transferwise · tanuj-builds · Mar 5, 2026 · Mar 5, 2026
@@ -1,2 +1,2 @@
-version=1.34.10-3
+version=1.35.8-1
 org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8
@@ -63,7 +63,7 @@ message TestAllTypes {
   string single_string = 14;
   bytes single_bytes = 15;
   optional bool optional_bool = 16;
-  optional bool optional_string = 17;
+  optional string optional_string = 17;
 
   // Collides with 'in' operator.
   bool in = 18;

@@ -79,49 +79,44 @@ message TestCase {
   // environments.
   cel.expr.conformance.Environment env = 4;
 
-  // Input for the test case
-  TestInput input = 5;
+  // A map representing a variable binding where the key is the name of the
+  // input variable.
+  map<string, InputValue> input = 5;
+
+  // Input in the form of a context proto for the test case.
+  // Note: Only one of `input_bindings` and `input_context` can be provided. Providing
+  // both should result in an error.
+  InputContext input_context = 6;
 
   // Expected result of the test case.
-  TestOutput output = 6;
+  TestOutput output = 7;
 
   // If specified validates that the deduced type at check time matches
   // If the result kind is not set and this field is set, the test is considered
   // "check-only".
-  cel.expr.Type deduced_type = 7;
+  cel.expr.Type deduced_type = 8;
 
   // Bypass the type-checking and only attempt to evaluate the parsed
   // expression.
-  bool disable_check = 8;
+  bool disable_check = 9;
 }
 
-// Input for the test case
-message TestInput {
-  // The type of input for the test case
-  oneof input_kind {
-    // A set of variable bindings to be used for evaluating a checked
-    // expression.
-    Bindings bindings = 1;
-
+// Input context proto for the test case
+message InputContext {
+  // The type of input context for the test case
+  oneof input_context_kind {
     // A context message represents an input kind in the form of a proto
     // message whose type is defined at runtime.
-    google.protobuf.Any context_message = 2;
+    google.protobuf.Any context_message = 1;
 
     // A context expression representing a context proto variable. The
     // fields of the input proto.Messages are used as top-level variables within
     // an Activation. The expression is evaluated using the cel environment
     // configured for the test suite.
-    string context_expr = 3;
+    string context_expr = 2;
   }
 }
 
-// The bindings of input variables for the test case.
-message Bindings {
-  // A map representing a variable binding where the key is the name of the
-  // input variable.
-  map<string, InputValue> values = 1;
-}
-
 // The input value for a variable binding
 message InputValue {
   // The type of input value that can be used for a variable binding

@@ -16,8 +16,8 @@ syntax = "proto3";
 
 package cel.expr;
 
+import "google/protobuf/any.proto";
 import "cel/expr/value.proto";
-import "google/rpc/status.proto";
 
 option cc_enable_arenas = true;
 option go_package = "cel.dev/expr";
@@ -104,9 +104,31 @@ message ExprValue {
 //
 // The errors included depend on the context. See `ExprValue.error`.
 message ErrorSet {
-  repeated google.rpc.Status errors = 1;
+  // Errors that could come up during evaluation phase.
+  repeated Status errors = 1;
 }
 
+  // Each `Status` message contains three pieces of data: error code, error message,
+  // and error details.
+  //
+  // You can find out more about this error model and how to work with it in the
+  // [API Design Guide](https://cloud.google.com/apis/design/errors).
+  //
+  // Status value is intended to be wire and field compatible with `google.rpc.Status`.
+  message Status {
+    // The status code, which should be an enum value of [google.rpc.Code][].
+    int32 code = 1;
+
+    // A developer-facing error message, which should be in English. Any
+    // user-facing error message should be localized and sent in the
+    // [Status.details][] field, or localized by the client.
+    string message = 2;
+
+    // A list of messages that carry the error details.  There is a common set of
+    // message types for APIs to use.
+    repeated google.protobuf.Any details = 3;
+  }
+
 // A set of expressions for which the value is unknown.
 //
 // The unknowns included depend on the context. See `ExprValue.unknown`.

