NOISSUE - Archive

Signed-off-by: dusan <borovcanindusan1@gmail.com>
Add warning
2026-06-23 06:30:22 +00:00 · 2026-04-06 23:37:04 +02:00 · 2026-04-06 12:11:19 +02:00 · 2026-04-06 11:32:57 +02:00 · 2026-03-18 13:30:06 +01:00 · 2026-03-18 10:26:47 +01:00
200 changed files with 20709 additions and 3836 deletions
@@ -0,0 +1,181 @@
+<!--
+Copyright (c) Abstract Machines
+SPDX-License-Identifier: Apache-2.0
+-->
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Magistrala API Documentation</title>
+    <link rel="stylesheet" type="text/css" href="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.30.3/swagger-ui.css">
+    <style>
+        body {
+            margin: 0;
+            padding: 0;
+        }
+        .topbar {
+            display: none;
+        }
+        .service-selector {
+            background: #1b1b1b;
+            padding: 20px;
+            text-align: center;
+        }
+        .service-selector h1 {
+            color: #fff;
+            margin: 0 0 15px 0;
+            font-family: sans-serif;
+        }
+        .service-dropdown-container {
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            gap: 10px;
+        }
+        .service-dropdown-container label {
+            color: #fff;
+            font-family: sans-serif;
+            font-size: 14px;
+            font-weight: 500;
+        }
+        .service-dropdown {
+            background: #2d2d2d;
+            color: white;
+            border: 1px solid #4990e2;
+            padding: 10px 40px 10px 15px;
+            border-radius: 4px;
+            cursor: pointer;
+            font-size: 14px;
+            font-weight: 500;
+            min-width: 200px;
+            appearance: none;
+            background-image: url('data:image/svg+xml;charset=UTF-8,<svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" viewBox="0 0 12 12"><path fill="%23ffffff" d="M6 9L1 4h10z"/></svg>');
+            background-repeat: no-repeat;
+            background-position: right 12px center;
+        }
+        .service-dropdown:hover {
+            background-color: #3a3a3a;
+            border-color: #357abd;
+        }
+        .service-dropdown:focus {
+            outline: none;
+            border-color: #4990e2;
+            box-shadow: 0 0 0 2px rgba(73, 144, 226, 0.3);
+        }
+
+        /* Responsive styles for mobile */
+        @media (max-width: 768px) {
+            .service-selector {
+                padding: 15px 10px;
+            }
+            .service-selector h1 {
+                font-size: 1.5rem;
+                margin: 0 0 12px 0;
+            }
+            .service-dropdown-container {
+                flex-direction: column;
+                gap: 8px;
+            }
+            .service-dropdown-container label {
+                font-size: 13px;
+            }
+            .service-dropdown {
+                width: 100%;
+                max-width: 300px;
+                min-width: auto;
+                font-size: 13px;
+                padding: 8px 35px 8px 12px;
+            }
+        }
+
+        @media (max-width: 480px) {
+            .service-selector h1 {
+                font-size: 1.25rem;
+            }
+            .service-dropdown {
+                max-width: 250px;
+            }
+        }
+    </style>
+</head>
+<body>
+    <div class="service-selector">
+        <h1>Magistrala API Documentation</h1>
+        <div class="service-dropdown-container">
+            <label for="serviceDropdown">Select Service:</label>
+            <select id="serviceDropdown" class="service-dropdown"></select>
+        </div>
+    </div>
+    <div id="swagger-ui"></div>
+
+    <script src="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.30.3/swagger-ui-bundle.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5.30.3/swagger-ui-standalone-preset.js"></script>
+    <script>
+        // Available API specifications
+        const APIs = APIS_PLACEHOLDER;
+
+        // Get the service from URL query parameter, default to first service
+        function getServiceFromURL() {
+            const params = new URLSearchParams(window.location.search);
+            const service = params.get('service');
+            return service && APIs.includes(service) ? service : APIs[0];
+        }
+
+        // Update URL with selected service
+        function updateURL(service) {
+            const url = new URL(window.location);
+            url.searchParams.set('service', service);
+            window.history.pushState({}, '', url);
+        }
+
+        // Create service selector dropdown
+        function createServiceDropdown() {
+            const dropdown = document.getElementById('serviceDropdown');
+            const currentService = getServiceFromURL();
+
+            APIs.forEach(api => {
+                const option = document.createElement('option');
+                option.value = api;
+                let serviceName = api.replace('.yaml', '').replace(/^\w/, c => c.toUpperCase());
+                if (serviceName.toLowerCase() === 'http') {
+                    serviceName = 'HTTP';
+                }
+                option.textContent = serviceName;
+                if (api === currentService) {
+                    option.selected = true;
+                }
+                dropdown.appendChild(option);
+            });
+
+            // Handle dropdown change
+            dropdown.addEventListener('change', (e) => {
+                const selectedApi = e.target.value;
+                loadSwaggerUI(selectedApi);
+                updateURL(selectedApi);
+            });
+        }
+
+        // Load Swagger UI with specified API spec
+        function loadSwaggerUI(apiSpec) {
+            SwaggerUIBundle({
+                url: apiSpec,
+                dom_id: '#swagger-ui',
+                deepLinking: true,
+                presets: [
+                    SwaggerUIBundle.presets.apis,
+                    SwaggerUIStandalonePreset
+                ],
+                plugins: [
+                    SwaggerUIBundle.plugins.DownloadUrl
+                ],
+                layout: "StandaloneLayout"
+            });
+        }
+
+        // Initialize
+        createServiceDropdown();
+        loadSwaggerUI(getServiceFromURL());
+    </script>
+</body>
+</html>
@@ -22,10 +22,14 @@ jobs:
        run: |
          git fetch --prune --unshallow --tags

+      - name: Get Go version from go.mod
+        id: go-version
+        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
+
      - name: Install Go
        uses: actions/setup-go@v6
        with:
-          go-version: 1.25.x
+          go-version: ${{ steps.go-version.outputs.version }}
          cache-dependency-path: "go.sum"

      - name: Set GOBIN
@@ -46,10 +50,10 @@ jobs:
          verbose: true

      - name: Set up Docker Build
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ secrets.DOCKER_USERNAME }}
@@ -8,6 +8,9 @@ on:
    branches:
      - main

+permissions:
+  contents: write
+
 jobs:
  swagger-ui:
    runs-on: ubuntu-latest
@@ -15,17 +18,28 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v6

-      - name: Swagger UI action
-        id: swagger-ui-action
-        uses: blokovi/swagger-ui-action@main
-        with:
-          dir: "./apidocs/openapi"
-          pattern: "*.yaml"
-          debug: "true"
+      - name: Build Swagger UI
+        run: |
+          # Create output directory
+          mkdir -p swagger-ui
+
+          # Copy OpenAPI YAML files and schemas directory
+          cp apidocs/openapi/*.yaml swagger-ui/
+          cp -r apidocs/openapi/schemas swagger-ui/
+
+          # Get list of YAML files
+          cd apidocs/openapi
+          YAML_FILES=$(ls *.yaml | jq -R -s -c 'split("\n")[:-1]')
+          cd ../..
+
+          # Generate index.html from template
+          sed "s|APIS_PLACEHOLDER|$YAML_FILES|g" .github/swagger-ui-template.html > swagger-ui/index.html
+
+          echo "Generated Swagger UI with APIs: $YAML_FILES"

      - name: Deploy to GitHub Pages
        uses: peaceiris/actions-gh-pages@v4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: swagger-ui
+          publish_dir: ./swagger-ui
          cname: docs.api.magistrala.absmach.eu
@@ -17,10 +17,14 @@ jobs:
      - name: Checkout Code
        uses: actions/checkout@v6

+      - name: Get Go version from go.mod
+        id: go-version
+        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
+
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: 1.25.x
+          go-version: ${{ steps.go-version.outputs.version }}
          cache-dependency-path: "go.sum"

      - name: Set GOBIN
@@ -47,7 +51,7 @@ jobs:
      - name: Run linters
        uses: golangci/golangci-lint-action@v9
        with:
-          version: v2.4.0
+          version: latest
          args: --config ./tools/config/.golangci.yaml

  run-tests:
@@ -61,14 +65,18 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Get Go version from go.mod
+        id: go-version
+        run: echo "version=$(grep '^go ' go.mod | awk '{print $2}')" >> $GITHUB_OUTPUT
+
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
-          go-version: 1.25.x
+          go-version: ${{ steps.go-version.outputs.version }}
          cache-dependency-path: "go.sum"

      - name: Check for changes in specific paths
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@v4
        id: changes
        with:
          base: main
@@ -100,9 +108,6 @@ jobs:
            internal:
              - "internal/**"

-            pkg-errors:
-              - "pkg/errors/**"
-
            pkg-events:
              - "pkg/events/**"
              - "pkg/messaging/**"
@@ -136,7 +141,6 @@ jobs:
              - "alarms/**"
              - "cmd/alarms/**"

-
      - name: Create coverage directory
        run: |
          mkdir coverage
@@ -161,11 +165,6 @@ jobs:
        run: |
          go test --race -v -count=1 -coverprofile=coverage/internal.out ./internal/...

-      - name: Run pkg errors tests
-        if: steps.changes.outputs.pkg-errors == 'true' || steps.changes.outputs.workflow == 'true'
-        run: |
-          go test --race -v -count=1 -coverprofile=coverage/pkg-errors.out ./pkg/errors/...
-
      - name: Run pkg sdk tests
        if: steps.changes.outputs.pkg-sdk == 'true' || steps.changes.outputs.workflow == 'true'
        run: |
@@ -7,7 +7,7 @@
 	
 	[[drasko]]
 	Name	= "Drasko Draskovic"
-	Email	= "draasko.draskovic@abstractmachines.fr"
+	Email	= "draasko.draskovic@absmach.eu"
 	GitHub	= "drasko"

 # However, this role serves only in dead-lock events, or in a special and very rare cases
@@ -26,5 +26,5 @@
 
 	[[dusan]]
 	Name	= "Dusan Borovcanin"
-	Email	= "dusan.borovcanin@abstractmachines.fr"
+	Email	= "dusan.borovcanin@absmach.eu"
 	GitHub	= "dborovcanin"
@@ -7,7 +7,31 @@ SERVICES =  bootstrap provision re postgres-writer postgres-reader timescale-wri
 DOCKERS = $(addprefix docker_,$(SERVICES))
 DOCKERS_DEV = $(addprefix docker_dev_,$(SERVICES))
 CGO_ENABLED ?= 0
-GOARCH ?= amd64
+# Auto-detect architecture: use arm64 for Apple Silicon, default to amd64 otherwise
+UNAME_M := $(shell uname -m)
+ifeq ($(UNAME_M),arm64)
+    GOARCH ?= arm64
+else ifeq ($(UNAME_M),aarch64)
+    GOARCH ?= arm64
+else
+    GOARCH ?= amd64
+endif
+
+# Detect OS for sed compatibility: macOS (BSD sed) vs Linux (GNU sed)
+UNAME_S := $(shell uname -s)
+ifeq ($(UNAME_S),Darwin)
+    SED_INPLACE := sed -i ''
+else
+    SED_INPLACE := sed -i
+endif
+
+# For Apple Silicon: use amd64 platform for pre-built images (emulation via Rosetta)
+# This is needed because upstream stable images may not have ARM64 builds
+ifeq ($(UNAME_M),arm64)
+    DOCKER_PLATFORM := --platform linux/amd64
+else
+    DOCKER_PLATFORM :=
+endif
 VERSION ?= $(shell git describe --abbrev=0 --tags 2>/dev/null || echo 'unknown')
 COMMIT ?= $(shell git rev-parse HEAD)
 TIME ?= $(shell date +%F_%T)
@@ -20,7 +44,7 @@ DOCKER_COMPOSE_COMMANDS_SUPPORTED := up down config
 DEFAULT_DOCKER_COMPOSE_COMMAND  := up
 GRPC_MTLS_CERT_FILES_EXISTS = 0
 MOCKERY = $(GOBIN)/mockery
-MOCKERY_VERSION=3.5.3
+MOCKERY_VERSION=3.7.0
 PKG_PROTO_GEN_OUT_DIR=api/grpc
 INTERNAL_PROTO_DIR=internal/proto
 INTERNAL_PROTO_FILES := $(shell find $(INTERNAL_PROTO_DIR) -name "*.proto" | sed 's|$(INTERNAL_PROTO_DIR)/||')
@@ -71,6 +95,31 @@ define make_docker_dev
 		-f docker/Dockerfile.dev ./build
 endef

+define run_with_arch_detection
+	@echo "Detecting architecture..."
+	@if [ "$(DETECTED_ARCH)" = "arm64" ] || [ "$(DETECTED_ARCH)" = "aarch64" ]; then \
+		echo "ARM64 architecture detected."; \
+		git checkout $(1); \
+		GOARCH=arm64 $(MAKE) dockers; \
+		for svc in $(SERVICES); do \
+			docker tag ghcr.io/absmach/magistrala/$$svc ghcr.io/absmach/magistrala/$$svc:latest; \
+		done; \
+		sed -i.bak 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=latest/' docker/.env && rm -f docker/.env.bak; \
+		MG_ADDONS_CERTS_PATH_PREFIX="../." docker compose -f docker/docker-compose.yaml \
+			-f docker/addons/timescale-reader/docker-compose.yaml \
+			-f docker/addons/timescale-writer/docker-compose.yaml \
+			--env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args); \
+	else \
+		echo "x86_64 architecture detected."; \
+		git checkout $(1); \
+		sed -i.bak 's/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=$(2)/' docker/.env && rm -f docker/.env.bak; \
+		MG_ADDONS_CERTS_PATH_PREFIX="../." docker compose -f docker/docker-compose.yaml \
+			-f docker/addons/timescale-reader/docker-compose.yaml \
+			-f docker/addons/timescale-writer/docker-compose.yaml \
+			--env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args); \
+	fi
+endef
+
 ADDON_SERVICES = bootstrap provision certs timescale-reader timescale-writer postgres-reader postgres-writer

 EXTERNAL_SERVICES = prometheus
@@ -97,7 +146,7 @@ FILTERED_SERVICES = $(filter-out $(RUN_ADDON_ARGS), $(SERVICES))

 all: $(SERVICES)

-.PHONY: all $(SERVICES) dockers dockers_dev latest release run run_addons grpc_mtls_certs check_mtls check_certs test_api mocks
+.PHONY: all $(SERVICES) dockers dockers_dev latest release run_latest run_stable run_addons grpc_mtls_certs check_mtls check_certs test_api mocks

 clean:
 	rm -rf ${BUILD_DIR}
@@ -229,21 +278,21 @@ grpc_mtls_certs:

 check_tls:
 ifeq ($(GRPC_TLS),true)
-	@unset GRPC_MTLS
+	@bash -c 'unset GRPC_MTLS'
 	@echo "gRPC TLS is enabled"
 	GRPC_MTLS=
 else
-	@unset GRPC_TLS
+	@bash -c 'unset GRPC_TLS'
 	GRPC_TLS=
 endif

 check_mtls:
 ifeq ($(GRPC_MTLS),true)
-	@unset GRPC_TLS
+	@bash -c 'unset GRPC_TLS'
 	@echo "gRPC MTLS is enabled"
 	GRPC_TLS=
 else
-	@unset GRPC_MTLS
+	@bash -c 'unset GRPC_MTLS'
 	GRPC_MTLS=
 endif

@@ -259,14 +308,27 @@ endif
 fetch_supermq:
 	@./scripts/supermq.sh

- run: check_certs
-	MG_ADDONS_CERTS_PATH_PREFIX="../." docker compose -f docker/docker-compose.yaml \
+run_latest: check_certs
+	DOCKER_DEFAULT_PLATFORM=$(if $(DOCKER_PLATFORM),linux/amd64,) MG_ADDONS_CERTS_PATH_PREFIX="../." docker compose -f docker/docker-compose.yaml \
 		-f docker/addons/timescale-reader/docker-compose.yaml \
 		-f docker/addons/timescale-writer/docker-compose.yaml \
 		--env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)

+run_stable: check_certs
+	@version=$$(git describe --abbrev=0 --tags 2>/dev/null) || { echo "Error: No git tags found. Please create a release tag first (e.g., git tag v0.1.0) or use 'make run_latest' instead."; exit 1; }; \
+	echo "Using stable version: $$version"; \
+	git checkout $$version; \
+	$(SED_INPLACE) "s/^SMQ_RELEASE_TAG=.*/SMQ_RELEASE_TAG=$$version/" docker/supermq-docker/.env; \
+	$(SED_INPLACE) "s/^MG_RELEASE_TAG=.*/MG_RELEASE_TAG=$$version/" docker/.env; \
+	DOCKER_DEFAULT_PLATFORM=$(if $(DOCKER_PLATFORM),linux/amd64,) docker compose -f docker/docker-compose.yaml --env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args); \
+	DOCKER_DEFAULT_PLATFORM=$(if $(DOCKER_PLATFORM),linux/amd64,) MG_ADDONS_CERTS_PATH_PREFIX="../." docker compose -f docker/docker-compose.yaml \
+		-f docker/addons/timescale-reader/docker-compose.yaml \
+		-f docker/addons/timescale-writer/docker-compose.yaml \
+		--env-file docker/.env -p $(DOCKER_PROJECT) $(DOCKER_COMPOSE_COMMAND) $(args)
+
+
 run_addons: check_certs
 	$(foreach SVC,$(RUN_ADDON_ARGS),$(if $(filter $(SVC),$(ADDON_SERVICES) $(EXTERNAL_SERVICES)),,$(error Invalid Service $(SVC))))
 	@for SVC in $(RUN_ADDON_ARGS); do \
-		MG_ADDONS_CERTS_PATH_PREFIX="../."  docker compose -f docker/addons/$$SVC/docker-compose.yaml -p $(DOCKER_PROJECT) --env-file ./docker/.env $(DOCKER_COMPOSE_COMMAND) $(args) & \
+		DOCKER_DEFAULT_PLATFORM=$(if $(DOCKER_PLATFORM),linux/amd64,) MG_ADDONS_CERTS_PATH_PREFIX="../." docker compose -f docker/addons/$$SVC/docker-compose.yaml -p $(DOCKER_PROJECT) --env-file ./docker/.env $(DOCKER_COMPOSE_COMMAND) $(args) & \
 	done
@@ -1,118 +1,157 @@
+> [!WARNING]
+> This repository is obsolete. All of its content has been merged to [www.github.com/absmach/magistrala](https://www.github.com/absmach/magistrala).
+> Please use that repository for all active development.
+
 <div align="center">

-  # Magistrala
-  
-  **A Modern IoT Platform Built on SuperMQ**
-  
-  **Scalable • Secure • Open-Source**
-  
-  [![Check License Header](https://github.com/absmach/magistrala/actions/workflows/check-license.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/check-license.yaml)
-  [![Continuous Delivery](https://github.com/absmach/magistrala/actions/workflows/build.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/build.yaml)
-  [![Go Report Card](https://goreportcard.com/badge/github.com/absmach/magistrala)](https://goreportcard.com/report/github.com/absmach/magistrala)
-  [![Coverage](https://codecov.io/gh/absmach/magistrala/graph/badge.svg?token=SEMDAO3L09)](https://codecov.io/gh/absmach/magistrala)
-  [![License](https://img.shields.io/badge/license-Apache%202.0-blue?style=flat-square)](LICENSE)
-  [![Matrix](https://img.shields.io/matrix/magistrala:matrix.org?style=flat-square)](https://matrix.to/#/#magistrala:matrix.org)
-  
-  ### [Guide](https://docs.magistrala.absmach.eu) | [Contributing](CONTRIBUTING.md) | [Website](https://www.absmach.eu/magistrala) | [Chat](https://matrix.to/#/#magistrala:matrix.org)
+# SuperMQ

-  Made with ❤️ by [Abstract Machines](https://www.absmach.eu)
+### Planetary event-driven infrastructure
+
+**Made with ❤️ by [Abstract Machines](https://absmach.eu/)**
+
+[![Build Status](https://github.com/absmach/magistrala/actions/workflows/build.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/build.yaml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/absmach/magistrala)](https://goreportcard.com/report/github.com/absmach/magistrala)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/absmach/magistrala)
+[![Check License Header](https://github.com/absmach/magistrala/actions/workflows/check-license.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/check-license.yaml)
+[![Check Generated Files](https://github.com/absmach/magistrala/actions/workflows/check-generated-files.yaml/badge.svg?branch=main)](https://github.com/absmach/magistrala/actions/workflows/check-generated-files.yaml)
+[![Coverage](https://codecov.io/gh/absmach/magistrala/graph/badge.svg?token=nPCEr5nW8S)](https://codecov.io/gh/absmach/magistrala)
+[![License](https://img.shields.io/badge/license-Apache%20v2.0-blue.svg)](LICENSE)
+[![Matrix](https://img.shields.io/matrix/supermq%3Amatrix.org?label=Chat&style=flat&logo=matrix&logoColor=white)](https://matrix.to/#/#supermq:matrix.org)
+  
+### [Guide](https://magistrala.absmach.eu/docs/) | [Contributing](CONTRIBUTING.md) | [Website](https://absmach.eu/) | [Chat](https://matrix.to/#/#supermq:matrix.org)

 </div>

+## Introduction 📖

-## Introduction 🌍
+SuperMQ is a distributed, highly scalable, and secure open-source cloud platform for messaging and event-driven architecture (EDA). It is a planetarily distributed, highly scalable, and secure platform that serves as a robust foundation for building advanced real-time and reactive systems.

-Magistrala is a cutting-edge, open-source IoT cloud platform built on top of [SuperMQ](https://github.com/absmach/supermq). It serves as a robust middleware solution for building complex IoT applications. With Magistrala, you can connect and manage IoT devices seamlessly using multi-protocol support, all while ensuring security and scalability.
+## Why SuperMQ Stands Out 🚀

-### Key Benefits:
- **Unified IoT Management**: Connect sensors, actuators, and applications over various network protocols.
- **Scalability and Performance**: Designed to handle enterprise-grade IoT deployments.
- **Secure by Design**: Features such as mutual TLS authentication and fine-grained access control.
- **Open-Source Freedom**: Patent-free, community-driven, and designed for extensibility.
+SuperMQ bridges the gap between various network protocols (HTTP, MQTT, WebSocket, CoAP, and more) to provide a seamless messaging experience. Whether you're working on IoT solutions, real-time data pipelines, or event-driven systems, MagisSuperMQtrala has you covered. 🌐✨

+## Key Features 🌟

-## ✨ Features
+- **Multi-Protocol Connectivity**: HTTP, MQTT, WebSocket, CoAP, and more! 🌉
+- **Secure by Design**: Mutual TLS (mTLS) with X.509 Certificates, JWT support, and multi-protocol authorization. 🔒
+- **Fine-Grained Access Control**: Support for ABAC and RBAC policies. 📜
+- **Multi-Tenant**: Manage multiple domains seamlessly. 🏢
+- **Multi-User**: Unlimited organizational hierarchies for user management. 👥
+- **Application Management**: Group and share messaging clients for streamlined operations. 📱
+- **Ease of Use**: Simple and powerful communication channel management, grouping, and sharing. ✨
+- **Personal Access Tokens (PATs)**: Scoped and revocable tokens for enhanced security. 🔑
+- **Observability**: Integrated logging and instrumentation with Prometheus and OpenTelemetry. 📈
+- **Event Sourcing**: Build robust and scalable architectures. ⚡
+- **Edge and IoT Ready**: Supports MQTT and CoAP protocols for seamless IoT gateway and sensor communication and management. 🌍
+- **Developer-Friendly**: SDKs, CLI tools, and comprehensive documentation to get you started. 👩‍💻👨‍💻
+- **Production-Ready**: Container-based deployment using Docker and Kubernetes. 🐳☸️

- 🏢 **Multi-Tenancy**: Support for managing multiple independent domains seamlessly.
- 👥 **Multi-User Platform**: Unlimited organizational hierarchies and user roles for streamlined collaboration.
- 🌐 **Multi-Protocol Connectivity**: HTTP, MQTT, WebSocket, CoAP, and more (see [contrib repository](https://www.github.com/absmach/mg-contrib) for LoRa and OPC UA).
- 💻 **Device Management and Provisioning**: Including Zero-Touch provisioning for seamless device onboarding.
- 🛡️ **Mutual TLS Authentication (mTLS)**: Secure communication using X.509 certificates.
- 📜 **Fine-Grained Access Control**: Support for ABAC and RBAC policies.
- 💾 **Message Persistence**: Timescale and PostgreSQL support (see [contrib repository](https://www.github.com/absmach/mg-contrib) for Cassandra, InfluxDB, and MongoDB).
- 🔄 **Rules Engine (RE)**: Automate processes with flexible rules for decision-making.
- 🚨 **Alarms and Triggers**: Immediate notifications for critical IoT events.
- 📅 **Scheduled Actions**: Plan and execute tasks at predefined times.
- 📝 **Audit Logs**: Maintain a detailed history of platform activities for compliance and debugging.
- 📊 **Platform Logging and Instrumentation**: Integrated with Prometheus and OpenTelemetry.
- ⚡ **Event Sourcing**: Streamlined architecture for real-time IoT event processing.
- 🐳 **Container-Based Deployment**: Fully compatible with Docker and Kubernetes.
- 🌍 **Edge and IoT Ready**: Agent and Export services for managing remote IoT gateways.
- 🛠️ **Developer Tools**: Comprehensive SDK and CLI for efficient development.
- 🏗️ **Domain-Driven Design**: High-quality codebase and extensive test coverage.
+## Installation 🛠️

-
-## 🔧 Install
-
-Clone the repository and start the services:
+There are multiple ways to run SuperMQ.
+First, clone the repository and position to it:
+
+```bash
+git clone https://github.com/absmach/supermq.git
+cd supermq
+```
+
+To run the latest stable (tagged) version, use:
+
+```bash
+# Run with latest stable tagged version
+make run_stable
+```
+
+To run the latest version, use:
+
+```bash
+# Run with latest development version (from main branch)
+make run_latest
+```
+
+The `make run_stable` command will:
+- Checkout the repository to the latest git tag
+- Update the version in the environment configuration
+- Start the services with the stable release
+
+**Note:** After running `make run_stable`, you'll be on a detached HEAD state. To return to your working branch:
+
+```bash
+git checkout main
+```
+
+### Running on Apple Silicon (M1/M2/M3) Macs
+
+When running SuperMQ on Apple Silicon Macs, the Makefile will automatically detect your ARM64 architecture and build Docker images locally. 
+
+**If using Docker Desktop:**
+
+1. **Enable Apple Virtualization Framework**: In Docker Desktop, go to:
+   - Settings → General → Enable "Use the new Virtualization framework"
+   
+2. **Enable Rosetta for x86_64 Emulation**: In Docker Desktop, go to:
+   - Settings → General → Enable "Use Rosetta for x86_64/amd64 emulation on Apple Silicon"
+
+After enabling these options, restart Docker Desktop, then run `make run_stable` or `make run_latest` as usual.
+
+To manually run SuperMQ, clone the repository and start all core services:

 ```bash
-git clone https://github.com/absmach/magistrala.git
-cd magistrala
 docker compose -f docker/docker-compose.yaml --env-file docker/.env up
 ```

-Alternatively, use the Makefile for a simpler command:
+### Usage 📤📥

-```bash
-make run args=-d
-```
-
-## 📤 Usage
-
-#### Using the CLI:
-
-Check the health of a specific service using the CLI:
+**Using the CLI :**

 ```bash
 make cli
-./build/cli health <service>
+./build/supermq-cli status
 ```

-Replace `<service>` with the name of the service you want to check.
+This command retrieves the status of the SuperMQ server and outputs it to the console.

-#### Using Curl:
-
-Alternatively, use a simple HTTP GET request to check the platform's health:
+**Using HTTP with Curl :**

 ```bash
-curl -X GET http://localhost:8080/health
+curl -X GET http://localhost:8080/status
 ```

-For additional usage examples and advanced configurations, visit the [official documentation](https://docs.magistrala.absmach.eu).
+This request fetches the server status over HTTP and provides a JSON response.

+See our [CLI documentation](https://magistrala.absmach.eu/docs/dev-guide/cli/introduction-to-cli/) for more details.

-## 📚 Documentation
+## Documentation 📚

-Complete documentation is available at the [Magistrala official docs page](https://docs.magistrala.absmach.eu).
+The official documentation is hosted at [SuperMQ docs page](https://magistrala.absmach.eu/docs/).

-For CLI usage details, visit the [CLI Documentation](https://docs.magistrala.absmach.eu/cli).
+Documentation is auto-generated, check out the instructions in the [docs repository](https://github.com/absmach/magistrala-website).
+If you spot an error or a need for corrections, please let us know - or even better: send us a PR! 💌

+## Community and Contributing 🤝

-## 🌐 Community and Contributing
+Thank you for your interest in SuperMQ and the desire to contribute!

-Join the community and contribute to the future of IoT middleware:
+1. Take a look at our [open issues](https://github.com/absmach/magistrala/issues). The [good-first-issue](https://github.com/absmach/magistrala/labels/good-first-issue) label is specifically for issues that are great for getting started.
+2. Checkout the [contribution guide](CONTRIBUTING.md) to learn more about our style and conventions.
+3. Make your changes compatible to our workflow.

- [Open Issues](https://github.com/absmach/magistrala/issues)
- [Contribution Guide](CONTRIBUTING.md)
- [Matrix Chat](https://matrix.to/#/#magistrala:matrix.org)
+Join our community:

+- [Matrix Room](https://matrix.to/#/#supermq\:matrix.org)

-## 📜 License
+## Professional Support 💼

-Magistrala is open-source software licensed under the [Apache-2.0](LICENSE) license. Contributions are welcome and encouraged!
+Need help deploying SuperMQ or integrating it into your system? Reach out to **[Abstract Machines](https://absmach.eu/)** for professional support and guidance.

+## License 📜

-## 💼 Professional Support
+SuperMQ is open-source software licensed under the [Apache License 2.0](LICENSE). Contributions are welcome!

-Need help deploying Magistrala or integrating it into your systems? Contact **[Abstract Machines](https://www.absmach.eu)** for expert guidance and support.
+## Acknowledgments 🙌
+
+Special thanks to the amazing contributors who make SuperMQ possible. Check out the [MAINTAINERS](MAINTAINERS) file to see the team behind the magic.
+
+Ready to build the future of messaging and event-driven systems? Let's get started! 🚀
@@ -0,0 +1,197 @@
+# Alarms
+
+The Alarms service stores, manages and exposes alarms raised by rules and device activity. It consumes alarm events from the message broker, persists them to PostgreSQL, and provides an HTTP API for listing, viewing, updating, and deleting alarms with full authn/authz, metrics, and tracing support.
+
+## Configuration
+
+The service is configured using the following environment variables (values shown are from [docker/.env](https://github.com/absmach/magistrala/blob/main/docker/.env) as consumed by [docker/docker-compose.yaml](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml)):
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_ALARMS_LOG_LEVEL` | Log level for the service | `debug` |
+| `MG_ALARMS_HTTP_HOST` | HTTP host to bind | `alarms` |
+| `MG_ALARMS_HTTP_PORT` | HTTP port to bind | `8050` |
+| `MG_ALARMS_HTTP_SERVER_CERT` | Path to PEM-encoded HTTPS server certificate | "" |
+| `MG_ALARMS_HTTP_SERVER_KEY` | Path to PEM-encoded HTTPS server key | "" |
+| `MG_ALARMS_DB_HOST` | PostgreSQL host | `alarms-db` |
+| `MG_ALARMS_DB_PORT` | PostgreSQL port | `5432` |
+| `MG_ALARMS_DB_USER` | PostgreSQL user | `magistrala` |
+| `MG_ALARMS_DB_PASS` | PostgreSQL password | `magistrala` |
+| `MG_ALARMS_DB_NAME` | PostgreSQL database name | `alarms` |
+| `MG_ALARMS_DB_SSL_MODE` | PostgreSQL SSL mode | `disable` |
+| `MG_ALARMS_DB_SSL_CERT` | PostgreSQL SSL client cert | "" |
+| `MG_ALARMS_DB_SSL_KEY` | PostgreSQL SSL client key | "" |
+| `MG_ALARMS_DB_SSL_ROOT_CERT` | PostgreSQL SSL root cert | "" |
+| `MG_ALARMS_INSTANCE_ID` | Instance ID for tracing/health | "" |
+| `SMQ_MESSAGE_BROKER_URL` | Message broker URL for alarm ingestion | `nats://nats:4222` |
+| `SMQ_JAEGER_URL` | Jaeger collector endpoint | `http://jaeger:4318/v1/traces` |
+| `SMQ_JAEGER_TRACE_RATIO` | Trace sampling ratio | `1.0` |
+| `SMQ_AUTH_GRPC_URL` | Auth gRPC endpoint | `auth:7001` |
+| `SMQ_AUTH_GRPC_TIMEOUT` | Auth gRPC timeout | `300s` |
+| `SMQ_AUTH_GRPC_CLIENT_CERT` | Auth gRPC client cert path | `${GRPC_MTLS:+./ssl/certs/auth-grpc-client.crt}` |
+| `SMQ_AUTH_GRPC_CLIENT_KEY` | Auth gRPC client key path | `${GRPC_MTLS:+./ssl/certs/auth-grpc-client.key}` |
+| `SMQ_AUTH_GRPC_SERVER_CA_CERTS` | Auth gRPC server CA path | `${GRPC_MTLS:+./ssl/certs/ca.crt}` |
+| `SMQ_DOMAINS_GRPC_URL` | Domains gRPC endpoint | `domains:7003` |
+| `SMQ_DOMAINS_GRPC_TIMEOUT` | Domains gRPC timeout | `300s` |
+| `SMQ_DOMAINS_GRPC_CLIENT_CERT` | Domains gRPC client cert path | `${GRPC_MTLS:+./ssl/certs/domains-grpc-client.crt}` |
+| `SMQ_DOMAINS_GRPC_CLIENT_KEY` | Domains gRPC client key path | `${GRPC_MTLS:+./ssl/certs/domains-grpc-client.key}` |
+| `SMQ_DOMAINS_GRPC_SERVER_CA_CERTS` | Domains gRPC server CA path | `${GRPC_MTLS:+./ssl/certs/ca.crt}` |
+| `SMQ_ALLOW_UNVERIFIED_USER` | Allow unverified users to access | `true` |
+
+## Features
+
+- **Alarm ingestion**: Consumes alarms from the message broker and persists them to PostgreSQL.
+- **Stateful updates**: Updates assignee, acknowledgment, resolution, and metadata fields.
+- **Filtering and paging**: Lists alarms by domain, rule, channel, client, subtopic, status, severity, and time range.
+- **Observability**: `/metrics` Prometheus endpoint and Jaeger tracing support.
+- **Auth and authorization**: Authn/authz enforced via gRPC auth and domains services.
+
+## Architecture
+
+### Runtime flow
+
+1. The message broker publishes alarm events under the `alarms.>` subject.
+2. The Alarms consumer decodes the event payload, enriches it with message metadata, validates it, and calls `CreateAlarm`.
+3. The repository writes to PostgreSQL while deduplicating repeated active alarms with the same severity.
+4. The HTTP API exposes list/view/update/delete operations with authn/authz, metrics, and tracing middleware.
+
+### Components
+
+- **HTTP API**: `alarms/api` exposes REST endpoints and health/metrics handlers.
+- **Service layer**: `alarms/service.go` validates requests and coordinates repository operations.
+- **Repository**: `alarms/postgres/alarms.go` implements persistence and filtering.
+- **Consumer**: `alarms/consumer` processes broker messages and creates alarms.
+- **Message broker**: `alarms/brokers` uses NATS JetStream with stream `alarms` and subject `alarms.>`.
+- **Migrations**: `alarms/postgres/init.go` defines the alarms schema and indexes.
+
+### Alarms table
+
+Defined in `alarms/postgres/init.go`:
+
+| Column | Type | Description |
+| --- | --- | --- |
+| `id` | `VARCHAR(36)` | Alarm UUID (primary key) |
+| `rule_id` | `VARCHAR(36)` | Rule ID that triggered the alarm |
+| `domain_id` | `VARCHAR(36)` | Domain ID |
+| `channel_id` | `VARCHAR(36)` | Channel ID |
+| `subtopic` | `TEXT` | Subtopic associated with the alarm |
+| `client_id` | `VARCHAR(36)` | Client ID |
+| `measurement` | `TEXT` | Measurement name |
+| `value` | `TEXT` | Measured value |
+| `unit` | `TEXT` | Measurement unit |
+| `threshold` | `TEXT` | Threshold value |
+| `cause` | `TEXT` | Cause/description |
+| `status` | `SMALLINT` | 0 = active, 1 = cleared |
+| `severity` | `SMALLINT` | Severity (0-100) |
+| `assignee_id` | `VARCHAR(36)` | Assignee ID |
+| `created_at` | `TIMESTAMPTZ` | Creation timestamp |
+| `updated_at` | `TIMESTAMPTZ` | Last update timestamp |
+| `updated_by` | `VARCHAR(36)` | User who updated |
+| `assigned_at` | `TIMESTAMPTZ` | When assigned |
+| `assigned_by` | `VARCHAR(36)` | Who assigned |
+| `acknowledged_at` | `TIMESTAMPTZ` | When acknowledged |
+| `acknowledged_by` | `VARCHAR(36)` | Who acknowledged |
+| `resolved_at` | `TIMESTAMPTZ` | When resolved |
+| `resolved_by` | `VARCHAR(36)` | Who resolved |
+| `metadata` | `JSONB` | Custom metadata |
+
+Index: `idx_alarms_state (domain_id, rule_id, channel_id, subtopic, client_id, measurement, created_at DESC)`
+
+## Deployment
+
+### Build and run locally
+
+```bash
+make alarms
+
+MG_ALARMS_LOG_LEVEL=debug \
+MG_ALARMS_HTTP_PORT=8050 \
+MG_ALARMS_DB_HOST=localhost \
+MG_ALARMS_DB_PORT=5432 \
+MG_ALARMS_DB_USER=magistrala \
+MG_ALARMS_DB_PASS=magistrala \
+MG_ALARMS_DB_NAME=alarms \
+SMQ_MESSAGE_BROKER_URL=nats://localhost:4222 \
+SMQ_AUTH_GRPC_URL=localhost:7001 \
+SMQ_AUTH_GRPC_TIMEOUT=300s \
+SMQ_DOMAINS_GRPC_URL=localhost:7003 \
+SMQ_DOMAINS_GRPC_TIMEOUT=300s \
+./build/alarms
+```
+
+### Docker Compose
+
+The service is available as a Docker container. Refer to [docker/docker-compose.yaml](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml) for the `alarms` and `alarms-db` services and their environment variables. For a full local stack, make sure the auth, domains, and message broker services are also running.
+
+```bash
+docker compose -f docker/docker-compose.yaml up alarms alarms-db
+```
+
+### Health check
+
+```bash
+curl -X GET http://localhost:8050/health \
+  -H "accept: application/health+json"
+```
+
+## Testing
+
+```bash
+go test ./alarms/...
+```
+
+## Usage
+
+The Alarms service supports the following operations:
+
+| Operation | Method & Path | Description |
+| --- | --- | --- |
+| `listAlarms` | `GET /{domainID}/alarms` | List alarms with filters |
+| `viewAlarm` | `GET /{domainID}/alarms/{alarmID}` | Retrieve a single alarm |
+| `updateAlarm` | `PUT /{domainID}/alarms/{alarmID}` | Update alarm status/assignee/metadata |
+| `deleteAlarm` | `DELETE /{domainID}/alarms/{alarmID}` | Delete an alarm |
+| `health` | `GET /health` | Service health check |
+
+Alarm creation is driven by message broker events and is not exposed as an HTTP endpoint.
+
+### Example: List alarms
+
+```bash
+curl -X GET "http://localhost:8050/<domainID>/alarms?limit=10&offset=0&status=active&severity=50" \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: View an alarm
+
+```bash
+curl -X GET http://localhost:8050/<domainID>/alarms/<alarmID> \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: Update an alarm
+
+```bash
+curl -X PUT http://localhost:8050/<domainID>/alarms/<alarmID> \
+  -H "Authorization: Bearer <your_access_token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "status": "cleared",
+    "assignee_id": "<userID>",
+    "severity": 40,
+    "metadata": { "note": "cleared after inspection" }
+  }'
+```
+
+### Example: Delete an alarm
+
+```bash
+curl -X DELETE http://localhost:8050/<domainID>/alarms/<alarmID> \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: Health check
+
+```bash
+curl -X GET http://localhost:8050/health \
+  -H "accept: application/health+json"
+```
@@ -72,6 +72,7 @@ type PageMetadata struct {
 	AssignedBy     string    `json:"assigned_by"     db:"assigned_by"`
 	AcknowledgedBy string    `json:"acknowledged_by" db:"acknowledged_by"`
 	ResolvedBy     string    `json:"resolved_by"     db:"resolved_by"`
+	UserID         string    `json:"user_id"         db:"user_id"`
 }

 func (a Alarm) Validate() error {
@@ -116,6 +117,7 @@ type Repository interface {
 	CreateAlarm(ctx context.Context, alarm Alarm) (Alarm, error)
 	UpdateAlarm(ctx context.Context, alarm Alarm) (Alarm, error)
 	ViewAlarm(ctx context.Context, alarmID, domainID string) (Alarm, error)
-	ListAlarms(ctx context.Context, pm PageMetadata) (AlarmsPage, error)
+	ListAllAlarms(ctx context.Context, pm PageMetadata) (AlarmsPage, error)
+	ListUserAlarms(ctx context.Context, userID string, pm PageMetadata) (AlarmsPage, error)
 	DeleteAlarm(ctx context.Context, id string) error
 }
@@ -9,7 +9,7 @@ import (

 	"github.com/absmach/magistrala/alarms"
 	"github.com/absmach/magistrala/internal/testsutil"
-	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/absmach/supermq/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -16,7 +16,7 @@ import (

 func updateAlarmEndpoint(svc alarms.Service) endpoint.Endpoint {
 	return func(ctx context.Context, request any) (any, error) {
-		req := request.(alarmReq)
+		req := request.(updateAlarmReq)
 		if err := req.validate(); err != nil {
 			return alarmRes{}, errors.Wrap(apiutil.ErrValidation, err)
 		}
@@ -23,6 +23,21 @@ func (req alarmReq) validate() error {
 	return nil
 }

+type updateAlarmReq struct {
+	alarms.Alarm `json:",inline"`
+}
+
+func (req updateAlarmReq) validate() error {
+	if req.Alarm.ID == "" {
+		return errors.New("missing alarm id")
+	}
+	if req.Alarm.AssigneeID == "" && req.Alarm.AcknowledgedBy == "" && req.Alarm.ResolvedBy == "" && len(req.Alarm.Metadata) == 0 {
+		return errors.New("at least one of assignee_id, acknowledged_by, resolved_by, or metadata must be set")
+	}
+
+	return nil
+}
+
 type listAlarmsReq struct {
 	alarms.PageMetadata
 }
@@ -195,12 +195,12 @@ func decodeAlarmReq(_ context.Context, r *http.Request) (any, error) {

 func decodeUpdateAlarmReq(_ context.Context, r *http.Request) (any, error) {
 	if !strings.Contains(r.Header.Get("Content-Type"), api.ContentType) {
-		return alarmReq{}, errors.Wrap(apiutil.ErrValidation, apiutil.ErrUnsupportedContentType)
+		return updateAlarmReq{}, apiutil.ErrUnsupportedContentType
 	}

-	req := alarmReq{}
+	req := updateAlarmReq{}
 	if err := json.NewDecoder(r.Body).Decode(&req.Alarm); err != nil {
-		return alarmReq{}, errors.Wrap(apiutil.ErrValidation, errors.Wrap(errors.ErrMalformedEntity, err))
+		return updateAlarmReq{}, errors.Wrap(apiutil.ErrMalformedRequestBody, err)
 	}

 	req.Alarm.ID = chi.URLParam(r, "alarmID")
@@ -7,77 +7,89 @@ import (
 	"context"

 	"github.com/absmach/magistrala/alarms"
+	"github.com/absmach/magistrala/alarms/operations"
 	"github.com/absmach/supermq/auth"
 	"github.com/absmach/supermq/pkg/authn"
 	smqauthz "github.com/absmach/supermq/pkg/authz"
+	"github.com/absmach/supermq/pkg/errors"
+	svcerr "github.com/absmach/supermq/pkg/errors/service"
+	"github.com/absmach/supermq/pkg/permissions"
 	"github.com/absmach/supermq/pkg/policies"
 )

+var (
+	errDomainUpdateAlarms = errors.New("not authorized to update alarms in domain")
+	errDomainDeleteAlarms = errors.New("not authorized to delete alarms in domain")
+	errDomainViewAlarms   = errors.New("not authorized to view alarms in domain")
+)
+
 type authorizationMiddleware struct {
-	svc   alarms.Service
-	authz smqauthz.Authorization
+	svc         alarms.Service
+	authz       smqauthz.Authorization
+	entitiesOps permissions.EntitiesOperations[permissions.Operation]
 }

 var _ alarms.Service = (*authorizationMiddleware)(nil)

-func NewAuthorizationMiddleware(svc alarms.Service, authz smqauthz.Authorization) alarms.Service {
-	return &authorizationMiddleware{
-		svc:   svc,
-		authz: authz,
+func NewAuthorizationMiddleware(svc alarms.Service, authz smqauthz.Authorization, entitiesOps permissions.EntitiesOperations[permissions.Operation]) (alarms.Service, error) {
+	if err := entitiesOps.Validate(); err != nil {
+		return nil, err
 	}
+
+	return &authorizationMiddleware{
+		svc:         svc,
+		authz:       authz,
+		entitiesOps: entitiesOps,
+	}, nil
 }

-func (am *authorizationMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) (err error) {
+func (am *authorizationMiddleware) CreateAlarm(ctx context.Context, alarm alarms.Alarm) error {
 	return am.svc.CreateAlarm(ctx, alarm)
 }

