
+structured documentation artifacts.
+
+### Authentication
+
+The `auth.proto` file contains descriptions of both authentication rules
+and authentication providers, allowing you to describe what your services
+expect and accept from clients.

apps/hermes/server/proto/vendor/google/api/annotations.proto

@@ -0,0 +1,31 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/api/http.proto";
+import "google/protobuf/descriptor.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations";
+option java_multiple_files = true;
+option java_outer_classname = "AnnotationsProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+extend google.protobuf.MethodOptions {
+  // See `HttpRule`.
+  HttpRule http = 72295728;
+}

apps/hermes/server/proto/vendor/google/api/auth.proto

@@ -0,0 +1,237 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "AuthProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// `Authentication` defines the authentication configuration for API methods
+// provided by an API service.
+//
+// Example:
+//
+//     name: calendar.googleapis.com
+//     authentication:
+//       providers:
+//       - id: google_calendar_auth
+//         jwks_uri: https://www.googleapis.com/oauth2/v1/certs
+//         issuer: https://securetoken.google.com
+//       rules:
+//       - selector: "*"
+//         requirements:
+//           provider_id: google_calendar_auth
+//       - selector: google.calendar.Delegate
+//         oauth:
+//           canonical_scopes: https://www.googleapis.com/auth/calendar.read
+message Authentication {
+  // A list of authentication rules that apply to individual API methods.
+  //
+  // **NOTE:** All service configuration rules follow "last one wins" order.
+  repeated AuthenticationRule rules = 3;
+
+  // Defines a set of authentication providers that a service supports.
+  repeated AuthProvider providers = 4;
+}
+
+// Authentication rules for the service.
+//
+// By default, if a method has any authentication requirements, every request
+// must include a valid credential matching one of the requirements.
+// It's an error to include more than one kind of credential in a single
+// request.
+//
+// If a method doesn't have any auth requirements, request credentials will be
+// ignored.
+message AuthenticationRule {
+  // Selects the methods to which this rule applies.
+  //
+  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
+  // details.
+  string selector = 1;
+
+  // The requirements for OAuth credentials.
+  OAuthRequirements oauth = 2;
+
+  // If true, the service accepts API keys without any other credential.
+  // This flag only applies to HTTP and gRPC requests.
+  bool allow_without_credential = 5;
+
+  // Requirements for additional authentication providers.
+  repeated AuthRequirement requirements = 7;
+}
+
+// Specifies a location to extract JWT from an API request.
+message JwtLocation {
+  oneof in {
+    // Specifies HTTP header name to extract JWT token.
+    string header = 1;
+
+    // Specifies URL query parameter name to extract JWT token.
+    string query = 2;
+
+    // Specifies cookie name to extract JWT token.
+    string cookie = 4;
+  }
+
+  // The value prefix. The value format is "value_prefix{token}"
+  // Only applies to "in" header type. Must be empty for "in" query type.
+  // If not empty, the header value has to match (case sensitive) this prefix.
+  // If not matched, JWT will not be extracted. If matched, JWT will be
+  // extracted after the prefix is removed.
+  //
+  // For example, for "Authorization: Bearer {JWT}",
+  // value_prefix="Bearer " with a space at the end.
+  string value_prefix = 3;
+}
+
+// Configuration for an authentication provider, including support for
+// [JSON Web Token
+// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
+message AuthProvider {
+  // The unique identifier of the auth provider. It will be referred to by
+  // `AuthRequirement.provider_id`.
+  //
+  // Example: "bookstore_auth".
+  string id = 1;
+
+  // Identifies the principal that issued the JWT. See
+  // https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.1
+  // Usually a URL or an email address.
+  //
+  // Example: https://securetoken.google.com
+  // Example: 1234567-compute@developer.gserviceaccount.com
+  string issuer = 2;
+
+  // URL of the provider's public key set to validate signature of the JWT. See
+  // [OpenID
+  // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+  // Optional if the key set document:
+  //  - can be retrieved from
+  //    [OpenID
+  //    Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html)
+  //    of the issuer.
+  //  - can be inferred from the email domain of the issuer (e.g. a Google
+  //  service account).
+  //
+  // Example: https://www.googleapis.com/oauth2/v1/certs
+  string jwks_uri = 3;
+
+  // The list of JWT
+  // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3).
+  // that are allowed to access. A JWT containing any of these audiences will
+  // be accepted. When this setting is absent, JWTs with audiences:
+  //   - "https://[service.name]/[google.protobuf.Api.name]"
+  //   - "https://[service.name]/"
+  // will be accepted.
+  // For example, if no audiences are in the setting, LibraryService API will
+  // accept JWTs with the following audiences:
+  //   -
+  //   https://library-example.googleapis.com/google.example.library.v1.LibraryService
+  //   - https://library-example.googleapis.com/
+  //
+  // Example:
+  //
+  //     audiences: bookstore_android.apps.googleusercontent.com,
+  //                bookstore_web.apps.googleusercontent.com
+  string audiences = 4;
+
+  // Redirect URL if JWT token is required but not present or is expired.
+  // Implement authorizationUrl of securityDefinitions in OpenAPI spec.
+  string authorization_url = 5;
+
+  // Defines the locations to extract the JWT.  For now it is only used by the
+  // Cloud Endpoints to store the OpenAPI extension [x-google-jwt-locations]
+  // (https://cloud.google.com/endpoints/docs/openapi/openapi-extensions#x-google-jwt-locations)
+  //
+  // JWT locations can be one of HTTP headers, URL query parameters or
+  // cookies. The rule is that the first match wins.
+  //
+  // If not specified,  default to use following 3 locations:
+  //    1) Authorization: Bearer
+  //    2) x-goog-iap-jwt-assertion
+  //    3) access_token query parameter
+  //
+  // Default locations can be specified as followings:
+  //    jwt_locations:
+  //    - header: Authorization
+  //      value_prefix: "Bearer "
+  //    - header: x-goog-iap-jwt-assertion
+  //    - query: access_token
+  repeated JwtLocation jwt_locations = 6;
+}
+
+// OAuth scopes are a way to define data and permissions on data. For example,
+// there are scopes defined for "Read-only access to Google Calendar" and
+// "Access to Cloud Platform". Users can consent to a scope for an application,
+// giving it permission to access that data on their behalf.
+//
+// OAuth scope specifications should be fairly coarse grained; a user will need
+// to see and understand the text description of what your scope means.
+//
+// In most cases: use one or at most two OAuth scopes for an entire family of
+// products. If your product has multiple APIs, you should probably be sharing
+// the OAuth scope across all of those APIs.
+//
+// When you need finer grained OAuth consent screens: talk with your product
+// management about how developers will use them in practice.
+//
+// Please note that even though each of the canonical scopes is enough for a
+// request to be accepted and passed to the backend, a request can still fail
+// due to the backend requiring additional scopes or permissions.
+message OAuthRequirements {
+  // The list of publicly documented OAuth scopes that are allowed access. An
+  // OAuth token containing any of these scopes will be accepted.
+  //
+  // Example:
+  //
+  //      canonical_scopes: https://www.googleapis.com/auth/calendar,
+  //                        https://www.googleapis.com/auth/calendar.read
+  string canonical_scopes = 1;
+}
+
+// User-defined authentication requirements, including support for
+// [JSON Web Token
+// (JWT)](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32).
+message AuthRequirement {
+  // [id][google.api.AuthProvider.id] from authentication provider.
+  //
+  // Example:
+  //
+  //     provider_id: bookstore_auth
+  string provider_id = 1;
+
+  // NOTE: This will be deprecated soon, once AuthProvider.audiences is
+  // implemented and accepted in all the runtime components.
+  //
+  // The list of JWT
+  // [audiences](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.1.3).
+  // that are allowed to access. A JWT containing any of these audiences will
+  // be accepted. When this setting is absent, only JWTs with audience
+  // "https://[Service_name][google.api.Service.name]/[API_name][google.protobuf.Api.name]"
+  // will be accepted. For example, if no audiences are in the setting,
+  // LibraryService API will only accept JWTs with the following audience
+  // "https://library-example.googleapis.com/google.example.library.v1.LibraryService".
+  //
+  // Example:
+  //
+  //     audiences: bookstore_android.apps.googleusercontent.com,
+  //                bookstore_web.apps.googleusercontent.com
+  string audiences = 2;
+}

apps/hermes/server/proto/vendor/google/api/backend.proto

@@ -0,0 +1,185 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "BackendProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// `Backend` defines the backend configuration for a service.
+message Backend {
+  // A list of API backend rules that apply to individual API methods.
+  //
+  // **NOTE:** All service configuration rules follow "last one wins" order.
+  repeated BackendRule rules = 1;
+}
+
+// A backend rule provides configuration for an individual API element.
+message BackendRule {
+  // Path Translation specifies how to combine the backend address with the
+  // request path in order to produce the appropriate forwarding URL for the
+  // request.
+  //
+  // Path Translation is applicable only to HTTP-based backends. Backends which
+  // do not accept requests over HTTP/HTTPS should leave `path_translation`
+  // unspecified.
+  enum PathTranslation {
+    PATH_TRANSLATION_UNSPECIFIED = 0;
+
+    // Use the backend address as-is, with no modification to the path. If the
+    // URL pattern contains variables, the variable names and values will be
+    // appended to the query string. If a query string parameter and a URL
+    // pattern variable have the same name, this may result in duplicate keys in
+    // the query string.
+    //
+    // # Examples
+    //
+    // Given the following operation config:
+    //
+    //     Method path:        /api/company/{cid}/user/{uid}
+    //     Backend address:    https://example.cloudfunctions.net/getUser
+    //
+    // Requests to the following request paths will call the backend at the
+    // translated path:
+    //
+    //     Request path: /api/company/widgetworks/user/johndoe
+    //     Translated:
+    //     https://example.cloudfunctions.net/getUser?cid=widgetworks&uid=johndoe
+    //
+    //     Request path: /api/company/widgetworks/user/johndoe?timezone=EST
+    //     Translated:
+    //     https://example.cloudfunctions.net/getUser?timezone=EST&cid=widgetworks&uid=johndoe
+    CONSTANT_ADDRESS = 1;
+
+    // The request path will be appended to the backend address.
+    //
+    // # Examples
+    //
+    // Given the following operation config:
+    //
+    //     Method path:        /api/company/{cid}/user/{uid}
+    //     Backend address:    https://example.appspot.com
+    //
+    // Requests to the following request paths will call the backend at the
+    // translated path:
+    //
+    //     Request path: /api/company/widgetworks/user/johndoe
+    //     Translated:
+    //     https://example.appspot.com/api/company/widgetworks/user/johndoe
+    //
+    //     Request path: /api/company/widgetworks/user/johndoe?timezone=EST
+    //     Translated:
+    //     https://example.appspot.com/api/company/widgetworks/user/johndoe?timezone=EST
+    APPEND_PATH_TO_ADDRESS = 2;
+  }
+
+  // Selects the methods to which this rule applies.
+  //
+  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
+  // details.
+  string selector = 1;
+
+  // The address of the API backend.
+  //
+  // The scheme is used to determine the backend protocol and security.
+  // The following schemes are accepted:
+  //
+  //    SCHEME        PROTOCOL    SECURITY
+  //    http://       HTTP        None
+  //    https://      HTTP        TLS
+  //    grpc://       gRPC        None
+  //    grpcs://      gRPC        TLS
+  //
+  // It is recommended to explicitly include a scheme. Leaving out the scheme
+  // may cause constrasting behaviors across platforms.
+  //
+  // If the port is unspecified, the default is:
+  // - 80 for schemes without TLS
+  // - 443 for schemes with TLS
+  //
+  // For HTTP backends, use [protocol][google.api.BackendRule.protocol]
+  // to specify the protocol version.
+  string address = 2;
+
+  // The number of seconds to wait for a response from a request. The default
+  // varies based on the request protocol and deployment environment.
+  double deadline = 3;
+
+  // Deprecated, do not use.
+  double min_deadline = 4 [deprecated = true];
+
+  // The number of seconds to wait for the completion of a long running
+  // operation. The default is no deadline.
+  double operation_deadline = 5;
+
+  PathTranslation path_translation = 6;
+
+  // Authentication settings used by the backend.
+  //
+  // These are typically used to provide service management functionality to
+  // a backend served on a publicly-routable URL. The `authentication`
+  // details should match the authentication behavior used by the backend.
+  //
+  // For example, specifying `jwt_audience` implies that the backend expects
+  // authentication via a JWT.
+  //
+  // When authentication is unspecified, the resulting behavior is the same
+  // as `disable_auth` set to `true`.
+  //
+  // Refer to https://developers.google.com/identity/protocols/OpenIDConnect for
+  // JWT ID token.
+  oneof authentication {
+    // The JWT audience is used when generating a JWT ID token for the backend.
+    // This ID token will be added in the HTTP "authorization" header, and sent
+    // to the backend.
+    string jwt_audience = 7;
+
+    // When disable_auth is true, a JWT ID token won't be generated and the
+    // original "Authorization" HTTP header will be preserved. If the header is
+    // used to carry the original token and is expected by the backend, this
+    // field must be set to true to preserve the header.
+    bool disable_auth = 8;
+  }
+
+  // The protocol used for sending a request to the backend.
+  // The supported values are "http/1.1" and "h2".
+  //
+  // The default value is inferred from the scheme in the
+  // [address][google.api.BackendRule.address] field:
+  //
+  //    SCHEME        PROTOCOL
+  //    http://       http/1.1
+  //    https://      http/1.1
+  //    grpc://       h2
+  //    grpcs://      h2
+  //
+  // For secure HTTP backends (https://) that support HTTP/2, set this field
+  // to "h2" for improved performance.
+  //
+  // Configuring this field to non-default values is only supported for secure
+  // HTTP backends. This field will be ignored for all other backends.
+  //
+  // See
+  // https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
+  // for more details on the supported values.
+  string protocol = 9;
+
+  // The map between request protocol and the backend address.
+  map<string, BackendRule> overrides_by_request_protocol = 10;
+}

apps/hermes/server/proto/vendor/google/api/billing.proto

@@ -0,0 +1,77 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "BillingProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Billing related configuration of the service.
+//
+// The following example shows how to configure monitored resources and metrics
+// for billing, `consumer_destinations` is the only supported destination and
+// the monitored resources need at least one label key
+// `cloud.googleapis.com/location` to indicate the location of the billing
+// usage, using different monitored resources between monitoring and billing is
+// recommended so they can be evolved independently:
+//
+//
+//     monitored_resources:
+//     - type: library.googleapis.com/billing_branch
+//       labels:
+//       - key: cloud.googleapis.com/location
+//         description: |
+//           Predefined label to support billing location restriction.
+//       - key: city
+//         description: |
+//           Custom label to define the city where the library branch is located
+//           in.
+//       - key: name
+//         description: Custom label to define the name of the library branch.
+//     metrics:
+//     - name: library.googleapis.com/book/borrowed_count
+//       metric_kind: DELTA
+//       value_type: INT64
+//       unit: "1"
+//     billing:
+//       consumer_destinations:
+//       - monitored_resource: library.googleapis.com/billing_branch
+//         metrics:
+//         - library.googleapis.com/book/borrowed_count
+message Billing {
+  // Configuration of a specific billing destination (Currently only support
+  // bill against consumer project).
+  message BillingDestination {
+    // The monitored resource type. The type must be defined in
+    // [Service.monitored_resources][google.api.Service.monitored_resources]
+    // section.
+    string monitored_resource = 1;
+
+    // Names of the metrics to report to this billing destination.
+    // Each name must be defined in
+    // [Service.metrics][google.api.Service.metrics] section.
+    repeated string metrics = 2;
+  }
+
+  // Billing configurations for sending metrics to the consumer project.
+  // There can be multiple consumer destinations per service, each one must have
+  // a different monitored resource type. A metric can be used in at most
+  // one consumer destination.
+  repeated BillingDestination consumer_destinations = 8;
+}

apps/hermes/server/proto/vendor/google/api/client.proto

@@ -0,0 +1,456 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/api/launch_stage.proto";
+import "google/protobuf/descriptor.proto";
+import "google/protobuf/duration.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations";
+option java_multiple_files = true;
+option java_outer_classname = "ClientProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+extend google.protobuf.MethodOptions {
+  // A definition of a client library method signature.
+  //
+  // In client libraries, each proto RPC corresponds to one or more methods
+  // which the end user is able to call, and calls the underlying RPC.
+  // Normally, this method receives a single argument (a struct or instance
+  // corresponding to the RPC request object). Defining this field will
+  // add one or more overloads providing flattened or simpler method signatures
+  // in some languages.
+  //
+  // The fields on the method signature are provided as a comma-separated
+  // string.
+  //
+  // For example, the proto RPC and annotation:
+  //
+  //   rpc CreateSubscription(CreateSubscriptionRequest)
+  //       returns (Subscription) {
+  //     option (google.api.method_signature) = "name,topic";
+  //   }
+  //
+  // Would add the following Java overload (in addition to the method accepting
+  // the request object):
+  //
+  //   public final Subscription createSubscription(String name, String topic)
+  //
+  // The following backwards-compatibility guidelines apply:
+  //
+  //   * Adding this annotation to an unannotated method is backwards
+  //     compatible.
+  //   * Adding this annotation to a method which already has existing
+  //     method signature annotations is backwards compatible if and only if
+  //     the new method signature annotation is last in the sequence.
+  //   * Modifying or removing an existing method signature annotation is
+  //     a breaking change.
+  //   * Re-ordering existing method signature annotations is a breaking
+  //     change.
+  repeated string method_signature = 1051;
+}
+
+extend google.protobuf.ServiceOptions {
+  // The hostname for this service.
+  // This should be specified with no prefix or protocol.
+  //
+  // Example:
+  //
+  //   service Foo {
+  //     option (google.api.default_host) = "foo.googleapi.com";
+  //     ...
+  //   }
+  string default_host = 1049;
+
+  // OAuth scopes needed for the client.
+  //
+  // Example:
+  //
+  //   service Foo {
+  //     option (google.api.oauth_scopes) = \
+  //       "https://www.googleapis.com/auth/cloud-platform";
+  //     ...
+  //   }
+  //
+  // If there is more than one scope, use a comma-separated string:
+  //
+  // Example:
+  //
+  //   service Foo {
+  //     option (google.api.oauth_scopes) = \
+  //       "https://www.googleapis.com/auth/cloud-platform,"
+  //       "https://www.googleapis.com/auth/monitoring";
+  //     ...
+  //   }
+  string oauth_scopes = 1050;
+
+  // The API version of this service, which should be sent by version-aware
+  // clients to the service. This allows services to abide by the schema and
+  // behavior of the service at the time this API version was deployed.
+  // The format of the API version must be treated as opaque by clients.
+  // Services may use a format with an apparent structure, but clients must
+  // not rely on this to determine components within an API version, or attempt
+  // to construct other valid API versions. Note that this is for upcoming
+  // functionality and may not be implemented for all services.
+  //
+  // Example:
+  //
+  //   service Foo {
+  //     option (google.api.api_version) = "v1_20230821_preview";
+  //   }
+  string api_version = 525000001;
+}
+
+// Required information for every language.
+message CommonLanguageSettings {
+  // Link to automatically generated reference documentation.  Example:
+  // https://cloud.google.com/nodejs/docs/reference/asset/latest
+  string reference_docs_uri = 1 [deprecated = true];
+
+  // The destination where API teams want this client library to be published.
+  repeated ClientLibraryDestination destinations = 2;
+
+  // Configuration for which RPCs should be generated in the GAPIC client.
+  SelectiveGapicGeneration selective_gapic_generation = 3;
+}
+
+// Details about how and where to publish client libraries.
+message ClientLibrarySettings {
+  // Version of the API to apply these settings to. This is the full protobuf
+  // package for the API, ending in the version element.
+  // Examples: "google.cloud.speech.v1" and "google.spanner.admin.database.v1".
+  string version = 1;
+
+  // Launch stage of this version of the API.
+  LaunchStage launch_stage = 2;
+
+  // When using transport=rest, the client request will encode enums as
+  // numbers rather than strings.
+  bool rest_numeric_enums = 3;
+
+  // Settings for legacy Java features, supported in the Service YAML.
+  JavaSettings java_settings = 21;
+
+  // Settings for C++ client libraries.
+  CppSettings cpp_settings = 22;
+
+  // Settings for PHP client libraries.
+  PhpSettings php_settings = 23;
+
+  // Settings for Python client libraries.
+  PythonSettings python_settings = 24;
+
+  // Settings for Node client libraries.
+  NodeSettings node_settings = 25;
+
+  // Settings for .NET client libraries.
+  DotnetSettings dotnet_settings = 26;
+
+  // Settings for Ruby client libraries.
+  RubySettings ruby_settings = 27;
+
+  // Settings for Go client libraries.
+  GoSettings go_settings = 28;
+}
+
+// This message configures the settings for publishing [Google Cloud Client
+// libraries](https://cloud.google.com/apis/docs/cloud-client-libraries)
+// generated from the service config.
+message Publishing {
+  // A list of API method settings, e.g. the behavior for methods that use the
+  // long-running operation pattern.
+  repeated MethodSettings method_settings = 2;
+
+  // Link to a *public* URI where users can report issues.  Example:
+  // https://issuetracker.google.com/issues/new?component=190865&template=1161103
+  string new_issue_uri = 101;
+
+  // Link to product home page.  Example:
+  // https://cloud.google.com/asset-inventory/docs/overview
+  string documentation_uri = 102;
+
+  // Used as a tracking tag when collecting data about the APIs developer
+  // relations artifacts like docs, packages delivered to package managers,
+  // etc.  Example: "speech".
+  string api_short_name = 103;
+
+  // GitHub label to apply to issues and pull requests opened for this API.
+  string github_label = 104;
+
+  // GitHub teams to be added to CODEOWNERS in the directory in GitHub
+  // containing source code for the client libraries for this API.
+  repeated string codeowner_github_teams = 105;
+
+  // A prefix used in sample code when demarking regions to be included in
+  // documentation.
+  string doc_tag_prefix = 106;
+
+  // For whom the client library is being published.
+  ClientLibraryOrganization organization = 107;
+
+  // Client library settings.  If the same version string appears multiple
+  // times in this list, then the last one wins.  Settings from earlier
+  // settings with the same version string are discarded.
+  repeated ClientLibrarySettings library_settings = 109;
+
+  // Optional link to proto reference documentation.  Example:
+  // https://cloud.google.com/pubsub/lite/docs/reference/rpc
+  string proto_reference_documentation_uri = 110;
+
+  // Optional link to REST reference documentation.  Example:
+  // https://cloud.google.com/pubsub/lite/docs/reference/rest
+  string rest_reference_documentation_uri = 111;
+}
+
+// Settings for Java client libraries.
+message JavaSettings {
+  // The package name to use in Java. Clobbers the java_package option
+  // set in the protobuf. This should be used **only** by APIs
+  // who have already set the language_settings.java.package_name" field
+  // in gapic.yaml. API teams should use the protobuf java_package option
+  // where possible.
+  //
+  // Example of a YAML configuration::
+  //
+  //  publishing:
+  //    java_settings:
+  //      library_package: com.google.cloud.pubsub.v1
+  string library_package = 1;
+
+  // Configure the Java class name to use instead of the service's for its
+  // corresponding generated GAPIC client. Keys are fully-qualified
+  // service names as they appear in the protobuf (including the full
+  // the language_settings.java.interface_names" field in gapic.yaml. API
+  // teams should otherwise use the service name as it appears in the
+  // protobuf.
+  //
+  // Example of a YAML configuration::
+  //
+  //  publishing:
+  //    java_settings:
+  //      service_class_names:
+  //        - google.pubsub.v1.Publisher: TopicAdmin
+  //        - google.pubsub.v1.Subscriber: SubscriptionAdmin
+  map<string, string> service_class_names = 2;
+
+  // Some settings.
+  CommonLanguageSettings common = 3;
+}
+
+// Settings for C++ client libraries.
+message CppSettings {
+  // Some settings.
+  CommonLanguageSettings common = 1;
+}
+
+// Settings for Php client libraries.
+message PhpSettings {
+  // Some settings.
+  CommonLanguageSettings common = 1;
+}
+
+// Settings for Python client libraries.
+message PythonSettings {
+  // Experimental features to be included during client library generation.
+  // These fields will be deprecated once the feature graduates and is enabled
+  // by default.
+  message ExperimentalFeatures {
+    // Enables generation of asynchronous REST clients if `rest` transport is
+    // enabled. By default, asynchronous REST clients will not be generated.
+    // This feature will be enabled by default 1 month after launching the
+    // feature in preview packages.
+    bool rest_async_io_enabled = 1;
+  }
+
+  // Some settings.
+  CommonLanguageSettings common = 1;
+
+  // Experimental features to be included during client library generation.
+  ExperimentalFeatures experimental_features = 2;
+}
+
+// Settings for Node client libraries.
+message NodeSettings {
+  // Some settings.
+  CommonLanguageSettings common = 1;
+}
+
+// Settings for Dotnet client libraries.
+message DotnetSettings {
+  // Some settings.
+  CommonLanguageSettings common = 1;
+
+  // Map from original service names to renamed versions.
+  // This is used when the default generated types
+  // would cause a naming conflict. (Neither name is
+  // fully-qualified.)
+  // Example: Subscriber to SubscriberServiceApi.
+  map<string, string> renamed_services = 2;
+
+  // Map from full resource types to the effective short name
+  // for the resource. This is used when otherwise resource
+  // named from different services would cause naming collisions.
+  // Example entry:
+  // "datalabeling.googleapis.com/Dataset": "DataLabelingDataset"
+  map<string, string> renamed_resources = 3;
+
+  // List of full resource types to ignore during generation.
+  // This is typically used for API-specific Location resources,
+  // which should be handled by the generator as if they were actually
+  // the common Location resources.
+  // Example entry: "documentai.googleapis.com/Location"
+  repeated string ignored_resources = 4;
+
+  // Namespaces which must be aliased in snippets due to
+  // a known (but non-generator-predictable) naming collision
+  repeated string forced_namespace_aliases = 5;
+
+  // Method signatures (in the form "service.method(signature)")
+  // which are provided separately, so shouldn't be generated.
+  // Snippets *calling* these methods are still generated, however.
+  repeated string handwritten_signatures = 6;
+}
+
+// Settings for Ruby client libraries.
+message RubySettings {
+  // Some settings.
+  CommonLanguageSettings common = 1;
+}
+
+// Settings for Go client libraries.
+message GoSettings {
+  // Some settings.
+  CommonLanguageSettings common = 1;
+}
+
+// Describes the generator configuration for a method.
+message MethodSettings {
+  // Describes settings to use when generating API methods that use the
+  // long-running operation pattern.
+  // All default values below are from those used in the client library
+  // generators (e.g.
+  // [Java](https://github.com/googleapis/gapic-generator-java/blob/04c2faa191a9b5a10b92392fe8482279c4404803/src/main/java/com/google/api/generator/gapic/composer/common/RetrySettingsComposer.java)).
+  message LongRunning {
+    // Initial delay after which the first poll request will be made.
+    // Default value: 5 seconds.
+    google.protobuf.Duration initial_poll_delay = 1;
+
+    // Multiplier to gradually increase delay between subsequent polls until it
+    // reaches max_poll_delay.
+    // Default value: 1.5.
+    float poll_delay_multiplier = 2;
+
+    // Maximum time between two subsequent poll requests.
+    // Default value: 45 seconds.
+    google.protobuf.Duration max_poll_delay = 3;
+
+    // Total polling timeout.
+    // Default value: 5 minutes.
+    google.protobuf.Duration total_poll_timeout = 4;
+  }
+
+  // The fully qualified name of the method, for which the options below apply.
+  // This is used to find the method to apply the options.
+  //
+  // Example:
+  //
+  //    publishing:
+  //      method_settings:
+  //      - selector: google.storage.control.v2.StorageControl.CreateFolder
+  //        # method settings for CreateFolder...
+  string selector = 1;
+
+  // Describes settings to use for long-running operations when generating
+  // API methods for RPCs. Complements RPCs that use the annotations in
+  // google/longrunning/operations.proto.
+  //
+  // Example of a YAML configuration::
+  //
+  //    publishing:
+  //      method_settings:
+  //      - selector: google.cloud.speech.v2.Speech.BatchRecognize
+  //        long_running:
+  //          initial_poll_delay: 60s # 1 minute
+  //          poll_delay_multiplier: 1.5
+  //          max_poll_delay: 360s # 6 minutes
+  //          total_poll_timeout: 54000s # 90 minutes
+  LongRunning long_running = 2;
+
+  // List of top-level fields of the request message, that should be
+  // automatically populated by the client libraries based on their
+  // (google.api.field_info).format. Currently supported format: UUID4.
+  //
+  // Example of a YAML configuration:
+  //
+  //    publishing:
+  //      method_settings:
+  //      - selector: google.example.v1.ExampleService.CreateExample
+  //        auto_populated_fields:
+  //        - request_id
+  repeated string auto_populated_fields = 3;
+}
+
+// The organization for which the client libraries are being published.
+// Affects the url where generated docs are published, etc.
+enum ClientLibraryOrganization {
+  // Not useful.
+  CLIENT_LIBRARY_ORGANIZATION_UNSPECIFIED = 0;
+
+  // Google Cloud Platform Org.
+  CLOUD = 1;
+
+  // Ads (Advertising) Org.
+  ADS = 2;
+
+  // Photos Org.
+  PHOTOS = 3;
+
+  // Street View Org.
+  STREET_VIEW = 4;
+
+  // Shopping Org.
+  SHOPPING = 5;
+
+  // Geo Org.
+  GEO = 6;
+
+  // Generative AI - https://developers.generativeai.google
+  GENERATIVE_AI = 7;
+}
+
+// To where should client libraries be published?
+enum ClientLibraryDestination {
+  // Client libraries will neither be generated nor published to package
+  // managers.
+  CLIENT_LIBRARY_DESTINATION_UNSPECIFIED = 0;
+
+  // Generate the client library in a repo under github.com/googleapis,
+  // but don't publish it to package managers.
+  GITHUB = 10;
+
+  // Publish the library to package managers like nuget.org and npmjs.com.
+  PACKAGE_MANAGER = 20;
+}
+
+// This message is used to configure the generation of a subset of the RPCs in
+// a service for client libraries.
+message SelectiveGapicGeneration {
+  // An allowlist of the fully qualified names of RPCs that should be included
+  // on public client surfaces.
+  repeated string methods = 1;
+}

