Merge pull request #2724 from jsternberg/vtproto

hack: generate vtproto files for buildx
vendor: update buildkit to v0.17.0-rc1
2025-08-15 16:25:54 +08:00 · 2024-10-08 17:04:19 -07:00 · 2024-10-08 16:54:03 -07:00 · 2024-10-08 13:35:06 -05:00 · 2024-10-04 12:52:45 -07:00 · 2024-10-04 12:51:28 -07:00
859 changed files with 119780 additions and 114923 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,5 +11,5 @@ updates:
      # trigger a new version: https://github.com/docker/buildx/pull/2222#issuecomment-1919092153
      - dependency-name: "docker/docs"
    labels:
-      - "dependencies"
+      - "area/dependencies"
      - "bot"
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,6 +21,7 @@ on:
 env:
  BUILDX_VERSION: "latest"
  BUILDKIT_IMAGE: "moby/buildkit:latest"
+  SCOUT_VERSION: "1.11.0"
  REPO_SLUG: "docker/buildx-bin"
  DESTDIR: "./bin"
  TEST_CACHE_SCOPE: "test"
@@ -44,9 +45,9 @@ jobs:
          - master
          - latest
          - buildx-stable-1
+          - v0.15.2
          - v0.14.1
          - v0.13.2
-          - v0.12.5
        worker:
          - docker-container
          - remote
@@ -214,6 +215,38 @@ jobs:
          name: test-reports-${{ env.TESTREPORTS_NAME }}
          path: ${{ env.TESTREPORTS_BASEDIR }}

+  govulncheck:
+    runs-on: ubuntu-24.04
+    permissions:
+      # required to write sarif report
+      security-events: write
+      # required to check out the repository
+      contents: read
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Run
+        uses: docker/bake-action@v5
+        with:
+          targets: govulncheck
+        env:
+          GOVULNCHECK_FORMAT: sarif
+      -
+        name: Upload SARIF report
+        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
+
  prepare-binaries:
    runs-on: ubuntu-24.04
    outputs:
@@ -328,6 +361,38 @@ jobs:
            *.cache-from=type=gha,scope=bin-image
            *.cache-to=type=gha,scope=bin-image,mode=max

+  scout:
+    runs-on: ubuntu-24.04
+    if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
+    permissions:
+      # required to write sarif report
+      security-events: write
+    needs:
+      - bin-image
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
+          password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
+      -
+        name: Scout
+        id: scout
+        uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4
+        with:
+          version: ${{ env.SCOUT_VERSION }}
+          format: sarif
+          image: registry://${{ env.REPO_SLUG }}:master
+      -
+        name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scout.outputs.result-file }}
+
  release:
    runs-on: ubuntu-24.04
    needs:
@@ -359,7 +424,7 @@ jobs:
      -
        name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0  # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191  # v2.0.8
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@@ -57,7 +57,7 @@ jobs:
          VENDOR_MODULE: github.com/docker/buildx@${{ env.RELEASE_NAME }}
      -
        name: Create PR on docs repo
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c  # v6.1.0
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f  # v7.0.5
        with:
          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
          push-to-fork: docker-tools-robot/docker.github.io
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -17,3 +17,5 @@ jobs:
      -
        name: Run
        uses: actions/labeler@v5
+        with:
+          sync-labels: true
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,12 +1,8 @@
 run:
  timeout: 30m
-  skip-files:
-    - ".*\\.pb\\.go$"

  modules-download-mode: vendor

-  build-tags:
-
 linters:
  enable:
    - gofmt
@@ -57,6 +53,8 @@ linters-settings:
      G306: "0644"

 issues:
+  exclude-files:
+    - ".*\\.pb\\.go$"
  exclude-rules:
    - linters:
        - revive
@@ -77,6 +75,6 @@ issues:
        - revive
      text: "if-return"

-# show all
-max-issues-per-linter: 0
-max-same-issues: 0
+  # show all
+  max-issues-per-linter: 0
+  max-same-issues: 0
--- a/.mailmap
+++ b/.mailmap
@@ -1,11 +1,25 @@
 # This file lists all individuals having contributed content to the repository.
 # For how it is generated, see hack/dockerfiles/authors.Dockerfile.

+Batuhan Apaydın <batuhan.apaydin@trendyol.com>
+Batuhan Apaydın <batuhan.apaydin@trendyol.com> <developerguy2@gmail.com>
 CrazyMax <github@crazymax.dev>
 CrazyMax <github@crazymax.dev> <1951866+crazy-max@users.noreply.github.com>
 CrazyMax <github@crazymax.dev> <crazy-max@users.noreply.github.com>
+David Karlsson <david.karlsson@docker.com>
+David Karlsson <david.karlsson@docker.com> <35727626+dvdksn@users.noreply.github.com>
+jaihwan104 <jaihwan104@woowahan.com>
+jaihwan104 <jaihwan104@woowahan.com> <42341126+jaihwan104@users.noreply.github.com>
+Kenyon Ralph <kenyon@kenyonralph.com>
+Kenyon Ralph <kenyon@kenyonralph.com> <quic_kralph@quicinc.com>
 Sebastiaan van Stijn <github@gone.nl>
 Sebastiaan van Stijn <github@gone.nl> <thaJeztah@users.noreply.github.com>
+Shaun Thompson <shaun.thompson@docker.com>
+Shaun Thompson <shaun.thompson@docker.com> <shaun.b.thompson@gmail.com>
+Silvin Lubecki <silvin.lubecki@docker.com>
+Silvin Lubecki <silvin.lubecki@docker.com> <31478878+silvin-lubecki@users.noreply.github.com>
+Talon Bowler <talon.bowler@docker.com>
+Talon Bowler <talon.bowler@docker.com> <nolat301@gmail.com>
 Tibor Vass <tibor@docker.com>
 Tibor Vass <tibor@docker.com> <tiborvass@users.noreply.github.com>
 Tõnis Tiigi <tonistiigi@gmail.com>
--- a/69
+++ b/69
@@ -1,45 +1,112 @@
 # This file lists all individuals having contributed content to the repository.
 # For how it is generated, see hack/dockerfiles/authors.Dockerfile.

+accetto <34798830+accetto@users.noreply.github.com>
 Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Aleksa Sarai <cyphar@cyphar.com>
 Alex Couture-Beil <alex@earthly.dev>
 Andrew Haines <andrew.haines@zencargo.com>
+Andy Caldwell <andrew.caldwell@metaswitch.com>
 Andy MacKinlay <admackin@users.noreply.github.com>
 Anthony Poschen <zanven42@gmail.com>
+Arnold Sobanski <arnold@l4g.dev>
 Artur Klauser <Artur.Klauser@computer.org>
-Batuhan Apaydın <developerguy2@gmail.com>
+Avi Deitcher <avi@deitcher.net>
+Batuhan Apaydın <batuhan.apaydin@trendyol.com>
+Ben Peachey <potherca@gmail.com>
+Bertrand Paquet <bertrand.paquet@gmail.com>
 Bin Du <bindu@microsoft.com>
 Brandon Philips <brandon@ifup.org>
 Brian Goff <cpuguy83@gmail.com>
+Bryce Lampe <bryce@pulumi.com>
+Cameron Adams <pnzreba@gmail.com>
+Christian Dupuis <cd@atomist.com>
+Cory Snider <csnider@mirantis.com>
 CrazyMax <github@crazymax.dev>
+David Gageot <david.gageot@docker.com>
+David Karlsson <david.karlsson@docker.com>
+David Scott <dave@recoil.org>
 dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 Devin Bayer <dev@doubly.so>
 Djordje Lukic <djordje.lukic@docker.com>
+Dmitry Makovey <dmakovey@gitlab.com>
 Dmytro Makovey <dmytro.makovey@docker.com>
 Donghui Wang <977675308@qq.com>
+Doug Borg <dougborg@apple.com>
+Edgar Lee <edgarl@netflix.com>
+Eli Treuherz <et@arenko.group>
+Eliott Wiener <eliottwiener@gmail.com>
+Elran Shefer <elran.shefer@velocity.tech>
 faust <faustin@fala.red>
 Felipe Santos <felipecassiors@gmail.com>
+Felix de Souza <fdesouza@palantir.com>
 Fernando Miguel <github@FernandoMiguel.net>
 gfrancesco <gfrancesco@users.noreply.github.com>
 gracenoah <gracenoahgh@gmail.com>
+Guillaume Lours <705411+glours@users.noreply.github.com>
+guoguangwu <guoguangwu@magic-shield.com>
 Hollow Man <hollowman@hollowman.ml>
+Ian King'ori <kingorim.ian@gmail.com>
+idnandre <andre@idntimes.com>
 Ilya Dmitrichenko <errordeveloper@gmail.com>
+Isaac Gaskin <isaac.gaskin@circle.com>
 Jack Laxson <jackjrabbit@gmail.com>
+jaihwan104 <jaihwan104@woowahan.com>
 Jean-Yves Gastaud <jygastaud@gmail.com>
+Jhan S. Álvarez <51450231+yastanotheruser@users.noreply.github.com>
+Jonathan A. Sternberg <jonathan.sternberg@docker.com>
+Jonathan Piché <jpiche@coveo.com>
+Justin Chadwell <me@jedevc.com>
+Kenyon Ralph <kenyon@kenyonralph.com>
 khs1994 <khs1994@khs1994.com>
+Kijima Daigo <norimaking777@gmail.com>
+Kohei Tokunaga <ktokunaga.mail@gmail.com>
 Kotaro Adachi <k33asby@gmail.com>
+Kushagra Mansingh <12158241+kushmansingh@users.noreply.github.com>
 l00397676 <lujingxiao@huawei.com>
+Laura Brehm <laurabrehm@hey.com>
+Laurent Goderre <laurent.goderre@docker.com>
+Mark Hildreth <113933455+markhildreth-gravity@users.noreply.github.com>
+Mayeul Blanzat <mayeul.blanzat@datadoghq.com>
 Michal Augustyn <michal.augustyn@mail.com>
+Milas Bowman <milas.bowman@docker.com>
+Mitsuru Kariya <mitsuru.kariya@nttdata.com>
+Moleus <fafufuburr@gmail.com>
+Nick Santos <nick.santos@docker.com>
+Nick Sieger <nick@nicksieger.com>
+Nicolas De Loof <nicolas.deloof@gmail.com>
+Niklas Gehlen <niklas@namespacelabs.com>
 Patrick Van Stee <patrick@vanstee.me>
+Paweł Gronowski <pawel.gronowski@docker.com>
+Phong Tran <tran.pho@northeastern.edu>
+Qasim Sarfraz <qasimsarfraz@microsoft.com>
+Rob Murray <rob.murray@docker.com>
+robertlestak <robert.lestak@umusic.com>
 Saul Shanabrook <s.shanabrook@gmail.com>
+Sean P. Kane <spkane00@gmail.com>
 Sebastiaan van Stijn <github@gone.nl>
+Shaun Thompson <shaun.thompson@docker.com>
 SHIMA Tatsuya <ts1s1andn@gmail.com>
 Silvin Lubecki <silvin.lubecki@docker.com>
+Simon A. Eugster <simon.eu@gmail.com>
 Solomon Hykes <sh.github.6811@hykes.org>
+Sumner Warren <sumner.warren@gmail.com>
 Sune Keller <absukl@almbrand.dk>
+Talon Bowler <talon.bowler@docker.com>
+Tianon Gravi <admwiggin@gmail.com>
 Tibor Vass <tibor@docker.com>
+Tim Smith <tismith@rvohealth.com>
+Timofey Kirillov <timofey.kirillov@flant.com>
+Tyler Smith <tylerlwsmith@gmail.com>
 Tõnis Tiigi <tonistiigi@gmail.com>
 Ulysses Souza <ulyssessouza@gmail.com>
+Usual Coder <34403413+Usual-Coder@users.noreply.github.com>
 Wang Jinglei <morlay.null@gmail.com>
+Wei <daviseago@gmail.com>
+Wojciech M <wmiedzybrodzki@outlook.com>
 Xiang Dai <764524258@qq.com>
+Zachary Povey <zachary.povey@autotrader.co.uk>
 zelahi <elahi.zuhayr@gmail.com>
+Zero <tobewhatwewant@gmail.com>
+zhyon404 <zhyong4@gmail.com>
+Zsolt <zsolt.szeberenyi@figured.com>
--- a/9
+++ b/9
@@ -1,19 +1,20 @@
 # syntax=docker/dockerfile:1

 ARG GO_VERSION=1.22
-ARG XX_VERSION=1.4.0
+ARG XX_VERSION=1.5.0

 # for testing
-ARG DOCKER_VERSION=27.0.3
+ARG DOCKER_VERSION=27.2.1
+ARG DOCKER_CLI_VERSION=${DOCKER_VERSION}
 ARG GOTESTSUM_VERSION=v1.9.0
 ARG REGISTRY_VERSION=2.8.0
-ARG BUILDKIT_VERSION=v0.14.1
+ARG BUILDKIT_VERSION=v0.16.0
 ARG UNDOCK_VERSION=0.7.0

 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS golatest
 FROM moby/moby-bin:$DOCKER_VERSION AS docker-engine
-FROM dockereng/cli-bin:$DOCKER_VERSION AS docker-cli
+FROM dockereng/cli-bin:$DOCKER_CLI_VERSION AS docker-cli
 FROM registry:$REGISTRY_VERSION AS registry
 FROM moby/buildkit:$BUILDKIT_VERSION AS buildkit
 FROM crazymax/undock:$UNDOCK_VERSION AS undock
--- a/PROJECT.md
+++ b/PROJECT.md
@@ -0,0 +1,453 @@
+# Project processing guide <!-- omit from toc -->
+
+- [Project scope](#project-scope)
+- [Labels](#labels)
+  - [Global](#global)
+  - [`area/`](#area)
+  - [`exp/`](#exp)
+  - [`impact/`](#impact)
+  - [`kind/`](#kind)
+  - [`needs/`](#needs)
+  - [`priority/`](#priority)
+  - [`status/`](#status)
+- [Types of releases](#types-of-releases)
+  - [Feature releases](#feature-releases)
+    - [Release Candidates](#release-candidates)
+    - [Support Policy](#support-policy)
+    - [Contributing to Releases](#contributing-to-releases)
+  - [Patch releases](#patch-releases)
+- [Milestones](#milestones)
+- [Triage process](#triage-process)
+  - [Verify essential information](#verify-essential-information)
+  - [Classify the issue](#classify-the-issue)
+- [Prioritization guidelines for `kind/bug`](#prioritization-guidelines-for-kindbug)
+- [Issue lifecyle](#issue-lifecyle)
+  - [Examples](#examples)
+    - [Submitting a bug](#submitting-a-bug)
+- [Pull request review process](#pull-request-review-process)
+- [Handling stalled issues and pull requests](#handling-stalled-issues-and-pull-requests)
+- [Moving to a discussion](#moving-to-a-discussion)
+- [Workflow automation](#workflow-automation)
+  - [Exempting an issue/PR from stale bot processing](#exempting-an-issuepr-from-stale-bot-processing)
+- [Updating dependencies](#updating-dependencies)
+
+---
+
+## Project scope
+
+**Docker Buildx** is a Docker CLI plugin designed to extend build capabilities using BuildKit. It provides advanced features for building container images, supporting multiple builder instances, multi-node builds, and high-level build constructs. Buildx enhances the Docker build process, making it more efficient and flexible, and is compatible with both Docker and Kubernetes environments. Key features include:
+
+- **Familiar user experience:** Buildx offers a user experience similar to legacy docker build, ensuring a smooth transition from legacy commands
+- **Full BuildKit capabilities:** Leverage the full feature set of [`moby/buildkit`](https://github.com/moby/buildkit) when using the container driver
+- **Multiple builder instances:** Supports the use of multiple builder instances, allowing concurrent builds and effective management and monitoring of these builders.
+- **Multi-node builds:** Use multiple nodes to build cross-platform images
+- **Compose integration:** Build complex, multi-services files as defined in compose
+- **High-level build constructs via `bake`:** Introduces high-level build constructs for more complex build workflows
+- **In-container driver support:** Support in-container drivers for both Docker and Kubernetes environments to support isolation/security.
+
+## Labels
+
+Below are common groups, labels, and their intended usage to support issues, pull requests, and discussion processing.
+
+### Global
+
+General attributes that can apply to nearly any issue or pull request.
+
+| Label               | Applies to  | Description                                                               |
+| ------------------- | ----------- | ------------------------------------------------------------------------- |
+| `bot`               | Issues, PRs | Created by a bot                                                          |
+| `good first issue ` | Issues      | Suitable for first-time contributors                                      |
+| `help wanted`       | Issues, PRs | Assistance requested                                                      |
+| `lgtm`              | PRs         | “Looks good to me” approval                                               |
+| `stale`             | Issues, PRs | The issue/PR has not had activity for a while                             |
+| `rotten`            | Issues, PRs | The issue/PR has not had activity since being marked stale and was closed |
+| `frozen`            | Issues, PRs | The issue/PR should be skipped by the stale-bot                           |
+| `dco/no`            | PRs         | The PR is missing a developer certificate of origin sign-off              |
+
+### `area/`
+
+Area or component of the project affected. Please note that the table below may not be inclusive of all current options.
+
+| Label                          | Applies to | Description                |
+| ------------------------------ | ---------- | -------------------------- |
+| `area/bake`                    | Any        | `bake`                     |
+| `area/bake/compose`            | Any        | `bake/compose`             |
+| `area/build`                   | Any        | `build`                    |
+| `area/builder`                 | Any        | `builder`                  |
+| `area/buildkit`                | Any        | Relates to `moby/buildkit` |
+| `area/cache`                   | Any        | `cache`                    |
+| `area/checks`                  | Any        | `checks`                   |
+| `area/ci`                      | Any        | Project CI                 |
+| `area/cli`                     | Any        | `cli`                      |
+| `area/controller`              | Any        | `controller`               |
+| `area/debug`                   | Any        | `debug`                    |
+| `area/dependencies`            | Any        | Project dependencies       |
+| `area/dockerfile`              | Any        | `dockerfile`               |
+| `area/docs`                    | Any        | `docs`                     |
+| `area/driver`                  | Any        | `driver`                   |
+| `area/driver/docker`           | Any        | `driver/docker`            |
+| `area/driver/docker-container` | Any        | `driver/docker-container`  |
+| `area/driver/kubernetes`       | Any        | `driver/kubernetes`        |
+| `area/driver/remote`           | Any        | `driver/remote`            |
+| `area/feature-parity`          | Any        | `feature-parity`           |
+| `area/github-actions`          | Any        | `github-actions`           |
+| `area/hack`                    | Any        | Project hack/support       |
+| `area/imagetools`              | Any        | `imagetools`               |
+| `area/metrics`                 | Any        | `metrics`                  |
+| `area/moby`                    | Any        | Relates to `moby/moby`     |
+| `area/project`                 | Any        | Project support            |
+| `area/qemu`                    | Any        | `qemu`                     |
+| `area/tests`                   | Any        | Project testing            |
+| `area/windows`                 | Any        | `windows`                  |
+
+### `exp/`
+
+Estimated experience level to complete the item
+
+| Label              | Applies to | Description                                                                     |
+| ------------------ | ---------- | ------------------------------------------------------------------------------- |
+| `exp/beginner`     | Issue      | Suitable for contributors new to the project or technology stack                |
+| `exp/intermediate` | Issue      | Requires some familiarity with the project and technology                       |
+| `exp/expert`       | Issue      | Requires deep understanding and advanced skills with the project and technology |
+
+### `impact/`
+
+Potential impact areas of the issue or pull request.
+
+| Label                | Applies to | Description                                        |
+| -------------------- | ---------- | -------------------------------------------------- |
+| `impact/breaking`    | PR         | Change is API-breaking                             |
+| `impact/changelog`   | PR         | When complete, the item should be in the changelog |
+| `impact/deprecation` | PR         | Change is a deprecation of a feature               |
+
+
+### `kind/`
+
+The type of issue, pull request or discussion
+
+| Label              | Applies to        | Description                                             |
+| ------------------ | ----------------- | ------------------------------------------------------- |
+| `kind/bug`         | Issue, PR         | Confirmed bug                                           |
+| `kind/chore`       | Issue, PR         | Project support tasks                                   |
+| `kind/docs`        | Issue, PR         | Additions or modifications to the documentation         |
+| `kind/duplicate`   | Any               | Duplicate of another item                               |
+| `kind/enhancement` | Any               | Enhancement of an existing feature                      |
+| `kind/feature`     | Any               | A brand new feature                                     |
+| `kind/maybe-bug`   | Issue, PR         | Unconfirmed bug, turns into kind/bug when confirmed     |
+| `kind/proposal`    | Issue, Discussion | A proposed major change                                 |
+| `kind/refactor`    | Issue, PR         | Refactor of existing code                               |
+| `kind/support`     | Any               | A question, discussion, or other user support item      |
+| `kind/tests`       | Issue, PR         | Additions or modifications to the project testing suite |
+
+### `needs/`
+
+Actions or missing requirements needed by the issue or pull request.
+
+| Label                       | Applies to | Description                                           |
+| --------------------------- | ---------- | ----------------------------------------------------- |
+| `needs/assignee`            | Issue, PR  | Needs an assignee                                     |
+| `needs/code-review`         | PR         | Needs review of code                                  |
+| `needs/design-review`       | Issue, PR  | Needs review of design                                |
+| `needs/docs-review`         | Issue, PR  | Needs review by the documentation team                |
+| `needs/docs-update`         | Issue, PR  | Needs an update to the docs                           |
+| `needs/follow-on-work`      | Issue, PR  | Needs follow-on work/PR                               |
+| `needs/issue`               | PR         | Needs an issue                                        |
+| `needs/maintainer-decision` | Issue, PR  | Needs maintainer discussion/decision before advancing |
+| `needs/milestone`           | Issue, PR  | Needs milestone assignment                            |
+| `needs/more-info`           | Any        | Needs more information from the author                |
+| `needs/more-investigation`  | Issue, PR  | Needs further investigation                           |
+| `needs/priority`            | Issue, PR  | Needs priority assignment                             |
+| `needs/pull-request`        | Issue      | Needs a pull request                                  |
+| `needs/rebase`              | PR         | Needs rebase to target branch                         |
+| `needs/reproduction`        | Issue, PR  | Needs reproduction steps                              |
+
+### `priority/`
+
+Level of urgency of a `kind/bug` issue or pull request.
+
+| Label         | Applies to | Description                                                             |
+| ------------- | ---------- | ----------------------------------------------------------------------- |
+| `priority/P0` | Issue, PR  | Urgent: Security, critical bugs, blocking issues.                       |
+| `priority/P1` | Issue, PR  | Important: This is a top priority and a must-have for the next release. |
+| `priority/P2` | Issue, PR  | Normal: Default priority                                                |
+
+### `status/`
+
+Current lifecycle state of the issue or pull request.
+
+| Label                 | Applies to | Description                                                            |
+| --------------------- | ---------- | ---------------------------------------------------------------------- |
+| `status/accepted`     | Issue, PR  | The issue has been reviewed and accepted for implementation            |
+| `status/active`       | PR         | The PR is actively being worked on by a maintainer or community member |
+| `status/blocked`      | Issue, PR  | The issue/PR is blocked from advancing to another status               |
+| `status/do-not-merge` | PR         | Should not be merged pending further review or changes                 |
+| `status/transfer`     | Any        | Transferred to another project                                         |
+| `status/triage`       | Any        | The item needs to be sorted by maintainers                             |
+| `status/wontfix`      | Issue, PR  | The issue/PR will not be fixed or addressed as described               |
+
+## Types of releases
+
+This project has feature releases, patch releases, and security releases.
+
+### Feature releases
+
+Feature releases are made from the development branch, followed by cutting a release branch for future patch releases, which may also occur during the code freeze period.
+
+#### Release Candidates
+
+Users can expect 2-3 release candidate (RC) test releases prior to a feature release. The first RC is typically released about one to two weeks before the final release.
+
+#### Support Policy
+
+Once a new feature release is cut, support for the previous feature release is discontinued. An exception may be made for urgent security releases that occur shortly after a new feature release. Buildx does not offer LTS (Long-Term Support) releases.
+
+#### Contributing to Releases
+
+Anyone can request that an issue or PR be included in the next feature or patch release milestone, provided it meets the necessary requirements.
+
+### Patch releases
+
+Patch releases should only include the most critical patches. Stability is vital, so everyone should always use the latest patch release.
+
+If a fix is needed but does not qualify for a patch release because of its code size or other criteria that make it too unpredictable, we will prioritize cutting a new feature release sooner rather than making an exception for backporting.
+
+Following PRs are included in patch releases
+
+- `priority/P0` fixes
+- `priority/P1` fixes, assuming maintainers don’t object because of the patch size
+- `priority/P2` fixes, only if (both required)
+    - proposed by maintainer
+    - the patch is trivial and self-contained
+- Documentation-only patches
+- Vendored dependency updates, only if:
+    - Fixing (qualifying) bug or security issue in Buildx
+    - The patch is small, else a forked version of the dependency with only the patches required
+
+New features do not qualify for patch release.
+
+## Milestones
+
+Milestones are used to help identify what releases a contribution will be in. 
+
+- The `v0.next` milestone collects unblocked items planned for the next 2-3 feature releases but not yet assigned to a specific version milestone.
+- The `v0.backlog` milestone gathers all triaged items considered for the long-term (beyond the next 3 feature releases) or currently unfit for a future release due to certain conditions. These items may be blocked and need to be unblocked before progressing.
+
+## Triage process
+
+Triage provides an important way to contribute to an open-source project. When submitted without an issue this process applies to Pull Requests as well. Triage helps ensure work items are resolved quickly by:
+
+- Ensuring the issue's intent and purpose are described precisely. This is necessary because it can be difficult for an issue to explain how an end user experiences a problem and what actions they took to arrive at the problem.
+- Giving a contributor the information they need before they commit to resolving an issue.
+- Lowering the issue count by preventing duplicate issues.
+- Streamlining the development process by preventing duplicate discussions.
+
+If you don't have time to code, consider helping with triage. The community will thank you for saving them time by spending some of yours. The same basic process should be applied upon receipt of a new issue.
+
+1. Verify essential information
+2. Classify the issue
+3. Prioritizing the issue
+
+### Verify essential information
+
+Before advancing the triage process, ensure the issue contains all necessary information to be properly understood and assessed. The required information may vary by issue type, but typically includes the system environment, version numbers, reproduction steps, expected outcomes, and actual results.
+
+- **Exercising Judgment**: Use your best judgment to assess the issue description’s completeness.
+- **Communicating Needs**: If the information provided is insufficient, kindly request additional details from the author. Explain that this information is crucial for clarity and resolution of the issue, and apply the `needs/more-information` label to indicate a response from the author is required.
+
+### Classify the issue
+
+An issue will typically have multiple labels. These are used to help communicate key information about context, requirements, and status. At a minimum, a properly classified issue should have:
+
+- (Required) One or more [`area/*`](#area) labels
+- (Required) One [`kind/*`](#kind) label  to indicate the type of issue
+- (Required if `kind/bug`) A [`priority/*`](#priority) label
+
+When assigning a decision the following labels should be present:
+
+- (Required) One [`status/*`](#status) label  to indicate lifecycle status
+
+Additional labels can provide more clarity:
+
+- Zero or more [`needs/*`](#needs) labels to indicate missing items
+- Zero or more [`impact/*`](#impact) labels
+- One [`exp/*`](#exp) label
+
+## Prioritization guidelines for `kind/bug`
+
+When an issue or pull request of `kind/bug` is correctly categorized and attached to a milestone, the labels indicate the urgency with which it should be completed. 
+
+**priority/P0**
+
+Fixing this item is the highest priority. A patch release will follow as soon as a patch is available and verified. This level is used exclusively for bugs.
+
+Examples:
+
+- Regression in a critical code path
+- Panic in a critical code path
+- Corruption in critical code path or rest of the system
+- Leaked zero-day critical security
+
+**priority/P1**
+
+Items with this label should be fixed with high priority and almost always included in a patch release. Unless waiting for another issue, patch releases should happen within a week. This level is not used for features or enhancements.
+
+Examples:
+
+- Any regression, panic
+- Measurable performance regression
+- A major bug in a new feature in the latest release
+- Incompatibility with upgraded external dependency
+
+**priority/P2**
+
+This is the default priority and is implied in the absence of a `priority/` label. Bugs with this priority should be included in the next feature release but may land in a patch release if they are ready and unlikely to impact other functionality adversely. Non-bug issues with this priority should also be included in the next feature release if they are available and ready.
+
+Examples:
+
+- Confirmed bugs
+- Bugs in non-default configurations
+- Most enhancements
+
+## Issue lifecyle
+
+```mermaid
+flowchart LR
+  create([New issue]) --> triage
+  subgraph triage[Triage Loop]
+    review[Review]
+  end
+  subgraph decision[Decision]
+    accept[Accept]
+    close[Close]
+  end
+  triage -- if accepted --> accept[Assign status, milestone]
+  triage -- if rejected --> close[Assign status, close issue]
+```
+
+### Examples
+
+#### Submitting a bug
+
+To help illustrate the issue life cycle let’s walk through submitting an issue as a potential bug in CI that enters a feedback loop and is eventually accepted as P2 priority and placed on the backlog.
+
+```mermaid
+flowchart LR
+
+	new([New issue])
+	
+	subgraph triage[Triage]
+	direction LR
+	
+  create["Action: Submit issue via Bug form\nLabels: kind/maybe-bug, status/triage"]
+  style create text-align:left
+
+		subgraph review[Review]
+		direction TB
+	  classify["Action: Maintainer reviews issue, requests more info\nLabels: kind/maybe-bug, status/triage, needs/more-info, area/*"]
+	  style classify text-align:left
+	  
+	  update["Action: Author updates issue\nLabels: kind/maybe-bug, status/triage, needs/more-info, area/*"]
+	  style update text-align:left
+	
+	  classify --> update
+	  update --> classify
+	  end
+  
+  create --> review
+  end
+
+	subgraph decision[Decision]
+	accept["Action: Maintainer reviews updates, accepts, assigns milestone\nLabels: kind/bug, priority/P2, status/accepted, area/*, impact/*"]
+  style accept text-align: left
+  end
+  
+  new --> triage
+  triage --> decision
+```
+
+## Pull request review process
+
+A thorough and timely review process for pull requests (PRs) is crucial for maintaining the integrity and quality of the project while fostering a collaborative environment.
+
+- **Labeling**: Most labels should be inherited from a linked issue. If no issue is linked an extended review process may be required.
+- **Continuous Integration**: With few exceptions, it is crucial that all Continuous Integration (CI) workflows pass successfully.
+- **Draft Status**: Incomplete or long-running PRs should be placed in "Draft" status. They may revert to "Draft" status upon initial review if significant rework is required.
+
+```mermaid
+flowchart LR
+  triage([Triage])
+  draft[Draft PR]
+  review[PR Review]
+  closed{{Close PR}}
+  merge{{Merge PR}}
+
+  subgraph feedback1[Feedback Loop]
+    draft
+  end
+  subgraph feedback2[Feedback Loop]
+     review
+  end
+
+  triage --> draft
+  draft --> review
+  review --> closed
+  review --> draft
+  review --> merge
+```
+
+## Handling stalled issues and pull requests
+
+Unfortunately, some issues or pull requests can remain inactive for extended periods. To mitigate this, automation is employed to prompt both the author and maintainers, ensuring that all contributions receive appropriate attention.
+
+**For Authors:**
+
+- **Closure of Inactive Items**: If your issue or PR becomes irrelevant or is no longer needed, please close it to help keep the project clean.
+- **Prompt Responses**: If additional information is requested, please respond promptly to facilitate progress.
+
+**For Maintainers:**
+
+- **Timely Responses**: Endeavor to address issues and PRs within a reasonable timeframe to keep the community actively engaged.
+- **Engagement with Stale Issues**: If an issue becomes stale due to maintainer inaction, re-engage with the author to reassess and revitalize the discussion.
+
+**Stale and Rotten Policy:**
+
+- An issue or PR will be labeled as **`stale`** after 14 calendar days of inactivity. If it remains inactive for another 30 days, it will be labeled as **`rotten`** and closed.
+- Authors whose issues or PRs have been closed are welcome to re-open them or create new ones and link to the original.
+
+**Skipping Stale Processing:**
+
+- To prevent an issue or PR from being marked as stale, label it as **`frozen`**.
+
+**Exceptions to Stale Processing:**
+
+- Issues or PRs marked as **`frozen`**.
+- Issues or PRs assigned to a milestone.
+
+## Moving to a discussion
+
+Sometimes, an issue or pull request may not be the appropriate medium for what is essentially a discussion. In such cases, the issue or PR will either be converted to a discussion or a new discussion will be created. The original item will then be labeled appropriately (**`kind/discussion`** or **`kind/question`**) and closed.
+
+If you believe this conversion was made in error, please express your concerns in the new discussion thread. If necessary, a reversal to the original issue or PR format can be facilitated.
+
+## Workflow automation
+
+To help expedite common operations, avoid errors and reduce toil some workflow automation is used by the project. This can include:
+
+- Stale issue or pull request processing
+- Auto-labeling actions
+- Auto-response actions
+- Label carry over from issue to pull request
+
+### Exempting an issue/PR from stale bot processing
+
+The stale item handling is configured in the [repository](link-to-config-file). To exempt an issue or PR from stale processing you can:
+
+- Add the item to a milestone
+- Add the `frozen` label to the item
+
+## Updating dependencies
+
+- **Runtime Dependencies**: Use the latest stable release available when the first Release Candidate (RC) of a new feature release is cut. For patch releases, update to the latest corresponding patch release of the dependency.
+- **Other Dependencies**: Always permitted to update to the latest patch release in the development branch. Updates to a new feature release require justification, unless the dependency is outdated. Prefer tagged versions of dependencies unless a specific untagged commit is needed. Go modules should specify the lowest compatible version; there is no requirement to update all dependencies to their latest versions before cutting a new Buildx feature release.
+- **Patch Releases**: Vendored dependency updates are considered for patch releases, except in the rare cases specified previously.
+- **Security Considerations**: A security scanner report indicating a non-exploitable issue via Buildx does not justify backports.
--- a/README.md
+++ b/README.md
@@ -56,8 +56,7 @@ For more information on how to use Buildx, see

 Using `buildx` with Docker requires Docker engine 19.03 or newer.