-func (am *authorizationMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (dba alarms.Alarm, err error) {
-	// if assignee is present check if assignee is member of domain
-
-	req := smqauthz.PolicyReq{
-		Domain:      session.DomainID,
-		SubjectType: policies.UserType,
-		SubjectKind: policies.UsersKind,
-		Subject:     session.DomainUserID,
-		Permission:  policies.AdminPermission,
-		ObjectType:  policies.DomainType,
-		Object:      session.DomainID,
-	}
-
-	if err := am.authz.Authorize(ctx, req); err != nil {
-		return alarms.Alarm{}, err
+func (am *authorizationMiddleware) UpdateAlarm(ctx context.Context, session authn.Session, alarm alarms.Alarm) (alarms.Alarm, error) {
+	if len(alarm.Metadata) > 0 {
+		if err := am.authorize(ctx, operations.OpUpdateAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
 	}

 	if alarm.AssigneeID != "" {
-		domainUserId := auth.EncodeDomainUserID(session.DomainID, alarm.AssigneeID)
+		if err := am.authorize(ctx, operations.OpAssignAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+		domainUserID := auth.EncodeDomainUserID(session.DomainID, alarm.AssigneeID)
 		if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
 			Domain:      session.DomainID,
 			SubjectType: policies.UserType,
 			SubjectKind: policies.UsersKind,
-			Subject:     domainUserId,
+			Subject:     domainUserID,
 			Permission:  policies.MembershipPermission,
 			ObjectType:  policies.DomainType,
 			Object:      session.DomainID,
-		}); err != nil {
+		}, nil); err != nil {
 			return alarms.Alarm{}, err
 		}
 	}

+	if alarm.AcknowledgedBy != "" {
+		if err := am.authorize(ctx, operations.OpAcknowledgeAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+	}
+
+	if alarm.ResolvedBy != "" {
+		if err := am.authorize(ctx, operations.OpResolveAlarm, session, policies.DomainType, session.DomainID); err != nil {
+			return alarms.Alarm{}, errors.Wrap(errDomainUpdateAlarms, err)
+		}
+	}
+
 	return am.svc.UpdateAlarm(ctx, session, alarm)
 }

 func (am *authorizationMiddleware) DeleteAlarm(ctx context.Context, session authn.Session, id string) error {
-	req := smqauthz.PolicyReq{
-		SubjectType: policies.UserType,
-		SubjectKind: policies.UsersKind,
-		Subject:     session.DomainUserID,
-		Permission:  policies.AdminPermission,
-		ObjectType:  policies.DomainType,
-		Object:      session.DomainID,
-	}
-
-	if err := am.authz.Authorize(ctx, req); err != nil {
-		return err
+	if err := am.authorize(ctx, operations.OpDeleteAlarm, session, policies.DomainType, session.DomainID); err != nil {
+		return errors.Wrap(errDomainDeleteAlarms, err)
 	}

 	return am.svc.DeleteAlarm(ctx, session, id)
@@ -88,17 +100,11 @@ func (am *authorizationMiddleware) ListAlarms(ctx context.Context, session authn
 		pm.DomainID = session.DomainID
 	}

-	req := smqauthz.PolicyReq{
-		Domain:      session.DomainID,
-		SubjectType: policies.UserType,
-		SubjectKind: policies.UsersKind,
-		Subject:     session.DomainUserID,
-		Permission:  policies.MembershipPermission,
-		ObjectType:  policies.DomainType,
-		Object:      session.DomainID,
-	}
-
-	if err := am.authz.Authorize(ctx, req); err != nil {
+	switch err := am.checkSuperAdmin(ctx, session); {
+	case err == nil:
+		session.SuperAdmin = true
+	case errors.Contains(err, svcerr.ErrSuperAdminAction):
+	default:
 		return alarms.AlarmsPage{}, err
 	}

@@ -106,19 +112,61 @@ func (am *authorizationMiddleware) ListAlarms(ctx context.Context, session authn
 }

 func (am *authorizationMiddleware) ViewAlarm(ctx context.Context, session authn.Session, id string) (alarms.Alarm, error) {
-	req := smqauthz.PolicyReq{
-		Domain:      session.DomainID,
-		SubjectType: policies.UserType,
-		SubjectKind: policies.UsersKind,
-		Subject:     session.DomainUserID,
-		Permission:  policies.MembershipPermission,
-		ObjectType:  policies.DomainType,
-		Object:      session.DomainID,
-	}
-
-	if err := am.authz.Authorize(ctx, req); err != nil {
-		return alarms.Alarm{}, err
+	if err := am.authorize(ctx, operations.OpViewAlarm, session, policies.DomainType, session.DomainID); err != nil {
+		return alarms.Alarm{}, errors.Wrap(errDomainViewAlarms, err)
 	}

 	return am.svc.ViewAlarm(ctx, session, id)
 }
+
+func (am *authorizationMiddleware) authorize(ctx context.Context, op permissions.Operation, session authn.Session, objType, obj string) error {
+	perm, err := am.entitiesOps.GetPermission(operations.EntityType, op)
+	if err != nil {
+		return err
+	}
+
+	pr := smqauthz.PolicyReq{
+		Domain:      session.DomainID,
+		SubjectType: policies.UserType,
+		SubjectKind: policies.UsersKind,
+		Subject:     session.DomainUserID,
+		Object:      obj,
+		ObjectType:  objType,
+		Permission:  perm.String(),
+	}
+
+	var pat *smqauthz.PATReq
+	if session.PatID != "" {
+		opName := am.entitiesOps.OperationName(operations.EntityType, op)
+		pat = &smqauthz.PATReq{
+			UserID:     session.UserID,
+			PatID:      session.PatID,
+			EntityID:   session.DomainID,
+			EntityType: operations.EntityType,
+			Operation:  opName,
+			Domain:     session.DomainID,
+		}
+	}
+
+	if err := am.authz.Authorize(ctx, pr, pat); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, session authn.Session) error {
+	if session.Role != authn.SuperAdminRole {
+		return svcerr.ErrSuperAdminAction
+	}
+	if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
+		SubjectType: policies.UserType,
+		Subject:     session.UserID,
+		Permission:  policies.AdminPermission,
+		ObjectType:  policies.PlatformType,
+		Object:      policies.SuperMQObject,
+	}, nil); err != nil {
+		return err
+	}
+	return nil
+}
@@ -165,12 +165,12 @@ func (_c *Repository_DeleteAlarm_Call) RunAndReturn(run func(ctx context.Context
 	return _c
 }

-// ListAlarms provides a mock function for the type Repository
-func (_mock *Repository) ListAlarms(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+// ListAllAlarms provides a mock function for the type Repository
+func (_mock *Repository) ListAllAlarms(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
 	ret := _mock.Called(ctx, pm)

 	if len(ret) == 0 {
-		panic("no return value specified for ListAlarms")
+		panic("no return value specified for ListAllAlarms")
 	}

 	var r0 alarms.AlarmsPage
@@ -191,19 +191,19 @@ func (_mock *Repository) ListAlarms(ctx context.Context, pm alarms.PageMetadata)
 	return r0, r1
 }

-// Repository_ListAlarms_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListAlarms'
-type Repository_ListAlarms_Call struct {
+// Repository_ListAllAlarms_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListAllAlarms'
+type Repository_ListAllAlarms_Call struct {
 	*mock.Call
 }

-// ListAlarms is a helper method to define mock.On call
+// ListAllAlarms is a helper method to define mock.On call
 //   - ctx context.Context
 //   - pm alarms.PageMetadata
-func (_e *Repository_Expecter) ListAlarms(ctx interface{}, pm interface{}) *Repository_ListAlarms_Call {
-	return &Repository_ListAlarms_Call{Call: _e.mock.On("ListAlarms", ctx, pm)}
+func (_e *Repository_Expecter) ListAllAlarms(ctx interface{}, pm interface{}) *Repository_ListAllAlarms_Call {
+	return &Repository_ListAllAlarms_Call{Call: _e.mock.On("ListAllAlarms", ctx, pm)}
 }

-func (_c *Repository_ListAlarms_Call) Run(run func(ctx context.Context, pm alarms.PageMetadata)) *Repository_ListAlarms_Call {
+func (_c *Repository_ListAllAlarms_Call) Run(run func(ctx context.Context, pm alarms.PageMetadata)) *Repository_ListAllAlarms_Call {
 	_c.Call.Run(func(args mock.Arguments) {
 		var arg0 context.Context
 		if args[0] != nil {
@@ -221,12 +221,84 @@ func (_c *Repository_ListAlarms_Call) Run(run func(ctx context.Context, pm alarm
 	return _c
 }

-func (_c *Repository_ListAlarms_Call) Return(alarmsPage alarms.AlarmsPage, err error) *Repository_ListAlarms_Call {
+func (_c *Repository_ListAllAlarms_Call) Return(alarmsPage alarms.AlarmsPage, err error) *Repository_ListAllAlarms_Call {
 	_c.Call.Return(alarmsPage, err)
 	return _c
 }

-func (_c *Repository_ListAlarms_Call) RunAndReturn(run func(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error)) *Repository_ListAlarms_Call {
+func (_c *Repository_ListAllAlarms_Call) RunAndReturn(run func(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error)) *Repository_ListAllAlarms_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// ListUserAlarms provides a mock function for the type Repository
+func (_mock *Repository) ListUserAlarms(ctx context.Context, userID string, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	ret := _mock.Called(ctx, userID, pm)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListUserAlarms")
+	}
+
+	var r0 alarms.AlarmsPage
+	var r1 error
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, alarms.PageMetadata) (alarms.AlarmsPage, error)); ok {
+		return returnFunc(ctx, userID, pm)
+	}
+	if returnFunc, ok := ret.Get(0).(func(context.Context, string, alarms.PageMetadata) alarms.AlarmsPage); ok {
+		r0 = returnFunc(ctx, userID, pm)
+	} else {
+		r0 = ret.Get(0).(alarms.AlarmsPage)
+	}
+	if returnFunc, ok := ret.Get(1).(func(context.Context, string, alarms.PageMetadata) error); ok {
+		r1 = returnFunc(ctx, userID, pm)
+	} else {
+		r1 = ret.Error(1)
+	}
+	return r0, r1
+}
+
+// Repository_ListUserAlarms_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListUserAlarms'
+type Repository_ListUserAlarms_Call struct {
+	*mock.Call
+}
+
+// ListUserAlarms is a helper method to define mock.On call
+//   - ctx context.Context
+//   - userID string
+//   - pm alarms.PageMetadata
+func (_e *Repository_Expecter) ListUserAlarms(ctx interface{}, userID interface{}, pm interface{}) *Repository_ListUserAlarms_Call {
+	return &Repository_ListUserAlarms_Call{Call: _e.mock.On("ListUserAlarms", ctx, userID, pm)}
+}
+
+func (_c *Repository_ListUserAlarms_Call) Run(run func(ctx context.Context, userID string, pm alarms.PageMetadata)) *Repository_ListUserAlarms_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		var arg0 context.Context
+		if args[0] != nil {
+			arg0 = args[0].(context.Context)
+		}
+		var arg1 string
+		if args[1] != nil {
+			arg1 = args[1].(string)
+		}
+		var arg2 alarms.PageMetadata
+		if args[2] != nil {
+			arg2 = args[2].(alarms.PageMetadata)
+		}
+		run(
+			arg0,
+			arg1,
+			arg2,
+		)
+	})
+	return _c
+}
+
+func (_c *Repository_ListUserAlarms_Call) Return(alarmsPage alarms.AlarmsPage, err error) *Repository_ListUserAlarms_Call {
+	_c.Call.Return(alarmsPage, err)
+	return _c
+}
+
+func (_c *Repository_ListUserAlarms_Call) RunAndReturn(run func(ctx context.Context, userID string, pm alarms.PageMetadata) (alarms.AlarmsPage, error)) *Repository_ListUserAlarms_Call {
 	_c.Call.Return(run)
 	return _c
 }
@@ -0,0 +1,52 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package operations
+
+import "github.com/absmach/supermq/pkg/permissions"
+
+const EntityType = "alarm"
+
+// Alarm Operations.
+const (
+	OpViewAlarm permissions.Operation = iota
+	OpDeleteAlarm
+	OpListAlarms
+	OpAssignAlarm
+	OpAcknowledgeAlarm
+	OpResolveAlarm
+	OpUpdateAlarm
+)
+
+func OperationDetails() map[permissions.Operation]permissions.OperationDetails {
+	return map[permissions.Operation]permissions.OperationDetails{
+		OpViewAlarm: {
+			Name:               "view",
+			PermissionRequired: true,
+		},
+		OpDeleteAlarm: {
+			Name:               "delete",
+			PermissionRequired: true,
+		},
+		OpListAlarms: {
+			Name:               "list",
+			PermissionRequired: true,
+		},
+		OpAssignAlarm: {
+			Name:               "assign",
+			PermissionRequired: true,
+		},
+		OpAcknowledgeAlarm: {
+			Name:               "acknowledge",
+			PermissionRequired: true,
+		},
+		OpResolveAlarm: {
+			Name:               "resolve",
+			PermissionRequired: true,
+		},
+		OpUpdateAlarm: {
+			Name:               "update",
+			PermissionRequired: true,
+		},
+	}
+}
@@ -20,6 +20,10 @@ import (
 	"github.com/jmoiron/sqlx"
 )

+const alarmColumns = `alarms.id, alarms.rule_id, alarms.domain_id, alarms.channel_id, alarms.client_id, alarms.subtopic, alarms.measurement, alarms.value, alarms.unit,
+alarms.threshold, alarms.cause, alarms.status, alarms.severity, alarms.assignee_id, alarms.created_at, alarms.updated_at, alarms.updated_by, alarms.assigned_at, 
+alarms.assigned_by, alarms.acknowledged_at, alarms.acknowledged_by, alarms.resolved_at, alarms.resolved_by, alarms.metadata`
+
 type repository struct {
 	db *sqlx.DB
 }
@@ -130,7 +134,9 @@ func (r *repository) UpdateAlarm(ctx context.Context, alarm alarms.Alarm) (alarm
 	}

 	q := fmt.Sprintf(`UPDATE alarms SET %s updated_by = :updated_by, updated_at = :updated_at WHERE id = :id
-		RETURNING id, rule_id, measurement, value, unit, cause, status, domain_id, assignee_id, metadata, created_at, updated_by, updated_at, resolved_by, resolved_at;`, upq)
+		RETURNING id, rule_id, domain_id, channel_id, client_id, subtopic, measurement, value, unit, threshold, 
+		cause, status, severity, assignee_id, assigned_at, assigned_by, acknowledged_at, acknowledged_by, 
+		resolved_by, resolved_at, metadata, created_at, updated_by, updated_at;`, upq)

 	dba, err := toDBAlarm(alarm)
 	if err != nil {
@@ -181,32 +187,49 @@ func (r *repository) ViewAlarm(ctx context.Context, alarmID, domainID string) (a
 	return alarm, nil
 }

-func (r *repository) ListAlarms(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+func (r *repository) ListAllAlarms(ctx context.Context, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
 	query, err := pageQuery(pm)
 	if err != nil {
 		return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
 	}

+	comQuery := fmt.Sprintf(`SELECT %s FROM alarms %s`, alarmColumns, query)
+
+	return r.alarmsPage(ctx, comQuery, pm)
+}
+
+func (r *repository) ListUserAlarms(ctx context.Context, userID string, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
+	query, err := pageQuery(pm)
+	if err != nil {
+		return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
+	}
+
+	pm.UserID = userID
+	comQuery := fmt.Sprintf(`SELECT DISTINCT %s
+		FROM alarms
+		INNER JOIN rules_roles rr ON rr.entity_id = alarms.rule_id
+		INNER JOIN rules_role_members rrm ON rrm.role_id = rr.id AND rrm.member_id = :user_id
+		%s`, alarmColumns, query)
+
+	return r.alarmsPage(ctx, comQuery, pm)
+}
+
+func (r *repository) alarmsPage(ctx context.Context, comQuery string, pm alarms.PageMetadata) (alarms.AlarmsPage, error) {
 	dir := api.DescDir
 	if pm.Dir == api.AscDir {
 		dir = api.AscDir
 	}

-	orderClause := ""
-
+	var orderClause string
 	switch pm.Order {
 	case api.CreatedAtOrder:
 		orderClause = fmt.Sprintf("ORDER BY created_at %s, id %s", dir, dir)
-	case api.UpdatedAtOrder:
-		orderClause = fmt.Sprintf("ORDER BY COALESCE(updated_at, created_at) %s, id %s", dir, dir)
 	default:
 		orderClause = fmt.Sprintf("ORDER BY COALESCE(updated_at, created_at) %s, id %s", dir, dir)
 	}

-	q := fmt.Sprintf(`SELECT id, rule_id, domain_id, channel_id, client_id, subtopic, measurement, value, unit,
-			threshold, cause, status, severity, assignee_id, created_at, updated_at, updated_by, assigned_at,
-			assigned_by, acknowledged_at, acknowledged_by, resolved_at, resolved_by, metadata
-			FROM alarms %s %s LIMIT :limit OFFSET :offset;`, query, orderClause)
+	q := fmt.Sprintf(`SELECT * FROM (%s) AS sub_query %s LIMIT :limit OFFSET :offset;`, comQuery, orderClause)
+	cq := fmt.Sprintf(`SELECT COUNT(*) AS total_count FROM (%s) AS sub_query;`, comQuery)

 	rows, err := r.db.NamedQueryContext(ctx, q, pm)
 	if err != nil {
@@ -229,8 +252,7 @@ func (r *repository) ListAlarms(ctx context.Context, pm alarms.PageMetadata) (al
 		items = append(items, a)
 	}

-	q = fmt.Sprintf(`SELECT COUNT(*) FROM alarms %s;`, query)
-	total, err := postgres.Total(ctx, r.db, q, pm)
+	total, err := postgres.Total(ctx, r.db, cq, pm)
 	if err != nil {
 		return alarms.AlarmsPage{}, errors.Wrap(repoerr.ErrViewEntity, err)
 	}
@@ -442,49 +464,49 @@ func toAlarm(dbr dbAlarm) (alarms.Alarm, error) {
 func pageQuery(pm alarms.PageMetadata) (string, error) {
 	var query []string
 	if pm.DomainID != "" {
-		query = append(query, "domain_id = :domain_id")
+		query = append(query, "alarms.domain_id = :domain_id")
 	}
 	if pm.RuleID != "" {
-		query = append(query, "rule_id = :rule_id")
+		query = append(query, "alarms.rule_id = :rule_id")
 	}
 	if pm.ChannelID != "" {
-		query = append(query, "channel_id = :channel_id")
+		query = append(query, "alarms.channel_id = :channel_id")
 	}
 	if pm.Subtopic != "" {
-		query = append(query, "subtopic = :subtopic")
+		query = append(query, "alarms.subtopic = :subtopic")
 	}
 	if pm.ClientID != "" {
-		query = append(query, "client_id = :client_id")
+		query = append(query, "alarms.client_id = :client_id")
 	}
 	if pm.Measurement != "" {
-		query = append(query, "measurement = :measurement")
+		query = append(query, "alarms.measurement = :measurement")
 	}
 	if pm.Status != alarms.AllStatus {
-		query = append(query, "status = :status")
+		query = append(query, "alarms.status = :status")
 	}
 	if pm.Severity != math.MaxUint8 {
-		query = append(query, "severity = :severity")
+		query = append(query, "alarms.severity = :severity")
 	}
 	if pm.AssigneeID != "" {
-		query = append(query, "assignee_id = :assignee_id")
+		query = append(query, "alarms.assignee_id = :assignee_id")
 	}
 	if pm.UpdatedBy != "" {
-		query = append(query, "updated_by = :updated_by")
+		query = append(query, "alarms.updated_by = :updated_by")
 	}
 	if pm.ResolvedBy != "" {
-		query = append(query, "resolved_by = :resolved_by")
+		query = append(query, "alarms.resolved_by = :resolved_by")
 	}
 	if pm.AcknowledgedBy != "" {
-		query = append(query, "acknowledged_by = :acknowledged_by")
+		query = append(query, "alarms.acknowledged_by = :acknowledged_by")
 	}
 	if pm.AssignedBy != "" {
-		query = append(query, "assigned_by = :assigned_by")
+		query = append(query, "alarms.assigned_by = :assigned_by")
 	}
 	if !pm.CreatedFrom.IsZero() {
-		query = append(query, "created_at >= :created_from")
+		query = append(query, "alarms.created_at >= :created_from")
 	}
 	if !pm.CreatedTo.IsZero() {
-		query = append(query, "created_at <= :created_to")
+		query = append(query, "alarms.created_at <= :created_to")
 	}

 	var emq string
@@ -34,11 +34,11 @@ func TestCreateAlarm(t *testing.T) {
 	repo := postgres.NewAlarmsRepo(db)

 	alarm := alarms.Alarm{
-		ID:          generateUUID(&testing.T{}),
-		RuleID:      generateUUID(&testing.T{}),
-		DomainID:    generateUUID(&testing.T{}),
-		ChannelID:   generateUUID(&testing.T{}),
-		ClientID:    generateUUID(&testing.T{}),
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
 		Subtopic:    namegen.Generate(),
 		Measurement: namegen.Generate(),
 		Value:       namegen.Generate(),
@@ -46,8 +46,8 @@ func TestCreateAlarm(t *testing.T) {
 		Threshold:   namegen.Generate(),
 		Cause:       namegen.Generate(),
 		Status:      0,
-		AssigneeID:  generateUUID(&testing.T{}),
-		CreatedAt:   time.Now().Local(),
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
 		Metadata: map[string]any{
 			"key": "value",
 		},
@@ -71,10 +71,10 @@ func TestCreateAlarm(t *testing.T) {
 		{
 			desc: "missing rule id",
 			alarm: alarms.Alarm{
-				ID:          generateUUID(&testing.T{}),
-				DomainID:    generateUUID(&testing.T{}),
-				ChannelID:   generateUUID(&testing.T{}),
-				ClientID:    generateUUID(&testing.T{}),
+				ID:          generateUUID(t),
+				DomainID:    generateUUID(t),
+				ChannelID:   generateUUID(t),
+				ClientID:    generateUUID(t),
 				Subtopic:    namegen.Generate(),
 				Measurement: namegen.Generate(),
 				Value:       namegen.Generate(),
@@ -82,8 +82,8 @@ func TestCreateAlarm(t *testing.T) {
 				Threshold:   namegen.Generate(),
 				Cause:       namegen.Generate(),
 				Status:      0,
-				AssigneeID:  generateUUID(&testing.T{}),
-				CreatedAt:   time.Now().Local(),
+				AssigneeID:  generateUUID(t),
+				CreatedAt:   time.Now().UTC(),

 				Metadata: map[string]any{
 					"key": "value",
@@ -94,10 +94,10 @@ func TestCreateAlarm(t *testing.T) {
 		{
 			desc: "invalid alarm",
 			alarm: alarms.Alarm{
-				ID:          generateUUID(&testing.T{}),
-				DomainID:    generateUUID(&testing.T{}),
-				ChannelID:   generateUUID(&testing.T{}),
-				ClientID:    generateUUID(&testing.T{}),
+				ID:          generateUUID(t),
+				DomainID:    generateUUID(t),
+				ChannelID:   generateUUID(t),
+				ClientID:    generateUUID(t),
 				Subtopic:    namegen.Generate(),
 				Measurement: namegen.Generate(),
 				Value:       namegen.Generate(),
@@ -105,8 +105,8 @@ func TestCreateAlarm(t *testing.T) {
 				Threshold:   namegen.Generate(),
 				Cause:       namegen.Generate(),
 				Status:      0,
-				AssigneeID:  generateUUID(&testing.T{}),
-				CreatedAt:   time.Now().Local(),
+				AssigneeID:  generateUUID(t),
+				CreatedAt:   time.Now().UTC(),

 				Metadata: map[string]any{
 					"key": make(chan int),
@@ -129,17 +129,17 @@ func TestCreateAlarm(t *testing.T) {

 				return
 			}
-			require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
-			require.NotEmpty(t, alarm.ID)
-			require.Equal(t, tc.alarm.RuleID, alarm.RuleID)
-			require.Equal(t, tc.alarm.Measurement, alarm.Measurement)
-			require.Equal(t, tc.alarm.Value, alarm.Value)
-			require.Equal(t, tc.alarm.Unit, alarm.Unit)
-			require.Equal(t, tc.alarm.Cause, alarm.Cause)
-			require.Equal(t, tc.alarm.Status, alarm.Status)
-			require.Equal(t, tc.alarm.DomainID, alarm.DomainID)
-			require.Equal(t, tc.alarm.AssigneeID, alarm.AssigneeID)
-			require.Equal(t, tc.alarm.Metadata, alarm.Metadata)
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.NotEmpty(t, alarm.ID)
+			assert.Equal(t, tc.alarm.RuleID, alarm.RuleID)
+			assert.Equal(t, tc.alarm.Measurement, alarm.Measurement)
+			assert.Equal(t, tc.alarm.Value, alarm.Value)
+			assert.Equal(t, tc.alarm.Unit, alarm.Unit)
+			assert.Equal(t, tc.alarm.Cause, alarm.Cause)
+			assert.Equal(t, tc.alarm.Status, alarm.Status)
+			assert.Equal(t, tc.alarm.DomainID, alarm.DomainID)
+			assert.Equal(t, tc.alarm.AssigneeID, alarm.AssigneeID)
+			assert.Equal(t, tc.alarm.Metadata, alarm.Metadata)
 		})
 	}
 }
@@ -153,19 +153,19 @@ func TestUpdateAlarm(t *testing.T) {
 	repo := postgres.NewAlarmsRepo(db)

 	alarm := alarms.Alarm{
-		ID:          generateUUID(&testing.T{}),
-		RuleID:      generateUUID(&testing.T{}),
-		DomainID:    generateUUID(&testing.T{}),
-		ChannelID:   generateUUID(&testing.T{}),
-		ClientID:    generateUUID(&testing.T{}),
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
 		Measurement: namegen.Generate(),
 		Value:       namegen.Generate(),
 		Unit:        namegen.Generate(),
 		Threshold:   namegen.Generate(),
 		Cause:       namegen.Generate(),
 		Status:      0,
-		AssigneeID:  generateUUID(&testing.T{}),
-		CreatedAt:   time.Now().Local(),
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
 		Metadata: map[string]any{
 			"key": "value",
 		},
@@ -181,15 +181,19 @@ func TestUpdateAlarm(t *testing.T) {
 		{
 			desc: "valid alarm",
 			alarm: alarms.Alarm{
-				ID:         alarm.ID,
-				Status:     alarms.ActiveStatus,
-				DomainID:   alarm.DomainID,
-				AssigneeID: generateUUID(&testing.T{}),
-				CreatedAt:  alarm.CreatedAt,
-				UpdatedAt:  time.Now().Local(),
-				UpdatedBy:  generateUUID(&testing.T{}),
-				ResolvedAt: time.Now().Local(),
-				ResolvedBy: generateUUID(&testing.T{}),
+				ID:             alarm.ID,
+				Status:         alarms.ClearedStatus,
+				DomainID:       alarm.DomainID,
+				AssigneeID:     generateUUID(t),
+				AssignedBy:     generateUUID(t),
+				AssignedAt:     time.Now().UTC(),
+				AcknowledgedBy: generateUUID(t),
+				AcknowledgedAt: time.Now().UTC(),
+				CreatedAt:      alarm.CreatedAt,
+				UpdatedAt:      time.Now().UTC(),
+				UpdatedBy:      generateUUID(t),
+				ResolvedAt:     time.Now().UTC(),
+				ResolvedBy:     generateUUID(t),
 				Metadata: map[string]any{
 					"key": "value",
 				},
@@ -199,7 +203,7 @@ func TestUpdateAlarm(t *testing.T) {
 		{
 			desc: "non existing alarm",
 			alarm: alarms.Alarm{
-				ID: generateUUID(&testing.T{}),
+				ID: generateUUID(t),
 			},
 			err: repoerr.ErrNotFound,
 		},
@@ -207,11 +211,11 @@ func TestUpdateAlarm(t *testing.T) {
 			desc: "invalid alarm",
 			alarm: alarms.Alarm{
 				ID:         alarm.ID,
-				RuleID:     generateUUID(&testing.T{}),
+				RuleID:     generateUUID(t),
 				Status:     0,
-				DomainID:   generateUUID(&testing.T{}),
+				DomainID:   generateUUID(t),
 				AssigneeID: strings.Repeat("a", 40),
-				CreatedAt:  time.Now().Local(),
+				CreatedAt:  time.Now().UTC(),
 				Metadata: map[string]any{
 					"key": "value",
 				},
@@ -233,12 +237,15 @@ func TestUpdateAlarm(t *testing.T) {

 				return
 			}
-			require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
-			require.NotEmpty(t, alarm.ID)
-			require.Equal(t, tc.alarm.Status, alarm.Status)
-			require.Equal(t, tc.alarm.DomainID, alarm.DomainID)
-			require.Equal(t, tc.alarm.AssigneeID, alarm.AssigneeID)
-			require.Equal(t, tc.alarm.Metadata, alarm.Metadata)
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.NotEmpty(t, alarm.ID)
+			assert.Equal(t, tc.alarm.Status, alarm.Status)
+			assert.Equal(t, tc.alarm.DomainID, alarm.DomainID)
+			assert.Equal(t, tc.alarm.AssigneeID, alarm.AssigneeID)
+			assert.Equal(t, tc.alarm.UpdatedBy, alarm.UpdatedBy)
+			assert.Equal(t, tc.alarm.ResolvedBy, alarm.ResolvedBy)
+			assert.Equal(t, tc.alarm.AcknowledgedBy, alarm.AcknowledgedBy)
+			assert.Equal(t, tc.alarm.Metadata, alarm.Metadata)
 		})
 	}
 }
@@ -252,19 +259,19 @@ func TestViewAlarm(t *testing.T) {
 	repo := postgres.NewAlarmsRepo(db)

 	alarm := alarms.Alarm{
-		ID:          generateUUID(&testing.T{}),
-		RuleID:      generateUUID(&testing.T{}),
-		DomainID:    generateUUID(&testing.T{}),
-		ChannelID:   generateUUID(&testing.T{}),
-		ClientID:    generateUUID(&testing.T{}),
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
 		Measurement: namegen.Generate(),
 		Value:       namegen.Generate(),
 		Unit:        namegen.Generate(),
 		Threshold:   namegen.Generate(),
 		Cause:       namegen.Generate(),
 		Status:      0,
-		AssigneeID:  generateUUID(&testing.T{}),
-		CreatedAt:   time.Now().Local(),
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
 		Metadata: map[string]any{
 			"key": "value",
 		},
@@ -286,14 +293,14 @@ func TestViewAlarm(t *testing.T) {
 		},
 		{
 			desc:     "non existing alarm id",
-			id:       generateUUID(&testing.T{}),
+			id:       generateUUID(t),
 			domainID: alarm.DomainID,
 			err:      repoerr.ErrNotFound,
 		},
 		{
 			desc:     "non existing domain id",
 			id:       alarm.ID,
-			domainID: generateUUID(&testing.T{}),
+			domainID: generateUUID(t),
 			err:      repoerr.ErrNotFound,
 		},
 	}
@@ -306,9 +313,9 @@ func TestViewAlarm(t *testing.T) {

 				return
 			}
-			require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
-			require.NotEmpty(t, alarm.ID)
-			require.Equal(t, tc.id, alarm.ID)
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.NotEmpty(t, alarm.ID)
+			assert.Equal(t, tc.id, alarm.ID)
 		})
 	}
 }
@@ -322,19 +329,19 @@ func TestListAlarms(t *testing.T) {
 	items := make([]alarms.Alarm, 1000)
 	for i := range 1000 {
 		items[i] = alarms.Alarm{
-			ID:          generateUUID(&testing.T{}),
-			RuleID:      generateUUID(&testing.T{}),
-			DomainID:    generateUUID(&testing.T{}),
-			ChannelID:   generateUUID(&testing.T{}),
-			ClientID:    generateUUID(&testing.T{}),
+			ID:          generateUUID(t),
+			RuleID:      generateUUID(t),
+			DomainID:    generateUUID(t),
+			ChannelID:   generateUUID(t),
+			ClientID:    generateUUID(t),
 			Measurement: namegen.Generate(),
 			Value:       namegen.Generate(),
 			Unit:        namegen.Generate(),
 			Threshold:   namegen.Generate(),
 			Cause:       namegen.Generate(),
 			Status:      0,
-			AssigneeID:  generateUUID(&testing.T{}),
-			CreatedAt:   time.Now().Local(),
+			AssigneeID:  generateUUID(t),
+			CreatedAt:   time.Now().UTC(),
 			Metadata: map[string]any{
 				"key": "value",
 			},
@@ -388,7 +395,7 @@ func TestListAlarms(t *testing.T) {
 			pm: alarms.PageMetadata{
 				Offset:     0,
 				Limit:      10,
-				AssigneeID: generateUUID(&testing.T{}),
+				AssigneeID: generateUUID(t),
 			},
 			response: []alarms.Alarm{},
 			err:      nil,
@@ -396,14 +403,192 @@ func TestListAlarms(t *testing.T) {
 	}
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			alarms, err := repo.ListAlarms(context.Background(), tc.pm)
+			alarms, err := repo.ListAllAlarms(context.Background(), tc.pm)
 			if tc.err != nil {
 				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))

 				return
 			}
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.Equal(t, len(tc.response), len(alarms.Alarms))
+		})
+	}
+}
+
+func TestListUserAlarms(t *testing.T) {
+	t.Cleanup(func() {
+		_, err := db.Exec("DELETE FROM alarms")
+		require.Nil(t, err, fmt.Sprintf("clean alarms unexpected error: %s", err))
+		_, err = db.Exec("DELETE FROM rules")
+		require.Nil(t, err, fmt.Sprintf("clean rules unexpected error: %s", err))
+	})
+
+	repo := postgres.NewAlarmsRepo(db)
+
+	domainID := generateUUID(t)
+	userID := generateUUID(t)
+	otherUserID := generateUUID(t)
+	adminUserID := generateUUID(t)
+
+	// Create 10 rules and 10 alarms referencing them.
+	// Assign userID to the first 6 rules via role membership.
+	var ruleIDs []string
+	var createdAlarms []alarms.Alarm
+	for i := range 10 {
+		ruleID := generateUUID(t)
+		_, err := db.Exec(`INSERT INTO rules (id, name, domain_id, status, logic_type, logic_value) VALUES ($1, $2, $3, 0, 0, '')`,
+			ruleID, fmt.Sprintf("rule-%d", i), domainID)
+		require.Nil(t, err, fmt.Sprintf("insert rule unexpected error: %s", err))
+		ruleIDs = append(ruleIDs, ruleID)
+
+		alarm := alarms.Alarm{
+			ID:          generateUUID(t),
+			RuleID:      ruleID,
+			DomainID:    domainID,
+			ChannelID:   generateUUID(t),
+			ClientID:    generateUUID(t),
+			Measurement: namegen.Generate(),
+			Value:       namegen.Generate(),
+			Unit:        namegen.Generate(),
+			Threshold:   namegen.Generate(),
+			Cause:       namegen.Generate(),
+			Status:      0,
+			AssigneeID:  generateUUID(t),
+			CreatedAt:   time.Now().UTC().Add(time.Duration(i) * time.Minute),
+		}
+		alarm, err = repo.CreateAlarm(context.Background(), alarm)
+		require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+		createdAlarms = append(createdAlarms, alarm)
+	}
+
+	// Assign userID to the first 6 rules via rules_roles + rules_role_members.
+	userRoleIDs := make([]string, 6)
+	for i := range 6 {
+		roleID := generateUUID(t)
+		userRoleIDs[i] = roleID
+		_, err := db.Exec(`INSERT INTO rules_roles (id, name, entity_id) VALUES ($1, $2, $3)`, roleID, "admin", ruleIDs[i])
+		require.Nil(t, err, fmt.Sprintf("insert rules_roles unexpected error: %s", err))
+		_, err = db.Exec(`INSERT INTO rules_role_members (role_id, member_id, entity_id) VALUES ($1, $2, $3)`, roleID, userID, ruleIDs[i])
+		require.Nil(t, err, fmt.Sprintf("insert rules_role_members unexpected error: %s", err))
+	}
+
+	for i := range 10 {
+		var roleID string
+		if i < 6 {
+			roleID = userRoleIDs[i]
+		} else {
+			roleID = generateUUID(t)
+			_, err := db.Exec(`INSERT INTO rules_roles (id, name, entity_id) VALUES ($1, $2, $3)`, roleID, "admin", ruleIDs[i])
+			require.Nil(t, err, fmt.Sprintf("insert rules_roles unexpected error: %s", err))
+		}
+		_, err := db.Exec(`INSERT INTO rules_role_members (role_id, member_id, entity_id) VALUES ($1, $2, $3)`, roleID, adminUserID, ruleIDs[i])
+		require.Nil(t, err, fmt.Sprintf("insert rules_role_members unexpected error: %s", err))
+	}
+
+	_ = createdAlarms
+
+	cases := []struct {
+		desc   string
+		userID string
+		pm     alarms.PageMetadata
+		count  int
+		err    error
+	}{
+		{
+			desc:   "list user alarms returns only accessible alarms",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 6,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with limit",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  3,
+			},
+			count: 3,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with offset",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 4,
+				Limit:  100,
+			},
+			count: 2,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with domain filter",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				DomainID: domainID,
+				Offset:   0,
+				Limit:    100,
+			},
+			count: 6,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms with non-existing domain returns 0",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				DomainID: generateUUID(t),
+				Offset:   0,
+				Limit:    100,
+			},
+			count: 0,
+			err:   nil,
+		},
+		{
+			desc:   "list alarms for user with no role assignments returns 0",
+			userID: otherUserID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 0,
+			err:   nil,
+		},
+		{
+			desc:   "list alarms for admin user with role on all rules returns all alarms",
+			userID: adminUserID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+			},
+			count: 10,
+			err:   nil,
+		},
+		{
+			desc:   "list user alarms ordered by created_at ascending",
+			userID: userID,
+			pm: alarms.PageMetadata{
+				Offset: 0,
+				Limit:  100,
+				Order:  "created_at",
+				Dir:    "asc",
+			},
+			count: 6,
+			err:   nil,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.desc, func(t *testing.T) {
+			page, err := repo.ListUserAlarms(context.Background(), tc.userID, tc.pm)
+			if tc.err != nil {
+				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
+				return
+			}
 			require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
-			require.Equal(t, len(tc.response), len(alarms.Alarms))
+			assert.Equal(t, tc.count, len(page.Alarms), fmt.Sprintf("%s: expected %d alarms, got %d", tc.desc, tc.count, len(page.Alarms)))
 		})
 	}
 }
@@ -417,19 +602,19 @@ func TestDeleteAlarm(t *testing.T) {
 	repo := postgres.NewAlarmsRepo(db)

 	alarm := alarms.Alarm{
-		ID:          generateUUID(&testing.T{}),
-		RuleID:      generateUUID(&testing.T{}),
-		DomainID:    generateUUID(&testing.T{}),
-		ChannelID:   generateUUID(&testing.T{}),
-		ClientID:    generateUUID(&testing.T{}),
+		ID:          generateUUID(t),
+		RuleID:      generateUUID(t),
+		DomainID:    generateUUID(t),
+		ChannelID:   generateUUID(t),
+		ClientID:    generateUUID(t),
 		Measurement: namegen.Generate(),
 		Value:       namegen.Generate(),
 		Unit:        namegen.Generate(),
 		Threshold:   namegen.Generate(),
 		Cause:       namegen.Generate(),
 		Status:      0,
-		AssigneeID:  generateUUID(&testing.T{}),
-		CreatedAt:   time.Now().Local(),
+		AssigneeID:  generateUUID(t),
+		CreatedAt:   time.Now().UTC(),
 		Metadata: map[string]any{
 			"key": "value",
 		},
@@ -449,7 +634,7 @@ func TestDeleteAlarm(t *testing.T) {
 		},
 		{
 			desc: "non existing alarm",
-			id:   generateUUID(&testing.T{}),
+			id:   generateUUID(t),
 			err:  repoerr.ErrNotFound,
 		},
 	}
@@ -462,7 +647,7 @@ func TestDeleteAlarm(t *testing.T) {

 				return
 			}
-			require.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
+			assert.Nil(t, err, fmt.Sprintf("unexpected error: %s", err))
 		})
 	}
 }
@@ -4,13 +4,16 @@
 package postgres

 import (
+	rpostgres "github.com/absmach/magistrala/re/postgres"
+	"github.com/absmach/supermq/pkg/errors"
+	repoerr "github.com/absmach/supermq/pkg/errors/repository"
 	_ "github.com/jackc/pgx/v5/stdlib" // required for SQL access
 	migrate "github.com/rubenv/sql-migrate"
 )

-// Migration of Users service.
-func Migration() *migrate.MemoryMigrationSource {
-	return &migrate.MemoryMigrationSource{
+// Migration of Alarms service.
+func Migration() (*migrate.MemoryMigrationSource, error) {
+	alarmsMigration := &migrate.MemoryMigrationSource{
 		Migrations: []*migrate.Migration{
 			{
 				Id: "alarms_01",
@@ -50,4 +53,13 @@ func Migration() *migrate.MemoryMigrationSource {
 			},
 		},
 	}
+
+	rulesMigration, err := rpostgres.Migration()
+	if err != nil {
+		return &migrate.MemoryMigrationSource{}, errors.Wrap(repoerr.ErrRoleMigration, err)
+	}
+
+	alarmsMigration.Migrations = append(alarmsMigration.Migrations, rulesMigration.Migrations...)
+
+	return alarmsMigration, nil
 }
@@ -75,7 +75,11 @@ func TestMain(m *testing.M) {
 		SSLRootCert: "",
 	}

-	if db, err = postgres.Setup(dbConfig, *apostgres.Migration()); err != nil {
+	migration, err := apostgres.Migration()
+	if err != nil {
+		log.Fatalf("Could not get migration: %s", err)
+	}
+	if db, err = postgres.Setup(dbConfig, *migration); err != nil {
 		log.Fatalf("Could not setup test DB connection: %s", err)
 	}

@@ -43,6 +43,7 @@ func (s *service) CreateAlarm(ctx context.Context, alarm Alarm) error {
 	if _, err = s.repo.CreateAlarm(ctx, alarm); err != nil && err != repoerr.ErrNotFound {
 		return err
 	}
+
 	return nil
 }

@@ -51,7 +52,10 @@ func (s *service) ViewAlarm(ctx context.Context, session authn.Session, alarmID
 }

 func (s *service) ListAlarms(ctx context.Context, session authn.Session, pm PageMetadata) (AlarmsPage, error) {
-	return s.repo.ListAlarms(ctx, pm)
+	if session.SuperAdmin {
+		return s.repo.ListAllAlarms(ctx, pm)
+	}
+	return s.repo.ListUserAlarms(ctx, session.UserID, pm)
 }

 func (s *service) DeleteAlarm(ctx context.Context, session authn.Session, alarmID string) error {
@@ -6,14 +6,13 @@ package alarms_test
 import (
 	"context"
 	"fmt"
-	"math"
 	"testing"
 	"time"

 	"github.com/absmach/magistrala/alarms"
 	"github.com/absmach/magistrala/alarms/mocks"
-	"github.com/absmach/magistrala/pkg/errors"
 	"github.com/absmach/supermq/pkg/authn"
+	"github.com/absmach/supermq/pkg/errors"
 	repoerr "github.com/absmach/supermq/pkg/errors/repository"
 	"github.com/absmach/supermq/pkg/uuid"
 	"github.com/stretchr/testify/assert"
@@ -22,9 +21,13 @@ import (

 var idp = uuid.New()

+func newService(t *testing.T, repo *mocks.Repository) alarms.Service {
+	return alarms.NewService(idp, repo)
+}
+
 func TestCreateAlarm(t *testing.T) {
 	repo := new(mocks.Repository)
-	svc := alarms.NewService(idp, repo)
+	svc := newService(t, repo)
 	ts := time.Now()
 	cases := []struct {
 		desc  string
@@ -69,33 +72,16 @@ func TestCreateAlarm(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
 			repoCall := repo.On("CreateAlarm", context.Background(), mock.Anything).Return(tc.alarm, tc.err)
-			repoCall1 := repo.On("ListAlarms", context.Background(), alarms.PageMetadata{
-				Offset: 0, Limit: 1,
-				DomainID:    tc.alarm.DomainID,
-				ChannelID:   tc.alarm.ChannelID,
-				ClientID:    tc.alarm.ClientID,
-				Subtopic:    tc.alarm.Subtopic,
-				Measurement: tc.alarm.Measurement,
-				RuleID:      tc.alarm.RuleID,
-				Status:      alarms.AllStatus,
-				Severity:    math.MaxUint8,
-				CreatedTo:   tc.alarm.CreatedAt,
-			}).Return(alarms.AlarmsPage{}, tc.err)
 			err := svc.CreateAlarm(context.Background(), tc.alarm)
-			if tc.err != nil {
-				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
-
-				return
-			}
+			assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
 			repoCall.Unset()
-			repoCall1.Unset()
 		})
 	}
 }

 func TestViewAlarm(t *testing.T) {
 	repo := new(mocks.Repository)
-	svc := alarms.NewService(idp, repo)
+	svc := newService(t, repo)

 	cases := []struct {
 		desc     string
@@ -134,7 +120,7 @@ func TestViewAlarm(t *testing.T) {

 func TestUpdateAlarm(t *testing.T) {
 	repo := new(mocks.Repository)
-	svc := alarms.NewService(idp, repo)
+	svc := newService(t, repo)

 	cases := []struct {
 		desc  string
@@ -192,7 +178,7 @@ func TestUpdateAlarm(t *testing.T) {

 func TestListAlarms(t *testing.T) {
 	repo := new(mocks.Repository)
-	svc := alarms.NewService(idp, repo)
+	svc := newService(t, repo)

 	cases := []struct {
 		desc string
@@ -219,7 +205,7 @@ func TestListAlarms(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
 			s := authn.Session{DomainID: tc.pm.DomainID}
-			repoCall := repo.On("ListAlarms", context.Background(), tc.pm).Return(tc.page, tc.err)
+			repoCall := repo.On("ListUserAlarms", context.Background(), s.UserID, tc.pm).Return(tc.page, tc.err)
 			_, err := svc.ListAlarms(context.Background(), s, tc.pm)
 			if tc.err != nil {
 				assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", tc.desc, tc.err, err))
@@ -233,7 +219,7 @@ func TestListAlarms(t *testing.T) {

 func TestDeleteAlarm(t *testing.T) {
 	repo := new(mocks.Repository)
-	svc := alarms.NewService(idp, repo)
+	svc := newService(t, repo)

 	cases := []struct {
 		desc string
@@ -9,7 +9,7 @@ info:
  contact:
    name: Magistrala Team
    url: 'https://github.com/absmach/magistrala'
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  description: |
    MQTT adapter provides an MQTT API for sending messages through the platform. MQTT adapter uses [mProxy](https://github.com/absmach/mproxy) for proxying traffic between client and MQTT broker.
    Additionally, the MQTT adapter and the message broker are replicating the traffic between brokers.
@@ -10,7 +10,7 @@ info:
  contact:
    name: Magistrala Team
    url: 'https://github.com/absmach/magistrala'
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
    url: 'https://github.com/absmach/magistrala/blob/main/LICENSE'
@@ -2,4 +2,4 @@

 This folder contains an OpenAPI specifications for Magistrala API.