@@ -4,6 +4,7 @@ package envoy.extensions.filters.network.postgres_proxy.v3alpha;
 
 import "google/protobuf/wrappers.proto";
 
+import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 
@@ -19,15 +20,26 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // <config_network_filters_postgres_proxy>`.
 // [#extension: envoy.filters.network.postgres_proxy]
 
+// [#next-free-field: 6]
 message PostgresProxy {
-  // Upstream SSL operational modes.
+  // Downstream and Upstream SSL operational modes.
   enum SSLMode {
-    // Do not encrypt upstream connection to the server.
+    // If used in downstream ssl, do not terminate SSL session initiated by a client.
+    // The Postgres proxy filter will pass all encrypted and unencrypted packets to the upstream server.
+    // If used in upstream ssl, do not encrypt upstream connection to the server.
     DISABLE = 0;
 
-    // Establish upstream SSL connection to the server. If the server does not
+    // If used in downstream ssl, the Postgres proxy filter will terminate SSL
+    // session and close downstream connections that refuse to upgrade to SSL.
+    // If used in upstream SSL, establish upstream SSL connection to the server. If the server does not
     // accept the request for SSL connection, the session is terminated.
     REQUIRE = 1;
+
+    // If used in downstream SSL, the Postgres proxy filter will accept downstream
+    // client's encryption settings. If the client wants to use clear-text,
+    // Envoy will not enforce SSL encryption.
+    // If the client wants to use encryption, Envoy will terminate SSL.
+    ALLOW = 2;
   }
 
   // The human readable prefix to use when emitting :ref:`statistics
@@ -48,7 +60,10 @@ message PostgresProxy {
   // If the filter does not manage to terminate the SSL session, it will close the connection from the client.
   // Refer to official documentation for details
   // `SSL Session Encryption Message Flow <https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.5.7.11>`_.
-  bool terminate_ssl = 3;
+  // This field is deprecated.
+  // Please use :ref:`downstream_ssl <envoy_v3_api_field_extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy.downstream_ssl>`.
+  bool terminate_ssl = 3
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Controls whether to establish upstream SSL connection to the server.
   // Envoy will try to establish upstream SSL connection to the server only when
@@ -57,6 +72,12 @@ message PostgresProxy {
   // SSL connection to Envoy and Postgres filter is configured to terminate SSL.
   // In order for upstream encryption to work, the corresponding cluster must be configured to use
   // :ref:`starttls transport socket <envoy_v3_api_msg_extensions.transport_sockets.starttls.v3.UpstreamStartTlsConfig>`.
-  // Defaults to ``SSL_DISABLE``.
+  // Defaults to ``DISABLE``.
   SSLMode upstream_ssl = 4;
+
+  // Controls whether to close downstream connections that refuse to upgrade to SSL.
+  // If enabled, the filter chain must use
+  // :ref:`starttls transport socket <envoy_v3_api_msg_extensions.transport_sockets.starttls.v3.UpstreamStartTlsConfig>`.
+  // Defaults to ``DISABLE``.
+  SSLMode downstream_ssl = 5;
 }
@@ -143,8 +143,8 @@ message HostStatus {
   //
   // .. note::
   //
-  //   The message will be missing if the host didn’t receive enough traffic to compute a success rate, or if the
-  //   cluster didn’t have enough hosts to perform outlier ejection based on success rate.
+  //   The message will be missing if the host didn't receive enough traffic to compute a success rate, or if the
+  //   cluster didn't have enough hosts to perform outlier ejection based on success rate.
   //
   type.v3.Percent local_origin_success_rate = 8;
 
@@ -171,18 +171,22 @@ message HostHealthStatus {
   // health checking.
   bool pending_dynamic_removal = 5;
 
-  // The host has not yet been health checked.
+  // The host is awaiting first health check.
   bool pending_active_hc = 6;
 
   // The host should be excluded from panic, spillover, etc. calculations because it was explicitly
   // taken out of rotation via protocol signal and is not meant to be routed to.
   bool excluded_via_immediate_hc_fail = 7;
 
-  // The host failed active HC due to timeout.
+  // The host failed active health check due to timeout.
   bool active_hc_timeout = 8;
 
-  // Health status as reported by EDS. Note: only HEALTHY and UNHEALTHY are currently supported
-  // here.
+  // Health status as reported by EDS.
+  //
+  // .. note::
+  //
+  //   Currently, only ``HEALTHY`` and ``UNHEALTHY`` are supported.
+  //
   // [#comment:TODO(mrice32): pipe through remaining EDS health status possibilities.]
   config.core.v3.HealthStatus eds_health_status = 3;
 }
@@ -57,9 +57,7 @@ message Bootstrap {
     // If a network based configuration source is specified for :ref:`cds_config
     // <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.DynamicResources.cds_config>`, it's necessary
     // to have some initial cluster definitions available to allow Envoy to know
-    // how to speak to the management server. These cluster definitions may not
-    // use :ref:`EDS <arch_overview_dynamic_config_eds>` (i.e. they should be static
-    // IP or DNS-based).
+    // how to speak to the management server.
     repeated cluster.v3.Cluster clusters = 2;
 