apps/hermes/server/proto/vendor/google/api/config_change.proto

@@ -0,0 +1,84 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/configchange;configchange";
+option java_multiple_files = true;
+option java_outer_classname = "ConfigChangeProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Output generated from semantically comparing two versions of a service
+// configuration.
+//
+// Includes detailed information about a field that have changed with
+// applicable advice about potential consequences for the change, such as
+// backwards-incompatibility.
+message ConfigChange {
+  // Object hierarchy path to the change, with levels separated by a '.'
+  // character. For repeated fields, an applicable unique identifier field is
+  // used for the index (usually selector, name, or id). For maps, the term
+  // 'key' is used. If the field has no unique identifier, the numeric index
+  // is used.
+  // Examples:
+  // - visibility.rules[selector=="google.LibraryService.ListBooks"].restriction
+  // - quota.metric_rules[selector=="google"].metric_costs[key=="reads"].value
+  // - logging.producer_destinations[0]
+  string element = 1;
+
+  // Value of the changed object in the old Service configuration,
+  // in JSON format. This field will not be populated if ChangeType == ADDED.
+  string old_value = 2;
+
+  // Value of the changed object in the new Service configuration,
+  // in JSON format. This field will not be populated if ChangeType == REMOVED.
+  string new_value = 3;
+
+  // The type for this change, either ADDED, REMOVED, or MODIFIED.
+  ChangeType change_type = 4;
+
+  // Collection of advice provided for this change, useful for determining the
+  // possible impact of this change.
+  repeated Advice advices = 5;
+}
+
+// Generated advice about this change, used for providing more
+// information about how a change will affect the existing service.
+message Advice {
+  // Useful description for why this advice was applied and what actions should
+  // be taken to mitigate any implied risks.
+  string description = 2;
+}
+
+// Classifies set of possible modifications to an object in the service
+// configuration.
+enum ChangeType {
+  // No value was provided.
+  CHANGE_TYPE_UNSPECIFIED = 0;
+
+  // The changed object exists in the 'new' service configuration, but not
+  // in the 'old' service configuration.
+  ADDED = 1;
+
+  // The changed object exists in the 'old' service configuration, but not
+  // in the 'new' service configuration.
+  REMOVED = 2;
+
+  // The changed object exists in both service configurations, but its value
+  // is different.
+  MODIFIED = 3;
+}

apps/hermes/server/proto/vendor/google/api/consumer.proto

@@ -0,0 +1,82 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "ConsumerProto";
+option java_package = "com.google.api";
+
+// A descriptor for defining project properties for a service. One service may
+// have many consumer projects, and the service may want to behave differently
+// depending on some properties on the project. For example, a project may be
+// associated with a school, or a business, or a government agency, a business
+// type property on the project may affect how a service responds to the client.
+// This descriptor defines which properties are allowed to be set on a project.
+//
+// Example:
+//
+//    project_properties:
+//      properties:
+//      - name: NO_WATERMARK
+//        type: BOOL
+//        description: Allows usage of the API without watermarks.
+//      - name: EXTENDED_TILE_CACHE_PERIOD
+//        type: INT64
+message ProjectProperties {
+  // List of per consumer project-specific properties.
+  repeated Property properties = 1;
+}
+
+// Defines project properties.
+//
+// API services can define properties that can be assigned to consumer projects
+// so that backends can perform response customization without having to make
+// additional calls or maintain additional storage. For example, Maps API
+// defines properties that controls map tile cache period, or whether to embed a
+// watermark in a result.
+//
+// These values can be set via API producer console. Only API providers can
+// define and set these properties.
+message Property {
+  // Supported data type of the property values
+  enum PropertyType {
+    // The type is unspecified, and will result in an error.
+    UNSPECIFIED = 0;
+
+    // The type is `int64`.
+    INT64 = 1;
+
+    // The type is `bool`.
+    BOOL = 2;
+
+    // The type is `string`.
+    STRING = 3;
+
+    // The type is 'double'.
+    DOUBLE = 4;
+  }
+
+  // The name of the property (a.k.a key).
+  string name = 1;
+
+  // The type of this property.
+  PropertyType type = 2;
+
+  // The description of the property
+  string description = 3;
+}

apps/hermes/server/proto/vendor/google/api/context.proto

@@ -0,0 +1,92 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "ContextProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// `Context` defines which contexts an API requests.
+//
+// Example:
+//
+//     context:
+//       rules:
+//       - selector: "*"
+//         requested:
+//         - google.rpc.context.ProjectContext
+//         - google.rpc.context.OriginContext
+//
+// The above specifies that all methods in the API request
+// `google.rpc.context.ProjectContext` and
+// `google.rpc.context.OriginContext`.
+//
+// Available context types are defined in package
+// `google.rpc.context`.
+//
+// This also provides mechanism to allowlist any protobuf message extension that
+// can be sent in grpc metadata using “x-goog-ext-<extension_id>-bin” and
+// “x-goog-ext-<extension_id>-jspb” format. For example, list any service
+// specific protobuf types that can appear in grpc metadata as follows in your
+// yaml file:
+//
+// Example:
+//
+//     context:
+//       rules:
+//        - selector: "google.example.library.v1.LibraryService.CreateBook"
+//          allowed_request_extensions:
+//          - google.foo.v1.NewExtension
+//          allowed_response_extensions:
+//          - google.foo.v1.NewExtension
+//
+// You can also specify extension ID instead of fully qualified extension name
+// here.
+message Context {
+  // A list of RPC context rules that apply to individual API methods.
+  //
+  // **NOTE:** All service configuration rules follow "last one wins" order.
+  repeated ContextRule rules = 1;
+}
+
+// A context rule provides information about the context for an individual API
+// element.
+message ContextRule {
+  // Selects the methods to which this rule applies.
+  //
+  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
+  // details.
+  string selector = 1;
+
+  // A list of full type names of requested contexts, only the requested context
+  // will be made available to the backend.
+  repeated string requested = 2;
+
+  // A list of full type names of provided contexts. It is used to support
+  // propagating HTTP headers and ETags from the response extension.
+  repeated string provided = 3;
+
+  // A list of full type names or extension IDs of extensions allowed in grpc
+  // side channel from client to backend.
+  repeated string allowed_request_extensions = 4;
+
+  // A list of full type names or extension IDs of extensions allowed in grpc
+  // side channel from backend to client.
+  repeated string allowed_response_extensions = 5;
+}

apps/hermes/server/proto/vendor/google/api/control.proto

@@ -0,0 +1,41 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/api/policy.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "ControlProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Selects and configures the service controller used by the service.
+//
+// Example:
+//
+//     control:
+//       environment: servicecontrol.googleapis.com
+message Control {
+  // The service controller environment to use. If empty, no control plane
+  // feature (like quota and billing) will be enabled. The recommended value for
+  // most services is servicecontrol.googleapis.com
+  string environment = 1;
+
+  // Defines policies applying to the API methods of the service.
+  repeated MethodPolicy method_policies = 4;
+}

apps/hermes/server/proto/vendor/google/api/distribution.proto

@@ -0,0 +1,213 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/protobuf/any.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/distribution;distribution";
+option java_multiple_files = true;
+option java_outer_classname = "DistributionProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// `Distribution` contains summary statistics for a population of values. It
+// optionally contains a histogram representing the distribution of those values
+// across a set of buckets.
+//
+// The summary statistics are the count, mean, sum of the squared deviation from
+// the mean, the minimum, and the maximum of the set of population of values.
+// The histogram is based on a sequence of buckets and gives a count of values
+// that fall into each bucket. The boundaries of the buckets are given either
+// explicitly or by formulas for buckets of fixed or exponentially increasing
+// widths.
+//
+// Although it is not forbidden, it is generally a bad idea to include
+// non-finite values (infinities or NaNs) in the population of values, as this
+// will render the `mean` and `sum_of_squared_deviation` fields meaningless.
+message Distribution {
+  // The range of the population values.
+  message Range {
+    // The minimum of the population values.
+    double min = 1;
+
+    // The maximum of the population values.
+    double max = 2;
+  }
+
+  // `BucketOptions` describes the bucket boundaries used to create a histogram
+  // for the distribution. The buckets can be in a linear sequence, an
+  // exponential sequence, or each bucket can be specified explicitly.
+  // `BucketOptions` does not include the number of values in each bucket.
+  //
+  // A bucket has an inclusive lower bound and exclusive upper bound for the
+  // values that are counted for that bucket. The upper bound of a bucket must
+  // be strictly greater than the lower bound. The sequence of N buckets for a
+  // distribution consists of an underflow bucket (number 0), zero or more
+  // finite buckets (number 1 through N - 2) and an overflow bucket (number N -
+  // 1). The buckets are contiguous: the lower bound of bucket i (i > 0) is the
+  // same as the upper bound of bucket i - 1. The buckets span the whole range
+  // of finite values: lower bound of the underflow bucket is -infinity and the
+  // upper bound of the overflow bucket is +infinity. The finite buckets are
+  // so-called because both bounds are finite.
+  message BucketOptions {
+    // Specifies a linear sequence of buckets that all have the same width
+    // (except overflow and underflow). Each bucket represents a constant
+    // absolute uncertainty on the specific value in the bucket.
+    //
+    // There are `num_finite_buckets + 2` (= N) buckets. Bucket `i` has the
+    // following boundaries:
+    //
+    //    Upper bound (0 <= i < N-1):     offset + (width * i).
+    //
+    //    Lower bound (1 <= i < N):       offset + (width * (i - 1)).
+    message Linear {
+      // Must be greater than 0.
+      int32 num_finite_buckets = 1;
+
+      // Must be greater than 0.
+      double width = 2;
+
+      // Lower bound of the first bucket.
+      double offset = 3;
+    }
+
+    // Specifies an exponential sequence of buckets that have a width that is
+    // proportional to the value of the lower bound. Each bucket represents a
+    // constant relative uncertainty on a specific value in the bucket.
+    //
+    // There are `num_finite_buckets + 2` (= N) buckets. Bucket `i` has the
+    // following boundaries:
+    //
+    //    Upper bound (0 <= i < N-1):     scale * (growth_factor ^ i).
+    //
+    //    Lower bound (1 <= i < N):       scale * (growth_factor ^ (i - 1)).
+    message Exponential {
+      // Must be greater than 0.
+      int32 num_finite_buckets = 1;
+
+      // Must be greater than 1.
+      double growth_factor = 2;
+
+      // Must be greater than 0.
+      double scale = 3;
+    }
+
+    // Specifies a set of buckets with arbitrary widths.
+    //
+    // There are `size(bounds) + 1` (= N) buckets. Bucket `i` has the following
+    // boundaries:
+    //
+    //    Upper bound (0 <= i < N-1):     bounds[i]
+    //    Lower bound (1 <= i < N);       bounds[i - 1]
+    //
+    // The `bounds` field must contain at least one element. If `bounds` has
+    // only one element, then there are no finite buckets, and that single
+    // element is the common boundary of the overflow and underflow buckets.
+    message Explicit {
+      // The values must be monotonically increasing.
+      repeated double bounds = 1;
+    }
+
+    // Exactly one of these three fields must be set.
+    oneof options {
+      // The linear bucket.
+      Linear linear_buckets = 1;
+
+      // The exponential buckets.
+      Exponential exponential_buckets = 2;
+
+      // The explicit buckets.
+      Explicit explicit_buckets = 3;
+    }
+  }
+
+  // Exemplars are example points that may be used to annotate aggregated
+  // distribution values. They are metadata that gives information about a
+  // particular value added to a Distribution bucket, such as a trace ID that
+  // was active when a value was added. They may contain further information,
+  // such as a example values and timestamps, origin, etc.
+  message Exemplar {
+    // Value of the exemplar point. This value determines to which bucket the
+    // exemplar belongs.
+    double value = 1;
+
+    // The observation (sampling) time of the above value.
+    google.protobuf.Timestamp timestamp = 2;
+
+    // Contextual information about the example value. Examples are:
+    //
+    //   Trace: type.googleapis.com/google.monitoring.v3.SpanContext
+    //
+    //   Literal string: type.googleapis.com/google.protobuf.StringValue
+    //
+    //   Labels dropped during aggregation:
+    //     type.googleapis.com/google.monitoring.v3.DroppedLabels
+    //
+    // There may be only a single attachment of any given message type in a
+    // single exemplar, and this is enforced by the system.
+    repeated google.protobuf.Any attachments = 3;
+  }
+
+  // The number of values in the population. Must be non-negative. This value
+  // must equal the sum of the values in `bucket_counts` if a histogram is
+  // provided.
+  int64 count = 1;
+
+  // The arithmetic mean of the values in the population. If `count` is zero
+  // then this field must be zero.
+  double mean = 2;
+
+  // The sum of squared deviations from the mean of the values in the
+  // population. For values x_i this is:
+  //
+  //     Sum[i=1..n]((x_i - mean)^2)
+  //
+  // Knuth, "The Art of Computer Programming", Vol. 2, page 232, 3rd edition
+  // describes Welford's method for accumulating this sum in one pass.
+  //
+  // If `count` is zero then this field must be zero.
+  double sum_of_squared_deviation = 3;
+
+  // If specified, contains the range of the population values. The field
+  // must not be present if the `count` is zero.
+  Range range = 4;
+
+  // Defines the histogram bucket boundaries. If the distribution does not
+  // contain a histogram, then omit this field.
+  BucketOptions bucket_options = 6;
+
+  // The number of values in each bucket of the histogram, as described in
+  // `bucket_options`. If the distribution does not have a histogram, then omit
+  // this field. If there is a histogram, then the sum of the values in
+  // `bucket_counts` must equal the value in the `count` field of the
+  // distribution.
+  //
+  // If present, `bucket_counts` should contain N values, where N is the number
+  // of buckets specified in `bucket_options`. If you supply fewer than N
+  // values, the remaining values are assumed to be 0.
+  //
+  // The order of the values in `bucket_counts` follows the bucket numbering
+  // schemes described for the three bucket types. The first value must be the
+  // count for the underflow bucket (number 0). The next N-2 values are the
+  // counts for the finite buckets (number 1 through N-2). The N'th value in
+  // `bucket_counts` is the count for the overflow bucket (number N-1).
+  repeated int64 bucket_counts = 7;
+
+  // Must be in increasing order of `value` field.
+  repeated Exemplar exemplars = 10;
+}

apps/hermes/server/proto/vendor/google/api/documentation.proto

@@ -0,0 +1,168 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "DocumentationProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// `Documentation` provides the information for describing a service.
+//
+// Example:
+// <pre><code>documentation:
+//   summary: >
+//     The Google Calendar API gives access
+//     to most calendar features.
+//   pages:
+//   - name: Overview
+//     content: &#40;== include google/foo/overview.md ==&#41;
+//   - name: Tutorial
+//     content: &#40;== include google/foo/tutorial.md ==&#41;
+//     subpages:
+//     - name: Java
+//       content: &#40;== include google/foo/tutorial_java.md ==&#41;
+//   rules:
+//   - selector: google.calendar.Calendar.Get
+//     description: >
+//       ...
+//   - selector: google.calendar.Calendar.Put
+//     description: >
+//       ...
+// </code></pre>
+// Documentation is provided in markdown syntax. In addition to
+// standard markdown features, definition lists, tables and fenced
+// code blocks are supported. Section headers can be provided and are
+// interpreted relative to the section nesting of the context where
+// a documentation fragment is embedded.
+//
+// Documentation from the IDL is merged with documentation defined
+// via the config at normalization time, where documentation provided
+// by config rules overrides IDL provided.
+//
+// A number of constructs specific to the API platform are supported
+// in documentation text.
+//
+// In order to reference a proto element, the following
+// notation can be used:
+// <pre><code>&#91;fully.qualified.proto.name]&#91;]</code></pre>
+// To override the display text used for the link, this can be used:
+// <pre><code>&#91;display text]&#91;fully.qualified.proto.name]</code></pre>
+// Text can be excluded from doc using the following notation:
+// <pre><code>&#40;-- internal comment --&#41;</code></pre>
+//
+// A few directives are available in documentation. Note that
+// directives must appear on a single line to be properly
+// identified. The `include` directive includes a markdown file from
+// an external source:
+// <pre><code>&#40;== include path/to/file ==&#41;</code></pre>
+// The `resource_for` directive marks a message to be the resource of
+// a collection in REST view. If it is not specified, tools attempt
+// to infer the resource from the operations in a collection:
+// <pre><code>&#40;== resource_for v1.shelves.books ==&#41;</code></pre>
+// The directive `suppress_warning` does not directly affect documentation
+// and is documented together with service config validation.
+message Documentation {
+  // A short description of what the service does. The summary must be plain
+  // text. It becomes the overview of the service displayed in Google Cloud
+  // Console.
+  // NOTE: This field is equivalent to the standard field `description`.
+  string summary = 1;
+
+  // The top level pages for the documentation set.
+  repeated Page pages = 5;
+
+  // A list of documentation rules that apply to individual API elements.
+  //
+  // **NOTE:** All service configuration rules follow "last one wins" order.
+  repeated DocumentationRule rules = 3;
+
+  // The URL to the root of documentation.
+  string documentation_root_url = 4;
+
+  // Specifies the service root url if the default one (the service name
+  // from the yaml file) is not suitable. This can be seen in any fully
+  // specified service urls as well as sections that show a base that other
+  // urls are relative to.
+  string service_root_url = 6;
+
+  // Declares a single overview page. For example:
+  // <pre><code>documentation:
+  //   summary: ...
+  //   overview: &#40;== include overview.md ==&#41;
+  // </code></pre>
+  // This is a shortcut for the following declaration (using pages style):
+  // <pre><code>documentation:
+  //   summary: ...
+  //   pages:
+  //   - name: Overview
+  //     content: &#40;== include overview.md ==&#41;
+  // </code></pre>
+  // Note: you cannot specify both `overview` field and `pages` field.
+  string overview = 2;
+}
+
+// A documentation rule provides information about individual API elements.
+message DocumentationRule {
+  // The selector is a comma-separated list of patterns for any element such as
+  // a method, a field, an enum value. Each pattern is a qualified name of the
+  // element which may end in "*", indicating a wildcard. Wildcards are only
+  // allowed at the end and for a whole component of the qualified name,
+  // i.e. "foo.*" is ok, but not "foo.b*" or "foo.*.bar". A wildcard will match
+  // one or more components. To specify a default for all applicable elements,
+  // the whole pattern "*" is used.
+  string selector = 1;
+
+  // Description of the selected proto element (e.g. a message, a method, a
+  // 'service' definition, or a field). Defaults to leading & trailing comments
+  // taken from the proto source definition of the proto element.
+  string description = 2;
+
+  // Deprecation description of the selected element(s). It can be provided if
+  // an element is marked as `deprecated`.
+  string deprecation_description = 3;
+}
+
+// Represents a documentation page. A page can contain subpages to represent
+// nested documentation set structure.
+message Page {
+  // The name of the page. It will be used as an identity of the page to
+  // generate URI of the page, text of the link to this page in navigation,
+  // etc. The full page name (start from the root page name to this page
+  // concatenated with `.`) can be used as reference to the page in your
+  // documentation. For example:
+  // <pre><code>pages:
+  // - name: Tutorial
+  //   content: &#40;== include tutorial.md ==&#41;
+  //   subpages:
+  //   - name: Java
+  //     content: &#40;== include tutorial_java.md ==&#41;
+  // </code></pre>
+  // You can reference `Java` page using Markdown reference link syntax:
+  // `[Java][Tutorial.Java]`.
+  string name = 1;
+
+  // The Markdown content of the page. You can use <code>&#40;== include {path}
+  // ==&#41;</code> to include content from a Markdown file. The content can be
+  // used to produce the documentation page such as HTML format page.
+  string content = 2;
+
+  // Subpages of this page. The order of subpages specified here will be
+  // honored in the generated docset.
+  repeated Page subpages = 3;
+}

apps/hermes/server/proto/vendor/google/api/endpoint.proto

@@ -0,0 +1,69 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "EndpointProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// `Endpoint` describes a network address of a service that serves a set of
+// APIs. It is commonly known as a service endpoint. A service may expose
+// any number of service endpoints, and all service endpoints share the same
+// service definition, such as quota limits and monitoring metrics.
+//
+// Example:
+//
+//     type: google.api.Service
+//     name: library-example.googleapis.com
+//     endpoints:
+//       # Declares network address `https://library-example.googleapis.com`
+//       # for service `library-example.googleapis.com`. The `https` scheme
+//       # is implicit for all service endpoints. Other schemes may be
+//       # supported in the future.
+//     - name: library-example.googleapis.com
+//       allow_cors: false
+//     - name: content-staging-library-example.googleapis.com
+//       # Allows HTTP OPTIONS calls to be passed to the API frontend, for it
+//       # to decide whether the subsequent cross-origin request is allowed
+//       # to proceed.
+//       allow_cors: true
+message Endpoint {
+  // The canonical name of this endpoint.
+  string name = 1;
+
+  // Aliases for this endpoint, these will be served by the same UrlMap as the
+  // parent endpoint, and will be provisioned in the GCP stack for the Regional
+  // Endpoints.
+  repeated string aliases = 2;
+
+  // The specification of an Internet routable address of API frontend that will
+  // handle requests to this [API
+  // Endpoint](https://cloud.google.com/apis/design/glossary). It should be
+  // either a valid IPv4 address or a fully-qualified domain name. For example,
+  // "8.8.8.8" or "myservice.appspot.com".
+  string target = 101;
+
+  // Allowing
+  // [CORS](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing), aka
+  // cross-domain traffic, would allow the backends served from this endpoint to
+  // receive and respond to HTTP OPTIONS requests. The response will be used by
+  // the browser to determine whether the subsequent cross-origin request is
+  // allowed to proceed.
+  bool allow_cors = 5;
+}