-View specification in Swagger UI at [docs.api.magistrala.abstractmachines.fr](https://docs.api.magistrala.abstractmachines.fr)
+View specification in Swagger UI at [docs.api.magistrala.absmach.eu](https://docs.api.magistrala.absmach.eu)
@@ -9,11 +9,11 @@ info:
    Some useful links:
    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
    url: https://github.com/absmach/magistrala/blob/main/LICENSE
-  version: 0.15.1
+  version: 0.18.5

 servers:
  - url: http://localhost:8050
@@ -9,11 +9,11 @@ info:
    Some useful links:
    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
    url: https://github.com/absmach/magistrala/blob/main/LICENSE
-  version: 0.15.1
+  version: 0.18.5

 servers:
  - url: http://localhost:9013
@@ -9,11 +9,11 @@ info:
    Some useful links:
    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
    url: https://github.com/absmach/magistrala/blob/main/LICENSE
-  version: 0.15.1
+  version: 0.18.5

 servers:
  - url: http://localhost:9014
@@ -9,11 +9,11 @@ info:
    Some useful links:
    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
    url: https://github.com/absmach/magistrala/blob/main/LICENSE
-  version: 0.15.1
+  version: 0.18.5

 servers:
  - url: http://localhost:9003
@@ -6,7 +6,7 @@ info:
  title: Magistrala Reports Service API
  description: |
    HTTP API for managing reports service.
-  version: 0.15.1
+  version: 0.18.5
 servers:
  - url: http://localhost:9017
 tags:
@@ -9,11 +9,11 @@ info:
    Some useful links:
    - [The Magistrala repository](https://github.com/absmach/magistrala)
  contact:
-    email: info@abstractmachines.fr
+    email: info@absmach.eu
  license:
    name: Apache 2.0
    url: https://github.com/absmach/magistrala/blob/main/LICENSE
-  version: 0.15.1
+  version: 0.18.5

 servers:
  - url: http://localhost:9008
@@ -119,4 +119,4 @@ Setting `SMQ_AUTH_GRPC_CLIENT_CERT` and `SMQ_AUTH_GRPC_CLIENT_KEY` will enable T

 ## Usage

-For more information about service capabilities and its usage, please check out the [API documentation](https://docs.api.magistrala.abstractmachines.fr/?urls.primaryName=bootstrap.yaml).
+For more information about service capabilities and its usage, please check out the [API documentation](https://docs.api.magistrala.absmach.eu/?urls.primaryName=bootstrap.yaml).
@@ -89,11 +89,11 @@ var (
 		CACert:       "newca",
 	}

-	missingIDRes  = toJSON(apiutil.ErrorRes{Err: apiutil.ErrMissingID.Error(), Msg: apiutil.ErrValidation.Error()})
-	missingKeyRes = toJSON(apiutil.ErrorRes{Err: apiutil.ErrBearerKey.Error(), Msg: apiutil.ErrValidation.Error()})
-	bsErrorRes    = toJSON(apiutil.ErrorRes{Msg: bootstrap.ErrBootstrap.Error()})
-	extKeyRes     = toJSON(apiutil.ErrorRes{Msg: bootstrap.ErrExternalKey.Error()})
-	extSecKeyRes  = toJSON(apiutil.ErrorRes{Msg: bootstrap.ErrExternalKeySecure.Error()})
+	missingIDRes              = toJSON(apiutil.ErrMissingID)
+	missingKeyRes             = toJSON(apiutil.ErrBearerKey)
+	unknownExternalIDErrorRes = toJSON(svcerr.ErrNotFound)
+	extKeyRes                 = toJSON(bootstrap.ErrExternalKey)
+	extSecKeyRes              = toJSON(bootstrap.ErrExternalKeySecure)
 )

 type testRequest struct {
@@ -257,7 +257,7 @@ func TestAdd(t *testing.T) {
 			domainID:    domainID,
 			token:       validToken,
 			contentType: contentType,
-			status:      http.StatusConflict,
+			status:      http.StatusBadRequest,
 			location:    "",
 			err:         svcerr.ErrConflict,
 		},
@@ -267,7 +267,7 @@ func TestAdd(t *testing.T) {
 			domainID:    domainID,
 			token:       validToken,
 			contentType: contentType,
-			status:      http.StatusConflict,
+			status:      http.StatusBadRequest,
 			location:    "",
 			err:         svcerr.ErrConflict,
 		},
@@ -277,7 +277,7 @@ func TestAdd(t *testing.T) {
 			domainID:    domainID,
 			token:       validToken,
 			contentType: contentType,
-			status:      http.StatusConflict,
+			status:      http.StatusBadRequest,
 			location:    "",
 			err:         svcerr.ErrConflict,
 		},
@@ -1190,9 +1190,9 @@ func TestBootstrap(t *testing.T) {
 			externalID:  unknown,
 			externalKey: c.ExternalKey,
 			status:      http.StatusNotFound,
-			res:         bsErrorRes,
+			res:         unknownExternalIDErrorRes,
 			secure:      false,
-			err:         bootstrap.ErrBootstrap,
+			err:         svcerr.ErrNotFound,
 		},
 		{
 			desc:        "bootstrap a Client with an empty ID",
@@ -1201,7 +1201,7 @@ func TestBootstrap(t *testing.T) {
 			status:      http.StatusBadRequest,
 			res:         missingIDRes,
 			secure:      false,
-			err:         errors.Wrap(bootstrap.ErrBootstrap, svcerr.ErrMalformedEntity),
+			err:         apiutil.ErrMissingID,
 		},
 		{
 			desc:        "bootstrap a Client with unknown key",
@@ -1210,16 +1210,16 @@ func TestBootstrap(t *testing.T) {
 			status:      http.StatusForbidden,
 			res:         extKeyRes,
 			secure:      false,
-			err:         errors.Wrap(bootstrap.ErrExternalKey, errors.New("")),
+			err:         bootstrap.ErrExternalKey,
 		},
 		{
 			desc:        "bootstrap a Client with an empty key",
 			externalID:  c.ExternalID,
 			externalKey: "",
-			status:      http.StatusBadRequest,
+			status:      http.StatusUnauthorized,
 			res:         missingKeyRes,
 			secure:      false,
-			err:         errors.Wrap(bootstrap.ErrBootstrap, svcerr.ErrAuthentication),
+			err:         apiutil.ErrBearerKey,
 		},
 		{
 			desc:        "bootstrap known Client",
@@ -11,7 +11,6 @@ import (
 	"net/url"
 	"strings"

-	mgapi "github.com/absmach/magistrala/api"
 	"github.com/absmach/magistrala/bootstrap"
 	"github.com/absmach/supermq"
 	api "github.com/absmach/supermq/api/http"
@@ -43,7 +42,7 @@ var (
 // MakeHandler returns a HTTP handler for API endpoints.
 func MakeHandler(svc bootstrap.Service, authn smqauthn.AuthNMiddleware, reader bootstrap.ConfigReader, logger *slog.Logger, instanceID string) http.Handler {
 	opts := []kithttp.ServerOption{
-		kithttp.ServerErrorEncoder(apiutil.LoggingErrorEncoder(logger, mgapi.EncodeError)),
+		kithttp.ServerErrorEncoder(apiutil.LoggingErrorEncoder(logger, api.EncodeError)),
 	}

 	r := chi.NewRouter()
@@ -129,14 +128,14 @@ func MakeHandler(svc bootstrap.Service, authn smqauthn.AuthNMiddleware, reader b

 func decodeAddRequest(_ context.Context, r *http.Request) (any, error) {
 	if !strings.Contains(r.Header.Get("Content-Type"), contentType) {
-		return nil, errors.Wrap(apiutil.ErrValidation, apiutil.ErrUnsupportedContentType)
+		return nil, apiutil.ErrUnsupportedContentType
 	}

 	req := addReq{
 		token: apiutil.ExtractBearerToken(r),
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		return nil, errors.Wrap(apiutil.ErrValidation, errors.Wrap(err, errors.ErrMalformedEntity))
+		return nil, errors.Wrap(apiutil.ErrMalformedRequestBody, err)
 	}

 	return req, nil
@@ -144,14 +143,14 @@ func decodeAddRequest(_ context.Context, r *http.Request) (any, error) {

 func decodeUpdateRequest(_ context.Context, r *http.Request) (any, error) {
 	if !strings.Contains(r.Header.Get("Content-Type"), contentType) {
-		return nil, errors.Wrap(apiutil.ErrValidation, apiutil.ErrUnsupportedContentType)
+		return nil, apiutil.ErrUnsupportedContentType
 	}

 	req := updateReq{
 		id: chi.URLParam(r, "configID"),
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		return nil, errors.Wrap(apiutil.ErrValidation, errors.Wrap(err, errors.ErrMalformedEntity))
+		return nil, errors.Wrap(apiutil.ErrMalformedRequestBody, err)
 	}

 	return req, nil
@@ -159,14 +158,14 @@ func decodeUpdateRequest(_ context.Context, r *http.Request) (any, error) {

 func decodeUpdateCertRequest(_ context.Context, r *http.Request) (any, error) {
 	if !strings.Contains(r.Header.Get("Content-Type"), contentType) {
-		return nil, errors.Wrap(apiutil.ErrValidation, apiutil.ErrUnsupportedContentType)
+		return nil, apiutil.ErrUnsupportedContentType
 	}

 	req := updateCertReq{
 		clientID: chi.URLParam(r, "certID"),
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		return nil, errors.Wrap(apiutil.ErrValidation, errors.Wrap(err, errors.ErrMalformedEntity))
+		return nil, errors.Wrap(apiutil.ErrMalformedRequestBody, err)
 	}

 	return req, nil
@@ -174,7 +173,7 @@ func decodeUpdateCertRequest(_ context.Context, r *http.Request) (any, error) {

 func decodeUpdateConnRequest(_ context.Context, r *http.Request) (any, error) {
 	if !strings.Contains(r.Header.Get("Content-Type"), contentType) {
-		return nil, errors.Wrap(apiutil.ErrValidation, apiutil.ErrUnsupportedContentType)
+		return nil, apiutil.ErrUnsupportedContentType
 	}

 	req := updateConnReq{
@@ -182,7 +181,7 @@ func decodeUpdateConnRequest(_ context.Context, r *http.Request) (any, error) {
 		id:    chi.URLParam(r, "connID"),
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		return nil, errors.Wrap(apiutil.ErrValidation, errors.Wrap(err, errors.ErrMalformedEntity))
+		return nil, errors.Wrap(apiutil.ErrMalformedRequestBody, err)
 	}

 	return req, nil
@@ -224,7 +223,7 @@ func decodeBootstrapRequest(_ context.Context, r *http.Request) (any, error) {

 func decodeStateRequest(_ context.Context, r *http.Request) (any, error) {
 	if !strings.Contains(r.Header.Get("Content-Type"), contentType) {
-		return nil, errors.Wrap(apiutil.ErrValidation, apiutil.ErrUnsupportedContentType)
+		return nil, apiutil.ErrUnsupportedContentType
 	}

 	req := changeStateReq{
@@ -232,7 +231,7 @@ func decodeStateRequest(_ context.Context, r *http.Request) (any, error) {
 		id:    chi.URLParam(r, "clientID"),
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		return nil, errors.Wrap(apiutil.ErrValidation, errors.Wrap(err, errors.ErrMalformedEntity))
+		return nil, errors.Wrap(apiutil.ErrMalformedRequestBody, err)
 	}

 	return req, nil
@@ -127,7 +127,7 @@ func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, adminID
 		Permission:  policies.AdminPermission,
 		ObjectType:  policies.PlatformType,
 		Object:      policies.SuperMQObject,
-	}); err != nil {
+	}, nil); err != nil {
 		return err
 	}
 	return nil
@@ -143,7 +143,7 @@ func (am *authorizationMiddleware) authorize(ctx context.Context, domain, subjTy
 		ObjectType:  objType,
 		Object:      obj,
 	}
-	if err := am.authz.Authorize(ctx, req); err != nil {
+	if err := am.authz.Authorize(ctx, req, nil); err != nil {
 		return err
 	}
 	return nil
@@ -104,7 +104,7 @@ func (cr configRepository) RetrieveByID(ctx context.Context, domainID, id string
 	}

 	if !row.Next() {
-		return bootstrap.Config{}, errors.Wrap(repoerr.ErrNotFound, sql.ErrNoRows)
+		return bootstrap.Config{}, repoerr.ErrNotFound
 	}

 	if err := row.StructScan(&dbcfg); err != nil {
@@ -205,7 +205,7 @@ func (cr configRepository) RetrieveByExternalID(ctx context.Context, externalID
 	}

 	if !row.Next() {
-		return bootstrap.Config{}, errors.Wrap(repoerr.ErrNotFound, sql.ErrNoRows)
+		return bootstrap.Config{}, repoerr.ErrNotFound
 	}

 	if err := row.StructScan(&dbcfg); err != nil {
@@ -275,7 +275,7 @@ func (cr configRepository) Update(ctx context.Context, cfg bootstrap.Config) err
 }

 func (cr configRepository) UpdateCert(ctx context.Context, domainID, clientID, clientCert, clientKey, caCert string) (bootstrap.Config, error) {
-	q := `UPDATE configs SET client_cert = :client_cert, client_key = :client_key, ca_cert = :ca_cert WHERE magistrala_client = :magistrala_client AND domain_id = :domain_id 
+	q := `UPDATE configs SET client_cert = :client_cert, client_key = :client_key, ca_cert = :ca_cert WHERE magistrala_client = :magistrala_client AND domain_id = :domain_id
 	RETURNING magistrala_client, client_cert, client_key, ca_cert`

 	dbcfg := dbConfig{
@@ -436,7 +436,7 @@ func (cr configRepository) UpdateChannel(ctx context.Context, c bootstrap.Channe
 		return errors.Wrap(repoerr.ErrUpdateEntity, err)
 	}

-	q := `UPDATE channels SET name = :name, metadata = :metadata, updated_at = :updated_at, updated_by = :updated_by 
+	q := `UPDATE channels SET name = :name, metadata = :metadata, updated_at = :updated_at, updated_by = :updated_by
 			WHERE magistrala_channel = :magistrala_channel`
 	if _, err = cr.db.NamedExecContext(ctx, q, dbch); err != nil {
 		return errors.Wrap(errUpdateChannels, err)
@@ -24,19 +24,19 @@ var (
 	ErrClients = errors.New("failed to receive response from Clients service")

 	// ErrExternalKey indicates a non-existent bootstrap configuration for given external key.
-	ErrExternalKey = errors.New("failed to get bootstrap configuration for given external key")
+	ErrExternalKey = errors.NewAuthZError("failed to get bootstrap configuration for given external key")

 	// ErrExternalKeySecure indicates error in getting bootstrap configuration for given encrypted external key.
-	ErrExternalKeySecure = errors.New("failed to get bootstrap configuration for given encrypted external key")
+	ErrExternalKeySecure = errors.NewAuthZError("failed to get bootstrap configuration for given encrypted external key")

 	// ErrBootstrap indicates error in getting bootstrap configuration.
 	ErrBootstrap = errors.New("failed to read bootstrap configuration")

 	// ErrAddBootstrap indicates error in adding bootstrap configuration.
-	ErrAddBootstrap = errors.New("failed to add bootstrap configuration")
+	ErrAddBootstrap = errors.NewServiceError("failed to add bootstrap configuration")

 	// ErrBootstrapState indicates an invalid bootstrap state.
-	ErrBootstrapState = errors.New("invalid bootstrap state")
+	ErrBootstrapState = errors.NewRequestError("invalid bootstrap state")

 	// ErrNotInSameDomain indicates entities are not in the same domain.
 	errNotInSameDomain = errors.New("entities are not in the same domain")
@@ -8,5 +8,5 @@
 // SuperMQ Users service.
 //
 // For more details about tracing instrumentation for SuperMQ messaging refer
-// to the documentation at https://docs.supermq.abstractmachines.fr/tracing/.
+// to the documentation at https://docs.supermq.absmach.eu/tracing/.
 package tracing
@@ -15,17 +15,23 @@ import (
 	"github.com/absmach/magistrala/alarms/brokers"
 	"github.com/absmach/magistrala/alarms/consumer"
 	"github.com/absmach/magistrala/alarms/middleware"
+	"github.com/absmach/magistrala/alarms/operations"
 	alarmsRepo "github.com/absmach/magistrala/alarms/postgres"
 	"github.com/absmach/magistrala/pkg/prometheus"
+	rconsumer "github.com/absmach/magistrala/pkg/re/events/consumer"
+	rpostgres "github.com/absmach/magistrala/re/postgres"
+	dpostgres "github.com/absmach/supermq/domains/postgres"
 	smqlog "github.com/absmach/supermq/logger"
 	smqauthn "github.com/absmach/supermq/pkg/authn"
 	"github.com/absmach/supermq/pkg/authn/authsvc"
 	authsvcAuthz "github.com/absmach/supermq/pkg/authz/authsvc"
+	dconsumer "github.com/absmach/supermq/pkg/domains/events/consumer"
 	domainsAuthz "github.com/absmach/supermq/pkg/domains/grpcclient"
 	"github.com/absmach/supermq/pkg/grpcclient"
 	"github.com/absmach/supermq/pkg/jaeger"
 	"github.com/absmach/supermq/pkg/messaging"
 	brokerstracing "github.com/absmach/supermq/pkg/messaging/brokers/tracing"
+	"github.com/absmach/supermq/pkg/permissions"
 	"github.com/absmach/supermq/pkg/postgres"
 	"github.com/absmach/supermq/pkg/server"
 	httpserver "github.com/absmach/supermq/pkg/server/http"
@@ -42,14 +48,18 @@ const (
 	defDB            = "alarms"
 	defSvcHTTPPort   = "8050"
 	envPrefixDomains = "SMQ_DOMAINS_GRPC_"
+	alarmEntity      = "alarm"
 )

 type config struct {
-	LogLevel   string  `env:"MG_ALARMS_LOG_LEVEL"    envDefault:"info"`
-	BrokerURL  string  `env:"SMQ_MESSAGE_BROKER_URL" envDefault:"nats://localhost:4222"`
-	InstanceID string  `env:"MG_ALARMS_INSTANCE_ID"  envDefault:""`
-	JaegerURL  url.URL `env:"SMQ_JAEGER_URL"         envDefault:"http://localhost:4318/v1/traces"`
-	TraceRatio float64 `env:"SMQ_JAEGER_TRACE_RATIO" envDefault:"1.0"`
+	LogLevel        string  `env:"MG_ALARMS_LOG_LEVEL"    envDefault:"info"`
+	BrokerURL       string  `env:"SMQ_MESSAGE_BROKER_URL" envDefault:"nats://localhost:4222"`
+	InstanceID      string  `env:"MG_ALARMS_INSTANCE_ID"  envDefault:""`
+	JaegerURL       url.URL `env:"SMQ_JAEGER_URL"         envDefault:"http://localhost:4318/v1/traces"`
+	TraceRatio      float64 `env:"SMQ_JAEGER_TRACE_RATIO" envDefault:"1.0"`
+	ESURL           string  `env:"SMQ_ES_URL"             envDefault:"nats://localhost:4222"`
+	ESConsumerName  string  `env:"MG_ALARMS_EVENT_CONSUMER" envDefault:"alarms"`
+	PermissionsFile string  `env:"SMQ_PERMISSIONS_FILE"             envDefault:"permission.yaml"`
 }

 func main() {
@@ -87,7 +97,14 @@ func main() {
 		logger.Error(err.Error())
 	}

-	db, err := postgres.Setup(dbConfig, *alarmsRepo.Migration())
+	migrations, err := alarmsRepo.Migration()
+	if err != nil {
+		logger.Error(fmt.Sprintf("failed to load migrations: %s", err))
+		exitCode = 1
+		return
+	}
+
+	db, err := postgres.Setup(dbConfig, *migrations)
 	if err != nil {
 		logger.Error(err.Error())
 		exitCode = 1
@@ -138,11 +155,63 @@ func main() {

 	logger.Info("AuthZ successfully connected to auth gRPC server " + authzHandler.Secure())

+	ddatabase := postgres.NewDatabase(db, dbConfig, tracer)
+	drepo := dpostgres.NewRepository(ddatabase)
+
+	if err := dconsumer.DomainsEventsSubscribe(ctx, drepo, cfg.ESURL, cfg.ESConsumerName, logger); err != nil {
+		logger.Error(fmt.Sprintf("failed to create domains event store : %s", err))
+		exitCode = 1
+		return
+	}
+
+	rdatabase := postgres.NewDatabase(db, dbConfig, tracer)
+	rrepo := rpostgres.NewRepository(rdatabase)
+
+	if err := rconsumer.RulesEventsSubscribe(ctx, rrepo, cfg.ESURL, cfg.ESConsumerName, logger); err != nil {
+		logger.Error(fmt.Sprintf("failed to subscribe to rules events: %s", err))
+		exitCode = 1
+		return
+	}
+
 	idp := uuid.New()

 	svc := alarms.NewService(idp, repo)

-	svc = middleware.NewAuthorizationMiddleware(svc, authz)
+	permConfig, err := permissions.ParsePermissionsFile(cfg.PermissionsFile)
+	if err != nil {
+		logger.Error(fmt.Sprintf("failed to parse permissions file: %s", err))
+		exitCode = 1
+		return
+	}
+
+	alarmOps, _, err := permConfig.GetEntityPermissions(alarmEntity)
+	if err != nil {
+		logger.Error(fmt.Sprintf("failed to get alarm permissions: %s", err))
+		exitCode = 1
+		return
+	}
+
+	entitiesOps, err := permissions.NewEntitiesOperations(
+		permissions.EntitiesPermission{
+			operations.EntityType: alarmOps,
+		},
+		permissions.EntitiesOperationDetails[permissions.Operation]{
+			operations.EntityType: operations.OperationDetails(),
+		},
+	)
+	if err != nil {
+		logger.Error(fmt.Sprintf("failed to create entity operations: %s", err))
+		exitCode = 1
+		return
+	}
+
+	svc, err = middleware.NewAuthorizationMiddleware(svc, authz, entitiesOps)
+	if err != nil {
+		logger.Error(fmt.Sprintf("failed to create authorization middleware: %s", err))
+		exitCode = 1
+		return
+	}
+
 	svc = middleware.NewLoggingMiddleware(logger, svc)
 	counter, latency := prometheus.MakeMetrics("alarms", "api")
 	svc = middleware.NewMetricsMiddleware(counter, latency, svc)
@@ -17,11 +17,15 @@ import (
 	mgsdk "github.com/absmach/magistrala/pkg/sdk"
 	"github.com/absmach/magistrala/provision"
 	httpapi "github.com/absmach/magistrala/provision/api"
+	"github.com/absmach/magistrala/provision/middleware"
 	"github.com/absmach/supermq"
 	"github.com/absmach/supermq/channels"
 	"github.com/absmach/supermq/clients"
 	smqlog "github.com/absmach/supermq/logger"
+	smqauthn "github.com/absmach/supermq/pkg/authn"
+	authnsvc "github.com/absmach/supermq/pkg/authn/authsvc"
 	"github.com/absmach/supermq/pkg/errors"
+	"github.com/absmach/supermq/pkg/grpcclient"
 	"github.com/absmach/supermq/pkg/server"
 	httpserver "github.com/absmach/supermq/pkg/server/http"
 	"github.com/absmach/supermq/pkg/uuid"
@@ -30,8 +34,9 @@ import (
 )

 const (
-	svcName     = "provision"
-	contentType = "application/json"
+	svcName       = "provision"
+	contentType   = "application/json"
+	envPrefixAuth = "SMQ_AUTH_GRPC_"
 )

 var (
@@ -65,6 +70,24 @@ func main() {
 		}
 	}

+	grpcCfg := grpcclient.Config{}
+	if err := env.ParseWithOptions(&grpcCfg, env.Options{Prefix: envPrefixAuth}); err != nil {
+		logger.Error(fmt.Sprintf("failed to load auth gRPC client configuration : %s", err))
+		exitCode = 1
+
+		return
+	}
+	authn, authnClient, err := authnsvc.NewAuthentication(ctx, grpcCfg)
+	if err != nil {
+		logger.Error(err.Error())
+		exitCode = 1
+
+		return
+	}
+	defer authnClient.Close()
+	logger.Info("AuthN successfully connected to auth gRPC server " + authnClient.Secure())
+	am := smqauthn.NewAuthNMiddleware(authn)
+
 	if cfgFromFile, err := loadConfigFromFile(cfg.File); err != nil {
 		logger.Warn(fmt.Sprintf("Continue with settings from env, failed to load from: %s: %s", cfg.File, err))
 	} else {
@@ -76,9 +99,10 @@ func main() {

 	SDKCfg := mgsdk.Config{
 		UsersURL:        cfg.Server.UsersURL,
+		ChannelsURL:     cfg.Server.ChannelsURL,
 		ClientsURL:      cfg.Server.ClientsURL,
 		BootstrapURL:    cfg.Server.MgBSURL,
-		CertsURL:        cfg.Server.MgCertsURL,
+		CertsURL:        cfg.Server.CertsURL,
 		MsgContentType:  contentType,
 		TLSVerification: cfg.Server.TLS,
 	}
@@ -91,10 +115,10 @@ func main() {
 	cSdk := csdk.NewSDK(csdkConf)

 	svc := provision.New(cfg, mgSdk, cSdk, logger)
-	svc = httpapi.NewLoggingMiddleware(svc, logger)
+	svc = middleware.NewLogging(svc, logger)

-	httpServerConfig := server.Config{Host: "", Port: cfg.Server.HTTPPort, KeyFile: cfg.Server.ServerKey, CertFile: cfg.Server.ServerCert}
-	hs := httpserver.NewServer(ctx, cancel, svcName, httpServerConfig, httpapi.MakeHandler(svc, logger, cfg.InstanceID), logger)
+	httpServerConfig := server.Config{Host: "", Port: cfg.Server.Port, KeyFile: cfg.Server.ServerKey, CertFile: cfg.Server.ServerCert}
+	hs := httpserver.NewServer(ctx, cancel, svcName, httpServerConfig, httpapi.MakeHandler(svc, am, logger, cfg.InstanceID), logger)

 	if cfg.SendTelemetry {
 		chc := chclient.New(svcName, supermq.Version, logger, cancel)
@@ -20,33 +20,47 @@ import (
 	"github.com/absmach/magistrala/internal/email"
 	"github.com/absmach/magistrala/pkg/emailer"
 	pkglog "github.com/absmach/magistrala/pkg/logger"
+	"github.com/absmach/magistrala/pkg/prometheus"
 	"github.com/absmach/magistrala/pkg/ticker"
 	"github.com/absmach/magistrala/re"
 	httpapi "github.com/absmach/magistrala/re/api"
 	"github.com/absmach/magistrala/re/events"
 	"github.com/absmach/magistrala/re/middleware"
+	"github.com/absmach/magistrala/re/operations"
 	repg "github.com/absmach/magistrala/re/postgres"
 	grpcClient "github.com/absmach/magistrala/readers/api/grpc"
 	"github.com/absmach/supermq"
+	dpostgres "github.com/absmach/supermq/domains/postgres"
 	smqlog "github.com/absmach/supermq/logger"
 	smqauthn "github.com/absmach/supermq/pkg/authn"
 	authnsvc "github.com/absmach/supermq/pkg/authn/authsvc"
 	mgauthz "github.com/absmach/supermq/pkg/authz"
 	authzsvc "github.com/absmach/supermq/pkg/authz/authsvc"
 	"github.com/absmach/supermq/pkg/callout"
+	dconsumer "github.com/absmach/supermq/pkg/domains/events/consumer"
 	domainsAuthz "github.com/absmach/supermq/pkg/domains/grpcclient"
 	"github.com/absmach/supermq/pkg/grpcclient"
 	jaegerclient "github.com/absmach/supermq/pkg/jaeger"
 	"github.com/absmach/supermq/pkg/messaging"
 	smqbrokers "github.com/absmach/supermq/pkg/messaging/brokers"
 	brokerstracing "github.com/absmach/supermq/pkg/messaging/brokers/tracing"
+	"github.com/absmach/supermq/pkg/permissions"
+	"github.com/absmach/supermq/pkg/policies"
+	"github.com/absmach/supermq/pkg/policies/spicedb"
 	pgclient "github.com/absmach/supermq/pkg/postgres"
+	"github.com/absmach/supermq/pkg/roles"
 	"github.com/absmach/supermq/pkg/server"
 	httpserver "github.com/absmach/supermq/pkg/server/http"
+	spicedbdecoder "github.com/absmach/supermq/pkg/spicedb"
 	"github.com/absmach/supermq/pkg/uuid"
+	"github.com/authzed/authzed-go/v1"
+	"github.com/authzed/grpcutil"
 	"github.com/caarlos0/env/v11"
 	"github.com/go-chi/chi/v5"
+	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
 )

 const (
@@ -67,15 +81,21 @@ const (
 const channBuffer = 256

 type config struct {
-	LogLevel         string        `env:"MG_RE_LOG_LEVEL"           envDefault:"info"`
-	InstanceID       string        `env:"MG_RE_INSTANCE_ID"         envDefault:""`
-	JaegerURL        url.URL       `env:"SMQ_JAEGER_URL"             envDefault:"http://localhost:4318/v1/traces"`
-	SendTelemetry    bool          `env:"SMQ_SEND_TELEMETRY"         envDefault:"true"`
-	ESURL            string        `env:"SMQ_ES_URL"                 envDefault:"nats://localhost:4222"`
-	CacheURL         string        `env:"MG_RE_CACHE_URL"           envDefault:"redis://localhost:6379/0"`
-	CacheKeyDuration time.Duration `env:"MG_RE_CACHE_KEY_DURATION"  envDefault:"10m"`
-	TraceRatio       float64       `env:"SMQ_JAEGER_TRACE_RATIO"     envDefault:"1.0"`
-	BrokerURL        string        `env:"SMQ_MESSAGE_BROKER_URL"     envDefault:"nats://localhost:4222"`
+	LogLevel            string        `env:"MG_RE_LOG_LEVEL"             envDefault:"info"`
+	InstanceID          string        `env:"MG_RE_INSTANCE_ID"           envDefault:""`
+	JaegerURL           url.URL       `env:"SMQ_JAEGER_URL"              envDefault:"http://localhost:4318/v1/traces"`
+	SendTelemetry       bool          `env:"SMQ_SEND_TELEMETRY"          envDefault:"true"`
+	ESURL               string        `env:"SMQ_ES_URL"                  envDefault:"nats://localhost:4222"`
+	ESConsumerName      string        `env:"MG_RE_EVENT_CONSUMER"        envDefault:"rules_engine"`
+	CacheURL            string        `env:"MG_RE_CACHE_URL"             envDefault:"redis://localhost:6379/0"`
+	CacheKeyDuration    time.Duration `env:"MG_RE_CACHE_KEY_DURATION"    envDefault:"10m"`
+	TraceRatio          float64       `env:"SMQ_JAEGER_TRACE_RATIO"      envDefault:"1.0"`
+	BrokerURL           string        `env:"SMQ_MESSAGE_BROKER_URL"      envDefault:"nats://localhost:4222"`
+	SpicedbHost         string        `env:"SMQ_SPICEDB_HOST"            envDefault:"localhost"`
+	SpicedbPort         string        `env:"SMQ_SPICEDB_PORT"            envDefault:"50051"`
+	SpicedbPreSharedKey string        `env:"SMQ_SPICEDB_PRE_SHARED_KEY"  envDefault:"12345678"`
+	SpicedbSchemaFile   string        `env:"SMQ_SPICEDB_SCHEMA_FILE"     envDefault:"schema.zed"`
+	PermissionsFile     string        `env:"SMQ_PERMISSIONS_FILE"        envDefault:"permission.yaml"`
 }

 func main() {
@@ -126,7 +146,14 @@ func main() {

 		return
 	}
-	db, err := pgclient.Setup(dbConfig, *repg.Migration())
+	migration, err := repg.Migration()
+	if err != nil {
+		logger.Error(err.Error())
+		exitCode = 1
+
+		return
+	}
+	db, err := pgclient.Setup(dbConfig, *migration)
 	if err != nil {
 		logger.Error(err.Error())
 		exitCode = 1
@@ -238,6 +265,16 @@ func main() {
 	logger.Info("AuthZ  successfully connected to auth gRPC server " + authnClient.Secure())

 	database := pgclient.NewDatabase(db, dbConfig, tracer)
+
+	ddatabase := pgclient.NewDatabase(db, dbConfig, tracer)
+	drepo := dpostgres.NewRepository(ddatabase)
+
+	if err := dconsumer.DomainsEventsSubscribe(ctx, drepo, cfg.ESURL, cfg.ESConsumerName, logger); err != nil {
+		logger.Error(fmt.Sprintf("failed to create domains event store : %s", err))
+		exitCode = 1
+		return
+	}
+
 	regrpcCfg := grpcclient.Config{}
 	if err := env.ParseWithOptions(&regrpcCfg, env.Options{Prefix: envPrefixGrpc}); err != nil {
 		logger.Error(fmt.Sprintf("failed to load clients gRPC client configuration : %s", err))
@@ -255,7 +292,7 @@ func main() {
 	readersClient := grpcClient.NewReadersClient(client.Connection(), regrpcCfg.Timeout)
 	logger.Info("Readers gRPC client successfully connected to readers gRPC server " + client.Secure())

-	svc, err := newService(ctx, database, runInfo, msgSub, writersPub, alarmsPub, authz, ec, logger, readersClient, callout, cfg)
+	svc, err := newService(ctx, cfg, database, runInfo, msgSub, writersPub, alarmsPub, authz, ec, logger, readersClient, callout, tracer)
 	if err != nil {
 		logger.Error(fmt.Sprintf("failed to create services: %s", err))
 		exitCode = 1
@@ -307,7 +344,7 @@ func main() {
 	}
 }

-func newService(ctx context.Context, db pgclient.Database, runInfo chan pkglog.RunInfo, rePubSub messaging.PubSub, writersPub, alarmsPub messaging.Publisher, authz mgauthz.Authorization, ec email.Config, logger *slog.Logger, readersClient grpcReadersV1.ReadersServiceClient, callout callout.Callout, cfg config) (re.Service, error) {
+func newService(ctx context.Context, cfg config, db pgclient.Database, runInfo chan pkglog.RunInfo, rePubSub messaging.PubSub, writersPub, alarmsPub messaging.Publisher, authz mgauthz.Authorization, ec email.Config, logger *slog.Logger, readersClient grpcReadersV1.ReadersServiceClient, callout callout.Callout, tracer trace.Tracer) (re.Service, error) {
 	repo := repg.NewRepository(db)
 	idp := uuid.New()

@@ -316,17 +353,93 @@ func newService(ctx context.Context, db pgclient.Database, runInfo chan pkglog.R
 		logger.Error(fmt.Sprintf("failed to configure e-mailing util: %s", err.Error()))
 	}

-	csvc := re.NewService(repo, runInfo, idp, rePubSub, writersPub, alarmsPub, ticker.NewTicker(time.Second*30), emailerClient, readersClient)
+	policyService, err := newSpiceDBPolicyServiceEvaluator(cfg, logger)
+	if err != nil {
+		return nil, err
+	}
+	logger.Info("Policy service successfully connected to SpiceDB gRPC server")
+
+	availableActions, builtInRoles, err := availableActionsAndBuiltInRoles(cfg.SpicedbSchemaFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get available actions and built-in roles: %w", err)
+	}
+
+	csvc, err := re.NewService(repo, runInfo, policyService, idp, rePubSub, writersPub, alarmsPub, ticker.NewTicker(time.Second*30), emailerClient, readersClient, availableActions, builtInRoles)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create RE service: %w", err)
+	}
+
 	csvc, err = events.NewEventStoreMiddleware(ctx, csvc, cfg.ESURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to init re event store middleware: %w", err)
 	}

-	csvc, err = middleware.AuthorizationMiddleware(csvc, authz, callout)
+	permConfig, err := permissions.ParsePermissionsFile(cfg.PermissionsFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse permissions file: %w", err)
+	}
+
+	ruleOps, ruleRoleOps, err := permConfig.GetEntityPermissions(operations.EntityType)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get rule permissions: %w", err)
+	}
+
+	entitiesOps, err := permissions.NewEntitiesOperations(
+		permissions.EntitiesPermission{
+			operations.EntityType: ruleOps,
+		},
+		permissions.EntitiesOperationDetails[permissions.Operation]{
+			operations.EntityType: operations.OperationDetails(),
+		},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create entities operations: %w", err)
+	}
+
+	roleOps, err := permissions.NewOperations(roles.Operations(), ruleRoleOps)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create role operations: %w", err)
+	}
+
+	csvc, err = middleware.AuthorizationMiddleware(csvc, authz, entitiesOps, roleOps)
+	if err != nil {
+		return nil, err
+	}
+	csvc, err = middleware.NewCallout(csvc, callout, entitiesOps, roleOps)
 	if err != nil {
 		return nil, err
 	}
 	csvc = middleware.LoggingMiddleware(csvc, logger)
+	counter, latency := prometheus.MakeMetrics("re", "api")
+	csvc = middleware.NewMetricsMiddleware(counter, latency, csvc)
+	csvc = middleware.NewTracingMiddleware(tracer, csvc)

 	return csvc, nil
 }
+
+func newSpiceDBPolicyServiceEvaluator(cfg config, logger *slog.Logger) (policies.Service, error) {
+	client, err := authzed.NewClientWithExperimentalAPIs(
+		fmt.Sprintf("%s:%s", cfg.SpicedbHost, cfg.SpicedbPort),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpcutil.WithInsecureBearerToken(cfg.SpicedbPreSharedKey),
+	)
+	if err != nil {
+		return nil, err
+	}
+	ps := spicedb.NewPolicyService(client, logger)
+
+	return ps, nil
+}
+
+func availableActionsAndBuiltInRoles(spicedbSchemaFile string) ([]roles.Action, map[roles.BuiltInRoleName][]roles.Action, error) {
+	availableActions, err := spicedbdecoder.GetActionsFromSchema(spicedbSchemaFile, operations.EntityType)
+	if err != nil {
+		return []roles.Action{}, map[roles.BuiltInRoleName][]roles.Action{}, err
+	}
+
+	builtInRoles := map[roles.BuiltInRoleName][]roles.Action{
+		re.BuiltInRoleAdmin: availableActions,
+	}
+
+	return availableActions, builtInRoles, err
+}
@@ -19,40 +19,57 @@ import (
 	"github.com/absmach/magistrala/internal/email"
 	"github.com/absmach/magistrala/pkg/emailer"
 	pkglog "github.com/absmach/magistrala/pkg/logger"
+	"github.com/absmach/magistrala/pkg/prometheus"
 	"github.com/absmach/magistrala/pkg/ticker"
 	grpcClient "github.com/absmach/magistrala/readers/api/grpc"
 	"github.com/absmach/magistrala/reports"
 	httpapi "github.com/absmach/magistrala/reports/api"
 	"github.com/absmach/magistrala/reports/middleware"
+	"github.com/absmach/magistrala/reports/operations"
 	repg "github.com/absmach/magistrala/reports/postgres"
 	"github.com/absmach/supermq"
+	dpostgres "github.com/absmach/supermq/domains/postgres"
 	smqlog "github.com/absmach/supermq/logger"
 	smqauthn "github.com/absmach/supermq/pkg/authn"
 	authnsvc "github.com/absmach/supermq/pkg/authn/authsvc"
 	mgauthz "github.com/absmach/supermq/pkg/authz"
 	authzsvc "github.com/absmach/supermq/pkg/authz/authsvc"
+	"github.com/absmach/supermq/pkg/callout"
+	dconsumer "github.com/absmach/supermq/pkg/domains/events/consumer"
 	domainsAuthz "github.com/absmach/supermq/pkg/domains/grpcclient"
 	"github.com/absmach/supermq/pkg/grpcclient"
 	jaegerclient "github.com/absmach/supermq/pkg/jaeger"
+	"github.com/absmach/supermq/pkg/permissions"
+	"github.com/absmach/supermq/pkg/policies"
+	"github.com/absmach/supermq/pkg/policies/spicedb"
 	pgclient "github.com/absmach/supermq/pkg/postgres"
+	"github.com/absmach/supermq/pkg/roles"
 	"github.com/absmach/supermq/pkg/server"
 	httpserver "github.com/absmach/supermq/pkg/server/http"
+	spicedbdecoder "github.com/absmach/supermq/pkg/spicedb"
 	"github.com/absmach/supermq/pkg/uuid"
+	"github.com/authzed/authzed-go/v1"
+	"github.com/authzed/grpcutil"
 	"github.com/caarlos0/env/v11"
 	"github.com/go-chi/chi/v5"
+	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
 )

 const (
 	svcName          = "reports"
 	envPrefixDB      = "MG_REPORTS_DB_"
 	envPrefixHTTP    = "MG_REPORTS_HTTP_"
+	envPrefixCallout = "MG_REPORTS_CALLOUT_"
 	envPrefixAuth    = "SMQ_AUTH_GRPC_"
 	defDB            = "repo"
 	defSvcHTTPPort   = "9017"
 	envPrefixGrpc    = "MG_TIMESCALE_READER_GRPC_"
 	envPrefixDomains = "SMQ_DOMAINS_GRPC_"
 	templatePath     = "template/reports_default_template.html"
+	reportEntity     = "report"
 )

 // We use a buffered channel to prevent blocking, as logging is an expensive operation.
@@ -67,10 +84,16 @@ type config struct {
 	JaegerURL           url.URL `env:"SMQ_JAEGER_URL"                 envDefault:"http://localhost:4318/v1/traces"`
 	SendTelemetry       bool    `env:"SMQ_SEND_TELEMETRY"             envDefault:"true"`
 	ESURL               string  `env:"SMQ_ES_URL"                     envDefault:"nats://localhost:4222"`
+	ESConsumerName      string  `env:"MG_REPORTS_EVENT_CONSUMER"      envDefault:"reports"`
 	TraceRatio          float64 `env:"SMQ_JAEGER_TRACE_RATIO"         envDefault:"1.0"`
 	BrokerURL           string  `env:"SMQ_MESSAGE_BROKER_URL"         envDefault:"nats://localhost:4222"`
 	DefaultTemplatePath string  `env:"MG_REPORTS_DEFAULT_TEMPLATE"    envDefault:""`
 	ConverterURL        string  `env:"MG_PDF_CONVERTER_URL"           envDefault:"http://localhost:4000/pdf"`
+	SpicedbHost         string  `env:"SMQ_SPICEDB_HOST"               envDefault:"localhost"`
+	SpicedbPort         string  `env:"SMQ_SPICEDB_PORT"               envDefault:"50051"`
+	SpicedbPreSharedKey string  `env:"SMQ_SPICEDB_PRE_SHARED_KEY"     envDefault:"12345678"`
+	SpicedbSchemaFile   string  `env:"SMQ_SPICEDB_SCHEMA_FILE"        envDefault:"schema.zed"`
+	PermissionsFile     string  `env:"SMQ_PERMISSIONS_FILE"           envDefault:"permission.yaml"`
 }

 func main() {
@@ -131,6 +154,13 @@ func main() {
 		return
 	}

+	callCfg := callout.Config{}
+	if err := env.ParseWithOptions(&callCfg, env.Options{Prefix: envPrefixCallout}); err != nil {
+		logger.Error(fmt.Sprintf("failed to parse callout config : %s", err))
+		exitCode = 1
+		return
+	}
+
 	dbConfig := pgclient.Config{Name: defDB}
 	if err := env.ParseWithOptions(&dbConfig, env.Options{Prefix: envPrefixDB}); err != nil {
 		logger.Error(err.Error())
@@ -139,7 +169,15 @@ func main() {
 		return
 	}

-	db, err := pgclient.Setup(dbConfig, *repg.Migration())
+	migration, err := repg.Migration()
+	if err != nil {
+		logger.Error(err.Error())
+		exitCode = 1
+
+		return
+	}
+
+	db, err := pgclient.Setup(dbConfig, *migration)
 	if err != nil {
 		logger.Error(err.Error())
 		exitCode = 1
@@ -170,6 +208,13 @@ func main() {
 		return
 	}

+	callout, err := callout.New(callCfg)
+	if err != nil {
+		logger.Error(fmt.Sprintf("failed to create new callout: %s", err))
+		exitCode = 1
+		return
+	}
+
 	grpcCfg := grpcclient.Config{}
 	if err := env.ParseWithOptions(&grpcCfg, env.Options{Prefix: envPrefixAuth}); err != nil {
 		logger.Error(fmt.Sprintf("failed to load auth gRPC client configuration : %s", err))
@@ -211,6 +256,15 @@ func main() {
 	defer authzClient.Close()
 	logger.Info("AuthZ  successfully connected to auth gRPC server " + authnClient.Secure())

+	ddatabase := pgclient.NewDatabase(db, dbConfig, tracer)
+	drepo := dpostgres.NewRepository(ddatabase)
+
+	if err := dconsumer.DomainsEventsSubscribe(ctx, drepo, cfg.ESURL, cfg.ESConsumerName, logger); err != nil {
+		logger.Error(fmt.Sprintf("failed to create domains event store : %s", err))
+		exitCode = 1
+		return
+	}
+
 	database := pgclient.NewDatabase(db, dbConfig, tracer)
 	regrpcCfg := grpcclient.Config{}
 	if err := env.ParseWithOptions(&regrpcCfg, env.Options{Prefix: envPrefixGrpc}); err != nil {
@@ -231,7 +285,7 @@ func main() {

 	runInfo := make(chan pkglog.RunInfo, channBuffer)

-	svc, err := newService(database, runInfo, authz, ec, logger, readersClient, template, cfg.ConverterURL)
+	svc, err := newService(cfg, database, runInfo, authz, ec, logger, readersClient, template, callout, tracer)
 	if err != nil {
 		logger.Error(fmt.Sprintf("failed to create services: %s", err))
 		exitCode = 1
@@ -271,21 +325,97 @@ func main() {
 	}
 }

-func newService(db pgclient.Database, runInfo chan pkglog.RunInfo, authz mgauthz.Authorization, ec email.Config, logger *slog.Logger, readersClient grpcReadersV1.ReadersServiceClient, template reports.ReportTemplate, converterURL string) (reports.Service, error) {
+func newService(cfg config, db pgclient.Database, runInfo chan pkglog.RunInfo, authz mgauthz.Authorization, ec email.Config, logger *slog.Logger, readersClient grpcReadersV1.ReadersServiceClient, template reports.ReportTemplate, callout callout.Callout, tracer trace.Tracer) (reports.Service, error) {
 	repo := repg.NewRepository(db)
 	idp := uuid.New()

-	emailerClient, err := emailer.New(&ec)
+	emailClient, err := emailer.New(&ec)
 	if err != nil {
 		logger.Error(fmt.Sprintf("failed to configure e-mailing util: %s", err.Error()))
 	}

-	csvc := reports.NewService(repo, runInfo, idp, ticker.NewTicker(time.Second*30), emailerClient, readersClient, template, converterURL)
-	csvc, err = middleware.AuthorizationMiddleware(csvc, authz)
+	policyService, err := newSpiceDBPolicyServiceEvaluator(cfg, logger)
+	if err != nil {
+		return nil, err
+	}
+	logger.Info("Policy service successfully connected to SpiceDB gRPC server")
+
+	availableActions, builtInRoles, err := availableActionsAndBuiltInRoles(cfg.SpicedbSchemaFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get available actions and built-in roles: %w", err)
+	}
+
+	csvc, err := reports.NewService(repo, runInfo, policyService, idp, ticker.NewTicker(time.Second*30), emailClient, readersClient, template, cfg.ConverterURL, availableActions, builtInRoles)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create reports service: %w", err)
+	}
+
+	permConfig, err := permissions.ParsePermissionsFile(cfg.PermissionsFile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse permissions file: %w", err)
+	}
+
+	reportOps, reportRoleOps, err := permConfig.GetEntityPermissions(reportEntity)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get report permissions: %w", err)
+	}
+
+	entitiesOps, err := permissions.NewEntitiesOperations(
+		permissions.EntitiesPermission{
+			operations.EntityType: reportOps,
+		},
+		permissions.EntitiesOperationDetails[permissions.Operation]{
+			operations.EntityType: operations.OperationDetails(),
+		},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create entities operations: %w", err)
+	}
+
+	roleOps, err := permissions.NewOperations(roles.Operations(), reportRoleOps)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create role operations: %w", err)
+	}
+
+	csvc, err = middleware.AuthorizationMiddleware(csvc, authz, entitiesOps, roleOps)
+	if err != nil {
+		return nil, err
+	}
+	csvc, err = middleware.NewCallout(csvc, callout, entitiesOps, roleOps)
 	if err != nil {
 		return nil, err
 	}
 	csvc = middleware.LoggingMiddleware(csvc, logger)
+	counter, latency := prometheus.MakeMetrics("reports", "api")
+	csvc = middleware.NewMetricsMiddleware(counter, latency, csvc)
+	csvc = middleware.NewTracingMiddleware(tracer, csvc)

 	return csvc, nil
 }
+
+func newSpiceDBPolicyServiceEvaluator(cfg config, logger *slog.Logger) (policies.Service, error) {
+	client, err := authzed.NewClientWithExperimentalAPIs(
+		fmt.Sprintf("%s:%s", cfg.SpicedbHost, cfg.SpicedbPort),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpcutil.WithInsecureBearerToken(cfg.SpicedbPreSharedKey),
+	)
+	if err != nil {
+		return nil, err
+	}
+	ps := spicedb.NewPolicyService(client, logger)
+
+	return ps, nil
+}
+
+func availableActionsAndBuiltInRoles(spicedbSchemaFile string) ([]roles.Action, map[roles.BuiltInRoleName][]roles.Action, error) {
+	availableActions, err := spicedbdecoder.GetActionsFromSchema(spicedbSchemaFile, reportEntity)
+	if err != nil {
+		return []roles.Action{}, map[roles.BuiltInRoleName][]roles.Action{}, err
+	}
+
+	builtInRoles := map[roles.BuiltInRoleName][]roles.Action{
+		reports.BuiltInRoleAdmin: availableActions,
+	}
+
+	return availableActions, builtInRoles, err
+}
@@ -13,6 +13,6 @@ For an in-depth explanation of the usage of `consumers`, as well as thorough
 understanding of SuperMQ, please check out the [official documentation][doc].