-> **Warning**
->
+> [!WARNING]
 > Using an incompatible version of Docker may result in unexpected behavior,
 > and will likely cause issues, especially when using Buildx builders with more
 > recent versions of BuildKit.
@@ -75,8 +74,7 @@ Docker Engine package repositories contain Docker Buildx packages when installed

 ## Manual download

-> **Important**
->
+> [!IMPORTANT]
 > This section is for unattended installation of the buildx component. These
 > instructions are mostly suitable for testing purposes. We do not recommend
 > installing buildx using manual download in production environments as they
@@ -107,8 +105,7 @@ On Windows:
 * `C:\ProgramData\Docker\cli-plugins`
 * `C:\Program Files\Docker\cli-plugins`

-> **Note**
->
+> [!NOTE]
 > On Unix environments, it may also be necessary to make it executable with `chmod +x`:
 > ```shell
 > $ chmod +x ~/.docker/cli-plugins/docker-buildx
--- a/bake/bake.go
+++ b/bake/bake.go
@@ -7,6 +7,7 @@ import (
 	"path"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"sort"
 	"strconv"
 	"strings"
@@ -25,6 +26,7 @@ import (
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/session/auth/authprovider"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/pkg/errors"
 	"github.com/tonistiigi/go-csvvalue"
 	"github.com/zclconf/go-cty/cty"
@@ -479,7 +481,7 @@ func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[st
 	for _, v := range t.Contexts {
 		if strings.HasPrefix(v, "target:") {
 			target := strings.TrimPrefix(v, "target:")
-			if target == t.Name {
+			if target == name {
 				return errors.Errorf("target %s cannot link to itself", target)
 			}
 			for _, v := range visited {
@@ -501,6 +503,14 @@ func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[st
 			if err := c.loadLinks(target, t2, m, o, visited); err != nil {
 				return err
 			}
+
+			// entitlements are inherited from linked targets
+			for _, ent := range t2.Entitlements {
+				if !slices.Contains(t.Entitlements, ent) {
+					t.Entitlements = append(t.Entitlements, ent)
+				}
+			}
+
 			if len(t.Platforms) > 1 && len(t2.Platforms) > 1 {
 				if !sliceEqual(t.Platforms, t2.Platforms) {
 					return errors.Errorf("target %s can't be used by %s because it is defined for different platforms %v and %v", target, name, t2.Platforms, t.Platforms)
@@ -542,7 +552,7 @@ func (c Config) newOverrides(v []string) (map[string]map[string]Override, error)
 			o := t[kk[1]]

 			switch keys[1] {
-			case "output", "cache-to", "cache-from", "tags", "platform", "secrets", "ssh", "attest":
+			case "output", "cache-to", "cache-from", "tags", "platform", "secrets", "ssh", "attest", "entitlements", "network":
 				if len(parts) == 2 {
 					o.ArrValue = append(o.ArrValue, parts[1])
 				}
@@ -703,11 +713,12 @@ type Target struct {
 	Outputs          []string           `json:"output,omitempty" hcl:"output,optional" cty:"output"`
 	Pull             *bool              `json:"pull,omitempty" hcl:"pull,optional" cty:"pull"`
 	NoCache          *bool              `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
-	NetworkMode      *string            `json:"-" hcl:"-" cty:"-"`
+	NetworkMode      *string            `json:"network,omitempty" hcl:"network,optional" cty:"network"`
 	NoCacheFilter    []string           `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
 	ShmSize          *string            `json:"shm-size,omitempty" hcl:"shm-size,optional"`
 	Ulimits          []string           `json:"ulimits,omitempty" hcl:"ulimits,optional"`
 	Call             *string            `json:"call,omitempty" hcl:"call,optional" cty:"call"`
+	Entitlements     []string           `json:"entitlements,omitempty" hcl:"entitlements,optional" cty:"entitlements"`
 	// IMPORTANT: if you add more fields here, do not forget to update newOverrides/AddOverrides and docs/bake-reference.md.

 	// linked is a private field to mark a target used as a linked one
@@ -732,6 +743,12 @@ func (t *Target) normalize() {
 	t.NoCacheFilter = removeDupes(t.NoCacheFilter)
 	t.Ulimits = removeDupes(t.Ulimits)

+	if t.NetworkMode != nil && *t.NetworkMode == "host" {
+		t.Entitlements = append(t.Entitlements, "network.host")
+	}
+
+	t.Entitlements = removeDupes(t.Entitlements)
+
 	for k, v := range t.Contexts {
 		if v == "" {
 			delete(t.Contexts, k)
@@ -831,6 +848,9 @@ func (t *Target) Merge(t2 *Target) {
 	if t2.Description != "" {
 		t.Description = t2.Description
 	}
+	if t2.Entitlements != nil { // merge
+		t.Entitlements = append(t.Entitlements, t2.Entitlements...)
+	}
 	t.Inherits = append(t.Inherits, t2.Inherits...)
 }

@@ -885,6 +905,8 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.Platforms = o.ArrValue
 		case "output":
 			t.Outputs = o.ArrValue
+		case "entitlements":
+			t.Entitlements = append(t.Entitlements, o.ArrValue...)
 		case "annotations":
 			t.Annotations = append(t.Annotations, o.ArrValue...)
 		case "attest":
@@ -901,6 +923,8 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.ShmSize = &value
 		case "ulimits":
 			t.Ulimits = o.ArrValue
+		case "network":
+			t.NetworkMode = &value
 		case "pull":
 			pull, err := strconv.ParseBool(value)
 			if err != nil {
@@ -1313,7 +1337,7 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	}

 	if t.Call != nil {
-		bo.PrintFunc = &build.PrintFunc{
+		bo.CallFunc = &build.CallFunc{
 			Name: *t.Call,
 		}
 	}
@@ -1368,6 +1392,10 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	}
 	bo.Ulimits = ulimits

+	for _, ent := range t.Entitlements {
+		bo.Allow = append(bo.Allow, entitlements.Entitlement(ent))
+	}
+
 	return bo, nil
 }

--- a/bake/bake_test.go
+++ b/bake/bake_test.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 	"testing"

+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -1726,3 +1727,132 @@ func TestAnnotations(t *testing.T) {
 	require.Len(t, bo["app"].Exports, 1)
 	require.Equal(t, "bar", bo["app"].Exports[0].Attrs["annotation-manifest[linux/amd64].foo"])
 }
+
+func TestHCLEntitlements(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				entitlements = ["security.insecure", "network.host"]
+			}`),
+	}
+	ctx := context.TODO()
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	require.Len(t, m["app"].Entitlements, 2)
+	require.Equal(t, "security.insecure", m["app"].Entitlements[0])
+	require.Equal(t, "network.host", m["app"].Entitlements[1])
+
+	require.Len(t, bo["app"].Allow, 2)
+	require.Equal(t, entitlements.EntitlementSecurityInsecure, bo["app"].Allow[0])
+	require.Equal(t, entitlements.EntitlementNetworkHost, bo["app"].Allow[1])
+}
+
+func TestEntitlementsForNetHostCompose(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				dockerfile = "app.Dockerfile"
+			}`),
+	}
+
+	fp2 := File{
+		Name: "docker-compose.yml",
+		Data: []byte(
+			`services:
+  app:
+    build:
+      network: "host"
+`),
+	}
+
+	ctx := context.TODO()
+	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	require.Len(t, m["app"].Entitlements, 1)
+	require.Equal(t, "network.host", m["app"].Entitlements[0])
+	require.Equal(t, "host", *m["app"].NetworkMode)
+
+	require.Len(t, bo["app"].Allow, 1)
+	require.Equal(t, entitlements.EntitlementNetworkHost, bo["app"].Allow[0])
+	require.Equal(t, "host", bo["app"].NetworkMode)
+}
+
+func TestEntitlementsForNetHost(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				dockerfile = "app.Dockerfile"
+				network = "host"
+			}`),
+	}
+
+	ctx := context.TODO()
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	require.Len(t, m["app"].Entitlements, 1)
+	require.Equal(t, "network.host", m["app"].Entitlements[0])
+	require.Equal(t, "host", *m["app"].NetworkMode)
+
+	require.Len(t, bo["app"].Allow, 1)
+	require.Equal(t, entitlements.EntitlementNetworkHost, bo["app"].Allow[0])
+	require.Equal(t, "host", bo["app"].NetworkMode)
+}
+
+func TestNetNone(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				dockerfile = "app.Dockerfile"
+				network = "none"
+			}`),
+	}
+
+	ctx := context.TODO()
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	require.Len(t, m["app"].Entitlements, 0)
+	require.Equal(t, "none", *m["app"].NetworkMode)
+
+	require.Len(t, bo["app"].Allow, 0)
+	require.Equal(t, "none", bo["app"].NetworkMode)
+}
--- a/bake/entitlements.go
+++ b/bake/entitlements.go
@@ -0,0 +1,175 @@
+package bake
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"slices"
+	"strings"
+
+	"github.com/containerd/console"
+	"github.com/docker/buildx/build"
+	"github.com/moby/buildkit/util/entitlements"
+	"github.com/pkg/errors"
+)
+
+type EntitlementKey string
+
+const (
+	EntitlementKeyNetworkHost      EntitlementKey = "network.host"
+	EntitlementKeySecurityInsecure EntitlementKey = "security.insecure"
+	EntitlementKeyFSRead           EntitlementKey = "fs.read"
+	EntitlementKeyFSWrite          EntitlementKey = "fs.write"
+	EntitlementKeyFS               EntitlementKey = "fs"
+	EntitlementKeyImagePush        EntitlementKey = "image.push"
+	EntitlementKeyImageLoad        EntitlementKey = "image.load"
+	EntitlementKeyImage            EntitlementKey = "image"
+	EntitlementKeySSH              EntitlementKey = "ssh"
+)
+
+type EntitlementConf struct {
+	NetworkHost      bool
+	SecurityInsecure bool
+	FSRead           []string
+	FSWrite          []string
+	ImagePush        []string
+	ImageLoad        []string
+	SSH              bool
+}
+
+func ParseEntitlements(in []string) (EntitlementConf, error) {
+	var conf EntitlementConf
+	for _, e := range in {
+		switch e {
+		case string(EntitlementKeyNetworkHost):
+			conf.NetworkHost = true
+		case string(EntitlementKeySecurityInsecure):
+			conf.SecurityInsecure = true
+		case string(EntitlementKeySSH):
+			conf.SSH = true
+		default:
+			k, v, _ := strings.Cut(e, "=")
+			switch k {
+			case string(EntitlementKeyFSRead):
+				conf.FSRead = append(conf.FSRead, v)
+			case string(EntitlementKeyFSWrite):
+				conf.FSWrite = append(conf.FSWrite, v)
+			case string(EntitlementKeyFS):
+				conf.FSRead = append(conf.FSRead, v)
+				conf.FSWrite = append(conf.FSWrite, v)
+			case string(EntitlementKeyImagePush):
+				conf.ImagePush = append(conf.ImagePush, v)
+			case string(EntitlementKeyImageLoad):
+				conf.ImageLoad = append(conf.ImageLoad, v)
+			case string(EntitlementKeyImage):
+				conf.ImagePush = append(conf.ImagePush, v)
+				conf.ImageLoad = append(conf.ImageLoad, v)
+			default:
+				return conf, errors.Errorf("uknown entitlement key %q", k)
+			}
+
+			// TODO: dedupe slices and parent paths
+		}
+	}
+	return conf, nil
+}
+
+func (c EntitlementConf) Validate(m map[string]build.Options) (EntitlementConf, error) {
+	var expected EntitlementConf
+
+	for _, v := range m {
+		if err := c.check(v, &expected); err != nil {
+			return EntitlementConf{}, err
+		}
+	}
+
+	return expected, nil
+}
+
+func (c EntitlementConf) check(bo build.Options, expected *EntitlementConf) error {
+	for _, e := range bo.Allow {
+		switch e {
+		case entitlements.EntitlementNetworkHost:
+			if !c.NetworkHost {
+				expected.NetworkHost = true
+			}
+		case entitlements.EntitlementSecurityInsecure:
+			if !c.SecurityInsecure {
+				expected.SecurityInsecure = true
+			}
+		}
+	}
+	return nil
+}
+
+func (c EntitlementConf) Prompt(ctx context.Context, out io.Writer) error {
+	var term bool
+	if _, err := console.ConsoleFromFile(os.Stdin); err == nil {
+		term = true
+	}
+
+	var msgs []string
+	var flags []string
+
+	if c.NetworkHost {
+		msgs = append(msgs, " - Running build containers that can access host network")
+		flags = append(flags, "network.host")
+	}
+	if c.SecurityInsecure {
+		msgs = append(msgs, " - Running privileged containers that can make system changes")
+		flags = append(flags, "security.insecure")
+	}
+
+	if len(msgs) == 0 {
+		return nil
+	}
+
+	fmt.Fprintf(out, "Your build is requesting privileges for following possibly insecure capabilities:\n\n")
+	for _, m := range msgs {
+		fmt.Fprintf(out, "%s\n", m)
+	}
+
+	for i, f := range flags {
+		flags[i] = "--allow=" + f
+	}
+
+	if term {
+		fmt.Fprintf(out, "\nIn order to not see this message in the future pass %q to grant requested privileges.\n", strings.Join(flags, " "))
+	} else {
+		fmt.Fprintf(out, "\nPass %q to grant requested privileges.\n", strings.Join(flags, " "))
+	}
+
+	args := append([]string(nil), os.Args...)
+	if v, ok := os.LookupEnv("DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"); ok && v != "" {
+		args[0] = v
+	}
+	idx := slices.Index(args, "bake")
+
+	if idx != -1 {
+		fmt.Fprintf(out, "\nYour full command with requested privileges:\n\n")
+		fmt.Fprintf(out, "%s %s %s\n\n", strings.Join(args[:idx+1], " "), strings.Join(flags, " "), strings.Join(args[idx+1:], " "))
+	}
+
+	if term {
+		fmt.Fprintf(out, "Do you want to grant requested privileges and continue? [y/N] ")
+		reader := bufio.NewReader(os.Stdin)
+		answerCh := make(chan string, 1)
+		go func() {
+			answer, _, _ := reader.ReadLine()
+			answerCh <- string(answer)
+			close(answerCh)
+		}()
+
+		select {
+		case <-ctx.Done():
+		case answer := <-answerCh:
+			if strings.ToLower(string(answer)) == "y" {
+				return nil
+			}
+		}
+	}
+
+	return errors.Errorf("additional privileges requested")
+}
--- a/bake/hcl.go
+++ b/bake/hcl.go
@@ -56,7 +56,7 @@ func formatHCLError(err error, files []File) error {
 					break
 				}
 			}
-			src := errdefs.Source{
+			src := &errdefs.Source{
 				Info: &pb.SourceInfo{
 					Filename: d.Subject.Filename,
 					Data:     dt,
@@ -72,7 +72,7 @@ func formatHCLError(err error, files []File) error {

 func toErrRange(in *hcl.Range) *pb.Range {
 	return &pb.Range{
-		Start: pb.Position{Line: int32(in.Start.Line), Character: int32(in.Start.Column)},
-		End:   pb.Position{Line: int32(in.End.Line), Character: int32(in.End.Column)},
+		Start: &pb.Position{Line: int32(in.Start.Line), Character: int32(in.Start.Column)},
+		End:   &pb.Position{Line: int32(in.End.Line), Character: int32(in.End.Column)},
 	}
 }
--- a/bake/hclparser/hclparser.go
+++ b/bake/hclparser/hclparser.go
@@ -75,7 +75,12 @@ type WithGetName interface {
 	GetName(ectx *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) (string, error)
 }

-var errUndefined = errors.New("undefined")
+// errUndefined is returned when a variable or function is not defined.
+type errUndefined struct{}
+
+func (errUndefined) Error() string {
+	return "undefined"
+}

 func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map[string]struct{}, allowMissing bool) hcl.Diagnostics {
 	fns, hcldiags := funcCalls(exp)
@@ -85,7 +90,7 @@ func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map

 	for _, fn := range fns {
 		if err := p.resolveFunction(ectx, fn); err != nil {
-			if allowMissing && errors.Is(err, errUndefined) {
+			if allowMissing && errors.Is(err, errUndefined{}) {
 				continue
 			}
 			return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
@@ -139,7 +144,7 @@ func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map
 			}
 			for _, block := range blocks {
 				if err := p.resolveBlock(block, target); err != nil {
-					if allowMissing && errors.Is(err, errUndefined) {
+					if allowMissing && errors.Is(err, errUndefined{}) {
 						continue
 					}
 					return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
@@ -147,7 +152,7 @@ func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map
 			}
 		} else {
 			if err := p.resolveValue(ectx, v.RootName()); err != nil {
-				if allowMissing && errors.Is(err, errUndefined) {
+				if allowMissing && errors.Is(err, errUndefined{}) {
 					continue
 				}
 				return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
@@ -169,7 +174,7 @@ func (p *parser) resolveFunction(ectx *hcl.EvalContext, name string) error {
 	}
 	f, ok := p.funcs[name]
 	if !ok {
-		return errors.Wrapf(errUndefined, "function %q does not exist", name)
+		return errors.Wrapf(errUndefined{}, "function %q does not exist", name)
 	}
 	if _, ok := p.progressF[key(ectx, name)]; ok {
 		return errors.Errorf("function cycle not allowed for %s", name)
@@ -259,7 +264,7 @@ func (p *parser) resolveValue(ectx *hcl.EvalContext, name string) (err error) {
 	if _, builtin := p.opt.Vars[name]; !ok && !builtin {
 		vr, ok := p.vars[name]
 		if !ok {
-			return errors.Wrapf(errUndefined, "variable %q does not exist", name)
+			return errors.Wrapf(errUndefined{}, "variable %q does not exist", name)
 		}
 		def = vr.Default
 		ectx = p.ectx
--- a/bake/hclparser/stdlib.go
+++ b/bake/hclparser/stdlib.go
@@ -1,6 +1,9 @@
 package hclparser

 import (
+	"errors"
+	"path"
+	"strings"
 	"time"

 	"github.com/hashicorp/go-cty-funcs/cidr"
@@ -9,174 +12,251 @@ import (
 	"github.com/hashicorp/go-cty-funcs/uuid"
 	"github.com/hashicorp/hcl/v2/ext/tryfunc"
 	"github.com/hashicorp/hcl/v2/ext/typeexpr"
-	"github.com/pkg/errors"
 	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/function"
 	"github.com/zclconf/go-cty/cty/function/stdlib"
 )

-var stdlibFunctions = map[string]function.Function{
-	"absolute":               stdlib.AbsoluteFunc,
-	"add":                    stdlib.AddFunc,
-	"and":                    stdlib.AndFunc,
-	"base64decode":           encoding.Base64DecodeFunc,
-	"base64encode":           encoding.Base64EncodeFunc,
-	"bcrypt":                 crypto.BcryptFunc,
-	"byteslen":               stdlib.BytesLenFunc,
-	"bytesslice":             stdlib.BytesSliceFunc,
-	"can":                    tryfunc.CanFunc,
-	"ceil":                   stdlib.CeilFunc,
-	"chomp":                  stdlib.ChompFunc,
-	"chunklist":              stdlib.ChunklistFunc,
-	"cidrhost":               cidr.HostFunc,
-	"cidrnetmask":            cidr.NetmaskFunc,
-	"cidrsubnet":             cidr.SubnetFunc,
-	"cidrsubnets":            cidr.SubnetsFunc,
-	"coalesce":               stdlib.CoalesceFunc,
-	"coalescelist":           stdlib.CoalesceListFunc,
-	"compact":                stdlib.CompactFunc,
-	"concat":                 stdlib.ConcatFunc,
-	"contains":               stdlib.ContainsFunc,
-	"convert":                typeexpr.ConvertFunc,
-	"csvdecode":              stdlib.CSVDecodeFunc,
-	"distinct":               stdlib.DistinctFunc,
-	"divide":                 stdlib.DivideFunc,
-	"element":                stdlib.ElementFunc,
-	"equal":                  stdlib.EqualFunc,
-	"flatten":                stdlib.FlattenFunc,
-	"floor":                  stdlib.FloorFunc,
-	"format":                 stdlib.FormatFunc,
-	"formatdate":             stdlib.FormatDateFunc,
-	"formatlist":             stdlib.FormatListFunc,
-	"greaterthan":            stdlib.GreaterThanFunc,
-	"greaterthanorequalto":   stdlib.GreaterThanOrEqualToFunc,
-	"hasindex":               stdlib.HasIndexFunc,
-	"indent":                 stdlib.IndentFunc,
-	"index":                  stdlib.IndexFunc,
-	"indexof":                indexOfFunc,
-	"int":                    stdlib.IntFunc,
-	"join":                   stdlib.JoinFunc,
-	"jsondecode":             stdlib.JSONDecodeFunc,
-	"jsonencode":             stdlib.JSONEncodeFunc,
-	"keys":                   stdlib.KeysFunc,
-	"length":                 stdlib.LengthFunc,
-	"lessthan":               stdlib.LessThanFunc,
-	"lessthanorequalto":      stdlib.LessThanOrEqualToFunc,
-	"log":                    stdlib.LogFunc,
-	"lookup":                 stdlib.LookupFunc,
-	"lower":                  stdlib.LowerFunc,
-	"max":                    stdlib.MaxFunc,
-	"md5":                    crypto.Md5Func,
-	"merge":                  stdlib.MergeFunc,
-	"min":                    stdlib.MinFunc,
-	"modulo":                 stdlib.ModuloFunc,
-	"multiply":               stdlib.MultiplyFunc,
-	"negate":                 stdlib.NegateFunc,
-	"not":                    stdlib.NotFunc,
-	"notequal":               stdlib.NotEqualFunc,
-	"or":                     stdlib.OrFunc,
-	"parseint":               stdlib.ParseIntFunc,
-	"pow":                    stdlib.PowFunc,
-	"range":                  stdlib.RangeFunc,
-	"regex_replace":          stdlib.RegexReplaceFunc,
-	"regex":                  stdlib.RegexFunc,
-	"regexall":               stdlib.RegexAllFunc,
-	"replace":                stdlib.ReplaceFunc,
-	"reverse":                stdlib.ReverseFunc,
-	"reverselist":            stdlib.ReverseListFunc,
-	"rsadecrypt":             crypto.RsaDecryptFunc,
-	"sethaselement":          stdlib.SetHasElementFunc,
-	"setintersection":        stdlib.SetIntersectionFunc,
-	"setproduct":             stdlib.SetProductFunc,
-	"setsubtract":            stdlib.SetSubtractFunc,
-	"setsymmetricdifference": stdlib.SetSymmetricDifferenceFunc,
-	"setunion":               stdlib.SetUnionFunc,
-	"sha1":                   crypto.Sha1Func,
-	"sha256":                 crypto.Sha256Func,
-	"sha512":                 crypto.Sha512Func,
-	"signum":                 stdlib.SignumFunc,
-	"slice":                  stdlib.SliceFunc,
-	"sort":                   stdlib.SortFunc,
-	"split":                  stdlib.SplitFunc,
-	"strlen":                 stdlib.StrlenFunc,
-	"substr":                 stdlib.SubstrFunc,
-	"subtract":               stdlib.SubtractFunc,
-	"timeadd":                stdlib.TimeAddFunc,
-	"timestamp":              timestampFunc,
-	"title":                  stdlib.TitleFunc,
-	"trim":                   stdlib.TrimFunc,
-	"trimprefix":             stdlib.TrimPrefixFunc,
-	"trimspace":              stdlib.TrimSpaceFunc,
-	"trimsuffix":             stdlib.TrimSuffixFunc,
-	"try":                    tryfunc.TryFunc,
-	"upper":                  stdlib.UpperFunc,
-	"urlencode":              encoding.URLEncodeFunc,
-	"uuidv4":                 uuid.V4Func,
-	"uuidv5":                 uuid.V5Func,
-	"values":                 stdlib.ValuesFunc,
-	"zipmap":                 stdlib.ZipmapFunc,
+type funcDef struct {
+	name    string
+	fn      function.Function
+	factory func() function.Function
+}
+
+var stdlibFunctions = []funcDef{
+	{name: "absolute", fn: stdlib.AbsoluteFunc},
+	{name: "add", fn: stdlib.AddFunc},
+	{name: "and", fn: stdlib.AndFunc},
+	{name: "base64decode", fn: encoding.Base64DecodeFunc},
+	{name: "base64encode", fn: encoding.Base64EncodeFunc},
+	{name: "basename", factory: basenameFunc},
+	{name: "bcrypt", fn: crypto.BcryptFunc},
+	{name: "byteslen", fn: stdlib.BytesLenFunc},
+	{name: "bytesslice", fn: stdlib.BytesSliceFunc},
+	{name: "can", fn: tryfunc.CanFunc},
+	{name: "ceil", fn: stdlib.CeilFunc},
+	{name: "chomp", fn: stdlib.ChompFunc},
+	{name: "chunklist", fn: stdlib.ChunklistFunc},
+	{name: "cidrhost", fn: cidr.HostFunc},
+	{name: "cidrnetmask", fn: cidr.NetmaskFunc},
+	{name: "cidrsubnet", fn: cidr.SubnetFunc},
+	{name: "cidrsubnets", fn: cidr.SubnetsFunc},
+	{name: "coalesce", fn: stdlib.CoalesceFunc},
+	{name: "coalescelist", fn: stdlib.CoalesceListFunc},
+	{name: "compact", fn: stdlib.CompactFunc},
+	{name: "concat", fn: stdlib.ConcatFunc},
+	{name: "contains", fn: stdlib.ContainsFunc},
+	{name: "convert", fn: typeexpr.ConvertFunc},
+	{name: "csvdecode", fn: stdlib.CSVDecodeFunc},
+	{name: "dirname", factory: dirnameFunc},
+	{name: "distinct", fn: stdlib.DistinctFunc},
+	{name: "divide", fn: stdlib.DivideFunc},
+	{name: "element", fn: stdlib.ElementFunc},
+	{name: "equal", fn: stdlib.EqualFunc},
+	{name: "flatten", fn: stdlib.FlattenFunc},
+	{name: "floor", fn: stdlib.FloorFunc},
+	{name: "format", fn: stdlib.FormatFunc},
+	{name: "formatdate", fn: stdlib.FormatDateFunc},
+	{name: "formatlist", fn: stdlib.FormatListFunc},
+	{name: "greaterthan", fn: stdlib.GreaterThanFunc},
+	{name: "greaterthanorequalto", fn: stdlib.GreaterThanOrEqualToFunc},
+	{name: "hasindex", fn: stdlib.HasIndexFunc},
+	{name: "indent", fn: stdlib.IndentFunc},
+	{name: "index", fn: stdlib.IndexFunc},
+	{name: "indexof", factory: indexOfFunc},
+	{name: "int", fn: stdlib.IntFunc},
+	{name: "join", fn: stdlib.JoinFunc},
+	{name: "jsondecode", fn: stdlib.JSONDecodeFunc},
+	{name: "jsonencode", fn: stdlib.JSONEncodeFunc},
+	{name: "keys", fn: stdlib.KeysFunc},
+	{name: "length", fn: stdlib.LengthFunc},
+	{name: "lessthan", fn: stdlib.LessThanFunc},
+	{name: "lessthanorequalto", fn: stdlib.LessThanOrEqualToFunc},
+	{name: "log", fn: stdlib.LogFunc},
+	{name: "lookup", fn: stdlib.LookupFunc},
+	{name: "lower", fn: stdlib.LowerFunc},
+	{name: "max", fn: stdlib.MaxFunc},
+	{name: "md5", fn: crypto.Md5Func},
+	{name: "merge", fn: stdlib.MergeFunc},
+	{name: "min", fn: stdlib.MinFunc},
+	{name: "modulo", fn: stdlib.ModuloFunc},
+	{name: "multiply", fn: stdlib.MultiplyFunc},
+	{name: "negate", fn: stdlib.NegateFunc},
+	{name: "not", fn: stdlib.NotFunc},
+	{name: "notequal", fn: stdlib.NotEqualFunc},
+	{name: "or", fn: stdlib.OrFunc},
+	{name: "parseint", fn: stdlib.ParseIntFunc},
+	{name: "pow", fn: stdlib.PowFunc},
+	{name: "range", fn: stdlib.RangeFunc},
+	{name: "regex_replace", fn: stdlib.RegexReplaceFunc},
+	{name: "regex", fn: stdlib.RegexFunc},
+	{name: "regexall", fn: stdlib.RegexAllFunc},
+	{name: "replace", fn: stdlib.ReplaceFunc},
+	{name: "reverse", fn: stdlib.ReverseFunc},
+	{name: "reverselist", fn: stdlib.ReverseListFunc},
+	{name: "rsadecrypt", fn: crypto.RsaDecryptFunc},
+	{name: "sanitize", factory: sanitizeFunc},
+	{name: "sethaselement", fn: stdlib.SetHasElementFunc},
+	{name: "setintersection", fn: stdlib.SetIntersectionFunc},
+	{name: "setproduct", fn: stdlib.SetProductFunc},
+	{name: "setsubtract", fn: stdlib.SetSubtractFunc},
+	{name: "setsymmetricdifference", fn: stdlib.SetSymmetricDifferenceFunc},
+	{name: "setunion", fn: stdlib.SetUnionFunc},
+	{name: "sha1", fn: crypto.Sha1Func},
+	{name: "sha256", fn: crypto.Sha256Func},
+	{name: "sha512", fn: crypto.Sha512Func},
+	{name: "signum", fn: stdlib.SignumFunc},
+	{name: "slice", fn: stdlib.SliceFunc},
+	{name: "sort", fn: stdlib.SortFunc},
+	{name: "split", fn: stdlib.SplitFunc},
+	{name: "strlen", fn: stdlib.StrlenFunc},
+	{name: "substr", fn: stdlib.SubstrFunc},
+	{name: "subtract", fn: stdlib.SubtractFunc},
+	{name: "timeadd", fn: stdlib.TimeAddFunc},
+	{name: "timestamp", factory: timestampFunc},
+	{name: "title", fn: stdlib.TitleFunc},
+	{name: "trim", fn: stdlib.TrimFunc},
+	{name: "trimprefix", fn: stdlib.TrimPrefixFunc},
+	{name: "trimspace", fn: stdlib.TrimSpaceFunc},
+	{name: "trimsuffix", fn: stdlib.TrimSuffixFunc},
+	{name: "try", fn: tryfunc.TryFunc},
+	{name: "upper", fn: stdlib.UpperFunc},
+	{name: "urlencode", fn: encoding.URLEncodeFunc},
+	{name: "uuidv4", fn: uuid.V4Func},
+	{name: "uuidv5", fn: uuid.V5Func},
+	{name: "values", fn: stdlib.ValuesFunc},
+	{name: "zipmap", fn: stdlib.ZipmapFunc},
 }