apps/hermes/server/proto/vendor/google/api/error_reason.proto

@@ -0,0 +1,622 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/error_reason;error_reason";
+option java_multiple_files = true;
+option java_outer_classname = "ErrorReasonProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Defines the supported values for `google.rpc.ErrorInfo.reason` for the
+// `googleapis.com` error domain. This error domain is reserved for [Service
+// Infrastructure](https://cloud.google.com/service-infrastructure/docs/overview).
+// For each error info of this domain, the metadata key "service" refers to the
+// logical identifier of an API service, such as "pubsub.googleapis.com". The
+// "consumer" refers to the entity that consumes an API Service. It typically is
+// a Google project that owns the client application or the server resource,
+// such as "projects/123". Other metadata keys are specific to each error
+// reason. For more information, see the definition of the specific error
+// reason.
+enum ErrorReason {
+  // Do not use this default value.
+  ERROR_REASON_UNSPECIFIED = 0;
+
+  // The request is calling a disabled service for a consumer.
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" contacting
+  // "pubsub.googleapis.com" service which is disabled:
+  //
+  //     { "reason": "SERVICE_DISABLED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "pubsub.googleapis.com"
+  //       }
+  //     }
+  //
+  // This response indicates the "pubsub.googleapis.com" has been disabled in
+  // "projects/123".
+  SERVICE_DISABLED = 1;
+
+  // The request whose associated billing account is disabled.
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to contact
+  // "pubsub.googleapis.com" service because the associated billing account is
+  // disabled:
+  //
+  //     { "reason": "BILLING_DISABLED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "pubsub.googleapis.com"
+  //       }
+  //     }
+  //
+  // This response indicates the billing account associated has been disabled.
+  BILLING_DISABLED = 2;
+
+  // The request is denied because the provided [API
+  // key](https://cloud.google.com/docs/authentication/api-keys) is invalid. It
+  // may be in a bad format, cannot be found, or has been expired).
+  //
+  // Example of an ErrorInfo when the request is contacting
+  // "storage.googleapis.com" service with an invalid API key:
+  //
+  //     { "reason": "API_KEY_INVALID",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "storage.googleapis.com",
+  //       }
+  //     }
+  API_KEY_INVALID = 3;
+
+  // The request is denied because it violates [API key API
+  // restrictions](https://cloud.google.com/docs/authentication/api-keys#adding_api_restrictions).
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to call the
+  // "storage.googleapis.com" service because this service is restricted in the
+  // API key:
+  //
+  //     { "reason": "API_KEY_SERVICE_BLOCKED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com"
+  //       }
+  //     }
+  API_KEY_SERVICE_BLOCKED = 4;
+
+  // The request is denied because it violates [API key HTTP
+  // restrictions](https://cloud.google.com/docs/authentication/api-keys#adding_http_restrictions).
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to call
+  // "storage.googleapis.com" service because the http referrer of the request
+  // violates API key HTTP restrictions:
+  //
+  //     { "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com",
+  //       }
+  //     }
+  API_KEY_HTTP_REFERRER_BLOCKED = 7;
+
+  // The request is denied because it violates [API key IP address
+  // restrictions](https://cloud.google.com/docs/authentication/api-keys#adding_application_restrictions).
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to call
+  // "storage.googleapis.com" service because the caller IP of the request
+  // violates API key IP address restrictions:
+  //
+  //     { "reason": "API_KEY_IP_ADDRESS_BLOCKED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com",
+  //       }
+  //     }
+  API_KEY_IP_ADDRESS_BLOCKED = 8;
+
+  // The request is denied because it violates [API key Android application
+  // restrictions](https://cloud.google.com/docs/authentication/api-keys#adding_application_restrictions).
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to call
+  // "storage.googleapis.com" service because the request from the Android apps
+  // violates the API key Android application restrictions:
+  //
+  //     { "reason": "API_KEY_ANDROID_APP_BLOCKED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com"
+  //       }
+  //     }
+  API_KEY_ANDROID_APP_BLOCKED = 9;
+
+  // The request is denied because it violates [API key iOS application
+  // restrictions](https://cloud.google.com/docs/authentication/api-keys#adding_application_restrictions).
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to call
+  // "storage.googleapis.com" service because the request from the iOS apps
+  // violates the API key iOS application restrictions:
+  //
+  //     { "reason": "API_KEY_IOS_APP_BLOCKED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com"
+  //       }
+  //     }
+  API_KEY_IOS_APP_BLOCKED = 13;
+
+  // The request is denied because there is not enough rate quota for the
+  // consumer.
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to contact
+  // "pubsub.googleapis.com" service because consumer's rate quota usage has
+  // reached the maximum value set for the quota limit
+  // "ReadsPerMinutePerProject" on the quota metric
+  // "pubsub.googleapis.com/read_requests":
+  //
+  //     { "reason": "RATE_LIMIT_EXCEEDED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "pubsub.googleapis.com",
+  //         "quota_metric": "pubsub.googleapis.com/read_requests",
+  //         "quota_limit": "ReadsPerMinutePerProject"
+  //       }
+  //     }
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" checks quota on
+  // the service "dataflow.googleapis.com" and hits the organization quota
+  // limit "DefaultRequestsPerMinutePerOrganization" on the metric
+  // "dataflow.googleapis.com/default_requests".
+  //
+  //     { "reason": "RATE_LIMIT_EXCEEDED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "dataflow.googleapis.com",
+  //         "quota_metric": "dataflow.googleapis.com/default_requests",
+  //         "quota_limit": "DefaultRequestsPerMinutePerOrganization"
+  //       }
+  //     }
+  RATE_LIMIT_EXCEEDED = 5;
+
+  // The request is denied because there is not enough resource quota for the
+  // consumer.
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to contact
+  // "compute.googleapis.com" service because consumer's resource quota usage
+  // has reached the maximum value set for the quota limit "VMsPerProject"
+  // on the quota metric "compute.googleapis.com/vms":
+  //
+  //     { "reason": "RESOURCE_QUOTA_EXCEEDED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "compute.googleapis.com",
+  //         "quota_metric": "compute.googleapis.com/vms",
+  //         "quota_limit": "VMsPerProject"
+  //       }
+  //     }
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" checks resource
+  // quota on the service "dataflow.googleapis.com" and hits the organization
+  // quota limit "jobs-per-organization" on the metric
+  // "dataflow.googleapis.com/job_count".
+  //
+  //     { "reason": "RESOURCE_QUOTA_EXCEEDED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "dataflow.googleapis.com",
+  //         "quota_metric": "dataflow.googleapis.com/job_count",
+  //         "quota_limit": "jobs-per-organization"
+  //       }
+  //     }
+  RESOURCE_QUOTA_EXCEEDED = 6;
+
+  // The request whose associated billing account address is in a tax restricted
+  // location, violates the local tax restrictions when creating resources in
+  // the restricted region.
+  //
+  // Example of an ErrorInfo when creating the Cloud Storage Bucket in the
+  // container "projects/123" under a tax restricted region
+  // "locations/asia-northeast3":
+  //
+  //     { "reason": "LOCATION_TAX_POLICY_VIOLATED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com",
+  //         "location": "locations/asia-northeast3"
+  //       }
+  //     }
+  //
+  // This response indicates creating the Cloud Storage Bucket in
+  // "locations/asia-northeast3" violates the location tax restriction.
+  LOCATION_TAX_POLICY_VIOLATED = 10;
+
+  // The request is denied because the caller does not have required permission
+  // on the user project "projects/123" or the user project is invalid. For more
+  // information, check the [userProject System
+  // Parameters](https://cloud.google.com/apis/docs/system-parameters).
+  //
+  // Example of an ErrorInfo when the caller is calling Cloud Storage service
+  // with insufficient permissions on the user project:
+  //
+  //     { "reason": "USER_PROJECT_DENIED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com"
+  //       }
+  //     }
+  USER_PROJECT_DENIED = 11;
+
+  // The request is denied because the consumer "projects/123" is suspended due
+  // to Terms of Service(Tos) violations. Check [Project suspension
+  // guidelines](https://cloud.google.com/resource-manager/docs/project-suspension-guidelines)
+  // for more information.
+  //
+  // Example of an ErrorInfo when calling Cloud Storage service with the
+  // suspended consumer "projects/123":
+  //
+  //     { "reason": "CONSUMER_SUSPENDED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com"
+  //       }
+  //     }
+  CONSUMER_SUSPENDED = 12;
+
+  // The request is denied because the associated consumer is invalid. It may be
+  // in a bad format, cannot be found, or have been deleted.
+  //
+  // Example of an ErrorInfo when calling Cloud Storage service with the
+  // invalid consumer "projects/123":
+  //
+  //     { "reason": "CONSUMER_INVALID",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com"
+  //       }
+  //     }
+  CONSUMER_INVALID = 14;
+
+  // The request is denied because it violates [VPC Service
+  // Controls](https://cloud.google.com/vpc-service-controls/docs/overview).
+  // The 'uid' field is a random generated identifier that customer can use it
+  // to search the audit log for a request rejected by VPC Service Controls. For
+  // more information, please refer [VPC Service Controls
+  // Troubleshooting](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#unique-id)
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to call
+  // Cloud Storage service because the request is prohibited by the VPC Service
+  // Controls.
+  //
+  //     { "reason": "SECURITY_POLICY_VIOLATED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "uid": "123456789abcde",
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com"
+  //       }
+  //     }
+  SECURITY_POLICY_VIOLATED = 15;
+
+  // The request is denied because the provided access token has expired.
+  //
+  // Example of an ErrorInfo when the request is calling Cloud Storage service
+  // with an expired access token:
+  //
+  //     { "reason": "ACCESS_TOKEN_EXPIRED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "storage.googleapis.com",
+  //         "method": "google.storage.v1.Storage.GetObject"
+  //       }
+  //     }
+  ACCESS_TOKEN_EXPIRED = 16;
+
+  // The request is denied because the provided access token doesn't have at
+  // least one of the acceptable scopes required for the API. Please check
+  // [OAuth 2.0 Scopes for Google
+  // APIs](https://developers.google.com/identity/protocols/oauth2/scopes) for
+  // the list of the OAuth 2.0 scopes that you might need to request to access
+  // the API.
+  //
+  // Example of an ErrorInfo when the request is calling Cloud Storage service
+  // with an access token that is missing required scopes:
+  //
+  //     { "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "storage.googleapis.com",
+  //         "method": "google.storage.v1.Storage.GetObject"
+  //       }
+  //     }
+  ACCESS_TOKEN_SCOPE_INSUFFICIENT = 17;
+
+  // The request is denied because the account associated with the provided
+  // access token is in an invalid state, such as disabled or deleted.
+  // For more information, see https://cloud.google.com/docs/authentication.
+  //
+  // Warning: For privacy reasons, the server may not be able to disclose the
+  // email address for some accounts. The client MUST NOT depend on the
+  // availability of the `email` attribute.
+  //
+  // Example of an ErrorInfo when the request is to the Cloud Storage API with
+  // an access token that is associated with a disabled or deleted [service
+  // account](http://cloud/iam/docs/service-accounts):
+  //
+  //     { "reason": "ACCOUNT_STATE_INVALID",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "storage.googleapis.com",
+  //         "method": "google.storage.v1.Storage.GetObject",
+  //         "email": "user@123.iam.gserviceaccount.com"
+  //       }
+  //     }
+  ACCOUNT_STATE_INVALID = 18;
+
+  // The request is denied because the type of the provided access token is not
+  // supported by the API being called.
+  //
+  // Example of an ErrorInfo when the request is to the Cloud Storage API with
+  // an unsupported token type.
+  //
+  //     { "reason": "ACCESS_TOKEN_TYPE_UNSUPPORTED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "storage.googleapis.com",
+  //         "method": "google.storage.v1.Storage.GetObject"
+  //       }
+  //     }
+  ACCESS_TOKEN_TYPE_UNSUPPORTED = 19;
+
+  // The request is denied because the request doesn't have any authentication
+  // credentials. For more information regarding the supported authentication
+  // strategies for Google Cloud APIs, see
+  // https://cloud.google.com/docs/authentication.
+  //
+  // Example of an ErrorInfo when the request is to the Cloud Storage API
+  // without any authentication credentials.
+  //
+  //     { "reason": "CREDENTIALS_MISSING",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "storage.googleapis.com",
+  //         "method": "google.storage.v1.Storage.GetObject"
+  //       }
+  //     }
+  CREDENTIALS_MISSING = 20;
+
+  // The request is denied because the provided project owning the resource
+  // which acts as the [API
+  // consumer](https://cloud.google.com/apis/design/glossary#api_consumer) is
+  // invalid. It may be in a bad format or empty.
+  //
+  // Example of an ErrorInfo when the request is to the Cloud Functions API,
+  // but the offered resource project in the request in a bad format which can't
+  // perform the ListFunctions method.
+  //
+  //     { "reason": "RESOURCE_PROJECT_INVALID",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "cloudfunctions.googleapis.com",
+  //         "method":
+  //         "google.cloud.functions.v1.CloudFunctionsService.ListFunctions"
+  //       }
+  //     }
+  RESOURCE_PROJECT_INVALID = 21;
+
+  // The request is denied because the provided session cookie is missing,
+  // invalid or failed to decode.
+  //
+  // Example of an ErrorInfo when the request is calling Cloud Storage service
+  // with a SID cookie which can't be decoded.
+  //
+  //     { "reason": "SESSION_COOKIE_INVALID",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "storage.googleapis.com",
+  //         "method": "google.storage.v1.Storage.GetObject",
+  //         "cookie": "SID"
+  //       }
+  //     }
+  SESSION_COOKIE_INVALID = 23;
+
+  // The request is denied because the user is from a Google Workspace customer
+  // that blocks their users from accessing a particular service.
+  //
+  // Example scenario: https://support.google.com/a/answer/9197205?hl=en
+  //
+  // Example of an ErrorInfo when access to Google Cloud Storage service is
+  // blocked by the Google Workspace administrator:
+  //
+  //     { "reason": "USER_BLOCKED_BY_ADMIN",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "storage.googleapis.com",
+  //         "method": "google.storage.v1.Storage.GetObject",
+  //       }
+  //     }
+  USER_BLOCKED_BY_ADMIN = 24;
+
+  // The request is denied because the resource service usage is restricted
+  // by administrators according to the organization policy constraint.
+  // For more information see
+  // https://cloud.google.com/resource-manager/docs/organization-policy/restricting-services.
+  //
+  // Example of an ErrorInfo when access to Google Cloud Storage service is
+  // restricted by Resource Usage Restriction policy:
+  //
+  //     { "reason": "RESOURCE_USAGE_RESTRICTION_VIOLATED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/project-123",
+  //         "service": "storage.googleapis.com"
+  //       }
+  //     }
+  RESOURCE_USAGE_RESTRICTION_VIOLATED = 25;
+
+  // Unimplemented. Do not use.
+  //
+  // The request is denied because it contains unsupported system parameters in
+  // URL query parameters or HTTP headers. For more information,
+  // see https://cloud.google.com/apis/docs/system-parameters
+  //
+  // Example of an ErrorInfo when access "pubsub.googleapis.com" service with
+  // a request header of "x-goog-user-ip":
+  //
+  //     { "reason": "SYSTEM_PARAMETER_UNSUPPORTED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "service": "pubsub.googleapis.com"
+  //         "parameter": "x-goog-user-ip"
+  //       }
+  //     }
+  SYSTEM_PARAMETER_UNSUPPORTED = 26;
+
+  // The request is denied because it violates Org Restriction: the requested
+  // resource does not belong to allowed organizations specified in
+  // "X-Goog-Allowed-Resources" header.
+  //
+  // Example of an ErrorInfo when accessing a GCP resource that is restricted by
+  // Org Restriction for "pubsub.googleapis.com" service.
+  //
+  // {
+  //   reason: "ORG_RESTRICTION_VIOLATION"
+  //   domain: "googleapis.com"
+  //   metadata {
+  //     "consumer":"projects/123456"
+  //     "service": "pubsub.googleapis.com"
+  //   }
+  // }
+  ORG_RESTRICTION_VIOLATION = 27;
+
+  // The request is denied because "X-Goog-Allowed-Resources" header is in a bad
+  // format.
+  //
+  // Example of an ErrorInfo when
+  // accessing "pubsub.googleapis.com" service with an invalid
+  // "X-Goog-Allowed-Resources" request header.
+  //
+  // {
+  //   reason: "ORG_RESTRICTION_HEADER_INVALID"
+  //   domain: "googleapis.com"
+  //   metadata {
+  //     "consumer":"projects/123456"
+  //     "service": "pubsub.googleapis.com"
+  //   }
+  // }
+  ORG_RESTRICTION_HEADER_INVALID = 28;
+
+  // Unimplemented. Do not use.
+  //
+  // The request is calling a service that is not visible to the consumer.
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" contacting
+  //  "pubsub.googleapis.com" service which is not visible to the consumer.
+  //
+  //     { "reason": "SERVICE_NOT_VISIBLE",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "pubsub.googleapis.com"
+  //       }
+  //     }
+  //
+  // This response indicates the "pubsub.googleapis.com" is not visible to
+  // "projects/123" (or it may not exist).
+  SERVICE_NOT_VISIBLE = 29;
+
+  // The request is related to a project for which GCP access is suspended.
+  //
+  // Example of an ErrorInfo when the consumer "projects/123" fails to contact
+  // "pubsub.googleapis.com" service because GCP access is suspended:
+  //
+  //     { "reason": "GCP_SUSPENDED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "pubsub.googleapis.com"
+  //       }
+  //     }
+  //
+  // This response indicates the associated GCP account has been suspended.
+  GCP_SUSPENDED = 30;
+
+  // The request violates the location policies when creating resources in
+  // the restricted region.
+  //
+  // Example of an ErrorInfo when creating the Cloud Storage Bucket by
+  // "projects/123" for service storage.googleapis.com:
+  //
+  //     { "reason": "LOCATION_POLICY_VIOLATED",
+  //       "domain": "googleapis.com",
+  //       "metadata": {
+  //         "consumer": "projects/123",
+  //         "service": "storage.googleapis.com",
+  //       }
+  //     }
+  //
+  // This response indicates creating the Cloud Storage Bucket in
+  // "locations/asia-northeast3" violates at least one location policy.
+  // The troubleshooting guidance is provided in the Help links.
+  LOCATION_POLICY_VIOLATED = 31;
+
+  // The request is denied because origin request header is missing.
+  //
+  // Example of an ErrorInfo when
+  // accessing "pubsub.googleapis.com" service with an empty "Origin" request
+  // header.
+  //
+  // {
+  //   reason: "MISSING_ORIGIN"
+  //   domain: "googleapis.com"
+  //   metadata {
+  //     "consumer":"projects/123456"
+  //     "service": "pubsub.googleapis.com"
+  //   }
+  // }
+  MISSING_ORIGIN = 33;
+
+  // The request is denied because the request contains more than one credential
+  // type that are individually acceptable, but not together. The customer
+  // should retry their request with only one set of credentials.
+  //
+  // Example of an ErrorInfo when
+  // accessing "pubsub.googleapis.com" service with overloaded credentials.
+  //
+  // {
+  //   reason: "OVERLOADED_CREDENTIALS"
+  //   domain: "googleapis.com"
+  //   metadata {
+  //     "consumer":"projects/123456"
+  //     "service": "pubsub.googleapis.com"
+  //   }
+  // }
+  OVERLOADED_CREDENTIALS = 34;
+}

apps/hermes/server/proto/vendor/google/api/field_behavior.proto

@@ -0,0 +1,104 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/protobuf/descriptor.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations";
+option java_multiple_files = true;
+option java_outer_classname = "FieldBehaviorProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+extend google.protobuf.FieldOptions {
+  // A designation of a specific field behavior (required, output only, etc.)
+  // in protobuf messages.
+  //
+  // Examples:
+  //
+  //   string name = 1 [(google.api.field_behavior) = REQUIRED];
+  //   State state = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+  //   google.protobuf.Duration ttl = 1
+  //     [(google.api.field_behavior) = INPUT_ONLY];
+  //   google.protobuf.Timestamp expire_time = 1
+  //     [(google.api.field_behavior) = OUTPUT_ONLY,
+  //      (google.api.field_behavior) = IMMUTABLE];
+  repeated google.api.FieldBehavior field_behavior = 1052 [packed = false];
+}
+
+// An indicator of the behavior of a given field (for example, that a field
+// is required in requests, or given as output but ignored as input).
+// This **does not** change the behavior in protocol buffers itself; it only
+// denotes the behavior and may affect how API tooling handles the field.
+//
+// Note: This enum **may** receive new values in the future.
+enum FieldBehavior {
+  // Conventional default for enums. Do not use this.
+  FIELD_BEHAVIOR_UNSPECIFIED = 0;
+
+  // Specifically denotes a field as optional.
+  // While all fields in protocol buffers are optional, this may be specified
+  // for emphasis if appropriate.
+  OPTIONAL = 1;
+
+  // Denotes a field as required.
+  // This indicates that the field **must** be provided as part of the request,
+  // and failure to do so will cause an error (usually `INVALID_ARGUMENT`).
+  REQUIRED = 2;
+
+  // Denotes a field as output only.
+  // This indicates that the field is provided in responses, but including the
+  // field in a request does nothing (the server *must* ignore it and
+  // *must not* throw an error as a result of the field's presence).
+  OUTPUT_ONLY = 3;
+
+  // Denotes a field as input only.
+  // This indicates that the field is provided in requests, and the
+  // corresponding field is not included in output.
+  INPUT_ONLY = 4;
+
+  // Denotes a field as immutable.
+  // This indicates that the field may be set once in a request to create a
+  // resource, but may not be changed thereafter.
+  IMMUTABLE = 5;
+
+  // Denotes that a (repeated) field is an unordered list.
+  // This indicates that the service may provide the elements of the list
+  // in any arbitrary  order, rather than the order the user originally
+  // provided. Additionally, the list's order may or may not be stable.
+  UNORDERED_LIST = 6;
+
+  // Denotes that this field returns a non-empty default value if not set.
+  // This indicates that if the user provides the empty value in a request,
+  // a non-empty value will be returned. The user will not be aware of what
+  // non-empty value to expect.
+  NON_EMPTY_DEFAULT = 7;
+
+  // Denotes that the field in a resource (a message annotated with
+  // google.api.resource) is used in the resource name to uniquely identify the
+  // resource. For AIP-compliant APIs, this should only be applied to the
+  // `name` field on the resource.
+  //
+  // This behavior should not be applied to references to other resources within
+  // the message.
+  //
+  // The identifier field of resources often have different field behavior
+  // depending on the request it is embedded in (e.g. for Create methods name
+  // is optional and unused, while for Update methods it is required). Instead
+  // of method-specific annotations, only `IDENTIFIER` is required.
+  IDENTIFIER = 8;
+}

apps/hermes/server/proto/vendor/google/api/field_info.proto

@@ -0,0 +1,106 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/protobuf/descriptor.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations";
+option java_multiple_files = true;
+option java_outer_classname = "FieldInfoProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+extend google.protobuf.FieldOptions {
+  // Rich semantic descriptor of an API field beyond the basic typing.
+  //
+  // Examples:
+  //
+  //     string request_id = 1 [(google.api.field_info).format = UUID4];
+  //     string old_ip_address = 2 [(google.api.field_info).format = IPV4];
+  //     string new_ip_address = 3 [(google.api.field_info).format = IPV6];
+  //     string actual_ip_address = 4 [
+  //       (google.api.field_info).format = IPV4_OR_IPV6
+  //     ];
+  //     google.protobuf.Any generic_field = 5 [
+  //       (google.api.field_info).referenced_types = {type_name: "ActualType"},
+  //       (google.api.field_info).referenced_types = {type_name: "OtherType"},
+  //     ];
+  //     google.protobuf.Any generic_user_input = 5 [
+  //       (google.api.field_info).referenced_types = {type_name: "*"},
+  //     ];
+  google.api.FieldInfo field_info = 291403980;
+}
+
+// Rich semantic information of an API field beyond basic typing.
+message FieldInfo {
+  // The standard format of a field value. The supported formats are all backed
+  // by either an RFC defined by the IETF or a Google-defined AIP.
+  enum Format {
+    // Default, unspecified value.
+    FORMAT_UNSPECIFIED = 0;
+
+    // Universally Unique Identifier, version 4, value as defined by
+    // https://datatracker.ietf.org/doc/html/rfc4122. The value may be
+    // normalized to entirely lowercase letters. For example, the value
+    // `F47AC10B-58CC-0372-8567-0E02B2C3D479` would be normalized to
+    // `f47ac10b-58cc-0372-8567-0e02b2c3d479`.
+    UUID4 = 1;
+
+    // Internet Protocol v4 value as defined by [RFC
+    // 791](https://datatracker.ietf.org/doc/html/rfc791). The value may be
+    // condensed, with leading zeros in each octet stripped. For example,
+    // `001.022.233.040` would be condensed to `1.22.233.40`.
+    IPV4 = 2;
+
+    // Internet Protocol v6 value as defined by [RFC
+    // 2460](https://datatracker.ietf.org/doc/html/rfc2460). The value may be
+    // normalized to entirely lowercase letters with zeros compressed, following
+    // [RFC 5952](https://datatracker.ietf.org/doc/html/rfc5952). For example,
+    // the value `2001:0DB8:0::0` would be normalized to `2001:db8::`.
+    IPV6 = 3;
+
+    // An IP address in either v4 or v6 format as described by the individual
+    // values defined herein. See the comments on the IPV4 and IPV6 types for
+    // allowed normalizations of each.
+    IPV4_OR_IPV6 = 4;
+  }
+
+  // The standard format of a field value. This does not explicitly configure
+  // any API consumer, just documents the API's format for the field it is
+  // applied to.
+  Format format = 1;
+
+  // The type(s) that the annotated, generic field may represent.
+  //
+  // Currently, this must only be used on fields of type `google.protobuf.Any`.
+  // Supporting other generic types may be considered in the future.
+  repeated TypeReference referenced_types = 2;
+}
+
+// A reference to a message type, for use in [FieldInfo][google.api.FieldInfo].
+message TypeReference {
+  // The name of the type that the annotated, generic field may represent.
+  // If the type is in the same protobuf package, the value can be the simple
+  // message name e.g., `"MyMessage"`. Otherwise, the value must be the
+  // fully-qualified message name e.g., `"google.library.v1.Book"`.
+  //
+  // If the type(s) are unknown to the service (e.g. the field accepts generic
+  // user input), use the wildcard `"*"` to denote this behavior.
+  //
+  // See [AIP-202](https://google.aip.dev/202#type-references) for more details.
+  string type_name = 1;
+}