 For more information about service capabilities and its usage, please check out
-the [API documentation](https://docs.api.supermq.abstractmachines.fr/?urls.primaryName=consumers-notifiers-openapi.yaml).
+the [API documentation](https://docs.api.supermq.absmach.eu/?urls.primaryName=consumers-notifiers-openapi.yaml).

-[doc]: https://docs.supermq.abstractmachines.fr
+[doc]: https://docs.supermq.absmach.eu
@@ -1,23 +1,182 @@
-# Notifiers service
+# Notifiers

-Notifiers service provides a service for sending notifications using Notifiers.
-Notifiers service can be configured to use different types of Notifiers to send
-different types of notifications such as SMS messages, emails, or push notifications.
-Service is extensible so that new implementations of Notifiers can be easily added.
-Notifiers **are not standalone services** but rather dependencies used by Notifiers service
-for sending notifications over specific protocols.
+The Notifiers service manages notification subscriptions and dispatches alerts for incoming messages. It stores subscription records (topic + contact), exposes an HTTP API for CRUD operations, and consumes SuperMQ messages to fan out notifications via notifier implementations (SMTP for email, SMPP for SMS). Notifiers are dependencies used by the service, not standalone services.

 ## Configuration

-The service is configured using the environment variables.
-The environment variables needed for service configuration depend on the underlying Notifier.
-An example of the service configuration for SMTP Notifier can be found [in SMTP Notifier documentation](smtp/README.md).
-Note that any unset variables will be replaced with their
-default values.
+The service is configured using environment variables. Values shown are from [docker/.env](https://github.com/absmach/magistrala/blob/main/docker/.env) when available; otherwise defaults come from code or notifier-specific docs.

+### SMTP notifier (email)
+
+Used by `consumers/notifiers/smtp` via `internal/email`.
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_EMAIL_HOST` | SMTP host | `smtp.mailtrap.io` |
+| `MG_EMAIL_PORT` | SMTP port | `2525` |
+| `MG_EMAIL_USERNAME` | SMTP username | `18bf7f70705139` |
+| `MG_EMAIL_PASSWORD` | SMTP password | `2b0d302e775b1e` |
+| `MG_EMAIL_FROM_ADDRESS` | Default from address (used if `from` is empty) | `from@example.com` |
+| `MG_EMAIL_FROM_NAME` | Default from name | `Example` |
+| `MG_EMAIL_TEMPLATE` | Email template path | `email.tmpl` |
+
+### SMPP notifier (SMS)
+
+#### SMPP transport settings
+
+Defined in `consumers/notifiers/smpp/config.go`.
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_SMPP_ADDRESS` | SMPP address in `host:port` format | "" |
+| `MG_SMPP_USERNAME` | SMPP username | "" |
+| `MG_SMPP_PASSWORD` | SMPP password | "" |
+| `MG_SMPP_SYSTEM_TYPE` | SMPP system type | "" |
+| `MG_SMPP_SRC_ADDR_TON` | SMPP source address TON | `0` |
+| `MG_SMPP_DST_ADDR_TON` | SMPP source address NPI | `0` |
+| `MG_SMPP_SRC_ADDR_NPI` | SMPP destination address TON | `0` |
+| `MG_SMPP_DST_ADDR_NPI` | SMPP destination address NPI | `0` |
+
+Note: The SMPP env tags are mapped exactly as defined in `consumers/notifiers/smpp/config.go`.
+
+#### SMPP notifier service settings
+
+Defined in `consumers/notifiers/smpp/README.md`.
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_SMPP_NOTIFIER_LOG_LEVEL` | Log level for SMPP notifier | `info` |
+| `MG_SMPP_NOTIFIER_FROM_ADDRESS` | From address for SMS notifications | "" |
+| `MG_SMPP_NOTIFIER_CONFIG_PATH` | Config file path for message broker subjects and payload type | `/config.toml` |
+| `MG_SMPP_NOTIFIER_HTTP_HOST` | Service HTTP host | `localhost` |
+| `MG_SMPP_NOTIFIER_HTTP_PORT` | Service HTTP port | `9014` |
+| `MG_SMPP_NOTIFIER_HTTP_SERVER_CERT` | Service HTTP server certificate path | "" |
+| `MG_SMPP_NOTIFIER_HTTP_SERVER_KEY` | Service HTTP server key path | "" |
+| `MG_SMPP_NOTIFIER_DB_HOST` | Database host address | `localhost` |
+| `MG_SMPP_NOTIFIER_DB_PORT` | Database host port | `5432` |
+| `MG_SMPP_NOTIFIER_DB_USER` | Database user | `magistrala` |
+| `MG_SMPP_NOTIFIER_DB_PASS` | Database password | `magistrala` |
+| `MG_SMPP_NOTIFIER_DB_NAME` | Database name | `subscriptions` |
+| `MG_SMPP_NOTIFIER_DB_SSL_MODE` | DB SSL mode (disable, require, verify-ca, verify-full) | `disable` |
+| `MG_SMPP_NOTIFIER_DB_SSL_CERT` | DB SSL client cert path | "" |
+| `MG_SMPP_NOTIFIER_DB_SSL_KEY` | DB SSL client key path | "" |
+| `MG_SMPP_NOTIFIER_DB_SSL_ROOT_CERT` | DB SSL root cert path | "" |
+| `SMQ_AUTH_GRPC_URL` | Auth gRPC URL | `localhost:7001` |
+| `SMQ_AUTH_GRPC_TIMEOUT` | Auth gRPC timeout | `1s` |
+| `MG_AUTH_GRPC_CLIENT_TLS` | Auth client TLS flag | `false` |
+| `MG_AUTH_GRPC_CA_CERT` | Auth client CA certs path | "" |
+| `SMQ_MESSAGE_BROKER_URL` | Message broker URL | `nats://127.0.0.1:4222` |
+| `SMQ_JAEGER_URL` | Jaeger tracing URL | `http://jaeger:14268/api/traces` |
+| `SMQ_SEND_TELEMETRY` | Send telemetry to Magistrala call-home server | `true` |
+| `MG_SMPP_NOTIFIER_INSTANCE_ID` | SMPP notifier instance ID | "" |
+
+## Features
+
+- **Subscription management**: Create, view, list, and remove notification subscriptions.
+- **Topic-based dispatch**: Matches subscriptions by topic and fan-outs to contacts.
+- **Multiple notifier backends**: SMTP (email) and SMPP (SMS) implementations are available.
+- **Observability**: Exposes `/metrics` and `/health` endpoints.
+- **Uniqueness guardrails**: Prevents duplicate subscriptions for the same topic/contact pair.
+
+## Architecture
+
+### Runtime flow
+
+1. Clients register subscriptions through the HTTP API (`topic` + `contact`).
+2. The service authenticates the token, assigns an owner ID, and persists the subscription.
+3. When a message arrives, the service builds the topic as `channel` or `channel.subtopic`, retrieves matching subscriptions, and gathers contacts.
+4. The notifier implementation sends notifications using the configured backend.
+
+### Components
+
+- **HTTP API**: `consumers/notifiers/api` exposes `/subscriptions`, `/health`, and `/metrics`.
+- **Service layer**: `consumers/notifiers/service.go` handles authn, ID creation, and notification dispatch.
+- **Repository**: `consumers/notifiers/postgres` persists subscriptions and supports filtering.
+- **Notifier implementations**: `consumers/notifiers/smtp` (email) and `consumers/notifiers/smpp` (SMS).
+- **Email agent**: `internal/email` manages SMTP connectivity and template rendering.
+
+### Subscriptions table
+
+Defined in `consumers/notifiers/postgres/init.go`:
+
+| Column | Type | Description |
+| --- | --- | --- |
+| `id` | `VARCHAR(254)` | Subscription identifier (primary key) |
+| `owner_id` | `VARCHAR(254)` | Owner ID derived from the auth token |
+| `contact` | `VARCHAR(254)` | Notification contact (email or phone) |
+| `topic` | `TEXT` | Topic to match (`channel` or `channel.subtopic`) |
+
+Constraint: `UNIQUE(topic, contact)`
+
+## Deployment
+
+The Notifiers service is provided as a consumer package. It is typically wired into a notifier-specific binary that provides the HTTP server and message broker subscription. For the SMPP notifier runtime configuration, see `consumers/notifiers/smpp/README.md`.
+
+### Health check
+
+```bash
+curl -X GET http://localhost:9014/health \
+  -H "accept: application/health+json"
+```
+
+## Testing
+
+```bash
+go test ./consumers/notifiers/...
+```

 ## Usage

-Subscriptions service will start consuming messages and sending notifications when a message is received.
+The Notifiers service supports the following operations (see `apidocs/openapi/notifiers.yaml`):

-[doc]: https://docs.supermq.abstractmachines.fr
+| Operation | Method & Path | Description |
+| --- | --- | --- |
+| `createSubscription` | `POST /subscriptions` | Create a new subscription |
+| `listSubscriptions` | `GET /subscriptions` | List subscriptions with filters |
+| `viewSubscription` | `GET /subscriptions/{id}` | Retrieve a subscription |
+| `removeSubscription` | `DELETE /subscriptions/{id}` | Delete a subscription |
+| `health` | `GET /health` | Service health check |
+
+### Example: Create a subscription
+
+```bash
+curl -X POST http://localhost:9014/subscriptions \
+  -H "Authorization: Bearer <your_access_token>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "topic": "channel.subtopic",
+    "contact": "user@example.com"
+  }'
+```
+
+### Example: List subscriptions
+
+```bash
+curl -X GET "http://localhost:9014/subscriptions?topic=channel.subtopic&contact=user@example.com&limit=20&offset=0" \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: View a subscription
+
+```bash
+curl -X GET http://localhost:9014/subscriptions/<subscriptionID> \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: Remove a subscription
+
+```bash
+curl -X DELETE http://localhost:9014/subscriptions/<subscriptionID> \
+  -H "Authorization: Bearer <your_access_token>"
+```
+
+### Example: Health check
+
+```bash
+curl -X GET http://localhost:9014/health \
+  -H "accept: application/health+json"
+```
+
+For an in-depth explanation of the Notifiers, see the [official documentation][doc].
+
+[doc]: https://docs.magistrala.absmach.eu/dev-guide/consumers/#notifiers
@@ -38,10 +38,10 @@ const (
 )

 var (
-	notFoundRes   = toJSON(apiutil.ErrorRes{Msg: svcerr.ErrNotFound.Error()})
-	unauthRes     = toJSON(apiutil.ErrorRes{Msg: svcerr.ErrAuthentication.Error()})
-	invalidRes    = toJSON(apiutil.ErrorRes{Err: apiutil.ErrInvalidQueryParams.Error(), Msg: apiutil.ErrValidation.Error()})
-	missingTokRes = toJSON(apiutil.ErrorRes{Err: apiutil.ErrBearerToken.Error(), Msg: apiutil.ErrValidation.Error()})
+	notFoundRes   = toJSON(svcerr.ErrNotFound)
+	unauthRes     = toJSON(svcerr.ErrAuthentication)
+	invalidRes    = toJSON(apiutil.ErrInvalidQueryParams)
+	missingTokRes = toJSON(apiutil.ErrBearerToken)
 )

 type testRequest struct {
@@ -119,7 +119,7 @@ func TestCreate(t *testing.T) {
 			req:         data,
 			contentType: contentType,
 			auth:        token,
-			status:      http.StatusConflict,
+			status:      http.StatusBadRequest,
 			location:    "",
 			err:         svcerr.ErrConflict,
 		},
@@ -83,12 +83,12 @@ func MakeHandler(svc notifiers.Service, logger *slog.Logger, instanceID string)

 func decodeCreate(_ context.Context, r *http.Request) (any, error) {
 	if !strings.Contains(r.Header.Get("Content-Type"), contentType) {
-		return nil, errors.Wrap(apiutil.ErrValidation, apiutil.ErrUnsupportedContentType)
+		return nil, apiutil.ErrUnsupportedContentType
 	}

 	req := createSubReq{token: apiutil.ExtractBearerToken(r)}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		return nil, errors.Wrap(apiutil.ErrValidation, errors.Wrap(err, errors.ErrMalformedEntity))
+		return nil, errors.Wrap(apiutil.ErrMalformedRequestBody, err)
 	}

 	return req, nil
@@ -42,7 +42,7 @@ func (repo subscriptionsRepo) Save(ctx context.Context, sub notifiers.Subscripti
 	row, err := repo.db.NamedQueryContext(ctx, q, dbSub)
 	if err != nil {
 		if pqErr, ok := err.(*pgconn.PgError); ok && pqErr.Code == pgerrcode.UniqueViolation {
-			return "", errors.Wrap(repoerr.ErrConflict, err)
+			return "", errors.Wrap(notifiers.ErrSubscriptionsAlreadyExists, err)
 		}
 		return "", errors.Wrap(repoerr.ErrCreateEntity, err)
 	}
@@ -60,7 +60,7 @@ func TestSave(t *testing.T) {
 			desc: "save duplicate",
 			sub:  sub2,
 			id:   "",
-			err:  repoerr.ErrConflict,
+			err:  notifiers.ErrSubscriptionsAlreadyExists,
 		},
 	}

@@ -15,9 +15,13 @@ import (
 	"github.com/absmach/supermq/pkg/messaging"
 )

-// ErrMessage indicates an error converting a message to SuperMQ message.
-var ErrMessage = errors.New("failed to convert to SuperMQ message")
+var (
+	// ErrMessage indicates an error converting a message to SuperMQ message.
+	ErrMessage = errors.New("failed to convert to SuperMQ message")

+	// ErrSubscriptionsAlreadyExists indicates subscription already exists.
+	ErrSubscriptionsAlreadyExists = errors.NewRequestError("subscription already exists")
+)
 var _ consumers.AsyncConsumer = (*notifierService)(nil)

 // Service reprents a notification service.
@@ -16,7 +16,6 @@ import (
 	smqauthn "github.com/absmach/supermq/pkg/authn"
 	authnmocks "github.com/absmach/supermq/pkg/authn/mocks"
 	"github.com/absmach/supermq/pkg/errors"
-	repoerr "github.com/absmach/supermq/pkg/errors/repository"
 	svcerr "github.com/absmach/supermq/pkg/errors/service"
 	"github.com/absmach/supermq/pkg/messaging"
 	"github.com/absmach/supermq/pkg/uuid"
@@ -66,7 +65,7 @@ func TestCreateSubscription(t *testing.T) {
 			token:           exampleUser1,
 			sub:             notifiers.Subscription{Contact: exampleUser1, Topic: "valid.topic"},
 			id:              "",
-			err:             repoerr.ErrConflict,
+			err:             notifiers.ErrSubscriptionsAlreadyExists,
 			authenticateErr: nil,
 			userID:          validID,
 		},
@@ -8,5 +8,5 @@
 // SuperMQ WebSocket adapter service.
 //
 // For more details about tracing instrumentation for SuperMQ messaging refer
-// to the documentation at https://docs.supermq.abstractmachines.fr/tracing/.
+// to the documentation at https://docs.supermq.absmach.eu/tracing/.
 package tracing
@@ -1,16 +1,268 @@
 # Writers

-Writers provide an implementation of various `message writers`.
-Message writers are services that normalize (in `SenML` format)
-SuperMQ messages and store them in specific data store.
+Writers consume messages from the message broker, normalize them (SenML or JSON), and persist them to a storage backend. Magistrala provides two writer services:

-Writers are optional services and are treated as plugins. In order to
-run writer services, core services must be up and running. For more info
-on the platform core services with its dependencies, please check out
-the [Docker Compose][compose] file.
+- **Postgres writer**: Stores data in PostgreSQL.
+- **Timescale writer**: Stores data in TimescaleDB and uses hypertables for time-series workloads.

-For an in-depth explanation of the usage of `writers`, as well as thorough
-understanding of SuperMQ, please check out the [official documentation][doc].
+Writers are optional services and are treated as plugins. Core services and the message broker must be running first. For platform dependencies, see [Docker Compose](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml).

-[doc]: https://docs.supermq.abstractmachines.fr
-[compose]: ../docker/docker-compose.yaml
+## Configuration
+
+Values shown are from [docker/.env](https://github.com/absmach/magistrala/blob/main/docker/.env) and the add-on compose files in `docker/addons/*-writer/docker-compose.yaml`.
+
+### Postgres writer
+
+#### Postgres Service endpoints
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_POSTGRES_WRITER_LOG_LEVEL` | Service log level | `debug` |
+| `MG_POSTGRES_WRITER_CONFIG_PATH` | Config file path (subjects/transformer) | `/config.toml` |
+| `MG_POSTGRES_WRITER_HTTP_HOST` | HTTP host | `postgres-writer` |
+| `MG_POSTGRES_WRITER_HTTP_PORT` | HTTP port | `9007` |
+| `MG_POSTGRES_WRITER_HTTP_SERVER_CERT` | HTTPS server certificate path | "" |
+| `MG_POSTGRES_WRITER_HTTP_SERVER_KEY` | HTTPS server key path | "" |
+| `MG_POSTGRES_WRITER_INSTANCE_ID` | Instance ID | "" |
+
+#### Postgres Database
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_POSTGRES_HOST` | PostgreSQL host | `postgres` |
+| `MG_POSTGRES_PORT` | PostgreSQL port | `5432` |
+| `MG_POSTGRES_USER` | PostgreSQL user | `supermq` |
+| `MG_POSTGRES_PASS` | PostgreSQL password | `supermq` |
+| `MG_POSTGRES_NAME` | PostgreSQL database name | `messages` |
+| `MG_POSTGRES_SSL_MODE` | PostgreSQL SSL mode | `disable` |
+| `MG_POSTGRES_SSL_CERT` | PostgreSQL SSL client cert | "" |
+| `MG_POSTGRES_SSL_KEY` | PostgreSQL SSL client key | "" |
+| `MG_POSTGRES_SSL_ROOT_CERT` | PostgreSQL SSL root cert | "" |
+
+#### Postgres Message broker and observability
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `SMQ_MESSAGE_BROKER_URL` | Message broker URL | `nats://nats:4222` |
+| `SMQ_JAEGER_URL` | Jaeger collector endpoint | `http://jaeger:4318/v1/traces` |
+| `SMQ_JAEGER_TRACE_RATIO` | Trace sampling ratio | `1.0` |
+| `SMQ_SEND_TELEMETRY` | Send telemetry to Magistrala call-home server | `true` |
+
+### Timescale writer
+
+#### Timescale Service endpoints
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_TIMESCALE_WRITER_LOG_LEVEL` | Service log level | `debug` |
+| `MG_TIMESCALE_WRITER_CONFIG_PATH` | Config file path (subjects/transformer) | `/config.toml` |
+| `MG_TIMESCALE_WRITER_HTTP_HOST` | HTTP host | `timescale-writer` |
+| `MG_TIMESCALE_WRITER_HTTP_PORT` | HTTP port | `9012` |
+| `MG_TIMESCALE_WRITER_HTTP_SERVER_CERT` | HTTPS server certificate path | "" |
+| `MG_TIMESCALE_WRITER_HTTP_SERVER_KEY` | HTTPS server key path | "" |
+| `MG_TIMESCALE_WRITER_INSTANCE_ID` | Instance ID | "" |
+
+#### Timescale Database
+
+| Variable | Description | Default |
+| --- | --- | --- |
+| `MG_TIMESCALE_HOST` | TimescaleDB host | `timescale` |
+| `MG_TIMESCALE_PORT` | TimescaleDB port | `5432` |
+| `MG_TIMESCALE_USER` | TimescaleDB user | `supermq` |
+| `MG_TIMESCALE_PASS` | TimescaleDB password | `supermq` |
+| `MG_TIMESCALE_NAME` | TimescaleDB database name | `supermq` |
+| `MG_TIMESCALE_SSL_MODE` | TimescaleDB SSL mode | `disable` |
+| `MG_TIMESCALE_SSL_CERT` | TimescaleDB SSL client cert | "" |
+| `MG_TIMESCALE_SSL_KEY` | TimescaleDB SSL client key | "" |
+| `MG_TIMESCALE_SSL_ROOT_CERT` | TimescaleDB SSL root cert | "" |
+
+#### Timescale Message broker and observability
+
+Timescale writer uses the same broker and telemetry variables listed for Postgres writer.
+
+### Writer config file
+
+Both writers read a config file defined by `*_WRITER_CONFIG_PATH`. The default add-on config files are:
+
+- `docker/addons/postgres-writer/config.toml`
+- `docker/addons/timescale-writer/config.toml`
+
+The config file controls subscription subjects and, for Postgres, optional transformer settings:
+
+```toml
+["subscriber"]
+subjects = ["writers.>"]
+
+[transformer]
+format = "senml"
+content_type = "application/senml+json"
+time_fields = [
+  { field_name = "seconds_key", field_format = "unix",    location = "UTC" },
+  { field_name = "millis_key",  field_format = "unix_ms", location = "UTC" },
+  { field_name = "micros_key",  field_format = "unix_us", location = "UTC" },
+  { field_name = "nanos_key",   field_format = "unix_ns", location = "UTC" }
+]
+```
+
+NATS uses subject `writers.>` and RabbitMQ uses routing key `writers.#` (both are handled by `consumers/writers/brokers`).
+
+## Features
+
+- **Message persistence**: Stores incoming SenML messages into PostgreSQL or TimescaleDB.
+- **JSON payload support**: Saves JSON payloads into dynamically created tables.
+- **Broker-backed ingestion**: Consumes from NATS JetStream or RabbitMQ topics.
+- **Configurable subscription**: Limits ingestion to specific `writers.*` subjects.
+- **Observability**: Exposes `/health` and `/metrics` endpoints, with Jaeger tracing.
+
+## Architecture
+
+### Runtime flow
+
+1. The message broker publishes messages under `writers.*`.
+2. The writer loads `config.toml` to select subjects and transformer settings.
+3. The consumer converts messages to SenML or JSON payloads.
+4. The repository writes records to the target database.
+
+### Components
+
+- **Message broker adapter**: `consumers/writers/brokers` (NATS JetStream or RabbitMQ).
+- **Writer services**: `consumers/writers/postgres` and `consumers/writers/timescale`.
+- **HTTP API**: `consumers/writers/api` exposes `/health` and `/metrics`.
+- **Migrations**: `consumers/writers/*/init.go` defines the schema and indexes.
+
+### PostgreSQL schema (SenML messages)
+
+Defined in `consumers/writers/postgres/init.go`:
+
+| Column | Type | Description |
+| --- | --- | --- |
+| `id` | `UUID` | Message ID |
+| `channel` | `UUID` | Channel ID |
+| `subtopic` | `VARCHAR(254)` | Subtopic |
+| `publisher` | `UUID` | Publisher (client) ID |
+| `protocol` | `TEXT` | Protocol name |
+| `name` | `TEXT` | SenML name |
+| `unit` | `TEXT` | SenML unit |
+| `value` | `FLOAT` | Numeric value |
+| `string_value` | `TEXT` | String value |
+| `bool_value` | `BOOL` | Boolean value |
+| `data_value` | `BYTEA` | Data value |
+| `sum` | `FLOAT` | Sum value |
+| `time` | `FLOAT` | Measurement time |
+| `update_time` | `FLOAT` | Update time |
+
+Primary key: `(time, publisher, subtopic, name)`
+
+### TimescaleDB schema (SenML messages)
+
+Defined in `consumers/writers/timescale/init.go`:
+
+| Column | Type | Description |
+| --- | --- | --- |
+| `time` | `BIGINT` | Measurement time |
+| `channel` | `UUID` | Channel ID |
+| `subtopic` | `VARCHAR(254)` | Subtopic |
+| `publisher` | `VARCHAR(254)` | Publisher (client) ID |
+| `protocol` | `TEXT` | Protocol name |
+| `name` | `VARCHAR(254)` | SenML name |
+| `unit` | `TEXT` | SenML unit |
+| `value` | `FLOAT` | Numeric value |
+| `string_value` | `TEXT` | String value |
+| `bool_value` | `BOOL` | Boolean value |
+| `data_value` | `BYTEA` | Data value |
+| `sum` | `FLOAT` | Sum value |
+| `update_time` | `FLOAT` | Update time |
+
+Primary key: `(time, channel, subtopic, protocol, publisher, name)`
+
+Timescale writer creates a hypertable on `messages` and adds time-series indexes for common query paths.
+
+### JSON payload tables (dynamic)
+
+If the transformer emits JSON payloads, the writers create a table named after the payload format:
+
+Postgres JSON table:
+`id UUID`, `created BIGINT`, `channel VARCHAR(254)`, `subtopic VARCHAR(254)`, `publisher VARCHAR(254)`, `protocol TEXT`, `payload JSONB` (PK: `id`)
+
+Timescale JSON table:
+`created BIGINT`, `channel VARCHAR(254)`, `subtopic VARCHAR(254)`, `publisher VARCHAR(254)`, `protocol TEXT`, `payload JSONB` (PK: `created`, `publisher`, `subtopic`)
+
+## Deployment
+
+### Build and run locally
+
+Postgres writer:
+
+```bash
+make postgres-writer
+
+MG_POSTGRES_WRITER_LOG_LEVEL=debug \
+MG_POSTGRES_WRITER_CONFIG_PATH=./docker/addons/postgres-writer/config.toml \
+MG_POSTGRES_WRITER_HTTP_PORT=9007 \
+MG_POSTGRES_HOST=localhost \
+MG_POSTGRES_PORT=5432 \
+MG_POSTGRES_USER=supermq \
+MG_POSTGRES_PASS=supermq \
+MG_POSTGRES_NAME=messages \
+SMQ_MESSAGE_BROKER_URL=nats://localhost:4222 \
+SMQ_JAEGER_URL=http://localhost:4318/v1/traces \
+./build/postgres-writer
+```
+
+Timescale writer:
+
+```bash
+make timescale-writer
+
+MG_TIMESCALE_WRITER_LOG_LEVEL=debug \
+MG_TIMESCALE_WRITER_CONFIG_PATH=./docker/addons/timescale-writer/config.toml \
+MG_TIMESCALE_WRITER_HTTP_PORT=9012 \
+MG_TIMESCALE_HOST=localhost \
+MG_TIMESCALE_PORT=5432 \
+MG_TIMESCALE_USER=supermq \
+MG_TIMESCALE_PASS=supermq \
+MG_TIMESCALE_NAME=supermq \
+SMQ_MESSAGE_BROKER_URL=nats://localhost:4222 \
+SMQ_JAEGER_URL=http://localhost:4318/v1/traces \
+./build/timescale-writer
+```
+
+### Docker Compose
+
+Postgres writer add-on:
+
+```bash
+docker compose -f docker/docker-compose.yaml -f docker/addons/postgres-writer/docker-compose.yaml up
+```
+
+Timescale writer add-on:
+
+```bash
+docker compose -f docker/docker-compose.yaml -f docker/addons/timescale-writer/docker-compose.yaml up
+```
+
+### Health check
+
+```bash
+curl -X GET http://localhost:9007/health \
+  -H "accept: application/health+json"
+```
+
+## Testing
+
+```bash
+go test ./consumers/writers/...
+```
+
+## Usage
+
+Writers do not expose a message ingestion API. Messages are written via the message broker. The HTTP API provides only health and metrics endpoints.
+
+| Endpoint | Description |
+| --- | --- |
+| `GET /health` | Service health check |
+| `GET /metrics` | Prometheus metrics |
+
+For an in-depth explanation of Writers, see the [official documentation][doc].
+
+[doc]: https://docs.magistrala.absmach.eu/dev-guide/consumers/
@@ -137,6 +137,9 @@ func (pr postgresRepo) insertJSON(ctx context.Context, msgs smqjson.Messages) er
 		}

 		if _, err = tx.NamedExec(q, dbmsg); err != nil {
+			if preErr, ok := err.(*pgconn.PrepareError); ok {
+				err = preErr.Unwrap()
+			}
 			pgErr, ok := err.(*pgconn.PgError)
 			if ok {
 				switch pgErr.Code {
@@ -139,6 +139,9 @@ func (tr timescaleRepo) insertJSON(ctx context.Context, msgs smqjson.Messages) e
 			return errors.Wrap(errSaveMessage, err)
 		}
 		if _, err = tx.NamedExec(q, dbmsg); err != nil {
+			if preErr, ok := err.(*pgconn.PrepareError); ok {
+				err = preErr.Unwrap()
+			}
 			pgErr, ok := err.(*pgconn.PgError)
 			if ok {
 				switch pgErr.Code {
@@ -52,6 +52,8 @@ SMQ_AUTH_GRPC_TIMEOUT=300s
 SMQ_AUTH_GRPC_CLIENT_CERT=${GRPC_MTLS:+./ssl/certs/auth-grpc-client.crt}
 SMQ_AUTH_GRPC_CLIENT_KEY=${GRPC_MTLS:+./ssl/certs/auth-grpc-client.key}
 SMQ_AUTH_GRPC_CLIENT_CA_CERTS=${GRPC_MTLS:+./ssl/certs/ca.crt}
+SMQ_AUTH_ACCESS_TOKEN_DURATION=1h
+SMQ_AUTH_REFRESH_TOKEN_DURATION=24h

 #### Clients Client Config
 SMQ_CLIENTS_URL=http://clients:9006
@@ -85,11 +87,14 @@ SMQ_SPICEDB_DB_PORT=5432

 ### SpiceDB config
 SMQ_SPICEDB_PRE_SHARED_KEY="12345678"
-SMQ_SPICEDB_SCHEMA_FILE="/schema.zed"
+SMQ_SPICEDB_SCHEMA_FILE="/schemas/combined-schema.zed"
 SMQ_SPICEDB_HOST=supermq-spicedb
 SMQ_SPICEDB_PORT=50051
 SMQ_SPICEDB_DATASTORE_ENGINE=postgres

+### Permissions
+SMQ_PERMISSIONS_FILE=/schemas/permission.yaml
+
 ### UI
 SMQ_UI_PATH_PREFIX=/ui

@@ -145,6 +150,7 @@ MG_ALARMS_DB_SSL_CERT=
 MG_ALARMS_DB_SSL_KEY=
 MG_ALARMS_DB_SSL_ROOT_CERT=
 MG_ALARMS_INSTANCE_ID=
+MG_ALARMS_EVENT_CONSUMER=alarms

 ### REPORTS
 MG_REPORTS_LOG_LEVEL=debug
@@ -169,14 +175,56 @@ MG_PDF_CONVERTER_URL=http://pdf-generator:3000/forms/chromium/convert/html
 ### Certs
 SMQ_ADDONS_CERTS_PATH_PREFIX=./

-# Certs service configuration
+## CERTS
+AM_CERTS_LOG_LEVEL=debug
+AM_CERTS_DB_HOST=certs-db
+AM_CERTS_DB_PORT=5432
+AM_CERTS_DB_USER=absmach
+AM_CERTS_DB_PASS=absmach
+AM_CERTS_DB=certs
+AM_CERTS_DB_SSL_MODE=disable
+AM_CERTS_DB_SSL_CERT=
+AM_CERTS_DB_SSL_KEY=
+AM_CERTS_DB_SSL_ROOT_CERT=
+AM_CERTS_DB_MAX_CONNECTIONS=100
+AM_CERTS_HTTP_HOST=certs
+AM_CERTS_HTTP_PORT=9010
+AM_CERTS_HTTP_SERVER_CERT=
+AM_CERTS_HTTP_SERVER_KEY=
+AM_CERTS_GRPC_HOST=certs
+AM_CERTS_GRPC_PORT=7012
+AM_CERTS_GRPC_SERVER_CERT=
+AM_CERTS_GRPC_SERVER_KEY=
+AM_CERTS_GRPC_SERVER_CA_CERTS=
+AM_CERTS_GRPC_SERVER_CA_KEY=
+AM_CERTS_GRPC_CLIENT_CA_CERTS=
+AM_CERTS_GRPC_URL=${AM_CERTS_GRPC_HOST}:${AM_CERTS_GRPC_PORT}
+AM_CERTS_GRPC_TIMEOUT=
+AM_CERTS_GRPC_CLIENT_CERT=
+AM_CERTS_GRPC_CLIENT_KEY=
+AM_CERTS_GRPC_CLIENT_TLS=
+AM_CERTS_GRPC_CA_CERTS=
+AM_CERTS_INSTANCE_ID=
+AM_CERTS_RELEASE_TAG=latest
+# WARNING: This is a development/testing secret only.
+# NEVER use this weak secret in production! Generate a strong random secret for production deployments.
 AM_CERTS_SECRET=12345678
-AM_CERTS_OPENBAO_SECRET_ID_TTL=87600h

-# OpenBao PKI CA configuration
+## OpenBao PKI Config
+AM_CERTS_OPENBAO_HOST=http://certs-openbao:8200
+AM_CERTS_OPENBAO_APP_ROLE=absmach
+AM_CERTS_OPENBAO_APP_SECRET=absmach
+AM_CERTS_OPENBAO_SECRET_ID_TTL=720h
+AM_CERTS_OPENBAO_NAMESPACE=
+AM_CERTS_OPENBAO_PKI_PATH=pki
+AM_CERTS_OPENBAO_ROLE=absmach
+AM_CERTS_SERVICE_TOKEN_PATH=/openbao/service_token
+AM_CERTS_SECRET_ID_PATH=/openbao/secret_id
+AM_CERTS_SECRET_RENEW_THRESHOLD=24h
+AM_CERTS_SECRET_CHECK_INTERVAL=1h
 AM_CERTS_OPENBAO_PKI_CA_CN=Abstract Machines Certificate Authority
 AM_CERTS_OPENBAO_PKI_CA_OU=Abstract Machines
-AM_CERTS_OPENBAO_PKI_CA_O=AbstractMacines
+AM_CERTS_OPENBAO_PKI_CA_O=AbstractMachines
 AM_CERTS_OPENBAO_PKI_CA_C=FRANCE
 AM_CERTS_OPENBAO_PKI_CA_L=PARIS
 AM_CERTS_OPENBAO_PKI_CA_ST=PARIS
@@ -186,13 +234,37 @@ AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES=localhost
 AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES=127.0.0.1,::1
 AM_CERTS_OPENBAO_PKI_CA_URI_SANS=
 AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES=info@abstractmachines.rs
-
-# OpenBao unseal keys and token
 AM_CERTS_OPENBAO_UNSEAL_KEY_1=
 AM_CERTS_OPENBAO_UNSEAL_KEY_2=
 AM_CERTS_OPENBAO_UNSEAL_KEY_3=
 AM_CERTS_OPENBAO_ROOT_TOKEN=

+## Jaeger
+AM_JAEGER_PORT=6831
+AM_JAEGER_FRONTEND=16686
+AM_JAEGER_URL=http://jaeger:4318/v1/traces
+AM_JAEGER_TRACE_RATIO=1.0
+AM_JAEGER_COLLECTOR_OTLP_ENABLED=true
+AM_JAEGER_OLTP_HTTP_PORT=4318
+AM_JAEGER_MEMORY_MAX_TRACES=5000
+
+#### Auth Client Config
+AM_AUTH_URL=auth:9001
+AM_AUTH_GRPC_URL=auth:7001
+AM_AUTH_GRPC_TIMEOUT=300s
+AM_AUTH_GRPC_CLIENT_CERT=${GRPC_MTLS:+./ssl/certs/auth-grpc-client.crt}
+AM_AUTH_GRPC_CLIENT_KEY=${GRPC_MTLS:+./ssl/certs/auth-grpc-client.key}
+AM_AUTH_GRPC_CLIENT_CA_CERTS=${GRPC_MTLS:+./ssl/certs/ca.crt}
+AM_AUTH_GRPC_SERVER_CA_CERTS=${GRPC_MTLS:+./ssl/certs/ca.crt}
+
+#### Domains Client Config
+AM_DOMAINS_URL=domains:9003
+AM_DOMAINS_GRPC_URL=domains:7003
+AM_DOMAINS_GRPC_TIMEOUT=300s
+AM_DOMAINS_GRPC_CLIENT_CERT=${GRPC_MTLS:+./ssl/certs/domains-grpc-client.crt}
+AM_DOMAINS_GRPC_CLIENT_KEY=${GRPC_MTLS:+./ssl/certs/domains-grpc-client.key}
+AM_DOMAINS_GRPC_CLIENT_CA_CERTS=${GRPC_MTLS:+./ssl/certs/ca.crt}
+
 ## Addon Services
 ### Bootstrap
 MG_BOOTSTRAP_LOG_LEVEL=debug
@@ -220,13 +292,14 @@ MG_PROVISION_HTTP_PORT=9016
 MG_PROVISION_ENV_CLIENTS_TLS=false
 MG_PROVISION_SERVER_CERT=
 MG_PROVISION_SERVER_KEY=
-MG_PROVISION_USERS_LOCATION=http://users:9002
-MG_PROVISION_CLIENTS_LOCATION=http://clients:9006
+MG_PROVISION_USERS_URL=http://users:9002
+MG_PROVISION_CHANNELS_URL=http://channels:9005
+MG_PROVISION_CLIENTS_URL=http://clients:9006
+MG_PROVISION_CERTS_URL=http://certs:9019
 MG_PROVISION_USER=
 MG_PROVISION_USERNAME=
 MG_PROVISION_PASS=
 MG_PROVISION_API_KEY=
-MG_PROVISION_CERTS_SVC_URL=http://certs:9019
 MG_PROVISION_X509_PROVISIONING=false
 MG_PROVISION_BS_SVC_URL=http://bootstrap:9013
 MG_PROVISION_BS_CONFIG_PROVISIONING=true
@@ -335,17 +408,18 @@ MG_UI_BACKEND_INSTANCE_ID=
 MG_UI_VERIFICATION_TLS=false
 MG_UI_CONTENT_TYPE=application/senml+json

-
 # Object storage for images
 # See docker/seaweedfs/s3.json.
 MG_BACKEND_OBJECT_STORAGE_REGION=fra1
 MG_BACKEND_OBJECT_STORAGE_BUCKET=mg-ui-images
 MG_BACKEND_OBJECT_STORAGE_ENDPOINT=http://seaweedfs-s3:8333
 MG_BACKEND_OBJECT_STORAGE_USE_PATH_STYLE=true
-MG_BACKEND_OBJECT_STORAGE_REWRITE_URL=localhost
+MG_BACKEND_OBJECT_STORAGE_PRESIGN_ENDPOINT=http://localhost:8333
 MG_BACKEND_OBJECT_STORAGE_ACCESS_KEY=localKey
 MG_BACKEND_OBJECT_STORAGE_SECRET_KEY=localSecret
-MG_BACKEND_OBJECT_STORAGE_TTL=1h
+MG_BACKEND_OBJECT_STORAGE_WRITE_TTL=1m
+MG_BACKEND_OBJECT_STORAGE_READ_TTL=15m
+MG_BACKEND_OBJECT_STORAGE_TTL=15m

 #### Auth GRPC Client Config
 MG_AUTH_GRPC_URL=auth:7001
@@ -401,6 +475,21 @@ MG_UI_BASEURL=http://localhost:3000
 MG_SUPPORT_EMAIL=
 MG_SUPPORT_EMAIL_PASS=

+## SMTP Variables
+MG_UI_SMTP_HOST=host.docker.internal
+MG_UI_SMTP_PORT=2525
+MG_UI_SMTP_SECURE=
+MG_UI_SUPPORT_FROM=from@example.com
+
+# Message cli variables
+MG_UI_CLI_MQTT_HOST=localhost
+MG_UI_CLI_MQTT_PORT=8883
+MG_UI_CLI_WS_URL=ws://localhost:8186
+MG_UI_CLI_COAP_HOST=0.0.0.0
+MG_UI_CLI_COAP_PORT=5684
+MG_UI_CLI_HTTP_URL=http://localhost:8008
+MG_UI_CLI_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+
 # Docker image tag
 MG_RELEASE_TAG=latest

@@ -1,7 +1,7 @@
 # Copyright (c) Abstract Machines
 # SPDX-License-Identifier: Apache-2.0

-FROM golang:1.25.4-alpine3.22 AS builder
+FROM golang:1.26-alpine3.22 AS builder
 ARG SVC
 ARG GOARCH
 ARG GOARM
@@ -33,7 +33,7 @@ Events store: This is used by Magistrala services to store events for distribute

 This is the same as MESSAGE_BROKER. This can either be 'NATS' or 'RabbitMQ' or 'Redis'.  If Redis is used as an events store, then RabbitMQ or NATS is used as a message broker.

-The current deployment strategy for Magistrala in `docker/docker-compose.yaml` is to use VerneMQ as a MQTT_BROKER and NATS as a MESSAGE_BROKER and EVENTS_STORE.
+The current deployment strategy for Magistrala in [docker/docker-compose.yaml](https://github.com/absmach/magistrala/blob/main/docker/docker-compose.yaml) is to use VerneMQ as a MQTT_BROKER and NATS as a MESSAGE_BROKER and EVENTS_STORE.