 // indexOfFunc constructs a function that finds the element index for a given
 // value in a list.
-var indexOfFunc = function.New(&function.Spec{
-	Params: []function.Parameter{
-		{
-			Name: "list",
-			Type: cty.DynamicPseudoType,
+func indexOfFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "list",
+				Type: cty.DynamicPseudoType,
+			},
+			{
+				Name: "value",
+				Type: cty.DynamicPseudoType,
+			},
 		},
-		{
-			Name: "value",
-			Type: cty.DynamicPseudoType,
-		},
-	},
-	Type: function.StaticReturnType(cty.Number),
-	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
-		if !(args[0].Type().IsListType() || args[0].Type().IsTupleType()) {
-			return cty.NilVal, errors.New("argument must be a list or tuple")
-		}
-
-		if !args[0].IsKnown() {
-			return cty.UnknownVal(cty.Number), nil
-		}
-
-		if args[0].LengthInt() == 0 { // Easy path
-			return cty.NilVal, errors.New("cannot search an empty list")
-		}
-
-		for it := args[0].ElementIterator(); it.Next(); {
-			i, v := it.Element()
-			eq, err := stdlib.Equal(v, args[1])
-			if err != nil {
-				return cty.NilVal, err
+		Type: function.StaticReturnType(cty.Number),
+		Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+			if !(args[0].Type().IsListType() || args[0].Type().IsTupleType()) {
+				return cty.NilVal, errors.New("argument must be a list or tuple")
 			}
-			if !eq.IsKnown() {
+
+			if !args[0].IsKnown() {
 				return cty.UnknownVal(cty.Number), nil
 			}
-			if eq.True() {
-				return i, nil
-			}
-		}
-		return cty.NilVal, errors.New("item not found")

-	},
-})
+			if args[0].LengthInt() == 0 { // Easy path
+				return cty.NilVal, errors.New("cannot search an empty list")
+			}
+
+			for it := args[0].ElementIterator(); it.Next(); {
+				i, v := it.Element()
+				eq, err := stdlib.Equal(v, args[1])
+				if err != nil {
+					return cty.NilVal, err
+				}
+				if !eq.IsKnown() {
+					return cty.UnknownVal(cty.Number), nil
+				}
+				if eq.True() {
+					return i, nil
+				}
+			}
+			return cty.NilVal, errors.New("item not found")
+
+		},
+	})
+}
+
+// basenameFunc constructs a function that returns the last element of a path.
+func basenameFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "path",
+				Type: cty.String,
+			},
+		},
+		Type: function.StaticReturnType(cty.String),
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			in := args[0].AsString()
+			return cty.StringVal(path.Base(in)), nil
+		},
+	})
+}
+
+// dirnameFunc constructs a function that returns the directory of a path.
+func dirnameFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "path",
+				Type: cty.String,
+			},
+		},
+		Type: function.StaticReturnType(cty.String),
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			in := args[0].AsString()
+			return cty.StringVal(path.Dir(in)), nil
+		},
+	})
+}
+
+// sanitizyFunc constructs a function that replaces all non-alphanumeric characters with a underscore,
+// leaving only characters that are valid for a Bake target name.
+func sanitizeFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "name",
+				Type: cty.String,
+			},
+		},
+		Type: function.StaticReturnType(cty.String),
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			in := args[0].AsString()
+			// only [a-zA-Z0-9_-]+ is allowed
+			var b strings.Builder
+			for _, r := range in {
+				if r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '_' || r == '-' {
+					b.WriteRune(r)
+				} else {
+					b.WriteRune('_')
+				}
+			}
+			return cty.StringVal(b.String()), nil
+		},
+	})
+}

 // timestampFunc constructs a function that returns a string representation of the current date and time.
 //
 // This function was imported from terraform's datetime utilities.
-var timestampFunc = function.New(&function.Spec{
-	Params: []function.Parameter{},
-	Type:   function.StaticReturnType(cty.String),
-	Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
-		return cty.StringVal(time.Now().UTC().Format(time.RFC3339)), nil
-	},
-})
+func timestampFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{},
+		Type:   function.StaticReturnType(cty.String),
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			return cty.StringVal(time.Now().UTC().Format(time.RFC3339)), nil
+		},
+	})
+}

 func Stdlib() map[string]function.Function {
 	funcs := make(map[string]function.Function, len(stdlibFunctions))
-	for k, v := range stdlibFunctions {
-		funcs[k] = v
+	for _, v := range stdlibFunctions {
+		if v.factory != nil {
+			funcs[v.name] = v.factory()
+		} else {
+			funcs[v.name] = v.fn
+		}
 	}
 	return funcs
 }
--- a/bake/hclparser/stdlib_test.go
+++ b/bake/hclparser/stdlib_test.go
@@ -3,6 +3,7 @@ package hclparser
 import (
 	"testing"

+	"github.com/stretchr/testify/require"
 	"github.com/zclconf/go-cty/cty"
 )

@@ -34,16 +35,165 @@ func TestIndexOf(t *testing.T) {
 	for name, test := range tests {
 		name, test := name, test
 		t.Run(name, func(t *testing.T) {
-			got, err := indexOfFunc.Call([]cty.Value{test.input, test.key})
-			if err != nil {
-				if test.wantErr {
-					return
-				}
-				t.Fatalf("unexpected error: %s", err)
-			}
-			if !got.RawEquals(test.want) {
-				t.Errorf("wrong result\ngot:  %#v\nwant: %#v", got, test.want)
+			got, err := indexOfFunc().Call([]cty.Value{test.input, test.key})
+			if test.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, test.want, got)
 			}
 		})
 	}
 }
+
+func TestBasename(t *testing.T) {
+	type testCase struct {
+		input   cty.Value
+		want    cty.Value
+		wantErr bool
+	}
+	tests := map[string]testCase{
+		"empty": {
+			input: cty.StringVal(""),
+			want:  cty.StringVal("."),
+		},
+		"slash": {
+			input: cty.StringVal("/"),
+			want:  cty.StringVal("/"),
+		},
+		"simple": {
+			input: cty.StringVal("/foo/bar"),
+			want:  cty.StringVal("bar"),
+		},
+		"simple no slash": {
+			input: cty.StringVal("foo/bar"),
+			want:  cty.StringVal("bar"),
+		},
+		"dot": {
+			input: cty.StringVal("/foo/bar."),
+			want:  cty.StringVal("bar."),
+		},
+		"dotdot": {
+			input: cty.StringVal("/foo/bar.."),
+			want:  cty.StringVal("bar.."),
+		},
+		"dotdotdot": {
+			input: cty.StringVal("/foo/bar..."),
+			want:  cty.StringVal("bar..."),
+		},
+	}
+
+	for name, test := range tests {
+		name, test := name, test
+		t.Run(name, func(t *testing.T) {
+			got, err := basenameFunc().Call([]cty.Value{test.input})
+			if test.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, test.want, got)
+			}
+		})
+	}
+}
+
+func TestDirname(t *testing.T) {
+	type testCase struct {
+		input   cty.Value
+		want    cty.Value
+		wantErr bool
+	}
+	tests := map[string]testCase{
+		"empty": {
+			input: cty.StringVal(""),
+			want:  cty.StringVal("."),
+		},
+		"slash": {
+			input: cty.StringVal("/"),
+			want:  cty.StringVal("/"),
+		},
+		"simple": {
+			input: cty.StringVal("/foo/bar"),
+			want:  cty.StringVal("/foo"),
+		},
+		"simple no slash": {
+			input: cty.StringVal("foo/bar"),
+			want:  cty.StringVal("foo"),
+		},
+		"dot": {
+			input: cty.StringVal("/foo/bar."),
+			want:  cty.StringVal("/foo"),
+		},
+		"dotdot": {
+			input: cty.StringVal("/foo/bar.."),
+			want:  cty.StringVal("/foo"),
+		},
+		"dotdotdot": {
+			input: cty.StringVal("/foo/bar..."),
+			want:  cty.StringVal("/foo"),
+		},
+	}
+
+	for name, test := range tests {
+		name, test := name, test
+		t.Run(name, func(t *testing.T) {
+			got, err := dirnameFunc().Call([]cty.Value{test.input})
+			if test.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, test.want, got)
+			}
+		})
+	}
+}
+
+func TestSanitize(t *testing.T) {
+	type testCase struct {
+		input cty.Value
+		want  cty.Value
+	}
+	tests := map[string]testCase{
+		"empty": {
+			input: cty.StringVal(""),
+			want:  cty.StringVal(""),
+		},
+		"simple": {
+			input: cty.StringVal("foo/bar"),
+			want:  cty.StringVal("foo_bar"),
+		},
+		"simple no slash": {
+			input: cty.StringVal("foobar"),
+			want:  cty.StringVal("foobar"),
+		},
+		"dot": {
+			input: cty.StringVal("foo/bar."),
+			want:  cty.StringVal("foo_bar_"),
+		},
+		"dotdot": {
+			input: cty.StringVal("foo/bar.."),
+			want:  cty.StringVal("foo_bar__"),
+		},
+		"dotdotdot": {
+			input: cty.StringVal("foo/bar..."),
+			want:  cty.StringVal("foo_bar___"),
+		},
+		"utf8": {
+			input: cty.StringVal("foo/🍕bar"),
+			want:  cty.StringVal("foo__bar"),
+		},
+		"symbols": {
+			input: cty.StringVal("foo/bar!@(ba+z)"),
+			want:  cty.StringVal("foo_bar___ba_z_"),
+		},
+	}
+
+	for name, test := range tests {
+		name, test := name, test
+		t.Run(name, func(t *testing.T) {
+			got, err := sanitizeFunc().Call([]cty.Value{test.input})
+			require.NoError(t, err)
+			require.Equal(t, test.want, got)
+		})
+	}
+}
--- a/bake/remote.go
+++ b/bake/remote.go
@@ -11,6 +11,7 @@ import (
 	controllerapi "github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/util/progress"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/frontend/dockerui"
@@ -19,6 +20,8 @@ import (
 	"github.com/pkg/errors"
 )

+const maxBakeDefinitionSize = 2 * 1024 * 1024 // 2 MB
+
 type Input struct {
 	State *llb.State
 	URL   string
@@ -106,7 +109,6 @@ func ReadRemoteFiles(ctx context.Context, nodes []builder.Node, url string, name
 		}
 		return nil, err
 	}, ch)
-
 	if err != nil {
 		return nil, nil, err
 	}
@@ -178,9 +180,9 @@ func filesFromURLRef(ctx context.Context, c gwclient.Client, ref gwclient.Refere
 	name := inp.URL
 	inp.URL = ""

-	if len(dt) > stat.Size() {
-		if stat.Size() > 1024*512 {
-			return nil, errors.Errorf("non-archive definition URL bigger than maximum allowed size")
+	if int64(len(dt)) > stat.Size {
+		if stat.Size > maxBakeDefinitionSize {
+			return nil, errors.Errorf("non-archive definition URL bigger than maximum allowed size (%s)", units.HumanSize(maxBakeDefinitionSize))
 		}

 		dt, err = ref.ReadFile(ctx, gwclient.ReadRequest{
--- a/build/build.go
+++ b/build/build.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -34,6 +35,7 @@ import (
 	gateway "github.com/moby/buildkit/frontend/gateway/client"
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/filesync"
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/solver/pb"
 	spb "github.com/moby/buildkit/sourcepolicy/pb"
@@ -44,18 +46,16 @@ import (
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"github.com/tonistiigi/fsutil"
+	fstypes "github.com/tonistiigi/fsutil/types"
 	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/sync/errgroup"
-)
-
-var (
-	errStdinConflict      = errors.New("invalid argument: can't use stdin for both build context and dockerfile")
-	errDockerfileConflict = errors.New("ambiguous Dockerfile source: both stdin and flag correspond to Dockerfiles")
+	"google.golang.org/protobuf/proto"
 )

 const (
-	printFallbackImage     = "docker/dockerfile:1.5@sha256:dbbd5e059e8a07ff7ea6233b213b36aa516b4c53c645f1817a4dd18b83cbea56"
-	printLintFallbackImage = "docker.io/docker/dockerfile-upstream:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd"
+	printFallbackImage     = "docker/dockerfile:1.7.1@sha256:a57df69d0ea827fb7266491f2813635de6f17269be881f696fbfdf2d83dda33e"
+	printLintFallbackImage = "docker/dockerfile:1.8.1@sha256:e87caa74dcb7d46cd820352bfea12591f3dba3ddc4285e19c7dcd13359f7cefd"
 )

 type Options struct {
@@ -83,13 +83,13 @@ type Options struct {

 	Session                []session.Attachable
 	Linked                 bool // Linked marks this target as exclusively linked (not requested by the user).
-	PrintFunc              *PrintFunc
+	CallFunc               *CallFunc
 	ProvenanceResponseMode confutil.MetadataProvenanceMode
 	SourcePolicy           *spb.Policy
 	GroupRef               string
 }

-type PrintFunc struct {
+type CallFunc struct {
 	Name         string
 	Format       string
 	IgnoreStatus bool
@@ -98,10 +98,13 @@ type PrintFunc struct {
 type Inputs struct {
 	ContextPath      string
 	DockerfilePath   string
-	InStream         io.Reader
+	InStream         *SyncMultiReader
 	ContextState     *llb.State
 	DockerfileInline string
 	NamedContexts    map[string]NamedContext
+	// DockerfileMappingSrc and DockerfileMappingDst are filled in by the builder.
+	DockerfileMappingSrc string
+	DockerfileMappingDst string
 }

 type NamedContext struct {
@@ -148,11 +151,11 @@ func toRepoOnly(in string) (string, error) {
 	return strings.Join(out, ","), nil
 }

-func Build(ctx context.Context, nodes []builder.Node, opt map[string]Options, docker *dockerutil.Client, configDir string, w progress.Writer) (resp map[string]*client.SolveResponse, err error) {
-	return BuildWithResultHandler(ctx, nodes, opt, docker, configDir, w, nil)
+func Build(ctx context.Context, nodes []builder.Node, opts map[string]Options, docker *dockerutil.Client, configDir string, w progress.Writer) (resp map[string]*client.SolveResponse, err error) {
+	return BuildWithResultHandler(ctx, nodes, opts, docker, configDir, w, nil)
 }

-func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[string]Options, docker *dockerutil.Client, configDir string, w progress.Writer, resultHandleFunc func(driverIndex int, rCtx *ResultHandle)) (resp map[string]*client.SolveResponse, err error) {
+func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opts map[string]Options, docker *dockerutil.Client, configDir string, w progress.Writer, resultHandleFunc func(driverIndex int, rCtx *ResultHandle)) (resp map[string]*client.SolveResponse, err error) {
 	if len(nodes) == 0 {
 		return nil, errors.Errorf("driver required for build")
 	}
@@ -170,9 +173,9 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 		}
 	}

-	if noMobyDriver != nil && !noDefaultLoad() && noPrintFunc(opt) {
+	if noMobyDriver != nil && !noDefaultLoad() && noCallFunc(opts) {
 		var noOutputTargets []string
-		for name, opt := range opt {
+		for name, opt := range opts {
 			if noMobyDriver.Features(ctx)[driver.DefaultLoad] {
 				continue
 			}
@@ -193,7 +196,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 		}
 	}

-	drivers, err := resolveDrivers(ctx, nodes, opt, w)
+	drivers, err := resolveDrivers(ctx, nodes, opts, w)
 	if err != nil {
 		return nil, err
 	}
@@ -210,10 +213,10 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 	reqForNodes := make(map[string][]*reqForNode)
 	eg, ctx := errgroup.WithContext(ctx)

-	for k, opt := range opt {
+	for k, opt := range opts {
 		multiDriver := len(drivers[k]) > 1
 		hasMobyDriver := false
-		gitattrs, addVCSLocalDir, err := getGitAttributes(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath)
+		addGitAttrs, err := getGitAttributes(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath)
 		if err != nil {
 			logrus.WithError(err).Warn("current commit information was not captured by the build")
 		}
@@ -230,16 +233,16 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 			if err != nil {
 				return nil, err
 			}
-			so, release, err := toSolveOpt(ctx, np.Node(), multiDriver, opt, gatewayOpts, configDir, addVCSLocalDir, w, docker)
+			localOpt := opt
+			so, release, err := toSolveOpt(ctx, np.Node(), multiDriver, &localOpt, gatewayOpts, configDir, w, docker)
+			opts[k] = localOpt
 			if err != nil {
 				return nil, err
 			}
 			if err := saveLocalState(so, k, opt, np.Node(), configDir); err != nil {
 				return nil, err
 			}
-			for k, v := range gitattrs {
-				so.FrontendAttrs[k] = v
-			}
+			addGitAttrs(so)
 			defers = append(defers, release)
 			reqn = append(reqn, &reqForNode{
 				resolvedNode: np,
@@ -272,7 +275,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 	}

 	// validate that all links between targets use same drivers
-	for name := range opt {
+	for name := range opts {
 		dps := reqForNodes[name]
 		for i, dp := range dps {
 			so := reqForNodes[name][i].so
@@ -298,15 +301,21 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 		}
 	}

+	sharedSessions, err := detectSharedMounts(ctx, reqForNodes)
+	if err != nil {
+		return nil, err
+	}
+	sharedSessionsWG := map[string]*sync.WaitGroup{}
+
 	resp = map[string]*client.SolveResponse{}
 	var respMu sync.Mutex
 	results := waitmap.New()

-	multiTarget := len(opt) > 1
-	childTargets := calculateChildTargets(reqForNodes, opt)
+	multiTarget := len(opts) > 1
+	childTargets := calculateChildTargets(reqForNodes, opts)

-	for k, opt := range opt {
-		err := func(k string) error {
+	for k, opt := range opts {
+		err := func(k string) (err error) {
 			opt := opt
 			dps := drivers[k]
 			multiDriver := len(drivers[k]) > 1
@@ -318,6 +327,12 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 			}
 			baseCtx := ctx

+			if multiTarget {
+				defer func() {
+					err = errors.Wrapf(err, "target %s", k)
+				}()
+			}
+
 			res := make([]*client.SolveResponse, len(dps))
 			eg2, ctx := errgroup.WithContext(ctx)

@@ -362,7 +377,37 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 				if err != nil {
 					return err
 				}
+
+				var done func()
+				if sessions, ok := sharedSessions[node.Name]; ok {
+					wg, ok := sharedSessionsWG[node.Name]
+					if ok {
+						wg.Add(1)
+					} else {
+						wg = &sync.WaitGroup{}
+						wg.Add(1)
+						sharedSessionsWG[node.Name] = wg
+						for _, s := range sessions {
+							s := s
+							eg.Go(func() error {
+								return s.Run(baseCtx, c.Dialer())
+							})
+						}
+						go func() {
+							wg.Wait()
+							for _, s := range sessions {
+								s.Close()
+							}
+						}()
+					}
+					done = wg.Done
+				}
+
 				eg2.Go(func() error {
+					if done != nil {
+						defer done()
+					}
+
 					pw = progress.ResetTime(pw)

 					if err := waitContextDeps(ctx, dp.driverIndex, results, so); err != nil {
@@ -393,15 +438,15 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 					defer func() { <-done }()

 					cc := c
-					var printRes map[string][]byte
+					var callRes map[string][]byte
 					buildFunc := func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
-						if opt.PrintFunc != nil {
+						if opt.CallFunc != nil {
 							if _, ok := req.FrontendOpt["frontend.caps"]; !ok {
 								req.FrontendOpt["frontend.caps"] = "moby.buildkit.frontend.subrequests+forward"
 							} else {
 								req.FrontendOpt["frontend.caps"] += ",moby.buildkit.frontend.subrequests+forward"
 							}
-							req.FrontendOpt["requestid"] = "frontend." + opt.PrintFunc.Name
+							req.FrontendOpt["requestid"] = "frontend." + opt.CallFunc.Name
 						}

 						res, err := c.Solve(ctx, req)
@@ -417,8 +462,8 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 								return nil, err
 							}
 						}
-						if opt.PrintFunc != nil {
-							printRes = res.Metadata
+						if opt.CallFunc != nil {
+							callRes = res.Metadata
 						}

 						rKey := resultKey(dp.driverIndex, k)
@@ -474,13 +519,15 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 					if rr.ExporterResponse == nil {
 						rr.ExporterResponse = map[string]string{}
 					}
-					for k, v := range printRes {
+					for k, v := range callRes {
 						rr.ExporterResponse[k] = string(v)
 					}
-					rr.ExporterResponse["buildx.build.ref"] = buildRef
-					if node.Driver.HistoryAPISupported(ctx) {
-						if err := setRecordProvenance(ctx, c, rr, so.Ref, opt.ProvenanceResponseMode, pw); err != nil {
-							return err
+					if opt.CallFunc == nil {
+						rr.ExporterResponse["buildx.build.ref"] = buildRef
+						if node.Driver.HistoryAPISupported(ctx) {
+							if err := setRecordProvenance(ctx, c, rr, so.Ref, opt.ProvenanceResponseMode, pw); err != nil {
+								return err
+							}
 						}
 					}

@@ -530,6 +577,13 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 						tracing.FinishWithError(span, err)
 					}
 				}()
+
+				if multiTarget {
+					defer func() {
+						err = errors.Wrapf(err, "target %s", k)
+					}()
+				}
+
 				pw := progress.WithPrefix(w, "default", false)
 				if err := eg2.Wait(); err != nil {
 					return err
@@ -793,6 +847,124 @@ func resultKey(index int, name string) string {
 	return fmt.Sprintf("%d-%s", index, name)
 }

+// detectSharedMounts looks for same local mounts used by multiple requests to the same node
+// and creates a separate session that will be used by all detected requests.
+func detectSharedMounts(ctx context.Context, reqs map[string][]*reqForNode) (_ map[string][]*session.Session, err error) {
+	type fsTracker struct {
+		fs fsutil.FS
+		so []*client.SolveOpt
+	}
+	type fsKey struct {
+		name string
+		dir  string
+	}
+
+	m := map[string]map[fsKey]*fsTracker{}
+	for _, reqs := range reqs {
+		for _, req := range reqs {
+			nodeName := req.resolvedNode.Node().Name
+			if _, ok := m[nodeName]; !ok {
+				m[nodeName] = map[fsKey]*fsTracker{}
+			}
+			fsMap := m[nodeName]
+			for name, m := range req.so.LocalMounts {
+				fs, ok := m.(*fs)
+				if !ok {
+					continue
+				}
+				key := fsKey{name: name, dir: fs.dir}
+				if _, ok := fsMap[key]; !ok {
+					fsMap[key] = &fsTracker{fs: fs.FS}
+				}
+				fsMap[key].so = append(fsMap[key].so, req.so)
+			}
+		}
+	}
+
+	type sharedSession struct {
+		*session.Session
+		fsMap map[string]fsutil.FS
+	}
+
+	sessionMap := map[string][]*sharedSession{}
+
+	defer func() {
+		if err != nil {
+			for _, sessions := range sessionMap {
+				for _, s := range sessions {
+					s.Close()
+				}
+			}
+		}
+	}()
+
+	for node, fsMap := range m {
+		for key, fs := range fsMap {
+			if len(fs.so) <= 1 {
+				continue
+			}
+
+			sessions := sessionMap[node]
+
+			// find session that doesn't have the fs name reserved
+			idx := slices.IndexFunc(sessions, func(s *sharedSession) bool {
+				_, ok := s.fsMap[key.name]
+				return !ok
+			})
+
+			var ss *sharedSession
+			if idx == -1 {
+				s, err := session.NewSession(ctx, fs.so[0].SharedKey)
+				if err != nil {
+					return nil, err
+				}
+				ss = &sharedSession{Session: s, fsMap: map[string]fsutil.FS{}}
+				sessions = append(sessions, ss)
+				sessionMap[node] = sessions
+			} else {
+				ss = sessions[idx]
+			}
+
+			ss.fsMap[key.name] = fs.fs
+			for _, so := range fs.so {
+				if so.FrontendAttrs == nil {
+					so.FrontendAttrs = map[string]string{}
+				}
+				so.FrontendAttrs["local-sessionid:"+key.name] = ss.ID()
+			}
+		}
+	}
+
+	resetUIDAndGID := func(p string, st *fstypes.Stat) fsutil.MapResult {
+		st.Uid = 0
+		st.Gid = 0
+		return fsutil.MapResultKeep
+	}
+
+	// convert back to regular sessions
+	sessions := map[string][]*session.Session{}
+	for n, ss := range sessionMap {
+		arr := make([]*session.Session, 0, len(ss))
+		for _, s := range ss {
+			arr = append(arr, s.Session)
+
+			src := make(filesync.StaticDirSource, len(s.fsMap))
+			for name, fs := range s.fsMap {
+				fs, err := fsutil.NewFilterFS(fs, &fsutil.FilterOpt{
+					Map: resetUIDAndGID,
+				})
+				if err != nil {
+					return nil, err
+				}
+				src[name] = fs
+			}
+			s.Allow(filesync.NewFSSyncProvider(src))
+		}
+		sessions[n] = arr
+	}
+	return sessions, nil
+}
+
 // calculateChildTargets returns all the targets that depend on current target for reverse index
 func calculateChildTargets(reqs map[string][]*reqForNode, opt map[string]Options) map[string][]string {
 	out := make(map[string][]string)
@@ -940,9 +1112,9 @@ func fallbackPrintError(err error, req gateway.SolveRequest) (gateway.SolveReque
 	return req, false
 }

-func noPrintFunc(opt map[string]Options) bool {
+func noCallFunc(opt map[string]Options) bool {
 	for _, v := range opt {
-		if v.PrintFunc != nil {
+		if v.CallFunc != nil {
 			return false
 		}
 	}
@@ -965,7 +1137,7 @@ func ReadSourcePolicy() (*spb.Policy, error) {
 	var pol spb.Policy
 	if err := json.Unmarshal(data, &pol); err != nil {
 		// maybe it's in protobuf format?
-		e2 := pol.Unmarshal(data)
+		e2 := proto.Unmarshal(data, &pol)
 		if e2 != nil {
 			return nil, errors.Wrap(err, "failed to parse source policy")
 		}
--- a/build/git.go
+++ b/build/git.go
@@ -17,10 +17,19 @@ import (

 const DockerfileLabel = "com.docker.image.source.entrypoint"

-func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath string) (map[string]string, func(key, dir string, so *client.SolveOpt), error) {
-	res := make(map[string]string)
+type gitAttrsAppendFunc func(so *client.SolveOpt)
+
+func gitAppendNoneFunc(_ *client.SolveOpt) {}
+
+func getGitAttributes(ctx context.Context, contextPath, dockerfilePath string) (f gitAttrsAppendFunc, err error) {
+	defer func() {
+		if f == nil {
+			f = gitAppendNoneFunc
+		}
+	}()
+
 	if contextPath == "" {
-		return nil, nil, nil
+		return nil, nil
 	}

 	setGitLabels := false
@@ -39,7 +48,7 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 	}

 	if !setGitLabels && !setGitInfo {
-		return nil, nil, nil
+		return nil, nil
 	}

 	// figure out in which directory the git command needs to run in
@@ -54,25 +63,27 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 	gitc, err := gitutil.New(gitutil.WithContext(ctx), gitutil.WithWorkingDir(wd))
 	if err != nil {
 		if st, err1 := os.Stat(path.Join(wd, ".git")); err1 == nil && st.IsDir() {
-			return res, nil, errors.Wrap(err, "git was not found in the system")
+			return nil, errors.Wrap(err, "git was not found in the system")
 		}
-		return nil, nil, nil
+		return nil, nil
 	}

 	if !gitc.IsInsideWorkTree() {
 		if st, err := os.Stat(path.Join(wd, ".git")); err == nil && st.IsDir() {
-			return res, nil, errors.New("failed to read current commit information with git rev-parse --is-inside-work-tree")
+			return nil, errors.New("failed to read current commit information with git rev-parse --is-inside-work-tree")
 		}
-		return nil, nil, nil
+		return nil, nil
 	}

 	root, err := gitc.RootDir()
 	if err != nil {
-		return res, nil, errors.Wrap(err, "failed to get git root dir")
+		return nil, errors.Wrap(err, "failed to get git root dir")
 	}

+	res := make(map[string]string)
+
 	if sha, err := gitc.FullCommit(); err != nil && !gitutil.IsUnknownRevision(err) {
-		return res, nil, errors.Wrap(err, "failed to get git commit")
+		return nil, errors.Wrap(err, "failed to get git commit")
 	} else if sha != "" {
 		checkDirty := false
 		if v, ok := os.LookupEnv("BUILDX_GIT_CHECK_DIRTY"); ok {
@@ -112,20 +123,38 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 		}
 	}