apps/hermes/server/proto/vendor/google/api/http.proto

@@ -0,0 +1,371 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations";
+option java_multiple_files = true;
+option java_outer_classname = "HttpProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Defines the HTTP configuration for an API service. It contains a list of
+// [HttpRule][google.api.HttpRule], each specifying the mapping of an RPC method
+// to one or more HTTP REST API methods.
+message Http {
+  // A list of HTTP configuration rules that apply to individual API methods.
+  //
+  // **NOTE:** All service configuration rules follow "last one wins" order.
+  repeated HttpRule rules = 1;
+
+  // When set to true, URL path parameters will be fully URI-decoded except in
+  // cases of single segment matches in reserved expansion, where "%2F" will be
+  // left encoded.
+  //
+  // The default behavior is to not decode RFC 6570 reserved characters in multi
+  // segment matches.
+  bool fully_decode_reserved_expansion = 2;
+}
+
+// gRPC Transcoding
+//
+// gRPC Transcoding is a feature for mapping between a gRPC method and one or
+// more HTTP REST endpoints. It allows developers to build a single API service
+// that supports both gRPC APIs and REST APIs. Many systems, including [Google
+// APIs](https://github.com/googleapis/googleapis),
+// [Cloud Endpoints](https://cloud.google.com/endpoints), [gRPC
+// Gateway](https://github.com/grpc-ecosystem/grpc-gateway),
+// and [Envoy](https://github.com/envoyproxy/envoy) proxy support this feature
+// and use it for large scale production services.
+//
+// `HttpRule` defines the schema of the gRPC/REST mapping. The mapping specifies
+// how different portions of the gRPC request message are mapped to the URL
+// path, URL query parameters, and HTTP request body. It also controls how the
+// gRPC response message is mapped to the HTTP response body. `HttpRule` is
+// typically specified as an `google.api.http` annotation on the gRPC method.
+//
+// Each mapping specifies a URL path template and an HTTP method. The path
+// template may refer to one or more fields in the gRPC request message, as long
+// as each field is a non-repeated field with a primitive (non-message) type.
+// The path template controls how fields of the request message are mapped to
+// the URL path.
+//
+// Example:
+//
+//     service Messaging {
+//       rpc GetMessage(GetMessageRequest) returns (Message) {
+//         option (google.api.http) = {
+//             get: "/v1/{name=messages/*}"
+//         };
+//       }
+//     }
+//     message GetMessageRequest {
+//       string name = 1; // Mapped to URL path.
+//     }
+//     message Message {
+//       string text = 1; // The resource content.
+//     }
+//
+// This enables an HTTP REST to gRPC mapping as below:
+//
+// - HTTP: `GET /v1/messages/123456`
+// - gRPC: `GetMessage(name: "messages/123456")`
+//
+// Any fields in the request message which are not bound by the path template
+// automatically become HTTP query parameters if there is no HTTP request body.
+// For example:
+//
+//     service Messaging {
+//       rpc GetMessage(GetMessageRequest) returns (Message) {
+//         option (google.api.http) = {
+//             get:"/v1/messages/{message_id}"
+//         };
+//       }
+//     }
+//     message GetMessageRequest {
+//       message SubMessage {
+//         string subfield = 1;
+//       }
+//       string message_id = 1; // Mapped to URL path.
+//       int64 revision = 2;    // Mapped to URL query parameter `revision`.
+//       SubMessage sub = 3;    // Mapped to URL query parameter `sub.subfield`.
+//     }
+//
+// This enables a HTTP JSON to RPC mapping as below:
+//
+// - HTTP: `GET /v1/messages/123456?revision=2&sub.subfield=foo`
+// - gRPC: `GetMessage(message_id: "123456" revision: 2 sub:
+// SubMessage(subfield: "foo"))`
+//
+// Note that fields which are mapped to URL query parameters must have a
+// primitive type or a repeated primitive type or a non-repeated message type.
+// In the case of a repeated type, the parameter can be repeated in the URL
+// as `...?param=A&param=B`. In the case of a message type, each field of the
+// message is mapped to a separate parameter, such as
+// `...?foo.a=A&foo.b=B&foo.c=C`.
+//
+// For HTTP methods that allow a request body, the `body` field
+// specifies the mapping. Consider a REST update method on the
+// message resource collection:
+//
+//     service Messaging {
+//       rpc UpdateMessage(UpdateMessageRequest) returns (Message) {
+//         option (google.api.http) = {
+//           patch: "/v1/messages/{message_id}"
+//           body: "message"
+//         };
+//       }
+//     }
+//     message UpdateMessageRequest {
+//       string message_id = 1; // mapped to the URL
+//       Message message = 2;   // mapped to the body
+//     }
+//
+// The following HTTP JSON to RPC mapping is enabled, where the
+// representation of the JSON in the request body is determined by
+// protos JSON encoding:
+//
+// - HTTP: `PATCH /v1/messages/123456 { "text": "Hi!" }`
+// - gRPC: `UpdateMessage(message_id: "123456" message { text: "Hi!" })`
+//
+// The special name `*` can be used in the body mapping to define that
+// every field not bound by the path template should be mapped to the
+// request body.  This enables the following alternative definition of
+// the update method:
+//
+//     service Messaging {
+//       rpc UpdateMessage(Message) returns (Message) {
+//         option (google.api.http) = {
+//           patch: "/v1/messages/{message_id}"
+//           body: "*"
+//         };
+//       }
+//     }
+//     message Message {
+//       string message_id = 1;
+//       string text = 2;
+//     }
+//
+//
+// The following HTTP JSON to RPC mapping is enabled:
+//
+// - HTTP: `PATCH /v1/messages/123456 { "text": "Hi!" }`
+// - gRPC: `UpdateMessage(message_id: "123456" text: "Hi!")`
+//
+// Note that when using `*` in the body mapping, it is not possible to
+// have HTTP parameters, as all fields not bound by the path end in
+// the body. This makes this option more rarely used in practice when
+// defining REST APIs. The common usage of `*` is in custom methods
+// which don't use the URL at all for transferring data.
+//
+// It is possible to define multiple HTTP methods for one RPC by using
+// the `additional_bindings` option. Example:
+//
+//     service Messaging {
+//       rpc GetMessage(GetMessageRequest) returns (Message) {
+//         option (google.api.http) = {
+//           get: "/v1/messages/{message_id}"
+//           additional_bindings {
+//             get: "/v1/users/{user_id}/messages/{message_id}"
+//           }
+//         };
+//       }
+//     }
+//     message GetMessageRequest {
+//       string message_id = 1;
+//       string user_id = 2;
+//     }
+//
+// This enables the following two alternative HTTP JSON to RPC mappings:
+//
+// - HTTP: `GET /v1/messages/123456`
+// - gRPC: `GetMessage(message_id: "123456")`
+//
+// - HTTP: `GET /v1/users/me/messages/123456`
+// - gRPC: `GetMessage(user_id: "me" message_id: "123456")`
+//
+// Rules for HTTP mapping
+//
+// 1. Leaf request fields (recursive expansion nested messages in the request
+//    message) are classified into three categories:
+//    - Fields referred by the path template. They are passed via the URL path.
+//    - Fields referred by the [HttpRule.body][google.api.HttpRule.body]. They
+//    are passed via the HTTP
+//      request body.
+//    - All other fields are passed via the URL query parameters, and the
+//      parameter name is the field path in the request message. A repeated
+//      field can be represented as multiple query parameters under the same
+//      name.
+//  2. If [HttpRule.body][google.api.HttpRule.body] is "*", there is no URL
+//  query parameter, all fields
+//     are passed via URL path and HTTP request body.
+//  3. If [HttpRule.body][google.api.HttpRule.body] is omitted, there is no HTTP
+//  request body, all
+//     fields are passed via URL path and URL query parameters.
+//
+// Path template syntax
+//
+//     Template = "/" Segments [ Verb ] ;
+//     Segments = Segment { "/" Segment } ;
+//     Segment  = "*" | "**" | LITERAL | Variable ;
+//     Variable = "{" FieldPath [ "=" Segments ] "}" ;
+//     FieldPath = IDENT { "." IDENT } ;
+//     Verb     = ":" LITERAL ;
+//
+// The syntax `*` matches a single URL path segment. The syntax `**` matches
+// zero or more URL path segments, which must be the last part of the URL path
+// except the `Verb`.
+//
+// The syntax `Variable` matches part of the URL path as specified by its
+// template. A variable template must not contain other variables. If a variable
+// matches a single path segment, its template may be omitted, e.g. `{var}`
+// is equivalent to `{var=*}`.
+//
+// The syntax `LITERAL` matches literal text in the URL path. If the `LITERAL`
+// contains any reserved character, such characters should be percent-encoded
+// before the matching.
+//
+// If a variable contains exactly one path segment, such as `"{var}"` or
+// `"{var=*}"`, when such a variable is expanded into a URL path on the client
+// side, all characters except `[-_.~0-9a-zA-Z]` are percent-encoded. The
+// server side does the reverse decoding. Such variables show up in the
+// [Discovery
+// Document](https://developers.google.com/discovery/v1/reference/apis) as
+// `{var}`.
+//
+// If a variable contains multiple path segments, such as `"{var=foo/*}"`
+// or `"{var=**}"`, when such a variable is expanded into a URL path on the
+// client side, all characters except `[-_.~/0-9a-zA-Z]` are percent-encoded.
+// The server side does the reverse decoding, except "%2F" and "%2f" are left
+// unchanged. Such variables show up in the
+// [Discovery
+// Document](https://developers.google.com/discovery/v1/reference/apis) as
+// `{+var}`.
+//
+// Using gRPC API Service Configuration
+//
+// gRPC API Service Configuration (service config) is a configuration language
+// for configuring a gRPC service to become a user-facing product. The
+// service config is simply the YAML representation of the `google.api.Service`
+// proto message.
+//
+// As an alternative to annotating your proto file, you can configure gRPC
+// transcoding in your service config YAML files. You do this by specifying a
+// `HttpRule` that maps the gRPC method to a REST endpoint, achieving the same
+// effect as the proto annotation. This can be particularly useful if you
+// have a proto that is reused in multiple services. Note that any transcoding
+// specified in the service config will override any matching transcoding
+// configuration in the proto.
+//
+// The following example selects a gRPC method and applies an `HttpRule` to it:
+//
+//     http:
+//       rules:
+//         - selector: example.v1.Messaging.GetMessage
+//           get: /v1/messages/{message_id}/{sub.subfield}
+//
+// Special notes
+//
+// When gRPC Transcoding is used to map a gRPC to JSON REST endpoints, the
+// proto to JSON conversion must follow the [proto3
+// specification](https://developers.google.com/protocol-buffers/docs/proto3#json).
+//
+// While the single segment variable follows the semantics of
+// [RFC 6570](https://tools.ietf.org/html/rfc6570) Section 3.2.2 Simple String
+// Expansion, the multi segment variable **does not** follow RFC 6570 Section
+// 3.2.3 Reserved Expansion. The reason is that the Reserved Expansion
+// does not expand special characters like `?` and `#`, which would lead
+// to invalid URLs. As the result, gRPC Transcoding uses a custom encoding
+// for multi segment variables.
+//
+// The path variables **must not** refer to any repeated or mapped field,
+// because client libraries are not capable of handling such variable expansion.
+//
+// The path variables **must not** capture the leading "/" character. The reason
+// is that the most common use case "{var}" does not capture the leading "/"
+// character. For consistency, all path variables must share the same behavior.
+//
+// Repeated message fields must not be mapped to URL query parameters, because
+// no client library can support such complicated mapping.
+//
+// If an API needs to use a JSON array for request or response body, it can map
+// the request or response body to a repeated field. However, some gRPC
+// Transcoding implementations may not support this feature.
+message HttpRule {
+  // Selects a method to which this rule applies.
+  //
+  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
+  // details.
+  string selector = 1;
+
+  // Determines the URL pattern is matched by this rules. This pattern can be
+  // used with any of the {get|put|post|delete|patch} methods. A custom method
+  // can be defined using the 'custom' field.
+  oneof pattern {
+    // Maps to HTTP GET. Used for listing and getting information about
+    // resources.
+    string get = 2;
+
+    // Maps to HTTP PUT. Used for replacing a resource.
+    string put = 3;
+
+    // Maps to HTTP POST. Used for creating a resource or performing an action.
+    string post = 4;
+
+    // Maps to HTTP DELETE. Used for deleting a resource.
+    string delete = 5;
+
+    // Maps to HTTP PATCH. Used for updating a resource.
+    string patch = 6;
+
+    // The custom pattern is used for specifying an HTTP method that is not
+    // included in the `pattern` field, such as HEAD, or "*" to leave the
+    // HTTP method unspecified for this rule. The wild-card rule is useful
+    // for services that provide content to Web (HTML) clients.
+    CustomHttpPattern custom = 8;
+  }
+
+  // The name of the request field whose value is mapped to the HTTP request
+  // body, or `*` for mapping all request fields not captured by the path
+  // pattern to the HTTP body, or omitted for not having any HTTP request body.
+  //
+  // NOTE: the referred field must be present at the top-level of the request
+  // message type.
+  string body = 7;
+
+  // Optional. The name of the response field whose value is mapped to the HTTP
+  // response body. When omitted, the entire response message will be used
+  // as the HTTP response body.
+  //
+  // NOTE: The referred field must be present at the top-level of the response
+  // message type.
+  string response_body = 12;
+
+  // Additional HTTP bindings for the selector. Nested bindings must
+  // not contain an `additional_bindings` field themselves (that is,
+  // the nesting may only be one level deep).
+  repeated HttpRule additional_bindings = 11;
+}
+
+// A custom pattern is used for defining custom HTTP verb.
+message CustomHttpPattern {
+  // The name of this custom HTTP verb.
+  string kind = 1;
+
+  // The path matched by this custom verb.
+  string path = 2;
+}

apps/hermes/server/proto/vendor/google/api/httpbody.proto

@@ -0,0 +1,81 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/protobuf/any.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/api/httpbody;httpbody";
+option java_multiple_files = true;
+option java_outer_classname = "HttpBodyProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Message that represents an arbitrary HTTP body. It should only be used for
+// payload formats that can't be represented as JSON, such as raw binary or
+// an HTML page.
+//
+//
+// This message can be used both in streaming and non-streaming API methods in
+// the request as well as the response.
+//
+// It can be used as a top-level request field, which is convenient if one
+// wants to extract parameters from either the URL or HTTP template into the
+// request fields and also want access to the raw HTTP body.
+//
+// Example:
+//
+//     message GetResourceRequest {
+//       // A unique request id.
+//       string request_id = 1;
+//
+//       // The raw HTTP body is bound to this field.
+//       google.api.HttpBody http_body = 2;
+//
+//     }
+//
+//     service ResourceService {
+//       rpc GetResource(GetResourceRequest)
+//         returns (google.api.HttpBody);
+//       rpc UpdateResource(google.api.HttpBody)
+//         returns (google.protobuf.Empty);
+//
+//     }
+//
+// Example with streaming methods:
+//
+//     service CaldavService {
+//       rpc GetCalendar(stream google.api.HttpBody)
+//         returns (stream google.api.HttpBody);
+//       rpc UpdateCalendar(stream google.api.HttpBody)
+//         returns (stream google.api.HttpBody);
+//
+//     }
+//
+// Use of this type only changes how the request and response bodies are
+// handled, all other features will continue to work unchanged.
+message HttpBody {
+  // The HTTP Content-Type header value specifying the content type of the body.
+  string content_type = 1;
+
+  // The HTTP request/response body as raw binary.
+  bytes data = 2;
+
+  // Application specific response metadata. Must be set in the first response
+  // for streaming APIs.
+  repeated google.protobuf.Any extensions = 3;
+}

apps/hermes/server/proto/vendor/google/api/label.proto

@@ -0,0 +1,48 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/api/label;label";
+option java_multiple_files = true;
+option java_outer_classname = "LabelProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// A description of a label.
+message LabelDescriptor {
+  // Value types that can be used as label values.
+  enum ValueType {
+    // A variable-length string. This is the default.
+    STRING = 0;
+
+    // Boolean; true or false.
+    BOOL = 1;
+
+    // A 64-bit signed integer.
+    INT64 = 2;
+  }
+
+  // The label key.
+  string key = 1;
+
+  // The type of data that can be assigned to the label.
+  ValueType value_type = 2;
+
+  // A human-readable description for the label.
+  string description = 3;
+}

apps/hermes/server/proto/vendor/google/api/launch_stage.proto

@@ -0,0 +1,72 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api;api";
+option java_multiple_files = true;
+option java_outer_classname = "LaunchStageProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// The launch stage as defined by [Google Cloud Platform
+// Launch Stages](https://cloud.google.com/terms/launch-stages).
+enum LaunchStage {
+  // Do not use this default value.
+  LAUNCH_STAGE_UNSPECIFIED = 0;
+
+  // The feature is not yet implemented. Users can not use it.
+  UNIMPLEMENTED = 6;
+
+  // Prelaunch features are hidden from users and are only visible internally.
+  PRELAUNCH = 7;
+
+  // Early Access features are limited to a closed group of testers. To use
+  // these features, you must sign up in advance and sign a Trusted Tester
+  // agreement (which includes confidentiality provisions). These features may
+  // be unstable, changed in backward-incompatible ways, and are not
+  // guaranteed to be released.
+  EARLY_ACCESS = 1;
+
+  // Alpha is a limited availability test for releases before they are cleared
+  // for widespread use. By Alpha, all significant design issues are resolved
+  // and we are in the process of verifying functionality. Alpha customers
+  // need to apply for access, agree to applicable terms, and have their
+  // projects allowlisted. Alpha releases don't have to be feature complete,
+  // no SLAs are provided, and there are no technical support obligations, but
+  // they will be far enough along that customers can actually use them in
+  // test environments or for limited-use tests -- just like they would in
+  // normal production cases.
+  ALPHA = 2;
+
+  // Beta is the point at which we are ready to open a release for any
+  // customer to use. There are no SLA or technical support obligations in a
+  // Beta release. Products will be complete from a feature perspective, but
+  // may have some open outstanding issues. Beta releases are suitable for
+  // limited production use cases.
+  BETA = 3;
+
+  // GA features are open to all developers and are considered stable and
+  // fully qualified for production use.
+  GA = 4;
+
+  // Deprecated features are scheduled to be shut down and removed. For more
+  // information, see the "Deprecation Policy" section of our [Terms of
+  // Service](https://cloud.google.com/terms/)
+  // and the [Google Cloud Platform Subject to the Deprecation
+  // Policy](https://cloud.google.com/terms/deprecation) documentation.
+  DEPRECATED = 5;
+}

apps/hermes/server/proto/vendor/google/api/log.proto

@@ -0,0 +1,54 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/api/label.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "LogProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// A description of a log type. Example in YAML format:
+//
+//     - name: library.googleapis.com/activity_history
+//       description: The history of borrowing and returning library items.
+//       display_name: Activity
+//       labels:
+//       - key: /customer_id
+//         description: Identifier of a library customer
+message LogDescriptor {
+  // The name of the log. It must be less than 512 characters long and can
+  // include the following characters: upper- and lower-case alphanumeric
+  // characters [A-Za-z0-9], and punctuation characters including
+  // slash, underscore, hyphen, period [/_-.].
+  string name = 1;
+
+  // The set of labels that are available to describe a specific log entry.
+  // Runtime requests that contain labels not specified here are
+  // considered invalid.
+  repeated LabelDescriptor labels = 2;
+
+  // A human-readable description of this log. This information appears in
+  // the documentation and can contain details.
+  string description = 3;
+
+  // The human-readable name for this log. This information appears on
+  // the user interface and should be concise.
+  string display_name = 4;
+}

apps/hermes/server/proto/vendor/google/api/logging.proto

@@ -0,0 +1,81 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "LoggingProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Logging configuration of the service.
+//
+// The following example shows how to configure logs to be sent to the
+// producer and consumer projects. In the example, the `activity_history`
+// log is sent to both the producer and consumer projects, whereas the
+// `purchase_history` log is only sent to the producer project.
+//
+//     monitored_resources:
+//     - type: library.googleapis.com/branch
+//       labels:
+//       - key: /city
+//         description: The city where the library branch is located in.
+//       - key: /name
+//         description: The name of the branch.
+//     logs:
+//     - name: activity_history
+//       labels:
+//       - key: /customer_id
+//     - name: purchase_history
+//     logging:
+//       producer_destinations:
+//       - monitored_resource: library.googleapis.com/branch
+//         logs:
+//         - activity_history
+//         - purchase_history
+//       consumer_destinations:
+//       - monitored_resource: library.googleapis.com/branch
+//         logs:
+//         - activity_history
+message Logging {
+  // Configuration of a specific logging destination (the producer project
+  // or the consumer project).
+  message LoggingDestination {
+    // The monitored resource type. The type must be defined in the
+    // [Service.monitored_resources][google.api.Service.monitored_resources]
+    // section.
+    string monitored_resource = 3;
+
+    // Names of the logs to be sent to this destination. Each name must
+    // be defined in the [Service.logs][google.api.Service.logs] section. If the
+    // log name is not a domain scoped name, it will be automatically prefixed
+    // with the service name followed by "/".
+    repeated string logs = 1;
+  }
+
+  // Logging configurations for sending logs to the producer project.
+  // There can be multiple producer destinations, each one must have a
+  // different monitored resource type. A log can be used in at most
+  // one producer destination.
+  repeated LoggingDestination producer_destinations = 1;
+
+  // Logging configurations for sending logs to the consumer project.
+  // There can be multiple consumer destinations, each one must have a
+  // different monitored resource type. A log can be used in at most
+  // one consumer destination.
+  repeated LoggingDestination consumer_destinations = 2;
+}