 Therefore, the following combinations are possible:

@@ -46,7 +46,7 @@ Therefore, the following combinations are possible:
 - MQTT_BROKER: NATS, MESSAGE_BROKER: NATS, EVENTS_STORE: NATS
 - MQTT_BROKER: NATS, MESSAGE_BROKER: NATS, EVENTS_STORE: Redis

-For Message brokers other than NATS, you would need to build the docker images with RabbitMQ as the build tag and change the `docker/.env`. For example, to use RabbitMQ as a message broker:
+For Message brokers other than NATS, you would need to build the docker images with RabbitMQ as the build tag and change the [docker/.env](https://github.com/absmach/magistrala/blob/main/docker/.env). For example, to use RabbitMQ as a message broker:

 ```bash
 MG_MESSAGE_BROKER_TYPE=rabbitmq make dockers
@@ -70,7 +70,7 @@ MG_ES_TYPE=redis
 MG_ES_URL=${MG_REDIS_URL}
 ```

-For MQTT broker other than VerneMQ, you would need to change the `docker/.env`. For example, to use NATS as a MQTT broker:
+For MQTT broker other than VerneMQ, you would need to change the [docker/.env](https://github.com/absmach/magistrala/blob/main/docker/.env). For example, to use NATS as a MQTT broker:

 ```env
 MG_MQTT_BROKER_TYPE=nats
@@ -121,7 +121,7 @@ services:
 ## Nginx Configuration

 Nginx is the entry point for all traffic to Magistrala.
-By using environment variables file at `docker/.env` you can modify the below given Nginx directive.
+By using environment variables file at [docker/.env](https://github.com/absmach/magistrala/blob/main/docker/.env) you can modify the below given Nginx directive.

 `SMQ_NGINX_SERVER_NAME` environmental variable is used to configure nginx directive `server_name`. If environmental variable `SMQ_NGINX_SERVER_NAME` is empty then default value `localhost` will set to `server_name`.

@@ -8,6 +8,7 @@

 networks:
  magistrala-base-net:
+    driver: bridge

 volumes:
  magistrala-bootstrap-db-volume:
@@ -1002,7 +1002,7 @@
            "uid": "PBFA97CFB590B2093"
          },
          "exemplar": true,
-          "expr": "ws_adapter_api_request_count{}",
+          "expr": "http_adapter_api_request_count{}",
          "interval": "",
          "legendFormat": "{{method}}",
          "refId": "A"
@@ -1107,7 +1107,7 @@
          },
          "editorMode": "code",
          "exemplar": false,
-          "expr": "label_replace(label_replace(label_replace(ws_adapter_api_request_latency_microseconds, \"quantile\", \"50th percentile\", \"quantile\", \"0.5\"), \"quantile\", \"90th percentile\", \"quantile\", \"0.9\"), \"quantile\", \"99th percentile\", \"quantile\", \"0.99\")",
+          "expr": "label_replace(label_replace(label_replace(http_adapter_api_request_latency_microseconds, \"quantile\", \"50th percentile\", \"quantile\", \"0.5\"), \"quantile\", \"90th percentile\", \"quantile\", \"0.9\"), \"quantile\", \"99th percentile\", \"quantile\", \"0.99\")",
          "format": "time_series",
          "instant": false,
          "interval": "",
@@ -55,10 +55,10 @@
      type = "plain"
      workers = 10

-[[things]]
-  name = "thing"
+[[clients]]
+  name = "client"

-  [things.metadata]
+  [clients.metadata]
    external_id = "xxxxxx"

 [[channels]]
@@ -8,6 +8,7 @@

 networks:
  magistrala-base-net:
+    driver: bridge

 services:
  provision:
@@ -25,13 +26,14 @@ services:
      MG_PROVISION_ENV_CLIENTS_TLS: ${MG_PROVISION_ENV_CLIENTS_TLS}
      MG_PROVISION_SERVER_CERT: ${MG_PROVISION_SERVER_CERT}
      MG_PROVISION_SERVER_KEY: ${MG_PROVISION_SERVER_KEY}
-      MG_PROVISION_USERS_LOCATION: ${MG_PROVISION_USERS_LOCATION}
-      MG_PROVISION_THINGS_LOCATION: ${MG_PROVISION_THINGS_LOCATION}
+      MG_PROVISION_USERS_URL: ${MG_PROVISION_USERS_URL}
+      MG_PROVISION_CHANNELS_URL: ${MG_PROVISION_CHANNELS_URL}
+      MG_PROVISION_CLIENTS_URL: ${MG_PROVISION_CLIENTS_URL}
      MG_PROVISION_USER: ${MG_PROVISION_USER}
      MG_PROVISION_USERNAME: ${MG_PROVISION_USERNAME}
      MG_PROVISION_PASS: ${MG_PROVISION_PASS}
      MG_PROVISION_API_KEY: ${MG_PROVISION_API_KEY}
-      MG_PROVISION_CERTS_SVC_URL: ${MG_PROVISION_CERTS_SVC_URL}
+      MG_PROVISION_CERTS_URL: ${MG_PROVISION_CERTS_URL}
      MG_PROVISION_X509_PROVISIONING: ${MG_PROVISION_X509_PROVISIONING}
      MG_PROVISION_BS_SVC_URL: ${MG_PROVISION_BS_SVC_URL}
      MG_PROVISION_BS_CONFIG_PROVISIONING: ${MG_PROVISION_BS_CONFIG_PROVISIONING}
@@ -40,6 +42,12 @@ services:
      MG_PROVISION_CERTS_HOURS_VALID: ${MG_PROVISION_CERTS_HOURS_VALID}
      SMQ_SEND_TELEMETRY: ${SMQ_SEND_TELEMETRY}
      MG_PROVISION_INSTANCE_ID: ${MG_PROVISION_INSTANCE_ID}
+      SMQ_AUTH_GRPC_URL: ${SMQ_AUTH_GRPC_URL}
+      SMQ_AUTH_GRPC_TIMEOUT: ${SMQ_AUTH_GRPC_TIMEOUT}
+      SMQ_AUTH_GRPC_CLIENT_CERT: ${SMQ_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
+      SMQ_AUTH_GRPC_CLIENT_KEY: ${SMQ_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
+      SMQ_AUTH_GRPC_SERVER_CA_CERTS: ${SMQ_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
+      SMQ_ALLOW_UNVERIFIED_USER: ${SMQ_ALLOW_UNVERIFIED_USER}
    volumes:
      - ./configs:/configs
      - ../../ssl/certs/ca.key:/etc/ssl/certs/ca.key
@@ -0,0 +1,18 @@
+{
+  "identities": [
+    {
+      "name": "magistrala",
+      "credentials": [
+        {
+          "accessKey": "localKey",
+          "secretKey": "localSecret"
+        }
+      ],
+      "actions": [
+        "Admin",
+        "Read",
+        "Write"
+      ]
+    }
+  ]
+}
@@ -46,7 +46,6 @@ services:
      MG_READER_URL: ${MG_READER_URL}
      MG_BACKEND_URL: ${MG_UI_BACKEND_URL}
      MG_JOURNAL_URL: ${MG_JOURNAL_URL}
-      MG_BILLING_URL: ${MG_BILLING_URL}
      MG_ALARMS_URL: ${MG_ALARMS_URL}
      MG_RE_URL: ${MG_RE_URL}
      MG_REPORTS_URL: ${MG_REPORTS_URL}
@@ -66,6 +65,20 @@ services:
      MG_UI_DOCKER_ACCEPT_EULA: ${MG_UI_DOCKER_ACCEPT_EULA}
      MG_SUPPORT_EMAIL: ${MG_SUPPORT_EMAIL}
      MG_SUPPORT_EMAIL_PASS: ${MG_SUPPORT_EMAIL_PASS}
+      MG_UI_CLI_MQTT_HOST: ${MG_UI_CLI_MQTT_HOST}
+      MG_UI_CLI_WS_URL: ${MG_UI_CLI_WS_URL}
+      MG_UI_CLI_COAP_HOST: ${MG_UI_CLI_COAP_HOST}
+      MG_UI_CLI_COAP_PORT: ${MG_UI_CLI_COAP_PORT}
+      MG_UI_CLI_HTTP_URL: ${MG_UI_CLI_HTTP_URL}
+      MG_UI_ALLOW_UNVERIFIED_USER: ${SMQ_ALLOW_UNVERIFIED_USER}
+      MG_ACCESS_TOKEN_EXPIRY: ${SMQ_AUTH_ACCESS_TOKEN_DURATION}
+      MG_REFRESH_TOKEN_EXPIRY: ${SMQ_AUTH_REFRESH_TOKEN_DURATION}
+      MG_UI_SMTP_HOST: ${MG_UI_SMTP_HOST}
+      MG_UI_SMTP_PORT: ${MG_UI_SMTP_PORT}
+      MG_UI_SMTP_SECURE: ${MG_UI_SMTP_SECURE}
+      MG_UI_SUPPORT_FROM: ${MG_UI_SUPPORT_FROM}
+
+

  ui-backend:
    image: ghcr.io/absmach/magistrala/ui-backend:latest
@@ -114,65 +127,68 @@ services:
      MG_BACKEND_OBJECT_STORAGE_BUCKET: ${MG_BACKEND_OBJECT_STORAGE_BUCKET}
      MG_BACKEND_OBJECT_STORAGE_ENDPOINT: ${MG_BACKEND_OBJECT_STORAGE_ENDPOINT}
      MG_BACKEND_OBJECT_STORAGE_USE_PATH_STYLE: ${MG_BACKEND_OBJECT_STORAGE_USE_PATH_STYLE}
-      MG_BACKEND_OBJECT_STORAGE_REWRITE_URL: ${MG_BACKEND_OBJECT_STORAGE_REWRITE_URL}
+      MG_BACKEND_OBJECT_STORAGE_PRESIGN_ENDPOINT: ${MG_BACKEND_OBJECT_STORAGE_PRESIGN_ENDPOINT}
      MG_BACKEND_OBJECT_STORAGE_ACCESS_KEY: ${MG_BACKEND_OBJECT_STORAGE_ACCESS_KEY}
      MG_BACKEND_OBJECT_STORAGE_SECRET_KEY: ${MG_BACKEND_OBJECT_STORAGE_SECRET_KEY}
      MG_BACKEND_OBJECT_STORAGE_TTL: ${MG_BACKEND_OBJECT_STORAGE_TTL}
+      MG_BACKEND_OBJECT_STORAGE_READ_TTL: ${MG_BACKEND_OBJECT_STORAGE_READ_TTL}
    depends_on:
-      - ui-backend-db
-      - seaweedfs-s3
+      ui-backend-db:
+        condition: service_healthy
+      seaweedfs-s3:
+        condition: service_started
    volumes:
      # Auth gRPC client certificates
      - type: bind
        source: ${MG_AUTH_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
-        target: /auth-grpc-client${MG_AUTH_GRPC_CLIENT_CERT:+.crt}
+        target: /auth-grpc-client.crt
        bind:
          create_host_path: true
      - type: bind
        source: ${MG_AUTH_GRPC_CLIENT_KEY:-ssl/certs/dummy/client_key}
-        target: /auth-grpc-client${MG_AUTH_GRPC_CLIENT_KEY:+.key}
+        target: /auth-grpc-client.key
        bind:
          create_host_path: true
      - type: bind
        source: ${MG_AUTH_GRPC_SERVER_CA_CERTS:-ssl/certs/dummy/server_ca}
-        target: /auth-grpc-server-ca${MG_AUTH_GRPC_SERVER_CA_CERTS:+.crt}
+        target: /auth-grpc-server-ca.crt
        bind:
          create_host_path: true
      # Channels gRPC client certificates
      - type: bind
        source: ${SMQ_CHANNELS_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
-        target: /channels-grpc-client${SMQ_CHANNELS_GRPC_CLIENT_CERT:+.crt}
+        target: /channels-grpc-client.crt
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_CHANNELS_GRPC_CLIENT_KEY:-ssl/certs/dummy/client_key}
-        target: /channels-grpc-client${SMQ_CHANNELS_GRPC_CLIENT_KEY:+.key}
+        target: /channels-grpc-client.key
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_CHANNELS_GRPC_SERVER_CA_CERTS:-ssl/certs/dummy/server_ca}
-        target: /channels-grpc-server-ca${SMQ_CHANNELS_GRPC_SERVER_CA_CERTS:+.crt}
+        target: /channels-grpc-server-ca.crt
        bind:
          create_host_path: true
      # Reader gRPC client certificates
      - type: bind
        source: ${MG_TIMESCALE_READER_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
-        target: /readers-grpc-client${MG_TIMESCALE_READER_GRPC_CLIENT_CERT:+.crt}
+        target: /readers-grpc-client.crt
        bind:
          create_host_path: true
      - type: bind
        source: ${MG_TIMESCALE_READER_GRPC_CLIENT_KEY:-ssl/certs/dummy/client_key}
-        target: /readers-grpc-client${MG_TIMESCALE_READER_GRPC_CLIENT_KEY:+.key}
+        target: /readers-grpc-client.key
        bind:
          create_host_path: true
      - type: bind
        source: ${MG_TIMESCALE_READER_GRPC_SERVER_CA_CERTS:-ssl/certs/dummy/server_ca_certs}
-        target: /readers-grpc-server-ca${MG_TIMESCALE_READER_GRPC_SERVER_CA_CERTS:+.crt}
+        target: /readers-grpc-server-ca.crt
        bind:
          create_host_path: true

  ui-backend-db:
-    image: postgres:16.2-alpine
+    image: docker.io/postgres:18.0-alpine3.22
    container_name: magistrala-ui-backend-db
    restart: on-failure
    command: postgres -c "max_connections=${SMQ_POSTGRES_MAX_CONNECTIONS}"
@@ -187,11 +203,15 @@ services:
      - magistrala-base-net
    volumes:
      - magistrala-ui-backend-db-volume:/var/lib/postgresql/data
-
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 3s
+      retries: 60
  seaweedfs-s3:
-    image: chrislusf/seaweedfs:latest
+    image: chrislusf/seaweedfs:4.16
    container_name: magistrala-seaweedfs-s3
-    command: server -s3 -dir=/data
+    command: server -s3 -s3.config=/etc/seaweedfs/s3.json -dir=/data
    ports:
      - "8333:8333" # S3 endpoint
      - "9333:9333" # master UI
@@ -199,35 +219,42 @@ services:
      - "8888:8888" # filer UI
    volumes:
      - ./data/seaweedfs:/data
+      - ./configs/seaweedfs-s3.json:/etc/seaweedfs/s3.json:ro
    networks:
      - magistrala-base-net

  seaweedfs-init:
-    image: curlimages/curl
+    image: amazon/aws-cli
    container_name: magistrala-seaweedfs-init
+    entrypoint: /bin/sh
    depends_on:
      - seaweedfs-s3
-    command: >
-      /bin/sh -c "
-      echo \"Creating bucket $${BUCKET}, wait for 25s...\";
-      sleep 25;
-      HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' -f -X PUT http://seaweedfs-s3:8333/$${BUCKET});
-      if [ $${HTTP_CODE} = '200' ] || [ $${HTTP_CODE} = '201' ]; then
-        echo \"[INIT] Bucket $${BUCKET} created successfully!\";
-        curl -s http://seaweedfs-s3:8333/ | grep -o '<Name>[^<]*</Name>';
-        exit 0;
-      else
-        echo \"[INIT] Failed to create bucket $${BUCKET}! HTTP code $${HTTP_CODE}.\" >&2;
-        exit 1;
-      fi
-      "
+    command:
+      - -c
+      - |
+        echo "[INIT] Waiting 20s for SeaweedFS S3 to be ready...";
+        sleep 20;
+        OUT=$(aws --endpoint-url http://seaweedfs-s3:8333 s3api create-bucket --bucket $${BUCKET} 2>&1);
+        EXIT=$$?;
+        if [ $$EXIT -eq 0 ]; then
+          echo "[INIT] Bucket $${BUCKET} created successfully.";
+        elif echo "$$OUT" | grep -q 'BucketAlreadyOwnedByYou\|BucketAlreadyExists'; then
+          echo "[INIT] Bucket $${BUCKET} already exists, skipping.";
+        else
+          echo "[INIT] Failed to create bucket $${BUCKET}: $$OUT" >&2;
+          exit 1;
+        fi
    networks:
      - magistrala-base-net
    environment:
      BUCKET: ${MG_BACKEND_OBJECT_STORAGE_BUCKET}
+      AWS_ACCESS_KEY_ID: ${MG_BACKEND_OBJECT_STORAGE_ACCESS_KEY}
+      AWS_SECRET_ACCESS_KEY: ${MG_BACKEND_OBJECT_STORAGE_SECRET_KEY}
+      AWS_DEFAULT_REGION: ${MG_BACKEND_OBJECT_STORAGE_REGION}
+      AWS_EC2_METADATA_DISABLED: "true"

  re-db:
-    image: postgres:16.2-alpine
+    image: docker.io/postgres:18.0-alpine3.22
    container_name: magistrala-re-db
    restart: on-failure
    command: postgres -c "max_connections=${SMQ_POSTGRES_MAX_CONNECTIONS}"
@@ -247,6 +274,7 @@ services:
    container_name: magistrala-re
    depends_on:
      - re-db
+      - spicedb-migrate
    restart: on-failure
    environment:
      MG_RE_LOG_LEVEL: ${MG_RE_LOG_LEVEL}
@@ -284,6 +312,8 @@ services:
      SMQ_SPICEDB_PRE_SHARED_KEY: ${SMQ_SPICEDB_PRE_SHARED_KEY}
      SMQ_SPICEDB_HOST: ${SMQ_SPICEDB_HOST}
      SMQ_SPICEDB_PORT: ${SMQ_SPICEDB_PORT}
+      SMQ_SPICEDB_SCHEMA_FILE: ${SMQ_SPICEDB_SCHEMA_FILE}
+      SMQ_PERMISSIONS_FILE: ${SMQ_PERMISSIONS_FILE}
      MG_RE_INSTANCE_ID: ${MG_RE_INSTANCE_ID}
      MG_EMAIL_HOST: ${MG_EMAIL_HOST}
      MG_EMAIL_PORT: ${MG_EMAIL_PORT}
@@ -308,26 +338,28 @@ services:
    networks:
      - magistrala-base-net
    volumes:
+      - ./permission.yaml:${SMQ_PERMISSIONS_FILE}
+      - ./spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
      - ./templates/${MG_RE_EMAIL_TEMPLATE}:/email.tmpl
      # Auth gRPC client certificates
      - type: bind
        source: ${SMQ_AUTH_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
-        target: /auth-grpc-client${SMQ_AUTH_GRPC_CLIENT_CERT:+.crt}
+        target: /auth-grpc-client.crt
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_AUTH_GRPC_CLIENT_KEY:-ssl/certs/dummy/client_key}
-        target: /auth-grpc-client${SMQ_AUTH_GRPC_CLIENT_KEY:+.key}
+        target: /auth-grpc-client.key
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_AUTH_GRPC_SERVER_CA_CERTS:-ssl/certs/dummy/server_ca}
-        target: /auth-grpc-server-ca${SMQ_AUTH_GRPC_SERVER_CA_CERTS:+.crt}
+        target: /auth-grpc-server-ca.crt
        bind:
          create_host_path: true

  alarms-db:
-    image: postgres:16.2-alpine
+    image: docker.io/postgres:18.0-alpine3.22
    container_name: magistrala-alarms-db
    restart: on-failure
    command: postgres -c "max_connections=${SMQ_POSTGRES_MAX_CONNECTIONS}"
@@ -347,6 +379,7 @@ services:
    container_name: magistrala-alarms
    depends_on:
      - alarms-db
+      - spicedb-migrate
    restart: on-failure
    environment:
      MG_ALARMS_LOG_LEVEL: ${MG_ALARMS_LOG_LEVEL}
@@ -364,6 +397,7 @@ services:
      MG_ALARMS_DB_SSL_KEY: ${MG_ALARMS_DB_SSL_KEY}
      MG_ALARMS_DB_SSL_ROOT_CERT: ${MG_ALARMS_DB_SSL_ROOT_CERT}
      SMQ_MESSAGE_BROKER_URL: ${SMQ_MESSAGE_BROKER_URL}
+      SMQ_ES_URL: ${SMQ_ES_URL}
      SMQ_JAEGER_URL: ${SMQ_JAEGER_URL}
      SMQ_JAEGER_TRACE_RATIO: ${SMQ_JAEGER_TRACE_RATIO}
      SMQ_AUTH_GRPC_URL: ${SMQ_AUTH_GRPC_URL}
@@ -376,47 +410,55 @@ services:
      SMQ_DOMAINS_GRPC_CLIENT_CERT: ${SMQ_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
      SMQ_DOMAINS_GRPC_CLIENT_KEY: ${SMQ_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
      SMQ_DOMAINS_GRPC_SERVER_CA_CERTS: ${SMQ_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
+      SMQ_SPICEDB_PRE_SHARED_KEY: ${SMQ_SPICEDB_PRE_SHARED_KEY}
+      SMQ_SPICEDB_HOST: ${SMQ_SPICEDB_HOST}
+      SMQ_SPICEDB_PORT: ${SMQ_SPICEDB_PORT}
+      SMQ_SPICEDB_SCHEMA_FILE: ${SMQ_SPICEDB_SCHEMA_FILE}
+      SMQ_PERMISSIONS_FILE: ${SMQ_PERMISSIONS_FILE}
      MG_ALARMS_INSTANCE_ID: ${MG_ALARMS_INSTANCE_ID}
+      MG_ALARMS_EVENT_CONSUMER: ${MG_ALARMS_EVENT_CONSUMER}
      SMQ_ALLOW_UNVERIFIED_USER: ${SMQ_ALLOW_UNVERIFIED_USER}
    ports:
      - ${MG_ALARMS_HTTP_PORT}:${MG_ALARMS_HTTP_PORT}
    networks:
      - magistrala-base-net
    volumes:
+      - ./permission.yaml:${SMQ_PERMISSIONS_FILE}
+      - ./spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
      # Auth gRPC client certificates
      - type: bind
        source: ${SMQ_AUTH_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
-        target: /auth-grpc-client${SMQ_AUTH_GRPC_CLIENT_CERT:+.crt}
+        target: /auth-grpc-client.crt
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_AUTH_GRPC_CLIENT_KEY:-ssl/certs/dummy/client_key}
-        target: /auth-grpc-client${SMQ_AUTH_GRPC_CLIENT_KEY:+.key}
+        target: /auth-grpc-client.key
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_AUTH_GRPC_SERVER_CA_CERTS:-ssl/certs/dummy/server_ca}
-        target: /auth-grpc-server-ca${SMQ_AUTH_GRPC_SERVER_CA_CERTS:+.crt}
+        target: /auth-grpc-server-ca.crt
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_DOMAINS_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
-        target: /domains-grpc-client${SMQ_DOMAINS_GRPC_CLIENT_CERT:+.crt}
+        target: /domains-grpc-client.crt
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_DOMAINS_GRPC_CLIENT_KEY:-ssl/certs/dummy/client_key}
-        target: /domains-grpc-client${SMQ_DOMAINS_GRPC_CLIENT_KEY:+.key}
+        target: /domains-grpc-client.key
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_DOMAINS_GRPC_SERVER_CA_CERTS:-ssl/certs/dummy/server_ca}
-        target: /domains-grpc-server-ca${SMQ_DOMAINS_GRPC_SERVER_CA_CERTS:+.crt}
+        target: /domains-grpc-server-ca.crt
        bind:
          create_host_path: true

  reports-db:
-    image: postgres:16.2-alpine
+    image: docker.io/postgres:18.0-alpine3.22
    container_name: magistrala-reports-db
    restart: on-failure
    command: postgres -c "max_connections=${SMQ_POSTGRES_MAX_CONNECTIONS}"
@@ -436,6 +478,7 @@ services:
    container_name: magistrala-reports
    depends_on:
      - reports-db
+      - spicedb-migrate
    restart: on-failure
    environment:
      MG_REPORTS_LOG_LEVEL: ${MG_REPORTS_LOG_LEVEL}
@@ -455,6 +498,7 @@ services:
      MG_REPORTS_DEFAULT_TEMPLATE: ${MG_REPORTS_DEFAULT_TEMPLATE}
      MG_PDF_CONVERTER_URL: ${MG_PDF_CONVERTER_URL}
      SMQ_MESSAGE_BROKER_URL: ${SMQ_MESSAGE_BROKER_URL}
+      SMQ_ES_URL: ${SMQ_ES_URL}
      SMQ_JAEGER_URL: ${SMQ_JAEGER_URL}
      SMQ_JAEGER_TRACE_RATIO: ${SMQ_JAEGER_TRACE_RATIO}
      SMQ_SEND_TELEMETRY: ${SMQ_SEND_TELEMETRY}
@@ -466,6 +510,8 @@ services:
      SMQ_SPICEDB_PRE_SHARED_KEY: ${SMQ_SPICEDB_PRE_SHARED_KEY}
      SMQ_SPICEDB_HOST: ${SMQ_SPICEDB_HOST}
      SMQ_SPICEDB_PORT: ${SMQ_SPICEDB_PORT}
+      SMQ_SPICEDB_SCHEMA_FILE: ${SMQ_SPICEDB_SCHEMA_FILE}
+      SMQ_PERMISSIONS_FILE: ${SMQ_PERMISSIONS_FILE}
      MG_REPORTS_INSTANCE_ID: ${MG_RE_INSTANCE_ID}
      MG_EMAIL_HOST: ${MG_EMAIL_HOST}
      MG_EMAIL_PORT: ${MG_EMAIL_PORT}
@@ -490,21 +536,23 @@ services:
    networks:
      - magistrala-base-net
    volumes:
+      - ./permission.yaml:${SMQ_PERMISSIONS_FILE}
+      - ./spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
      - ./templates/${MG_REPORTS_EMAIL_TEMPLATE}:/email.tmpl
      # Auth gRPC client certificates
      - type: bind
        source: ${SMQ_AUTH_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
-        target: /auth-grpc-client${SMQ_AUTH_GRPC_CLIENT_CERT:+.crt}
+        target: /auth-grpc-client.crt
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_AUTH_GRPC_CLIENT_KEY:-ssl/certs/dummy/client_key}
-        target: /auth-grpc-client${SMQ_AUTH_GRPC_CLIENT_KEY:+.key}
+        target: /auth-grpc-client.key
        bind:
          create_host_path: true
      - type: bind
        source: ${SMQ_AUTH_GRPC_SERVER_CA_CERTS:-ssl/certs/dummy/server_ca}
-        target: /auth-grpc-server-ca${SMQ_AUTH_GRPC_SERVER_CA_CERTS:+.crt}
+        target: /auth-grpc-server-ca.crt
        bind:
          create_host_path: true

@@ -23,7 +23,6 @@ envsubst '
    ${SMQ_NGINX_MQTTS_PORT}
    ${MG_RE_HTTP_PORT}
    ${MG_ALARMS_HTTP_PORT}
-    ${MG_REPORTS_HTTP_PORT}
-    ${SMQ_WS_ADAPTER_HTTP_PORT}' </etc/nginx/nginx.conf.template >/etc/nginx/nginx.conf
+    ${MG_REPORTS_HTTP_PORT}' </etc/nginx/nginx.conf.template >/etc/nginx/nginx.conf

 exec nginx -g "daemon off;"
@@ -145,7 +145,7 @@ http {
        location /ws/ {
            include snippets/proxy-headers.conf;
            include snippets/ws-upgrade.conf;
-            proxy_pass http://ws-adapter:${SMQ_WS_ADAPTER_HTTP_PORT}/;
+            proxy_pass http://http-adapter:${SMQ_HTTP_ADAPTER_PORT}/;
        }
    }
 }
@@ -158,7 +158,7 @@ http {
            include snippets/verify-ssl-client.conf;
            include snippets/proxy-headers.conf;
            include snippets/ws-upgrade.conf;
-            proxy_pass http://ws-adapter:${SMQ_WS_ADAPTER_HTTP_PORT}/;
+            proxy_pass http://http-adapter:${SMQ_HTTP_ADAPTER_PORT}/;
        }
    }
 }
@@ -0,0 +1,74 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+alarm:
+  operations:
+    - list: alarm_read_permission
+    - view: alarm_read_permission
+    - update: alarm_update_permission
+    - delete: alarm_delete_permission
+    - assign: alarm_assign_permission
+    - acknowledge: alarm_acknowledge_permission
+    - resolve: alarm_resolve_permission
+
+rule:
+  operations:
+    - add: rule_create_permission
+    - list: rule_read_permission
+    - view: read_permission
+    - update: update_permission
+    - update_tags: update_permission
+    - update_schedule: update_permission
+    - enable: update_permission
+    - disable: update_permission
+    - delete: delete_permission
+    - alarm_assign: alarm_assign_permission
+    - alarm_acknowledge: alarm_acknowledge_permission
+    - alarm_resolve: alarm_resolve_permission
+  roles_operations:
+    - add: manage_role_permission
+    - remove: manage_role_permission
+    - update: manage_role_permission
+    - retrieve: view_role_users_permission
+    - retrieve_all: view_role_users_permission
+    - add_actions: manage_role_permission
+    - list_actions: view_role_users_permission
+    - check_actions_exists: view_role_users_permission
+    - remove_actions: manage_role_permission
+    - remove_all_actions: manage_role_permission
+    - add_members: add_role_users_permission
+    - list_members: view_role_users_permission
+    - check_members_exists: view_role_users_permission
+    - remove_members: remove_role_users_permission
+    - remove_all_members: remove_role_users_permission
+
+report:
+  operations:
+    - add: report_create_permission
+    - list: report_read_permission
+    - generate: report_read_permission
+    - view: read_permission
+    - update: update_permission
+    - update_schedule: update_permission
+    - enable: update_permission
+    - disable: update_permission
+    - delete: delete_permission
+    - update_template: update_permission
+    - view_template: read_permission
+    - delete_template: delete_permission
+  roles_operations:
+    - add: manage_role_permission
+    - remove: manage_role_permission
+    - update: manage_role_permission
+    - retrieve: view_role_users_permission
+    - retrieve_all: view_role_users_permission
+    - add_actions: manage_role_permission
+    - list_actions: view_role_users_permission
+    - check_actions_exists: view_role_users_permission
+    - remove_actions: manage_role_permission
+    - remove_all_actions: manage_role_permission
+    - add_members: add_role_users_permission
+    - list_members: view_role_users_permission
+    - check_members_exists: view_role_users_permission
+    - remove_members: remove_role_users_permission
+    - remove_all_members: remove_role_users_permission
@@ -0,0 +1,688 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+// Code generated by scripts/combine-schema.sh. DO NOT EDIT.
+//
+// Combined from:
+// - docker/supermq-docker/spicedb/schema.zed
+// - docker/spicedb/override-schema.zed
+
+definition user {}
+
+
+definition role {
+	relation entity: domain | group | channel | client
+	relation member: user
+	relation built_in_role: domain | group | channel | client
+
+	permission delete = entity->manage_role_permission - built_in_role->manage_role_permission
+	permission update = entity->manage_role_permission - built_in_role->manage_role_permission
+	permission read = entity->manage_role_permission - built_in_role->manage_role_permission
+
+	permission add_user = entity->add_role_users_permission
+	permission remove_user = entity->remove_role_users_permission
+	permission view_user = entity->view_role_users_permission
+}
+
+definition client {
+	relation domain: domain // This can't be clubbed with parent_group, but if parent_group is unassigned then we could not track belongs to which domain, so it safe to add domain
+	relation parent_group: group
+
+	relation update: role#member
+	relation read: role#member
+	relation delete: role#member
+	relation set_parent_group: role#member
+	relation connect_to_channel: role#member
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	permission update_permission = update + parent_group->client_update_permission + domain->client_update_permission
+	permission read_permission = read + parent_group->client_read_permission + domain->client_read_permission
+	permission delete_permission = delete + parent_group->client_delete_permission + domain->client_delete_permission
+	permission set_parent_group_permission = set_parent_group + parent_group->client_set_parent_group_permission + domain->client_set_parent_group_permission
+	permission connect_to_channel_permission  =  connect_to_channel + parent_group->client_connect_to_channel_permission + domain->client_connect_to_channel_permission
+
+	permission manage_role_permission = manage_role + parent_group->client_manage_role_permission + domain->client_manage_role_permission
+	permission add_role_users_permission = add_role_users + parent_group->client_add_role_users_permission + domain->client_add_role_users_permission
+	permission remove_role_users_permission = remove_role_users + parent_group->client_remove_role_users_permission + domain->client_remove_role_users_permission
+	permission view_role_users_permission = view_role_users + parent_group->client_view_role_users_permission + domain->client_view_role_users_permission
+}
+
+definition channel {
+	relation domain: domain // This can't be clubbed with parent_group, but if parent_group is unassigned then we could not track belongs to which domain, so it safe to add domain
+	relation parent_group: group
+
+	relation update: role#member
+	relation read: role#member
+	relation delete: role#member
+	relation set_parent_group: role#member
+	relation connect_to_client: role#member
+	relation publish: role#member | client
+	relation subscribe: role#member | client
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	permission update_permission = update + parent_group->channel_update_permission + domain->channel_update_permission
+	permission read_permission = read + parent_group->channel_read_permission + domain->channel_read_permission
+	permission delete_permission = delete + parent_group->channel_delete_permission + domain->channel_delete_permission
+	permission set_parent_group_permission = set_parent_group + parent_group->channel_set_parent_group_permission + domain->channel_set_parent_group_permission
+	permission connect_to_client_permission = connect_to_client + parent_group->channel_connect_to_client_permission + domain->channel_connect_to_client_permission
+	permission publish_permission = publish + parent_group->channel_publish_permission + domain->channel_publish_permission
+	permission subscribe_permission = subscribe + parent_group->channel_subscribe_permission + domain->channel_subscribe_permission
+
+	permission manage_role_permission = manage_role + parent_group->channel_manage_role_permission + domain->channel_manage_role_permission
+	permission add_role_users_permission = add_role_users + parent_group->channel_add_role_users_permission + domain->channel_add_role_users_permission
+	permission remove_role_users_permission = remove_role_users + parent_group->channel_remove_role_users_permission + domain->channel_remove_role_users_permission
+	permission view_role_users_permission = view_role_users + parent_group->channel_view_role_users_permission + domain->channel_view_role_users_permission
+}
+
+definition group {
+	relation domain: domain // This can't be clubbed with parent_group, but if parent_group is unassigned then we could not track belongs to which domain, so it is safe to add domain
+	relation parent_group: group
+
+	relation update: role#member
+	relation read: role#member
+	relation membership: role#member
+	relation delete: role#member
+	relation set_child: role#member
+	relation set_parent: role#member
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	relation client_create: role#member
+	relation channel_create: role#member
+	// this allows to add parent for group during the new group creation
+	relation subgroup_create: role#member
+	relation subgroup_client_create: role#member
+	relation subgroup_channel_create: role#member
+
+	relation client_update: role#member
+	relation client_read: role#member
+	relation client_delete: role#member
+	relation client_set_parent_group: role#member
+	relation client_connect_to_channel: role#member
+
+	relation client_manage_role: role#member
+	relation client_add_role_users: role#member
+	relation client_remove_role_users: role#member
+	relation client_view_role_users: role#member
+
+	relation channel_update: role#member
+	relation channel_read: role#member
+	relation channel_delete: role#member
+	relation channel_set_parent_group: role#member
+	relation channel_connect_to_client: role#member
+	relation channel_publish: role#member
+	relation channel_subscribe: role#member
+
+	relation channel_manage_role: role#member
+	relation channel_add_role_users: role#member
+	relation channel_remove_role_users: role#member
+	relation channel_view_role_users: role#member
+
+	relation subgroup_update: role#member
+	relation subgroup_read: role#member
+	relation subgroup_membership: role#member
+	relation subgroup_delete: role#member
+	relation subgroup_set_child: role#member
+	relation subgroup_set_parent: role#member
+
+	relation subgroup_manage_role: role#member
+	relation subgroup_add_role_users: role#member
+	relation subgroup_remove_role_users: role#member
+	relation subgroup_view_role_users: role#member
+
+	relation subgroup_client_update: role#member
+	relation subgroup_client_read: role#member
+	relation subgroup_client_delete: role#member
+	relation subgroup_client_set_parent_group: role#member
+	relation subgroup_client_connect_to_channel: role#member
+
+	relation subgroup_client_manage_role: role#member
+	relation subgroup_client_add_role_users: role#member
+	relation subgroup_client_remove_role_users: role#member
+	relation subgroup_client_view_role_users: role#member
+
+	relation subgroup_channel_update: role#member
+	relation subgroup_channel_read: role#member
+	relation subgroup_channel_delete: role#member
+	relation subgroup_channel_set_parent_group: role#member
+	relation subgroup_channel_connect_to_client: role#member
+	relation subgroup_channel_publish: role#member
+	relation subgroup_channel_subscribe: role#member
+
+	relation subgroup_channel_manage_role: role#member
+	relation subgroup_channel_add_role_users: role#member
+	relation subgroup_channel_remove_role_users: role#member
+	relation subgroup_channel_view_role_users: role#member
+
+	// Subgroup permission
+	permission subgroup_create_permission = subgroup_create + parent_group->subgroup_create_permission
+	permission subgroup_client_create_permission = subgroup_client_create + parent_group->subgroup_client_create_permission
+	permission subgroup_channel_create_permission = subgroup_channel_create + parent_group->subgroup_channel_create_permission
+
+	permission subgroup_update_permission = subgroup_update + parent_group->subgroup_update_permission
+	permission subgroup_membership_permission = subgroup_membership + parent_group->subgroup_membership_permission
+	permission subgroup_read_permission = subgroup_read + parent_group->subgroup_read_permission
+	permission subgroup_delete_permission = subgroup_delete + parent_group->subgroup_delete_permission
+	permission subgroup_set_child_permission = subgroup_set_child + parent_group->subgroup_set_child_permission
+	permission subgroup_set_parent_permission = subgroup_set_parent + parent_group->subgroup_set_parent_permission
+
+	permission subgroup_manage_role_permission = subgroup_manage_role + parent_group->subgroup_manage_role_permission
+	permission subgroup_add_role_users_permission = subgroup_add_role_users + parent_group->subgroup_add_role_users_permission
+	permission subgroup_remove_role_users_permission = subgroup_remove_role_users + parent_group->subgroup_remove_role_users_permission
+	permission subgroup_view_role_users_permission = subgroup_view_role_users + parent_group->subgroup_view_role_users_permission
+
+	// Group permission
+	permission update_permission = update + parent_group->subgroup_create_permission + domain->group_update_permission
+	permission membership_permission = membership + parent_group->subgroup_membership_permission + domain->group_membership_permission
+	permission read_permission = read + parent_group->subgroup_read_permission + domain->group_read_permission
+	permission delete_permission = delete + parent_group->subgroup_delete_permission + domain->group_delete_permission
+	permission set_child_permission =	set_child + parent_group->subgroup_set_child_permission + domain->group_set_child_permission
+	permission set_parent_permission = set_parent + parent_group->subgroup_set_parent_permission + domain->group_set_parent_permission
+
+	permission manage_role_permission = manage_role + parent_group->subgroup_manage_role_permission + domain->group_manage_role_permission
+	permission add_role_users_permission = add_role_users + parent_group->subgroup_add_role_users_permission + domain->group_add_role_users_permission
+	permission remove_role_users_permission = remove_role_users + parent_group->subgroup_remove_role_users_permission + domain->group_remove_role_users_permission
+	permission view_role_users_permission = view_role_users + parent_group->subgroup_view_role_users_permission + domain->group_view_role_users_permission
+
+	// Subgroup clients permission
+	permission subgroup_client_update_permission = subgroup_client_update + parent_group->subgroup_client_update_permission
+	permission subgroup_client_read_permission = subgroup_client_read + parent_group->subgroup_client_read_permission
+	permission subgroup_client_delete_permission = subgroup_client_delete + parent_group->subgroup_client_delete_permission
+	permission subgroup_client_set_parent_group_permission = subgroup_client_set_parent_group + parent_group->subgroup_client_set_parent_group_permission
+	permission subgroup_client_connect_to_channel_permission = subgroup_client_connect_to_channel + parent_group->subgroup_client_connect_to_channel_permission
+
+	permission subgroup_client_manage_role_permission = subgroup_client_manage_role + parent_group->subgroup_client_manage_role_permission
+	permission subgroup_client_add_role_users_permission = subgroup_client_add_role_users + parent_group->subgroup_client_add_role_users_permission
+	permission subgroup_client_remove_role_users_permission = subgroup_client_remove_role_users + parent_group->subgroup_client_remove_role_users_permission
+	permission subgroup_client_view_role_users_permission = subgroup_client_view_role_users + parent_group->subgroup_client_view_role_users_permission
+
+	// Group clients permission
+	permission client_create_permission = client_create + parent_group->subgroup_client_create_permission + domain->client_create_permission
+	permission client_update_permission = client_update + parent_group->subgroup_client_update_permission + domain->client_update_permission
+	permission client_read_permission = client_read + parent_group->subgroup_client_read_permission + domain->client_read_permission
+	permission client_delete_permission = client_delete + parent_group->subgroup_client_delete_permission + domain->client_delete_permission
+	permission client_set_parent_group_permission = client_set_parent_group + parent_group->subgroup_client_set_parent_group_permission + domain->client_set_parent_group_permission
+	permission client_connect_to_channel_permission = client_connect_to_channel + parent_group->subgroup_client_connect_to_channel_permission + domain->client_connect_to_channel_permission
+
+	permission client_manage_role_permission = client_manage_role + parent_group->subgroup_client_manage_role_permission + domain->client_manage_role_permission
+	permission client_add_role_users_permission = client_add_role_users + parent_group->subgroup_client_add_role_users_permission + domain->client_add_role_users_permission
+	permission client_remove_role_users_permission = client_remove_role_users + parent_group->subgroup_client_remove_role_users_permission + domain->client_remove_role_users_permission
+	permission client_view_role_users_permission = client_view_role_users + parent_group->subgroup_client_view_role_users_permission + domain->client_view_role_users_permission
+
+	// Subgroup channels permission
+	permission subgroup_channel_update_permission = subgroup_channel_update + parent_group->subgroup_channel_update_permission
+	permission subgroup_channel_read_permission = subgroup_channel_read + parent_group->subgroup_channel_read_permission
+	permission subgroup_channel_delete_permission =  subgroup_channel_delete + parent_group->subgroup_channel_delete_permission
+	permission subgroup_channel_set_parent_group_permission = subgroup_channel_set_parent_group + parent_group->subgroup_channel_set_parent_group_permission
+	permission subgroup_channel_connect_to_client_permission = subgroup_channel_connect_to_client + parent_group->subgroup_channel_connect_to_client_permission
+	permission subgroup_channel_publish_permission = subgroup_channel_publish + parent_group->subgroup_channel_publish_permission
+	permission subgroup_channel_subscribe_permission = subgroup_channel_subscribe + parent_group->subgroup_channel_subscribe_permission
+
+	permission subgroup_channel_manage_role_permission = subgroup_channel_manage_role + parent_group->subgroup_channel_manage_role_permission
+	permission subgroup_channel_add_role_users_permission = subgroup_channel_add_role_users + parent_group->subgroup_channel_add_role_users_permission
+	permission subgroup_channel_remove_role_users_permission = subgroup_channel_remove_role_users + parent_group->subgroup_channel_remove_role_users_permission
+	permission subgroup_channel_view_role_users_permission = subgroup_channel_view_role_users + parent_group->subgroup_channel_view_role_users_permission
+
+	// Group channels permission
+	permission channel_create_permission = channel_create + parent_group->subgroup_channel_create_permission + domain->channel_create_permission
+	permission channel_update_permission = channel_update + parent_group->subgroup_channel_update_permission + domain->channel_update_permission
+	permission channel_read_permission = channel_read + parent_group->subgroup_channel_read_permission + domain->channel_read_permission
+	permission channel_delete_permission = channel_delete + parent_group->subgroup_channel_delete_permission + domain->channel_delete_permission
+	permission channel_set_parent_group_permission = channel_set_parent_group + parent_group->subgroup_channel_set_parent_group_permission + domain->channel_set_parent_group_permission
+	permission channel_connect_to_client_permission = channel_connect_to_client + parent_group->subgroup_channel_connect_to_client_permission + domain->channel_connect_to_client_permission
+	permission channel_publish_permission = channel_publish + parent_group->subgroup_channel_publish_permission + domain->channel_publish_permission
+	permission channel_subscribe_permission = channel_subscribe + parent_group->subgroup_channel_subscribe_permission + domain->channel_subscribe_permission
+
+	permission channel_manage_role_permission = channel_manage_role + parent_group->channel_manage_role_permission + domain->channel_manage_role_permission
+	permission channel_add_role_users_permission = channel_add_role_users + parent_group->channel_add_role_users_permission + domain->channel_add_role_users_permission
+	permission channel_remove_role_users_permission = channel_remove_role_users + parent_group->channel_remove_role_users_permission + domain->channel_remove_role_users_permission
+	permission channel_view_role_users_permission = channel_view_role_users + parent_group->channel_view_role_users_permission + domain->channel_view_role_users_permission
+
+
+}
+
+definition domain {
+	//Replace platform with organization in future
+	relation organization: platform
+	relation team: team
+
+	relation update: role#member | team#member
+	relation enable: role#member | team#member
+	relation disable: role#member | team#member
+	relation read: role#member | team#member
+	relation delete: role#member | team#member
+
+	relation manage_role: role#member | team#member
+	relation add_role_users: role#member | team#member
+	relation remove_role_users: role#member | team#member
+	relation view_role_users: role#member | team#member
+
+	relation client_create: role#member | team#member
+	relation channel_create: role#member | team#member
+	relation group_create: role#member | team#member
+
+	relation client_update: role#member | team#member
+	relation client_read: role#member | team#member
+	relation client_delete: role#member | team#member
+	relation client_set_parent_group: role#member | team#member
+	relation client_connect_to_channel: role#member | team#member
+
+	relation client_manage_role: role#member | team#member
+	relation client_add_role_users: role#member | team#member
+	relation client_remove_role_users: role#member | team#member
+	relation client_view_role_users: role#member | team#member
+
+	relation channel_update: role#member | team#member
+	relation channel_read: role#member | team#member
+	relation channel_delete: role#member | team#member
+	relation channel_set_parent_group: role#member | team#member
+	relation channel_connect_to_client: role#member | team#member
+	relation channel_publish: role#member | team#member
+	relation channel_subscribe: role#member | team#member
+
+	relation channel_manage_role: role#member | team#member
+	relation channel_add_role_users: role#member | team#member
+	relation channel_remove_role_users: role#member | team#member
+	relation channel_view_role_users: role#member | team#member
+
+	relation group_update: role#member | team#member
+	relation group_membership: role#member | team#member
+	relation group_read: role#member | team#member
+	relation group_delete: role#member | team#member
+	relation group_set_child: role#member | team#member
+	relation group_set_parent: role#member | team#member
+
+	relation group_manage_role: role#member | team#member
+	relation group_add_role_users: role#member | team#member
+	relation group_remove_role_users: role#member | team#member
+	relation group_view_role_users: role#member | team#member
+
+	// Magistrala-specific relations
+	relation alarm_update: role#member | team#member
+	relation alarm_read: role#member | team#member
+	relation alarm_delete: role#member | team#member
+	relation rule_create: role#member | team#member
+	relation rule_update: role#member | team#member
+	relation rule_read: role#member | team#member
+	relation rule_delete: role#member | team#member
+	relation rule_manage_role: role#member | team#member
+	relation rule_add_role_users: role#member | team#member
+	relation rule_remove_role_users: role#member | team#member
+	relation rule_view_role_users: role#member | team#member
+	relation alarm_assign: role#member | team#member
+	relation alarm_acknowledge: role#member | team#member
+	relation alarm_resolve: role#member | team#member
+	relation report_create: role#member | team#member
+	relation report_update: role#member | team#member
+	relation report_read: role#member | team#member
+	relation report_delete: role#member | team#member
+	relation report_manage_role: role#member | team#member
+	relation report_add_role_users: role#member | team#member
+	relation report_remove_role_users: role#member | team#member
+	relation report_view_role_users: role#member | team#member
+
+	permission update_permission = update + team->domain_update + organization->admin
+	permission read_permission = read + team->domain_read + organization->admin
+	permission enable_permission = enable + team->domain_update + organization->admin
+	permission disable_permission = disable + team->domain_update + organization->admin
+	permission delete_permission = delete + team->domain_delete + organization->admin
+
+	permission manage_role_permission = manage_role + team->domain_manage_role + organization->admin
+	permission add_role_users_permission = add_role_users + team->domain_add_role_users + organization->admin
+	permission remove_role_users_permission = remove_role_users + team->domain_remove_role_users + organization->admin
+	permission view_role_users_permission = view_role_users + team->domain_view_role_users + organization->admin
+
+	permission membership = read + update + enable + disable + delete +
+	manage_role + add_role_users + remove_role_users + view_role_users +
+	client_create + channel_create + group_create +
+	client_update + client_read + client_delete + client_set_parent_group + client_connect_to_channel +
+	client_manage_role + client_add_role_users + client_remove_role_users + client_view_role_users +
+	channel_update + channel_read + channel_delete + channel_set_parent_group + channel_connect_to_client + channel_publish + channel_subscribe +
+	channel_manage_role + channel_add_role_users + channel_remove_role_users + channel_view_role_users +
+	group_update + group_membership + group_read + group_delete + group_set_child + group_set_parent +
+	group_manage_role + group_add_role_users + group_remove_role_users + group_view_role_users +
+	alarm_update + alarm_read + alarm_delete + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + alarm_assign + alarm_acknowledge + alarm_resolve + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users +
+	organization->admin
+
+	permission admin = (read & update & enable & disable & delete & manage_role & add_role_users & remove_role_users & view_role_users) + organization->admin
+
+	permission client_create_permission = client_create + team->client_create + organization->admin
+	permission channel_create_permission = channel_create + team->channel_create + organization->admin
+	permission group_create_permission = group_create + team->group_create + organization->admin
+
+	permission client_update_permission = client_update + team->client_update + organization->admin
+	permission client_read_permission = client_read + team->client_read + organization->admin
+	permission client_delete_permission = client_delete + team->client_delete + organization->admin
+	permission client_set_parent_group_permission = client_set_parent_group + team->client_set_parent_group + organization->admin
+	permission client_connect_to_channel_permission = client_connect_to_channel + team->client_connect_to_channel + organization->admin
+
+	permission client_manage_role_permission = client_manage_role + team->client_manage_role + organization->admin
+	permission client_add_role_users_permission = client_add_role_users + team->client_add_role_users + organization->admin
+	permission client_remove_role_users_permission = client_remove_role_users + team->client_remove_role_users + organization->admin
+	permission client_view_role_users_permission = client_view_role_users + team->client_view_role_users + organization->admin
+
+	permission channel_update_permission = channel_update + team->channel_update + organization->admin
+	permission channel_read_permission = channel_read + team->channel_read + organization->admin
+	permission channel_delete_permission = channel_delete + team->channel_delete + organization->admin
+	permission channel_set_parent_group_permission = channel_set_parent_group + team->channel_set_parent_group + organization->admin
+	permission channel_connect_to_client_permission = channel_connect_to_client + team->channel_connect_to_client + organization->admin
+	permission channel_publish_permission = channel_publish + team->channel_publish + organization->admin
+	permission channel_subscribe_permission = channel_subscribe + team->channel_subscribe + organization->admin
+
+	permission channel_manage_role_permission = channel_manage_role + team->channel_manage_role + organization->admin
+	permission channel_add_role_users_permission = channel_add_role_users + team->channel_add_role_users + organization->admin
+	permission channel_remove_role_users_permission = channel_remove_role_users + team->channel_remove_role_users + organization->admin
+	permission channel_view_role_users_permission = channel_view_role_users + team->channel_view_role_users + organization->admin
+
+	permission group_update_permission = group_update + team->group_update + organization->admin
+	permission group_membership_permission = group_membership + team->group_membership + organization->admin
+	permission group_read_permission = group_read + team->group_read + organization->admin
+	permission group_delete_permission = group_delete + team->group_delete + organization->admin
+	permission group_set_child_permission = group_set_child + team->group_set_child + organization->admin
+	permission group_set_parent_permission = group_set_parent + team->group_set_parent + organization->admin
+
+	permission group_manage_role_permission = group_manage_role + team->group_manage_role + organization->admin
+	permission group_add_role_users_permission = group_add_role_users + team->group_add_role_users + organization->admin
+	permission group_remove_role_users_permission = group_remove_role_users + team->group_remove_role_users + organization->admin
+	permission group_view_role_users_permission = group_view_role_users + team->group_view_role_users + organization->admin
+
+	// Magistrala-specific permissions
+	permission alarm_update_permission = alarm_update + team->alarm_update + organization->admin
+	permission alarm_read_permission = alarm_read + team->alarm_read + organization->admin
+	permission alarm_delete_permission = alarm_delete + team->alarm_delete + organization->admin
+	permission rule_create_permission = rule_create + team->rule_create + organization->admin
+	permission rule_update_permission = rule_update + team->rule_update + organization->admin
+	permission rule_read_permission = rule_read + team->rule_read + organization->admin
+	permission rule_delete_permission = rule_delete + team->rule_delete + organization->admin
+	permission rule_manage_role_permission = rule_manage_role + team->rule_manage_role + organization->admin
+	permission rule_add_role_users_permission = rule_add_role_users + team->rule_add_role_users + organization->admin
+	permission rule_remove_role_users_permission = rule_remove_role_users + team->rule_remove_role_users + organization->admin
+	permission rule_view_role_users_permission = rule_view_role_users + team->rule_view_role_users + organization->admin
+	permission alarm_assign_permission = alarm_assign + team->alarm_assign + organization->admin
+	permission alarm_acknowledge_permission = alarm_acknowledge + team->alarm_acknowledge + organization->admin
+	permission alarm_resolve_permission = alarm_resolve + team->alarm_resolve + organization->admin
+	permission report_create_permission = report_create + team->report_create + organization->admin
+	permission report_update_permission = report_update + team->report_update + organization->admin
+	permission report_read_permission = report_read + team->report_read + organization->admin
+	permission report_delete_permission = report_delete + team->report_delete + organization->admin
+	permission report_manage_role_permission = report_manage_role + team->report_manage_role + organization->admin
+	permission report_add_role_users_permission = report_add_role_users + team->report_add_role_users + organization->admin
+	permission report_remove_role_users_permission = report_remove_role_users + team->report_remove_role_users + organization->admin
+	permission report_view_role_users_permission = report_view_role_users + team->report_view_role_users + organization->admin
+
+}
+
+// Add this relation and permission in future while adding organization
+definition team {
+	relation organization: organization
+	relation parent_team: team
+
+	relation delete: role#member
+	relation enable: role#member | team#member
+	relation disable: role#member | team#member
+	relation update: role#member
+	relation read: role#member
+
+	relation set_parent: role#member
+	relation set_child: role#member
+
+	relation member: role#member
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	relation subteam_delete: role#member
+	relation subteam_update: role#member
+	relation subteam_read: role#member
+
+	relation subteam_member: role#member
+
+	relation subteam_set_child: role#member
+	relation subteam_set_parent: role#member
+
+	relation subteam_manage_role: role#member
+	relation subteam_add_role_users: role#member
+	relation subteam_remove_role_users: role#member
+	relation subteam_view_role_users: role#member
+
+    // Domain related permission
+
+	relation domain_update: role#member | team#member
+	relation domain_read: role#member | team#member
+	relation domain_membership: role#member | team#member
+	relation domain_delete: role#member | team#member
+
+	relation domain_manage_role: role#member | team#member
+	relation domain_add_role_users: role#member | team#member
+	relation domain_remove_role_users: role#member | team#member
+	relation domain_view_role_users: role#member | team#member
+
+	relation client_create: role#member | team#member
+	relation channel_create: role#member | team#member
+	relation group_create: role#member | team#member
+
+	relation client_update: role#member | team#member
+	relation client_read: role#member | team#member
+	relation client_delete: role#member | team#member
+	relation client_set_parent_group: role#member | team#member
+	relation client_connect_to_channel: role#member | team#member
+
+	relation client_manage_role: role#member | team#member
+	relation client_add_role_users: role#member | team#member
+	relation client_remove_role_users: role#member | team#member
+	relation client_view_role_users: role#member | team#member
+
+	relation channel_update: role#member | team#member
+	relation channel_read: role#member | team#member
+	relation channel_delete: role#member | team#member
+	relation channel_set_parent_group: role#member | team#member
+	relation channel_connect_to_client: role#member | team#member
+	relation channel_publish: role#member | team#member
+	relation channel_subscribe: role#member | team#member
+
+	relation channel_manage_role: role#member | team#member
+	relation channel_add_role_users: role#member | team#member
+	relation channel_remove_role_users: role#member | team#member
+	relation channel_view_role_users: role#member | team#member
+
+	relation group_update: role#member | team#member
+	relation group_membership: role#member | team#member
+	relation group_read: role#member | team#member
+	relation group_delete: role#member | team#member
+	relation group_set_child: role#member | team#member
+	relation group_set_parent: role#member | team#member
+
+	relation group_manage_role: role#member | team#member
+	relation group_add_role_users: role#member | team#member
+	relation group_remove_role_users: role#member | team#member
+	relation group_view_role_users: role#member | team#member
+
+	// Magistrala-specific relations
+	relation alarm_update: role#member | team#member
+	relation alarm_read: role#member | team#member
+	relation alarm_delete: role#member | team#member
+	relation rule_create: role#member | team#member
+	relation rule_update: role#member | team#member
+	relation rule_read: role#member | team#member
+	relation rule_delete: role#member | team#member
+	relation rule_manage_role: role#member | team#member
+	relation rule_add_role_users: role#member | team#member
+	relation rule_remove_role_users: role#member | team#member
+	relation rule_view_role_users: role#member | team#member
+	relation alarm_assign: role#member | team#member
+	relation alarm_acknowledge: role#member | team#member
+	relation alarm_resolve: role#member | team#member
+	relation report_create: role#member | team#member
+	relation report_update: role#member | team#member
+	relation report_read: role#member | team#member
+	relation report_delete: role#member | team#member
+	relation report_manage_role: role#member | team#member
+	relation report_add_role_users: role#member | team#member
+	relation report_remove_role_users: role#member | team#member
+	relation report_view_role_users: role#member | team#member
+
+	permission delete_permission = delete + organization->team_delete + parent_team->subteam_delete + organization->admin
+	permission update_permission = update + organization->team_update + parent_team->subteam_update + organization->admin
+	permission read_permission = read + organization->team_read + parent_team->subteam_read + organization->admin
+
+	permission set_parent_permission = set_parent + organization->team_set_parent + parent_team->subteam_set_parent + organization->admin
+	permission set_child_permisssion = set_child + organization->team_set_child + parent_team->subteam_set_child + organization->admin
+
+    permission membership = member + organization->team_member + parent_team->subteam_member + organization->admin
+
+	permission manage_role_permission = manage_role + organization->team_manage_role + parent_team->subteam_manage_role + organization->admin
+	permission add_role_users_permission = add_role_users + organization->team_add_role_users + parent_team->subteam_add_role_users + organization->admin
+	permission remove_role_users_permission = remove_role_users + organization->team_remove_role_users + parent_team->subteam_remove_role_users + organization->admin
+	permission view_role_users_permission = view_role_users + organization->team_view_role_users + parent_team->subteam_view_role_users + organization->admin
+}
+
+
+definition organization {
+	relation platform: platform
+	relation administrator: user
+
+	relation delete: role#member
+	relation update: role#member
+	relation read: role#member
+
+	relation member: role#member
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	relation team_create: role#member
+
+	relation team_delete: role#member
+	relation team_update: role#member
+	relation team_read: role#member
+
+	relation team_member: role#member  // Will be member of all the teams in the organization
+
+	relation team_set_child: role#member
+	relation team_set_parent: role#member
+
+	relation team_manage_role: role#member
+	relation team_add_role_users: role#member
+	relation team_remove_role_users: role#member
+	relation team_view_role_users: role#member
+
+	permission admin = administrator + platform->administrator
+	permission delete_permission = admin + delete->member
+	permission update_permission = admin + update->member
+	permission read_permission = admin + read->member
+
+	permission membership = admin + member->member
+
+	permission team_create_permission = admin + team_create->member
+
+	permission manage_role_permission = admin + manage_role
+	permission add_role_users_permisson = admin + add_role_users
+	permission remove_role_users_permission = admin + remove_role_users
+	permission view_role_users_permission = admin + view_role_users
+}
+
+
+definition platform {
+  relation administrator: user
+  relation member: user
+
+  permission admin = administrator
+  permission membership = administrator + member
+}
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Merge documentation
+// - Source A (base): docker/supermq-docker/spicedb/schema.zed (SuperMQ upstream schema)
+// - Source B (overlay): docker/spicedb/override-schema.zed (Magistrala schema extensions)
+// - Merge script: scripts/combined-schema.sh
+// - Output: docker/spicedb/combined-schema.zed
+//
+// How merge works:
+// 1. The first `definition domain { ... }` block is treated as explicit domain overlay.
+// 2. The first `definition team { ... }` block is treated as explicit team overlay.
+// 3. Domain overlay relations/permissions are injected into SuperMQ `definition domain`.
+// 4. Team overlay relations are injected into SuperMQ `definition team`.
+// 5. `permission membership_extension = ...` from the domain overlay is injected into
+//    SuperMQ `domain.permission membership` before `organization->admin`.
+// 6. Overlay `definition domain` and `definition team` blocks are removed before append,
+//    so only merged SuperMQ domain/team definitions remain.
+// 7. Remaining definitions in this file (for example `alarm`, `rule`, `report`) are appended.
+//
+// Maintenance notes:
+// - Keep all custom domain/team merge lines inside the two overlay blocks below.
+// - Update `permission membership_extension` whenever domain membership additions change.
+// - Regenerate combined schema with: `sh scripts/combine-schema.sh`
+// - `scripts/supermq.sh` also regenerates combined schema after refreshing SuperMQ docker files.
+
+// Overlay domain block consumed by scripts/combine-schema.sh during merge.
+
+// Overlay team block consumed by scripts/combine-schema.sh during merge.
+
+definition rule {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+relation alarm_read: role#member
+relation alarm_assign: role#member
+relation alarm_acknowledge: role#member
+relation alarm_resolve: role#member
+
+permission update_permission = update + domain->rule_update_permission
+permission read_permission = read + domain->rule_read_permission
+permission delete_permission = delete + domain->rule_delete_permission
+
+permission manage_role_permission = manage_role + domain->rule_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->rule_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->rule_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->rule_view_role_users_permission
+
+permission alarm_read_permission = alarm_read + domain->alarm_read_permission
+permission alarm_assign_permission = alarm_assign + domain->alarm_assign_permission
+permission alarm_acknowledge_permission = alarm_acknowledge + domain->alarm_acknowledge_permission
+permission alarm_resolve_permission = alarm_resolve + domain->alarm_resolve_permission
+}
+
+definition report {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+permission update_permission = update + domain->report_update_permission
+permission read_permission = read + domain->report_read_permission
+permission delete_permission = delete + domain->report_delete_permission
+
+permission manage_role_permission = manage_role + domain->report_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->report_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->report_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->report_view_role_users_permission
+}
@@ -0,0 +1,168 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Merge documentation
+// - Source A (base): docker/supermq-docker/spicedb/schema.zed (SuperMQ upstream schema)
+// - Source B (overlay): docker/spicedb/override-schema.zed (Magistrala schema extensions)
+// - Merge script: scripts/combined-schema.sh
+// - Output: docker/spicedb/combined-schema.zed
+//
+// How merge works:
+// 1. The first `definition domain { ... }` block is treated as explicit domain overlay.
+// 2. The first `definition team { ... }` block is treated as explicit team overlay.
+// 3. Domain overlay relations/permissions are injected into SuperMQ `definition domain`.
+// 4. Team overlay relations are injected into SuperMQ `definition team`.
+// 5. `permission membership_extension = ...` from the domain overlay is injected into
+//    SuperMQ `domain.permission membership` before `organization->admin`.
+// 6. Overlay `definition domain` and `definition team` blocks are removed before append,
+//    so only merged SuperMQ domain/team definitions remain.
+// 7. Remaining definitions in this file (for example `alarm`, `rule`, `report`) are appended.
+//
+// Maintenance notes:
+// - Keep all custom domain/team merge lines inside the two overlay blocks below.
+// - Update `permission membership_extension` whenever domain membership additions change.
+// - Regenerate combined schema with: `sh scripts/combine-schema.sh`
+// - `scripts/supermq.sh` also regenerates combined schema after refreshing SuperMQ docker files.
+
+// Overlay domain block consumed by scripts/combine-schema.sh during merge.
+definition domain {
+
+	// Magistrala-specific relations
+	relation alarm_update: role#member | team#member
+	relation alarm_read: role#member | team#member
+	relation alarm_delete: role#member | team#member
+
+	relation rule_create: role#member | team#member
+	relation rule_update: role#member | team#member
+	relation rule_read: role#member | team#member
+	relation rule_delete: role#member | team#member
+	relation rule_manage_role: role#member | team#member
+	relation rule_add_role_users: role#member | team#member
+	relation rule_remove_role_users: role#member | team#member
+	relation rule_view_role_users: role#member | team#member
+	relation alarm_assign: role#member | team#member
+	relation alarm_acknowledge: role#member | team#member
+	relation alarm_resolve: role#member | team#member
+
+	relation report_create: role#member | team#member
+	relation report_update: role#member | team#member
+	relation report_read: role#member | team#member
+	relation report_delete: role#member | team#member
+	relation report_manage_role: role#member | team#member
+	relation report_add_role_users: role#member | team#member
+	relation report_remove_role_users: role#member | team#member
+	relation report_view_role_users: role#member | team#member
+
+	// Magistrala-specific permissions
+	permission alarm_update_permission = alarm_update + team->alarm_update + organization->admin
+	permission alarm_read_permission = alarm_read + team->alarm_read + organization->admin
+	permission alarm_delete_permission = alarm_delete + team->alarm_delete + organization->admin
+
+	permission rule_create_permission = rule_create + team->rule_create + organization->admin
+	permission rule_update_permission = rule_update + team->rule_update + organization->admin
+	permission rule_read_permission = rule_read + team->rule_read + organization->admin
+	permission rule_delete_permission = rule_delete + team->rule_delete + organization->admin
+	permission rule_manage_role_permission = rule_manage_role + team->rule_manage_role + organization->admin
+	permission rule_add_role_users_permission = rule_add_role_users + team->rule_add_role_users + organization->admin
+	permission rule_remove_role_users_permission = rule_remove_role_users + team->rule_remove_role_users + organization->admin
+	permission rule_view_role_users_permission = rule_view_role_users + team->rule_view_role_users + organization->admin
+	permission alarm_assign_permission = alarm_assign + team->alarm_assign + organization->admin
+	permission alarm_acknowledge_permission = alarm_acknowledge + team->alarm_acknowledge + organization->admin
+	permission alarm_resolve_permission = alarm_resolve + team->alarm_resolve + organization->admin
+
+	permission report_create_permission = report_create + team->report_create + organization->admin
+	permission report_update_permission = report_update + team->report_update + organization->admin
+	permission report_read_permission = report_read + team->report_read + organization->admin
+	permission report_delete_permission = report_delete + team->report_delete + organization->admin
+	permission report_manage_role_permission = report_manage_role + team->report_manage_role + organization->admin
+	permission report_add_role_users_permission = report_add_role_users + team->report_add_role_users + organization->admin
+	permission report_remove_role_users_permission = report_remove_role_users + team->report_remove_role_users + organization->admin
+	permission report_view_role_users_permission = report_view_role_users + team->report_view_role_users + organization->admin
+
+	// Explicit extension injected into SuperMQ domain `permission membership`.
+	permission membership_extension = alarm_update + alarm_read + alarm_delete + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + alarm_assign + alarm_acknowledge + alarm_resolve + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users
+
+}
+
+// Overlay team block consumed by scripts/combine-schema.sh during merge.
+definition team {
+
+	relation alarm_update: role#member | team#member
+	relation alarm_read: role#member | team#member
+	relation alarm_delete: role#member | team#member
+
+	relation rule_create: role#member | team#member
+	relation rule_update: role#member | team#member
+	relation rule_read: role#member | team#member
+	relation rule_delete: role#member | team#member
+	relation rule_manage_role: role#member | team#member
+	relation rule_add_role_users: role#member | team#member
+	relation rule_remove_role_users: role#member | team#member
+	relation rule_view_role_users: role#member | team#member
+	relation alarm_assign: role#member | team#member
+	relation alarm_acknowledge: role#member | team#member
+	relation alarm_resolve: role#member | team#member
+
+	relation report_create: role#member | team#member
+	relation report_update: role#member | team#member
+	relation report_read: role#member | team#member
+	relation report_delete: role#member | team#member
+	relation report_manage_role: role#member | team#member
+	relation report_add_role_users: role#member | team#member
+	relation report_remove_role_users: role#member | team#member
+	relation report_view_role_users: role#member | team#member
+}
+
+definition rule {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+relation alarm_read: role#member
+relation alarm_assign: role#member
+relation alarm_acknowledge: role#member
+relation alarm_resolve: role#member
+
+permission update_permission = update + domain->rule_update_permission
+permission read_permission = read + domain->rule_read_permission
+permission delete_permission = delete + domain->rule_delete_permission
+
+permission manage_role_permission = manage_role + domain->rule_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->rule_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->rule_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->rule_view_role_users_permission
+
+permission alarm_read_permission = alarm_read + domain->alarm_read_permission
+permission alarm_assign_permission = alarm_assign + domain->alarm_assign_permission
+permission alarm_acknowledge_permission = alarm_acknowledge + domain->alarm_acknowledge_permission
+permission alarm_resolve_permission = alarm_resolve + domain->alarm_resolve_permission
+}
+
+definition report {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+permission update_permission = update + domain->report_update_permission
+permission read_permission = read + domain->report_read_permission
+permission delete_permission = delete + domain->report_delete_permission
+
+permission manage_role_permission = manage_role + domain->report_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->report_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->report_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->report_view_role_users_permission
+}
@@ -2,9 +2,12 @@
 # SPDX-License-Identifier: Apache-2.0

 services:
+
  spicedb:
    networks: !override
      - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}

  spicedb-migrate:
    networks: !override
@@ -17,7 +20,8 @@ services:
  auth-db:
    networks: !override
      - magistrala-base-net
-
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
  auth-redis:
    networks: !override
      - magistrala-base-net
@@ -25,6 +29,8 @@ services:
  auth:
    networks: !override
      - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}

  domains-db:
    networks: !override
@@ -37,6 +43,8 @@ services:
  domains:
    networks: !override
      - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}

  clients-db:
    networks: !override
@@ -49,6 +57,8 @@ services:
  clients:
    networks: !override
      - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}

  channels-redis:
    networks: !override
@@ -61,6 +71,8 @@ services:
  channels:
    networks: !override
      - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}

  users-db:
    networks: !override
@@ -77,6 +89,8 @@ services:
  groups:
    networks: !override
      - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}

  jaeger:
    networks: !override
@@ -94,10 +108,6 @@ services:
    networks: !override
      - magistrala-base-net

-  ws-adapter:
-    networks: !override
-      - magistrala-base-net
-
  rabbitmq:
    networks: !override
      - magistrala-base-net
@@ -130,9 +140,64 @@ services:
      - magistrala-base-net

  certs:
-    volumes:
-      - ../../docker/ssl/certs/ca.key:/etc/ssl/certs/ca.key
-      - ../../docker/ssl/certs/ca.crt:/etc/ssl/certs/ca.crt
+    environment:
+      AM_CERTS_LOG_LEVEL: ${AM_CERTS_LOG_LEVEL}
+      AM_CERTS_HTTP_HOST: ${AM_CERTS_HTTP_HOST}
+      AM_CERTS_HTTP_PORT: ${AM_CERTS_HTTP_PORT}
+      AM_CERTS_GRPC_HOST: ${AM_CERTS_GRPC_HOST}
+      AM_CERTS_GRPC_PORT: ${AM_CERTS_GRPC_PORT}
+      AM_CERTS_RELEASE_TAG: ${AM_CERTS_RELEASE_TAG}
+      AM_CERTS_SECRET: ${AM_CERTS_SECRET}
+      AM_CERTS_DB_HOST: ${AM_CERTS_DB_HOST}
+      AM_CERTS_DB_PORT: ${AM_CERTS_DB_PORT}
+      AM_CERTS_DB_USER: ${AM_CERTS_DB_USER}
+      AM_CERTS_DB_PASS: ${AM_CERTS_DB_PASS}
+      AM_CERTS_DB: ${AM_CERTS_DB}
+      AM_CERTS_DB_SSL_MODE: ${AM_CERTS_DB_SSL_MODE}
+      AM_CERTS_DB_MAX_CONNECTIONS: ${AM_CERTS_DB_MAX_CONNECTIONS}
+      AM_CERTS_OPENBAO_HOST: ${AM_CERTS_OPENBAO_HOST}
+      AM_CERTS_OPENBAO_APP_ROLE: ${AM_CERTS_OPENBAO_APP_ROLE}
+      AM_CERTS_OPENBAO_APP_SECRET: ${AM_CERTS_OPENBAO_APP_SECRET}
+      AM_CERTS_OPENBAO_NAMESPACE: ${AM_CERTS_OPENBAO_NAMESPACE}
+      AM_CERTS_OPENBAO_PKI_PATH: ${AM_CERTS_OPENBAO_PKI_PATH}
+      AM_CERTS_OPENBAO_ROLE: ${AM_CERTS_OPENBAO_ROLE}
+      AM_CERTS_OPENBAO_SECRET_ID_TTL: ${AM_CERTS_OPENBAO_SECRET_ID_TTL}
+      AM_CERTS_SERVICE_TOKEN_PATH: ${AM_CERTS_SERVICE_TOKEN_PATH}
+      AM_CERTS_SECRET_ID_PATH: ${AM_CERTS_SECRET_ID_PATH}
+      AM_CERTS_SECRET_RENEW_THRESHOLD: ${AM_CERTS_SECRET_RENEW_THRESHOLD}
+      AM_CERTS_SECRET_CHECK_INTERVAL: ${AM_CERTS_SECRET_CHECK_INTERVAL}
+
+      # OpenBao PKI CA configuration
+      AM_CERTS_OPENBAO_PKI_CA_CN: ${AM_CERTS_OPENBAO_PKI_CA_CN}
+      AM_CERTS_OPENBAO_PKI_CA_OU: ${AM_CERTS_OPENBAO_PKI_CA_OU}
+      AM_CERTS_OPENBAO_PKI_CA_O: ${AM_CERTS_OPENBAO_PKI_CA_O}
+      AM_CERTS_OPENBAO_PKI_CA_C: ${AM_CERTS_OPENBAO_PKI_CA_C}
+      AM_CERTS_OPENBAO_PKI_CA_L: ${AM_CERTS_OPENBAO_PKI_CA_L}
+      AM_CERTS_OPENBAO_PKI_CA_ST: ${AM_CERTS_OPENBAO_PKI_CA_ST}
+      AM_CERTS_OPENBAO_PKI_CA_ADDR: ${AM_CERTS_OPENBAO_PKI_CA_ADDR}
+      AM_CERTS_OPENBAO_PKI_CA_PO: ${AM_CERTS_OPENBAO_PKI_CA_PO}
+      AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES: ${AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES}
+      AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES: ${AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES}
+      AM_CERTS_OPENBAO_PKI_CA_URI_SANS: ${AM_CERTS_OPENBAO_PKI_CA_URI_SANS}
+      AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES: ${AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES}
+      AM_CERTS_OPENBAO_UNSEAL_KEY_1: ${AM_CERTS_OPENBAO_UNSEAL_KEY_1}
+      AM_CERTS_OPENBAO_UNSEAL_KEY_2: ${AM_CERTS_OPENBAO_UNSEAL_KEY_2}
+      AM_CERTS_OPENBAO_UNSEAL_KEY_3: ${AM_CERTS_OPENBAO_UNSEAL_KEY_3}
+      AM_CERTS_OPENBAO_ROOT_TOKEN: ${AM_CERTS_OPENBAO_ROOT_TOKEN}
+
+      AM_JAEGER_URL: ${AM_JAEGER_URL}
+      AM_JAEGER_TRACE_RATIO: ${AM_JAEGER_TRACE_RATIO}
+
+      AM_AUTH_GRPC_URL: ${AM_AUTH_GRPC_URL}
+      AM_AUTH_GRPC_TIMEOUT: ${AM_AUTH_GRPC_TIMEOUT}
+      AM_AUTH_GRPC_CLIENT_CERT: ${AM_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
+      AM_AUTH_GRPC_CLIENT_KEY: ${AM_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
+      AM_AUTH_GRPC_SERVER_CA_CERTS: ${AM_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
+      AM_DOMAINS_GRPC_URL: ${AM_DOMAINS_GRPC_URL}
+      AM_DOMAINS_GRPC_TIMEOUT: ${AM_DOMAINS_GRPC_TIMEOUT}
+      AM_DOMAINS_GRPC_CLIENT_CERT: ${AM_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
+      AM_DOMAINS_GRPC_CLIENT_KEY: ${AM_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
+      AM_DOMAINS_GRPC_SERVER_CA_CERTS: ${AM_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
    networks: !override
      - magistrala-base-net

@@ -143,10 +208,10 @@ services:
      - ../../docker/nginx/entrypoint.sh:/docker-entrypoint.d/entrypoint.sh
      - type: bind
        source: ${SMQ_NGINX_SERVER_CERT:-../../docker/ssl/certs/magistrala-server.crt}
-        target: /etc/ssl/certs/magistrala-server.crt
+        target: /etc/ssl/certs/supermq-server.crt
      - type: bind
        source: ${SMQ_NGINX_SERVER_KEY:-../../docker/ssl/certs/magistrala-server.key}
-        target: /etc/ssl/private/magistrala-server.key
+        target: /etc/ssl/private/supermq-server.key
      - type: bind
        source: ${SMQ_NGINX_SERVER_CLIENT_CA:-../../docker/ssl/certs/ca.crt}
        target: /etc/ssl/certs/ca.crt
@@ -158,3 +223,4 @@ services:
    env_file: !override
      - ./.env
      - ../../docker/.env
+
@@ -98,13 +98,18 @@ SMQ_AUTH_DB_SSL_MODE=disable
 SMQ_AUTH_DB_SSL_CERT=
 SMQ_AUTH_DB_SSL_KEY=
 SMQ_AUTH_DB_SSL_ROOT_CERT=
-SMQ_AUTH_SECRET_KEY=HyE2D4RUt9nnKG6v8zKEqAp6g6ka8hhZsqUpzgKvnwpXrNVQSH
 SMQ_AUTH_ACCESS_TOKEN_DURATION="1h"
 SMQ_AUTH_REFRESH_TOKEN_DURATION="24h"
+SMQ_AUTH_KEYS_ALGORITHM="EdDSA"
+SMQ_AUTH_KEYS_ACTIVE_KEY_PATH="./keys/active.key"
+SMQ_AUTH_KEYS_RETIRING_KEY_PATH="./keys/retiring.key"
 SMQ_AUTH_INVITATION_DURATION="168h"
 SMQ_AUTH_ADAPTER_INSTANCE_ID=
 SMQ_AUTH_CACHE_URL=redis://auth-redis:${SMQ_REDIS_TCP_PORT}/0
 SMQ_AUTH_CACHE_KEY_DURATION=10m
+SMQ_AUTH_JWKS_URL=http://${SMQ_AUTH_HTTP_HOST}:${SMQ_AUTH_HTTP_PORT}/keys/.well-known/jwks.json
+SMQ_AUTH_JWKS_CACHE_MAX_AGE=900
+SMQ_AUTH_JWKS_CACHE_STALE_WHILE_REVALIDATE=60

 #### Client Callout
 SMQ_CLIENTS_CALLOUT_URLS=""
@@ -233,8 +238,6 @@ SMQ_USERS_ADMIN_USERNAME=admin
 SMQ_USERS_ADMIN_FIRST_NAME=super
 SMQ_USERS_ADMIN_LAST_NAME=admin
 SMQ_USERS_PASS_REGEX=^.{8,}$
-SMQ_USERS_ACCESS_TOKEN_DURATION=15m
-SMQ_USERS_REFRESH_TOKEN_DURATION=24h
 SMQ_USERS_HTTP_HOST=users
 SMQ_USERS_HTTP_PORT=9002
 SMQ_USERS_HTTP_SERVER_CERT=
@@ -258,8 +261,6 @@ SMQ_USERS_SECRET_KEY=HyE2D4RUt9nnKG6v8zKEqAp6g6ka8hhZsqUpzgKvnwpXrNVQSH
 SMQ_USERS_ADMIN_EMAIL=admin@example.com
 SMQ_USERS_ADMIN_PASSWORD=12345678
 SMQ_USERS_PASS_REGEX=^.{8,}$
-SMQ_USERS_ACCESS_TOKEN_DURATION=15m
-SMQ_USERS_REFRESH_TOKEN_DURATION=24h
 SMQ_USERS_ALLOW_SELF_REGISTER=true
 SMQ_OAUTH_UI_REDIRECT_URL=http://localhost:9095${SMQ_UI_PATH_PREFIX}/tokens/secure
 SMQ_OAUTH_UI_ERROR_URL=http://localhost:9095${SMQ_UI_PATH_PREFIX}/error
@@ -413,6 +414,12 @@ SMQ_MQTT_ADAPTER_ES_DB=0
 SMQ_MQTT_ADAPTER_CACHE_NUM_COUNTERS=200000
 SMQ_MQTT_ADAPTER_CACHE_MAX_COST=1048576
 SMQ_MQTT_ADAPTER_CACHE_BUFFER_ITEMS=64
+SMQ_MQTT_ADAPTER_CERT_FILE=
+SMQ_MQTT_ADAPTER_KEY_FILE=
+SMQ_MQTT_ADAPTER_SERVER_CA_FILE=
+SMQ_MQTT_ADAPTER_CLIENT_CA_FILE=
+SMQ_MQTT_ADAPTER_CERT_VERIFICATION_METHODS=
+SMQ_MQTT_ADAPTER_OCSP_RESPONDER_URL=

 ### CoAP
 ## If enabled run make all inside docker/ssl directory to generate the DTLS certs
@@ -432,17 +439,6 @@ SMQ_COAP_ADAPTER_CACHE_MAX_COST=1048576
 SMQ_COAP_ADAPTER_CACHE_BUFFER_ITEMS=64
 SMQ_COAP_ADAPTER_INSTANCE_ID=

-### WS
-SMQ_WS_ADAPTER_LOG_LEVEL=debug
-SMQ_WS_ADAPTER_HTTP_HOST=ws-adapter
-SMQ_WS_ADAPTER_HTTP_PORT=8186
-SMQ_WS_ADAPTER_HTTP_SERVER_CERT=
-SMQ_WS_ADAPTER_HTTP_SERVER_KEY=
-SMQ_WS_ADAPTER_CACHE_NUM_COUNTERS=200000
-SMQ_WS_ADAPTER_CACHE_MAX_COST=1048576
-SMQ_WS_ADAPTER_CACHE_BUFFER_ITEMS=64
-SMQ_WS_ADAPTER_INSTANCE_ID=
-
 ## Addons Services
 # Certs
 AM_CERTS_LOG_LEVEL=debug
@@ -451,7 +447,7 @@ AM_CERTS_HTTP_PORT=9019
 AM_CERTS_GRPC_HOST=certs
 AM_CERTS_GRPC_PORT=7012
 AM_CERTS_RELEASE_TAG=latest
-AM_CERTS_TOKEN=
+AM_CERTS_SECRET=12345678

 ## Certs Database Configuration
 AM_CERTS_DB_HOST=certs-db
@@ -469,32 +465,38 @@ AM_CERTS_OPENBAO_APP_SECRET=absmach
 AM_CERTS_OPENBAO_NAMESPACE=
 AM_CERTS_OPENBAO_PKI_PATH=pki
 AM_CERTS_OPENBAO_ROLE=absmach
+AM_CERTS_OPENBAO_SECRET_ID_TTL=720h
+AM_CERTS_SERVICE_TOKEN_PATH=/openbao/service_token
+AM_CERTS_SECRET_ID_PATH=/openbao/secret_id
+AM_CERTS_SECRET_RENEW_THRESHOLD=24h
+AM_CERTS_SECRET_CHECK_INTERVAL=1h

 ## OpenBao PKI CA Configuration
-AM_OPENBAO_PKI_CA_CN=Abstract Machines Root Certificate Authority
-AM_OPENBAO_PKI_CA_OU=Abstract Machines
-AM_OPENBAO_PKI_CA_O=Abstract Machines
-AM_OPENBAO_PKI_CA_C=FRANCE
-AM_OPENBAO_PKI_CA_L=PARIS
-AM_OPENBAO_PKI_CA_ST=PARIS
-AM_OPENBAO_PKI_CA_ADDR=5 Av. Anatole
-AM_OPENBAO_PKI_CA_PO=75007
-AM_OPENBAO_PKI_CA_DNS_NAMES=localhost
-AM_OPENBAO_PKI_CA_IP_ADDRESSES=127.0.0.1,::1
-AM_OPENBAO_PKI_CA_URI_SANS=
-AM_OPENBAO_PKI_CA_EMAIL_ADDRESSES=info@abstractmachines.rs
+AM_CERTS_OPENBAO_PKI_CA_CN=Abstract Machines Certificate Authority
+AM_CERTS_OPENBAO_PKI_CA_OU=Abstract Machines
+AM_CERTS_OPENBAO_PKI_CA_O=AbstractMachines
+AM_CERTS_OPENBAO_PKI_CA_C=FRANCE
+AM_CERTS_OPENBAO_PKI_CA_L=PARIS
+AM_CERTS_OPENBAO_PKI_CA_ST=PARIS
+AM_CERTS_OPENBAO_PKI_CA_ADDR=5 Av. Anatole
+AM_CERTS_OPENBAO_PKI_CA_PO=75007
+AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES=localhost
+AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES=127.0.0.1,::1
+AM_CERTS_OPENBAO_PKI_CA_URI_SANS=
+AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES=info@abstractmachines.rs

 ## OpenBao Unseal Keys and Token
-AM_OPENBAO_UNSEAL_KEY_1=
-AM_OPENBAO_UNSEAL_KEY_2=
-AM_OPENBAO_UNSEAL_KEY_3=
-AM_OPENBAO_ROOT_TOKEN=
+AM_CERTS_OPENBAO_UNSEAL_KEY_1=
+AM_CERTS_OPENBAO_UNSEAL_KEY_2=
+AM_CERTS_OPENBAO_UNSEAL_KEY_3=
+AM_CERTS_OPENBAO_ROOT_TOKEN=

 ## Jaeger Configuration for Certs
 AM_JAEGER_URL=http://jaeger:4318/v1/traces
 AM_JAEGER_TRACE_RATIO=1.0

 #### Auth Client Config for Certs Service
+SMQ_ADDONS_CERTS_PATH_PREFIX=../../
 AM_AUTH_GRPC_URL=auth:7001
 AM_AUTH_GRPC_TIMEOUT=300s
 AM_AUTH_GRPC_CLIENT_CERT=${GRPC_MTLS:+./ssl/certs/auth-grpc-client.crt}
@@ -1,7 +1,7 @@
 # Copyright (c) Abstract Machines
 # SPDX-License-Identifier: Apache-2.0

-FROM golang:1.25.4-alpine3.22 AS builder
+FROM golang:1.26.1-alpine3.22 AS builder
 ARG SVC
 ARG GOARCH
 ARG GOARM
@@ -2,11 +2,11 @@

 Configure environment variables and run SuperMQ Docker Composition.

-\*Note\*\*: `docker-compose` uses `.env` file to set all environment variables. Ensure that you run the command from the same location as .env file.
+> \*Note\*\*: `docker-compose` uses `.env` file to set all environment variables. Ensure that you run the command from the same location as .env file.

 ## Installation

-Follow the [official documentation](https://docs.docker.com/compose/install/).
+Follow the [official Docker Compose installation guide](https://docs.docker.com/compose/install/) to install Docker Compose.

 ## Usage

@@ -16,6 +16,8 @@ Run the following commands from the project root directory.
 docker compose -f docker/docker-compose.yaml up
 ```