-	return res, func(key, dir string, so *client.SolveOpt) {
+	return func(so *client.SolveOpt) {
+		if so.FrontendAttrs == nil {
+			so.FrontendAttrs = make(map[string]string)
+		}
+		for k, v := range res {
+			so.FrontendAttrs[k] = v
+		}
+
 		if !setGitInfo || root == "" {
 			return
 		}
-		dir, err := filepath.Abs(dir)
-		if err != nil {
-			return
-		}
-		if lp, err := osutil.GetLongPathName(dir); err == nil {
-			dir = lp
-		}
-		dir = osutil.SanitizePath(dir)
-		if r, err := filepath.Rel(root, dir); err == nil && !strings.HasPrefix(r, "..") {
-			so.FrontendAttrs["vcs:localdir:"+key] = r
+
+		for key, mount := range so.LocalMounts {
+			fs, ok := mount.(*fs)
+			if !ok {
+				continue
+			}
+			dir, err := filepath.EvalSymlinks(fs.dir) // keep same behavior as fsutil.NewFS
+			if err != nil {
+				continue
+			}
+			dir, err = filepath.Abs(dir)
+			if err != nil {
+				continue
+			}
+			if lp, err := osutil.GetLongPathName(dir); err == nil {
+				dir = lp
+			}
+			dir = osutil.SanitizePath(dir)
+			if r, err := filepath.Rel(root, dir); err == nil && !strings.HasPrefix(r, "..") {
+				so.FrontendAttrs["vcs:localdir:"+key] = r
+			}
 		}
 	}, nil
 }
--- a/build/git_test.go
+++ b/build/git_test.go
@@ -31,7 +31,7 @@ func setupTest(tb testing.TB) {
 }

 func TestGetGitAttributesNotGitRepo(t *testing.T) {
-	_, _, err := getGitAttributes(context.Background(), t.TempDir(), "Dockerfile")
+	_, err := getGitAttributes(context.Background(), t.TempDir(), "Dockerfile")
 	assert.NoError(t, err)
 }

@@ -39,16 +39,18 @@ func TestGetGitAttributesBadGitRepo(t *testing.T) {
 	tmp := t.TempDir()
 	require.NoError(t, os.MkdirAll(path.Join(tmp, ".git"), 0755))

-	_, _, err := getGitAttributes(context.Background(), tmp, "Dockerfile")
+	_, err := getGitAttributes(context.Background(), tmp, "Dockerfile")
 	assert.Error(t, err)
 }

 func TestGetGitAttributesNoContext(t *testing.T) {
 	setupTest(t)

-	gitattrs, _, err := getGitAttributes(context.Background(), "", "Dockerfile")
+	addGitAttrs, err := getGitAttributes(context.Background(), "", "Dockerfile")
 	assert.NoError(t, err)
-	assert.Empty(t, gitattrs)
+	var so client.SolveOpt
+	addGitAttrs(&so)
+	assert.Empty(t, so.FrontendAttrs)
 }

 func TestGetGitAttributes(t *testing.T) {
@@ -115,15 +117,17 @@ func TestGetGitAttributes(t *testing.T) {
 			if tt.envGitInfo != "" {
 				t.Setenv("BUILDX_GIT_INFO", tt.envGitInfo)
 			}
-			gitattrs, _, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+			addGitAttrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
 			require.NoError(t, err)
+			var so client.SolveOpt
+			addGitAttrs(&so)
 			for _, e := range tt.expected {
-				assert.Contains(t, gitattrs, e)
-				assert.NotEmpty(t, gitattrs[e])
+				assert.Contains(t, so.FrontendAttrs, e)
+				assert.NotEmpty(t, so.FrontendAttrs[e])
 				if e == "label:"+DockerfileLabel {
-					assert.Equal(t, "Dockerfile", gitattrs[e])
+					assert.Equal(t, "Dockerfile", so.FrontendAttrs[e])
 				} else if e == "label:"+specs.AnnotationSource || e == "vcs:source" {
-					assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs[e])
+					assert.Equal(t, "git@github.com:docker/buildx.git", so.FrontendAttrs[e])
 				}
 			}
 		})
@@ -140,20 +144,25 @@ func TestGetGitAttributesDirty(t *testing.T) {
 	require.NoError(t, os.WriteFile(filepath.Join("dir", "Dockerfile"), df, 0644))

 	t.Setenv("BUILDX_GIT_LABELS", "true")
-	gitattrs, _, _ := getGitAttributes(context.Background(), ".", "Dockerfile")
-	assert.Equal(t, 5, len(gitattrs))
+	addGitAttrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+	require.NoError(t, err)

-	assert.Contains(t, gitattrs, "label:"+DockerfileLabel)
-	assert.Equal(t, "Dockerfile", gitattrs["label:"+DockerfileLabel])
-	assert.Contains(t, gitattrs, "label:"+specs.AnnotationSource)
-	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["label:"+specs.AnnotationSource])
-	assert.Contains(t, gitattrs, "label:"+specs.AnnotationRevision)
-	assert.True(t, strings.HasSuffix(gitattrs["label:"+specs.AnnotationRevision], "-dirty"))
+	var so client.SolveOpt
+	addGitAttrs(&so)

-	assert.Contains(t, gitattrs, "vcs:source")
-	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["vcs:source"])
-	assert.Contains(t, gitattrs, "vcs:revision")
-	assert.True(t, strings.HasSuffix(gitattrs["vcs:revision"], "-dirty"))
+	assert.Equal(t, 5, len(so.FrontendAttrs))
+
+	assert.Contains(t, so.FrontendAttrs, "label:"+DockerfileLabel)
+	assert.Equal(t, "Dockerfile", so.FrontendAttrs["label:"+DockerfileLabel])
+	assert.Contains(t, so.FrontendAttrs, "label:"+specs.AnnotationSource)
+	assert.Equal(t, "git@github.com:docker/buildx.git", so.FrontendAttrs["label:"+specs.AnnotationSource])
+	assert.Contains(t, so.FrontendAttrs, "label:"+specs.AnnotationRevision)
+	assert.True(t, strings.HasSuffix(so.FrontendAttrs["label:"+specs.AnnotationRevision], "-dirty"))
+
+	assert.Contains(t, so.FrontendAttrs, "vcs:source")
+	assert.Equal(t, "git@github.com:docker/buildx.git", so.FrontendAttrs["vcs:source"])
+	assert.Contains(t, so.FrontendAttrs, "vcs:revision")
+	assert.True(t, strings.HasSuffix(so.FrontendAttrs["vcs:revision"], "-dirty"))
 }

 func TestLocalDirs(t *testing.T) {
@@ -163,15 +172,17 @@ func TestLocalDirs(t *testing.T) {
 		FrontendAttrs: map[string]string{},
 	}

-	_, addVCSLocalDir, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+	addGitAttrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
 	require.NoError(t, err)
-	require.NotNil(t, addVCSLocalDir)

-	require.NoError(t, setLocalMount("context", ".", so, addVCSLocalDir))
+	require.NoError(t, setLocalMount("context", ".", so))
+	require.NoError(t, setLocalMount("dockerfile", ".", so))
+
+	addGitAttrs(so)
+
 	require.Contains(t, so.FrontendAttrs, "vcs:localdir:context")
 	assert.Equal(t, ".", so.FrontendAttrs["vcs:localdir:context"])

-	require.NoError(t, setLocalMount("dockerfile", ".", so, addVCSLocalDir))
 	require.Contains(t, so.FrontendAttrs, "vcs:localdir:dockerfile")
 	assert.Equal(t, ".", so.FrontendAttrs["vcs:localdir:dockerfile"])
 }
@@ -194,16 +205,17 @@ func TestLocalDirsSub(t *testing.T) {
 	so := &client.SolveOpt{
 		FrontendAttrs: map[string]string{},
 	}
+	require.NoError(t, setLocalMount("context", ".", so))
+	require.NoError(t, setLocalMount("dockerfile", "app", so))

-	_, addVCSLocalDir, err := getGitAttributes(context.Background(), ".", "app/Dockerfile")
+	addGitAttrs, err := getGitAttributes(context.Background(), ".", "app/Dockerfile")
 	require.NoError(t, err)
-	require.NotNil(t, addVCSLocalDir)

-	require.NoError(t, setLocalMount("context", ".", so, addVCSLocalDir))
+	addGitAttrs(so)
+
 	require.Contains(t, so.FrontendAttrs, "vcs:localdir:context")
 	assert.Equal(t, ".", so.FrontendAttrs["vcs:localdir:context"])

-	require.NoError(t, setLocalMount("dockerfile", "app", so, addVCSLocalDir))
 	require.Contains(t, so.FrontendAttrs, "vcs:localdir:dockerfile")
 	assert.Equal(t, "app", so.FrontendAttrs["vcs:localdir:dockerfile"])
 }
--- a/build/opt.go
+++ b/build/opt.go
@@ -1,11 +1,12 @@
 package build

 import (
-	"bufio"
+	"bytes"
 	"context"
 	"io"
 	"os"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"
 	"syscall"
@@ -34,7 +35,7 @@ import (
 	"github.com/tonistiigi/fsutil"
 )

-func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Options, bopts gateway.BuildOpts, configDir string, addVCSLocalDir func(key, dir string, so *client.SolveOpt), pw progress.Writer, docker *dockerutil.Client) (_ *client.SolveOpt, release func(), err error) {
+func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt *Options, bopts gateway.BuildOpts, configDir string, pw progress.Writer, docker *dockerutil.Client) (_ *client.SolveOpt, release func(), err error) {
 	nodeDriver := node.Driver
 	defers := make([]func(), 0, 2)
 	releaseF := func() {
@@ -157,7 +158,7 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
 	case 1:
 		// valid
 	case 0:
-		if !noDefaultLoad() && opt.PrintFunc == nil {
+		if !noDefaultLoad() && opt.CallFunc == nil {
 			if nodeDriver.IsMobyDriver() {
 				// backwards compat for docker driver only:
 				// this ensures the build results in a docker image.
@@ -260,9 +261,9 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
 	}

 	so.Exports = opt.Exports
-	so.Session = opt.Session
+	so.Session = slices.Clone(opt.Session)

-	releaseLoad, err := loadInputs(ctx, nodeDriver, opt.Inputs, addVCSLocalDir, pw, &so)
+	releaseLoad, err := loadInputs(ctx, nodeDriver, &opt.Inputs, pw, &so)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -347,15 +348,15 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
 		so.FrontendAttrs["ulimit"] = ulimits
 	}

-	// mark info request as internal
-	if opt.PrintFunc != nil {
+	// mark call request as internal
+	if opt.CallFunc != nil {
 		so.Internal = true
 	}

 	return &so, releaseF, nil
 }

-func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSLocalDir func(key, dir string, so *client.SolveOpt), pw progress.Writer, target *client.SolveOpt) (func(), error) {
+func loadInputs(ctx context.Context, d *driver.DriverHandle, inp *Inputs, pw progress.Writer, target *client.SolveOpt) (func(), error) {
 	if inp.ContextPath == "" {
 		return nil, errors.New("please specify build context (e.g. \".\" for the current directory)")
 	}
@@ -363,11 +364,12 @@ func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSL
 	// TODO: handle stdin, symlinks, remote contexts, check files exist

 	var (
-		err              error
-		dockerfileReader io.Reader
-		dockerfileDir    string
-		dockerfileName   = inp.DockerfilePath
-		toRemove         []string
+		err               error
+		dockerfileReader  io.ReadCloser
+		dockerfileDir     string
+		dockerfileName    = inp.DockerfilePath
+		dockerfileSrcName = inp.DockerfilePath
+		toRemove          []string
 	)

 	switch {
@@ -379,11 +381,11 @@ func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSL
 		target.FrontendInputs["dockerfile"] = *inp.ContextState
 	case inp.ContextPath == "-":
 		if inp.DockerfilePath == "-" {
-			return nil, errStdinConflict
+			return nil, errors.Errorf("invalid argument: can't use stdin for both build context and dockerfile")
 		}

-		buf := bufio.NewReader(inp.InStream)
-		magic, err := buf.Peek(archiveHeaderSize * 2)
+		rc := inp.InStream.NewReadCloser()
+		magic, err := inp.InStream.Peek(archiveHeaderSize * 2)
 		if err != nil && err != io.EOF {
 			return nil, errors.Wrap(err, "failed to peek context header from STDIN")
 		}
@@ -391,23 +393,23 @@ func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSL
 			if isArchive(magic) {
 				// stdin is context
 				up := uploadprovider.New()
-				target.FrontendAttrs["context"] = up.Add(buf)
+				target.FrontendAttrs["context"] = up.Add(rc)
 				target.Session = append(target.Session, up)
 			} else {
 				if inp.DockerfilePath != "" {
-					return nil, errDockerfileConflict
+					return nil, errors.Errorf("ambiguous Dockerfile source: both stdin and flag correspond to Dockerfiles")
 				}
 				// stdin is dockerfile
-				dockerfileReader = buf
+				dockerfileReader = rc
 				inp.ContextPath, _ = os.MkdirTemp("", "empty-dir")
 				toRemove = append(toRemove, inp.ContextPath)
-				if err := setLocalMount("context", inp.ContextPath, target, addVCSLocalDir); err != nil {
+				if err := setLocalMount("context", inp.ContextPath, target); err != nil {
 					return nil, err
 				}
 			}
 		}
 	case osutil.IsLocalDir(inp.ContextPath):
-		if err := setLocalMount("context", inp.ContextPath, target, addVCSLocalDir); err != nil {
+		if err := setLocalMount("context", inp.ContextPath, target); err != nil {
 			return nil, err
 		}
 		sharedKey := inp.ContextPath
@@ -417,7 +419,7 @@ func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSL
 		target.SharedKey = sharedKey
 		switch inp.DockerfilePath {
 		case "-":
-			dockerfileReader = inp.InStream
+			dockerfileReader = inp.InStream.NewReadCloser()
 		case "":
 			dockerfileDir = inp.ContextPath
 		default:
@@ -426,7 +428,7 @@ func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSL
 		}
 	case IsRemoteURL(inp.ContextPath):
 		if inp.DockerfilePath == "-" {
-			dockerfileReader = inp.InStream
+			dockerfileReader = inp.InStream.NewReadCloser()
 		} else if filepath.IsAbs(inp.DockerfilePath) {
 			dockerfileDir = filepath.Dir(inp.DockerfilePath)
 			dockerfileName = filepath.Base(inp.DockerfilePath)
@@ -438,11 +440,16 @@ func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSL
 	}

 	if inp.DockerfileInline != "" {
-		dockerfileReader = strings.NewReader(inp.DockerfileInline)
+		dockerfileReader = io.NopCloser(strings.NewReader(inp.DockerfileInline))
+		dockerfileSrcName = "inline"
+	} else if inp.DockerfilePath == "-" {
+		dockerfileSrcName = "stdin"
+	} else if inp.DockerfilePath == "" {
+		dockerfileSrcName = filepath.Join(inp.ContextPath, "Dockerfile")
 	}

 	if dockerfileReader != nil {
-		dockerfileDir, err = createTempDockerfile(dockerfileReader)
+		dockerfileDir, err = createTempDockerfile(dockerfileReader, inp.InStream)
 		if err != nil {
 			return nil, err
 		}
@@ -466,7 +473,7 @@ func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSL
 	}

 	if dockerfileDir != "" {
-		if err := setLocalMount("dockerfile", dockerfileDir, target, addVCSLocalDir); err != nil {
+		if err := setLocalMount("dockerfile", dockerfileDir, target); err != nil {
 			return nil, err
 		}
 		dockerfileName = handleLowercaseDockerfile(dockerfileDir, dockerfileName)
@@ -528,7 +535,7 @@ func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSL
 		if k == "context" || k == "dockerfile" {
 			localName = "_" + k // underscore to avoid collisions
 		}
-		if err := setLocalMount(localName, v.Path, target, addVCSLocalDir); err != nil {
+		if err := setLocalMount(localName, v.Path, target); err != nil {
 			return nil, err
 		}
 		target.FrontendAttrs["context:"+k] = "local:" + localName
@@ -539,6 +546,9 @@ func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, addVCSL
 			_ = os.RemoveAll(dir)
 		}
 	}
+
+	inp.DockerfileMappingSrc = dockerfileSrcName
+	inp.DockerfileMappingDst = dockerfileName
 	return release, nil
 }

@@ -570,26 +580,19 @@ func resolveDigest(localPath, tag string) (dig string, _ error) {
 	return dig, nil
 }

-func setLocalMount(name, root string, so *client.SolveOpt, addVCSLocalDir func(key, dir string, so *client.SolveOpt)) error {
-	lm, err := fsutil.NewFS(root)
-	if err != nil {
-		return err
-	}
-	root, err = filepath.EvalSymlinks(root) // keep same behavior as fsutil.NewFS
+func setLocalMount(name, dir string, so *client.SolveOpt) error {
+	lm, err := fsutil.NewFS(dir)
 	if err != nil {
 		return err
 	}
 	if so.LocalMounts == nil {
 		so.LocalMounts = map[string]fsutil.FS{}
 	}
-	so.LocalMounts[name] = lm
-	if addVCSLocalDir != nil {
-		addVCSLocalDir(name, root, so)
-	}
+	so.LocalMounts[name] = &fs{FS: lm, dir: dir}
 	return nil
 }

-func createTempDockerfile(r io.Reader) (string, error) {
+func createTempDockerfile(r io.Reader, multiReader *SyncMultiReader) (string, error) {
 	dir, err := os.MkdirTemp("", "dockerfile")
 	if err != nil {
 		return "", err
@@ -599,6 +602,16 @@ func createTempDockerfile(r io.Reader) (string, error) {
 		return "", err
 	}
 	defer f.Close()
+
+	if multiReader != nil {
+		dt, err := io.ReadAll(r)
+		if err != nil {
+			return "", err
+		}
+		multiReader.Reset(dt)
+		r = bytes.NewReader(dt)
+	}
+
 	if _, err := io.Copy(f, r); err != nil {
 		return "", err
 	}
@@ -635,3 +648,10 @@ func handleLowercaseDockerfile(dir, p string) string {
 	}
 	return p
 }
+
+type fs struct {
+	fsutil.FS
+	dir string
+}
+
+var _ fsutil.FS = &fs{}
--- a/build/provenance.go
+++ b/build/provenance.go
@@ -15,6 +15,7 @@ import (
 	controlapi "github.com/moby/buildkit/api/services/control"
 	"github.com/moby/buildkit/client"
 	provenancetypes "github.com/moby/buildkit/solver/llbsolver/provenance/types"
+	digest "github.com/opencontainers/go-digest"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 	"golang.org/x/sync/errgroup"
@@ -124,8 +125,8 @@ func lookupProvenance(res *controlapi.BuildResultInfo) *ocispecs.Descriptor {
 	for _, a := range res.Attestations {
 		if a.MediaType == "application/vnd.in-toto+json" && strings.HasPrefix(a.Annotations["in-toto.io/predicate-type"], "https://slsa.dev/provenance/") {
 			return &ocispecs.Descriptor{
-				Digest:      a.Digest,
-				Size:        a.Size_,
+				Digest:      digest.Digest(a.Digest),
+				Size:        a.Size,
 				MediaType:   a.MediaType,
 				Annotations: a.Annotations,
 			}
--- a/build/replicatedstream.go
+++ b/build/replicatedstream.go
@@ -0,0 +1,164 @@
+package build
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"sync"
+)
+
+type SyncMultiReader struct {
+	source  *bufio.Reader
+	buffer  []byte
+	static  []byte
+	mu      sync.Mutex
+	cond    *sync.Cond
+	readers []*syncReader
+	err     error
+	offset  int
+}
+
+type syncReader struct {
+	mr     *SyncMultiReader
+	offset int
+	closed bool
+}
+
+func NewSyncMultiReader(source io.Reader) *SyncMultiReader {
+	mr := &SyncMultiReader{
+		source: bufio.NewReader(source),
+		buffer: make([]byte, 0, 32*1024),
+	}
+	mr.cond = sync.NewCond(&mr.mu)
+	return mr
+}
+
+func (mr *SyncMultiReader) Peek(n int) ([]byte, error) {
+	mr.mu.Lock()
+	defer mr.mu.Unlock()
+
+	if mr.static != nil {
+		return mr.static[min(n, len(mr.static)):], nil
+	}
+
+	return mr.source.Peek(n)
+}
+
+func (mr *SyncMultiReader) Reset(dt []byte) {
+	mr.mu.Lock()
+	defer mr.mu.Unlock()
+
+	mr.static = dt
+}
+
+func (mr *SyncMultiReader) NewReadCloser() io.ReadCloser {
+	mr.mu.Lock()
+	defer mr.mu.Unlock()
+
+	if mr.static != nil {
+		return io.NopCloser(bytes.NewReader(mr.static))
+	}
+
+	reader := &syncReader{
+		mr: mr,
+	}
+	mr.readers = append(mr.readers, reader)
+	return reader
+}
+
+func (sr *syncReader) Read(p []byte) (int, error) {
+	sr.mr.mu.Lock()
+	defer sr.mr.mu.Unlock()
+
+	return sr.read(p)
+}
+
+func (sr *syncReader) read(p []byte) (int, error) {
+	end := sr.mr.offset + len(sr.mr.buffer)
+
+loop0:
+	for {
+		if sr.closed {
+			return 0, io.EOF
+		}
+
+		end := sr.mr.offset + len(sr.mr.buffer)
+
+		if sr.mr.err != nil && sr.offset == end {
+			return 0, sr.mr.err
+		}
+
+		start := sr.offset - sr.mr.offset
+
+		dt := sr.mr.buffer[start:]
+
+		if len(dt) > 0 {
+			n := copy(p, dt)
+			sr.offset += n
+			sr.mr.cond.Broadcast()
+			return n, nil
+		}
+
+		// check for readers that have not caught up
+		hasOpen := false
+		for _, r := range sr.mr.readers {
+			if !r.closed {
+				hasOpen = true
+			} else {
+				continue
+			}
+			if r.offset < end {
+				sr.mr.cond.Wait()
+				continue loop0
+			}
+		}
+
+		if !hasOpen {
+			return 0, io.EOF
+		}
+		break
+	}
+
+	last := sr.mr.offset + len(sr.mr.buffer)
+	// another reader has already updated the buffer
+	if last > end || sr.mr.err != nil {
+		return sr.read(p)
+	}
+
+	sr.mr.offset += len(sr.mr.buffer)
+
+	sr.mr.buffer = sr.mr.buffer[:cap(sr.mr.buffer)]
+	n, err := sr.mr.source.Read(sr.mr.buffer)
+	if n >= 0 {
+		sr.mr.buffer = sr.mr.buffer[:n]
+	} else {
+		sr.mr.buffer = sr.mr.buffer[:0]
+	}
+
+	sr.mr.cond.Broadcast()
+
+	if err != nil {
+		sr.mr.err = err
+		return 0, err
+	}
+
+	nn := copy(p, sr.mr.buffer)
+	sr.offset += nn
+
+	return nn, nil
+}
+
+func (sr *syncReader) Close() error {
+	sr.mr.mu.Lock()
+	defer sr.mr.mu.Unlock()
+
+	if sr.closed {
+		return nil
+	}
+
+	sr.closed = true
+
+	sr.mr.cond.Broadcast()
+
+	return nil
+}
--- a/build/replicatedstream_test.go
+++ b/build/replicatedstream_test.go
@@ -0,0 +1,77 @@
+package build
+
+import (
+	"bytes"
+	"crypto/rand"
+	"io"
+	mathrand "math/rand"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func generateRandomData(size int) []byte {
+	data := make([]byte, size)
+	rand.Read(data)
+	return data
+}
+func TestSyncMultiReaderParallel(t *testing.T) {
+	data := generateRandomData(1024 * 1024)
+	source := bytes.NewReader(data)
+	mr := NewSyncMultiReader(source)
+
+	var wg sync.WaitGroup
+	numReaders := 10
+	bufferSize := 4096 * 4
+
+	readers := make([]io.ReadCloser, numReaders)
+
+	for i := 0; i < numReaders; i++ {
+		readers[i] = mr.NewReadCloser()
+	}
+
+	for i := 0; i < numReaders; i++ {
+		wg.Add(1)
+		go func(readerId int) {
+			defer wg.Done()
+			reader := readers[readerId]
+			defer reader.Close()
+
+			totalRead := 0
+			buf := make([]byte, bufferSize)
+			for totalRead < len(data) {
+				// Simulate random read sizes
+				readSize := mathrand.Intn(bufferSize) //nolint:gosec
+				n, err := reader.Read(buf[:readSize])
+
+				if n > 0 {
+					assert.Equal(t, data[totalRead:totalRead+n], buf[:n], "Reader %d mismatch", readerId)
+					totalRead += n
+				}
+
+				if err == io.EOF {
+					assert.Equal(t, len(data), totalRead, "Reader %d EOF mismatch", readerId)
+					return
+				}
+
+				require.NoError(t, err, "Reader %d error", readerId)
+
+				if mathrand.Intn(1000) == 0 { //nolint:gosec
+					t.Logf("Reader %d closing", readerId)
+					// Simulate random close
+					return
+				}
+
+				// Simulate random timing between reads
+				time.Sleep(time.Millisecond * time.Duration(mathrand.Intn(5))) //nolint:gosec
+			}
+
+			assert.Equal(t, len(data), totalRead, "Reader %d total read mismatch", readerId)
+		}(i)
+	}
+
+	wg.Wait()
+}
--- a/build/result.go
+++ b/build/result.go
@@ -295,14 +295,14 @@ func (r *ResultHandle) build(buildFunc gateway.BuildFunc) (err error) {
 func (r *ResultHandle) getContainerConfig(cfg *controllerapi.InvokeConfig) (containerCfg gateway.NewContainerRequest, _ error) {
 	if r.res != nil && r.solveErr == nil {
 		logrus.Debugf("creating container from successful build")
-		ccfg, err := containerConfigFromResult(r.res, *cfg)
+		ccfg, err := containerConfigFromResult(r.res, cfg)
 		if err != nil {
 			return containerCfg, err
 		}
 		containerCfg = *ccfg
 	} else {
 		logrus.Debugf("creating container from failed build %+v", cfg)
-		ccfg, err := containerConfigFromError(r.solveErr, *cfg)
+		ccfg, err := containerConfigFromError(r.solveErr, cfg)
 		if err != nil {
 			return containerCfg, errors.Wrapf(err, "no result nor error is available")
 		}
@@ -315,19 +315,19 @@ func (r *ResultHandle) getProcessConfig(cfg *controllerapi.InvokeConfig, stdin i
 	processCfg := newStartRequest(stdin, stdout, stderr)
 	if r.res != nil && r.solveErr == nil {
 		logrus.Debugf("creating container from successful build")
-		if err := populateProcessConfigFromResult(&processCfg, r.res, *cfg); err != nil {
+		if err := populateProcessConfigFromResult(&processCfg, r.res, cfg); err != nil {
 			return processCfg, err
 		}
 	} else {
 		logrus.Debugf("creating container from failed build %+v", cfg)
-		if err := populateProcessConfigFromError(&processCfg, r.solveErr, *cfg); err != nil {
+		if err := populateProcessConfigFromError(&processCfg, r.solveErr, cfg); err != nil {
 			return processCfg, err
 		}
 	}
 	return processCfg, nil
 }

-func containerConfigFromResult(res *gateway.Result, cfg controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
+func containerConfigFromResult(res *gateway.Result, cfg *controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
 	if cfg.Initial {
 		return nil, errors.Errorf("starting from the container from the initial state of the step is supported only on the failed steps")
 	}
@@ -352,7 +352,7 @@ func containerConfigFromResult(res *gateway.Result, cfg controllerapi.InvokeConf
 	}, nil
 }

-func populateProcessConfigFromResult(req *gateway.StartRequest, res *gateway.Result, cfg controllerapi.InvokeConfig) error {
+func populateProcessConfigFromResult(req *gateway.StartRequest, res *gateway.Result, cfg *controllerapi.InvokeConfig) error {
 	imgData := res.Metadata[exptypes.ExporterImageConfigKey]
 	var img *specs.Image
 	if len(imgData) > 0 {
@@ -403,7 +403,7 @@ func populateProcessConfigFromResult(req *gateway.StartRequest, res *gateway.Res
 	return nil
 }

-func containerConfigFromError(solveErr *errdefs.SolveError, cfg controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
+func containerConfigFromError(solveErr *errdefs.SolveError, cfg *controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
 	exec, err := execOpFromError(solveErr)
 	if err != nil {
 		return nil, err
@@ -431,7 +431,7 @@ func containerConfigFromError(solveErr *errdefs.SolveError, cfg controllerapi.In
 	}, nil
 }

-func populateProcessConfigFromError(req *gateway.StartRequest, solveErr *errdefs.SolveError, cfg controllerapi.InvokeConfig) error {
+func populateProcessConfigFromError(req *gateway.StartRequest, solveErr *errdefs.SolveError, cfg *controllerapi.InvokeConfig) error {
 	exec, err := execOpFromError(solveErr)
 	if err != nil {
 		return err
--- a/build/url.go
+++ b/build/url.go
@@ -7,12 +7,15 @@ import (

 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/util/progress"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	gwclient "github.com/moby/buildkit/frontend/gateway/client"
 	"github.com/pkg/errors"
 )

+const maxDockerfileSize = 2 * 1024 * 1024 // 2 MB
+
 func createTempDockerfileFromURL(ctx context.Context, d *driver.DriverHandle, url string, pw progress.Writer) (string, error) {
 	c, err := driver.Boot(ctx, ctx, d, pw)
 	if err != nil {
@@ -43,8 +46,8 @@ func createTempDockerfileFromURL(ctx context.Context, d *driver.DriverHandle, ur
 		if err != nil {
 			return nil, err
 		}
-		if stat.Size() > 512*1024 {
-			return nil, errors.Errorf("Dockerfile %s bigger than allowed max size", url)
+		if stat.Size > maxDockerfileSize {
+			return nil, errors.Errorf("Dockerfile %s bigger than allowed max size (%s)", url, units.HumanSize(maxDockerfileSize))
 		}

 		dt, err := ref.ReadFile(ctx, gwclient.ReadRequest{
@@ -63,7 +66,6 @@ func createTempDockerfileFromURL(ctx context.Context, d *driver.DriverHandle, ur
 		out = dir
 		return nil, nil
 	}, ch)
-
 	if err != nil {
 		return "", err
 	}
--- a/builder/builder.go
+++ b/builder/builder.go
@@ -435,7 +435,16 @@ func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts Cre
 		return nil, err
 	}

-	buildkitdFlags, err := parseBuildkitdFlags(opts.BuildkitdFlags, driverName, driverOpts)
+	buildkitdConfigFile := opts.BuildkitdConfigFile
+	if buildkitdConfigFile == "" {
+		// if buildkit daemon config is not provided, check if the default one
+		// is available and use it
+		if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
+			buildkitdConfigFile = f
+		}
+	}
+
+	buildkitdFlags, err := parseBuildkitdFlags(opts.BuildkitdFlags, driverName, driverOpts, buildkitdConfigFile)
 	if err != nil {
 		return nil, err
 	}
@@ -496,15 +505,6 @@ func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts Cre
 		setEp = false
 	}

-	buildkitdConfigFile := opts.BuildkitdConfigFile
-	if buildkitdConfigFile == "" {
-		// if buildkit daemon config is not provided, check if the default one
-		// is available and use it
-		if f, ok := confutil.DefaultConfigFile(dockerCli); ok {
-			buildkitdConfigFile = f
-		}
-	}
-
 	if err := ng.Update(opts.NodeName, ep, opts.Platforms, setEp, opts.Append, buildkitdFlags, buildkitdConfigFile, driverOpts); err != nil {
 		return nil, err
 	}
@@ -641,7 +641,7 @@ func validateBuildkitEndpoint(ep string) (string, error) {
 }

 // parseBuildkitdFlags parses buildkit flags
-func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string) (res []string, err error) {
+func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string, buildkitdConfigFile string) (res []string, err error) {
 	if inp != "" {
 		res, err = shlex.Split(inp)
 		if err != nil {
@@ -663,10 +663,27 @@ func parseBuildkitdFlags(inp string, driver string, driverOpts map[string]string
 		}
 	}