apps/hermes/server/proto/vendor/google/api/metric.proto

@@ -0,0 +1,287 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/api/label.proto";
+import "google/api/launch_stage.proto";
+import "google/protobuf/duration.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/metric;metric";
+option java_multiple_files = true;
+option java_outer_classname = "MetricProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Defines a metric type and its schema. Once a metric descriptor is created,
+// deleting or altering it stops data collection and makes the metric type's
+// existing data unusable.
+//
+message MetricDescriptor {
+  // The kind of measurement. It describes how the data is reported.
+  // For information on setting the start time and end time based on
+  // the MetricKind, see [TimeInterval][google.monitoring.v3.TimeInterval].
+  enum MetricKind {
+    // Do not use this default value.
+    METRIC_KIND_UNSPECIFIED = 0;
+
+    // An instantaneous measurement of a value.
+    GAUGE = 1;
+
+    // The change in a value during a time interval.
+    DELTA = 2;
+
+    // A value accumulated over a time interval.  Cumulative
+    // measurements in a time series should have the same start time
+    // and increasing end times, until an event resets the cumulative
+    // value to zero and sets a new start time for the following
+    // points.
+    CUMULATIVE = 3;
+  }
+
+  // The value type of a metric.
+  enum ValueType {
+    // Do not use this default value.
+    VALUE_TYPE_UNSPECIFIED = 0;
+
+    // The value is a boolean.
+    // This value type can be used only if the metric kind is `GAUGE`.
+    BOOL = 1;
+
+    // The value is a signed 64-bit integer.
+    INT64 = 2;
+
+    // The value is a double precision floating point number.
+    DOUBLE = 3;
+
+    // The value is a text string.
+    // This value type can be used only if the metric kind is `GAUGE`.
+    STRING = 4;
+
+    // The value is a [`Distribution`][google.api.Distribution].
+    DISTRIBUTION = 5;
+
+    // The value is money.
+    MONEY = 6;
+  }
+
+  // Additional annotations that can be used to guide the usage of a metric.
+  message MetricDescriptorMetadata {
+    // The resource hierarchy level of the timeseries data of a metric.
+    enum TimeSeriesResourceHierarchyLevel {
+      // Do not use this default value.
+      TIME_SERIES_RESOURCE_HIERARCHY_LEVEL_UNSPECIFIED = 0;
+
+      // Scopes a metric to a project.
+      PROJECT = 1;
+
+      // Scopes a metric to an organization.
+      ORGANIZATION = 2;
+
+      // Scopes a metric to a folder.
+      FOLDER = 3;
+    }
+
+    // Deprecated. Must use the
+    // [MetricDescriptor.launch_stage][google.api.MetricDescriptor.launch_stage]
+    // instead.
+    LaunchStage launch_stage = 1 [deprecated = true];
+
+    // The sampling period of metric data points. For metrics which are written
+    // periodically, consecutive data points are stored at this time interval,
+    // excluding data loss due to errors. Metrics with a higher granularity have
+    // a smaller sampling period.
+    google.protobuf.Duration sample_period = 2;
+
+    // The delay of data points caused by ingestion. Data points older than this
+    // age are guaranteed to be ingested and available to be read, excluding
+    // data loss due to errors.
+    google.protobuf.Duration ingest_delay = 3;
+
+    // The scope of the timeseries data of the metric.
+    repeated TimeSeriesResourceHierarchyLevel
+        time_series_resource_hierarchy_level = 4;
+  }
+
+  // The resource name of the metric descriptor.
+  string name = 1;
+
+  // The metric type, including its DNS name prefix. The type is not
+  // URL-encoded. All user-defined metric types have the DNS name
+  // `custom.googleapis.com` or `external.googleapis.com`. Metric types should
+  // use a natural hierarchical grouping. For example:
+  //
+  //     "custom.googleapis.com/invoice/paid/amount"
+  //     "external.googleapis.com/prometheus/up"
+  //     "appengine.googleapis.com/http/server/response_latencies"
+  string type = 8;
+
+  // The set of labels that can be used to describe a specific
+  // instance of this metric type. For example, the
+  // `appengine.googleapis.com/http/server/response_latencies` metric
+  // type has a label for the HTTP response code, `response_code`, so
+  // you can look at latencies for successful responses or just
+  // for responses that failed.
+  repeated LabelDescriptor labels = 2;
+
+  // Whether the metric records instantaneous values, changes to a value, etc.
+  // Some combinations of `metric_kind` and `value_type` might not be supported.
+  MetricKind metric_kind = 3;
+
+  // Whether the measurement is an integer, a floating-point number, etc.
+  // Some combinations of `metric_kind` and `value_type` might not be supported.
+  ValueType value_type = 4;
+
+  // The units in which the metric value is reported. It is only applicable
+  // if the `value_type` is `INT64`, `DOUBLE`, or `DISTRIBUTION`. The `unit`
+  // defines the representation of the stored metric values.
+  //
+  // Different systems might scale the values to be more easily displayed (so a
+  // value of `0.02kBy` _might_ be displayed as `20By`, and a value of
+  // `3523kBy` _might_ be displayed as `3.5MBy`). However, if the `unit` is
+  // `kBy`, then the value of the metric is always in thousands of bytes, no
+  // matter how it might be displayed.
+  //
+  // If you want a custom metric to record the exact number of CPU-seconds used
+  // by a job, you can create an `INT64 CUMULATIVE` metric whose `unit` is
+  // `s{CPU}` (or equivalently `1s{CPU}` or just `s`). If the job uses 12,005
+  // CPU-seconds, then the value is written as `12005`.
+  //
+  // Alternatively, if you want a custom metric to record data in a more
+  // granular way, you can create a `DOUBLE CUMULATIVE` metric whose `unit` is
+  // `ks{CPU}`, and then write the value `12.005` (which is `12005/1000`),
+  // or use `Kis{CPU}` and write `11.723` (which is `12005/1024`).
+  //
+  // The supported units are a subset of [The Unified Code for Units of
+  // Measure](https://unitsofmeasure.org/ucum.html) standard:
+  //
+  // **Basic units (UNIT)**
+  //
+  // * `bit`   bit
+  // * `By`    byte
+  // * `s`     second
+  // * `min`   minute
+  // * `h`     hour
+  // * `d`     day
+  // * `1`     dimensionless
+  //
+  // **Prefixes (PREFIX)**
+  //
+  // * `k`     kilo    (10^3)
+  // * `M`     mega    (10^6)
+  // * `G`     giga    (10^9)
+  // * `T`     tera    (10^12)
+  // * `P`     peta    (10^15)
+  // * `E`     exa     (10^18)
+  // * `Z`     zetta   (10^21)
+  // * `Y`     yotta   (10^24)
+  //
+  // * `m`     milli   (10^-3)
+  // * `u`     micro   (10^-6)
+  // * `n`     nano    (10^-9)
+  // * `p`     pico    (10^-12)
+  // * `f`     femto   (10^-15)
+  // * `a`     atto    (10^-18)
+  // * `z`     zepto   (10^-21)
+  // * `y`     yocto   (10^-24)
+  //
+  // * `Ki`    kibi    (2^10)
+  // * `Mi`    mebi    (2^20)
+  // * `Gi`    gibi    (2^30)
+  // * `Ti`    tebi    (2^40)
+  // * `Pi`    pebi    (2^50)
+  //
+  // **Grammar**
+  //
+  // The grammar also includes these connectors:
+  //
+  // * `/`    division or ratio (as an infix operator). For examples,
+  //          `kBy/{email}` or `MiBy/10ms` (although you should almost never
+  //          have `/s` in a metric `unit`; rates should always be computed at
+  //          query time from the underlying cumulative or delta value).
+  // * `.`    multiplication or composition (as an infix operator). For
+  //          examples, `GBy.d` or `k{watt}.h`.
+  //
+  // The grammar for a unit is as follows:
+  //
+  //     Expression = Component { "." Component } { "/" Component } ;
+  //
+  //     Component = ( [ PREFIX ] UNIT | "%" ) [ Annotation ]
+  //               | Annotation
+  //               | "1"
+  //               ;
+  //
+  //     Annotation = "{" NAME "}" ;
+  //
+  // Notes:
+  //
+  // * `Annotation` is just a comment if it follows a `UNIT`. If the annotation
+  //    is used alone, then the unit is equivalent to `1`. For examples,
+  //    `{request}/s == 1/s`, `By{transmitted}/s == By/s`.
+  // * `NAME` is a sequence of non-blank printable ASCII characters not
+  //    containing `{` or `}`.
+  // * `1` represents a unitary [dimensionless
+  //    unit](https://en.wikipedia.org/wiki/Dimensionless_quantity) of 1, such
+  //    as in `1/s`. It is typically used when none of the basic units are
+  //    appropriate. For example, "new users per day" can be represented as
+  //    `1/d` or `{new-users}/d` (and a metric value `5` would mean "5 new
+  //    users). Alternatively, "thousands of page views per day" would be
+  //    represented as `1000/d` or `k1/d` or `k{page_views}/d` (and a metric
+  //    value of `5.3` would mean "5300 page views per day").
+  // * `%` represents dimensionless value of 1/100, and annotates values giving
+  //    a percentage (so the metric values are typically in the range of 0..100,
+  //    and a metric value `3` means "3 percent").
+  // * `10^2.%` indicates a metric contains a ratio, typically in the range
+  //    0..1, that will be multiplied by 100 and displayed as a percentage
+  //    (so a metric value `0.03` means "3 percent").
+  string unit = 5;
+
+  // A detailed description of the metric, which can be used in documentation.
+  string description = 6;
+
+  // A concise name for the metric, which can be displayed in user interfaces.
+  // Use sentence case without an ending period, for example "Request count".
+  // This field is optional but it is recommended to be set for any metrics
+  // associated with user-visible concepts, such as Quota.
+  string display_name = 7;
+
+  // Optional. Metadata which can be used to guide usage of the metric.
+  MetricDescriptorMetadata metadata = 10;
+
+  // Optional. The launch stage of the metric definition.
+  LaunchStage launch_stage = 12;
+
+  // Read-only. If present, then a [time
+  // series][google.monitoring.v3.TimeSeries], which is identified partially by
+  // a metric type and a
+  // [MonitoredResourceDescriptor][google.api.MonitoredResourceDescriptor], that
+  // is associated with this metric type can only be associated with one of the
+  // monitored resource types listed here.
+  repeated string monitored_resource_types = 13;
+}
+
+// A specific metric, identified by specifying values for all of the
+// labels of a [`MetricDescriptor`][google.api.MetricDescriptor].
+message Metric {
+  // An existing metric type, see
+  // [google.api.MetricDescriptor][google.api.MetricDescriptor]. For example,
+  // `custom.googleapis.com/invoice/paid/amount`.
+  string type = 3;
+
+  // The set of label values that uniquely identify this metric. All
+  // labels listed in the `MetricDescriptor` must be assigned values.
+  map<string, string> labels = 2;
+}

apps/hermes/server/proto/vendor/google/api/monitored_resource.proto

@@ -0,0 +1,130 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/api/label.proto";
+import "google/api/launch_stage.proto";
+import "google/protobuf/struct.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/api/monitoredres;monitoredres";
+option java_multiple_files = true;
+option java_outer_classname = "MonitoredResourceProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// An object that describes the schema of a
+// [MonitoredResource][google.api.MonitoredResource] object using a type name
+// and a set of labels.  For example, the monitored resource descriptor for
+// Google Compute Engine VM instances has a type of
+// `"gce_instance"` and specifies the use of the labels `"instance_id"` and
+// `"zone"` to identify particular VM instances.
+//
+// Different APIs can support different monitored resource types. APIs generally
+// provide a `list` method that returns the monitored resource descriptors used
+// by the API.
+//
+message MonitoredResourceDescriptor {
+  // Optional. The resource name of the monitored resource descriptor:
+  // `"projects/{project_id}/monitoredResourceDescriptors/{type}"` where
+  // {type} is the value of the `type` field in this object and
+  // {project_id} is a project ID that provides API-specific context for
+  // accessing the type.  APIs that do not use project information can use the
+  // resource name format `"monitoredResourceDescriptors/{type}"`.
+  string name = 5;
+
+  // Required. The monitored resource type. For example, the type
+  // `"cloudsql_database"` represents databases in Google Cloud SQL.
+  //  For a list of types, see [Monitored resource
+  //  types](https://cloud.google.com/monitoring/api/resources)
+  // and [Logging resource
+  // types](https://cloud.google.com/logging/docs/api/v2/resource-list).
+  string type = 1;
+
+  // Optional. A concise name for the monitored resource type that might be
+  // displayed in user interfaces. It should be a Title Cased Noun Phrase,
+  // without any article or other determiners. For example,
+  // `"Google Cloud SQL Database"`.
+  string display_name = 2;
+
+  // Optional. A detailed description of the monitored resource type that might
+  // be used in documentation.
+  string description = 3;
+
+  // Required. A set of labels used to describe instances of this monitored
+  // resource type. For example, an individual Google Cloud SQL database is
+  // identified by values for the labels `"database_id"` and `"zone"`.
+  repeated LabelDescriptor labels = 4;
+
+  // Optional. The launch stage of the monitored resource definition.
+  LaunchStage launch_stage = 7;
+}
+
+// An object representing a resource that can be used for monitoring, logging,
+// billing, or other purposes. Examples include virtual machine instances,
+// databases, and storage devices such as disks. The `type` field identifies a
+// [MonitoredResourceDescriptor][google.api.MonitoredResourceDescriptor] object
+// that describes the resource's schema. Information in the `labels` field
+// identifies the actual resource and its attributes according to the schema.
+// For example, a particular Compute Engine VM instance could be represented by
+// the following object, because the
+// [MonitoredResourceDescriptor][google.api.MonitoredResourceDescriptor] for
+// `"gce_instance"` has labels
+// `"project_id"`, `"instance_id"` and `"zone"`:
+//
+//     { "type": "gce_instance",
+//       "labels": { "project_id": "my-project",
+//                   "instance_id": "12345678901234",
+//                   "zone": "us-central1-a" }}
+message MonitoredResource {
+  // Required. The monitored resource type. This field must match
+  // the `type` field of a
+  // [MonitoredResourceDescriptor][google.api.MonitoredResourceDescriptor]
+  // object. For example, the type of a Compute Engine VM instance is
+  // `gce_instance`. Some descriptors include the service name in the type; for
+  // example, the type of a Datastream stream is
+  // `datastream.googleapis.com/Stream`.
+  string type = 1;
+
+  // Required. Values for all of the labels listed in the associated monitored
+  // resource descriptor. For example, Compute Engine VM instances use the
+  // labels `"project_id"`, `"instance_id"`, and `"zone"`.
+  map<string, string> labels = 2;
+}
+
+// Auxiliary metadata for a [MonitoredResource][google.api.MonitoredResource]
+// object. [MonitoredResource][google.api.MonitoredResource] objects contain the
+// minimum set of information to uniquely identify a monitored resource
+// instance. There is some other useful auxiliary metadata. Monitoring and
+// Logging use an ingestion pipeline to extract metadata for cloud resources of
+// all types, and store the metadata in this message.
+message MonitoredResourceMetadata {
+  // Output only. Values for predefined system metadata labels.
+  // System labels are a kind of metadata extracted by Google, including
+  // "machine_image", "vpc", "subnet_id",
+  // "security_group", "name", etc.
+  // System label values can be only strings, Boolean values, or a list of
+  // strings. For example:
+  //
+  //     { "name": "my-test-instance",
+  //       "security_group": ["a", "b", "c"],
+  //       "spot_instance": false }
+  google.protobuf.Struct system_labels = 1;
+
+  // Output only. A map of user-defined metadata labels.
+  map<string, string> user_labels = 2;
+}

apps/hermes/server/proto/vendor/google/api/monitoring.proto

@@ -0,0 +1,107 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "MonitoringProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Monitoring configuration of the service.
+//
+// The example below shows how to configure monitored resources and metrics
+// for monitoring. In the example, a monitored resource and two metrics are
+// defined. The `library.googleapis.com/book/returned_count` metric is sent
+// to both producer and consumer projects, whereas the
+// `library.googleapis.com/book/num_overdue` metric is only sent to the
+// consumer project.
+//
+//     monitored_resources:
+//     - type: library.googleapis.com/Branch
+//       display_name: "Library Branch"
+//       description: "A branch of a library."
+//       launch_stage: GA
+//       labels:
+//       - key: resource_container
+//         description: "The Cloud container (ie. project id) for the Branch."
+//       - key: location
+//         description: "The location of the library branch."
+//       - key: branch_id
+//         description: "The id of the branch."
+//     metrics:
+//     - name: library.googleapis.com/book/returned_count
+//       display_name: "Books Returned"
+//       description: "The count of books that have been returned."
+//       launch_stage: GA
+//       metric_kind: DELTA
+//       value_type: INT64
+//       unit: "1"
+//       labels:
+//       - key: customer_id
+//         description: "The id of the customer."
+//     - name: library.googleapis.com/book/num_overdue
+//       display_name: "Books Overdue"
+//       description: "The current number of overdue books."
+//       launch_stage: GA
+//       metric_kind: GAUGE
+//       value_type: INT64
+//       unit: "1"
+//       labels:
+//       - key: customer_id
+//         description: "The id of the customer."
+//     monitoring:
+//       producer_destinations:
+//       - monitored_resource: library.googleapis.com/Branch
+//         metrics:
+//         - library.googleapis.com/book/returned_count
+//       consumer_destinations:
+//       - monitored_resource: library.googleapis.com/Branch
+//         metrics:
+//         - library.googleapis.com/book/returned_count
+//         - library.googleapis.com/book/num_overdue
+message Monitoring {
+  // Configuration of a specific monitoring destination (the producer project
+  // or the consumer project).
+  message MonitoringDestination {
+    // The monitored resource type. The type must be defined in
+    // [Service.monitored_resources][google.api.Service.monitored_resources]
+    // section.
+    string monitored_resource = 1;
+
+    // Types of the metrics to report to this monitoring destination.
+    // Each type must be defined in
+    // [Service.metrics][google.api.Service.metrics] section.
+    repeated string metrics = 2;
+  }
+
+  // Monitoring configurations for sending metrics to the producer project.
+  // There can be multiple producer destinations. A monitored resource type may
+  // appear in multiple monitoring destinations if different aggregations are
+  // needed for different sets of metrics associated with that monitored
+  // resource type. A monitored resource and metric pair may only be used once
+  // in the Monitoring configuration.
+  repeated MonitoringDestination producer_destinations = 1;
+
+  // Monitoring configurations for sending metrics to the consumer project.
+  // There can be multiple consumer destinations. A monitored resource type may
+  // appear in multiple monitoring destinations if different aggregations are
+  // needed for different sets of metrics associated with that monitored
+  // resource type. A monitored resource and metric pair may only be used once
+  // in the Monitoring configuration.
+  repeated MonitoringDestination consumer_destinations = 2;
+}

apps/hermes/server/proto/vendor/google/api/policy.proto

@@ -0,0 +1,83 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/protobuf/descriptor.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "PolicyProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+extend google.protobuf.FieldOptions {
+  // See [FieldPolicy][].
+  google.api.FieldPolicy field_policy = 158361448;
+}
+
+extend google.protobuf.MethodOptions {
+  // See [MethodPolicy][].
+  google.api.MethodPolicy method_policy = 161893301;
+}
+
+// Google API Policy Annotation
+//
+// This message defines a simple API policy annotation that can be used to
+// annotate API request and response message fields with applicable policies.
+// One field may have multiple applicable policies that must all be satisfied
+// before a request can be processed. This policy annotation is used to
+// generate the overall policy that will be used for automatic runtime
+// policy enforcement and documentation generation.
+message FieldPolicy {
+  // Selects one or more request or response message fields to apply this
+  // `FieldPolicy`.
+  //
+  // When a `FieldPolicy` is used in proto annotation, the selector must
+  // be left as empty. The service config generator will automatically fill
+  // the correct value.
+  //
+  // When a `FieldPolicy` is used in service config, the selector must be a
+  // comma-separated string with valid request or response field paths,
+  // such as "foo.bar" or "foo.bar,foo.baz".
+  string selector = 1;
+
+  // Specifies the required permission(s) for the resource referred to by the
+  // field. It requires the field contains a valid resource reference, and
+  // the request must pass the permission checks to proceed. For example,
+  // "resourcemanager.projects.get".
+  string resource_permission = 2;
+
+  // Specifies the resource type for the resource referred to by the field.
+  string resource_type = 3;
+}
+
+// Defines policies applying to an RPC method.
+message MethodPolicy {
+  // Selects a method to which these policies should be enforced, for example,
+  // "google.pubsub.v1.Subscriber.CreateSubscription".
+  //
+  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
+  // details.
+  //
+  // NOTE: This field must not be set in the proto annotation. It will be
+  // automatically filled by the service config compiler .
+  string selector = 9;
+
+  // Policies that are applicable to the request message.
+  repeated FieldPolicy request_policies = 2;
+}

apps/hermes/server/proto/vendor/google/api/quota.proto

@@ -0,0 +1,184 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "QuotaProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Quota configuration helps to achieve fairness and budgeting in service
+// usage.
+//
+// The metric based quota configuration works this way:
+// - The service configuration defines a set of metrics.
+// - For API calls, the quota.metric_rules maps methods to metrics with
+//   corresponding costs.
+// - The quota.limits defines limits on the metrics, which will be used for
+//   quota checks at runtime.
+//
+// An example quota configuration in yaml format:
+//
+//    quota:
+//      limits:
+//
+//      - name: apiWriteQpsPerProject
+//        metric: library.googleapis.com/write_calls
+//        unit: "1/min/{project}"  # rate limit for consumer projects
+//        values:
+//          STANDARD: 10000
+//
+//
+//      (The metric rules bind all methods to the read_calls metric,
+//       except for the UpdateBook and DeleteBook methods. These two methods
+//       are mapped to the write_calls metric, with the UpdateBook method
+//       consuming at twice rate as the DeleteBook method.)
+//      metric_rules:
+//      - selector: "*"
+//        metric_costs:
+//          library.googleapis.com/read_calls: 1
+//      - selector: google.example.library.v1.LibraryService.UpdateBook
+//        metric_costs:
+//          library.googleapis.com/write_calls: 2
+//      - selector: google.example.library.v1.LibraryService.DeleteBook
+//        metric_costs:
+//          library.googleapis.com/write_calls: 1
+//
+//  Corresponding Metric definition:
+//
+//      metrics:
+//      - name: library.googleapis.com/read_calls
+//        display_name: Read requests
+//        metric_kind: DELTA
+//        value_type: INT64
+//
+//      - name: library.googleapis.com/write_calls
+//        display_name: Write requests
+//        metric_kind: DELTA
+//        value_type: INT64
+//
+//
+message Quota {
+  // List of QuotaLimit definitions for the service.
+  repeated QuotaLimit limits = 3;
+
+  // List of MetricRule definitions, each one mapping a selected method to one
+  // or more metrics.
+  repeated MetricRule metric_rules = 4;
+}
+
+// Bind API methods to metrics. Binding a method to a metric causes that
+// metric's configured quota behaviors to apply to the method call.
+message MetricRule {
+  // Selects the methods to which this rule applies.
+  //
+  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
+  // details.
+  string selector = 1;
+
+  // Metrics to update when the selected methods are called, and the associated
+  // cost applied to each metric.
+  //
+  // The key of the map is the metric name, and the values are the amount
+  // increased for the metric against which the quota limits are defined.
+  // The value must not be negative.
+  map<string, int64> metric_costs = 2;
+}
+
+// `QuotaLimit` defines a specific limit that applies over a specified duration
+// for a limit type. There can be at most one limit for a duration and limit
+// type combination defined within a `QuotaGroup`.
+message QuotaLimit {
+  // Name of the quota limit.
+  //
+  // The name must be provided, and it must be unique within the service. The
+  // name can only include alphanumeric characters as well as '-'.
+  //
+  // The maximum length of the limit name is 64 characters.
+  string name = 6;
+
+  // Optional. User-visible, extended description for this quota limit.
+  // Should be used only when more context is needed to understand this limit
+  // than provided by the limit's display name (see: `display_name`).
+  string description = 2;
+
+  // Default number of tokens that can be consumed during the specified
+  // duration. This is the number of tokens assigned when a client
+  // application developer activates the service for his/her project.
+  //
+  // Specifying a value of 0 will block all requests. This can be used if you
+  // are provisioning quota to selected consumers and blocking others.
+  // Similarly, a value of -1 will indicate an unlimited quota. No other
+  // negative values are allowed.
+  //
+  // Used by group-based quotas only.
+  int64 default_limit = 3;
+
+  // Maximum number of tokens that can be consumed during the specified
+  // duration. Client application developers can override the default limit up
+  // to this maximum. If specified, this value cannot be set to a value less
+  // than the default limit. If not specified, it is set to the default limit.
+  //
+  // To allow clients to apply overrides with no upper bound, set this to -1,
+  // indicating unlimited maximum quota.
+  //
+  // Used by group-based quotas only.
+  int64 max_limit = 4;
+
+  // Free tier value displayed in the Developers Console for this limit.
+  // The free tier is the number of tokens that will be subtracted from the
+  // billed amount when billing is enabled.
+  // This field can only be set on a limit with duration "1d", in a billable
+  // group; it is invalid on any other limit. If this field is not set, it
+  // defaults to 0, indicating that there is no free tier for this service.
+  //
+  // Used by group-based quotas only.
+  int64 free_tier = 7;
+
+  // Duration of this limit in textual notation. Must be "100s" or "1d".
+  //
+  // Used by group-based quotas only.
+  string duration = 5;
+
+  // The name of the metric this quota limit applies to. The quota limits with
+  // the same metric will be checked together during runtime. The metric must be
+  // defined within the service config.
+  string metric = 8;
+
+  // Specify the unit of the quota limit. It uses the same syntax as
+  // [Metric.unit][]. The supported unit kinds are determined by the quota
+  // backend system.
+  //
+  // Here are some examples:
+  // * "1/min/{project}" for quota per minute per project.
+  //
+  // Note: the order of unit components is insignificant.
+  // The "1" at the beginning is required to follow the metric unit syntax.
+  string unit = 9;
+
+  // Tiered limit values. You must specify this as a key:value pair, with an
+  // integer value that is the maximum number of requests allowed for the
+  // specified unit. Currently only STANDARD is supported.
+  map<string, int64> values = 10;
+
+  // User-visible display name for this limit.
+  // Optional. If not set, the UI will provide a default display name based on
+  // the quota configuration. This field can be used to override the default
+  // display name generated from the configuration.
+  string display_name = 12;
+}