     // These static secrets can be used by :ref:`SdsSecretConfig

@@ -652,9 +652,10 @@ message Cluster {
     // If this is not set, we default to a merge window of 1000ms. To disable it, set the merge
     // window to 0.
     //
-    // Note: merging does not apply to cluster membership changes (e.g.: adds/removes); this is
-    // because merging those updates isn't currently safe. See
-    // https://github.com/envoyproxy/envoy/pull/3941.
+    // .. note::
+    //   Merging does not apply to cluster membership changes (e.g.: adds/removes); this is
+    //   because merging those updates isn't currently safe. See
+    //   https://github.com/envoyproxy/envoy/pull/3941.
     google.protobuf.Duration update_merge_window = 4;
 
     // If set to true, Envoy will :ref:`exclude <arch_overview_load_balancing_excluded>` new hosts
@@ -816,12 +817,14 @@ message Cluster {
   string name = 1 [(validate.rules).string = {min_len: 1}];
 
   // An optional alternative to the cluster name to be used for observability. This name is used
-  // emitting stats for the cluster and access logging the cluster name. This will appear as
+  // for emitting stats for the cluster and access logging the cluster name. This will appear as
   // additional information in configuration dumps of a cluster's current status as
   // :ref:`observability_name <envoy_v3_api_field_admin.v3.ClusterStatus.observability_name>`
-  // and as an additional tag "upstream_cluster.name" while tracing. Note: Any ``:`` in the name
-  // will be converted to ``_`` when emitting statistics. This should not be confused with
-  // :ref:`Router Filter Header <config_http_filters_router_x-envoy-upstream-alt-stat-name>`.
+  // and as an additional tag "upstream_cluster.name" while tracing.
+  //
+  // .. note::
+  //   Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be confused with
+  //   :ref:`Router Filter Header <config_http_filters_router_x-envoy-upstream-alt-stat-name>`.
   string alt_stat_name = 28 [(udpa.annotations.field_migrate).rename = "observability_name"];
 
   oneof cluster_discovery_type {

@@ -41,6 +41,17 @@ message Matcher {
       // Protocol-specific action to take.
       core.v3.TypedExtensionConfig action = 2;
     }
+
+    // If true, the action will be taken but the caller will behave as if no
+    // match was found. This applies both to actions directly encoded in the
+    // action field and to actions returned from a nested matcher tree in the
+    // matcher field. A subsequent matcher on_no_match action will be used
+    // instead.
+    //
+    // This field is not supported in all contexts in which the matcher API is
+    // used. If this field is set in a context in which it's not supported,
+    // the resource will be rejected.
+    bool keep_matching = 3;
   }
 
   // A linear list of field matchers.
@@ -84,7 +95,7 @@ message Matcher {
         // A list of predicates to be AND-ed together.
         PredicateList and_matcher = 3;
 
-        // The invert of a predicate
+        // The inverse of a predicate
         Predicate not_matcher = 4;
       }
     }
@@ -137,8 +148,8 @@ message Matcher {
     MatcherTree matcher_tree = 2;
   }
 
-  // Optional OnMatch to use if the matcher failed.
-  // If specified, the OnMatch is used, and the matcher is considered
+  // Optional ``OnMatch`` to use if the matcher failed.
+  // If specified, the ``OnMatch`` is used, and the matcher is considered
   // to have matched.
   // If not specified, the matcher is considered not to have matched.
   OnMatch on_no_match = 3;
@@ -204,9 +215,9 @@ message HttpHeadersMatch {
 //
 // .. attention::
 //
-//   Searching for patterns in HTTP body is potentially cpu intensive. For each specified pattern, http body is scanned byte by byte to find a match.
+//   Searching for patterns in HTTP body is potentially CPU-intensive. For each specified pattern, HTTP body is scanned byte by byte to find a match.
 //   If multiple patterns are specified, the process is repeated for each pattern. If location of a pattern is known, ``bytes_limit`` should be specified
-//   to scan only part of the http body.
+//   to scan only part of the HTTP body.
 message HttpGenericBodyMatch {
   message GenericTextMatch {
     oneof rule {