+	var hasNetworkHostEntitlementInConf bool
+	if buildkitdConfigFile != "" {
+		btoml, err := confutil.LoadConfigTree(buildkitdConfigFile)
+		if err != nil {
+			return nil, err
+		} else if btoml != nil {
+			if ies := btoml.GetArray("insecure-entitlements"); ies != nil {
+				for _, e := range ies.([]string) {
+					if e == "network.host" {
+						hasNetworkHostEntitlementInConf = true
+						break
+					}
+				}
+			}
+		}
+	}
+
 	if v, ok := driverOpts["network"]; ok && v == "host" && !hasNetworkHostEntitlement && driver == "docker-container" {
 		// always set network.host entitlement if user has set network=host
 		res = append(res, "--allow-insecure-entitlement=network.host")
-	} else if len(allowInsecureEntitlements) == 0 && (driver == "kubernetes" || driver == "docker-container") {
+	} else if len(allowInsecureEntitlements) == 0 && !hasNetworkHostEntitlementInConf && (driver == "kubernetes" || driver == "docker-container") {
 		// set network.host entitlement if user does not provide any as
 		// network is isolated for container drivers.
 		res = append(res, "--allow-insecure-entitlement=network.host")
--- a/builder/builder_test.go
+++ b/builder/builder_test.go
@@ -1,6 +1,8 @@
 package builder

 import (
+	"os"
+	"path"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -27,19 +29,34 @@ func TestCsvToMap(t *testing.T) {
 }

 func TestParseBuildkitdFlags(t *testing.T) {
+	buildkitdConf := `
+# debug enables additional debug logging
+debug = true
+# insecure-entitlements allows insecure entitlements, disabled by default.
+insecure-entitlements = [ "network.host", "security.insecure" ]
+[log]
+  # log formatter: json or text
+  format = "text"
+`
+	dirConf := t.TempDir()
+	buildkitdConfPath := path.Join(dirConf, "buildkitd-conf.toml")
+	require.NoError(t, os.WriteFile(buildkitdConfPath, []byte(buildkitdConf), 0644))
+
 	testCases := []struct {
-		name       string
-		flags      string
-		driver     string
-		driverOpts map[string]string
-		expected   []string
-		wantErr    bool
+		name                string
+		flags               string
+		driver              string
+		driverOpts          map[string]string
+		buildkitdConfigFile string
+		expected            []string
+		wantErr             bool
 	}{
 		{
 			"docker-container no flags",
 			"",
 			"docker-container",
 			nil,
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 			},
@@ -50,6 +67,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"",
 			"kubernetes",
 			nil,
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 			},
@@ -60,6 +78,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"",
 			"remote",
 			nil,
+			"",
 			nil,
 			false,
 		},
@@ -68,6 +87,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"--allow-insecure-entitlement=security.insecure",
 			"docker-container",
 			nil,
+			"",
 			[]string{
 				"--allow-insecure-entitlement=security.insecure",
 			},
@@ -78,6 +98,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
 			"docker-container",
 			nil,
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 				"--allow-insecure-entitlement=security.insecure",
@@ -89,6 +110,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"",
 			"docker-container",
 			map[string]string{"network": "host"},
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 			},
@@ -99,6 +121,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"--allow-insecure-entitlement=network.host",
 			"docker-container",
 			map[string]string{"network": "host"},
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 			},
@@ -109,17 +132,28 @@ func TestParseBuildkitdFlags(t *testing.T) {
 			"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
 			"docker-container",
 			map[string]string{"network": "host"},
+			"",
 			[]string{
 				"--allow-insecure-entitlement=network.host",
 				"--allow-insecure-entitlement=security.insecure",
 			},
 			false,
 		},
+		{
+			"docker-container with buildkitd conf setting network.host entitlement",
+			"",
+			"docker-container",
+			nil,
+			buildkitdConfPath,
+			nil,
+			false,
+		},
 		{
 			"error parsing flags",
 			"foo'",
 			"docker-container",
 			nil,
+			"",
 			nil,
 			true,
 		},
@@ -127,7 +161,7 @@ func TestParseBuildkitdFlags(t *testing.T) {
 	for _, tt := range testCases {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts)
+			flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts, tt.buildkitdConfigFile)
 			if tt.wantErr {
 				require.Error(t, err)
 				return
--- a/builder/node.go
+++ b/builder/node.go
@@ -8,7 +8,6 @@ import (

 	"github.com/containerd/platforms"
 	"github.com/docker/buildx/driver"
-	ctxkube "github.com/docker/buildx/driver/kubernetes/context"
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/dockerutil"
@@ -18,7 +17,6 @@ import (
 	"github.com/moby/buildkit/util/grpcerrors"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc/codes"
 )
@@ -119,37 +117,19 @@ func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []N
 					return nil
 				}

-				contextStore := b.opts.dockerCli.ContextStore()
-
-				var kcc driver.KubeClientConfig
-				kcc, err = ctxkube.ConfigFromEndpoint(n.Endpoint, contextStore)
-				if err != nil {
-					// err is returned if n.Endpoint is non-context name like "unix:///var/run/docker.sock".
-					// try again with name="default".
-					// FIXME(@AkihiroSuda): n should retain real context name.
-					kcc, err = ctxkube.ConfigFromEndpoint("default", contextStore)
-					if err != nil {
-						logrus.Error(err)
-					}
-				}
-
-				tryToUseKubeConfigInCluster := false
-				if kcc == nil {
-					tryToUseKubeConfigInCluster = true
-				} else {
-					if _, err := kcc.ClientConfig(); err != nil {
-						tryToUseKubeConfigInCluster = true
-					}
-				}
-				if tryToUseKubeConfigInCluster {
-					kccInCluster := driver.KubeClientConfigInCluster{}
-					if _, err := kccInCluster.ClientConfig(); err == nil {
-						logrus.Debug("using kube config in cluster")
-						kcc = kccInCluster
-					}
-				}
-
-				d, err := driver.GetDriver(ctx, driver.BuilderName(n.Name), factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.BuildkitdFlags, n.Files, n.DriverOpts, n.Platforms, b.opts.contextPathHash, lno.dialMeta)
+				d, err := driver.GetDriver(ctx, factory, driver.InitConfig{
+					Name:            driver.BuilderName(n.Name),
+					EndpointAddr:    n.Endpoint,
+					DockerAPI:       dockerapi,
+					ContextStore:    b.opts.dockerCli.ContextStore(),
+					BuildkitdFlags:  n.BuildkitdFlags,
+					Files:           n.Files,
+					DriverOpts:      n.DriverOpts,
+					Auth:            imageopt.Auth,
+					Platforms:       n.Platforms,
+					ContextPathHash: b.opts.contextPathHash,
+					DialMeta:        lno.dialMeta,
+				})
 				if err != nil {
 					node.Err = err
 					return nil
--- a/cmd/buildx/main.go
+++ b/cmd/buildx/main.go
@@ -27,6 +27,9 @@ import (
 	_ "github.com/docker/buildx/driver/docker-container"
 	_ "github.com/docker/buildx/driver/kubernetes"
 	_ "github.com/docker/buildx/driver/remote"
+
+	// Use custom grpc codec to utilize vtprotobuf
+	_ "github.com/moby/buildkit/util/grpcutil/encoding/proto"
 )

 func init() {
--- a/commands/bake.go
+++ b/commands/bake.go
@@ -4,12 +4,16 @@ import (
 	"bytes"
 	"cmp"
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
 	"os"
 	"slices"
+	"sort"
 	"strings"
+	"sync"
 	"text/tabwriter"

 	"github.com/containerd/console"
@@ -26,14 +30,15 @@ import (
 	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/desktop"
 	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/osutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/buildx/util/tracing"
 	"github.com/docker/cli/cli/command"
-	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel/attribute"
 )

 type bakeOptions struct {
@@ -44,6 +49,7 @@ type bakeOptions struct {
 	listVars    bool
 	sbom        string
 	provenance  string
+	allow       []string

 	builder      string
 	metadataFile string
@@ -53,6 +59,8 @@ type bakeOptions struct {
 }

 func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in bakeOptions, cFlags commonFlags) (err error) {
+	mp := dockerCli.MeterProvider()
+
 	ctx, end, err := tracing.TraceCurrentCommand(ctx, "bake")
 	if err != nil {
 		return err
@@ -61,27 +69,12 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 		end(err)
 	}()

-	var url string
-	cmdContext := "cwd://"
-
-	if len(targets) > 0 {
-		if build.IsRemoteURL(targets[0]) {
-			url = targets[0]
-			targets = targets[1:]
-			if len(targets) > 0 {
-				if build.IsRemoteURL(targets[0]) {
-					cmdContext = targets[0]
-					targets = targets[1:]
-				}
-			}
-		}
-	}
-
+	url, cmdContext, targets := bakeArgs(targets)
 	if len(targets) == 0 {
 		targets = []string{"default"}
 	}

-	callFunc, err := buildflags.ParsePrintFunc(in.callFunc)
+	callFunc, err := buildflags.ParseCallFunc(in.callFunc)
 	if err != nil {
 		return err
 	}
@@ -110,6 +103,11 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 	}
 	contextPathHash, _ := os.Getwd()

+	ent, err := bake.ParseEntitlements(in.allow)
+	if err != nil {
+		return err
+	}
+
 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()

@@ -117,6 +115,7 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 	var progressConsoleDesc, progressTextDesc string

 	// instance only needed for reading remote bake files or building
+	var driverType string
 	if url != "" || !in.printOnly {
 		b, err := builder.New(dockerCli,
 			builder.WithName(in.builder),
@@ -134,51 +133,33 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 		}
 		progressConsoleDesc = fmt.Sprintf("%s:%s", b.Driver, b.Name)
 		progressTextDesc = fmt.Sprintf("building with %q instance using %s driver", b.Name, b.Driver)
+		driverType = b.Driver
 	}

 	var term bool
 	if _, err := console.ConsoleFromFile(os.Stderr); err == nil {
 		term = true
 	}
+	attributes := bakeMetricAttributes(dockerCli, driverType, url, cmdContext, targets, &in)

 	progressMode := progressui.DisplayMode(cFlags.progress)
 	var printer *progress.Printer
-	printer, err = progress.NewPrinter(ctx2, os.Stderr, progressMode,
-		progress.WithDesc(progressTextDesc, progressConsoleDesc),
-		progress.WithOnClose(func() {
-			printWarnings(os.Stderr, printer.Warnings(), progressMode)
-		}),
-	)
-	if err != nil {
+
+	makePrinter := func() error {
+		var err error
+		printer, err = progress.NewPrinter(ctx2, os.Stderr, progressMode,
+			progress.WithDesc(progressTextDesc, progressConsoleDesc),
+			progress.WithMetrics(mp, attributes),
+			progress.WithOnClose(func() {
+				printWarnings(os.Stderr, printer.Warnings(), progressMode)
+			}),
+		)
 		return err
 	}

-	var resp map[string]*client.SolveResponse
-
-	defer func() {
-		if printer != nil {
-			err1 := printer.Wait()
-			if err == nil {
-				err = err1
-			}
-			if err != nil {
-				return
-			}
-			if progressMode != progressui.QuietMode && progressMode != progressui.RawJSONMode {
-				desktop.PrintBuildDetails(os.Stderr, printer.BuildRefs(), term)
-			}
-			if resp != nil && len(in.metadataFile) > 0 {
-				dt := make(map[string]interface{})
-				for t, r := range resp {
-					dt[t] = decodeExporterResponse(r.ExporterResponse)
-				}
-				if warnings := printer.Warnings(); len(warnings) > 0 && confutil.MetadataWarningsEnabled() {
-					dt["buildx.build.warnings"] = warnings
-				}
-				err = writeMetadataFile(in.metadataFile, dt)
-			}
-		}
-	}()
+	if err := makePrinter(); err != nil {
+		return err
+	}

 	files, inp, err := readBakeFiles(ctx, nodes, url, in.files, dockerCli.In(), printer)
 	if err != nil {
@@ -201,10 +182,7 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 		if err != nil {
 			return err
 		}
-
-		err = printer.Wait()
-		printer = nil
-		if err != nil {
+		if err = printer.Wait(); err != nil {
 			return err
 		}
 		if in.listTargets {
@@ -247,68 +225,79 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 	}

 	if in.printOnly {
-		dt, err := json.MarshalIndent(def, "", "  ")
+		if err = printer.Wait(); err != nil {
+			return err
+		}
+		dtdef, err := json.MarshalIndent(def, "", "  ")
 		if err != nil {
 			return err
 		}
-		err = printer.Wait()
-		printer = nil
-		if err != nil {
-			return err
-		}
-		fmt.Fprintln(dockerCli.Out(), string(dt))
-		return nil
+		_, err = fmt.Fprintln(dockerCli.Out(), string(dtdef))
+		return err
 	}

 	for _, opt := range bo {
-		if opt.PrintFunc != nil {
-			cf, err := buildflags.ParsePrintFunc(opt.PrintFunc.Name)
+		if opt.CallFunc != nil {
+			cf, err := buildflags.ParseCallFunc(opt.CallFunc.Name)
 			if err != nil {
 				return err
 			}
-			opt.PrintFunc.Name = cf.Name
+			opt.CallFunc.Name = cf.Name
 		}
 	}

-	prm := confutil.MetadataProvenance()
-	if len(in.metadataFile) == 0 {
-		prm = confutil.MetadataProvenanceModeDisabled
-	}
-
-	groupRef := identity.NewID()
-	var refs []string
-	for k, b := range bo {
-		b.Ref = identity.NewID()
-		b.GroupRef = groupRef
-		b.ProvenanceResponseMode = prm
-		refs = append(refs, b.Ref)
-		bo[k] = b
-	}
-	dt, err := json.Marshal(def)
+	exp, err := ent.Validate(bo)
 	if err != nil {
 		return err
 	}
-	if err := saveLocalStateGroup(dockerCli, groupRef, localstate.StateGroup{
-		Definition: dt,
-		Targets:    targets,
-		Inputs:     overrides,
-		Refs:       refs,
-	}); err != nil {
+	if err := exp.Prompt(ctx, &syncWriter{w: dockerCli.Err(), wait: printer.Wait}); err != nil {
+		return err
+	}
+	if printer.IsDone() {
+		// init new printer as old one was stopped to show the prompt
+		if err := makePrinter(); err != nil {
+			return err
+		}
+	}
+
+	if err := saveLocalStateGroup(dockerCli, in, targets, bo, overrides, def); err != nil {
 		return err
 	}

-	resp, err = build.Build(ctx, nodes, bo, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), printer)
-	if err != nil {
-		return wrapBuildError(err, true)
+	done := timeBuildCommand(mp, attributes)
+	resp, retErr := build.Build(ctx, nodes, bo, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), printer)
+	if err := printer.Wait(); retErr == nil {
+		retErr = err
 	}
+	if retErr != nil {
+		err = wrapBuildError(retErr, true)
+	}
+	done(err)

-	err = printer.Wait()
 	if err != nil {
 		return err
 	}

+	if progressMode != progressui.QuietMode && progressMode != progressui.RawJSONMode {
+		desktop.PrintBuildDetails(os.Stderr, printer.BuildRefs(), term)
+	}
+	if len(in.metadataFile) > 0 {
+		dt := make(map[string]interface{})
+		for t, r := range resp {
+			dt[t] = decodeExporterResponse(r.ExporterResponse)
+		}
+		if callFunc == nil {
+			if warnings := printer.Warnings(); len(warnings) > 0 && confutil.MetadataWarningsEnabled() {
+				dt["buildx.build.warnings"] = warnings
+			}
+		}
+		if err := writeMetadataFile(in.metadataFile, dt); err != nil {
+			return err
+		}
+	}
+
 	var callFormatJSON bool
-	var jsonResults = map[string]map[string]any{}
+	jsonResults := map[string]map[string]any{}
 	if callFunc != nil {
 		callFormatJSON = callFunc.Format == "json"
 	}
@@ -323,14 +312,14 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba

 	for _, name := range names {
 		req := bo[name]
-		if req.PrintFunc == nil {
+		if req.CallFunc == nil {
 			continue
 		}

-		pf := &pb.PrintFunc{
-			Name:         req.PrintFunc.Name,
-			Format:       req.PrintFunc.Format,
-			IgnoreStatus: req.PrintFunc.IgnoreStatus,
+		pf := &pb.CallFunc{
+			Name:         req.CallFunc.Name,
+			Format:       req.CallFunc.Format,
+			IgnoreStatus: req.CallFunc.IgnoreStatus,
 		}

 		if callFunc != nil {
@@ -346,7 +335,7 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 		if callFormatJSON {
 			jsonResults[name] = map[string]any{}
 			buf := &bytes.Buffer{}
-			if code, err := printResult(buf, pf, res); err != nil {
+			if code, err := printResult(buf, pf, res, name, &req.Inputs); err != nil {
 				jsonResults[name]["error"] = err.Error()
 				exitCode = 1
 			} else if code != 0 && exitCode == 0 {
@@ -372,7 +361,7 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 			}

 			fmt.Fprintln(dockerCli.Out())
-			if code, err := printResult(dockerCli.Out(), pf, res); err != nil {
+			if code, err := printResult(dockerCli.Out(), pf, res, name, &req.Inputs); err != nil {
 				fmt.Fprintf(dockerCli.Out(), "error: %v\n", err)
 				exitCode = 1
 			} else if code != 0 && exitCode == 0 {
@@ -394,7 +383,7 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 				"build": def,
 			}
 			if res, ok := jsonResults[name]; ok {
-				printName := bo[name].PrintFunc.Name
+				printName := bo[name].CallFunc.Name
 				if printName == "lint" {
 					printName = "check"
 				}
@@ -449,6 +438,7 @@ func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags.StringVar(&options.provenance, "provenance", "", `Shorthand for "--set=*.attest=type=provenance"`)
 	flags.StringArrayVar(&options.overrides, "set", nil, `Override target value (e.g., "targetpattern.key=value")`)
 	flags.StringVar(&options.callFunc, "call", "build", `Set method for evaluating build ("check", "outline", "targets")`)
+	flags.StringArrayVar(&options.allow, "allow", nil, "Allow build to access specified resources")

 	flags.VarPF(callAlias(&options.callFunc, "check"), "check", "", `Shorthand for "--call=check"`)
 	flags.Lookup("check").NoOptDefVal = "true"
@@ -466,12 +456,49 @@ func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	return cmd
 }

-func saveLocalStateGroup(dockerCli command.Cli, ref string, lsg localstate.StateGroup) error {
+func saveLocalStateGroup(dockerCli command.Cli, in bakeOptions, targets []string, bo map[string]build.Options, overrides []string, def any) error {
+	prm := confutil.MetadataProvenance()
+	if len(in.metadataFile) == 0 {
+		prm = confutil.MetadataProvenanceModeDisabled
+	}
+	groupRef := identity.NewID()
+	refs := make([]string, 0, len(bo))
+	for k, b := range bo {
+		b.Ref = identity.NewID()
+		b.GroupRef = groupRef
+		b.ProvenanceResponseMode = prm
+		refs = append(refs, b.Ref)
+		bo[k] = b
+	}
 	l, err := localstate.New(confutil.ConfigDir(dockerCli))
 	if err != nil {
 		return err
 	}
-	return l.SaveGroup(ref, lsg)
+	dtdef, err := json.MarshalIndent(def, "", "  ")
+	if err != nil {
+		return err
+	}
+	return l.SaveGroup(groupRef, localstate.StateGroup{
+		Definition: dtdef,
+		Targets:    targets,
+		Inputs:     overrides,
+		Refs:       refs,
+	})
+}
+
+// bakeArgs will retrieve the remote url, command context, and targets
+// from the command line arguments.
+func bakeArgs(args []string) (url, cmdContext string, targets []string) {
+	cmdContext, targets = "cwd://", args
+	if len(targets) == 0 || !build.IsRemoteURL(targets[0]) {
+		return url, cmdContext, targets
+	}
+	url, targets = targets[0], targets[1:]
+	if len(targets) == 0 || !build.IsRemoteURL(targets[0]) {
+		return url, cmdContext, targets
+	}
+	cmdContext, targets = targets[0], targets[1:]
+	return url, cmdContext, targets
 }

 func readBakeFiles(ctx context.Context, nodes []builder.Node, url string, names []string, stdin io.Reader, pw progress.Writer) (files []bake.File, inp *bake.Input, err error) {
@@ -588,3 +615,85 @@ func printTargetList(w io.Writer, cfg *bake.Config) error {

 	return nil
 }
+
+func bakeMetricAttributes(dockerCli command.Cli, driverType, url, cmdContext string, targets []string, options *bakeOptions) attribute.Set {
+	return attribute.NewSet(
+		commandNameAttribute.String("bake"),
+		attribute.Stringer(string(commandOptionsHash), &bakeOptionsHash{
+			bakeOptions: options,
+			configDir:   confutil.ConfigDir(dockerCli),
+			url:         url,
+			cmdContext:  cmdContext,
+			targets:     targets,
+		}),
+		driverNameAttribute.String(options.builder),
+		driverTypeAttribute.String(driverType),
+	)
+}
+
+type bakeOptionsHash struct {
+	*bakeOptions
+	configDir  string
+	url        string
+	cmdContext string
+	targets    []string
+	result     string
+	resultOnce sync.Once
+}
+
+func (o *bakeOptionsHash) String() string {
+	o.resultOnce.Do(func() {
+		url := o.url
+		cmdContext := o.cmdContext
+		if cmdContext == "cwd://" {
+			// Resolve the directory if the cmdContext is the current working directory.
+			cmdContext = osutil.GetWd()
+		}
+
+		// Sort the inputs for files and targets since the ordering
+		// doesn't matter, but avoid modifying the original slice.
+		files := immutableSort(o.files)
+		targets := immutableSort(o.targets)
+
+		joinedFiles := strings.Join(files, ",")
+		joinedTargets := strings.Join(targets, ",")
+		salt := confutil.TryNodeIdentifier(o.configDir)
+
+		h := sha256.New()
+		for _, s := range []string{url, cmdContext, joinedFiles, joinedTargets, salt} {
+			_, _ = io.WriteString(h, s)
+			h.Write([]byte{0})
+		}
+		o.result = hex.EncodeToString(h.Sum(nil))
+	})
+	return o.result
+}
+
+// immutableSort will sort the entries in s without modifying the original slice.
+func immutableSort(s []string) []string {
+	if !sort.StringsAreSorted(s) {
+		cpy := make([]string, len(s))
+		copy(cpy, s)
+		sort.Strings(cpy)
+		return cpy
+	}
+	return s
+}
+
+type syncWriter struct {
+	w    io.Writer
+	once sync.Once
+	wait func() error
+}
+
+func (w *syncWriter) Write(p []byte) (n int, err error) {
+	w.once.Do(func() {
+		if w.wait != nil {
+			err = w.wait()
+		}
+	})
+	if err != nil {
+		return 0, err
+	}
+	return w.w.Write(p)
+}
--- a/commands/build.go
+++ b/commands/build.go
@@ -49,6 +49,7 @@ import (
 	"github.com/moby/buildkit/frontend/subrequests/outline"
 	"github.com/moby/buildkit/frontend/subrequests/targets"
 	"github.com/moby/buildkit/solver/errdefs"
+	solverpb "github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/grpcerrors"
 	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/morikuni/aec"
@@ -60,6 +61,7 @@ import (
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/protobuf/proto"
 )

 type buildOptions struct {
@@ -79,7 +81,7 @@ type buildOptions struct {
 	noCacheFilter  []string
 	outputs        []string
 	platforms      []string
-	printFunc      string
+	callFunc       string
 	secrets        []string
 	shmSize        dockeropts.MemBytes
 	ssh            []string
@@ -199,13 +201,13 @@ func (o *buildOptions) toControllerOptions() (*controllerapi.BuildOptions, error
 		return nil, err
 	}

-	opts.PrintFunc, err = buildflags.ParsePrintFunc(o.printFunc)
+	opts.CallFunc, err = buildflags.ParseCallFunc(o.callFunc)
 	if err != nil {
 		return nil, err
 	}

 	prm := confutil.MetadataProvenance()
-	if opts.PrintFunc != nil || len(o.metadataFile) == 0 {
+	if opts.CallFunc != nil || len(o.metadataFile) == 0 {
 		prm = confutil.MetadataProvenanceModeDisabled
 	}
 	opts.ProvenanceResponseMode = string(prm)
@@ -224,15 +226,22 @@ func (o *buildOptions) toDisplayMode() (progressui.DisplayMode, error) {
 	return progress, nil
 }

-func buildMetricAttributes(dockerCli command.Cli, b *builder.Builder, options *buildOptions) attribute.Set {
+const (
+	commandNameAttribute = attribute.Key("command.name")
+	commandOptionsHash   = attribute.Key("command.options.hash")
+	driverNameAttribute  = attribute.Key("driver.name")
+	driverTypeAttribute  = attribute.Key("driver.type")
+)
+
+func buildMetricAttributes(dockerCli command.Cli, driverType string, options *buildOptions) attribute.Set {
 	return attribute.NewSet(
-		attribute.String("command.name", "build"),
-		attribute.Stringer("command.options.hash", &buildOptionsHash{
+		commandNameAttribute.String("build"),
+		attribute.Stringer(string(commandOptionsHash), &buildOptionsHash{
 			buildOptions: options,
 			configDir:    confutil.ConfigDir(dockerCli),
 		}),
-		attribute.String("driver.name", options.builder),
-		attribute.String("driver.type", b.Driver),
+		driverNameAttribute.String(options.builder),
+		driverTypeAttribute.String(driverType),
 	)
 }

@@ -308,12 +317,13 @@ func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions)
 	if err != nil {
 		return err
 	}
+	driverType := b.Driver

 	var term bool
 	if _, err := console.ConsoleFromFile(os.Stderr); err == nil {
 		term = true
 	}
-	attributes := buildMetricAttributes(dockerCli, b, &options)
+	attributes := buildMetricAttributes(dockerCli, driverType, &options)

 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()
@@ -338,11 +348,12 @@ func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions)

 	done := timeBuildCommand(mp, attributes)
 	var resp *client.SolveResponse
+	var inputs *build.Inputs
 	var retErr error
 	if confutil.IsExperimental() {
-		resp, retErr = runControllerBuild(ctx, dockerCli, opts, options, printer)
+		resp, inputs, retErr = runControllerBuild(ctx, dockerCli, opts, options, printer)
 	} else {
-		resp, retErr = runBasicBuild(ctx, dockerCli, opts, printer)
+		resp, inputs, retErr = runBasicBuild(ctx, dockerCli, opts, printer)
 	}

 	if err := printer.Wait(); retErr == nil {
@@ -367,21 +378,24 @@ func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions)
 			return errors.Wrap(err, "writing image ID file")
 		}
 	}
-	if opts.PrintFunc != nil {
-		if exitcode, err := printResult(dockerCli.Out(), opts.PrintFunc, resp.ExporterResponse); err != nil {
-			return err
-		} else if exitcode != 0 {
-			os.Exit(exitcode)
-		}
-	} else if options.metadataFile != "" {
+	if options.metadataFile != "" {
 		dt := decodeExporterResponse(resp.ExporterResponse)
-		if warnings := printer.Warnings(); len(warnings) > 0 && confutil.MetadataWarningsEnabled() {
-			dt["buildx.build.warnings"] = warnings
+		if opts.CallFunc == nil {
+			if warnings := printer.Warnings(); len(warnings) > 0 && confutil.MetadataWarningsEnabled() {
+				dt["buildx.build.warnings"] = warnings
+			}
 		}
 		if err := writeMetadataFile(options.metadataFile, dt); err != nil {
 			return err
 		}
 	}
+	if opts.CallFunc != nil {
+		if exitcode, err := printResult(dockerCli.Out(), opts.CallFunc, resp.ExporterResponse, options.target, inputs); err != nil {
+			return err
+		} else if exitcode != 0 {
+			os.Exit(exitcode)
+		}
+	}
 	return nil
 }

@@ -394,22 +408,22 @@ func getImageID(resp map[string]string) string {
 	return dgst
 }

-func runBasicBuild(ctx context.Context, dockerCli command.Cli, opts *controllerapi.BuildOptions, printer *progress.Printer) (*client.SolveResponse, error) {
-	resp, res, err := cbuild.RunBuild(ctx, dockerCli, *opts, dockerCli.In(), printer, false)
+func runBasicBuild(ctx context.Context, dockerCli command.Cli, opts *controllerapi.BuildOptions, printer *progress.Printer) (*client.SolveResponse, *build.Inputs, error) {
+	resp, res, dfmap, err := cbuild.RunBuild(ctx, dockerCli, opts, dockerCli.In(), printer, false)
 	if res != nil {
 		res.Done()
 	}
-	return resp, err
+	return resp, dfmap, err
 }

-func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *controllerapi.BuildOptions, options buildOptions, printer *progress.Printer) (*client.SolveResponse, error) {
+func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *controllerapi.BuildOptions, options buildOptions, printer *progress.Printer) (*client.SolveResponse, *build.Inputs, error) {
 	if options.invokeConfig != nil && (options.dockerfileName == "-" || options.contextPath == "-") {
 		// stdin must be usable for monitor
-		return nil, errors.Errorf("Dockerfile or context from stdin is not supported with invoke")
+		return nil, nil, errors.Errorf("Dockerfile or context from stdin is not supported with invoke")
 	}
 	c, err := controller.NewController(ctx, options.ControlOptions, dockerCli, printer)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	defer func() {
 		if err := c.Close(); err != nil {
@@ -421,12 +435,13 @@ func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *contro
 	// so we need to resolve paths to abosolute ones in the client.
 	opts, err = controllerapi.ResolveOptionPaths(opts)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	var ref string
 	var retErr error
 	var resp *client.SolveResponse
+	var inputs *build.Inputs

 	var f *ioset.SingleForwarder
 	var pr io.ReadCloser
@@ -444,7 +459,7 @@ func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *contro
 		})
 	}

-	ref, resp, err = c.Build(ctx, *opts, pr, printer)
+	ref, resp, inputs, err = c.Build(ctx, opts, pr, printer)
 	if err != nil {
 		var be *controllererrors.BuildError
 		if errors.As(err, &be) {
@@ -452,7 +467,7 @@ func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *contro
 			retErr = err
 			// We can proceed to monitor
 		} else {
-			return nil, errors.Wrapf(err, "failed to build")
+			return nil, nil, errors.Wrapf(err, "failed to build")
 		}
 	}

@@ -493,7 +508,7 @@ func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *contro
 		}
 	}

-	return resp, retErr
+	return resp, inputs, retErr
 }

 func printError(err error, printer *progress.Printer) error {
@@ -634,8 +649,8 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 		cobrautil.MarkFlagsExperimental(flags, "root", "detach", "server-config")
 	}

-	flags.StringVar(&options.printFunc, "call", "build", `Set method for evaluating build ("check", "outline", "targets")`)
-	flags.VarPF(callAlias(&options.printFunc, "check"), "check", "", `Shorthand for "--call=check"`)
+	flags.StringVar(&options.callFunc, "call", "build", `Set method for evaluating build ("check", "outline", "targets")`)
+	flags.VarPF(callAlias(&options.callFunc, "check"), "check", "", `Shorthand for "--call=check"`)
 	flags.Lookup("check").NoOptDefVal = "true"