apps/hermes/server/proto/vendor/google/api/resource.proto

@@ -0,0 +1,243 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/protobuf/descriptor.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations";
+option java_multiple_files = true;
+option java_outer_classname = "ResourceProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+extend google.protobuf.FieldOptions {
+  // An annotation that describes a resource reference, see
+  // [ResourceReference][].
+  google.api.ResourceReference resource_reference = 1055;
+}
+
+extend google.protobuf.FileOptions {
+  // An annotation that describes a resource definition without a corresponding
+  // message; see [ResourceDescriptor][].
+  repeated google.api.ResourceDescriptor resource_definition = 1053;
+}
+
+extend google.protobuf.MessageOptions {
+  // An annotation that describes a resource definition, see
+  // [ResourceDescriptor][].
+  google.api.ResourceDescriptor resource = 1053;
+}
+
+// A simple descriptor of a resource type.
+//
+// ResourceDescriptor annotates a resource message (either by means of a
+// protobuf annotation or use in the service config), and associates the
+// resource's schema, the resource type, and the pattern of the resource name.
+//
+// Example:
+//
+//     message Topic {
+//       // Indicates this message defines a resource schema.
+//       // Declares the resource type in the format of {service}/{kind}.
+//       // For Kubernetes resources, the format is {api group}/{kind}.
+//       option (google.api.resource) = {
+//         type: "pubsub.googleapis.com/Topic"
+//         pattern: "projects/{project}/topics/{topic}"
+//       };
+//     }
+//
+// The ResourceDescriptor Yaml config will look like:
+//
+//     resources:
+//     - type: "pubsub.googleapis.com/Topic"
+//       pattern: "projects/{project}/topics/{topic}"
+//
+// Sometimes, resources have multiple patterns, typically because they can
+// live under multiple parents.
+//
+// Example:
+//
+//     message LogEntry {
+//       option (google.api.resource) = {
+//         type: "logging.googleapis.com/LogEntry"
+//         pattern: "projects/{project}/logs/{log}"
+//         pattern: "folders/{folder}/logs/{log}"
+//         pattern: "organizations/{organization}/logs/{log}"
+//         pattern: "billingAccounts/{billing_account}/logs/{log}"
+//       };
+//     }
+//
+// The ResourceDescriptor Yaml config will look like:
+//
+//     resources:
+//     - type: 'logging.googleapis.com/LogEntry'
+//       pattern: "projects/{project}/logs/{log}"
+//       pattern: "folders/{folder}/logs/{log}"
+//       pattern: "organizations/{organization}/logs/{log}"
+//       pattern: "billingAccounts/{billing_account}/logs/{log}"
+message ResourceDescriptor {
+  // A description of the historical or future-looking state of the
+  // resource pattern.
+  enum History {
+    // The "unset" value.
+    HISTORY_UNSPECIFIED = 0;
+
+    // The resource originally had one pattern and launched as such, and
+    // additional patterns were added later.
+    ORIGINALLY_SINGLE_PATTERN = 1;
+
+    // The resource has one pattern, but the API owner expects to add more
+    // later. (This is the inverse of ORIGINALLY_SINGLE_PATTERN, and prevents
+    // that from being necessary once there are multiple patterns.)
+    FUTURE_MULTI_PATTERN = 2;
+  }
+
+  // A flag representing a specific style that a resource claims to conform to.
+  enum Style {
+    // The unspecified value. Do not use.
+    STYLE_UNSPECIFIED = 0;
+
+    // This resource is intended to be "declarative-friendly".
+    //
+    // Declarative-friendly resources must be more strictly consistent, and
+    // setting this to true communicates to tools that this resource should
+    // adhere to declarative-friendly expectations.
+    //
+    // Note: This is used by the API linter (linter.aip.dev) to enable
+    // additional checks.
+    DECLARATIVE_FRIENDLY = 1;
+  }
+
+  // The resource type. It must be in the format of
+  // {service_name}/{resource_type_kind}. The `resource_type_kind` must be
+  // singular and must not include version numbers.
+  //
+  // Example: `storage.googleapis.com/Bucket`
+  //
+  // The value of the resource_type_kind must follow the regular expression
+  // /[A-Za-z][a-zA-Z0-9]+/. It should start with an upper case character and
+  // should use PascalCase (UpperCamelCase). The maximum number of
+  // characters allowed for the `resource_type_kind` is 100.
+  string type = 1;
+
+  // Optional. The relative resource name pattern associated with this resource
+  // type. The DNS prefix of the full resource name shouldn't be specified here.
+  //
+  // The path pattern must follow the syntax, which aligns with HTTP binding
+  // syntax:
+  //
+  //     Template = Segment { "/" Segment } ;
+  //     Segment = LITERAL | Variable ;
+  //     Variable = "{" LITERAL "}" ;
+  //
+  // Examples:
+  //
+  //     - "projects/{project}/topics/{topic}"
+  //     - "projects/{project}/knowledgeBases/{knowledge_base}"
+  //
+  // The components in braces correspond to the IDs for each resource in the
+  // hierarchy. It is expected that, if multiple patterns are provided,
+  // the same component name (e.g. "project") refers to IDs of the same
+  // type of resource.
+  repeated string pattern = 2;
+
+  // Optional. The field on the resource that designates the resource name
+  // field. If omitted, this is assumed to be "name".
+  string name_field = 3;
+
+  // Optional. The historical or future-looking state of the resource pattern.
+  //
+  // Example:
+  //
+  //     // The InspectTemplate message originally only supported resource
+  //     // names with organization, and project was added later.
+  //     message InspectTemplate {
+  //       option (google.api.resource) = {
+  //         type: "dlp.googleapis.com/InspectTemplate"
+  //         pattern:
+  //         "organizations/{organization}/inspectTemplates/{inspect_template}"
+  //         pattern: "projects/{project}/inspectTemplates/{inspect_template}"
+  //         history: ORIGINALLY_SINGLE_PATTERN
+  //       };
+  //     }
+  History history = 4;
+
+  // The plural name used in the resource name and permission names, such as
+  // 'projects' for the resource name of 'projects/{project}' and the permission
+  // name of 'cloudresourcemanager.googleapis.com/projects.get'. One exception
+  // to this is for Nested Collections that have stuttering names, as defined
+  // in [AIP-122](https://google.aip.dev/122#nested-collections), where the
+  // collection ID in the resource name pattern does not necessarily directly
+  // match the `plural` value.
+  //
+  // It is the same concept of the `plural` field in k8s CRD spec
+  // https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
+  //
+  // Note: The plural form is required even for singleton resources. See
+  // https://aip.dev/156
+  string plural = 5;
+
+  // The same concept of the `singular` field in k8s CRD spec
+  // https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
+  // Such as "project" for the `resourcemanager.googleapis.com/Project` type.
+  string singular = 6;
+
+  // Style flag(s) for this resource.
+  // These indicate that a resource is expected to conform to a given
+  // style. See the specific style flags for additional information.
+  repeated Style style = 10;
+}
+
+// Defines a proto annotation that describes a string field that refers to
+// an API resource.
+message ResourceReference {
+  // The resource type that the annotated field references.
+  //
+  // Example:
+  //
+  //     message Subscription {
+  //       string topic = 2 [(google.api.resource_reference) = {
+  //         type: "pubsub.googleapis.com/Topic"
+  //       }];
+  //     }
+  //
+  // Occasionally, a field may reference an arbitrary resource. In this case,
+  // APIs use the special value * in their resource reference.
+  //
+  // Example:
+  //
+  //     message GetIamPolicyRequest {
+  //       string resource = 2 [(google.api.resource_reference) = {
+  //         type: "*"
+  //       }];
+  //     }
+  string type = 1;
+
+  // The resource type of a child collection that the annotated field
+  // references. This is useful for annotating the `parent` field that
+  // doesn't have a fixed resource type.
+  //
+  // Example:
+  //
+  //     message ListLogEntriesRequest {
+  //       string parent = 1 [(google.api.resource_reference) = {
+  //         child_type: "logging.googleapis.com/LogEntry"
+  //       };
+  //     }
+  string child_type = 2;
+}

apps/hermes/server/proto/vendor/google/api/routing.proto

@@ -0,0 +1,461 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/protobuf/descriptor.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations";
+option java_multiple_files = true;
+option java_outer_classname = "RoutingProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+extend google.protobuf.MethodOptions {
+  // See RoutingRule.
+  google.api.RoutingRule routing = 72295729;
+}
+
+// Specifies the routing information that should be sent along with the request
+// in the form of routing header.
+// **NOTE:** All service configuration rules follow the "last one wins" order.
+//
+// The examples below will apply to an RPC which has the following request type:
+//
+// Message Definition:
+//
+//     message Request {
+//       // The name of the Table
+//       // Values can be of the following formats:
+//       // - `projects/<project>/tables/<table>`
+//       // - `projects/<project>/instances/<instance>/tables/<table>`
+//       // - `region/<region>/zones/<zone>/tables/<table>`
+//       string table_name = 1;
+//
+//       // This value specifies routing for replication.
+//       // It can be in the following formats:
+//       // - `profiles/<profile_id>`
+//       // - a legacy `profile_id` that can be any string
+//       string app_profile_id = 2;
+//     }
+//
+// Example message:
+//
+//     {
+//       table_name: projects/proj_foo/instances/instance_bar/table/table_baz,
+//       app_profile_id: profiles/prof_qux
+//     }
+//
+// The routing header consists of one or multiple key-value pairs. Every key
+// and value must be percent-encoded, and joined together in the format of
+// `key1=value1&key2=value2`.
+// In the examples below I am skipping the percent-encoding for readablity.
+//
+// Example 1
+//
+// Extracting a field from the request to put into the routing header
+// unchanged, with the key equal to the field name.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // Take the `app_profile_id`.
+//       routing_parameters {
+//         field: "app_profile_id"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params: app_profile_id=profiles/prof_qux
+//
+// Example 2
+//
+// Extracting a field from the request to put into the routing header
+// unchanged, with the key different from the field name.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // Take the `app_profile_id`, but name it `routing_id` in the header.
+//       routing_parameters {
+//         field: "app_profile_id"
+//         path_template: "{routing_id=**}"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params: routing_id=profiles/prof_qux
+//
+// Example 3
+//
+// Extracting a field from the request to put into the routing
+// header, while matching a path template syntax on the field's value.
+//
+// NB: it is more useful to send nothing than to send garbage for the purpose
+// of dynamic routing, since garbage pollutes cache. Thus the matching.
+//
+// Sub-example 3a
+//
+// The field matches the template.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // Take the `table_name`, if it's well-formed (with project-based
+//       // syntax).
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{table_name=projects/*/instances/*/**}"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params:
+//     table_name=projects/proj_foo/instances/instance_bar/table/table_baz
+//
+// Sub-example 3b
+//
+// The field does not match the template.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // Take the `table_name`, if it's well-formed (with region-based
+//       // syntax).
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{table_name=regions/*/zones/*/**}"
+//       }
+//     };
+//
+// result:
+//
+//     <no routing header will be sent>
+//
+// Sub-example 3c
+//
+// Multiple alternative conflictingly named path templates are
+// specified. The one that matches is used to construct the header.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // Take the `table_name`, if it's well-formed, whether
+//       // using the region- or projects-based syntax.
+//
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{table_name=regions/*/zones/*/**}"
+//       }
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{table_name=projects/*/instances/*/**}"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params:
+//     table_name=projects/proj_foo/instances/instance_bar/table/table_baz
+//
+// Example 4
+//
+// Extracting a single routing header key-value pair by matching a
+// template syntax on (a part of) a single request field.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // Take just the project id from the `table_name` field.
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{routing_id=projects/*}/**"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params: routing_id=projects/proj_foo
+//
+// Example 5
+//
+// Extracting a single routing header key-value pair by matching
+// several conflictingly named path templates on (parts of) a single request
+// field. The last template to match "wins" the conflict.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // If the `table_name` does not have instances information,
+//       // take just the project id for routing.
+//       // Otherwise take project + instance.
+//
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{routing_id=projects/*}/**"
+//       }
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{routing_id=projects/*/instances/*}/**"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params:
+//     routing_id=projects/proj_foo/instances/instance_bar
+//
+// Example 6
+//
+// Extracting multiple routing header key-value pairs by matching
+// several non-conflicting path templates on (parts of) a single request field.
+//
+// Sub-example 6a
+//
+// Make the templates strict, so that if the `table_name` does not
+// have an instance information, nothing is sent.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // The routing code needs two keys instead of one composite
+//       // but works only for the tables with the "project-instance" name
+//       // syntax.
+//
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{project_id=projects/*}/instances/*/**"
+//       }
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "projects/*/{instance_id=instances/*}/**"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params:
+//     project_id=projects/proj_foo&instance_id=instances/instance_bar
+//
+// Sub-example 6b
+//
+// Make the templates loose, so that if the `table_name` does not
+// have an instance information, just the project id part is sent.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // The routing code wants two keys instead of one composite
+//       // but will work with just the `project_id` for tables without
+//       // an instance in the `table_name`.
+//
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{project_id=projects/*}/**"
+//       }
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "projects/*/{instance_id=instances/*}/**"
+//       }
+//     };
+//
+// result (is the same as 6a for our example message because it has the instance
+// information):
+//
+//     x-goog-request-params:
+//     project_id=projects/proj_foo&instance_id=instances/instance_bar
+//
+// Example 7
+//
+// Extracting multiple routing header key-value pairs by matching
+// several path templates on multiple request fields.
+//
+// NB: note that here there is no way to specify sending nothing if one of the
+// fields does not match its template. E.g. if the `table_name` is in the wrong
+// format, the `project_id` will not be sent, but the `routing_id` will be.
+// The backend routing code has to be aware of that and be prepared to not
+// receive a full complement of keys if it expects multiple.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // The routing needs both `project_id` and `routing_id`
+//       // (from the `app_profile_id` field) for routing.
+//
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{project_id=projects/*}/**"
+//       }
+//       routing_parameters {
+//         field: "app_profile_id"
+//         path_template: "{routing_id=**}"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params:
+//     project_id=projects/proj_foo&routing_id=profiles/prof_qux
+//
+// Example 8
+//
+// Extracting a single routing header key-value pair by matching
+// several conflictingly named path templates on several request fields. The
+// last template to match "wins" the conflict.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // The `routing_id` can be a project id or a region id depending on
+//       // the table name format, but only if the `app_profile_id` is not set.
+//       // If `app_profile_id` is set it should be used instead.
+//
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{routing_id=projects/*}/**"
+//       }
+//       routing_parameters {
+//          field: "table_name"
+//          path_template: "{routing_id=regions/*}/**"
+//       }
+//       routing_parameters {
+//         field: "app_profile_id"
+//         path_template: "{routing_id=**}"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params: routing_id=profiles/prof_qux
+//
+// Example 9
+//
+// Bringing it all together.
+//
+// annotation:
+//
+//     option (google.api.routing) = {
+//       // For routing both `table_location` and a `routing_id` are needed.
+//       //
+//       // table_location can be either an instance id or a region+zone id.
+//       //
+//       // For `routing_id`, take the value of `app_profile_id`
+//       // - If it's in the format `profiles/<profile_id>`, send
+//       // just the `<profile_id>` part.
+//       // - If it's any other literal, send it as is.
+//       // If the `app_profile_id` is empty, and the `table_name` starts with
+//       // the project_id, send that instead.
+//
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "projects/*/{table_location=instances/*}/tables/*"
+//       }
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{table_location=regions/*/zones/*}/tables/*"
+//       }
+//       routing_parameters {
+//         field: "table_name"
+//         path_template: "{routing_id=projects/*}/**"
+//       }
+//       routing_parameters {
+//         field: "app_profile_id"
+//         path_template: "{routing_id=**}"
+//       }
+//       routing_parameters {
+//         field: "app_profile_id"
+//         path_template: "profiles/{routing_id=*}"
+//       }
+//     };
+//
+// result:
+//
+//     x-goog-request-params:
+//     table_location=instances/instance_bar&routing_id=prof_qux
+message RoutingRule {
+  // A collection of Routing Parameter specifications.
+  // **NOTE:** If multiple Routing Parameters describe the same key
+  // (via the `path_template` field or via the `field` field when
+  // `path_template` is not provided), "last one wins" rule
+  // determines which Parameter gets used.
+  // See the examples for more details.
+  repeated RoutingParameter routing_parameters = 2;
+}
+
+// A projection from an input message to the GRPC or REST header.
+message RoutingParameter {
+  // A request field to extract the header key-value pair from.
+  string field = 1;
+
+  // A pattern matching the key-value field. Optional.
+  // If not specified, the whole field specified in the `field` field will be
+  // taken as value, and its name used as key. If specified, it MUST contain
+  // exactly one named segment (along with any number of unnamed segments) The
+  // pattern will be matched over the field specified in the `field` field, then
+  // if the match is successful:
+  // - the name of the single named segment will be used as a header name,
+  // - the match value of the segment will be used as a header value;
+  // if the match is NOT successful, nothing will be sent.
+  //
+  // Example:
+  //
+  //               -- This is a field in the request message
+  //              |   that the header value will be extracted from.
+  //              |
+  //              |                     -- This is the key name in the
+  //              |                    |   routing header.
+  //              V                    |
+  //     field: "table_name"           v
+  //     path_template: "projects/*/{table_location=instances/*}/tables/*"
+  //                                                ^            ^
+  //                                                |            |
+  //       In the {} brackets is the pattern that --             |
+  //       specifies what to extract from the                    |
+  //       field as a value to be sent.                          |
+  //                                                             |
+  //      The string in the field must match the whole pattern --
+  //      before brackets, inside brackets, after brackets.
+  //
+  // When looking at this specific example, we can see that:
+  // - A key-value pair with the key `table_location`
+  //   and the value matching `instances/*` should be added
+  //   to the x-goog-request-params routing header.
+  // - The value is extracted from the request message's `table_name` field
+  //   if it matches the full pattern specified:
+  //   `projects/*/instances/*/tables/*`.
+  //
+  // **NB:** If the `path_template` field is not provided, the key name is
+  // equal to the field name, and the whole field should be sent as a value.
+  // This makes the pattern for the field and the value functionally equivalent
+  // to `**`, and the configuration
+  //
+  //     {
+  //       field: "table_name"
+  //     }
+  //
+  // is a functionally equivalent shorthand to:
+  //
+  //     {
+  //       field: "table_name"
+  //       path_template: "{table_name=**}"
+  //     }
+  //
+  // See Example 1 for more details.
+  string path_template = 2;
+}

apps/hermes/server/proto/vendor/google/api/service.proto

@@ -0,0 +1,191 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/api/auth.proto";
+import "google/api/backend.proto";
+import "google/api/billing.proto";
+import "google/api/client.proto";
+import "google/api/context.proto";
+import "google/api/control.proto";
+import "google/api/documentation.proto";
+import "google/api/endpoint.proto";
+import "google/api/http.proto";
+import "google/api/log.proto";
+import "google/api/logging.proto";
+import "google/api/metric.proto";
+import "google/api/monitored_resource.proto";
+import "google/api/monitoring.proto";
+import "google/api/quota.proto";
+import "google/api/source_info.proto";
+import "google/api/system_parameter.proto";
+import "google/api/usage.proto";
+import "google/protobuf/api.proto";
+import "google/protobuf/type.proto";
+import "google/protobuf/wrappers.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "ServiceProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// `Service` is the root object of Google API service configuration (service
+// config). It describes the basic information about a logical service,
+// such as the service name and the user-facing title, and delegates other
+// aspects to sub-sections. Each sub-section is either a proto message or a
+// repeated proto message that configures a specific aspect, such as auth.
+// For more information, see each proto message definition.
+//
+// Example:
+//
+//     type: google.api.Service
+//     name: calendar.googleapis.com
+//     title: Google Calendar API
+//     apis:
+//     - name: google.calendar.v3.Calendar
+//
+//     visibility:
+//       rules:
+//       - selector: "google.calendar.v3.*"
+//         restriction: PREVIEW
+//     backend:
+//       rules:
+//       - selector: "google.calendar.v3.*"
+//         address: calendar.example.com
+//
+//     authentication:
+//       providers:
+//       - id: google_calendar_auth
+//         jwks_uri: https://www.googleapis.com/oauth2/v1/certs
+//         issuer: https://securetoken.google.com
+//       rules:
+//       - selector: "*"
+//         requirements:
+//           provider_id: google_calendar_auth
+message Service {
+  // The service name, which is a DNS-like logical identifier for the
+  // service, such as `calendar.googleapis.com`. The service name
+  // typically goes through DNS verification to make sure the owner
+  // of the service also owns the DNS name.
+  string name = 1;
+
+  // The product title for this service, it is the name displayed in Google
+  // Cloud Console.
+  string title = 2;
+
+  // The Google project that owns this service.
+  string producer_project_id = 22;
+
+  // A unique ID for a specific instance of this message, typically assigned
+  // by the client for tracking purpose. Must be no longer than 63 characters
+  // and only lower case letters, digits, '.', '_' and '-' are allowed. If
+  // empty, the server may choose to generate one instead.
+  string id = 33;
+
+  // A list of API interfaces exported by this service. Only the `name` field
+  // of the [google.protobuf.Api][google.protobuf.Api] needs to be provided by
+  // the configuration author, as the remaining fields will be derived from the
+  // IDL during the normalization process. It is an error to specify an API
+  // interface here which cannot be resolved against the associated IDL files.
+  repeated google.protobuf.Api apis = 3;
+
+  // A list of all proto message types included in this API service.
+  // Types referenced directly or indirectly by the `apis` are automatically
+  // included.  Messages which are not referenced but shall be included, such as
+  // types used by the `google.protobuf.Any` type, should be listed here by
+  // name by the configuration author. Example:
+  //
+  //     types:
+  //     - name: google.protobuf.Int32
+  repeated google.protobuf.Type types = 4;
+
+  // A list of all enum types included in this API service.  Enums referenced
+  // directly or indirectly by the `apis` are automatically included.  Enums
+  // which are not referenced but shall be included should be listed here by
+  // name by the configuration author. Example:
+  //
+  //     enums:
+  //     - name: google.someapi.v1.SomeEnum
+  repeated google.protobuf.Enum enums = 5;
+
+  // Additional API documentation.
+  Documentation documentation = 6;
+
+  // API backend configuration.
+  Backend backend = 8;
+
+  // HTTP configuration.
+  Http http = 9;
+
+  // Quota configuration.
+  Quota quota = 10;
+
+  // Auth configuration.
+  Authentication authentication = 11;
+
+  // Context configuration.
+  Context context = 12;
+
+  // Configuration controlling usage of this service.
+  Usage usage = 15;
+
+  // Configuration for network endpoints.  If this is empty, then an endpoint
+  // with the same name as the service is automatically generated to service all
+  // defined APIs.
+  repeated Endpoint endpoints = 18;
+
+  // Configuration for the service control plane.
+  Control control = 21;
+
+  // Defines the logs used by this service.
+  repeated LogDescriptor logs = 23;
+
+  // Defines the metrics used by this service.
+  repeated MetricDescriptor metrics = 24;
+
+  // Defines the monitored resources used by this service. This is required
+  // by the [Service.monitoring][google.api.Service.monitoring] and
+  // [Service.logging][google.api.Service.logging] configurations.
+  repeated MonitoredResourceDescriptor monitored_resources = 25;
+
+  // Billing configuration.
+  Billing billing = 26;
+
+  // Logging configuration.
+  Logging logging = 27;
+
+  // Monitoring configuration.
+  Monitoring monitoring = 28;
+
+  // System parameter configuration.
+  SystemParameters system_parameters = 29;
+
+  // Output only. The source information for this configuration if available.
+  SourceInfo source_info = 37;
+
+  // Settings for [Google Cloud Client
+  // libraries](https://cloud.google.com/apis/docs/cloud-client-libraries)
+  // generated from APIs defined as protocol buffers.
+  Publishing publishing = 45;
+
+  // Obsolete. Do not use.
+  //
+  // This field has no semantic meaning. The service config compiler always
+  // sets this field to `3`.
+  google.protobuf.UInt32Value config_version = 20;
+}

apps/hermes/server/proto/vendor/google/api/source_info.proto

@@ -0,0 +1,31 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/protobuf/any.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "SourceInfoProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Source information used to create a Service Config
+message SourceInfo {
+  // All files used during config generation.
+  repeated google.protobuf.Any source_files = 1;
+}

apps/hermes/server/proto/vendor/google/api/system_parameter.proto

@@ -0,0 +1,96 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "SystemParameterProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// ### System parameter configuration
+//
+// A system parameter is a special kind of parameter defined by the API
+// system, not by an individual API. It is typically mapped to an HTTP header
+// and/or a URL query parameter. This configuration specifies which methods
+// change the names of the system parameters.
+message SystemParameters {
+  // Define system parameters.
+  //
+  // The parameters defined here will override the default parameters
+  // implemented by the system. If this field is missing from the service
+  // config, default system parameters will be used. Default system parameters
+  // and names is implementation-dependent.
+  //
+  // Example: define api key for all methods
+  //
+  //     system_parameters
+  //       rules:
+  //         - selector: "*"
+  //           parameters:
+  //             - name: api_key
+  //               url_query_parameter: api_key
+  //
+  //
+  // Example: define 2 api key names for a specific method.
+  //
+  //     system_parameters
+  //       rules:
+  //         - selector: "/ListShelves"
+  //           parameters:
+  //             - name: api_key
+  //               http_header: Api-Key1
+  //             - name: api_key
+  //               http_header: Api-Key2
+  //
+  // **NOTE:** All service configuration rules follow "last one wins" order.
+  repeated SystemParameterRule rules = 1;
+}
+
+// Define a system parameter rule mapping system parameter definitions to
+// methods.
+message SystemParameterRule {
+  // Selects the methods to which this rule applies. Use '*' to indicate all
+  // methods in all APIs.
+  //
+  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
+  // details.
+  string selector = 1;
+
+  // Define parameters. Multiple names may be defined for a parameter.
+  // For a given method call, only one of them should be used. If multiple
+  // names are used the behavior is implementation-dependent.
+  // If none of the specified names are present the behavior is
+  // parameter-dependent.
+  repeated SystemParameter parameters = 2;
+}
+
+// Define a parameter's name and location. The parameter may be passed as either
+// an HTTP header or a URL query parameter, and if both are passed the behavior
+// is implementation-dependent.
+message SystemParameter {
+  // Define the name of the parameter, such as "api_key" . It is case sensitive.
+  string name = 1;
+
+  // Define the HTTP header name to use for the parameter. It is case
+  // insensitive.
+  string http_header = 2;
+
+  // Define the URL query parameter name to use for the parameter. It is case
+  // sensitive.
+  string url_query_parameter = 3;
+}