+To start additional addon services:
+
 ```bash
 docker compose -f docker/addons/<path>/docker-compose.yaml up
 ```
@@ -26,33 +28,37 @@ To pull docker images from a specific release you need to change the value of `S

 SuperMQ supports configurable MQTT broker and Message broker, which also acts as an events store. SuperMQ uses two types of brokers:

-1. MQTT_BROKER: Handles MQTT communication between MQTT adapters and message broker. This can either be 'RabbitMQ' or 'NATS'.
-2. MESSAGE_BROKER: Manages message exchange between SuperMQ core, optional, and external services. This can either be 'NATS' or 'RabbitMQ'. This is used to store messages for distributed processing.
+1. **MQTT_BROKER**: Handles MQTT communication between MQTT adapters and message broker. This can either be `RabbitMQ` or `NATS`.
+2. **MESSAGE_BROKER**: Manages message exchange between SuperMQ core, optional, and external services. This can either be `NATS` or `RabbitMQ`. This is used to store messages for distributed processing.

-Events store: This is used by SuperMQ services to store events for distributed processing. SuperMQ uses a single service to be the message broker and events store. This can either be 'NATS' or 'RabbitMQ'. Redis can also be used as an events store, but it requires a message broker to be deployed along with it for message exchange.
+Events store: This is used by SuperMQ services to store events for distributed processing. SuperMQ uses a single service to be the message broker and events store. This can either be `NATS` or `RabbitMQ`. Redis can also be used as an events store, but it requires a message broker to be deployed along with it for message exchange.

-This is the same as MESSAGE_BROKER. This can either be 'NATS' or 'RabbitMQ' or 'Redis'.  If Redis is used as an events store, then RabbitMQ or NATS is used as a message broker.
+## Supported Combinations
+
+This is the same as MESSAGE_BROKER. This can either be `NATS` or `RabbitMQ` or `Redis`.  If Redis is used as an events store, then RabbitMQ or NATS is used as a message broker.

 The current deployment strategy for SuperMQ in `docker/docker-compose.yaml` is to use RabbitMQ as a MQTT_BROKER and NATS as a MESSAGE_BROKER and EVENTS_STORE.