 	// hidden flags
@@ -644,7 +659,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	var ignoreBool bool
 	var ignoreInt int64

-	flags.StringVar(&options.printFunc, "print", "", "Print result of information request (e.g., outline, targets)")
+	flags.StringVar(&options.callFunc, "print", "", "Print result of information request (e.g., outline, targets)")
 	cobrautil.MarkFlagsExperimental(flags, "print")
 	flags.MarkHidden("print")

@@ -731,9 +746,17 @@ func writeMetadataFile(filename string, dt interface{}) error {
 }

 func decodeExporterResponse(exporterResponse map[string]string) map[string]interface{} {
+	decFunc := func(k, v string) ([]byte, error) {
+		if k == "result.json" {
+			// result.json is part of metadata response for subrequests which
+			// is already a JSON object: https://github.com/moby/buildkit/blob/f6eb72f2f5db07ddab89ac5e2bd3939a6444f4be/frontend/dockerui/requests.go#L100-L102
+			return []byte(v), nil
+		}
+		return base64.StdEncoding.DecodeString(v)
+	}
 	out := make(map[string]interface{})
 	for k, v := range exporterResponse {
-		dt, err := base64.StdEncoding.DecodeString(v)
+		dt, err := decFunc(k, v)
 		if err != nil {
 			out[k] = v
 			continue
@@ -835,7 +858,7 @@ func printWarnings(w io.Writer, warnings []client.VertexWarning, mode progressui
 		fmt.Fprintf(sb, "%d warnings found", len(warnings))
 	}
 	if logrus.GetLevel() < logrus.DebugLevel {
-		fmt.Fprintf(sb, " (use --debug to expand)")
+		fmt.Fprintf(sb, " (use docker --debug to expand)")
 	}
 	fmt.Fprintf(sb, ":\n")
 	fmt.Fprint(w, aec.Apply(sb.String(), aec.YellowF))
@@ -863,7 +886,7 @@ func printWarnings(w io.Writer, warnings []client.VertexWarning, mode progressui
 	}
 }

-func printResult(w io.Writer, f *controllerapi.PrintFunc, res map[string]string) (int, error) {
+func printResult(w io.Writer, f *controllerapi.CallFunc, res map[string]string, target string, inp *build.Inputs) (int, error) {
 	switch f.Name {
 	case "outline":
 		return 0, printValue(w, outline.PrintOutline, outline.SubrequestsOutlineDefinition.Version, f.Format, res)
@@ -872,17 +895,48 @@ func printResult(w io.Writer, f *controllerapi.PrintFunc, res map[string]string)
 	case "subrequests.describe":
 		return 0, printValue(w, subrequests.PrintDescribe, subrequests.SubrequestsDescribeDefinition.Version, f.Format, res)
 	case "lint":
-		err := printValue(w, lint.PrintLintViolations, lint.SubrequestLintDefinition.Version, f.Format, res)
-		if err != nil {
-			return 0, err
-		}
-
 		lintResults := lint.LintResults{}
 		if result, ok := res["result.json"]; ok {
 			if err := json.Unmarshal([]byte(result), &lintResults); err != nil {
 				return 0, err
 			}
 		}
+
+		warningCount := len(lintResults.Warnings)
+		if f.Format != "json" && warningCount > 0 {
+			var warningCountMsg string
+			if warningCount == 1 {
+				warningCountMsg = "1 warning has been found!"
+			} else if warningCount > 1 {
+				warningCountMsg = fmt.Sprintf("%d warnings have been found!", warningCount)
+			}
+			fmt.Fprintf(w, "Check complete, %s\n", warningCountMsg)
+		}
+		sourceInfoMap := func(sourceInfo *solverpb.SourceInfo) *solverpb.SourceInfo {
+			if sourceInfo == nil || inp == nil {
+				return sourceInfo
+			}
+			if target == "" {
+				target = "default"
+			}
+
+			if inp.DockerfileMappingSrc != "" {
+				newSourceInfo := proto.Clone(sourceInfo).(*solverpb.SourceInfo)
+				newSourceInfo.Filename = inp.DockerfileMappingSrc
+				return newSourceInfo
+			}
+			return sourceInfo
+		}
+
+		printLintWarnings := func(dt []byte, w io.Writer) error {
+			return lintResults.PrintTo(w, sourceInfoMap)
+		}
+
+		err := printValue(w, printLintWarnings, lint.SubrequestLintDefinition.Version, f.Format, res)
+		if err != nil {
+			return 0, err
+		}
+
 		if lintResults.Error != nil {
 			// Print the error message and the source
 			// Normally, we would use `errdefs.WithSource` to attach the source to the
@@ -893,13 +947,8 @@ func printResult(w io.Writer, f *controllerapi.PrintFunc, res map[string]string)
 			if f.Format != "json" && len(lintResults.Warnings) > 0 {
 				fmt.Fprintln(w)
 			}
-			lintBuf := bytes.NewBuffer([]byte(lintResults.Error.Message + "\n"))
-			sourceInfo := lintResults.Sources[lintResults.Error.Location.SourceIndex]
-			source := errdefs.Source{
-				Info:   sourceInfo,
-				Ranges: lintResults.Error.Location.Ranges,
-			}
-			source.Print(lintBuf)
+			lintBuf := bytes.NewBuffer(nil)
+			lintResults.PrintErrorTo(lintBuf, sourceInfoMap)
 			return 0, errors.New(lintBuf.String())
 		} else if len(lintResults.Warnings) == 0 && f.Format != "json" {
 			fmt.Fprintln(w, "Check complete, no warnings found.")
@@ -921,9 +970,9 @@ func printResult(w io.Writer, f *controllerapi.PrintFunc, res map[string]string)
 	return 0, nil
 }

-type printFunc func([]byte, io.Writer) error
+type callFunc func([]byte, io.Writer) error

-func printValue(w io.Writer, printer printFunc, version string, format string, res map[string]string) error {
+func printValue(w io.Writer, printer callFunc, version string, format string, res map[string]string) error {
 	if format == "json" {
 		fmt.Fprintln(w, res["result.json"])
 		return nil
@@ -964,7 +1013,7 @@ func (cfg *invokeConfig) runDebug(ctx context.Context, ref string, options *cont
 		return nil, errors.Errorf("failed to configure terminal: %v", err)
 	}
 	defer con.Reset()
-	return monitor.RunMonitor(ctx, ref, options, cfg.InvokeConfig, c, stdin, stdout, stderr, progress)
+	return monitor.RunMonitor(ctx, ref, options, &cfg.InvokeConfig, c, stdin, stdout, stderr, progress)
 }

 func (cfg *invokeConfig) parseInvokeConfig(invoke, on string) error {
--- a/commands/debug/root.go
+++ b/commands/debug/root.go
@@ -64,7 +64,7 @@ func RootCmd(dockerCli command.Cli, children ...DebuggableCmd) *cobra.Command {
 				return errors.Errorf("failed to configure terminal: %v", err)
 			}

-			_, err = monitor.RunMonitor(ctx, "", nil, controllerapi.InvokeConfig{
+			_, err = monitor.RunMonitor(ctx, "", nil, &controllerapi.InvokeConfig{
 				Tty: true,
 			}, c, dockerCli.In(), os.Stdout, os.Stderr, printer)
 			con.Reset()
--- a/commands/inspect.go
+++ b/commands/inspect.go
@@ -122,8 +122,20 @@ func runInspect(ctx context.Context, dockerCli command.Cli, in inspectOptions) e
 					if rule.KeepDuration > 0 {
 						fmt.Fprintf(w, "\tKeep Duration:\t%v\n", rule.KeepDuration.String())
 					}
-					if rule.KeepBytes > 0 {
-						fmt.Fprintf(w, "\tKeep Bytes:\t%s\n", units.BytesSize(float64(rule.KeepBytes)))
+					if rule.ReservedSpace > 0 {
+						fmt.Fprintf(w, "\tReserved Space:\t%s\n", units.BytesSize(float64(rule.ReservedSpace)))
+					}
+					if rule.MaxUsedSpace > 0 {
+						fmt.Fprintf(w, "\tMax Used Space:\t%s\n", units.BytesSize(float64(rule.MaxUsedSpace)))
+					}
+					if rule.MinFreeSpace > 0 {
+						fmt.Fprintf(w, "\tMin Free Space:\t%s\n", units.BytesSize(float64(rule.MinFreeSpace)))
+					}
+				}
+				for f, dt := range nodes[i].Files {
+					fmt.Fprintf(w, "File#%s:\n", f)
+					for _, line := range strings.Split(string(dt), "\n") {
+						fmt.Fprintf(w, "\t> %s\n", line)
 					}
 				}
 			}
--- a/commands/ls.go
+++ b/commands/ls.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"

+	"github.com/containerd/platforms"
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
@@ -35,7 +36,8 @@ const (
 )

 type lsOptions struct {
-	format string
+	format  string
+	noTrunc bool
 }

 func runLs(ctx context.Context, dockerCli command.Cli, in lsOptions) error {
@@ -72,7 +74,7 @@ func runLs(ctx context.Context, dockerCli command.Cli, in lsOptions) error {
 		return err
 	}

-	if hasErrors, err := lsPrint(dockerCli, current, builders, in.format); err != nil {
+	if hasErrors, err := lsPrint(dockerCli, current, builders, in); err != nil {
 		return err
 	} else if hasErrors {
 		_, _ = fmt.Fprintf(dockerCli.Err(), "\n")
@@ -107,6 +109,7 @@ func lsCmd(dockerCli command.Cli) *cobra.Command {

 	flags := cmd.Flags()
 	flags.StringVar(&options.format, "format", formatter.TableFormatKey, "Format the output")
+	flags.BoolVar(&options.noTrunc, "no-trunc", false, "Don't truncate output")

 	// hide builder persistent flag for this command
 	cobrautil.HideInheritedFlags(cmd, "builder")
@@ -114,14 +117,15 @@ func lsCmd(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }

-func lsPrint(dockerCli command.Cli, current *store.NodeGroup, builders []*builder.Builder, format string) (hasErrors bool, _ error) {
-	if format == formatter.TableFormatKey {
-		format = lsDefaultTableFormat
+func lsPrint(dockerCli command.Cli, current *store.NodeGroup, builders []*builder.Builder, in lsOptions) (hasErrors bool, _ error) {
+	if in.format == formatter.TableFormatKey {
+		in.format = lsDefaultTableFormat
 	}

 	ctx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: formatter.Format(format),
+		Format: formatter.Format(in.format),
+		Trunc:  !in.noTrunc,
 	}

 	sort.SliceStable(builders, func(i, j int) bool {
@@ -138,11 +142,12 @@ func lsPrint(dockerCli command.Cli, current *store.NodeGroup, builders []*builde
 	render := func(format func(subContext formatter.SubContext) error) error {
 		for _, b := range builders {
 			if err := format(&lsContext{
+				format: ctx.Format,
+				trunc:  ctx.Trunc,
 				Builder: &lsBuilder{
 					Builder: b,
 					Current: b.Name == current.Name,
 				},
-				format: ctx.Format,
 			}); err != nil {
 				return err
 			}
@@ -160,6 +165,7 @@ func lsPrint(dockerCli command.Cli, current *store.NodeGroup, builders []*builde
 				}
 				if err := format(&lsContext{
 					format: ctx.Format,
+					trunc:  ctx.Trunc,
 					Builder: &lsBuilder{
 						Builder: b,
 						Current: b.Name == current.Name,
@@ -196,6 +202,7 @@ type lsContext struct {
 	Builder *lsBuilder

 	format formatter.Format
+	trunc  bool
 	node   builder.Node
 }

@@ -261,7 +268,11 @@ func (c *lsContext) Platforms() string {
 	if c.node.Name == "" {
 		return ""
 	}
-	return strings.Join(platformutil.FormatInGroups(c.node.Node.Platforms, c.node.Platforms), ", ")
+	pfs := platformutil.FormatInGroups(c.node.Node.Platforms, c.node.Platforms)
+	if c.trunc && c.format.IsTable() {
+		return truncPlatforms(pfs, 4).String()
+	}
+	return strings.Join(pfs, ", ")
 }

 func (c *lsContext) Error() string {
@@ -272,3 +283,133 @@ func (c *lsContext) Error() string {
 	}
 	return ""
 }
+
+var truncMajorPlatforms = []string{
+	"linux/amd64",
+	"linux/arm64",
+	"linux/arm",
+	"linux/ppc64le",
+	"linux/s390x",
+	"linux/riscv64",
+	"linux/mips64",
+}
+
+type truncatedPlatforms struct {
+	res   map[string][]string
+	input []string
+	max   int
+}
+
+func (tp truncatedPlatforms) List() map[string][]string {
+	return tp.res
+}
+
+func (tp truncatedPlatforms) String() string {
+	var out []string
+	var count int
+
+	var keys []string
+	for k := range tp.res {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
+	seen := make(map[string]struct{})
+	for _, mpf := range truncMajorPlatforms {
+		if tpf, ok := tp.res[mpf]; ok {
+			seen[mpf] = struct{}{}
+			if len(tpf) == 1 {
+				out = append(out, fmt.Sprintf("%s", tpf[0]))
+				count++
+			} else {
+				hasPreferredPlatform := false
+				for _, pf := range tpf {
+					if strings.HasSuffix(pf, "*") {
+						hasPreferredPlatform = true
+						break
+					}
+				}
+				mainpf := mpf
+				if hasPreferredPlatform {
+					mainpf += "*"
+				}
+				out = append(out, fmt.Sprintf("%s (+%d)", mainpf, len(tpf)))
+				count += len(tpf)
+			}
+		}
+	}
+
+	for _, mpf := range keys {
+		if len(out) >= tp.max {
+			break
+		}
+		if _, ok := seen[mpf]; ok {
+			continue
+		}
+		if len(tp.res[mpf]) == 1 {
+			out = append(out, fmt.Sprintf("%s", tp.res[mpf][0]))
+			count++
+		} else {
+			hasPreferredPlatform := false
+			for _, pf := range tp.res[mpf] {
+				if strings.HasSuffix(pf, "*") {
+					hasPreferredPlatform = true
+					break
+				}
+			}
+			mainpf := mpf
+			if hasPreferredPlatform {
+				mainpf += "*"
+			}
+			out = append(out, fmt.Sprintf("%s (+%d)", mainpf, len(tp.res[mpf])))
+			count += len(tp.res[mpf])
+		}
+	}
+
+	left := len(tp.input) - count
+	if left > 0 {
+		out = append(out, fmt.Sprintf("(%d more)", left))
+	}
+
+	return strings.Join(out, ", ")
+}
+
+func truncPlatforms(pfs []string, max int) truncatedPlatforms {
+	res := make(map[string][]string)
+	for _, mpf := range truncMajorPlatforms {
+		for _, pf := range pfs {
+			if len(res) >= max {
+				break
+			}
+			pp, err := platforms.Parse(strings.TrimSuffix(pf, "*"))
+			if err != nil {
+				continue
+			}
+			if pp.OS+"/"+pp.Architecture == mpf {
+				res[mpf] = append(res[mpf], pf)
+			}
+		}
+	}
+	left := make(map[string][]string)
+	for _, pf := range pfs {
+		if len(res) >= max {
+			break
+		}
+		pp, err := platforms.Parse(strings.TrimSuffix(pf, "*"))
+		if err != nil {
+			continue
+		}
+		ppf := strings.TrimSuffix(pp.OS+"/"+pp.Architecture, "*")
+		if _, ok := res[ppf]; !ok {
+			left[ppf] = append(left[ppf], pf)
+		}
+	}
+	for k, v := range left {
+		res[k] = v
+	}
+	return truncatedPlatforms{
+		res:   res,
+		input: pfs,
+		max:   max,
+	}
+}
--- a/commands/ls_test.go
+++ b/commands/ls_test.go
@@ -0,0 +1,174 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTruncPlatforms(t *testing.T) {
+	tests := []struct {
+		name         string
+		platforms    []string
+		max          int
+		expectedList map[string][]string
+		expectedOut  string
+	}{
+		{
+			name:      "arm64 preferred and emulated",
+			platforms: []string{"linux/arm64*", "linux/amd64", "linux/amd64/v2", "linux/riscv64", "linux/ppc64le", "linux/s390x", "linux/386", "linux/mips64le", "linux/mips64", "linux/arm/v7", "linux/arm/v6"},
+			max:       4,
+			expectedList: map[string][]string{
+				"linux/amd64": {
+					"linux/amd64",
+					"linux/amd64/v2",
+				},
+				"linux/arm": {
+					"linux/arm/v7",
+					"linux/arm/v6",
+				},
+				"linux/arm64": {
+					"linux/arm64*",
+				},
+				"linux/ppc64le": {
+					"linux/ppc64le",
+				},
+			},
+			expectedOut: "linux/amd64 (+2), linux/arm64*, linux/arm (+2), linux/ppc64le, (5 more)",
+		},
+		{
+			name:      "riscv64 preferred only",
+			platforms: []string{"linux/riscv64*"},
+			max:       4,
+			expectedList: map[string][]string{
+				"linux/riscv64": {
+					"linux/riscv64*",
+				},
+			},
+			expectedOut: "linux/riscv64*",
+		},
+		{
+			name:      "amd64 no preferred and emulated",
+			platforms: []string{"linux/amd64", "linux/amd64/v2", "linux/amd64/v3", "linux/386", "linux/arm64", "linux/riscv64", "linux/ppc64le", "linux/s390x", "linux/mips64le", "linux/mips64", "linux/arm/v7", "linux/arm/v6"},
+			max:       4,
+			expectedList: map[string][]string{
+				"linux/amd64": {
+					"linux/amd64",
+					"linux/amd64/v2",
+					"linux/amd64/v3",
+				},
+				"linux/arm": {
+					"linux/arm/v7",
+					"linux/arm/v6",
+				},
+				"linux/arm64": {
+					"linux/arm64",
+				},
+				"linux/ppc64le": {
+					"linux/ppc64le",
+				}},
+			expectedOut: "linux/amd64 (+3), linux/arm64, linux/arm (+2), linux/ppc64le, (5 more)",
+		},
+		{
+			name:      "amd64 no preferred",
+			platforms: []string{"linux/amd64", "linux/386"},
+			max:       4,
+			expectedList: map[string][]string{
+				"linux/386": {
+					"linux/386",
+				},
+				"linux/amd64": {
+					"linux/amd64",
+				},
+			},
+			expectedOut: "linux/amd64, linux/386",
+		},
+		{
+			name:      "arm64 no preferred",
+			platforms: []string{"linux/arm64", "linux/arm/v7", "linux/arm/v6"},
+			max:       4,
+			expectedList: map[string][]string{
+				"linux/arm": {
+					"linux/arm/v7",
+					"linux/arm/v6",
+				},
+				"linux/arm64": {
+					"linux/arm64",
+				},
+			},
+			expectedOut: "linux/arm64, linux/arm (+2)",
+		},
+		{
+			name:      "all preferred",
+			platforms: []string{"darwin/arm64*", "linux/arm64*", "linux/arm/v5*", "linux/arm/v6*", "linux/arm/v7*", "windows/arm64*"},
+			max:       4,
+			expectedList: map[string][]string{
+				"darwin/arm64": {
+					"darwin/arm64*",
+				},
+				"linux/arm": {
+					"linux/arm/v5*",
+					"linux/arm/v6*",
+					"linux/arm/v7*",
+				},
+				"linux/arm64": {
+					"linux/arm64*",
+				},
+				"windows/arm64": {
+					"windows/arm64*",
+				},
+			},
+			expectedOut: "linux/arm64*, linux/arm* (+3), darwin/arm64*, windows/arm64*",
+		},
+		{
+			name:      "no major preferred",
+			platforms: []string{"linux/amd64/v2*", "linux/arm/v6*", "linux/mips64le*", "linux/amd64", "linux/amd64/v3", "linux/386", "linux/arm64", "linux/riscv64", "linux/ppc64le", "linux/s390x", "linux/mips64", "linux/arm/v7"},
+			max:       4,
+			expectedList: map[string][]string{
+				"linux/amd64": {
+					"linux/amd64/v2*",
+					"linux/amd64",
+					"linux/amd64/v3",
+				},
+				"linux/arm": {
+					"linux/arm/v6*",
+					"linux/arm/v7",
+				},
+				"linux/arm64": {
+					"linux/arm64",
+				},
+				"linux/ppc64le": {
+					"linux/ppc64le",
+				},
+			},
+			expectedOut: "linux/amd64* (+3), linux/arm64, linux/arm* (+2), linux/ppc64le, (5 more)",
+		},
+		{
+			name:      "no major with multiple variants",
+			platforms: []string{"linux/arm64", "linux/arm/v7", "linux/arm/v6", "linux/mips64le/softfloat", "linux/mips64le/hardfloat"},
+			max:       4,
+			expectedList: map[string][]string{
+				"linux/arm": {
+					"linux/arm/v7",
+					"linux/arm/v6",
+				},
+				"linux/arm64": {
+					"linux/arm64",
+				},
+				"linux/mips64le": {
+					"linux/mips64le/softfloat",
+					"linux/mips64le/hardfloat",
+				},
+			},
+			expectedOut: "linux/arm64, linux/arm (+2), linux/mips64le (+2)",
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			tpfs := truncPlatforms(tt.platforms, tt.max)
+			assert.Equal(t, tt.expectedList, tpfs.List())
+			assert.Equal(t, tt.expectedOut, tpfs.String())
+		})
+	}
+}
--- a/commands/prune.go
+++ b/commands/prune.go
@@ -22,12 +22,14 @@ import (
 )

 type pruneOptions struct {
-	builder     string
-	all         bool
-	filter      opts.FilterOpt
-	keepStorage opts.MemBytes
-	force       bool
-	verbose     bool
+	builder       string
+	all           bool
+	filter        opts.FilterOpt
+	reservedSpace opts.MemBytes
+	maxUsedSpace  opts.MemBytes
+	minFreeSpace  opts.MemBytes
+	force         bool
+	verbose       bool
 }

 const (
@@ -106,7 +108,7 @@ func runPrune(ctx context.Context, dockerCli command.Cli, opts pruneOptions) err
 						return err
 					}
 					popts := []client.PruneOption{
-						client.WithKeepOpt(pi.KeepDuration, opts.keepStorage.Value()),
+						client.WithKeepOpt(pi.KeepDuration, opts.reservedSpace.Value(), opts.maxUsedSpace.Value(), opts.minFreeSpace.Value()),
 						client.WithFilter(pi.Filter),
 					}
 					if opts.all {
@@ -148,10 +150,15 @@ func pruneCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags := cmd.Flags()
 	flags.BoolVarP(&options.all, "all", "a", false, "Include internal/frontend images")
 	flags.Var(&options.filter, "filter", `Provide filter values (e.g., "until=24h")`)
-	flags.Var(&options.keepStorage, "keep-storage", "Amount of disk space to keep for cache")
+	flags.Var(&options.reservedSpace, "reserved-space", "Amount of disk space always allowed to keep for cache")
+	flags.Var(&options.minFreeSpace, "min-free-space", "Target amount of free disk space after pruning")
+	flags.Var(&options.maxUsedSpace, "max-used-space", "Maximum amount of disk space allowed to keep for cache")
 	flags.BoolVar(&options.verbose, "verbose", false, "Provide a more verbose output")
 	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")

+	flags.Var(&options.reservedSpace, "keep-storage", "Amount of disk space to keep for cache")
+	flags.MarkDeprecated("keep-storage", "keep-storage flag has been changed to max-storage")
+
 	return cmd
 }

--- a/commands/root.go
+++ b/commands/root.go
@@ -21,6 +21,7 @@ import (
 )

 func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Command {
+	var opt rootOptions
 	cmd := &cobra.Command{
 		Short: "Docker Buildx",
 		Long:  `Extended build capabilities with BuildKit`,
@@ -32,6 +33,10 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 			HiddenDefaultCmd: true,
 		},
 		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			if opt.debug {
+				debug.Enable()
+			}
+
 			cmd.SetContext(appcontext.Context())
 			if !isPlugin {
 				return nil
@@ -47,11 +52,6 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		cmd.TraverseChildren = true
 		cmd.DisableFlagsInUseLine = true
 		cli.DisableFlagsInUseLine(cmd)
-
-		// DEBUG=1 should perform the same as --debug at the docker root level
-		if debug.IsEnabled() {
-			debug.Enable()
-		}
 	}

 	logrus.SetFormatter(&logutil.Formatter{})
@@ -68,16 +68,16 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		cmd.SetHelpTemplate(cmd.HelpTemplate() + "\nExperimental commands and flags are hidden. Set BUILDX_EXPERIMENTAL=1 to show them.\n")
 	}

-	addCommands(cmd, dockerCli)
+	addCommands(cmd, &opt, dockerCli)
 	return cmd
 }

 type rootOptions struct {
 	builder string
+	debug   bool
 }

-func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
-	opts := &rootOptions{}
+func addCommands(cmd *cobra.Command, opts *rootOptions, dockerCli command.Cli) {
 	rootFlags(opts, cmd.PersistentFlags())

 	cmd.AddCommand(
@@ -112,4 +112,5 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {

 func rootFlags(options *rootOptions, flags *pflag.FlagSet) {
 	flags.StringVar(&options.builder, "builder", os.Getenv("BUILDX_BUILDER"), "Override the configured builder instance")
+	flags.BoolVarP(&options.debug, "debug", "D", debug.IsEnabled(), "Enable debug logging")
 }
--- a/controller/build/build.go
+++ b/controller/build/build.go
@@ -3,7 +3,6 @@ package build
 import (
 	"context"
 	"io"
-	"os"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -19,7 +18,6 @@ import (
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/config"
 	dockeropts "github.com/docker/cli/opts"
 	"github.com/docker/docker/api/types/container"
 	"github.com/moby/buildkit/client"
@@ -36,9 +34,9 @@ const defaultTargetName = "default"
 // NOTE: When an error happens during the build and this function acquires the debuggable *build.ResultHandle,
 // this function returns it in addition to the error (i.e. it does "return nil, res, err"). The caller can
 // inspect the result and debug the cause of that error.
-func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.BuildOptions, inStream io.Reader, progress progress.Writer, generateResult bool) (*client.SolveResponse, *build.ResultHandle, error) {
+func RunBuild(ctx context.Context, dockerCli command.Cli, in *controllerapi.BuildOptions, inStream io.Reader, progress progress.Writer, generateResult bool) (*client.SolveResponse, *build.ResultHandle, *build.Inputs, error) {
 	if in.NoCache && len(in.NoCacheFilter) > 0 {
-		return nil, nil, errors.Errorf("--no-cache and --no-cache-filter cannot currently be used together")
+		return nil, nil, nil, errors.Errorf("--no-cache and --no-cache-filter cannot currently be used together")
 	}

 	contexts := map[string]build.NamedContext{}
@@ -50,7 +48,7 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 		Inputs: build.Inputs{
 			ContextPath:    in.ContextPath,
 			DockerfilePath: in.DockerfileName,
-			InStream:       inStream,
+			InStream:       build.NewSyncMultiReader(inStream),
 			NamedContexts:  contexts,
 		},
 		Ref:                    in.Ref,
@@ -72,16 +70,16 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build

 	platforms, err := platformutil.Parse(in.Platforms)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 	opts.Platforms = platforms

-	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+	dockerConfig := dockerCli.ConfigFile()
 	opts.Session = append(opts.Session, authprovider.NewDockerAuthProvider(dockerConfig, nil))

 	secrets, err := controllerapi.CreateSecrets(in.Secrets)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 	opts.Session = append(opts.Session, secrets)

@@ -91,13 +89,13 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 	}
 	ssh, err := controllerapi.CreateSSH(sshSpecs)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 	opts.Session = append(opts.Session, ssh)

 	outputs, err := controllerapi.CreateExports(in.Exports)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 	if in.ExportPush {
 		var pushUsed bool
@@ -136,7 +134,7 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build

 	annotations, err := buildflags.ParseAnnotations(in.Annotations)
 	if err != nil {
-		return nil, nil, errors.Wrap(err, "parse annotations")
+		return nil, nil, nil, errors.Wrap(err, "parse annotations")
 	}

 	for _, o := range outputs {
@@ -156,15 +154,15 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build

 	allow, err := buildflags.ParseEntitlements(in.Allow)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 	opts.Allow = allow

-	if in.PrintFunc != nil {
-		opts.PrintFunc = &build.PrintFunc{
-			Name:         in.PrintFunc.Name,
-			Format:       in.PrintFunc.Format,
-			IgnoreStatus: in.PrintFunc.IgnoreStatus,
+	if in.CallFunc != nil {
+		opts.CallFunc = &build.CallFunc{
+			Name:         in.CallFunc.Name,
+			Format:       in.CallFunc.Format,
+			IgnoreStatus: in.CallFunc.IgnoreStatus,
 		}
 	}

@@ -180,23 +178,28 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 		builder.WithContextPathHash(contextPathHash),
 	)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 	if err = updateLastActivity(dockerCli, b.NodeGroup); err != nil {
-		return nil, nil, errors.Wrapf(err, "failed to update builder last activity time")
+		return nil, nil, nil, errors.Wrapf(err, "failed to update builder last activity time")
 	}
 	nodes, err := b.LoadNodes(ctx)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}

-	resp, res, err := buildTargets(ctx, dockerCli, nodes, map[string]build.Options{defaultTargetName: opts}, progress, generateResult)
+	var inputs *build.Inputs
+	buildOptions := map[string]build.Options{defaultTargetName: opts}
+	resp, res, err := buildTargets(ctx, dockerCli, nodes, buildOptions, progress, generateResult)
 	err = wrapBuildError(err, false)
 	if err != nil {
 		// NOTE: buildTargets can return *build.ResultHandle even on error.
-		return nil, res, err
+		return nil, res, nil, err
 	}
-	return resp, res, nil
+	if i, ok := buildOptions[defaultTargetName]; ok {
+		inputs = &i.Inputs
+	}
+	return resp, res, inputs, nil
 }

 // buildTargets runs the specified build and returns the result.
--- a/controller/control/controller.go
+++ b/controller/control/controller.go
@@ -4,18 +4,19 @@ import (
 	"context"
 	"io"