apps/hermes/server/proto/vendor/google/api/usage.proto

@@ -0,0 +1,96 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+option go_package = "google.golang.org/genproto/googleapis/api/serviceconfig;serviceconfig";
+option java_multiple_files = true;
+option java_outer_classname = "UsageProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+// Configuration controlling usage of a service.
+message Usage {
+  // Requirements that must be satisfied before a consumer project can use the
+  // service. Each requirement is of the form <service.name>/<requirement-id>;
+  // for example 'serviceusage.googleapis.com/billing-enabled'.
+  //
+  // For Google APIs, a Terms of Service requirement must be included here.
+  // Google Cloud APIs must include "serviceusage.googleapis.com/tos/cloud".
+  // Other Google APIs should include
+  // "serviceusage.googleapis.com/tos/universal". Additional ToS can be
+  // included based on the business needs.
+  repeated string requirements = 1;
+
+  // A list of usage rules that apply to individual API methods.
+  //
+  // **NOTE:** All service configuration rules follow "last one wins" order.
+  repeated UsageRule rules = 6;
+
+  // The full resource name of a channel used for sending notifications to the
+  // service producer.
+  //
+  // Google Service Management currently only supports
+  // [Google Cloud Pub/Sub](https://cloud.google.com/pubsub) as a notification
+  // channel. To use Google Cloud Pub/Sub as the channel, this must be the name
+  // of a Cloud Pub/Sub topic that uses the Cloud Pub/Sub topic name format
+  // documented in https://cloud.google.com/pubsub/docs/overview.
+  string producer_notification_channel = 7;
+}
+
+// Usage configuration rules for the service.
+//
+// NOTE: Under development.
+//
+//
+// Use this rule to configure unregistered calls for the service. Unregistered
+// calls are calls that do not contain consumer project identity.
+// (Example: calls that do not contain an API key).
+// By default, API methods do not allow unregistered calls, and each method call
+// must be identified by a consumer project identity. Use this rule to
+// allow/disallow unregistered calls.
+//
+// Example of an API that wants to allow unregistered calls for entire service.
+//
+//     usage:
+//       rules:
+//       - selector: "*"
+//         allow_unregistered_calls: true
+//
+// Example of a method that wants to allow unregistered calls.
+//
+//     usage:
+//       rules:
+//       - selector: "google.example.library.v1.LibraryService.CreateBook"
+//         allow_unregistered_calls: true
+message UsageRule {
+  // Selects the methods to which this rule applies. Use '*' to indicate all
+  // methods in all APIs.
+  //
+  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
+  // details.
+  string selector = 1;
+
+  // If true, the selected method allows unregistered calls, e.g. calls
+  // that don't identify any user or application.
+  bool allow_unregistered_calls = 2;
+
+  // If true, the selected method should skip service control and the control
+  // plane features, such as quota and billing, will not be available.
+  // This flag is used by Google Cloud Endpoints to bypass checks for internal
+  // methods, such as service health check methods.
+  bool skip_service_control = 3;
+}

apps/hermes/server/proto/vendor/google/api/visibility.proto

@@ -0,0 +1,113 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.api;
+
+import "google/protobuf/descriptor.proto";
+
+option cc_enable_arenas = true;
+option go_package = "google.golang.org/genproto/googleapis/api/visibility;visibility";
+option java_multiple_files = true;
+option java_outer_classname = "VisibilityProto";
+option java_package = "com.google.api";
+option objc_class_prefix = "GAPI";
+
+extend google.protobuf.EnumOptions {
+  // See `VisibilityRule`.
+  google.api.VisibilityRule enum_visibility = 72295727;
+}
+
+extend google.protobuf.EnumValueOptions {
+  // See `VisibilityRule`.
+  google.api.VisibilityRule value_visibility = 72295727;
+}
+
+extend google.protobuf.FieldOptions {
+  // See `VisibilityRule`.
+  google.api.VisibilityRule field_visibility = 72295727;
+}
+
+extend google.protobuf.MessageOptions {
+  // See `VisibilityRule`.
+  google.api.VisibilityRule message_visibility = 72295727;
+}
+
+extend google.protobuf.MethodOptions {
+  // See `VisibilityRule`.
+  google.api.VisibilityRule method_visibility = 72295727;
+}
+
+extend google.protobuf.ServiceOptions {
+  // See `VisibilityRule`.
+  google.api.VisibilityRule api_visibility = 72295727;
+}
+
+// `Visibility` restricts service consumer's access to service elements,
+// such as whether an application can call a visibility-restricted method.
+// The restriction is expressed by applying visibility labels on service
+// elements. The visibility labels are elsewhere linked to service consumers.
+//
+// A service can define multiple visibility labels, but a service consumer
+// should be granted at most one visibility label. Multiple visibility
+// labels for a single service consumer are not supported.
+//
+// If an element and all its parents have no visibility label, its visibility
+// is unconditionally granted.
+//
+// Example:
+//
+//     visibility:
+//       rules:
+//       - selector: google.calendar.Calendar.EnhancedSearch
+//         restriction: PREVIEW
+//       - selector: google.calendar.Calendar.Delegate
+//         restriction: INTERNAL
+//
+// Here, all methods are publicly visible except for the restricted methods
+// EnhancedSearch and Delegate.
+message Visibility {
+  // A list of visibility rules that apply to individual API elements.
+  //
+  // **NOTE:** All service configuration rules follow "last one wins" order.
+  repeated VisibilityRule rules = 1;
+}
+
+// A visibility rule provides visibility configuration for an individual API
+// element.
+message VisibilityRule {
+  // Selects methods, messages, fields, enums, etc. to which this rule applies.
+  //
+  // Refer to [selector][google.api.DocumentationRule.selector] for syntax
+  // details.
+  string selector = 1;
+
+  // A comma-separated list of visibility labels that apply to the `selector`.
+  // Any of the listed labels can be used to grant the visibility.
+  //
+  // If a rule has multiple labels, removing one of the labels but not all of
+  // them can break clients.
+  //
+  // Example:
+  //
+  //     visibility:
+  //       rules:
+  //       - selector: google.calendar.Calendar.EnhancedSearch
+  //         restriction: INTERNAL, PREVIEW
+  //
+  // Removing INTERNAL from this restriction will break clients that rely on
+  // this method and only had access to it through INTERNAL.
+  string restriction = 2;
+}

apps/hermes/server/proto/vendor/gossip/v1/gossip.proto

@@ -0,0 +1,241 @@
+syntax = "proto3";
+
+package gossip.v1;
+
+option go_package = "github.com/certusone/wormhole/node/pkg/proto/gossip/v1;gossipv1";
+
+message GossipMessage {
+  oneof message {
+    SignedObservation signed_observation = 2;
+    SignedHeartbeat signed_heartbeat = 3;
+    SignedVAAWithQuorum signed_vaa_with_quorum = 4;
+    SignedObservationRequest signed_observation_request = 5;
+    SignedChainGovernorConfig signed_chain_governor_config = 8;
+    SignedChainGovernorStatus signed_chain_governor_status = 9;
+    SignedQueryRequest signed_query_request = 10;
+    SignedQueryResponse signed_query_response = 11;
+    SignedObservationBatch signed_observation_batch = 12;
+  }
+}
+
+message SignedHeartbeat {
+  // Serialized Heartbeat message.
+  bytes heartbeat = 1;
+
+  // ECDSA signature using the node's guardian public key.
+  bytes signature = 2;
+
+  // Guardian address that signed this payload (truncated Eth address).
+  // This is already contained in Heartbeat, however, we want to verify
+  // the payload before we deserialize it.
+  bytes guardian_addr = 3;
+}
+
+// P2P gossip heartbeats for network introspection purposes.
+message Heartbeat {
+  // The node's arbitrarily chosen, untrusted nodeName.
+  string node_name = 1;
+  // A monotonic counter that resets to zero on startup.
+  int64 counter = 2;
+  // UNIX wall time.
+  int64 timestamp = 3;
+
+  message Network {
+    // Canonical chain ID.
+    uint32 id = 1;
+    // Consensus height of the node.
+    int64 height = 2;
+    // Chain-specific human-readable representation of the bridge contract address.
+    string contract_address = 3;
+    // Connection error count
+    uint64 error_count = 4;
+    // Safe block height of the node, if supported.
+    int64 safe_height = 5;
+    // Finalized block height of the node, if supported.
+    int64 finalized_height = 6;
+  }
+  repeated Network networks = 4;
+
+  // Human-readable representation of the current bridge node release.
+  string version = 5;
+
+  // Human-readable representation of the guardian key's address.
+  string guardian_addr = 6;
+
+  // UNIX boot timestamp.
+  int64 boot_timestamp = 7;
+
+  // List of features enabled on this node.
+  repeated string features = 8;
+
+  // (Optional) libp2p address of this node.
+  bytes p2p_node_id = 9;
+}
+
+// A SignedObservation is a signed statement by a given guardian node
+// that they observed a given event.
+//
+// Observations always result from an external, final event being observed.
+// Examples are emitted messages in finalized blocks on a block or guardian set changes
+// injected by node operators after reaching off-chain consensus.
+//
+// The event is uniquely identified by its hashed (tx_hash, nonce, values...) tuple.
+//
+// Other nodes will verify the signature. Once any node has observed a quorum of
+// guardians submitting valid signatures for a given hash, they can be assembled into a VAA.
+//
+// Messages without valid signature are dropped unceremoniously.
+message SignedObservation {
+  // Guardian pubkey as truncated eth address.
+  bytes addr = 1;
+  // The observation's deterministic, unique hash.
+  bytes hash = 2;
+  // ECSDA signature of the hash using the node's guardian key.
+  bytes signature = 3;
+  // Transaction hash this observation was made from.
+  // Optional, included for observability.
+  bytes tx_hash = 4;
+  // Message ID (chain/emitter/seq) for this observation.
+  // Optional, included for observability.
+  string message_id = 5;
+}
+
+// A SignedVAAWithQuorum message is sent by nodes whenever one of the VAAs they observed
+// reached a 2/3+ quorum to be considered valid. Signed VAAs are broadcasted to the gossip
+// network to allow nodes to persist them even if they failed to observe the signature.
+message SignedVAAWithQuorum {
+  bytes vaa = 1;
+}
+
+// Any guardian can send a SignedObservationRequest to the network to request
+// all guardians to re-observe a given transaction. This is rate-limited to one
+// request per second per guardian to prevent abuse.
+//
+// In the current implementation, this is only implemented for Solana.
+// For Solana, the tx_hash is the account address of the transaction's message account.
+message SignedObservationRequest {
+  // Serialized observation request.
+  bytes observation_request = 1;
+
+  // Signature
+  bytes signature = 2;
+  bytes guardian_addr = 3;
+}
+
+message ObservationRequest {
+  uint32 chain_id = 1;
+  bytes tx_hash = 2;
+}
+
+// This message is published every five minutes.
+message SignedChainGovernorConfig {
+  // Serialized ChainGovernorConfig message.
+  bytes config = 1;
+
+  // ECDSA signature using the node's guardian key.
+  bytes signature = 2;
+
+  // Guardian address that signed this payload (truncated Eth address).
+  bytes guardian_addr = 3;
+}
+
+message ChainGovernorConfig {
+  message Chain {
+    uint32 chain_id = 1;
+    uint64 notional_limit = 2;
+    uint64 big_transaction_size = 3;
+  }
+
+  message Token {
+    uint32 origin_chain_id = 1;
+    string origin_address = 2; // human-readable hex-encoded (leading 0x)
+    float price = 3;
+  }
+
+  string node_name = 1;
+  int64 counter = 2;
+  int64 timestamp = 3;
+  repeated Chain chains = 4;
+  repeated Token tokens = 5;
+  bool flow_cancel_enabled = 6;
+}
+
+// This message is published every minute.
+message SignedChainGovernorStatus {
+  // Serialized ChainGovernorStatus message.
+  bytes status = 1;
+
+  // ECDSA signature using the node's guardian key.
+  bytes signature = 2;
+
+  // Guardian address that signed this payload (truncated Eth address).
+  bytes guardian_addr = 3;
+}
+
+message ChainGovernorStatus {
+  message EnqueuedVAA {
+    uint64 sequence = 1; // Chain and emitter address are assumed.
+    uint32 release_time = 2;
+    uint64 notional_value = 3;
+    string tx_hash = 4;
+  }
+
+  message Emitter {
+    string emitter_address = 1; // human-readable hex-encoded (leading 0x)
+    uint64 total_enqueued_vaas = 2;
+    repeated EnqueuedVAA enqueued_vaas = 3; // Only the first 20 will be included.
+  }
+
+  message Chain {
+    uint32 chain_id = 1;
+    uint64 remaining_available_notional = 2;
+    repeated Emitter emitters = 3;
+    int64 small_tx_net_notional_value = 4;
+    uint64 small_tx_outgoing_notional_value = 5;
+    uint64 flow_cancel_notional_value = 6;
+  }
+
+  string node_name = 1;
+  int64 counter = 2;
+  int64 timestamp = 3;
+  repeated Chain chains = 4;
+}
+
+message SignedQueryRequest {
+  // Serialized QueryRequest message.
+  bytes query_request = 1;
+
+  // ECDSA signature using the requestor's public key.
+  bytes signature = 2;
+}
+
+message SignedQueryResponse {
+  // Serialized QueryResponse message.
+  bytes query_response = 1;
+
+  // ECDSA signature using the node's guardian public key.
+  bytes signature = 2;
+}
+
+// A SignedObservationBatch is a signed statement by a given guardian node that they observed a number of events.
+message SignedObservationBatch {
+  // Guardian pubkey as truncated eth address.
+  bytes addr = 1;
+  // The set of observations in this batch. Note that the default max message size in libp2p before fragmentation is 1MB.
+  // If we limit this array to 4000 entries, that gives us a marshaled message size of 800K, which is safely below that limit.
+  repeated Observation observations = 2;
+}
+
+// Observation defines a single observation that is contained in SignedObservationBatch
+message Observation {
+  // The observation's deterministic, unique hash.
+  bytes hash = 1;
+  // ECSDA signature of the hash using the node's guardian key.
+  bytes signature = 2;
+  // Transaction hash this observation was made from.
+  // Optional, included for observability.
+  bytes tx_hash = 3;
+  // Message ID (chain/emitter/seq) for this observation.
+  // Optional, included for observability.
+  string message_id = 4;
+}

apps/hermes/server/proto/vendor/node/v1/node.proto

@@ -0,0 +1,451 @@
+syntax = "proto3";
+
+package node.v1;
+
+option go_package = "github.com/certusone/wormhole/node/pkg/proto/node/v1;nodev1";
+
+import "gossip/v1/gossip.proto";
+
+// NodePrivilegedService exposes an administrative API. It runs on a UNIX socket and is authenticated
+// using Linux filesystem permissions.
+service NodePrivilegedService {
+  // InjectGovernanceVAA injects a governance VAA into the guardian node.
+  // The node will inject the VAA into the aggregator and sign/broadcast the VAA signature.
+  //
+  // A consensus majority of nodes on the network will have to inject the VAA within the
+  // VAA timeout window for it to reach consensus.
+  //
+  rpc InjectGovernanceVAA (InjectGovernanceVAARequest) returns (InjectGovernanceVAAResponse);
+
+  // FindMissingMessages will detect message sequence gaps in the local VAA store for a
+  // specific emitter chain and address. Start and end slots are the lowest and highest
+  // sequence numbers available in the local store, respectively.
+  //
+  // An error is returned if more than 1000 gaps are found.
+  rpc FindMissingMessages (FindMissingMessagesRequest) returns (FindMissingMessagesResponse);
+
+  // SendObservationRequest broadcasts a signed observation request to the gossip network
+  // using the node's guardian key. The network rate limits these requests to one per second.
+  // Requests at higher rates will fail silently.
+  rpc SendObservationRequest (SendObservationRequestRequest) returns (SendObservationRequestResponse);
+
+  // ChainGovernorStatus displays the status of the chain governor.
+  rpc ChainGovernorStatus (ChainGovernorStatusRequest) returns (ChainGovernorStatusResponse);
+
+  // ChainGovernorReload clears the chain governor history and reloads it from the database.
+  rpc ChainGovernorReload (ChainGovernorReloadRequest) returns (ChainGovernorReloadResponse);
+
+  // ChainGovernorDropPendingVAA drops a VAA from the chain governor pending list.
+  rpc ChainGovernorDropPendingVAA (ChainGovernorDropPendingVAARequest) returns (ChainGovernorDropPendingVAAResponse);
+
+  // ChainGovernorReleasePendingVAA release a VAA from the chain governor pending list, publishing it immediately.
+  rpc ChainGovernorReleasePendingVAA (ChainGovernorReleasePendingVAARequest) returns (ChainGovernorReleasePendingVAAResponse);
+
+  // ChainGovernorResetReleaseTimer resets the release timer for a chain governor pending VAA to the configured maximum.
+  rpc ChainGovernorResetReleaseTimer (ChainGovernorResetReleaseTimerRequest) returns (ChainGovernorResetReleaseTimerResponse);
+
+  // PurgePythNetVaas deletes PythNet VAAs from the database that are more than the specified number of days old.
+  rpc PurgePythNetVaas (PurgePythNetVaasRequest) returns (PurgePythNetVaasResponse);
+
+  // SignExistingVAA signs an existing VAA for a new guardian set using the local guardian key.
+  rpc SignExistingVAA (SignExistingVAARequest) returns (SignExistingVAAResponse);
+
+  // DumpRPCs returns the RPCs being used by the guardian
+  rpc DumpRPCs (DumpRPCsRequest) returns (DumpRPCsResponse);
+
+  // GetMissingVAAs returns the VAAs from a cloud function that need to be reobserved.
+  rpc GetAndObserveMissingVAAs (GetAndObserveMissingVAAsRequest) returns (GetAndObserveMissingVAAsResponse);
+}
+
+message InjectGovernanceVAARequest {
+  // Index of the current guardian set.
+  uint32 current_set_index = 1;
+
+  // List of governance VAA messages to inject.
+  repeated GovernanceMessage messages = 2;
+
+  // UNIX wall time in seconds
+  uint32 timestamp = 3;
+}
+
+message GovernanceMessage {
+  // Sequence number. This is critical for replay protection - make sure the sequence number
+  // is unique for every new manually injected governance VAA. Sequences are tracked
+  // by emitter, and manually injected VAAs all use a single hardcoded emitter.
+  //
+  // We use random sequence numbers for the manual emitter.
+  uint64 sequence = 2;
+
+  // Random nonce for disambiguation. Must be identical across all nodes.
+  uint32 nonce = 3;
+
+  oneof payload{
+    // Core module
+
+    GuardianSetUpdate guardian_set = 10;
+    ContractUpgrade contract_upgrade = 11;
+
+    // Token bridge, NFT module, and Wormhole Relayer module (for the first two)
+
+    BridgeRegisterChain bridge_register_chain = 12;
+    BridgeUpgradeContract bridge_contract_upgrade = 13;
+
+    // Core, Token bridge, and NFT module
+    RecoverChainId recover_chain_id = 27;
+
+    // Wormchain
+
+    WormchainStoreCode wormchain_store_code = 14;
+    WormchainInstantiateContract wormchain_instantiate_contract = 15;
+    WormchainMigrateContract wormchain_migrate_contract = 16;
+    WormchainWasmInstantiateAllowlist wormchain_wasm_instantiate_allowlist = 23;
+
+    // Gateway
+    GatewayScheduleUpgrade gateway_schedule_upgrade = 24;
+    GatewayCancelUpgrade gateway_cancel_upgrade = 25;
+    GatewayIbcComposabilityMwSetContract gateway_ibc_composability_mw_set_contract = 26;
+
+    // Global Accountant
+    AccountantModifyBalance accountant_modify_balance = 17;
+
+    // Circle Integration
+    CircleIntegrationUpdateWormholeFinality circle_integration_update_wormhole_finality = 18;
+    CircleIntegrationRegisterEmitterAndDomain circle_integration_register_emitter_and_domain = 19;
+    CircleIntegrationUpgradeContractImplementation circle_integration_upgrade_contract_implementation = 20;
+
+    // IBC Receiver Integration
+    IbcUpdateChannelChain ibc_update_channel_chain = 21;
+    // Wormhole Relayer module
+    WormholeRelayerSetDefaultDeliveryProvider wormhole_relayer_set_default_delivery_provider = 22;
+
+    // Generic governance
+    EvmCall evm_call = 28;
+    SolanaCall solana_call = 29;
+  }
+}
+
+message InjectGovernanceVAAResponse {
+  // Canonical digests of the submitted VAAs.
+  repeated bytes digests = 1;
+}
+
+// GuardianSet represents a new guardian set to be submitted to and signed by the node.
+// During the genesis procedure, this data structure will be assembled using off-chain collaborative tooling
+// like GitHub using a human-readable encoding, so readability is a concern.
+message GuardianSetUpdate {
+  // List of guardian set members.
+  message Guardian {
+    // Guardian key pubkey. Stored as hex string with 0x prefix for human readability -
+    // this is the canonical Ethereum representation.
+    string pubkey = 1;
+    // Optional descriptive name. Not stored on any chain, purely informational.
+    string name = 2;
+  };
+  repeated Guardian guardians = 3;
+}
+
+// GuardianKey specifies the on-disk format for a node's guardian key.
+message GuardianKey {
+  // data is the binary representation of the secp256k1 private key.
+  bytes data = 1;
+  // Whether this key is deterministically generated and unsuitable for production mode.
+  bool unsafe_deterministic_key = 2;
+}
+
+message BridgeRegisterChain {
+  // Module identifier of the token or NFT bridge (typically "TokenBridge" or "NFTBridge")
+  string module = 1;
+
+  // ID of the chain to be registered.
+  uint32 chain_id = 2;
+
+  // Hex-encoded emitter address to be registered (without leading 0x).
+  string emitter_address = 3;
+}
+
+enum ModificationKind {
+  MODIFICATION_KIND_UNSPECIFIED = 0;
+  MODIFICATION_KIND_ADD = 1;
+  MODIFICATION_KIND_SUBTRACT = 2;
+}
+
+message AccountantModifyBalance {
+  // Module identifier of the accountant "GlobalAccountant"
+  string module = 1;
+  // ID of the chain to receive this modify.
+  uint32 target_chain_id = 2;
+
+  // The sequence number of this modification.  Each modification must be
+  // uniquely identifiable just by its sequnce number.
+  uint64 sequence = 3;
+  // U16 chain id of the account to be modified.
+  uint32 chain_id = 4;
+  // U16 the chain id of the native chain for the token.
+  uint32 token_chain = 5;
+  // The address of the token on its native chain, hex string encoded.
+  string token_address = 6;
+  // The kind of modification to be made.
+  ModificationKind kind = 7;
+  // The amount to be modified.  This should be a decimal formatted string indicating the
+  // "raw" amount, not adjusted by the decimals of the token.
+  string amount = 8;
+  // A human-readable reason for the modification (max 32 bytes).
+  string reason = 9;
+}
+
+// ContractUpgrade represents a Wormhole contract update to be submitted to and signed by the node.
+message ContractUpgrade {
+  // ID of the chain where the Wormhole contract should be updated (uint16).
+  uint32 chain_id = 1;
+
+  // Hex-encoded address (without leading 0x) address of the new program/contract.
+  string new_contract = 2;
+}
+
+message BridgeUpgradeContract {
+  // Module identifier of the token or NFT bridge (typically "TokenBridge" or "NFTBridge").
+  string module = 1;
+
+  // ID of the chain where the bridge contract should be updated (uint16).
+  uint32 target_chain_id = 2;
+
+  // Hex-encoded address (without leading 0x) of the new program/contract.
+  string new_contract = 3;
+}
+
+message RecoverChainId {
+  // Module identifier
+  string module = 1;
+
+  // The EVM chain ID of the chain to be recovered
+  // This should be a decimal formatted integer string (Uint256)
+  string evm_chain_id = 2;
+
+  // The new chain ID to be used for the chain
+  uint32 new_chain_id = 3;
+}
+
+message WormchainStoreCode {
+  // payload is the hex string of the sha3 256 hash of the wasm binary being uploaded
+  string wasm_hash = 1;
+}
+
+message WormchainInstantiateContract {
+  // CodeID is the reference to the stored WASM code
+  uint64 code_id = 1;
+
+  // Label is optional metadata to be stored with a contract instance.
+  string label = 2;
+
+  // Json encoded message to be passed to the contract on instantiation
+  string instantiation_msg = 3;
+}
+
+message WormchainMigrateContract {
+  // CodeID is the reference to the stored WASM code that the contract should migrate to.
+  uint64 code_id = 1;
+
+  // The address of the contract being migrated.
+  string contract = 2;
+
+  // Msg json encoded message to be passed to the contract on migration
+  string instantiation_msg = 3;
+}
+
+enum WormchainWasmInstantiateAllowlistAction {
+  WORMCHAIN_WASM_INSTANTIATE_ALLOWLIST_ACTION_UNSPECIFIED = 0;
+  WORMCHAIN_WASM_INSTANTIATE_ALLOWLIST_ACTION_ADD = 1;
+  WORMCHAIN_WASM_INSTANTIATE_ALLOWLIST_ACTION_DELETE = 2;
+}
+
+message WormchainWasmInstantiateAllowlist {
+  // CodeID is the reference to the stored WASM code.
+  uint64 code_id = 1;
+
+  // The address of the contract that is allowlisted to call wasm instantiate without a VAA.
+  string contract = 2;
+
+  // Specifying whether to add or delete the allowlist entry
+  WormchainWasmInstantiateAllowlistAction action = 3;
+}
+
+message GatewayIbcComposabilityMwSetContract {
+    // The address of the contract that is set in the ibc composability middleware.
+    string contract = 1;
+}
+
+message GatewayScheduleUpgrade {
+  // Name of the upgrade
+  string name = 1;
+
+  // Height of the upgrade halt
+  uint64 height = 2;
+}
+
+message GatewayCancelUpgrade {}
+
+message CircleIntegrationUpdateWormholeFinality {
+  uint32 finality = 1;
+  uint32 target_chain_id = 2;
+}
+
+message CircleIntegrationRegisterEmitterAndDomain {
+  uint32 foreign_emitter_chain_id = 1;
+  string foreign_emitter_address = 2;
+  uint32 circle_domain = 3;
+  uint32 target_chain_id = 4;
+}
+
+message CircleIntegrationUpgradeContractImplementation {
+  string new_implementation_address = 1;
+  uint32 target_chain_id = 2;
+}
+
+enum IbcUpdateChannelChainModule {
+  IBC_UPDATE_CHANNEL_CHAIN_MODULE_UNSPECIFIED = 0;
+  IBC_UPDATE_CHANNEL_CHAIN_MODULE_RECEIVER = 1;
+  IBC_UPDATE_CHANNEL_CHAIN_MODULE_TRANSLATOR = 2;
+}
+
+message IbcUpdateChannelChain {
+  // Chain ID that this governance VAA should be redeemed on
+  uint32 target_chain_id = 1;
+  // IBC channel ID
+  string channel_id = 2;
+  // ChainID corresponding to the IBC channel
+  uint32 chain_id = 3;
+  // Specifying which governance module this message is for
+  IbcUpdateChannelChainModule module = 4;
+}
+
+message WormholeRelayerSetDefaultDeliveryProvider {
+  // ID of the chain of the Wormhole Relayer contract where the default delivery provider should be updated (uint16).
+  uint32 chain_id = 1;
+
+  // Hex-encoded address (without leading 0x) of the new default delivery provider contract address.
+  string new_default_delivery_provider_address = 2;
+}
+
+message FindMissingMessagesRequest {
+  // Emitter chain ID to iterate.
+  uint32 emitter_chain = 1;
+  // Hex-encoded (without leading 0x) emitter address to iterate.
+  string emitter_address = 2;
+  // Whether to attempt to backfill missing messages from a list of remote nodes.
+  bool rpc_backfill = 3;
+  // List of remote nodes to backfill from.
+  repeated string backfill_nodes = 4;
+}
+
+message FindMissingMessagesResponse {
+  // List of missing sequence numbers.
+  repeated string missing_messages = 1;
+
+  // Range processed
+  uint64 first_sequence = 2;
+  uint64 last_sequence = 3;
+}
+
+message SendObservationRequestRequest {
+  gossip.v1.ObservationRequest observation_request = 1;
+}
+
+message SendObservationRequestResponse {}
+
+message ChainGovernorStatusRequest {}
+
+message ChainGovernorStatusResponse {
+  string response = 1;
+}
+
+message ChainGovernorReloadRequest {}
+
+message ChainGovernorReloadResponse {
+  string response = 1;
+}
+
+message ChainGovernorDropPendingVAARequest {
+  string vaa_id = 1;
+}
+
+message ChainGovernorDropPendingVAAResponse {
+  string response = 1;
+}
+
+message ChainGovernorReleasePendingVAARequest {
+  string vaa_id = 1;
+}
+
+message ChainGovernorReleasePendingVAAResponse {
+  string response = 1;
+}
+
+message ChainGovernorResetReleaseTimerRequest {
+  string vaa_id = 1;
+  uint32 num_days = 2;
+}
+
+message ChainGovernorResetReleaseTimerResponse {
+  string response = 1;
+}
+
+message PurgePythNetVaasRequest {
+  uint64 days_old = 1;
+  bool log_only = 2;
+}
+
+message PurgePythNetVaasResponse {
+  string response = 1;
+}
+
+message SignExistingVAARequest {
+  bytes vaa = 1;
+  repeated string new_guardian_addrs = 2;
+  uint32 new_guardian_set_index = 3;
+}
+
+message SignExistingVAAResponse {
+  bytes vaa = 1;
+}
+
+message DumpRPCsRequest {}
+
+message DumpRPCsResponse {
+  map<string, string> response = 1;
+}
+
+message GetAndObserveMissingVAAsRequest {
+  string url = 1;
+  string api_key = 2;
+}
+
+message GetAndObserveMissingVAAsResponse {
+  string response =1;
+}
+
+// EvmCall represents a generic EVM call that can be executed by the generalized governance contract.
+message EvmCall {
+  // ID of the chain where the action should be executed (uint16).
+  uint32 chain_id = 1;
+
+  // Address of the governance contract (eth address starting with 0x)
+  string governance_contract = 2;
+
+  // Address of the governed contract (eth address starting with 0x)
+  string target_contract = 3;
+
+  // ABI-encoded calldata to be passed on to the governed contract (hex encoded)
+  string abi_encoded_call = 4;
+}
+
+// SolanaCall represents a generic Solana call that can be executed by the generalized governance contract.
+message SolanaCall {
+  // ID of the chain where the action should be executed (uint16).
+  uint32 chain_id = 1;
+
+  // Address of the governance contract (solana address)
+  string governance_contract = 2;
+
+  // Encoded instruction data to be passed on to the governed contract (hex encoded)
+  string encoded_instruction = 3;
+}