-Therefore, the following combinations are possible:
+Depending on the desired setup, the following broker configurations are valid:

- MQTT_BROKER: RabbitMQ, MESSAGE_BROKER: NATS, EVENTS_STORE: NATS
- MQTT_BROKER: RabbitMQ, MESSAGE_BROKER: NATS, EVENTS_STORE: Redis
- MQTT_BROKER: RabbitMQ, MESSAGE_BROKER: RabbitMQ, EVENTS_STORE: RabbitMQ
- MQTT_BROKER: RabbitMQ, MESSAGE_BROKER: RabbitMQ, EVENTS_STORE: Redis
- MQTT_BROKER: NATS, MESSAGE_BROKER: RabbitMQ, EVENTS_STORE: RabbitMQ
- MQTT_BROKER: NATS, MESSAGE_BROKER: RabbitMQ, EVENTS_STORE: Redis
- MQTT_BROKER: NATS, MESSAGE_BROKER: NATS, EVENTS_STORE: NATS
- MQTT_BROKER: NATS, MESSAGE_BROKER: NATS, EVENTS_STORE: Redis
+- `MQTT_BROKER: RabbitMQ`, `MESSAGE_BROKER: NATS`, `EVENTS_STORE: NATS`
+- `MQTT_BROKER: RabbitMQ`, `MESSAGE_BROKER: NATS`, `EVENTS_STORE: Redis`
+- `MQTT_BROKER: RabbitMQ`, `MESSAGE_BROKER: RabbitMQ`, `EVENTS_STORE: RabbitMQ`
+- `MQTT_BROKER: RabbitMQ`, `MESSAGE_BROKER: RabbitMQ`, `EVENTS_STORE: Redis`
+- `MQTT_BROKER: NATS`, `MESSAGE_BROKER: RabbitMQ`, `EVENTS_STORE: RabbitMQ`
+- `MQTT_BROKER: NATS`, `MESSAGE_BROKER: RabbitMQ`, `EVENTS_STORE: Redis`
+- `MQTT_BROKER: NATS`, `MESSAGE_BROKER: NATS`, `EVENTS_STORE: NATS`
+- `MQTT_BROKER: NATS`, `MESSAGE_BROKER: NATS`, `EVENTS_STORE: Redis`

-For Message brokers other than NATS, you would need to build the docker images with RabbitMQ as the build tag and change the `docker/.env`. For example, to use RabbitMQ as a message broker:
+> For non-default brokers (e.g. RabbitMQ as message broker), adjust the environment variables appropriately and rebuild Docker images. Example:

 ```bash
 SMQ_MESSAGE_BROKER_TYPE=msg_rabbitmq make dockers
 ```

-```env
+Then in `.env`:
+
+```text
 SMQ_MESSAGE_BROKER_TYPE=msg_rabbitmq
 SMQ_MESSAGE_BROKER_URL=${SMQ_RABBITMQ_URL}
 ```
@@ -84,7 +90,7 @@ SMQ_MQTT_ADAPTER_WS_TARGET_PORT=8080
 SMQ_MQTT_ADAPTER_WS_TARGET_PATH=${SMQ_NATS_WS_TARGET_PATH}
 ```

-### RabbitMQ configuration
+### RabbitMQ configuration (as MQTT broker or MESSAGE_BROKER)

 ```yaml
 services:
@@ -104,7 +110,7 @@ services:
      - supermq-base-net
 ```