+	"github.com/docker/buildx/build"
 	controllerapi "github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/util/progress"
 	"github.com/moby/buildkit/client"
 )

 type BuildxController interface {
-	Build(ctx context.Context, options controllerapi.BuildOptions, in io.ReadCloser, progress progress.Writer) (ref string, resp *client.SolveResponse, err error)
+	Build(ctx context.Context, options *controllerapi.BuildOptions, in io.ReadCloser, progress progress.Writer) (ref string, resp *client.SolveResponse, inputs *build.Inputs, err error)
 	// Invoke starts an IO session into the specified process.
 	// If pid doesn't matche to any running processes, it starts a new process with the specified config.
 	// If there is no container running or InvokeConfig.Rollback is speicfied, the process will start in a newly created container.
 	// NOTE: If needed, in the future, we can split this API into three APIs (NewContainer, NewProcess and Attach).
-	Invoke(ctx context.Context, ref, pid string, options controllerapi.InvokeConfig, ioIn io.ReadCloser, ioOut io.WriteCloser, ioErr io.WriteCloser) error
+	Invoke(ctx context.Context, ref, pid string, options *controllerapi.InvokeConfig, ioIn io.ReadCloser, ioOut io.WriteCloser, ioErr io.WriteCloser) error
 	Kill(ctx context.Context) error
 	Close() error
 	List(ctx context.Context) (refs []string, _ error)
--- a/controller/errdefs/build.go
+++ b/controller/errdefs/build.go
@@ -10,7 +10,7 @@ func init() {
 }

 type BuildError struct {
-	Build
+	*Build
 	error
 }

@@ -19,16 +19,16 @@ func (e *BuildError) Unwrap() error {
 }

 func (e *BuildError) ToProto() grpcerrors.TypedErrorProto {
-	return &e.Build
+	return e.Build
 }

 func WrapBuild(err error, ref string) error {
 	if err == nil {
 		return nil
 	}
-	return &BuildError{Build: Build{Ref: ref}, error: err}
+	return &BuildError{Build: &Build{Ref: ref}, error: err}
 }

 func (b *Build) WrapError(err error) error {
-	return &BuildError{error: err, Build: *b}
+	return &BuildError{error: err, Build: b}
 }
--- a/controller/errdefs/errdefs.pb.go
+++ b/controller/errdefs/errdefs.pb.go
@@ -1,77 +1,147 @@
-// Code generated by protoc-gen-gogo. DO NOT EDIT.
-// source: errdefs.proto
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.34.1
+// 	protoc        v3.11.4
+// source: github.com/docker/buildx/controller/errdefs/errdefs.proto

 package errdefs

 import (
-	fmt "fmt"
-	proto "github.com/gogo/protobuf/proto"
-	_ "github.com/moby/buildkit/solver/pb"
-	math "math"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
 )

-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)

 type Build struct {
-	Ref                  string   `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
-	XXX_NoUnkeyedLiteral struct{} `json:"-"`
-	XXX_unrecognized     []byte   `json:"-"`
-	XXX_sizecache        int32    `json:"-"`
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Ref string `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
 }

-func (m *Build) Reset()         { *m = Build{} }
-func (m *Build) String() string { return proto.CompactTextString(m) }
-func (*Build) ProtoMessage()    {}
+func (x *Build) Reset() {
+	*x = Build{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_github_com_docker_buildx_controller_errdefs_errdefs_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Build) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Build) ProtoMessage() {}
+
+func (x *Build) ProtoReflect() protoreflect.Message {
+	mi := &file_github_com_docker_buildx_controller_errdefs_errdefs_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Build.ProtoReflect.Descriptor instead.
 func (*Build) Descriptor() ([]byte, []int) {
-	return fileDescriptor_689dc58a5060aff5, []int{0}
-}
-func (m *Build) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_Build.Unmarshal(m, b)
-}
-func (m *Build) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_Build.Marshal(b, m, deterministic)
-}
-func (m *Build) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Build.Merge(m, src)
-}
-func (m *Build) XXX_Size() int {
-	return xxx_messageInfo_Build.Size(m)
-}
-func (m *Build) XXX_DiscardUnknown() {
-	xxx_messageInfo_Build.DiscardUnknown(m)
+	return file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDescGZIP(), []int{0}
 }

-var xxx_messageInfo_Build proto.InternalMessageInfo
-
-func (m *Build) GetRef() string {
-	if m != nil {
-		return m.Ref
+func (x *Build) GetRef() string {
+	if x != nil {
+		return x.Ref
 	}
 	return ""
 }

-func init() {
-	proto.RegisterType((*Build)(nil), "errdefs.Build")
+var File_github_com_docker_buildx_controller_errdefs_errdefs_proto protoreflect.FileDescriptor
+
+var file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDesc = []byte{
+	0x0a, 0x39, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x64, 0x6f, 0x63,
+	0x6b, 0x65, 0x72, 0x2f, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x78, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72,
+	0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x65, 0x72, 0x72, 0x64, 0x65, 0x66, 0x73, 0x2f, 0x65, 0x72,
+	0x72, 0x64, 0x65, 0x66, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x64, 0x6f, 0x63,
+	0x6b, 0x65, 0x72, 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x78, 0x2e, 0x65, 0x72, 0x72, 0x64, 0x65,
+	0x66, 0x73, 0x22, 0x19, 0x0a, 0x05, 0x42, 0x75, 0x69, 0x6c, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x52,
+	0x65, 0x66, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x52, 0x65, 0x66, 0x42, 0x2d, 0x5a,
+	0x2b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x64, 0x6f, 0x63, 0x6b,
+	0x65, 0x72, 0x2f, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x78, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f,
+	0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x65, 0x72, 0x72, 0x64, 0x65, 0x66, 0x73, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
 }

-func init() { proto.RegisterFile("errdefs.proto", fileDescriptor_689dc58a5060aff5) }
+var (
+	file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDescOnce sync.Once
+	file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDescData = file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDesc
+)

-var fileDescriptor_689dc58a5060aff5 = []byte{
-	// 111 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4d, 0x2d, 0x2a, 0x4a,
-	0x49, 0x4d, 0x2b, 0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x87, 0x72, 0xa5, 0x74, 0xd2,
-	0x33, 0x4b, 0x32, 0x4a, 0x93, 0xf4, 0x92, 0xf3, 0x73, 0xf5, 0x73, 0xf3, 0x93, 0x2a, 0xf5, 0x93,
-	0x4a, 0x33, 0x73, 0x52, 0xb2, 0x33, 0x4b, 0xf4, 0x8b, 0xf3, 0x73, 0xca, 0x52, 0x8b, 0xf4, 0x0b,
-	0x92, 0xf4, 0xf3, 0x0b, 0xa0, 0xda, 0x94, 0x24, 0xb9, 0x58, 0x9d, 0x40, 0xf2, 0x42, 0x02, 0x5c,
-	0xcc, 0x41, 0xa9, 0x69, 0x12, 0x8c, 0x0a, 0x8c, 0x1a, 0x9c, 0x41, 0x20, 0x66, 0x12, 0x1b, 0x58,
-	0x85, 0x31, 0x20, 0x00, 0x00, 0xff, 0xff, 0x56, 0x52, 0x41, 0x91, 0x69, 0x00, 0x00, 0x00,
+func file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDescGZIP() []byte {
+	file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDescOnce.Do(func() {
+		file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDescData = protoimpl.X.CompressGZIP(file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDescData)
+	})
+	return file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDescData
+}
+
+var file_github_com_docker_buildx_controller_errdefs_errdefs_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_github_com_docker_buildx_controller_errdefs_errdefs_proto_goTypes = []interface{}{
+	(*Build)(nil), // 0: docker.buildx.errdefs.Build
+}
+var file_github_com_docker_buildx_controller_errdefs_errdefs_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_github_com_docker_buildx_controller_errdefs_errdefs_proto_init() }
+func file_github_com_docker_buildx_controller_errdefs_errdefs_proto_init() {
+	if File_github_com_docker_buildx_controller_errdefs_errdefs_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_github_com_docker_buildx_controller_errdefs_errdefs_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Build); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_github_com_docker_buildx_controller_errdefs_errdefs_proto_goTypes,
+		DependencyIndexes: file_github_com_docker_buildx_controller_errdefs_errdefs_proto_depIdxs,
+		MessageInfos:      file_github_com_docker_buildx_controller_errdefs_errdefs_proto_msgTypes,
+	}.Build()
+	File_github_com_docker_buildx_controller_errdefs_errdefs_proto = out.File
+	file_github_com_docker_buildx_controller_errdefs_errdefs_proto_rawDesc = nil
+	file_github_com_docker_buildx_controller_errdefs_errdefs_proto_goTypes = nil
+	file_github_com_docker_buildx_controller_errdefs_errdefs_proto_depIdxs = nil
 }
--- a/controller/errdefs/errdefs.proto
+++ b/controller/errdefs/errdefs.proto
@@ -1,9 +1,9 @@
 syntax = "proto3";

-package errdefs;
+package docker.buildx.errdefs;

-import "github.com/moby/buildkit/solver/pb/ops.proto";
+option go_package = "github.com/docker/buildx/controller/errdefs";

 message Build {
  string Ref = 1;
-}
+}
--- a/controller/errdefs/errdefs_vtproto.pb.go
+++ b/controller/errdefs/errdefs_vtproto.pb.go
@@ -0,0 +1,194 @@
+// Code generated by protoc-gen-go-vtproto. DO NOT EDIT.
+// protoc-gen-go-vtproto version: v0.6.1-0.20240319094008-0393e58bdf10
+// source: github.com/docker/buildx/controller/errdefs/errdefs.proto
+
+package errdefs
+
+import (
+	fmt "fmt"
+	protohelpers "github.com/planetscale/vtprotobuf/protohelpers"
+	proto "google.golang.org/protobuf/proto"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	io "io"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+func (m *Build) CloneVT() *Build {
+	if m == nil {
+		return (*Build)(nil)
+	}
+	r := new(Build)
+	r.Ref = m.Ref
+	if len(m.unknownFields) > 0 {
+		r.unknownFields = make([]byte, len(m.unknownFields))
+		copy(r.unknownFields, m.unknownFields)
+	}
+	return r
+}
+
+func (m *Build) CloneMessageVT() proto.Message {
+	return m.CloneVT()
+}
+
+func (this *Build) EqualVT(that *Build) bool {
+	if this == that {
+		return true
+	} else if this == nil || that == nil {
+		return false
+	}
+	if this.Ref != that.Ref {
+		return false
+	}
+	return string(this.unknownFields) == string(that.unknownFields)
+}
+
+func (this *Build) EqualMessageVT(thatMsg proto.Message) bool {
+	that, ok := thatMsg.(*Build)
+	if !ok {
+		return false
+	}
+	return this.EqualVT(that)
+}
+func (m *Build) MarshalVT() (dAtA []byte, err error) {
+	if m == nil {
+		return nil, nil
+	}
+	size := m.SizeVT()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Build) MarshalToVT(dAtA []byte) (int, error) {
+	size := m.SizeVT()
+	return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *Build) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+	if m == nil {
+		return 0, nil
+	}
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.unknownFields != nil {
+		i -= len(m.unknownFields)
+		copy(dAtA[i:], m.unknownFields)
+	}
+	if len(m.Ref) > 0 {
+		i -= len(m.Ref)
+		copy(dAtA[i:], m.Ref)
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.Ref)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
+func (m *Build) SizeVT() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Ref)
+	if l > 0 {
+		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
+	n += len(m.unknownFields)
+	return n
+}
+
+func (m *Build) UnmarshalVT(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return protohelpers.ErrIntOverflow
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Build: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Build: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ref = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := protohelpers.Skip(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
--- a/controller/errdefs/generate.go
+++ b/controller/errdefs/generate.go
@@ -1,3 +0,0 @@
-package errdefs
-
-//go:generate protoc -I=. -I=../../vendor/ --gogo_out=plugins=grpc:. errdefs.proto
--- a/controller/local/controller.go
+++ b/controller/local/controller.go
@@ -42,27 +42,27 @@ type localController struct {
 	buildOnGoing atomic.Bool
 }

-func (b *localController) Build(ctx context.Context, options controllerapi.BuildOptions, in io.ReadCloser, progress progress.Writer) (string, *client.SolveResponse, error) {
+func (b *localController) Build(ctx context.Context, options *controllerapi.BuildOptions, in io.ReadCloser, progress progress.Writer) (string, *client.SolveResponse, *build.Inputs, error) {
 	if !b.buildOnGoing.CompareAndSwap(false, true) {
-		return "", nil, errors.New("build ongoing")
+		return "", nil, nil, errors.New("build ongoing")
 	}
 	defer b.buildOnGoing.Store(false)

-	resp, res, buildErr := cbuild.RunBuild(ctx, b.dockerCli, options, in, progress, true)
+	resp, res, dockerfileMappings, buildErr := cbuild.RunBuild(ctx, b.dockerCli, options, in, progress, true)
 	// NOTE: RunBuild can return *build.ResultHandle even on error.
 	if res != nil {
 		b.buildConfig = buildConfig{
 			resultCtx:    res,
-			buildOptions: &options,
+			buildOptions: options,
 		}
 		if buildErr != nil {
 			buildErr = controllererrors.WrapBuild(buildErr, b.ref)
 		}
 	}
 	if buildErr != nil {
-		return "", nil, buildErr
+		return "", nil, nil, buildErr
 	}
-	return b.ref, resp, nil
+	return b.ref, resp, dockerfileMappings, nil
 }

 func (b *localController) ListProcesses(ctx context.Context, ref string) (infos []*controllerapi.ProcessInfo, retErr error) {
@@ -83,7 +83,7 @@ func (b *localController) cancelRunningProcesses() {
 	b.processes.CancelRunningProcesses()
 }

-func (b *localController) Invoke(ctx context.Context, ref string, pid string, cfg controllerapi.InvokeConfig, ioIn io.ReadCloser, ioOut io.WriteCloser, ioErr io.WriteCloser) error {
+func (b *localController) Invoke(ctx context.Context, ref string, pid string, cfg *controllerapi.InvokeConfig, ioIn io.ReadCloser, ioOut io.WriteCloser, ioErr io.WriteCloser) error {
 	if ref != b.ref {
 		return errors.Errorf("unknown ref %q", ref)
 	}
@@ -95,7 +95,7 @@ func (b *localController) Invoke(ctx context.Context, ref string, pid string, cf
 			return errors.New("no build result is registered")
 		}
 		var err error
-		proc, err = b.processes.StartProcess(pid, b.buildConfig.resultCtx, &cfg)
+		proc, err = b.processes.StartProcess(pid, b.buildConfig.resultCtx, cfg)
 		if err != nil {
 			return err
 		}
--- a/controller/pb/controller.pb.go
+++ b/controller/pb/controller.pb.go
--- a/controller/pb/controller.proto
+++ b/controller/pb/controller.proto
@@ -5,7 +5,7 @@ package buildx.controller.v1;
 import "github.com/moby/buildkit/api/services/control/control.proto";
 import "github.com/moby/buildkit/sourcepolicy/pb/policy.proto";

-option go_package = "pb";
+option go_package = "github.com/docker/buildx/controller/pb";

 service Controller {
  rpc Build(BuildRequest) returns (BuildResponse);
@@ -49,7 +49,7 @@ message BuildRequest {
 message BuildOptions {
  string ContextPath = 1;
  string DockerfileName = 2;
-  PrintFunc PrintFunc = 3;
+  CallFunc CallFunc = 3;
  map<string, string> NamedContexts = 4;

  repeated string Allow = 5;
@@ -111,7 +111,7 @@ message Secret {
  string Env = 3;
 }

-message PrintFunc {
+message CallFunc {
  string Name = 1;
  string Format = 2;
  bool IgnoreStatus = 3;
--- a/controller/pb/controller_grpc.pb.go
+++ b/controller/pb/controller_grpc.pb.go
@@ -0,0 +1,452 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.5.1
+// - protoc             v3.11.4
+// source: github.com/docker/buildx/controller/pb/controller.proto
+
+package pb
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	Controller_Build_FullMethodName             = "/buildx.controller.v1.Controller/Build"
+	Controller_Inspect_FullMethodName           = "/buildx.controller.v1.Controller/Inspect"
+	Controller_Status_FullMethodName            = "/buildx.controller.v1.Controller/Status"
+	Controller_Input_FullMethodName             = "/buildx.controller.v1.Controller/Input"
+	Controller_Invoke_FullMethodName            = "/buildx.controller.v1.Controller/Invoke"
+	Controller_List_FullMethodName              = "/buildx.controller.v1.Controller/List"
+	Controller_Disconnect_FullMethodName        = "/buildx.controller.v1.Controller/Disconnect"
+	Controller_Info_FullMethodName              = "/buildx.controller.v1.Controller/Info"
+	Controller_ListProcesses_FullMethodName     = "/buildx.controller.v1.Controller/ListProcesses"
+	Controller_DisconnectProcess_FullMethodName = "/buildx.controller.v1.Controller/DisconnectProcess"
+)
+
+// ControllerClient is the client API for Controller service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type ControllerClient interface {
+	Build(ctx context.Context, in *BuildRequest, opts ...grpc.CallOption) (*BuildResponse, error)
+	Inspect(ctx context.Context, in *InspectRequest, opts ...grpc.CallOption) (*InspectResponse, error)
+	Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[StatusResponse], error)
+	Input(ctx context.Context, opts ...grpc.CallOption) (grpc.ClientStreamingClient[InputMessage, InputResponse], error)
+	Invoke(ctx context.Context, opts ...grpc.CallOption) (grpc.BidiStreamingClient[Message, Message], error)
+	List(ctx context.Context, in *ListRequest, opts ...grpc.CallOption) (*ListResponse, error)
+	Disconnect(ctx context.Context, in *DisconnectRequest, opts ...grpc.CallOption) (*DisconnectResponse, error)
+	Info(ctx context.Context, in *InfoRequest, opts ...grpc.CallOption) (*InfoResponse, error)
+	ListProcesses(ctx context.Context, in *ListProcessesRequest, opts ...grpc.CallOption) (*ListProcessesResponse, error)
+	DisconnectProcess(ctx context.Context, in *DisconnectProcessRequest, opts ...grpc.CallOption) (*DisconnectProcessResponse, error)
+}
+
+type controllerClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewControllerClient(cc grpc.ClientConnInterface) ControllerClient {
+	return &controllerClient{cc}
+}
+
+func (c *controllerClient) Build(ctx context.Context, in *BuildRequest, opts ...grpc.CallOption) (*BuildResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(BuildResponse)
+	err := c.cc.Invoke(ctx, Controller_Build_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controllerClient) Inspect(ctx context.Context, in *InspectRequest, opts ...grpc.CallOption) (*InspectResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(InspectResponse)
+	err := c.cc.Invoke(ctx, Controller_Inspect_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controllerClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (grpc.ServerStreamingClient[StatusResponse], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &Controller_ServiceDesc.Streams[0], Controller_Status_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[StatusRequest, StatusResponse]{ClientStream: stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Controller_StatusClient = grpc.ServerStreamingClient[StatusResponse]
+
+func (c *controllerClient) Input(ctx context.Context, opts ...grpc.CallOption) (grpc.ClientStreamingClient[InputMessage, InputResponse], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &Controller_ServiceDesc.Streams[1], Controller_Input_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[InputMessage, InputResponse]{ClientStream: stream}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Controller_InputClient = grpc.ClientStreamingClient[InputMessage, InputResponse]
+
+func (c *controllerClient) Invoke(ctx context.Context, opts ...grpc.CallOption) (grpc.BidiStreamingClient[Message, Message], error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	stream, err := c.cc.NewStream(ctx, &Controller_ServiceDesc.Streams[2], Controller_Invoke_FullMethodName, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &grpc.GenericClientStream[Message, Message]{ClientStream: stream}
+	return x, nil
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Controller_InvokeClient = grpc.BidiStreamingClient[Message, Message]
+
+func (c *controllerClient) List(ctx context.Context, in *ListRequest, opts ...grpc.CallOption) (*ListResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ListResponse)
+	err := c.cc.Invoke(ctx, Controller_List_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controllerClient) Disconnect(ctx context.Context, in *DisconnectRequest, opts ...grpc.CallOption) (*DisconnectResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(DisconnectResponse)
+	err := c.cc.Invoke(ctx, Controller_Disconnect_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controllerClient) Info(ctx context.Context, in *InfoRequest, opts ...grpc.CallOption) (*InfoResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(InfoResponse)
+	err := c.cc.Invoke(ctx, Controller_Info_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controllerClient) ListProcesses(ctx context.Context, in *ListProcessesRequest, opts ...grpc.CallOption) (*ListProcessesResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ListProcessesResponse)
+	err := c.cc.Invoke(ctx, Controller_ListProcesses_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controllerClient) DisconnectProcess(ctx context.Context, in *DisconnectProcessRequest, opts ...grpc.CallOption) (*DisconnectProcessResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(DisconnectProcessResponse)
+	err := c.cc.Invoke(ctx, Controller_DisconnectProcess_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// ControllerServer is the server API for Controller service.
+// All implementations should embed UnimplementedControllerServer
+// for forward compatibility.
+type ControllerServer interface {
+	Build(context.Context, *BuildRequest) (*BuildResponse, error)
+	Inspect(context.Context, *InspectRequest) (*InspectResponse, error)
+	Status(*StatusRequest, grpc.ServerStreamingServer[StatusResponse]) error
+	Input(grpc.ClientStreamingServer[InputMessage, InputResponse]) error
+	Invoke(grpc.BidiStreamingServer[Message, Message]) error
+	List(context.Context, *ListRequest) (*ListResponse, error)
+	Disconnect(context.Context, *DisconnectRequest) (*DisconnectResponse, error)
+	Info(context.Context, *InfoRequest) (*InfoResponse, error)
+	ListProcesses(context.Context, *ListProcessesRequest) (*ListProcessesResponse, error)
+	DisconnectProcess(context.Context, *DisconnectProcessRequest) (*DisconnectProcessResponse, error)
+}
+
+// UnimplementedControllerServer should be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedControllerServer struct{}
+
+func (UnimplementedControllerServer) Build(context.Context, *BuildRequest) (*BuildResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Build not implemented")
+}
+func (UnimplementedControllerServer) Inspect(context.Context, *InspectRequest) (*InspectResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Inspect not implemented")
+}
+func (UnimplementedControllerServer) Status(*StatusRequest, grpc.ServerStreamingServer[StatusResponse]) error {
+	return status.Errorf(codes.Unimplemented, "method Status not implemented")
+}
+func (UnimplementedControllerServer) Input(grpc.ClientStreamingServer[InputMessage, InputResponse]) error {
+	return status.Errorf(codes.Unimplemented, "method Input not implemented")
+}
+func (UnimplementedControllerServer) Invoke(grpc.BidiStreamingServer[Message, Message]) error {
+	return status.Errorf(codes.Unimplemented, "method Invoke not implemented")
+}
+func (UnimplementedControllerServer) List(context.Context, *ListRequest) (*ListResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method List not implemented")
+}
+func (UnimplementedControllerServer) Disconnect(context.Context, *DisconnectRequest) (*DisconnectResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Disconnect not implemented")
+}
+func (UnimplementedControllerServer) Info(context.Context, *InfoRequest) (*InfoResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Info not implemented")
+}
+func (UnimplementedControllerServer) ListProcesses(context.Context, *ListProcessesRequest) (*ListProcessesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListProcesses not implemented")
+}
+func (UnimplementedControllerServer) DisconnectProcess(context.Context, *DisconnectProcessRequest) (*DisconnectProcessResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DisconnectProcess not implemented")
+}
+func (UnimplementedControllerServer) testEmbeddedByValue() {}
+
+// UnsafeControllerServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to ControllerServer will
+// result in compilation errors.
+type UnsafeControllerServer interface {
+	mustEmbedUnimplementedControllerServer()
+}
+
+func RegisterControllerServer(s grpc.ServiceRegistrar, srv ControllerServer) {
+	// If the following call pancis, it indicates UnimplementedControllerServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&Controller_ServiceDesc, srv)
+}
+
+func _Controller_Build_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(BuildRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControllerServer).Build(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Controller_Build_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControllerServer).Build(ctx, req.(*BuildRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Controller_Inspect_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(InspectRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControllerServer).Inspect(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Controller_Inspect_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControllerServer).Inspect(ctx, req.(*InspectRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Controller_Status_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(StatusRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(ControllerServer).Status(m, &grpc.GenericServerStream[StatusRequest, StatusResponse]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Controller_StatusServer = grpc.ServerStreamingServer[StatusResponse]
+
+func _Controller_Input_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(ControllerServer).Input(&grpc.GenericServerStream[InputMessage, InputResponse]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Controller_InputServer = grpc.ClientStreamingServer[InputMessage, InputResponse]
+
+func _Controller_Invoke_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(ControllerServer).Invoke(&grpc.GenericServerStream[Message, Message]{ServerStream: stream})
+}
+
+// This type alias is provided for backwards compatibility with existing code that references the prior non-generic stream type by name.
+type Controller_InvokeServer = grpc.BidiStreamingServer[Message, Message]
+
+func _Controller_List_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControllerServer).List(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Controller_List_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControllerServer).List(ctx, req.(*ListRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Controller_Disconnect_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DisconnectRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControllerServer).Disconnect(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Controller_Disconnect_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControllerServer).Disconnect(ctx, req.(*DisconnectRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Controller_Info_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(InfoRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControllerServer).Info(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Controller_Info_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControllerServer).Info(ctx, req.(*InfoRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Controller_ListProcesses_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListProcessesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControllerServer).ListProcesses(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Controller_ListProcesses_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControllerServer).ListProcesses(ctx, req.(*ListProcessesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Controller_DisconnectProcess_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DisconnectProcessRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControllerServer).DisconnectProcess(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: Controller_DisconnectProcess_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControllerServer).DisconnectProcess(ctx, req.(*DisconnectProcessRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// Controller_ServiceDesc is the grpc.ServiceDesc for Controller service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var Controller_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "buildx.controller.v1.Controller",
+	HandlerType: (*ControllerServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Build",
+			Handler:    _Controller_Build_Handler,
+		},
+		{
+			MethodName: "Inspect",
+			Handler:    _Controller_Inspect_Handler,
+		},
+		{
+			MethodName: "List",
+			Handler:    _Controller_List_Handler,
+		},
+		{
+			MethodName: "Disconnect",
+			Handler:    _Controller_Disconnect_Handler,
+		},
+		{
+			MethodName: "Info",
+			Handler:    _Controller_Info_Handler,
+		},
+		{
+			MethodName: "ListProcesses",
+			Handler:    _Controller_ListProcesses_Handler,
+		},
+		{
+			MethodName: "DisconnectProcess",
+			Handler:    _Controller_DisconnectProcess_Handler,
+		},
+	},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "Status",
+			Handler:       _Controller_Status_Handler,
+			ServerStreams: true,
+		},
+		{
+			StreamName:    "Input",
+			Handler:       _Controller_Input_Handler,
+			ClientStreams: true,
+		},
+		{
+			StreamName:    "Invoke",
+			Handler:       _Controller_Invoke_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "github.com/docker/buildx/controller/pb/controller.proto",
+}
--- a/controller/pb/controller_vtproto.pb.go
+++ b/controller/pb/controller_vtproto.pb.go
--- a/controller/pb/generate.go
+++ b/controller/pb/generate.go
@@ -1,3 +0,0 @@
-package pb
-
-//go:generate protoc -I=. -I=../../vendor/ --gogo_out=plugins=grpc:. controller.proto
--- a/controller/pb/path_test.go
+++ b/controller/pb/path_test.go
@@ -3,10 +3,10 @@ package pb
 import (
 	"os"
 	"path/filepath"
-	"reflect"
 	"testing"

 	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
 )

 func TestResolvePaths(t *testing.T) {
@@ -16,54 +16,58 @@ func TestResolvePaths(t *testing.T) {
 	require.NoError(t, os.Chdir(tmpwd))
 	tests := []struct {
 		name    string
-		options BuildOptions
-		want    BuildOptions
+		options *BuildOptions
+		want    *BuildOptions
 	}{
 		{
 			name:    "contextpath",
-			options: BuildOptions{ContextPath: "test"},
-			want:    BuildOptions{ContextPath: filepath.Join(tmpwd, "test")},
+			options: &BuildOptions{ContextPath: "test"},
+			want:    &BuildOptions{ContextPath: filepath.Join(tmpwd, "test")},
 		},
 		{
 			name:    "contextpath-cwd",
-			options: BuildOptions{ContextPath: "."},
-			want:    BuildOptions{ContextPath: tmpwd},
+			options: &BuildOptions{ContextPath: "."},
+			want:    &BuildOptions{ContextPath: tmpwd},
 		},
 		{
 			name:    "contextpath-dash",
-			options: BuildOptions{ContextPath: "-"},
-			want:    BuildOptions{ContextPath: "-"},
+			options: &BuildOptions{ContextPath: "-"},
+			want:    &BuildOptions{ContextPath: "-"},
 		},
 		{
 			name:    "contextpath-ssh",
-			options: BuildOptions{ContextPath: "git@github.com:docker/buildx.git"},
-			want:    BuildOptions{ContextPath: "git@github.com:docker/buildx.git"},
+			options: &BuildOptions{ContextPath: "git@github.com:docker/buildx.git"},
+			want:    &BuildOptions{ContextPath: "git@github.com:docker/buildx.git"},
 		},
 		{
 			name:    "dockerfilename",
-			options: BuildOptions{DockerfileName: "test", ContextPath: "."},
-			want:    BuildOptions{DockerfileName: filepath.Join(tmpwd, "test"), ContextPath: tmpwd},
+			options: &BuildOptions{DockerfileName: "test", ContextPath: "."},
+			want:    &BuildOptions{DockerfileName: filepath.Join(tmpwd, "test"), ContextPath: tmpwd},
 		},
 		{
 			name:    "dockerfilename-dash",
-			options: BuildOptions{DockerfileName: "-", ContextPath: "."},
-			want:    BuildOptions{DockerfileName: "-", ContextPath: tmpwd},
+			options: &BuildOptions{DockerfileName: "-", ContextPath: "."},
+			want:    &BuildOptions{DockerfileName: "-", ContextPath: tmpwd},
 		},
 		{
 			name:    "dockerfilename-remote",
-			options: BuildOptions{DockerfileName: "test", ContextPath: "git@github.com:docker/buildx.git"},
-			want:    BuildOptions{DockerfileName: "test", ContextPath: "git@github.com:docker/buildx.git"},
+			options: &BuildOptions{DockerfileName: "test", ContextPath: "git@github.com:docker/buildx.git"},
+			want:    &BuildOptions{DockerfileName: "test", ContextPath: "git@github.com:docker/buildx.git"},
 		},
 		{
 			name: "contexts",
-			options: BuildOptions{NamedContexts: map[string]string{"a": "test1", "b": "test2",
-				"alpine": "docker-image://alpine@sha256:0123456789", "project": "https://github.com/myuser/project.git"}},
-			want: BuildOptions{NamedContexts: map[string]string{"a": filepath.Join(tmpwd, "test1"), "b": filepath.Join(tmpwd, "test2"),
-				"alpine": "docker-image://alpine@sha256:0123456789", "project": "https://github.com/myuser/project.git"}},
+			options: &BuildOptions{NamedContexts: map[string]string{
+				"a": "test1", "b": "test2",
+				"alpine": "docker-image://alpine@sha256:0123456789", "project": "https://github.com/myuser/project.git",
+			}},
+			want: &BuildOptions{NamedContexts: map[string]string{
+				"a": filepath.Join(tmpwd, "test1"), "b": filepath.Join(tmpwd, "test2"),
+				"alpine": "docker-image://alpine@sha256:0123456789", "project": "https://github.com/myuser/project.git",
+			}},
 		},
 		{
 			name: "cache-from",
-			options: BuildOptions{
+			options: &BuildOptions{
 				CacheFrom: []*CacheOptionsEntry{
 					{
 						Type:  "local",
@@ -75,7 +79,7 @@ func TestResolvePaths(t *testing.T) {
 					},
 				},
 			},
-			want: BuildOptions{
+			want: &BuildOptions{
 				CacheFrom: []*CacheOptionsEntry{
 					{
 						Type:  "local",
@@ -90,7 +94,7 @@ func TestResolvePaths(t *testing.T) {
 		},
 		{
 			name: "cache-to",
-			options: BuildOptions{
+			options: &BuildOptions{
 				CacheTo: []*CacheOptionsEntry{
 					{
 						Type:  "local",
@@ -102,7 +106,7 @@ func TestResolvePaths(t *testing.T) {
 					},
 				},
 			},
-			want: BuildOptions{
+			want: &BuildOptions{
 				CacheTo: []*CacheOptionsEntry{
 					{
 						Type:  "local",
@@ -117,7 +121,7 @@ func TestResolvePaths(t *testing.T) {
 		},
 		{
 			name: "exports",
-			options: BuildOptions{
+			options: &BuildOptions{
 				Exports: []*ExportEntry{
 					{
 						Type:        "local",
@@ -145,7 +149,7 @@ func TestResolvePaths(t *testing.T) {
 					},
 				},
 			},
-			want: BuildOptions{
+			want: &BuildOptions{
 				Exports: []*ExportEntry{
 					{
 						Type:        "local",
@@ -176,7 +180,7 @@ func TestResolvePaths(t *testing.T) {
 		},
 		{
 			name: "secrets",
-			options: BuildOptions{
+			options: &BuildOptions{
 				Secrets: []*Secret{
 					{
 						FilePath: "test1",
@@ -191,7 +195,7 @@ func TestResolvePaths(t *testing.T) {
 					},
 				},
 			},
-			want: BuildOptions{
+			want: &BuildOptions{
 				Secrets: []*Secret{
 					{
 						FilePath: filepath.Join(tmpwd, "test1"),
@@ -209,7 +213,7 @@ func TestResolvePaths(t *testing.T) {
 		},
 		{
 			name: "ssh",
-			options: BuildOptions{
+			options: &BuildOptions{
 				SSH: []*SSH{
 					{
 						ID:    "default",
@@ -221,7 +225,7 @@ func TestResolvePaths(t *testing.T) {
 					},
 				},
 			},
-			want: BuildOptions{
+			want: &BuildOptions{
 				SSH: []*SSH{
 					{
 						ID:    "default",
@@ -238,10 +242,10 @@ func TestResolvePaths(t *testing.T) {
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := ResolveOptionPaths(&tt.options)
+			got, err := ResolveOptionPaths(tt.options)
 			require.NoError(t, err)
-			if !reflect.DeepEqual(tt.want, *got) {
-				t.Fatalf("expected %#v, got %#v", tt.want, *got)
+			if !proto.Equal(tt.want, got) {
+				t.Fatalf("expected %#v, got %#v", tt.want, got)
 			}
 		})
 	}
--- a/controller/pb/progress.go
+++ b/controller/pb/progress.go
@@ -1,10 +1,13 @@
 package pb