apps/hermes/server/proto/vendor/prometheus/v1/remote.proto

@@ -0,0 +1,93 @@
+// Copyright 2016 Prometheus Team
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// NOTICE: THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL
+// Changes were made to use go protobuf instead of gogo protobuf.
+// Original code is here: https://github.com/prometheus/prometheus/blob/e4ec263bcc11493953c75d1b2e7bc78fd0463e05/prompb/remote.proto
+
+syntax = "proto3";
+package prometheus.v1;
+
+//option go_package = "prompb";
+option go_package = "github.com/certusone/wormhole/node/pkg/proto/prometheus/v1;prometheusv1";
+
+import "prometheus/v1/types.proto";
+//import "gogoproto/gogo.proto";
+
+message WriteRequest {
+  repeated prometheus.v1.TimeSeries timeseries = 1 ;
+  // Cortex uses this field to determine the source of the write request.
+  // We reserve it to avoid any compatibility issues.
+  reserved  2;
+  repeated prometheus.v1.MetricMetadata metadata = 3 ;
+}
+
+// ReadRequest represents a remote read request.
+message ReadRequest {
+  repeated Query queries = 1;
+
+  enum ResponseType {
+    // Server will return a single ReadResponse message with matched series that includes list of raw samples.
+    // It's recommended to use streamed response types instead.
+    //
+    // Response headers:
+    // Content-Type: "application/x-protobuf"
+    // Content-Encoding: "snappy"
+    RESPONSE_TYPE_SAMPLES_UNSPECIFIED = 0;
+    // Server will stream a delimited ChunkedReadResponse message that
+    // contains XOR or HISTOGRAM(!) encoded chunks for a single series.
+    // Each message is following varint size and fixed size bigendian
+    // uint32 for CRC32 Castagnoli checksum.
+    //
+    // Response headers:
+    // Content-Type: "application/x-streamed-protobuf; proto=prometheus.ChunkedReadResponse"
+    // Content-Encoding: ""
+    RESPONSE_TYPE_STREAMED_XOR_CHUNKS = 1;
+  }
+
+  // accepted_response_types allows negotiating the content type of the response.
+  //
+  // Response types are taken from the list in the FIFO order. If no response type in `accepted_response_types` is
+  // implemented by server, error is returned.
+  // For request that do not contain `accepted_response_types` field the SAMPLES response type will be used.
+  repeated ResponseType accepted_response_types = 2;
+}
+
+// ReadResponse is a response when response_type equals SAMPLES.
+message ReadResponse {
+  // In same order as the request's queries.
+  repeated QueryResult results = 1;
+}
+
+message Query {
+  int64 start_timestamp_ms = 1;
+  int64 end_timestamp_ms = 2;
+  repeated prometheus.v1.LabelMatcher matchers = 3;
+  prometheus.v1.ReadHints hints = 4;
+}
+
+message QueryResult {
+  // Samples within a time series must be ordered by time.
+  repeated prometheus.v1.TimeSeries timeseries = 1;
+}
+
+// ChunkedReadResponse is a response when response_type equals STREAMED_XOR_CHUNKS.
+// We strictly stream full series after series, optionally split by time. This means that a single frame can contain
+// partition of the single series, but once a new series is started to be streamed it means that no more chunks will
+// be sent for previous one. Series are returned sorted in the same way TSDB block are internally.
+message ChunkedReadResponse {
+  repeated prometheus.v1.ChunkedSeries chunked_series = 1;
+
+  // query_index represents an index of the query from ReadRequest.queries these chunks relates to.
+  int64 query_index = 2;
+}

apps/hermes/server/proto/vendor/prometheus/v1/types.proto

@@ -0,0 +1,192 @@
+// Copyright 2017 Prometheus Team
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// NOTICE: THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL
+// Changes were made to use go protobuf instead of gogo protobuf.
+// Original code is here: https://github.com/prometheus/prometheus/blob/e4ec263bcc11493953c75d1b2e7bc78fd0463e05/prompb/types.proto
+
+syntax = "proto3";
+package prometheus.v1;
+
+//option go_package = "prompb";
+option go_package = "github.com/certusone/wormhole/node/pkg/proto/prometheus/v1;prometheusv1";
+
+//import "gogoproto/gogo.proto";
+
+message MetricMetadata {
+  enum MetricType {
+    METRIC_TYPE_UNKNOWN_UNSPECIFIED        = 0;
+    METRIC_TYPE_COUNTER        = 1;
+    METRIC_TYPE_GAUGE          = 2;
+    METRIC_TYPE_HISTOGRAM      = 3;
+    METRIC_TYPE_GAUGEHISTOGRAM = 4;
+    METRIC_TYPE_SUMMARY        = 5;
+    METRIC_TYPE_INFO           = 6;
+    METRIC_TYPE_STATESET       = 7;
+  }
+
+  // Represents the metric type, these match the set from Prometheus.
+  // Refer to model/textparse/interface.go for details.
+  MetricType type = 1;
+  string metric_family_name = 2;
+  string help = 4;
+  string unit = 5;
+}
+
+message Sample {
+  double value    = 1;
+  // timestamp is in ms format, see model/timestamp/timestamp.go for
+  // conversion from time.Time to Prometheus timestamp.
+  int64 timestamp = 2;
+}
+
+message Exemplar {
+  // Optional, can be empty.
+  repeated Label labels = 1 ;
+  double value = 2;
+  // timestamp is in ms format, see model/timestamp/timestamp.go for
+  // conversion from time.Time to Prometheus timestamp.
+  int64 timestamp = 3;
+}
+
+// A native histogram, also known as a sparse histogram.
+// Original design doc:
+// https://docs.google.com/document/d/1cLNv3aufPZb3fNfaJgdaRBZsInZKKIHo9E6HinJVbpM/edit
+// The appendix of this design doc also explains the concept of float
+// histograms. This Histogram message can represent both, the usual
+// integer histogram as well as a float histogram.
+message Histogram {
+  enum ResetHint {
+    RESET_HINT_UNKNOWN_UNSPECIFIED = 0; // Need to test for a counter reset explicitly.
+    RESET_HINT_YES     = 1; // This is the 1st histogram after a counter reset.
+    RESET_HINT_NO      = 2; // There was no counter reset between this and the previous Histogram.
+    RESET_HINT_GAUGE   = 3; // This is a gauge histogram where counter resets don't happen.
+  }
+
+  oneof count { // Count of observations in the histogram.
+    uint64 count_int   = 1;
+    double count_float = 2;
+  }
+  double sum = 3; // Sum of observations in the histogram.
+  // The schema defines the bucket schema. Currently, valid numbers
+  // are -4 <= n <= 8. They are all for base-2 bucket schemas, where 1
+  // is a bucket boundary in each case, and then each power of two is
+  // divided into 2^n logarithmic buckets. Or in other words, each
+  // bucket boundary is the previous boundary times 2^(2^-n). In the
+  // future, more bucket schemas may be added using numbers < -4 or >
+  // 8.
+  sint32 schema             = 4;
+  double zero_threshold     = 5; // Breadth of the zero bucket.
+  oneof zero_count { // Count in zero bucket.
+    uint64 zero_count_int     = 6;
+    double zero_count_float   = 7;
+  }
+
+  // Negative Buckets.
+  repeated BucketSpan negative_spans =  8 ;
+  // Use either "negative_deltas" or "negative_counts", the former for
+  // regular histograms with integer counts, the latter for float
+  // histograms.
+  repeated sint64 negative_deltas    =  9; // Count delta of each bucket compared to previous one (or to zero for 1st bucket).
+  repeated double negative_counts    = 10; // Absolute count of each bucket.
+
+  // Positive Buckets.
+  repeated BucketSpan positive_spans = 11 ;
+  // Use either "positive_deltas" or "positive_counts", the former for
+  // regular histograms with integer counts, the latter for float
+  // histograms.
+  repeated sint64 positive_deltas    = 12; // Count delta of each bucket compared to previous one (or to zero for 1st bucket).
+  repeated double positive_counts    = 13; // Absolute count of each bucket.
+
+  ResetHint reset_hint               = 14;
+  // timestamp is in ms format, see model/timestamp/timestamp.go for
+  // conversion from time.Time to Prometheus timestamp.
+  int64 timestamp = 15;
+}
+
+// A BucketSpan defines a number of consecutive buckets with their
+// offset. Logically, it would be more straightforward to include the
+// bucket counts in the Span. However, the protobuf representation is
+// more compact in the way the data is structured here (with all the
+// buckets in a single array separate from the Spans).
+message BucketSpan {
+  sint32 offset = 1; // Gap to previous span, or starting point for 1st span (which can be negative).
+  uint32 length = 2; // Length of consecutive buckets.
+}
+
+// TimeSeries represents samples and labels for a single time series.
+message TimeSeries {
+  // For a timeseries to be valid, and for the samples and exemplars
+  // to be ingested by the remote system properly, the labels field is required.
+  repeated Label labels         = 1 ;
+  repeated Sample samples       = 2 ;
+  repeated Exemplar exemplars   = 3 ;
+  repeated Histogram histograms = 4 ;
+}
+
+message Label {
+  string name  = 1;
+  string value = 2;
+}
+
+message Labels {
+  repeated Label labels = 1 ;
+}
+
+// Matcher specifies a rule, which can match or set of labels or not.
+message LabelMatcher {
+  enum Type {
+    TYPE_EQ_UNSPECIFIED  = 0;
+    TYPE_NEQ = 1;
+    TYPE_RE  = 2;
+    TYPE_NRE = 3;
+  }
+  Type type    = 1;
+  string name  = 2;
+  string value = 3;
+}
+
+message ReadHints {
+  int64 step_ms = 1;  // Query step size in milliseconds.
+  string func = 2;    // String representation of surrounding function or aggregation.
+  int64 start_ms = 3; // Start time in milliseconds.
+  int64 end_ms = 4;   // End time in milliseconds.
+  repeated string grouping = 5; // List of label names used in aggregation.
+  bool by = 6; // Indicate whether it is without or by.
+  int64 range_ms = 7; // Range vector selector range in milliseconds.
+}
+
+// Chunk represents a TSDB chunk.
+// Time range [min, max] is inclusive.
+message Chunk {
+  int64 min_time_ms = 1;
+  int64 max_time_ms = 2;
+
+  // We require this to match chunkenc.Encoding.
+  enum Encoding {
+    ENCODING_UNKNOWN_UNSPECIFIED         = 0;
+    ENCODING_XOR             = 1;
+    ENCODING_HISTOGRAM       = 2;
+    ENCODING_FLOAT_HISTOGRAM = 3;
+  }
+  Encoding type  = 3;
+  bytes data     = 4;
+}
+
+// ChunkedSeries represents single, encoded time series.
+message ChunkedSeries {
+  // Labels should be sorted.
+  repeated Label labels = 1 ;
+  // Chunks will be in start time order and may overlap.
+  repeated Chunk chunks = 2 ;
+}

apps/hermes/server/proto/vendor/publicrpc/v1/publicrpc.proto

@@ -0,0 +1,228 @@
+syntax = "proto3";
+
+package publicrpc.v1;
+
+option go_package = "github.com/certusone/wormhole/node/pkg/proto/publicrpc/v1;publicrpcv1";
+
+import "gossip/v1/gossip.proto";
+import "google/api/annotations.proto";
+
+enum ChainID {
+  CHAIN_ID_UNSPECIFIED = 0;
+  CHAIN_ID_SOLANA = 1;
+  CHAIN_ID_ETHEREUM = 2;
+  CHAIN_ID_TERRA = 3;
+  CHAIN_ID_BSC = 4;
+  CHAIN_ID_POLYGON = 5;
+  CHAIN_ID_AVALANCHE = 6;
+  CHAIN_ID_OASIS = 7;
+  CHAIN_ID_ALGORAND = 8;
+  CHAIN_ID_AURORA = 9;
+  CHAIN_ID_FANTOM = 10;
+  CHAIN_ID_KARURA = 11;
+  CHAIN_ID_ACALA = 12;
+  CHAIN_ID_KLAYTN = 13;
+  CHAIN_ID_CELO = 14;
+  CHAIN_ID_NEAR = 15;
+  CHAIN_ID_MOONBEAM = 16;
+  // OBSOLETE: CHAIN_ID_NEON = 17;
+  CHAIN_ID_TERRA2 = 18;
+  CHAIN_ID_INJECTIVE = 19;
+  CHAIN_ID_OSMOSIS = 20;
+  CHAIN_ID_SUI = 21;
+  CHAIN_ID_APTOS = 22;
+  CHAIN_ID_ARBITRUM = 23;
+  CHAIN_ID_OPTIMISM = 24;
+  CHAIN_ID_GNOSIS = 25;
+  CHAIN_ID_PYTHNET = 26;
+  CHAIN_ID_XPLA = 28;
+  CHAIN_ID_BTC = 29;
+  CHAIN_ID_BASE = 30;
+  CHAIN_ID_SEI = 32;
+  CHAIN_ID_ROOTSTOCK = 33;
+  CHAIN_ID_SCROLL = 34;
+  CHAIN_ID_MANTLE = 35;
+  CHAIN_ID_BLAST = 36;
+  CHAIN_ID_XLAYER = 37;
+  CHAIN_ID_LINEA = 38;
+  CHAIN_ID_BERACHAIN = 39;
+  CHAIN_ID_SEIEVM = 40;
+  CHAIN_ID_SNAXCHAIN = 43;
+  CHAIN_ID_UNICHAIN = 44;
+  CHAIN_ID_WORLDCHAIN = 45;
+  CHAIN_ID_WORMCHAIN = 3104;
+  CHAIN_ID_COSMOSHUB = 4000;
+  CHAIN_ID_EVMOS = 4001;
+  CHAIN_ID_KUJIRA = 4002;
+  CHAIN_ID_NEUTRON = 4003;
+  CHAIN_ID_CELESTIA = 4004;
+  CHAIN_ID_STARGAZE = 4005;
+  CHAIN_ID_SEDA = 4006;
+  CHAIN_ID_DYMENSION = 4007;
+  CHAIN_ID_PROVENANCE = 4008;
+  CHAIN_ID_SEPOLIA = 10002;
+  CHAIN_ID_ARBITRUM_SEPOLIA = 10003;
+  CHAIN_ID_BASE_SEPOLIA = 10004;
+  CHAIN_ID_OPTIMISM_SEPOLIA = 10005;
+  CHAIN_ID_HOLESKY = 10006;
+  CHAIN_ID_POLYGON_SEPOLIA = 10007;
+  CHAIN_ID_MONAD_DEVNET = 10008;
+}
+
+// MessageID is a VAA's globally unique identifier (see data availability design document).
+message MessageID {
+  // Emitter chain ID.
+  ChainID emitter_chain = 1;
+  // Hex-encoded (without leading 0x) emitter address.
+  string emitter_address = 2;
+  // Sequence number for (emitter_chain, emitter_address).
+  uint64 sequence = 3;
+}
+
+// PublicRPCService service exposes endpoints to be consumed externally; GUIs, historical record keeping, etc.
+service PublicRPCService {
+  // GetLastHeartbeats returns the last heartbeat received for each guardian node in the
+  // node's active guardian set. Heartbeats received by nodes not in the guardian set are ignored.
+  // The heartbeat value is null if no heartbeat has yet been received.
+  rpc GetLastHeartbeats (GetLastHeartbeatsRequest) returns (GetLastHeartbeatsResponse) {
+    option (google.api.http) = {
+      get: "/v1/heartbeats"
+    };
+  }
+
+  rpc GetSignedVAA (GetSignedVAARequest) returns (GetSignedVAAResponse) {
+    option (google.api.http) = {
+      get: "/v1/signed_vaa/{message_id.emitter_chain}/{message_id.emitter_address}/{message_id.sequence}"
+    };
+  }
+
+  rpc GetCurrentGuardianSet (GetCurrentGuardianSetRequest) returns (GetCurrentGuardianSetResponse) {
+    option (google.api.http) = {
+      get: "/v1/guardianset/current"
+    };
+  }
+
+  rpc GovernorGetAvailableNotionalByChain (GovernorGetAvailableNotionalByChainRequest) returns (GovernorGetAvailableNotionalByChainResponse) {
+    option (google.api.http) = {
+      get: "/v1/governor/available_notional_by_chain"
+    };
+  }
+
+  rpc GovernorGetEnqueuedVAAs (GovernorGetEnqueuedVAAsRequest) returns (GovernorGetEnqueuedVAAsResponse) {
+    option (google.api.http) = {
+      get: "/v1/governor/enqueued_vaas"
+    };
+  }
+
+  rpc GovernorIsVAAEnqueued (GovernorIsVAAEnqueuedRequest) returns (GovernorIsVAAEnqueuedResponse) {
+    option (google.api.http) = {
+      get: "/v1/governor/is_vaa_enqueued/{message_id.emitter_chain}/{message_id.emitter_address}/{message_id.sequence}"
+    };
+  }
+
+  rpc GovernorGetTokenList (GovernorGetTokenListRequest) returns (GovernorGetTokenListResponse) {
+    option (google.api.http) = {
+      get: "/v1/governor/token_list"
+    };
+  }
+
+}
+
+message GetSignedVAARequest {
+  MessageID message_id = 1;
+}
+
+message GetSignedVAAResponse {
+  bytes vaa_bytes = 1;
+}
+
+message GetLastHeartbeatsRequest {
+}
+
+message GetLastHeartbeatsResponse {
+  message Entry {
+    // Verified, hex-encoded (with leading 0x) guardian address. This is the guardian address
+    // which signed this heartbeat. The GuardianAddr field inside the heartbeat
+    // is NOT verified - remote nodes can put arbitrary data in it.
+    string verified_guardian_addr = 1;
+
+    // Base58-encoded libp2p node address that sent this heartbeat, used to
+    // distinguish between multiple nodes running for the same guardian.
+    string p2p_node_addr = 2;
+
+    // Raw heartbeat received from the network. Data is only as trusted
+    // as the guardian node that sent it - none of the fields are verified.
+    gossip.v1.Heartbeat raw_heartbeat = 3;
+  }
+
+  repeated Entry entries = 1;
+}
+
+message GetCurrentGuardianSetRequest {
+}
+
+message GetCurrentGuardianSetResponse {
+  GuardianSet guardian_set = 1;
+}
+
+message GuardianSet {
+  // Guardian set index
+  uint32 index = 1;
+  // List of guardian addresses as human-readable hex-encoded (leading 0x) addresses.
+  repeated string addresses = 2;
+}
+
+message GovernorGetAvailableNotionalByChainRequest {
+}
+
+message GovernorGetAvailableNotionalByChainResponse {
+  message Entry {
+    uint32 chain_id = 1;
+    uint64 remaining_available_notional = 2;
+    uint64 notional_limit = 3;
+    uint64 big_transaction_size = 4;
+  }
+
+  // There is an entry for each chain that is being governed.
+  // Chains that are not being governed are not listed, and assumed to be unlimited.
+  repeated Entry entries = 1;
+}
+
+message GovernorGetEnqueuedVAAsRequest {
+}
+
+message GovernorGetEnqueuedVAAsResponse {
+  message Entry {
+    uint32 emitter_chain = 1;
+    string emitter_address = 2; // human-readable hex-encoded (leading 0x)
+    uint64 sequence = 3;
+    uint32 release_time = 4;
+    uint64 notional_value = 5;
+    string tx_hash = 6;
+  }
+
+  // There is an entry for each enqueued vaa.
+  repeated Entry entries = 1;
+}
+
+message GovernorIsVAAEnqueuedRequest {
+  MessageID message_id = 1;
+}
+
+message GovernorIsVAAEnqueuedResponse {
+  bool is_enqueued = 1;
+}
+
+message GovernorGetTokenListRequest {
+}
+
+message GovernorGetTokenListResponse {
+  message Entry {
+    uint32 origin_chain_id = 1;
+    string origin_address = 2; // human-readable hex-encoded (leading 0x)
+    float price = 3;
+  }
+
+  // There is an entry for each token that applies to the notional TVL calcuation.
+  repeated Entry entries = 1;
+}

apps/hermes/server/proto/vendor/spy/v1/spy.proto

@@ -0,0 +1,64 @@
+syntax = "proto3";
+
+package spy.v1;
+
+option go_package = "github.com/certusone/wormhole/node/pkg/proto/spy/v1;spyv1";
+
+import "google/api/annotations.proto";
+import "gossip/v1/gossip.proto";
+import "publicrpc/v1/publicrpc.proto";
+
+// SpyRPCService exposes a gossip introspection service, allowing sniffing of gossip messages.
+service SpyRPCService {
+  // SubscribeSignedVAA returns a stream of signed VAA messages received on the network.
+  rpc SubscribeSignedVAA (SubscribeSignedVAARequest) returns (stream SubscribeSignedVAAResponse) {
+    option (google.api.http) = {
+      post: "/v1:subscribe_signed_vaa"
+      body: "*"
+    };
+  }
+}
+
+// A MessageFilter represents an exact match for an emitter.
+message EmitterFilter {
+  // Source chain
+  publicrpc.v1.ChainID chain_id = 1;
+  // Hex-encoded (without leading 0x) emitter address.
+  string emitter_address = 2;
+}
+
+
+message BatchFilter {
+  // Source chain
+  publicrpc.v1.ChainID chain_id = 1;
+  // Native transaction identifier bytes.
+  bytes tx_id = 2;
+  // Nonce of the messages in the batch.
+  uint32 nonce = 3;
+}
+
+message BatchTransactionFilter {
+  // Source chain
+  publicrpc.v1.ChainID chain_id = 1;
+  // Native transaction identifier bytes.
+  bytes tx_id = 2;
+}
+
+message FilterEntry {
+  oneof filter {
+    EmitterFilter emitter_filter = 1;
+    BatchFilter batch_filter = 2;
+    BatchTransactionFilter batch_transaction_filter = 3;
+  }
+}
+
+message SubscribeSignedVAARequest {
+  // List of filters to apply to the stream (OR).
+  // If empty, all messages are streamed.
+  repeated FilterEntry filters = 1;
+}
+
+message SubscribeSignedVAAResponse {
+  // Raw VAA bytes
+  bytes vaa_bytes = 1;
+}