-### Redis configuration
+### Redis configuration (as events store)

 ```yaml
 services:
@@ -123,12 +129,47 @@ services:
 Nginx is the entry point for all traffic to SuperMQ.
 By using environment variables file at `docker/.env` you can modify the below given Nginx directive.

-`SMQ_NGINX_SERVER_NAME` environmental variable is used to configure nginx directive `server_name`. If environmental variable `SMQ_NGINX_SERVER_NAME` is empty then default value `localhost` will set to `server_name`.
+| Environment Variable | Description |
+|----------------------|-------------|
+| `SMQ_NGINX_SERVER_NAME` | `SMQ_NGINX_SERVER_NAME` environmental variable is used to configure nginx directive `server_name`. If environmental variable `SMQ_NGINX_SERVER_NAME` is empty then default value `localhost` will set to `server_name`. |
+| `SMQ_NGINX_SERVER_CERT` | `SMQ_NGINX_SERVER_CERT` environmental variable is used to configure nginx directive `ssl_certificate`. If environmental variable `SMQ_NGINX_SERVER_CERT` is empty then by default server certificate in the path `docker/ssl/certs/supermq-server.crt`  will be assigned. |
+| `SMQ_NGINX_SERVER_KEY` | `SMQ_NGINX_SERVER_KEY` environmental variable is used to configure nginx directive `ssl_certificate_key`. If environmental variable `SMQ_NGINX_SERVER_KEY` is empty then by default server certificate key in the path `docker/ssl/certs/supermq-server.key`  will be assigned. |
+| `SMQ_NGINX_SERVER_CLIENT_CA` | `SMQ_NGINX_SERVER_CLIENT_CA` environmental variable is used to configure nginx directive `ssl_client_certificate`. If environmental variable `SMQ_NGINX_SERVER_CLIENT_CA` is empty then by default certificate in the path `docker/ssl/certs/ca.crt` will be assigned. |
+| `SMQ_NGINX_SERVER_DHPARAM` | `SMQ_NGINX_SERVER_DHPARAM` environmental variable is used to configure nginx directive `ssl_dhparam`. If environmental variable `SMQ_NGINX_SERVER_DHPARAM` is empty then by default file in the path `docker/ssl/dhparam.pem` will be assigned. |

-`SMQ_NGINX_SERVER_CERT` environmental variable is used to configure nginx directive `ssl_certificate`. If environmental variable `SMQ_NGINX_SERVER_CERT` is empty then by default server certificate in the path `docker/ssl/certs/supermq-server.crt`  will be assigned.
+Adjust these values in `.env` to configure TLS / SSL behavior for your deployment.

-`SMQ_NGINX_SERVER_KEY` environmental variable is used to configure nginx directive `ssl_certificate_key`. If environmental variable `SMQ_NGINX_SERVER_KEY` is empty then by default server certificate key in the path `docker/ssl/certs/supermq-server.key`  will be assigned.
+## Makefile Integration

-`SMQ_NGINX_SERVER_CLIENT_CA` environmental variable is used to configure nginx directive `ssl_client_certificate`. If environmental variable `SMQ_NGINX_SERVER_CLIENT_CA` is empty then by default certificate in the path `docker/ssl/certs/ca.crt` will be assigned.
+The included `Makefile` defines build and Docker‑build targets for all SuperMQ services. Key points:

-`SMQ_NGINX_SERVER_DHPARAM` environmental variable is used to configure nginx directive `ssl_dhparam`. If environmental variable `SMQ_NGINX_SERVER_DHPARAM` is empty then by default file in the path `docker/ssl/dhparam.pem` will be assigned.
+- `SERVICES`: list of core services (auth, clients, channels, http, coap, mqtt, ws, etc.)
+
+- `DOCKERS`, `DOCKERS_DEV`: build targets for production and development Docker images
+
+- Build arguments embed version, commit hash, and build timestamp into the binary
+
+Build all services:
+
+```bash
+make all        # builds all services
+make dockers    # builds all Docker images
+```
+
+Start services with Docker compose:
+
+```bash
+docker compose -f docker/docker-compose.yaml up
+```
+
+To clean up:
+
+```bash
+make cleandocker
+```
+
+To run tests(unit tests + API tests)
+
+```bash
+make test
+```
@@ -33,19 +33,25 @@ AM_CERTS_GRPC_CLIENT_TLS=
 AM_CERTS_GRPC_CA_CERTS=
 AM_CERTS_INSTANCE_ID=
 AM_CERTS_RELEASE_TAG=latest
+# WARNING: This is a development/testing secret only.
+# NEVER use this weak secret in production! Generate a strong random secret for production deployments.
 AM_CERTS_SECRET=12345678

 ## OpenBao PKI Config
 AM_CERTS_OPENBAO_HOST=http://certs-openbao:8200
 AM_CERTS_OPENBAO_APP_ROLE=absmach
 AM_CERTS_OPENBAO_APP_SECRET=absmach
-AM_CERTS_OPENBAO_SECRET_ID_TTL=87600h
+AM_CERTS_OPENBAO_SECRET_ID_TTL=720h
 AM_CERTS_OPENBAO_NAMESPACE=
 AM_CERTS_OPENBAO_PKI_PATH=pki
 AM_CERTS_OPENBAO_ROLE=absmach
+AM_CERTS_SERVICE_TOKEN_PATH=/openbao/service_token
+AM_CERTS_SECRET_ID_PATH=/openbao/secret_id
+AM_CERTS_SECRET_RENEW_THRESHOLD=24h
+AM_CERTS_SECRET_CHECK_INTERVAL=1h
 AM_CERTS_OPENBAO_PKI_CA_CN=Abstract Machines Certificate Authority
 AM_CERTS_OPENBAO_PKI_CA_OU=Abstract Machines
-AM_CERTS_OPENBAO_PKI_CA_O=AbstractMacines
+AM_CERTS_OPENBAO_PKI_CA_O=AbstractMachines
 AM_CERTS_OPENBAO_PKI_CA_C=FRANCE
 AM_CERTS_OPENBAO_PKI_CA_L=PARIS
 AM_CERTS_OPENBAO_PKI_CA_ST=PARIS
@@ -1,7 +1,7 @@
 # Copyright (c) Abstract Machines
 # SPDX-License-Identifier: Apache-2.0

-FROM golang:1.25-alpine AS builder
+FROM golang:1.26-alpine AS builder

 ARG SVC
 ARG GOARCH
@@ -16,8 +16,10 @@ services:
    image: ghcr.io/absmach/certs:${AM_CERTS_RELEASE_TAG}
    container_name: certs
    depends_on:
-      - openbao
-      - certs-db
+      openbao:
+        condition: service_healthy
+      certs-db:
+        condition: service_started
    restart: on-failure
    networks:
      - certs-base-net
@@ -35,6 +37,7 @@ services:
      AM_CERTS_OPENBAO_NAMESPACE: ${AM_CERTS_OPENBAO_NAMESPACE}
      AM_CERTS_OPENBAO_PKI_PATH: ${AM_CERTS_OPENBAO_PKI_PATH}
      AM_CERTS_OPENBAO_ROLE: ${AM_CERTS_OPENBAO_ROLE}
+      AM_CERTS_OPENBAO_SECRET_ID_TTL: ${AM_CERTS_OPENBAO_SECRET_ID_TTL}
      AM_CERTS_DB_HOST: ${AM_CERTS_DB_HOST}
      AM_CERTS_DB_PORT: ${AM_CERTS_DB_PORT}
      AM_CERTS_DB_USER: ${AM_CERTS_DB_USER}
@@ -43,18 +46,55 @@ services:
      AM_CERTS_DB_SSL_MODE: ${AM_CERTS_DB_SSL_MODE}
      AM_AUTH_GRPC_URL: ${AM_AUTH_GRPC_URL}
      AM_AUTH_GRPC_TIMEOUT: ${AM_AUTH_GRPC_TIMEOUT}
-      AM_AUTH_GRPC_CLIENT_CERT: ${AM_AUTH_GRPC_CLIENT_CERT}
-      AM_AUTH_GRPC_CLIENT_KEY: ${AM_AUTH_GRPC_CLIENT_KEY}
-      AM_AUTH_GRPC_SERVER_CA_CERTS: ${AM_AUTH_GRPC_SERVER_CA_CERTS}
+      AM_AUTH_GRPC_CLIENT_CERT: ${AM_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
+      AM_AUTH_GRPC_CLIENT_KEY: ${AM_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
+      AM_AUTH_GRPC_SERVER_CA_CERTS: ${AM_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
      AM_DOMAINS_GRPC_URL: ${AM_DOMAINS_GRPC_URL}
      AM_DOMAINS_GRPC_TIMEOUT: ${AM_DOMAINS_GRPC_TIMEOUT}
      AM_DOMAINS_GRPC_CLIENT_CERT: ${AM_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
      AM_DOMAINS_GRPC_CLIENT_KEY: ${AM_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
      AM_DOMAINS_GRPC_SERVER_CA_CERTS: ${AM_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
      AM_CERTS_SECRET: ${AM_CERTS_SECRET}
+      AM_CERTS_SERVICE_TOKEN_PATH: ${AM_CERTS_SERVICE_TOKEN_PATH}
+      AM_CERTS_SECRET_ID_PATH: ${AM_CERTS_SECRET_ID_PATH}
+      AM_CERTS_SECRET_RENEW_THRESHOLD: ${AM_CERTS_SECRET_RENEW_THRESHOLD}
+      AM_CERTS_SECRET_CHECK_INTERVAL: ${AM_CERTS_SECRET_CHECK_INTERVAL}
+      SMQ_ALLOW_UNVERIFIED_USER: ${SMQ_ALLOW_UNVERIFIED_USER}
    ports:
      - ${AM_CERTS_HTTP_PORT}:${AM_CERTS_HTTP_PORT}
      - ${AM_CERTS_GRPC_PORT}:${AM_CERTS_GRPC_PORT}
+    volumes:
+      - openbao-data:/openbao:ro
+      - type: bind
+        source: ${SMQ_ADDONS_CERTS_PATH_PREFIX}${AM_AUTH_GRPC_CLIENT_CERT:-./ssl/certs/dummy/client_cert}
+        target: /auth-grpc-client.crt
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${SMQ_ADDONS_CERTS_PATH_PREFIX}${AM_AUTH_GRPC_CLIENT_KEY:-./ssl/certs/dummy/client_key}
+        target: /auth-grpc-client.key
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${SMQ_ADDONS_CERTS_PATH_PREFIX}${AM_AUTH_GRPC_SERVER_CA_CERTS:-./ssl/certs/dummy/server_ca}
+        target: /auth-grpc-server-ca.crt
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${SMQ_ADDONS_CERTS_PATH_PREFIX}${AM_DOMAINS_GRPC_CLIENT_CERT:-./ssl/certs/dummy/client_cert}
+        target: /domains-grpc-client.crt
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${SMQ_ADDONS_CERTS_PATH_PREFIX}${AM_DOMAINS_GRPC_CLIENT_KEY:-./ssl/certs/dummy/client_key}
+        target: /domains-grpc-client.key
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${SMQ_ADDONS_CERTS_PATH_PREFIX}${AM_DOMAINS_GRPC_SERVER_CA_CERTS:-./ssl/certs/dummy/server_ca}
+        target: /domains-grpc-server-ca.crt
+        bind:
+          create_host_path: true

  certs-db:
    image: postgres:16.2-alpine
@@ -80,6 +120,12 @@ services:
      - certs-base-net
    ports:
      - 8200:8200
+    healthcheck:
+      test: ["CMD", "sh", "-c", "test -f /opt/openbao/data/service_token"]
+      interval: 5s
+      timeout: 3s
+      retries: 20
+      start_period: 30s
    environment:
      - BAO_ADDR=http://127.0.0.1:8200
      - BAO_LOG_LEVEL=info
@@ -27,6 +27,66 @@ EOF

 export BAO_ADDR=http://127.0.0.1:8200

+create_pki_policy() {
+  cat > /opt/openbao/config/pki-policy.hcl << EOF
+path "pki_int/issue/${AM_CERTS_OPENBAO_PKI_ROLE}" {
+  capabilities = ["create", "update"]
+}
+path "pki_int/sign/${AM_CERTS_OPENBAO_PKI_ROLE}" {
+  capabilities = ["create", "update"]
+}
+path "pki_int/sign-verbatim/${AM_CERTS_OPENBAO_PKI_ROLE}" {
+  capabilities = ["create", "update"]
+}
+path "pki_int/certs" {
+  capabilities = ["list"]
+}
+path "pki_int/cert/*" {
+  capabilities = ["read"]
+}
+path "pki_int/revoke" {
+  capabilities = ["create", "update"]
+}
+path "pki_int/ca" {
+  capabilities = ["read"]
+}
+path "pki_int/ca_chain" {
+  capabilities = ["read"]
+}
+path "pki_int/crl" {
+  capabilities = ["read"]
+}
+path "pki/ca" {
+  capabilities = ["read"]
+}
+path "pki/ca_chain" {
+  capabilities = ["read"]
+}
+path "pki/crl" {
+  capabilities = ["read"]
+}
+path "auth/token/renew-self" {
+  capabilities = ["update"]
+}
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+path "sys/renew/*" {
+  capabilities = ["update"]
+}
+path "auth/approle/role/${AM_CERTS_OPENBAO_PKI_ROLE}/secret-id" {
+  capabilities = ["create", "update"]
+}
+path "auth/approle/role/${AM_CERTS_OPENBAO_PKI_ROLE}/secret-id-accessor/lookup" {
+  capabilities = ["create", "update"]
+}
+path "auth/approle/role/${AM_CERTS_OPENBAO_PKI_ROLE}/secret-id-accessor/destroy" {
+  capabilities = ["create", "update"]
+}
+EOF
+  bao policy write pki-policy /opt/openbao/config/pki-policy.hcl > /dev/null
+}
+
 # Check if we have pre-configured unseal keys and root token
 if [ -n "$AM_CERTS_OPENBAO_UNSEAL_KEY_1" ] && [ -n "$AM_CERTS_OPENBAO_UNSEAL_KEY_2" ] && [ -n "$AM_CERTS_OPENBAO_UNSEAL_KEY_3" ] && [ -n "$AM_CERTS_OPENBAO_ROOT_TOKEN" ]; then
  echo "Using pre-configured unseal keys and root token..."
@@ -229,6 +289,16 @@ if [ ! -f /opt/openbao/data/configured ]; then

  echo "Intermediate CA certificate signed successfully!"

+  bao write pki/config/urls \
+    issuing_certificates='http://127.0.0.1:8200/v1/pki/ca' \
+    crl_distribution_points='http://127.0.0.1:8200/v1/pki/crl' \
+    ocsp_servers='http://127.0.0.1:8200/v1/pki/ocsp' > /dev/null
+
+  bao write pki_int/config/urls \
+    issuing_certificates='http://127.0.0.1:8200/v1/pki_int/ca' \
+    crl_distribution_points='http://127.0.0.1:8200/v1/pki_int/crl' \
+    ocsp_servers='http://127.0.0.1:8200/v1/pki_int/ocsp' > /dev/null
+
  bao write pki_int/intermediate/set-signed certificate="$INTERMEDIATE_CERT" > /dev/null

  if [ $? -eq 0 ]; then
@@ -240,16 +310,6 @@ if [ ! -f /opt/openbao/data/configured ]; then

  echo "$INTERMEDIATE_CERT" > /opt/openbao/data/intermediate_ca.pem

-  bao write pki/config/urls \
-    issuing_certificates='http://127.0.0.1:8200/v1/pki/ca' \
-    crl_distribution_points='http://127.0.0.1:8200/v1/pki/crl' \
-    ocsp_servers='http://127.0.0.1:8200/v1/pki/ocsp' > /dev/null
-
-  bao write pki_int/config/urls \
-    issuing_certificates='http://127.0.0.1:8200/v1/pki_int/ca' \
-    crl_distribution_points='http://127.0.0.1:8200/v1/pki_int/crl' \
-    ocsp_servers='http://127.0.0.1:8200/v1/pki_int/ocsp' > /dev/null
-
  ROLE_CMD="bao write pki_int/roles/${AM_CERTS_OPENBAO_PKI_ROLE} \
    allow_any_name=true \
    enforce_hostnames=false \
@@ -271,66 +331,13 @@ if [ ! -f /opt/openbao/data/configured ]; then
    ext_key_usage=\"ServerAuth,ClientAuth,OCSPSigning\" \
    use_csr_common_name=true \
    use_csr_sans=true \
-    copy_extensions=true \
-    allowed_extensions=\"*\" \
    basic_constraints_valid_for_non_ca=true \
    max_ttl=720h \
    ttl=720h"

  eval "$ROLE_CMD" > /dev/null

-  # Create PKI policy
-  cat > /opt/openbao/config/pki-policy.hcl << EOF
-path "pki_int/issue/${AM_CERTS_OPENBAO_PKI_ROLE}" {
-  capabilities = ["create", "update"]
-}
-path "pki_int/sign/${AM_CERTS_OPENBAO_PKI_ROLE}" {
-  capabilities = ["create", "update"]
-}
-path "pki_int/sign-verbatim/${AM_CERTS_OPENBAO_PKI_ROLE}" {
-  capabilities = ["create", "update"]
-}
-path "pki_int/certs" {
-  capabilities = ["list"]
-}
-path "pki_int/cert/*" {
-  capabilities = ["read"]
-}
-path "pki_int/revoke" {
-  capabilities = ["create", "update"]
-}
-path "pki_int/ca" {
-  capabilities = ["read"]
-}
-path "pki_int/ca_chain" {
-  capabilities = ["read"]
-}
-path "pki_int/crl" {
-  capabilities = ["read"]
-}
-path "pki/ca" {
-  capabilities = ["read"]
-}
-path "pki/ca_chain" {
-  capabilities = ["read"]
-}
-path "pki/crl" {
-  capabilities = ["read"]
-}
-# Token management
-path "auth/token/renew-self" {
-  capabilities = ["update"]
-}
-path "auth/token/lookup-self" {
-  capabilities = ["read"]
-}
-# System lease renewal
-path "sys/renew/*" {
-  capabilities = ["update"]
-}
-EOF
-
-  bao policy write pki-policy /opt/openbao/config/pki-policy.hcl > /dev/null
+  create_pki_policy

  # Create AppRole
  SECRET_ID_TTL="${AM_CERTS_OPENBAO_SECRET_ID_TTL}"
@@ -346,9 +353,13 @@ EOF
    bao write auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}"/role-id role_id="$AM_CERTS_OPENBAO_APP_ROLE" > /dev/null
  fi

-  # Set custom secret ID if provided
+  # Set custom secret ID if provided, otherwise generate one
  if [ -n "$AM_CERTS_OPENBAO_APP_SECRET" ]; then
    bao write auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}"/custom-secret-id secret_id="$AM_CERTS_OPENBAO_APP_SECRET" > /dev/null
+    echo "$AM_CERTS_OPENBAO_APP_SECRET" > /opt/openbao/data/secret_id
+  else
+    GENERATED_SECRET_ID=$(bao write -field=secret_id -force auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}"/secret-id)
+    echo "$GENERATED_SECRET_ID" > /opt/openbao/data/secret_id
  fi

  # Generate service token for additional access
@@ -364,7 +375,7 @@ EOF
  touch /opt/openbao/data/configured
  echo "OpenBao configuration completed successfully!"
 else
-  echo "OpenBao already configured, skipping setup..."
+  echo "OpenBao already configured, verifying and updating configuration..."
  
  # Restore namespace if it exists
  if [ -f /opt/openbao/data/namespace ] && [ -n "$AM_CERTS_OPENBAO_NAMESPACE" ]; then
@@ -374,17 +385,68 @@ else
    fi
  fi
  
-  if [ -n "$AM_CERTS_OPENBAO_APP_SECRET" ]; then
-    echo "Verifying existing secret ID validity..."
-    if ! bao write -field=client_token auth/approle/login role_id="$AM_CERTS_OPENBAO_APP_ROLE" secret_id="$AM_CERTS_OPENBAO_APP_SECRET" > /dev/null 2>&1; then
-      echo "================================"
-      echo "ERROR: Secret ID has expired!"
-      echo "Please regenerate AM_CERTS_OPENBAO_APP_SECRET"
-      echo "and update your environment configuration"
-      echo "================================"
-    else
-      echo "Existing secret ID is valid"
+  # Check if AppRole role exists, create if missing
+  if ! bao read auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}" > /dev/null 2>&1; then
+    if ! bao auth enable approle > /tmp/auth_success 2>/tmp/auth_error; then
+      if ! grep -q "already in use" /tmp/auth_error; then
+        echo "ERROR: Failed to enable AppRole auth method:" >&2
+        cat /tmp/auth_error >&2
+        exit 1
+      fi
    fi
+    rm -f /tmp/auth_error /tmp/auth_success
+    
+    create_pki_policy
+    
+    SECRET_ID_TTL="${AM_CERTS_OPENBAO_SECRET_ID_TTL}"
+    bao write auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}" \
+      token_policies=pki-policy \
+      token_ttl=1h \
+      token_max_ttl=4h \
+      bind_secret_id=true \
+      secret_id_ttl="$SECRET_ID_TTL" > /dev/null
+    
+    if [ -n "$AM_CERTS_OPENBAO_APP_ROLE" ]; then
+      bao write auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}"/role-id role_id="$AM_CERTS_OPENBAO_APP_ROLE" > /dev/null
+    fi
+  fi
+  
+  SECRET_ID_VALID=false
+  if [ -n "$AM_CERTS_OPENBAO_APP_SECRET" ]; then
+    if bao write -field=client_token auth/approle/login role_id="$AM_CERTS_OPENBAO_APP_ROLE" secret_id="$AM_CERTS_OPENBAO_APP_SECRET" > /dev/null 2>&1; then
+      SECRET_ID_VALID=true
+      echo "$AM_CERTS_OPENBAO_APP_SECRET" > /opt/openbao/data/secret_id
+    fi
+  elif [ -f /opt/openbao/data/secret_id ]; then
+    STORED_SECRET_ID=$(cat /opt/openbao/data/secret_id)
+    if [ -n "$STORED_SECRET_ID" ]; then
+      ROLE_ID=$(bao read -field=role_id auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}"/role-id)
+      if bao write -field=client_token auth/approle/login role_id="$ROLE_ID" secret_id="$STORED_SECRET_ID" > /dev/null 2>&1; then
+        SECRET_ID_VALID=true
+      fi
+    fi
+  fi
+  
+  if [ "$SECRET_ID_VALID" = "false" ]; then
+    NEW_SECRET_ID=$(bao write -field=secret_id -force auth/approle/role/"${AM_CERTS_OPENBAO_PKI_ROLE}"/secret-id)
+    
+    if [ -z "$NEW_SECRET_ID" ]; then
+      echo "ERROR: Failed to generate new secret ID" >&2
+    else
+      echo "$NEW_SECRET_ID" > /opt/openbao/data/secret_id
+      echo "Generated new secret ID for certs service"
+    fi
+  fi
+  
+  # Regenerate service token
+  SERVICE_TOKEN=$(bao write -field=token auth/token/create \
+    policies=pki-policy \
+    ttl=24h \
+    renewable=true \
+    display_name="certs-service" 2>/dev/null)
+  
+  if [ -n "$SERVICE_TOKEN" ]; then
+    echo "SERVICE_TOKEN=$SERVICE_TOKEN" > /opt/openbao/data/service_token
  fi
 fi

@@ -59,6 +59,7 @@ services:
      SMQ_AUTH_GRPC_CLIENT_CERT: ${SMQ_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
      SMQ_AUTH_GRPC_CLIENT_KEY: ${SMQ_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
      SMQ_AUTH_GRPC_SERVER_CA_CERTS: ${SMQ_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
+      SMQ_AUTH_KEYS_ALGORITHM: ${SMQ_AUTH_KEYS_ALGORITHM}
      SMQ_ES_URL: ${SMQ_ES_URL}
      SMQ_JAEGER_URL: ${SMQ_JAEGER_URL}
      SMQ_JAEGER_TRACE_RATIO: ${SMQ_JAEGER_TRACE_RATIO}
@@ -1,10 +1,6 @@
 # Copyright (c) Abstract Machines
 # SPDX-License-Identifier: Apache-2.0

-networks:
-  supermq-base-net:
-    external: true
-
 services:
  certs:
    environment:
@@ -14,8 +10,7 @@ services:
      AM_CERTS_GRPC_HOST: ${AM_CERTS_GRPC_HOST}
      AM_CERTS_GRPC_PORT: ${AM_CERTS_GRPC_PORT}
      AM_CERTS_RELEASE_TAG: ${AM_CERTS_RELEASE_TAG}
-      AM_CERTS_TOKEN: ${AM_CERTS_TOKEN}
-      
+      AM_CERTS_SECRET: ${AM_CERTS_SECRET}
      AM_CERTS_DB_HOST: ${AM_CERTS_DB_HOST}
      AM_CERTS_DB_PORT: ${AM_CERTS_DB_PORT}
      AM_CERTS_DB_USER: ${AM_CERTS_DB_USER}
@@ -23,54 +18,52 @@ services:
      AM_CERTS_DB: ${AM_CERTS_DB}
      AM_CERTS_DB_SSL_MODE: ${AM_CERTS_DB_SSL_MODE}
      AM_CERTS_DB_MAX_CONNECTIONS: ${AM_CERTS_DB_MAX_CONNECTIONS}
-      
      AM_CERTS_OPENBAO_HOST: ${AM_CERTS_OPENBAO_HOST}
      AM_CERTS_OPENBAO_APP_ROLE: ${AM_CERTS_OPENBAO_APP_ROLE}
      AM_CERTS_OPENBAO_APP_SECRET: ${AM_CERTS_OPENBAO_APP_SECRET}
      AM_CERTS_OPENBAO_NAMESPACE: ${AM_CERTS_OPENBAO_NAMESPACE}
      AM_CERTS_OPENBAO_PKI_PATH: ${AM_CERTS_OPENBAO_PKI_PATH}
      AM_CERTS_OPENBAO_ROLE: ${AM_CERTS_OPENBAO_ROLE}
-      
-      # OpenBao PKI CA configuration
-      AM_OPENBAO_PKI_CA_CN: ${AM_OPENBAO_PKI_CA_CN}
-      AM_OPENBAO_PKI_CA_OU: ${AM_OPENBAO_PKI_CA_OU}
-      AM_OPENBAO_PKI_CA_O: ${AM_OPENBAO_PKI_CA_O}
-      AM_OPENBAO_PKI_CA_C: ${AM_OPENBAO_PKI_CA_C}
-      AM_OPENBAO_PKI_CA_L: ${AM_OPENBAO_PKI_CA_L}
-      AM_OPENBAO_PKI_CA_ST: ${AM_OPENBAO_PKI_CA_ST}
-      AM_OPENBAO_PKI_CA_ADDR: ${AM_OPENBAO_PKI_CA_ADDR}
-      AM_OPENBAO_PKI_CA_PO: ${AM_OPENBAO_PKI_CA_PO}
-      AM_OPENBAO_PKI_CA_DNS_NAMES: ${AM_OPENBAO_PKI_CA_DNS_NAMES}
-      AM_OPENBAO_PKI_CA_IP_ADDRESSES: ${AM_OPENBAO_PKI_CA_IP_ADDRESSES}
-      AM_OPENBAO_PKI_CA_URI_SANS: ${AM_OPENBAO_PKI_CA_URI_SANS}
-      AM_OPENBAO_PKI_CA_EMAIL_ADDRESSES: ${AM_OPENBAO_PKI_CA_EMAIL_ADDRESSES}
-      
-      AM_OPENBAO_UNSEAL_KEY_1: ${AM_OPENBAO_UNSEAL_KEY_1}
-      AM_OPENBAO_UNSEAL_KEY_2: ${AM_OPENBAO_UNSEAL_KEY_2}
-      AM_OPENBAO_UNSEAL_KEY_3: ${AM_OPENBAO_UNSEAL_KEY_3}
-      AM_OPENBAO_ROOT_TOKEN: ${AM_OPENBAO_ROOT_TOKEN}
-      
+      AM_CERTS_OPENBAO_SECRET_ID_TTL: ${AM_CERTS_OPENBAO_SECRET_ID_TTL}
+      AM_CERTS_SERVICE_TOKEN_PATH: ${AM_CERTS_SERVICE_TOKEN_PATH}
+      AM_CERTS_SECRET_ID_PATH: ${AM_CERTS_SECRET_ID_PATH}
+      AM_CERTS_SECRET_RENEW_THRESHOLD: ${AM_CERTS_SECRET_RENEW_THRESHOLD}
+      AM_CERTS_SECRET_CHECK_INTERVAL: ${AM_CERTS_SECRET_CHECK_INTERVAL}
+      AM_CERTS_OPENBAO_PKI_CA_CN: ${AM_CERTS_OPENBAO_PKI_CA_CN}
+      AM_CERTS_OPENBAO_PKI_CA_OU: ${AM_CERTS_OPENBAO_PKI_CA_OU}
+      AM_CERTS_OPENBAO_PKI_CA_O: ${AM_CERTS_OPENBAO_PKI_CA_O}
+      AM_CERTS_OPENBAO_PKI_CA_C: ${AM_CERTS_OPENBAO_PKI_CA_C}
+      AM_CERTS_OPENBAO_PKI_CA_L: ${AM_CERTS_OPENBAO_PKI_CA_L}
+      AM_CERTS_OPENBAO_PKI_CA_ST: ${AM_CERTS_OPENBAO_PKI_CA_ST}
+      AM_CERTS_OPENBAO_PKI_CA_ADDR: ${AM_CERTS_OPENBAO_PKI_CA_ADDR}
+      AM_CERTS_OPENBAO_PKI_CA_PO: ${AM_CERTS_OPENBAO_PKI_CA_PO}
+      AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES: ${AM_CERTS_OPENBAO_PKI_CA_DNS_NAMES}
+      AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES: ${AM_CERTS_OPENBAO_PKI_CA_IP_ADDRESSES}
+      AM_CERTS_OPENBAO_PKI_CA_URI_SANS: ${AM_CERTS_OPENBAO_PKI_CA_URI_SANS}
+      AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES: ${AM_CERTS_OPENBAO_PKI_CA_EMAIL_ADDRESSES}
+      AM_CERTS_OPENBAO_UNSEAL_KEY_1: ${AM_CERTS_OPENBAO_UNSEAL_KEY_1}
+      AM_CERTS_OPENBAO_UNSEAL_KEY_2: ${AM_CERTS_OPENBAO_UNSEAL_KEY_2}
+      AM_CERTS_OPENBAO_UNSEAL_KEY_3: ${AM_CERTS_OPENBAO_UNSEAL_KEY_3}
+      AM_CERTS_OPENBAO_ROOT_TOKEN: ${AM_CERTS_OPENBAO_ROOT_TOKEN}
      AM_JAEGER_URL: ${AM_JAEGER_URL}
      AM_JAEGER_TRACE_RATIO: ${AM_JAEGER_TRACE_RATIO}
-      
      AM_AUTH_GRPC_URL: ${AM_AUTH_GRPC_URL}
      AM_AUTH_GRPC_TIMEOUT: ${AM_AUTH_GRPC_TIMEOUT}
-      AM_AUTH_GRPC_CLIENT_CERT: ${AM_AUTH_GRPC_CLIENT_CERT}
-      AM_AUTH_GRPC_CLIENT_KEY: ${AM_AUTH_GRPC_CLIENT_KEY}
-      AM_AUTH_GRPC_SERVER_CA_CERTS: ${AM_AUTH_GRPC_SERVER_CA_CERTS}
-      
+      AM_AUTH_GRPC_CLIENT_CERT: ${AM_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
+      AM_AUTH_GRPC_CLIENT_KEY: ${AM_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
+      AM_AUTH_GRPC_SERVER_CA_CERTS: ${AM_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
      AM_DOMAINS_GRPC_URL: ${AM_DOMAINS_GRPC_URL}
      AM_DOMAINS_GRPC_TIMEOUT: ${AM_DOMAINS_GRPC_TIMEOUT}
-      AM_DOMAINS_GRPC_CLIENT_CERT: ${AM_DOMAINS_GRPC_CLIENT_CERT}
-      AM_DOMAINS_GRPC_CLIENT_KEY: ${AM_DOMAINS_GRPC_CLIENT_KEY}
-      AM_DOMAINS_GRPC_SERVER_CA_CERTS: ${AM_DOMAINS_GRPC_SERVER_CA_CERTS}
-    networks:
+      AM_DOMAINS_GRPC_CLIENT_CERT: ${AM_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
+      AM_DOMAINS_GRPC_CLIENT_KEY: ${AM_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
+      AM_DOMAINS_GRPC_SERVER_CA_CERTS: ${AM_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
+    networks: !override
      - supermq-base-net

  certs-db:
-    networks:
+    networks: !override
      - supermq-base-net

  openbao:
-    networks:
+    networks: !override
      - supermq-base-net
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIPB+6hA+8rK067SdVlkWzgtxEUNysMhFFFzmGsKB1BAl
+-----END PRIVATE KEY-----
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIE9Qu5lN6KOfdO14XJUClM1UPrqT55BczLMcRuSG7Ziy
+-----END PRIVATE KEY-----
@@ -22,7 +22,6 @@ envsubst '
    ${SMQ_CHANNELS_HTTP_PORT}
    ${SMQ_HTTP_ADAPTER_PORT}
    ${SMQ_NGINX_MQTT_PORT}
-    ${SMQ_NGINX_MQTTS_PORT}
-    ${SMQ_WS_ADAPTER_HTTP_PORT}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
+    ${SMQ_NGINX_MQTTS_PORT}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf

 exec nginx -g "daemon off;"
@@ -131,7 +131,7 @@ http {
        location /ws/ {
            include snippets/proxy-headers.conf;
            include snippets/ws-upgrade.conf;
-            proxy_pass http://ws-adapter:${SMQ_WS_ADAPTER_HTTP_PORT}/;
+            proxy_pass http://http-adapter:${SMQ_HTTP_ADAPTER_PORT}/;
        }
    }
 }
@@ -144,7 +144,7 @@ http {
            include snippets/verify-ssl-client.conf;
            include snippets/proxy-headers.conf;
            include snippets/ws-upgrade.conf;
-            proxy_pass http://ws-adapter:${SMQ_WS_ADAPTER_HTTP_PORT}/;
+            proxy_pass http://http-adapter:${SMQ_HTTP_ADAPTER_PORT}/;
        }
    }
 }
@@ -0,0 +1,132 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+clients:
+  operations:
+    - view: read_permission
+    - update: update_permission
+    - update_tags: update_permission
+    - update_secret: update_permission
+    - enable: update_permission
+    - disable: update_permission
+    - delete: delete_permission
+    - set_parent_group: set_parent_group_permission
+    - remove_parent_group: set_parent_group_permission
+    - connect_to_channel: connect_to_channel_permission
+    - disconnect_from_channel: connect_to_channel_permission
+  roles_operations:
+    - add: manage_role_permission
+    - remove: manage_role_permission
+    - update: manage_role_permission
+    - retrieve: view_role_users_permission
+    - retrieve_all: view_role_users_permission
+    - add_actions: manage_role_permission
+    - list_actions: view_role_users_permission
+    - check_actions_exists: view_role_users_permission
+    - remove_actions: manage_role_permission
+    - remove_all_actions: manage_role_permission
+    - add_members: add_role_users_permission
+    - list_members: view_role_users_permission
+    - check_members_exists: view_role_users_permission
+    - remove_members: remove_role_users_permission
+    - remove_all_members: remove_role_users_permission
+
+channels:
+  operations:
+    - view: read_permission
+    - update: update_permission
+    - update_tags: update_permission
+    - enable: update_permission
+    - disable: update_permission
+    - delete: delete_permission
+    - set_parent_group: set_parent_group_permission
+    - remove_parent_group: set_parent_group_permission
+    - connect_client: connect_to_client_permission
+    - disconnect_client: connect_to_client_permission
+  roles_operations:
+    - add: manage_role_permission
+    - remove: manage_role_permission
+    - update: manage_role_permission
+    - retrieve: view_role_users_permission
+    - retrieve_all: view_role_users_permission
+    - add_actions: manage_role_permission
+    - list_actions: view_role_users_permission
+    - check_actions_exists: view_role_users_permission
+    - remove_actions: manage_role_permission
+    - remove_all_actions: manage_role_permission
+    - add_members: add_role_users_permission
+    - list_members: view_role_users_permission
+    - check_members_exists: view_role_users_permission
+    - remove_members: remove_role_users_permission
+    - remove_all_members: remove_role_users_permission
+
+groups:
+  operations:
+    - view: read_permission
+    - update: update_permission
+    - update_tags: update_permission
+    - enable: update_permission
+    - disable: update_permission
+    - delete: delete_permission
+    - retrieve_group_hierarchy: read_permission
+    - add_parent_group: set_parent_permission
+    - remove_parent_group: set_parent_permission
+    - add_children_groups: set_child_permission
+    - remove_children_groups: set_child_permission
+    - remove_all_children_groups: set_child_permission
+    - list_children_groups: read_permission
+    - set_child_client: set_child_permission
+    - remove_child_client: set_child_permission
+    - set_child_channel: set_child_permission
+    - remove_child_channel: set_child_permission
+  roles_operations:
+    - add: manage_role_permission
+    - remove: manage_role_permission
+    - update: manage_role_permission
+    - retrieve: view_role_users_permission
+    - retrieve_all: view_role_users_permission
+    - add_actions: manage_role_permission
+    - list_actions: view_role_users_permission
+    - check_actions_exists: view_role_users_permission
+    - remove_actions: manage_role_permission
+    - remove_all_actions: manage_role_permission
+    - add_members: add_role_users_permission
+    - list_members: view_role_users_permission
+    - check_members_exists: view_role_users_permission
+    - remove_members: remove_role_users_permission
+    - remove_all_members: remove_role_users_permission
+
+domains:
+  operations:
+    - create: create_permission
+    - update: update_permission
+    - read: read_permission
+    - enable: enable_permission
+    - disable: disable_permission
+    - list: read_permission
+    - send_invitation: manage_role_permission
+    - list_invitation: membership_permission
+    - list_domain_invitation: manage_role_permission
+    - delete_invitation: manage_role_permission
+    - create_clients: client_create_permission
+    - list_clients: client_read_permission
+    - create_channels: channel_create_permission
+    - list_channels: channel_read_permission
+    - create_groups: group_create_permission
+    - list_groups: group_read_permission
+  roles_operations:
+    - add: manage_role_permission
+    - remove: manage_role_permission
+    - update: manage_role_permission
+    - retrieve: view_role_users_permission
+    - retrieve_all: view_role_users_permission
+    - add_actions: manage_role_permission
+    - list_actions: view_role_users_permission
+    - check_actions_exists: view_role_users_permission
+    - remove_actions: manage_role_permission
+    - remove_all_actions: manage_role_permission
+    - add_members: add_role_users_permission
+    - list_members: view_role_users_permission
+    - check_members_exists: view_role_users_permission
+    - remove_members: remove_role_users_permission
+    - remove_all_members: remove_role_users_permission
@@ -0,0 +1,14 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+# Enable AOF persistence
+appendonly yes
+appendfilename "appendonly.aof"
+appendfsync everysec
+
+# Enable periodic snapshots
+save 300 10
+
+# Persist data in Docker volume
+dir /data
+
@@ -1,19 +1,20 @@
-module github.com/absmach/magistrala
+module github.com/absmach/magistrala-old

-go 1.25.3
+go 1.26.0

 require (
 	github.com/0x6flab/namegenerator v1.4.0
 	github.com/absmach/callhome v0.18.2
-	github.com/absmach/certs v0.18.2
-	github.com/absmach/supermq v0.18.3
-	github.com/authzed/authzed-go v1.7.0
+	github.com/absmach/certs v0.18.5
+	github.com/absmach/magistrala v0.19.1
+	github.com/absmach/supermq v0.19.2-0.20260317185610-fade98b84ee4
+	github.com/authzed/authzed-go v1.8.0
 	github.com/authzed/grpcutil v0.0.0-20250221190651-1985b19b35b8
-	github.com/caarlos0/env/v11 v11.3.1
+	github.com/caarlos0/env/v11 v11.4.0
 	github.com/eclipse/paho.mqtt.golang v1.5.1
 	github.com/fatih/color v1.18.0
 	github.com/fiorix/go-smpp v0.0.0-20210403173735-2894b96e70ba
-	github.com/go-chi/chi/v5 v5.2.3
+	github.com/go-chi/chi/v5 v5.2.5
 	github.com/go-kit/kit v0.13.0
 	github.com/gofrs/uuid/v5 v5.4.0
 	github.com/gookit/color v1.6.0
@@ -22,41 +23,58 @@ require (
 	github.com/ivanpirog/coloredcobra v1.0.1
 	github.com/jackc/pgerrcode v0.0.0-20250907135507-afb5586c32a6
 	github.com/jackc/pgtype v1.14.4
-	github.com/jackc/pgx/v5 v5.7.6
+	github.com/jackc/pgx/v5 v5.8.0
 	github.com/jmoiron/sqlx v1.4.0
 	github.com/ory/dockertest/v3 v3.12.0
 	github.com/pelletier/go-toml v1.9.5
 	github.com/prometheus/client_golang v1.23.2
-	github.com/redis/go-redis/v9 v9.17.1
+	github.com/redis/go-redis/v9 v9.18.0
 	github.com/rubenv/sql-migrate v1.8.1
-	github.com/slack-go/slack v0.17.3
-	github.com/spf13/cobra v1.10.1
+	github.com/slack-go/slack v0.19.0
+	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
 	github.com/traefik/yaegi v0.16.1
 	github.com/vadv/gopher-lua-libs v0.8.0
 	github.com/yuin/gopher-lua v1.1.1
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
-	go.opentelemetry.io/otel v1.38.0
-	go.opentelemetry.io/otel/trace v1.38.0
-	golang.org/x/sync v0.18.0
-	gonum.org/v1/gonum v0.16.0
-	google.golang.org/grpc v1.77.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0
+	go.opentelemetry.io/otel v1.42.0
+	go.opentelemetry.io/otel/trace v1.42.0
+	golang.org/x/sync v0.20.0
+	gonum.org/v1/gonum v0.17.0
+	google.golang.org/grpc v1.79.2
+	google.golang.org/protobuf v1.36.11
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	moul.io/http2curl v1.0.0
 )

 require (
-	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/time v0.14.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
+	github.com/authzed/cel-go v0.20.2 // indirect
+	github.com/authzed/spicedb v1.49.2 // indirect
+	github.com/ccoveille/go-safecast/v2 v2.0.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-logr/zerologr v1.2.3 // indirect
+	github.com/moby/moby/api v1.53.0 // indirect
+	github.com/moby/moby/client v0.2.2 // indirect
+	github.com/rs/zerolog v1.34.0 // indirect
+	github.com/stoewer/go-strcase v1.3.1 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	golang.org/x/exp v0.0.0-20251017212417-90e834f514db // indirect
+	sigs.k8s.io/controller-runtime v0.22.4 // indirect
 )

 require (
-	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1 // indirect
-	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+)
+
+require (
+	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.11-20251209175733-2a1774d88802.1 // indirect
 	dario.cat/mergo v1.0.2 // indirect
-	filippo.io/edwards25519 v1.1.0 // indirect
+	filippo.io/edwards25519 v1.1.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
@@ -68,14 +86,13 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/dgraph-io/ristretto/v2 v2.3.0 // indirect
+	github.com/dgraph-io/ristretto/v2 v2.4.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/docker/cli v27.4.1+incompatible // indirect
-	github.com/docker/docker v28.0.0+incompatible // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/cli v29.2.0+incompatible // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
@@ -86,43 +103,40 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jzelinskie/stringz v0.0.3 // indirect
-	github.com/klauspost/compress v1.18.1 // indirect
-	github.com/lib/pq v1.10.9 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/lib/pq v1.11.2 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/user v0.3.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nats-io/nats.go v1.47.0
-	github.com/nats-io/nkeys v0.4.11 // indirect
+	github.com/nats-io/nats.go v1.49.0
+	github.com/nats-io/nkeys v0.4.12 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/oklog/ulid/v2 v2.1.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runc v1.2.8 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240917153116-6f2963f01587 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.1 // indirect
-	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/rabbitmq/amqp091-go v1.10.0 // indirect
 	github.com/sagikazarmark/locafero v0.12.0 // indirect
-	github.com/samber/lo v1.52.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
@@ -135,19 +149,20 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
-	go.opentelemetry.io/otel/metric v1.38.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
-	google.golang.org/protobuf v1.36.10
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect
+	go.opentelemetry.io/otel/metric v1.42.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.42.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -1,20 +1,25 @@
 al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
-buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1 h1:31on4W/yPcV4nZHL4+UCiCvLPsMqe/vJcNg8Rci0scc=
-buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1/go.mod h1:fUl8CEN/6ZAMk6bP8ahBJPUJw7rbp+j4x+wCcYi2IG4=
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.11-20251209175733-2a1774d88802.1 h1:j9yeqTWEFrtimt8Nng2MIeRrpoCvQzM9/g25XTvqUGg=
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.11-20251209175733-2a1774d88802.1/go.mod h1:tvtbpgaVXZX4g6Pn+AnzFycuRK3MOz5HJfEGeEllXYM=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.122.0 h1:0JTLGrcSIs3HIGsgVPvTx3cfyFSP/k9CI8vLPHTd6Wc=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
-filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
+filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/0x6flab/namegenerator v1.4.0 h1:QnkI813SZsI/hYnKD9pg3mkIlcYzCx0N4hnzb0YYME4=
 github.com/0x6flab/namegenerator v1.4.0/go.mod h1:2sQzXuS6dX/KEwWtB6GJU729O3m4gBdD5oAU8hd0SyY=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
@@ -24,23 +29,31 @@ github.com/VividCortex/gohistogram v1.0.0 h1:6+hBz+qvs0JOrrNhhmR7lFxo5sINxBCGXrd
 github.com/VividCortex/gohistogram v1.0.0/go.mod h1:Pf5mBqqDxYaXu3hDrrU+w6nw50o/4+TcAqDqk/vUH7g=
 github.com/absmach/callhome v0.18.2 h1:dmopRHm2qTheHN1hdUKRRYpKwRrj7X9d8AWCFrb+K6s=
 github.com/absmach/callhome v0.18.2/go.mod h1:LEXKhES9JJtj3tBgTZv7VPNjOi5ukJQB0mFic0QP60Q=
-github.com/absmach/certs v0.18.2 h1:s6KKL3/KfDZ6z0IxvNCksIOUwRnEgQyCpeAonuR15No=
-github.com/absmach/certs v0.18.2/go.mod h1:scqVZsmW2xPScnpMTtE70oN6cn0LLjFcJVPi4JKZ4+E=
+github.com/absmach/certs v0.18.5 h1:eYlvitou+LoDtt7ETVLTp6d/1xCejGL3EmVOg+rHGTU=
+github.com/absmach/certs v0.18.5/go.mod h1:31dtVe1VYF16W+IvjAE/uPAIz4f3uLHgh+moBezjqIc=
+github.com/absmach/magistrala v0.19.1 h1:WLT1B3WOOO8KL43HxZOWKnt1JJQh65uGiFhwQB4DzC8=
+github.com/absmach/magistrala v0.19.1/go.mod h1:5pNI533Mf2tN1ihDETR4lOhRdGuijmRuAhxVw7+pKCI=
 github.com/absmach/mgate v0.5.0 h1:RV2Aalra3xIm+XTs13TM7iE7v4WTL2SKhKcPbKr22Ac=
 github.com/absmach/mgate v0.5.0/go.mod h1:0KVq7mxM0wayosmyXPPxp1EL0c2d9kRp5V8NZCKdetA=
 github.com/absmach/senml v1.0.8 h1:+opem/r4g6c6eA/JLyCIuksyEhj7eBdysY3pEmy1mqo=
 github.com/absmach/senml v1.0.8/go.mod h1:DRhzHLgvQoIUHroBgpFrSWso+bJZO9E96RlHAHy+VRI=
-github.com/absmach/supermq v0.18.3 h1:IUIZ/uCZ+ZH1O4/fOZwCZOrrll6kImlLuA6Gbye7HtU=
-github.com/absmach/supermq v0.18.3/go.mod h1:QAKnqBIYfTMkFfMgWfqGTP0pTIZQxTXCJkTf7Vf7VOo=
+github.com/absmach/supermq v0.19.2-0.20260317185610-fade98b84ee4 h1:533pRc6R7perWDqJuZq+ofBQfYfmyj7n49V4LFY4zpo=
+github.com/absmach/supermq v0.19.2-0.20260317185610-fade98b84ee4/go.mod h1:xDAX/O3VcOsHWCx2fk85VD7FI17hAUOvoOhho7DA7g0=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/authzed/authzed-go v1.7.0 h1:mgBC1dZLRan+t6oKvrf0RMfpZx5ggXCH16OkodtAbVw=
-github.com/authzed/authzed-go v1.7.0/go.mod h1:2PVaUUQavKGsjK22dFdovY5djkeHAiByiySRwbWR8tU=
+github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
+github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
+github.com/authzed/authzed-go v1.8.0 h1:cRka8J8QXGl+nyNrhsiPSFJUluIG1tuTXnG8ad2LZ1Y=
+github.com/authzed/authzed-go v1.8.0/go.mod h1:WC3x/SuVvclBlDYMg9V7e5c/J/KGGwG+cSw2WQBbodk=
+github.com/authzed/cel-go v0.20.2 h1:GlmLecGry7Z8HU0k+hmaHHUV05ZHrsFxduXHtIePvck=
+github.com/authzed/cel-go v0.20.2/go.mod h1:pJHVFWbqUHV1J+klQoZubdKswlbxcsbojda3mye9kiU=
 github.com/authzed/grpcutil v0.0.0-20250221190651-1985b19b35b8 h1:y17oq4U8n+k1OcIGGDsjYdIdp4QywGcE7ZphIvtfEbo=
 github.com/authzed/grpcutil v0.0.0-20250221190651-1985b19b35b8/go.mod h1:Pf1ZSi41EePvx1GC1DeEJw5dn35iUcxZHqpHuG1Rpic=
+github.com/authzed/spicedb v1.49.2 h1:6LKOxiNN7K18x4xs2NB0dhnDNDypbpuOP7s06AwjCH8=
+github.com/authzed/spicedb v1.49.2/go.mod h1:I9t8PtFBxUHsSZKfrkK6bxbMy8La7LYjkpgw6UpNHQs=
 github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.40.45 h1:QN1nsY27ssD/JmW4s83qmSb+uL6DG4GmCDzjmJB4xUI=
 github.com/aws/aws-sdk-go v1.40.45/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q=
@@ -53,10 +66,12 @@ github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
-github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
-github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/caarlos0/env/v11 v11.4.0 h1:Kcb6t5kIIr4XkoQC9AF2j+8E1Jsrl3Wz/hhm1LtoGAc=
+github.com/caarlos0/env/v11 v11.4.0/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
 github.com/cbroglie/mustache v1.0.1 h1:ivMg8MguXq/rrz2eu3tw6g3b16+PQhoTn6EZAhst2mw=
 github.com/cbroglie/mustache v1.0.1/go.mod h1:R/RUa+SobQ14qkP4jtx5Vke5sDytONDQXNLPY/PO69g=
+github.com/ccoveille/go-safecast/v2 v2.0.0 h1:+5eyITXAUj3wMjad6cRVJKGnC7vDS55zk0INzJagub0=
+github.com/ccoveille/go-safecast/v2 v2.0.0/go.mod h1:JIYA4CAR33blIDuE6fSwCp2sz1oOBahXnvmdBhOAABs=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
@@ -76,32 +91,37 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
 github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
-github.com/dgraph-io/ristretto/v2 v2.3.0 h1:qTQ38m7oIyd4GAed/QkUZyPFNMnvVWyazGXRwvOt5zk=
-github.com/dgraph-io/ristretto/v2 v2.3.0/go.mod h1:gpoRV3VzrEY1a9dWAYV6T1U7YzfgttXdd/ZzL1s9OZM=
+github.com/dgraph-io/ristretto/v2 v2.4.0 h1:I/w09yLjhdcVD2QV192UJcq8dPBaAJb9pOuMyNy0XlU=
+github.com/dgraph-io/ristretto/v2 v2.4.0/go.mod h1:0KsrXtXvnv0EqnzyowllbVJB8yBonswa2lTCK2gGo9E=
 github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da h1:aIftn67I1fkbMa512G+w+Pxci9hJPB8oMnkcP3iZF38=
 github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
-github.com/docker/cli v27.4.1+incompatible h1:VzPiUlRJ/xh+otB75gva3r05isHMo5wXDfPRi5/b4hI=
-github.com/docker/cli v27.4.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v28.0.0+incompatible h1:Olh0KS820sJ7nPsBKChVhk5pzqcwDR15fumfAd/p9hM=
-github.com/docker/docker v28.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM=
+github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
@@ -109,12 +129,14 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/eclipse/paho.mqtt.golang v1.5.1 h1:/VSOv3oDLlpqR2Epjn1Q7b2bSTplJIeV2ISgCl2W7nE=
 github.com/eclipse/paho.mqtt.golang v1.5.1/go.mod h1:1/yJCneuyOoCOzKSsOTUc0AJfpsItBGWvYpBLimhArU=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
-github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
+github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
+github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
@@ -129,8 +151,10 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
-github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
+github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
+github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
+github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
 github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@@ -150,22 +174,26 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-logr/zerologr v1.2.3 h1:up5N9vcH9Xck3jJkXzgyOxozT14R47IyDODz8LM1KSs=
+github.com/go-logr/zerologr v1.2.3/go.mod h1:BxwGo7y5zgSHYR1BjbnHPyF/5ZjVKfKxAZANVu6E8Ho=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid/v5 v5.4.0 h1:EfbpCTjqMuGyq5ZJwxqzn3Cbr2d0rUZU7v5ycAk/e/0=
 github.com/gofrs/uuid/v5 v5.4.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -191,6 +219,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY=
+github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@@ -206,8 +236,8 @@ github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aN
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
 github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f h1:7LYC+Yfkj3CTRcShK0KOL/w6iTiKyqqBA9a41Wnggw8=
 github.com/hokaccha/go-prettyjson v0.0.0-20211117102719-0474bc63780f/go.mod h1:pFlLw2CfqZiIBOx6BuCeRLCrfxBJipTY0nIOF/VbGcI=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
@@ -264,8 +294,8 @@ github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQ
 github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
 github.com/jackc/pgx/v4 v4.18.2 h1:xVpYkNR5pk5bMCZGfClbO962UIqVABcAGt7ha1s/FeU=
 github.com/jackc/pgx/v4 v4.18.2/go.mod h1:Ey4Oru5tH5sB6tV7hDmfWFahwF15Eb7DNXlRKx2CkVw=
-github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
-github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
+github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
+github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
 github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
@@ -289,8 +319,10 @@ github.com/jzelinskie/stringz v0.0.3 h1:0GhG3lVMYrYtIvRbxvQI6zqRTT1P1xyQlpa0FhfU
 github.com/jzelinskie/stringz v0.0.3/go.mod h1:hHYbgxJuNLRw91CmpuFsYEOyQqpDVFg8pvEh23vy4P0=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
-github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
+github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
+github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -321,12 +353,14 @@ github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.11.2 h1:x6gxUeu39V0BHZiugWe8LXZYZ+Utk7hSJGThs8sdzfs=
+github.com/lib/pq v1.11.2/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
@@ -334,6 +368,8 @@ github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
@@ -347,10 +383,14 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/moby/api v1.53.0 h1:PihqG1ncw4W+8mZs69jlwGXdaYBeb5brF6BL7mPIS/w=
+github.com/moby/moby/api v1.53.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
+github.com/moby/moby/client v0.2.2 h1:Pt4hRMCAIlyjL3cr8M5TrXCwKzguebPAc2do2ur7dEM=
+github.com/moby/moby/client v0.2.2/go.mod h1:2EkIPVNCqR05CMIzL1mfA07t0HvVUUOl85pasRz/GmQ=
 github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
 github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
@@ -360,18 +400,22 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/nats-io/nats.go v1.47.0 h1:YQdADw6J/UfGUd2Oy6tn4Hq6YHxCaJrVKayxxFqYrgM=
-github.com/nats-io/nats.go v1.47.0/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g=
-github.com/nats-io/nkeys v0.4.11 h1:q44qGV008kYd9W1b1nEBkNzvnWxtRSQ7A8BoqRrcfa0=
-github.com/nats-io/nkeys v0.4.11/go.mod h1:szDimtgmfOi9n25JpfIdGw12tZFYXqhGxjhVxsatHVE=
+github.com/nats-io/nats.go v1.49.0 h1:yh/WvY59gXqYpgl33ZI+XoVPKyut/IcEaqtsiuTJpoE=
+github.com/nats-io/nats.go v1.49.0/go.mod h1:fDCn3mN5cY8HooHwE2ukiLb4p4G4ImmzvXyJt+tGwdw=
+github.com/nats-io/nkeys v0.4.12 h1:nssm7JKOG9/x4J8II47VWCL1Ds29avyiQDRn0ckMvDc=
+github.com/nats-io/nkeys v0.4.12/go.mod h1:MT59A1HYcjIcyQDJStTfaOY6vhy9XTUjOFo+SVsvpBg=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=
 github.com/oklog/ulid/v2 v2.1.1/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
+github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns=
+github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/opencontainers/runc v1.2.8 h1:RnEICeDReapbZ5lZEgHvj7E9Q3Eex9toYmaGBsbvU5Q=
 github.com/opencontainers/runc v1.2.8/go.mod h1:cC0YkmZcuvr+rtBZ6T7NBoVbMGNAdLa/21vIElJDOzI=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
@@ -382,15 +426,14 @@ github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3v
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/pion/dtls/v3 v3.0.7 h1:bItXtTYYhZwkPFk4t1n3Kkf5TDrfj6+4wG+CZR8uI9Q=
-github.com/pion/dtls/v3 v3.0.7/go.mod h1:uDlH5VPrgOQIw59irKYkMudSFprY9IEFCqz/eTz16f8=
+github.com/pion/dtls/v3 v3.1.2 h1:gqEdOUXLtCGW+afsBLO0LtDD8GnuBBjEy6HRtyofZTc=
+github.com/pion/dtls/v3 v3.1.2/go.mod h1:Hw/igcX4pdY69z1Hgv5x7wJFrUkdgHwAn/Q/uo7YHRo=
 github.com/pion/logging v0.2.4 h1:tTew+7cmQ+Mc1pTBLKH2puKsOvhm32dROumOZ655zB8=
 github.com/pion/logging v0.2.4/go.mod h1:DffhXTKYdNZU+KtJ5pyQDjvOAh/GsNSyv1lbkFbe3so=
-github.com/pion/transport/v3 v3.0.8 h1:oI3myyYnTKUSTthu/NZZ8eu2I5sHbxbUNNFW62olaYc=
-github.com/pion/transport/v3 v3.0.8/go.mod h1:+c2eewC5WJQHiAA46fkMMzoYZSuGzA/7E2FPrOYHctQ=
+github.com/pion/transport/v4 v4.0.1 h1:sdROELU6BZ63Ab7FrOLn13M6YdJLY20wldXW2Cu2k8o=
+github.com/pion/transport/v4 v4.0.1/go.mod h1:nEuEA4AD5lPdcIegQDpVLgNoDGreqM/YqmEx3ovP4jM=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240917153116-6f2963f01587 h1:xzZOeCMQLA/W198ZkdVdt4EKFKJtS26B773zNU377ZY=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240917153116-6f2963f01587/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
@@ -414,32 +457,33 @@ github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvM
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
-github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI=
-github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
+github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
+github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
-github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/rabbitmq/amqp091-go v1.10.0 h1:STpn5XsHlHGcecLmMFCtg7mqq0RnD+zFr4uzukfVhBw=
 github.com/rabbitmq/amqp091-go v1.10.0/go.mod h1:Hy4jKW5kQART1u+JkDTF9YYOQUHXqMuhrgxOEeS7G4o=
-github.com/redis/go-redis/v9 v9.17.1 h1:7tl732FjYPRT9H9aNfyTwKg9iTETjWjGKEJ2t/5iWTs=
-github.com/redis/go-redis/v9 v9.17.1/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370=
+github.com/redis/go-redis/v9 v9.18.0 h1:pMkxYPkEbMPwRdenAzUNyFNrDgHx9U+DrBabWNfSRQs=
+github.com/redis/go-redis/v9 v9.18.0/go.mod h1:k3ufPphLU5YXwNTUcCRXGxUoF1fqxnhFQmscfkCoDA0=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
+github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
+github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/rubenv/sql-migrate v1.8.1 h1:EPNwCvjAowHI3TnZ+4fQu3a915OpnQoPAjTXCGOy2U0=
 github.com/rubenv/sql-migrate v1.8.1/go.mod h1:BTIKBORjzyxZDS6dzoiw6eAFYJ1iNlGAtjn4LGeVjS8=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sagikazarmark/locafero v0.12.0 h1:/NQhBAkUb4+fH1jivKHWusDYFjMOOKU88eegjfxfHb4=
 github.com/sagikazarmark/locafero v0.12.0/go.mod h1:sZh36u/YSZ918v0Io+U9ogLYQJ9tLLBmM4eneO6WwsI=
-github.com/samber/lo v1.52.0 h1:Rvi+3BFHES3A8meP33VPAxiBZX/Aws5RxrschYGjomw=
-github.com/samber/lo v1.52.0/go.mod h1:4+MXEGsJzbKGaUEQFKBq2xtfuznW9oz/WrgyzMzRoM0=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
 github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
@@ -452,8 +496,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/slack-go/slack v0.17.3 h1:zV5qO3Q+WJAQ/XwbGfNFrRMaJ5T/naqaonyPV/1TP4g=
-github.com/slack-go/slack v0.17.3/go.mod h1:X+UqOufi3LYQHDnMG1vxf0J8asC6+WllXrVrhl8/Prk=
+github.com/slack-go/slack v0.19.0 h1:J8lL/nGTsIUX53HU8YxZeI3PDkA+sxZsFrI2Dew7h44=
+github.com/slack-go/slack v0.19.0/go.mod h1:K81UmCivcYd/5Jmz8vLBfuyoZ3B4rQC2GHVXHteXiAE=
 github.com/smarty/assertions v1.16.0 h1:EvHNkdRA4QHMrn75NZSoUQ/mAUXAYWfatfB01yTCzfY=
 github.com/smarty/assertions v1.16.0/go.mod h1:duaaFdCS0K9dnoM50iyek/eYINOZ64gbh1Xlf6LG7AI=
 github.com/smartystreets/goconvey v1.8.1 h1:qGjIddxOk4grTu9JPOU31tVfq3cNdBlNa5sSznIX1xY=
@@ -463,8 +507,8 @@ github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
-github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
-github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
@@ -473,6 +517,8 @@ github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/sqids/sqids-go v0.4.1 h1:eQKYzmAZbLlRwHeHYPF35QhgxwZHLnlmVj9AkIj/rrw=
 github.com/sqids/sqids-go v0.4.1/go.mod h1:EMwHuPQgSNFS0A49jESTfIQS+066XQTVhukrzEPScl8=
+github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs=
+github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
@@ -518,34 +564,38 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t
 github.com/yuin/gopher-lua v0.0.0-20200816102855-ee81675732da/go.mod h1:E1AXubJBdNmFERAOucpDIxNzeGfLzg0mYh+UfMWdChA=
 github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
 github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
+github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
+github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0 h1:YH4g8lQroajqUwWbq/tr2QX1JFmEXaDLgG+ew9bLMWo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
-go.opentelemetry.io/proto/otlp v1.8.0 h1:fRAZQDcAFHySxpJ1TwlA1cJ4tvcrw7nXl9xWWC8N5CE=
-go.opentelemetry.io/proto/otlp v1.8.0/go.mod h1:tIeYOeNBU4cvmPqpaji1P+KbB4Oloai8wN4rWzRrFF0=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 h1:yI1/OhfEPy7J9eoa6Sj051C7n5dvpj0QX8g4sRchg04=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0/go.mod h1:NoUCKYWK+3ecatC4HjkRktREheMeEtrXoQxrqYFeHSc=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 h1:OyrsyzuttWTSur2qN/Lm0m2a8yqyIjUVBZcxFPuXq2o=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0/go.mod h1:C2NGBr+kAB4bk3xtMXfZ94gqFDtg/GkI7e9zqGh5Beg=
+go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho=
+go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 h1:THuZiwpQZuHPul65w4WcwEnkX2QIuMT+UFoOrygtoJw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0/go.mod h1:J2pvYM5NGHofZ2/Ru6zw/TNWnEQp5crgyDeSrYpXkAw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 h1:uLXP+3mghfMf7XmV4PkGfFhFKuNWoCvvx5wP/wOXo0o=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0/go.mod h1:v0Tj04armyT59mnURNUJf7RCKcKzq+lgJs6QSjHjaTc=
+go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4=
+go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI=
+go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo=
+go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts=
+go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA=
+go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc=
+go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY=
+go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc=
+go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
+go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
@@ -575,8 +625,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20251017212417-90e834f514db h1:by6IehL4BH5k3e3SJmcoNbOobMey2SLpAF79iPOEBvw=
 golang.org/x/exp v0.0.0-20251017212417-90e834f514db/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
@@ -590,6 +640,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -609,12 +661,12 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
-golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -624,8 +676,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -655,12 +707,14 @@ golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -676,8 +730,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
@@ -698,30 +752,32 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
-gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
-google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 h1:JLQynH/LBHfCTSbDWl+py8C+Rg/k1OVH3xfcaiANuF0=
+google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:kSJwQxqmFXeo79zOmbrALdflXQeAYcUbgS7PbpMknCY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
-google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
+google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
+google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -729,8 +785,8 @@ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miE
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
@@ -757,10 +813,14 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
-gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=
 moul.io/http2curl v1.0.0/go.mod h1:f6cULg+e4Md/oW1cYmwW4IWQOVl2lGbmCNGOHvzX2kE=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
+sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A=
+sigs.k8s.io/controller-runtime v0.22.4/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8=
@@ -12,7 +12,7 @@ import (
 	"strings"
 	"text/template"

-	"github.com/absmach/magistrala/pkg/errors"
+	"github.com/absmach/supermq/pkg/errors"
 	"gopkg.in/gomail.v2"
 )

@@ -1,5 +0,0 @@
-# Errors
-
-`errors` package serve to build an arbitrary long error chain in order to capture errors returned from nested service calls.
-
-`errors` package contains the custom Go `error` interface implementation, `Error`. You use the `Error` interface to **wrap** two errors in a containing error as well as to test recursively if a given error **contains** some other error.
@@ -1,5 +0,0 @@
-// Copyright (c) Abstract Machines
-// SPDX-License-Identifier: Apache-2.0
-
-// Package errors contains Magistrala errors definitions.
-package errors
@@ -1,128 +0,0 @@
-// Copyright (c) Abstract Machines
-// SPDX-License-Identifier: Apache-2.0
-
-package errors
-
-import (
-	"encoding/json"
-)
-
-// Error specifies an API that must be fullfiled by error type.
-type Error interface {
-	// Error implements the error interface.
-	Error() string
-
-	// Msg returns error message.
-	Msg() string
-
-	// Err returns wrapped error.
-	Err() Error
-
-	// MarshalJSON returns a marshaled error.
-	MarshalJSON() ([]byte, error)
-}
-
-var _ Error = (*customError)(nil)
-
-// customError represents a Magistrala error.
-type customError struct {
-	msg string
-	err Error
-}
-
-// New returns an Error that formats as the given text.
-func New(text string) Error {
-	return &customError{
-		msg: text,
-		err: nil,
-	}
-}
-
-func (ce *customError) Error() string {
-	if ce == nil {
-		return ""
-	}
-	if ce.err == nil {
-		return ce.msg
-	}
-	return ce.msg + " : " + ce.err.Error()
-}
-
-func (ce *customError) Msg() string {
-	return ce.msg
-}
-
-func (ce *customError) Err() Error {
-	return ce.err
-}
-
-func (ce *customError) MarshalJSON() ([]byte, error) {
-	var val string
-	if e := ce.Err(); e != nil {
-		val = e.Msg()
-	}
-	return json.Marshal(&struct {
-		Err string `json:"error"`
-		Msg string `json:"message"`
-	}{
-		Err: val,
-		Msg: ce.Msg(),
-	})
-}
-
-// Contains inspects if e2 error is contained in any layer of e1 error.
-func Contains(e1, e2 error) bool {
-	if e1 == nil || e2 == nil {
-		return e2 == e1
-	}
-	ce, ok := e1.(Error)
-	if ok {
-		if ce.Msg() == e2.Error() {
-			return true
-		}
-		return Contains(ce.Err(), e2)
-	}
-	return e1.Error() == e2.Error()
-}
-
-// Wrap returns an Error that wrap err with wrapper.
-func Wrap(wrapper, err error) error {
-	if wrapper == nil || err == nil {
-		return wrapper
-	}
-	if w, ok := wrapper.(Error); ok {
-		return &customError{
-			msg: w.Msg(),
-			err: cast(err),
-		}
-	}
-	return &customError{
-		msg: wrapper.Error(),
-		err: cast(err),
-	}
-}
-
-// Unwrap returns the wrapper and the error by separating the Wrapper from the error.
-func Unwrap(err error) (error, error) {
-	if ce, ok := err.(Error); ok {
-		if ce.Err() == nil {
-			return nil, New(ce.Msg())
-		}
-		return New(ce.Msg()), ce.Err()
-	}
-
-	return nil, err
-}
-
-func cast(err error) Error {
-	if err == nil {
-		return nil
-	}
-	if e, ok := err.(Error); ok {
-		return e
-	}
-	return &customError{
-		msg: err.Error(),
-		err: nil,
-	}
-}
@@ -1,352 +0,0 @@
-// Copyright (c) Abstract Machines
-// SPDX-License-Identifier: Apache-2.0
-
-package errors_test
-
-import (
-	nerrors "errors"
-	"fmt"
-	"strconv"
-	"testing"
-
-	"github.com/absmach/magistrala/pkg/errors"
-	"github.com/stretchr/testify/assert"
-)
-
-const level = 10
-
-var (
-	err0 = errors.New("0")
-	err1 = errors.New("1")
-	err2 = errors.New("2")
-	nat  = nerrors.New("native error")
-)
-
-func TestError(t *testing.T) {
-	cases := []struct {
-		desc     string
-		err      error
-		msg      string
-		bytes    []byte
-		bytesErr error
-	}{
-		{
-			desc:     "level 0 wrapped error",
-			err:      err0,
-			msg:      "0",
-			bytes:    []byte(`{"error":"","message":"0"}`),
-			bytesErr: nil,
-		},
-		{
-			desc:     "level 1 wrapped error",
-			err:      wrap(1),
-			msg:      message(1),
-			bytes:    []byte(`{"error":"0","message":"1"}`),
-			bytesErr: nil,
-		},
-		{
-			desc:     "level 2 wrapped error",
-			err:      wrap(2),
-			msg:      message(2),
-			bytes:    []byte(`{"error":"1","message":"2"}`),
-			bytesErr: nil,
-		},
-		{
-			desc:     fmt.Sprintf("level %d wrapped error", level),
-			err:      wrap(level),
-			msg:      message(level),
-			bytes:    []byte(`{"error":"9","message":"` + strconv.Itoa(level) + `"}`),
-			bytesErr: nil,
-		},
-		{
-			desc:     "nil error",
-			err:      errors.New(""),
-			msg:      "",
-			bytes:    []byte(`{"error":"","message":""}`),
-			bytesErr: nil,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.desc, func(t *testing.T) {
-			errMsg := c.err.Error()
-			assert.Equal(t, c.msg, errMsg)
-			err := c.err.(errors.Error)
-			data, derr := err.MarshalJSON()
-			assert.Equal(t, c.bytesErr, derr)
-			assert.Equal(t, c.bytes, data)
-		})
-	}
-}
-
-func TestContains(t *testing.T) {
-	cases := []struct {
-		desc      string
-		container error
-		contained error
-		contains  bool
-	}{
-		{
-			desc:      "nil contains nil",
-			container: nil,
-			contained: nil,
-			contains:  true,
-		},
-		{
-			desc:      "nil contains non-nil",
-			container: nil,
-			contained: err0,
-			contains:  false,
-		},
-		{
-			desc:      "non-nil contains nil",
-			container: err0,
-			contained: nil,
-			contains:  false,
-		},
-		{
-			desc:      "non-nil contains non-nil",
-			container: err0,
-			contained: err1,
-			contains:  false,
-		},
-		{
-			desc:      "res of errors.Wrap(err1, err0) contains err0",
-			container: errors.Wrap(err1, err0),
-			contained: err0,
-			contains:  true,
-		},
-		{
-			desc:      "res of errors.Wrap(err1, err0) contains err1",
-			container: errors.Wrap(err1, err0),
-			contained: err1,
-			contains:  true,
-		},
-		{
-			desc:      "res of errors.Wrap(err2, errors.Wrap(err1, err0)) contains err1",
-			container: errors.Wrap(err2, errors.Wrap(err1, err0)),
-			contained: err1,
-			contains:  true,
-		},
-		{
-			desc:      fmt.Sprintf("level %d wrapped error contains", level),
-			container: wrap(level),
-			contained: errors.New(strconv.Itoa(level / 2)),
-			contains:  true,
-		},
-		{
-			desc:      "superset wrapper error contains subset wrapper error",
-			container: wrap(level),
-			contained: wrap(level / 2),
-			contains:  false,
-		},
-		{
-			desc:      "native error contains error",
-			container: nat,
-			contained: err0,
-			contains:  false,
-		},
-		{
-			desc:      "res of errors.Wrap(err1, errors.New('')) contains err1",
-			container: errors.Wrap(err1, nat),
-			contained: err1,
-			contains:  true,
-		},
-		{
-			desc:      "error contains native error",
-			container: err0,
-			contained: nat,
-			contains:  false,
-		},
-		{
-			desc:      "res of errors.Wrap(errors.New(''), err0) contains err0",
-			container: errors.Wrap(nat, err0),
-			contained: err0,
-			contains:  true,
-		},
-	}
-	for _, c := range cases {
-		t.Run(c.desc, func(t *testing.T) {
-			contains := errors.Contains(c.container, c.contained)
-			assert.Equal(t, c.contains, contains)
-		})
-	}
-}
-
-func TestWrap(t *testing.T) {
-	cases := []struct {
-		desc      string
-		wrapper   error
-		wrapped   error
-		contained error
-		contains  bool
-	}{
-		{
-			desc:      "err 1 wraps err 2",
-			wrapper:   err1,
-			wrapped:   err0,
-			contained: err0,
-			contains:  true,
-		},
-		{
-			desc:      "err2 wraps err1 wraps err0 and contains err0",
-			wrapper:   err2,
-			wrapped:   errors.Wrap(err1, err0),
-			contained: err0,
-			contains:  true,
-		},
-		{
-			desc:      "err2 wraps err1 wraps err0 and contains err1",
-			wrapper:   err2,
-			wrapped:   errors.Wrap(err1, err0),
-			contained: err1,
-			contains:  true,
-		},
-		{
-			desc:      "nil wraps nil",
-			wrapper:   nil,
-			wrapped:   nil,
-			contained: nil,
-			contains:  true,
-		},
-		{
-			desc:      "err0 wraps nil",
-			wrapper:   err0,
-			wrapped:   nil,
-			contained: nil,
-			contains:  false,
-		},
-		{
-			desc:      "nil wraps err0",
-			wrapper:   nil,
-			wrapped:   err0,
-			contained: err0,
-			contains:  false,
-		},
-		{
-			desc:      "err0 wraps native error",
-			wrapper:   err0,
-			wrapped:   nat,
-			contained: nat,
-			contains:  true,
-		},
-		{
-			desc:      "nil wraps native error",
-			wrapper:   nil,
-			wrapped:   nat,
-			contained: nat,
-			contains:  false,
-		},
-		{
-			desc:      "native error wraps err0",
-			wrapper:   nat,
-			wrapped:   err0,
-			contained: err0,
-			contains:  true,
-		},
-		{
-			desc:      "native error wraps nil",
-			wrapper:   nat,
-			wrapped:   nil,
-			contained: nil,
-			contains:  false,
-		},
-		{
-			desc:      "err0 wraps err1 wraps native error",
-			wrapper:   err0,
-			wrapped:   errors.Wrap(err1, nat),
-			contained: nat,
-			contains:  true,
-		},
-		{
-			desc:      "native error wraps err1 wraps err0",
-			wrapper:   nat,
-			wrapped:   errors.Wrap(err1, err0),
-			contained: err0,
-			contains:  true,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.desc, func(t *testing.T) {
-			err := errors.Wrap(c.wrapper, c.wrapped)
-			contains := errors.Contains(err, c.contained)
-			assert.Equal(t, c.contains, contains)
-		})
-	}
-}
-
-func TestUnwrap(t *testing.T) {
-	cases := []struct {
-		desc    string
-		err     error
-		wrapper error
-		wrapped error
-	}{
-		{
-			desc:    "err 1 wraped err 2",
-			err:     errors.Wrap(err1, err2),
-			wrapper: err1,
-			wrapped: err2,
-		},
-		{
-			desc:    "err2 wraps err1 wraps err0",
-			err:     errors.Wrap(err2, errors.Wrap(err1, err0)),
-			wrapper: err2,
-			wrapped: errors.Wrap(err1, err0),
-		},
-		{
-			desc:    "nil wraps nil",
-			err:     errors.Wrap(nil, nil),
-			wrapper: nil,
-			wrapped: nil,
-		},
-		{
-			desc:    "err0 wraps nil",
-			err:     errors.Wrap(err0, nil),
-			wrapper: nil,
-			wrapped: err0,
-		},
-		{
-			desc:    "nil wraps err0",
-			err:     errors.Wrap(nil, err0),
-			wrapper: nil,
-			wrapped: nil,
-		},
-		{
-			desc:    "nil wraps native error",
-			err:     errors.Wrap(nil, nat),
-			wrapper: nil,
-			wrapped: nil,
-		},
-		{
-			desc:    "native error wraps nil",
-			err:     errors.Wrap(nat, nil),
-			wrapper: nil,
-			wrapped: nat,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.desc, func(t *testing.T) {
-			wrapper, wrapped := errors.Unwrap(c.err)
-			assert.Equal(t, c.wrapper, wrapper)
-			assert.Equal(t, c.wrapped, wrapped)
-		})
-	}
-}
-
-func wrap(level int) error {
-	if level == 0 {
-		return errors.New(strconv.Itoa(level))
-	}
-	return errors.Wrap(errors.New(strconv.Itoa(level)), wrap(level-1))
-}
-
-// message generates error message of wrap() generated wrapper error.
-func message(level int) string {
-	if level == 0 {
-		return "0"
-	}
-	return strconv.Itoa(level) + " : " + message(level-1)
-}
@@ -1,39 +0,0 @@
-// Copyright (c) Abstract Machines
-// SPDX-License-Identifier: Apache-2.0
-
-package repository
-
-import "github.com/absmach/magistrala/pkg/errors"
-
-// Wrapper for Repository errors.
-var (
-	// ErrMalformedEntity indicates a malformed entity specification.
-	ErrMalformedEntity = errors.New("malformed entity specification")
-
-	// ErrNotFound indicates a non-existent entity request.
-	ErrNotFound = errors.New("entity not found")
-
-	// ErrConflict indicates that entity already exists.
-	ErrConflict = errors.New("entity already exists")
-
-	// ErrCreateEntity indicates error in creating entity or entities.
-	ErrCreateEntity = errors.New("failed to create entity in the db")
-
-	// ErrViewEntity indicates error in viewing entity or entities.
-	ErrViewEntity = errors.New("view entity failed")
-
-	// ErrUpdateEntity indicates error in updating entity or entities.
-	ErrUpdateEntity = errors.New("update entity failed")
-
-	// ErrRemoveEntity indicates error in removing entity.
-	ErrRemoveEntity = errors.New("failed to remove entity")
-
-	// ErrFailedOpDB indicates a failure in a database operation.
-	ErrFailedOpDB = errors.New("operation on db element failed")
-
-	// ErrFailedToRetrieveAllGroups failed to retrieve groups.
-	ErrFailedToRetrieveAllGroups = errors.New("failed to retrieve all groups")
-
-	// ErrMissingNames indicates missing first and last names.
-	ErrMissingNames = errors.New("missing first or last name")
-)
@@ -1,123 +0,0 @@
-// Copyright (c) Abstract Machines
-// SPDX-License-Identifier: Apache-2.0
-
-package errors
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-)
-
-type errorRes struct {
-	Err string `json:"error"`
-	Msg string `json:"message"`
-}
-
-// Failed to read response body.
-var errRespBody = New("failed to read response body")
-
-// SDKError is an error type for Magistrala SDK.
-type SDKError interface {
-	Error
-	StatusCode() int
-}
-
-var _ SDKError = (*sdkError)(nil)
-
-type sdkError struct {
-	*customError
-	statusCode int
-}
-
-func (ce *sdkError) Error() string {
-	if ce == nil {
-		return ""
-	}
-	if ce.customError == nil {
-		return http.StatusText(ce.statusCode)
-	}
-	return fmt.Sprintf("Status: %s: %s", http.StatusText(ce.statusCode), ce.customError.Error())
-}
-
-func (ce *sdkError) StatusCode() int {
-	return ce.statusCode
-}
-
-// NewSDKError returns an SDK Error that formats as the given text.
-func NewSDKError(err error) SDKError {
-	if err == nil {
-		return nil
-	}
-
-	if e, ok := err.(Error); ok {
-		return &sdkError{
-			statusCode: 0,
-			customError: &customError{
-				msg: e.Msg(),
-				err: cast(e.Err()),
-			},
-		}
-	}
-	return &sdkError{
-		customError: &customError{
-			msg: err.Error(),
-			err: nil,
-		},
-		statusCode: 0,
-	}
-}
-
-// NewSDKErrorWithStatus returns an SDK Error setting the status code.
-func NewSDKErrorWithStatus(err error, statusCode int) SDKError {
-	if err == nil {
-		return nil
-	}
-
-	if e, ok := err.(Error); ok {
-		return &sdkError{
-			statusCode: statusCode,
-			customError: &customError{
-				msg: e.Msg(),
-				err: cast(e.Err()),
-			},
-		}
-	}
-	return &sdkError{
-		statusCode: statusCode,
-		customError: &customError{
-			msg: err.Error(),
-			err: nil,
-		},
-	}
-}
-
-// CheckError will check the HTTP response status code and matches it with the given status codes.
-// Since multiple status codes can be valid, we can pass multiple status codes to the function.
-// The function then checks for errors in the HTTP response.
-func CheckError(resp *http.Response, expectedStatusCodes ...int) SDKError {
-	if resp == nil {
-		return nil
-	}
-
-	for _, expectedStatusCode := range expectedStatusCodes {
-		if resp.StatusCode == expectedStatusCode {
-			return nil
-		}
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return NewSDKErrorWithStatus(Wrap(errRespBody, err), resp.StatusCode)
-	}
-	var content errorRes
-	if err := json.Unmarshal(body, &content); err != nil {
-		return NewSDKErrorWithStatus(err, resp.StatusCode)
-	}
-	if content.Err == "" {
-		return NewSDKErrorWithStatus(New(content.Msg), resp.StatusCode)
-	}
-
-	return NewSDKErrorWithStatus(Wrap(New(content.Msg), New(content.Err)), resp.StatusCode)
-}
@@ -1,206 +0,0 @@
-// Copyright (c) Abstract Machines
-// SPDX-License-Identifier: Apache-2.0
-
-package errors_test
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"net/http"
-	"testing"
-
-	"github.com/absmach/magistrala/pkg/errors"
-	"github.com/stretchr/testify/assert"
-)
-
-var body = []byte(`{"error":"error","message":"message"}`)
-
-func TestNewSDKError(t *testing.T) {
-	cases := []struct {
-		desc string
-		err  error
-	}{
-		{
-			desc: "nil error",
-			err:  nil,
-		},
-		{
-			desc: "non nil error",
-			err:  err0,
-		},
-		{
-			desc: "non nil error with wrapped error",
-			err:  errors.Wrap(err0, err1),
-		},
-		{
-			desc: "native error",
-			err:  nat,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.desc, func(t *testing.T) {
-			sdk := errors.NewSDKError(c.err)
-			if c.err != nil {
-				assert.Equal(t, sdk.StatusCode(), 0)
-				assert.Equal(t, sdk.Error(), fmt.Sprintf("Status: %s: %s", http.StatusText(0), c.err.Error()))
-			}
-		})
-	}
-}
-
-func TestNewSDKErrorWithStatus(t *testing.T) {
-	cases := []struct {
-		desc string
-		err  error
-		sc   int
-	}{
-		{
-			desc: "nil error with 0 status code",
-			err:  nil,
-			sc:   0,
-		},
-		{
-			desc: "nil error with 404 status code",
-			err:  nil,
-			sc:   404,
-		},
-		{
-			desc: "non nil error with 0 status code",
-			err:  err0,
-			sc:   0,
-		},
-		{
-			desc: "non nil error with 404 status code",
-			err:  err0,
-			sc:   404,
-		},
-		{
-			desc: "non nil error with wrapped error and 0 status code",
-			err:  errors.Wrap(err0, err1),
-			sc:   0,
-		},
-		{
-			desc: "non nil error with wrapped error and 404 status code",
-			err:  errors.Wrap(err0, err1),
-			sc:   404,
-		},
-		{
-			desc: "native error with 0 status code",
-			err:  nat,
-			sc:   0,
-		},
-		{
-			desc: "native error with 404 status code",
-			err:  nat,
-			sc:   404,
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.desc, func(t *testing.T) {
-			sdk := errors.NewSDKErrorWithStatus(c.err, c.sc)
-			if c.err != nil {
-				assert.Equal(t, sdk.StatusCode(), c.sc)
-				assert.Equal(t, sdk.Error(), fmt.Sprintf("Status: %s: %s", http.StatusText(c.sc), c.err.Error()))
-			}
-		})
-	}
-}
-
-func TestCheckError(t *testing.T) {
-	cases := []struct {
-		desc  string
-		resp  *http.Response
-		codes []int
-		err   errors.SDKError
-	}{
-		{
-			desc:  "nil response",
-			resp:  nil,
-			codes: []int{http.StatusOK},
-			err:   nil,
-		},
-		{
-			desc:  "nil response with 404 status code",
-			resp:  nil,
-			codes: []int{http.StatusNotFound},
-			err:   nil,
-		},
-		{
-			desc: "valid response with 200 status code",
-			resp: &http.Response{
-				StatusCode: http.StatusOK,
-				Body:       io.NopCloser(bytes.NewReader(body)),
-			},
-			codes: []int{http.StatusOK},
-			err:   nil,
-		},
-		{
-			desc: "valid response with 404 status code",
-			resp: &http.Response{
-				StatusCode: http.StatusNotFound,
-				Body:       io.NopCloser(bytes.NewReader(body)),
-			},
-			codes: []int{http.StatusNotFound},
-			err:   nil,
-		},
-		{
-			desc: "invalid response with 200 status code",
-			resp: &http.Response{
-				StatusCode: http.StatusNotFound,
-				Body:       io.NopCloser(bytes.NewReader(body)),
-			},
-			codes: []int{http.StatusOK},
-			err:   errors.NewSDKErrorWithStatus(errors.Wrap(errors.New("message"), errors.New("error")), http.StatusNotFound),
-		},
-		{
-			desc: "invalid response with 404 status code",
-			resp: &http.Response{
-				StatusCode: http.StatusOK,
-				Body:       io.NopCloser(bytes.NewReader(body)),
-			},
-			codes: []int{http.StatusNotFound},
-			err:   errors.NewSDKErrorWithStatus(errors.Wrap(errors.New("message"), errors.New("error")), http.StatusOK),
-		},
-		{
-			desc: "valid response with 200 status code and 404 status code",
-			resp: &http.Response{
-				StatusCode: http.StatusOK,
-				Body:       io.NopCloser(bytes.NewReader(body)),
-			},
-			codes: []int{http.StatusOK, http.StatusNotFound},
-			err:   nil,
-		},
-		{
-			desc: "error in JSON marshalling",
-			resp: &http.Response{
-				StatusCode: http.StatusNotFound,
-				Body:       io.NopCloser(bytes.NewReader([]byte(`"error":`))),
-			},
-			codes: []int{http.StatusOK},
-			err:   errors.NewSDKErrorWithStatus(errors.New("invalid character ':' after top-level value"), http.StatusNotFound),
-		},
-		{
-			desc: "empty error message",
-			resp: &http.Response{
-				StatusCode: http.StatusNotFound,
-				Body:       io.NopCloser(bytes.NewReader([]byte(`{"error":"","message":""}`))),
-			},
-			codes: []int{http.StatusOK},
-			err:   errors.NewSDKErrorWithStatus(errors.New(""), http.StatusNotFound),
-		},
-	}
-
-	for _, c := range cases {
-		t.Run(c.desc, func(t *testing.T) {
-			sdk := errors.CheckError(c.resp, c.codes...)
-			assert.Equal(t, sdk, c.err)
-			if c.err != nil {
-				assert.Equal(t, sdk, c.err)
-				assert.Equal(t, sdk.StatusCode(), c.resp.StatusCode)
-			}
-		})
-	}
-}
@@ -1,78 +0,0 @@
-// Copyright (c) Abstract Machines
-// SPDX-License-Identifier: Apache-2.0
-
-package service
-
-import "github.com/absmach/magistrala/pkg/errors"
-
-// Wrapper for Service errors.
-var (
-	// ErrAuthentication indicates failure occurred while authenticating the entity.
-	ErrAuthentication = errors.New("failed to perform authentication over the entity")
-
-	// ErrAuthorization indicates failure occurred while authorizing the entity.
-	ErrAuthorization = errors.New("failed to perform authorization over the entity")
-
-	// ErrDomainAuthorization indicates failure occurred while authorizing the domain.
-	ErrDomainAuthorization = errors.New("failed to perform authorization over the domain")
-
-	// ErrLogin indicates wrong login credentials.
-	ErrLogin = errors.New("invalid user id or secret")
-
-	// ErrMalformedEntity indicates a malformed entity specification.
-	ErrMalformedEntity = errors.New("malformed entity specification")
-
-	// ErrNotFound indicates a non-existent entity request.
-	ErrNotFound = errors.New("entity not found")
-
-	// ErrConflict indicates that entity already exists.
-	ErrConflict = errors.New("entity already exists")
-
-	// ErrCreateEntity indicates error in creating entity or entities.
-	ErrCreateEntity = errors.New("failed to create entity")
-
-	// ErrRemoveEntity indicates error in removing entity.
-	ErrRemoveEntity = errors.New("failed to remove entity")
-
-	// ErrViewEntity indicates error in viewing entity or entities.
-	ErrViewEntity = errors.New("view entity failed")
-
-	// ErrUpdateEntity indicates error in updating entity or entities.
-	ErrUpdateEntity = errors.New("update entity failed")
-
-	// ErrInvalidStatus indicates an invalid status.
-	ErrInvalidStatus = errors.New("invalid status")
-
-	// ErrInvalidRole indicates that an invalid role.
-	ErrInvalidRole = errors.New("invalid client role")
-
-	// ErrInvalidPolicy indicates that an invalid policy.
-	ErrInvalidPolicy = errors.New("invalid policy")
-
-	// ErrEnableClient indicates error in enabling client.
-	ErrEnableClient = errors.New("failed to enable client")
-
-	// ErrDisableClient indicates error in disabling client.
-	ErrDisableClient = errors.New("failed to disable client")
-
-	// ErrAddPolicies indicates error in adding policies.
-	ErrAddPolicies = errors.New("failed to add policies")
-
-	// ErrDeletePolicies indicates error in removing policies.
-	ErrDeletePolicies = errors.New("failed to remove policies")
-
-	// ErrSearch indicates error in searching clients.
-	ErrSearch = errors.New("failed to search clients")
-
-	// ErrInvitationAlreadyRejected indicates that the invitation is already rejected.
-	ErrInvitationAlreadyRejected = errors.New("invitation already rejected")
-
-	// ErrInvitationAlreadyAccepted indicates that the invitation is already accepted.
-	ErrInvitationAlreadyAccepted = errors.New("invitation already accepted")
-
-	// ErrParentGroupAuthorization indicates failure occurred while authorizing the parent group.
-	ErrParentGroupAuthorization = errors.New("failed to authorize parent group")
-
-	// ErrMissingUsername indicates that the user's names are missing.
-	ErrMissingUsername = errors.New("missing usernames")
-)
@@ -1,32 +0,0 @@
-// Copyright (c) Abstract Machines
-// SPDX-License-Identifier: Apache-2.0
-
-package errors
-
-import "errors"
-
-var (
-	// ErrMalformedEntity indicates a malformed entity specification.
-	ErrMalformedEntity = New("malformed entity specification")
-
-	// ErrUnsupportedContentType indicates invalid content type.
-	ErrUnsupportedContentType = errors.New("invalid content type")
-
-	// ErrUnidentified indicates unidentified error.
-	ErrUnidentified = errors.New("unidentified error")
-
-	// ErrEmptyPath indicates empty file path.
-	ErrEmptyPath = errors.New("empty file path")
-
-	// ErrStatusAlreadyAssigned indicated that the client or group has already been assigned the status.
-	ErrStatusAlreadyAssigned = errors.New("status already assigned")
-
-	// ErrRollbackTx indicates failed to rollback transaction.
-	ErrRollbackTx = errors.New("failed to rollback transaction")
-
-	// ErrAuthentication indicates failure occurred while authenticating the entity.
-	ErrAuthentication = errors.New("failed to perform authentication over the entity")
-
-	// ErrAuthorization indicates failure occurred while authorizing the entity.
-	ErrAuthorization = errors.New("failed to perform authorization over the entity")
-)
@@ -0,0 +1,10 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+package policies
+
+const (
+	RulesType   = "rules"
+	ReportsType = "reports"
+	AlarmsType  = "alarms"
+)
--- a/Show More
+++ b/Show More