 import (
+	"time"
+
 	"github.com/docker/buildx/util/progress"
 	control "github.com/moby/buildkit/api/services/control"
 	"github.com/moby/buildkit/client"
 	"github.com/opencontainers/go-digest"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )

 type writer struct {
@@ -33,11 +36,11 @@ func ToControlStatus(s *client.SolveStatus) *StatusResponse {
 	resp := StatusResponse{}
 	for _, v := range s.Vertexes {
 		resp.Vertexes = append(resp.Vertexes, &control.Vertex{
-			Digest:        v.Digest,
-			Inputs:        v.Inputs,
+			Digest:        string(v.Digest),
+			Inputs:        digestSliceToPB(v.Inputs),
 			Name:          v.Name,
-			Started:       v.Started,
-			Completed:     v.Completed,
+			Started:       timestampToPB(v.Started),
+			Completed:     timestampToPB(v.Completed),
 			Error:         v.Error,
 			Cached:        v.Cached,
 			ProgressGroup: v.ProgressGroup,
@@ -46,26 +49,26 @@ func ToControlStatus(s *client.SolveStatus) *StatusResponse {
 	for _, v := range s.Statuses {
 		resp.Statuses = append(resp.Statuses, &control.VertexStatus{
 			ID:        v.ID,
-			Vertex:    v.Vertex,
+			Vertex:    string(v.Vertex),
 			Name:      v.Name,
 			Total:     v.Total,
 			Current:   v.Current,
-			Timestamp: v.Timestamp,
-			Started:   v.Started,
-			Completed: v.Completed,
+			Timestamp: timestamppb.New(v.Timestamp),
+			Started:   timestampToPB(v.Started),
+			Completed: timestampToPB(v.Completed),
 		})
 	}
 	for _, v := range s.Logs {
 		resp.Logs = append(resp.Logs, &control.VertexLog{
-			Vertex:    v.Vertex,
+			Vertex:    string(v.Vertex),
 			Stream:    int64(v.Stream),
 			Msg:       v.Data,
-			Timestamp: v.Timestamp,
+			Timestamp: timestamppb.New(v.Timestamp),
 		})
 	}
 	for _, v := range s.Warnings {
 		resp.Warnings = append(resp.Warnings, &control.VertexWarning{
-			Vertex: v.Vertex,
+			Vertex: string(v.Vertex),
 			Level:  int64(v.Level),
 			Short:  v.Short,
 			Detail: v.Detail,
@@ -81,11 +84,11 @@ func FromControlStatus(resp *StatusResponse) *client.SolveStatus {
 	s := client.SolveStatus{}
 	for _, v := range resp.Vertexes {
 		s.Vertexes = append(s.Vertexes, &client.Vertex{
-			Digest:        v.Digest,
-			Inputs:        v.Inputs,
+			Digest:        digest.Digest(v.Digest),
+			Inputs:        digestSliceFromPB(v.Inputs),
 			Name:          v.Name,
-			Started:       v.Started,
-			Completed:     v.Completed,
+			Started:       timestampFromPB(v.Started),
+			Completed:     timestampFromPB(v.Completed),
 			Error:         v.Error,
 			Cached:        v.Cached,
 			ProgressGroup: v.ProgressGroup,
@@ -94,26 +97,26 @@ func FromControlStatus(resp *StatusResponse) *client.SolveStatus {
 	for _, v := range resp.Statuses {
 		s.Statuses = append(s.Statuses, &client.VertexStatus{
 			ID:        v.ID,
-			Vertex:    v.Vertex,
+			Vertex:    digest.Digest(v.Vertex),
 			Name:      v.Name,
 			Total:     v.Total,
 			Current:   v.Current,
-			Timestamp: v.Timestamp,
-			Started:   v.Started,
-			Completed: v.Completed,
+			Timestamp: v.Timestamp.AsTime(),
+			Started:   timestampFromPB(v.Started),
+			Completed: timestampFromPB(v.Completed),
 		})
 	}
 	for _, v := range resp.Logs {
 		s.Logs = append(s.Logs, &client.VertexLog{
-			Vertex:    v.Vertex,
+			Vertex:    digest.Digest(v.Vertex),
 			Stream:    int(v.Stream),
 			Data:      v.Msg,
-			Timestamp: v.Timestamp,
+			Timestamp: v.Timestamp.AsTime(),
 		})
 	}
 	for _, v := range resp.Warnings {
 		s.Warnings = append(s.Warnings, &client.VertexWarning{
-			Vertex:     v.Vertex,
+			Vertex:     digest.Digest(v.Vertex),
 			Level:      int(v.Level),
 			Short:      v.Short,
 			Detail:     v.Detail,
@@ -124,3 +127,38 @@ func FromControlStatus(resp *StatusResponse) *client.SolveStatus {
 	}
 	return &s
 }
+
+func timestampFromPB(ts *timestamppb.Timestamp) *time.Time {
+	if ts == nil {
+		return nil
+	}
+
+	t := ts.AsTime()
+	if t.IsZero() {
+		return nil
+	}
+	return &t
+}
+
+func timestampToPB(ts *time.Time) *timestamppb.Timestamp {
+	if ts == nil {
+		return nil
+	}
+	return timestamppb.New(*ts)
+}
+
+func digestSliceFromPB(elems []string) []digest.Digest {
+	clone := make([]digest.Digest, len(elems))
+	for i, e := range elems {
+		clone[i] = digest.Digest(e)
+	}
+	return clone
+}
+
+func digestSliceToPB(elems []digest.Digest) []string {
+	clone := make([]string, len(elems))
+	for i, e := range elems {
+		clone[i] = string(e)
+	}
+	return clone
+}
--- a/controller/remote/client.go
+++ b/controller/remote/client.go
@@ -8,6 +8,7 @@ import (

 	"github.com/containerd/containerd/defaults"
 	"github.com/containerd/containerd/pkg/dialer"
+	"github.com/docker/buildx/build"
 	"github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/util/progress"
 	"github.com/moby/buildkit/client"
@@ -27,6 +28,7 @@ func NewClient(ctx context.Context, addr string) (*Client, error) {
 		Backoff: backoffConfig,
 	}
 	gopts := []grpc.DialOption{
+		//nolint:staticcheck // ignore SA1019: WithBlock is deprecated and does not work with NewClient.
 		grpc.WithBlock(),
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 		grpc.WithConnectParams(connParams),
@@ -36,6 +38,7 @@ func NewClient(ctx context.Context, addr string) (*Client, error) {
 		grpc.WithUnaryInterceptor(grpcerrors.UnaryClientInterceptor),
 		grpc.WithStreamInterceptor(grpcerrors.StreamClientInterceptor),
 	}
+	//nolint:staticcheck // ignore SA1019: Recommended NewClient has different behavior from DialContext.
 	conn, err := grpc.DialContext(ctx, dialer.DialAddress(addr), gopts...)
 	if err != nil {
 		return nil, err
@@ -93,7 +96,7 @@ func (c *Client) DisconnectProcess(ctx context.Context, ref, pid string) error {
 	return err
 }

-func (c *Client) Invoke(ctx context.Context, ref string, pid string, invokeConfig pb.InvokeConfig, in io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) error {
+func (c *Client) Invoke(ctx context.Context, ref string, pid string, invokeConfig *pb.InvokeConfig, in io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) error {
 	if ref == "" || pid == "" {
 		return errors.New("build reference must be specified")
 	}
@@ -101,7 +104,7 @@ func (c *Client) Invoke(ctx context.Context, ref string, pid string, invokeConfi
 	if err != nil {
 		return err
 	}
-	return attachIO(ctx, stream, &pb.InitMessage{Ref: ref, ProcessID: pid, InvokeConfig: &invokeConfig}, ioAttachConfig{
+	return attachIO(ctx, stream, &pb.InitMessage{Ref: ref, ProcessID: pid, InvokeConfig: invokeConfig}, ioAttachConfig{
 		stdin:  in,
 		stdout: stdout,
 		stderr: stderr,
@@ -113,7 +116,7 @@ func (c *Client) Inspect(ctx context.Context, ref string) (*pb.InspectResponse,
 	return c.client().Inspect(ctx, &pb.InspectRequest{Ref: ref})
 }

-func (c *Client) Build(ctx context.Context, options pb.BuildOptions, in io.ReadCloser, progress progress.Writer) (string, *client.SolveResponse, error) {
+func (c *Client) Build(ctx context.Context, options *pb.BuildOptions, in io.ReadCloser, progress progress.Writer) (string, *client.SolveResponse, *build.Inputs, error) {
 	ref := identity.NewID()
 	statusChan := make(chan *client.SolveStatus)
 	eg, egCtx := errgroup.WithContext(ctx)
@@ -131,10 +134,10 @@ func (c *Client) Build(ctx context.Context, options pb.BuildOptions, in io.ReadC
 		}
 		return nil
 	})
-	return ref, resp, eg.Wait()
+	return ref, resp, nil, eg.Wait()
 }

-func (c *Client) build(ctx context.Context, ref string, options pb.BuildOptions, in io.ReadCloser, statusChan chan *client.SolveStatus) (*client.SolveResponse, error) {
+func (c *Client) build(ctx context.Context, ref string, options *pb.BuildOptions, in io.ReadCloser, statusChan chan *client.SolveStatus) (*client.SolveResponse, error) {
 	eg, egCtx := errgroup.WithContext(ctx)
 	done := make(chan struct{})

@@ -144,7 +147,7 @@ func (c *Client) build(ctx context.Context, ref string, options pb.BuildOptions,
 		defer close(done)
 		pbResp, err := c.client().Build(egCtx, &pb.BuildRequest{
 			Ref:     ref,
-			Options: &options,
+			Options: options,
 		})
 		if err != nil {
 			return err
--- a/controller/remote/controller.go
+++ b/controller/remote/controller.go
@@ -148,8 +148,8 @@ func serveCmd(dockerCli command.Cli) *cobra.Command {
 			}()

 			// prepare server
-			b := NewServer(func(ctx context.Context, options *controllerapi.BuildOptions, stdin io.Reader, progress progress.Writer) (*client.SolveResponse, *build.ResultHandle, error) {
-				return cbuild.RunBuild(ctx, dockerCli, *options, stdin, progress, true)
+			b := NewServer(func(ctx context.Context, options *controllerapi.BuildOptions, stdin io.Reader, progress progress.Writer) (*client.SolveResponse, *build.ResultHandle, *build.Inputs, error) {
+				return cbuild.RunBuild(ctx, dockerCli, options, stdin, progress, true)
 			})
 			defer b.Close()

--- a/controller/remote/io.go
+++ b/controller/remote/io.go
@@ -207,6 +207,7 @@ func attachIO(ctx context.Context, stream msgStream, initMessage *pb.InitMessage

 	if cfg.signal != nil {
 		eg.Go(func() error {
+			names := signalNames()
 			for {
 				var sig syscall.Signal
 				select {
@@ -216,7 +217,7 @@ func attachIO(ctx context.Context, stream msgStream, initMessage *pb.InitMessage
 				case <-ctx.Done():
 					return nil
 				}
-				name := sigToName[sig]
+				name := names[sig]
 				if name == "" {
 					continue
 				}
@@ -380,12 +381,12 @@ func copyToStream(fd uint32, snd msgStream, r io.Reader) error {
 	})
 }

-var sigToName = map[syscall.Signal]string{}
-
-func init() {
+func signalNames() map[syscall.Signal]string {
+	m := make(map[syscall.Signal]string, len(signal.SignalMap))
 	for name, value := range signal.SignalMap {
-		sigToName[value] = name
+		m[value] = name
 	}
+	return m
 }

 type debugStream struct {
--- a/controller/remote/server.go
+++ b/controller/remote/server.go
@@ -19,7 +19,7 @@ import (
 	"golang.org/x/sync/errgroup"
 )

-type BuildFunc func(ctx context.Context, options *pb.BuildOptions, stdin io.Reader, progress progress.Writer) (resp *client.SolveResponse, res *build.ResultHandle, err error)
+type BuildFunc func(ctx context.Context, options *pb.BuildOptions, stdin io.Reader, progress progress.Writer) (resp *client.SolveResponse, res *build.ResultHandle, inp *build.Inputs, err error)

 func NewServer(buildFunc BuildFunc) *Server {
 	return &Server{
@@ -200,7 +200,7 @@ func (m *Server) Build(ctx context.Context, req *pb.BuildRequest) (*pb.BuildResp
 	// Build the specified request
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
-	resp, res, buildErr := m.buildFunc(ctx, req.Options, inR, pw)
+	resp, res, _, buildErr := m.buildFunc(ctx, req.Options, inR, pw)
 	m.sessionMu.Lock()
 	if s, ok := m.session[ref]; ok {
 		// NOTE: buildFunc can return *build.ResultHandle even on error (e.g. when it's implemented using (github.com/docker/buildx/controller/build).RunBuild).
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -31,7 +31,7 @@ group "default" {
 }

 group "validate" {
-  targets = ["lint", "lint-gopls", "validate-vendor", "validate-docs"]
+  targets = ["lint", "lint-gopls", "validate-golangci", "validate-vendor", "validate-docs"]
 }

 target "lint" {
@@ -51,6 +51,14 @@ target "lint" {
  ] : []
 }

+target "validate-golangci" {
+  description = "Validate .golangci.yml schema (does not run Go linter)"
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  target = "validate-golangci"
+  output = ["type=cacheonly"]
+}
+
 target "lint-gopls" {
  inherits = ["lint"]
  target = "gopls-analyze"
@@ -209,3 +217,18 @@ target "integration-test" {
  inherits = ["integration-test-base"]
  target = "integration-test"
 }
+
+variable "GOVULNCHECK_FORMAT" {
+  default = null
+}
+
+target "govulncheck" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/govulncheck.Dockerfile"
+  target = "output"
+  args = {
+    FORMAT = GOVULNCHECK_FORMAT
+  }
+  no-cache-filter = ["run"]
+  output = ["${DESTDIR}"]
+}
--- a/docs/bake-reference.md
+++ b/docs/bake-reference.md
@@ -443,8 +443,7 @@ COPY --from=src . .

 #### Use another target as base

-> **Note**
->
+> [!NOTE]
 > You should prefer to use regular multi-stage builds over this option. You can
 > Use this feature when you have multiple Dockerfiles that can't be easily
 > merged into one.
@@ -506,6 +505,25 @@ $ docker buildx bake --print -f - <<< 'target "default" {}'
 }
 ```

+### `target.entitlements`
+
+Entitlements are permissions that the build process requires to run.
+
+Currently supported entitlements are:
+
+- `network.host`: Allows the build to use commands that access the host network. In Dockerfile, use [`RUN --network=host`](https://docs.docker.com/reference/dockerfile/#run---networkhost) to run a command with host network enabled.
+
+- `security.insecure`: Allows the build to run commands in privileged containers that are not limited by the default security sandbox. Such container may potentially access and modify system resources. In Dockerfile, use [`RUN --security=insecure`](https://docs.docker.com/reference/dockerfile/#run---security) to run a command in a privileged container.
+
+```hcl
+target "integration-tests" {
+  # this target requires privileged containers to run nested containers
+  entitlements = ["security.insecure"]
+}
+```
+
+Entitlements are enabled with a two-step process. First, a target must declare the entitlements it requires. Secondly, when invoking the `bake` command, the user must grant the entitlements by passing the `--allow` flag or confirming the entitlements when prompted in an interactive terminal. This is to ensure that the user is aware of the possibly insecure permissions they are granting to the build process.
+
 ### `target.inherits`

 A target can inherit attributes from other targets.
@@ -750,6 +768,27 @@ target "app" {
 }
 ```

+### `target.network`
+
+Specify the network mode for the whole build request. This will override the default network mode
+for all the `RUN` instructions in the Dockerfile. Accepted values are `default`, `host`, and `none`.
+
+Usually, a better approach to set the network mode for your build steps is to instead use `RUN --network=<value>`
+in your Dockerfile. This way, you can set the network mode for individual build steps and everyone building
+the Dockerfile gets consistent behavior without needing to pass additional flags to the build command.
+
+If you set network mode to `host` in your Bake file, you must also grant `network.host` entitlement when
+invoking the `bake` command. This is because `host` network mode requires elevated privileges and can be a security risk.
+You can pass `--allow=network.host` to the `docker buildx bake` command to grant the entitlement, or you can
+confirm the entitlement when prompted if you are using an interactive terminal.
+
+```hcl
+target "app" {
+  # make sure this build does not access internet
+  network = "none"
+}
+```
+
 ### `target.no-cache-filter`

 Don't use build cache for the specified stages.
@@ -832,8 +871,8 @@ This lets you [mount the secret][run_mount_secret] in your Dockerfile.
 ```dockerfile
 RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
    aws cloudfront create-invalidation ...
-RUN --mount=type=secret,id=KUBECONFIG \
-    KUBECONFIG=$(cat /run/secrets/KUBECONFIG) helm upgrade --install
+RUN --mount=type=secret,id=KUBECONFIG,env=KUBECONFIG \
+    helm upgrade --install
 ```

 ### `target.shm-size`
@@ -853,8 +892,7 @@ target "default" {
 }
 ```

-> **Note**
->
+> [!NOTE]
 > In most cases, it is recommended to let the builder automatically determine
 > the appropriate configurations. Manual adjustments should only be considered
 > when specific performance tuning is required for complex build scenarios.
@@ -919,14 +957,12 @@ target "app" {
 }
 ```

-> **Note**
->
+> [!NOTE]
 > If you do not provide a `hard limit`, the `soft limit` is used
 > for both values. If no `ulimits` are set, they are inherited from
 > the default `ulimits` set on the daemon.

-> **Note**
->
+> [!NOTE]
 > In most cases, it is recommended to let the builder automatically determine
 > the appropriate configurations. Manual adjustments should only be considered
 > when specific performance tuning is required for complex build scenarios.
@@ -1114,8 +1150,7 @@ target "webapp-dev" {
 }
 ```

-> **Note**
->
+> [!NOTE]
 > See [User defined HCL functions][hcl-funcs] page for more details.

 <!-- external links -->
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -4,8 +4,7 @@ To assist with creating and debugging complex builds, Buildx provides a
 debugger to help you step through the build process and easily inspect the
 state of the build environment at any point.

-> **Note**
->
+> [!NOTE]
 > The debug monitor is a new experimental feature in recent versions of Buildx.
 > There are rough edges, known bugs, and missing features. Please try it out
 > and let us know what you think!
--- a/docs/reference/buildx.md
+++ b/docs/reference/buildx.md
@@ -32,6 +32,7 @@ Extended build capabilities with BuildKit
 | Name                    | Type     | Default | Description                              |
 |:------------------------|:---------|:--------|:-----------------------------------------|
 | [`--builder`](#builder) | `string` |         | Override the configured builder instance |
+| `-D`, `--debug`         | `bool`   |         | Enable debug logging                     |


 <!---MARKER_GEN_END-->
--- a/docs/reference/buildx_bake.md
+++ b/docs/reference/buildx_bake.md
@@ -15,9 +15,11 @@ Build from a file

 | Name                                | Type          | Default | Description                                                                                         |
 |:------------------------------------|:--------------|:--------|:----------------------------------------------------------------------------------------------------|
+| `--allow`                           | `stringArray` |         | Allow build to access specified resources                                                           |
 | [`--builder`](#builder)             | `string`      |         | Override the configured builder instance                                                            |
 | [`--call`](#call)                   | `string`      | `build` | Set method for evaluating build (`check`, `outline`, `targets`)                                     |
 | [`--check`](#check)                 | `bool`        |         | Shorthand for `--call=check`                                                                        |
+| `-D`, `--debug`                     | `bool`        |         | Enable debug logging                                                                                |
 | [`-f`](#file), [`--file`](#file)    | `stringArray` |         | Build definition file                                                                               |
 | `--load`                            | `bool`        |         | Shorthand for `--set=*.output=type=docker`                                                          |
 | [`--metadata-file`](#metadata-file) | `string`      |         | Write build result metadata to a file                                                               |
@@ -41,8 +43,7 @@ as part of the build.
 Read [High-level build options with Bake](https://docs.docker.com/build/bake/)
 guide for introduction to writing bake files.

-> **Note**
->
+> [!NOTE]
 > `buildx bake` command may receive backwards incompatible features in the future
 > if needed. We are looking for feedback on improving the command and extending
 > the functionality further.
@@ -163,17 +164,15 @@ $ cat metadata.json
 }
 ```

-> **Note**
->
-> Build record [provenance](https://docs.docker.com/build/attestations/slsa-provenance/#provenance-attestation-example)
+> [!NOTE]
+> Build record [provenance](https://docs.docker.com/build/metadata/attestations/slsa-provenance/#provenance-attestation-example)
 > (`buildx.build.provenance`) includes minimal provenance by default. Set the
 > `BUILDX_METADATA_PROVENANCE` environment variable to customize this behavior:
 > * `min` sets minimal provenance (default).
 > * `max` sets full provenance.
 > * `disabled`, `false` or `0` does not set any provenance.

-> **Note**
-> 
+> [!NOTE]
 > Build warnings (`buildx.build.warnings`) are not included by default. Set the
 > `BUILDX_METADATA_WARNINGS` environment variable to `1` or `true` to
 > include them.
--- a/docs/reference/buildx_build.md
+++ b/docs/reference/buildx_build.md
@@ -27,6 +27,7 @@ Start a build
 | [`--call`](#call)                       | `string`      | `build`   | Set method for evaluating build (`check`, `outline`, `targets`)                                     |
 | [`--cgroup-parent`](#cgroup-parent)     | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
 | [`--check`](#check)                     | `bool`        |           | Shorthand for `--call=check`                                                                        |
+| `-D`, `--debug`                         | `bool`        |           | Enable debug logging                                                                                |
 | `--detach`                              | `bool`        |           | Detach buildx server (supported only on linux) (EXPERIMENTAL)                                       |
 | [`-f`](#file), [`--file`](#file)        | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
 | `--iidfile`                             | `string`      |           | Write the image ID to a file                                                                        |
@@ -144,7 +145,7 @@ For more information about annotations, see
 --attest=type=provenance,...
 ```

-Create [image attestations](https://docs.docker.com/build/attestations/).
+Create [image attestations](https://docs.docker.com/build/metadata/attestations/).
 BuildKit currently supports:

 - `sbom` - Software Bill of Materials.
@@ -152,7 +153,7 @@ BuildKit currently supports:
  Use `--attest=type=sbom` to generate an SBOM for an image at build-time.
  Alternatively, you can use the [`--sbom` shorthand](#sbom).

-  For more information, see [here](https://docs.docker.com/build/attestations/sbom/).
+  For more information, see [here](https://docs.docker.com/build/metadata/attestations/sbom/).

 - `provenance` - SLSA Provenance

@@ -162,7 +163,7 @@ BuildKit currently supports:
  By default, a minimal provenance attestation will be created for the build
  result, which will only be attached for images pushed to registries.

-  For more information, see [here](https://docs.docker.com/build/attestations/slsa-provenance/).
+  For more information, see [here](https://docs.docker.com/build/metadata/attestations/slsa-provenance/).

 ### <a name="allow"></a> Allow extra privileged entitlement (--allow)

@@ -581,9 +582,8 @@ $ cat metadata.json
 }
 ```

-> **Note**
->
-> Build record [provenance](https://docs.docker.com/build/attestations/slsa-provenance/#provenance-attestation-example)
+> [!NOTE]
+> Build record [provenance](https://docs.docker.com/build/metadata/attestations/slsa-provenance/#provenance-attestation-example)
 > (`buildx.build.provenance`) includes minimal provenance by default. Set the
 > `BUILDX_METADATA_PROVENANCE` environment variable to customize this behavior:
 >
@@ -591,6 +591,11 @@ $ cat metadata.json
 > - `max` sets full provenance.
 > - `disabled`, `false` or `0` doesn't set any provenance.

+> [!NOTE]
+> Build warnings (`buildx.build.warnings`) are not included by default. Set the
+> `BUILDX_METADATA_WARNINGS` environment variable to `1` or `true` to
+> include them.
+
 ### <a name="network"></a> Set the networking mode for the RUN instructions during build (--network)

 Available options for the networking mode are:
@@ -601,12 +606,6 @@ Available options for the networking mode are:

 Find more details in the [Dockerfile reference](https://docs.docker.com/reference/dockerfile/#run---network).

-> **Note**
-> 
-> Build warnings (`buildx.build.warnings`) are not included by default. Set the
-> `BUILDX_METADATA_WARNINGS` environment variable to `1` or `true` to
-> include them.
-
 ### <a name="no-cache-filter"></a> Ignore build cache for specific stages (--no-cache-filter)

 The `--no-cache-filter` lets you specify one or more stages of a multi-stage
@@ -669,7 +668,7 @@ The arguments for the `--no-cache-filter` flag must be names of stages.
 ```

 Sets the export action for the build result. The default output, when using the
-`docker` [build driver](https://docs.docker.com/build/drivers/), is a container
+`docker` [build driver](https://docs.docker.com/build/builders/drivers/), is a container
 image exported to the local image store. The `--output` flag makes this step
 configurable allows export of results directly to the client's filesystem, an
 OCI image tarball, a registry, and more.
@@ -832,8 +831,7 @@ $ docker buildx build --platform=darwin .
 Set type of progress output (`auto`, `plain`, `tty`, `rawjson`). Use `plain` to show container
 output (default `auto`).

-> **Note**
->
+> [!NOTE]
 > You can also use the `BUILDKIT_PROGRESS` environment variable to set its value.

 The following example uses `plain` output during the build:
@@ -851,8 +849,7 @@ $ docker buildx build --load --progress=plain .
 ...
 ```

-> **Note**
->
+> [!NOTE]
 > Check also the [`BUILDKIT_COLORS`](https://docs.docker.com/build/building/variables/#buildkit_colors)
 > environment variable for modifying the colors of the terminal output.

@@ -877,7 +874,7 @@ to a registry if you use the default image store. Alternatively, you can switch
 to using the containerd image store.

 For more information about provenance attestations, see
-[here](https://docs.docker.com/build/attestations/slsa-provenance/).
+[here](https://docs.docker.com/build/metadata/attestations/slsa-provenance/).

 ### <a name="push"></a> Push the build result to a registry (--push)

@@ -899,7 +896,7 @@ attestations. Provenance attestations only persist for images pushed directly
 to a registry if you use the default image store. Alternatively, you can switch
 to using the containerd image store.

-For more information, see [here](https://docs.docker.com/build/attestations/sbom/).
+For more information, see [here](https://docs.docker.com/build/metadata/attestations/sbom/).

 ### <a name="secret"></a> Secret to expose to the build (--secret)

@@ -950,8 +947,8 @@ Attribute keys:
 # syntax=docker/dockerfile:1
 FROM node:alpine
 RUN --mount=type=bind,target=. \
-  --mount=type=secret,id=SECRET_TOKEN \
-  SECRET_TOKEN=$(cat /run/secrets/SECRET_TOKEN) yarn run test
+  --mount=type=secret,id=SECRET_TOKEN,env=SECRET_TOKEN \
+  yarn run test
 ```

 ```console
@@ -967,8 +964,7 @@ The format is `<number><unit>`. `number` must be greater than `0`. Unit is
 optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g`
 (gigabytes). If you omit the unit, the system uses bytes.

-> **Note**
->
+> [!NOTE]
 > In most cases, it is recommended to let the builder automatically determine
 > the appropriate configurations. Manual adjustments should only be considered
 > when specific performance tuning is required for complex build scenarios.
@@ -1054,14 +1050,12 @@ instructions and are specified with a soft and hard limit as such:
 $ docker buildx build --ulimit nofile=1024:1024 .
 ```

-> **Note**
->
+> [!NOTE]
 > If you don't provide a `hard limit`, the `soft limit` is used
 > for both values. If no `ulimits` are set, they're inherited from
 > the default `ulimits` set on the daemon.

-> **Note**
->
+> [!NOTE]
 > In most cases, it is recommended to let the builder automatically determine
 > the appropriate configurations. Manual adjustments should only be considered
 > when specific performance tuning is required for complex build scenarios.
--- a/docs/reference/buildx_create.md
+++ b/docs/reference/buildx_create.md
@@ -15,6 +15,7 @@ Create a new builder instance
 | `--bootstrap`                             | `bool`        |         | Boot builder after creation                                           |
 | [`--buildkitd-config`](#buildkitd-config) | `string`      |         | BuildKit daemon config file                                           |
 | [`--buildkitd-flags`](#buildkitd-flags)   | `string`      |         | BuildKit daemon flags                                                 |
+| `-D`, `--debug`                           | `bool`        |         | Enable debug logging                                                  |
 | [`--driver`](#driver)                     | `string`      |         | Driver to use (available: `docker-container`, `kubernetes`, `remote`) |
 | [`--driver-opt`](#driver-opt)             | `stringArray` |         | Options for the driver                                                |
 | [`--leave`](#leave)                       | `bool`        |         | Remove a node from builder instead of changing it                     |
@@ -101,8 +102,7 @@ value is `auto` and can be one of `bridge`, `cni`, `host`:
 --buildkitd-flags '--oci-worker-net bridge'
 ```

-> **Note**
->
+> [!NOTE]
 > Network mode "bridge" is supported since BuildKit v0.13 and will become the
 > default in next v0.14.

@@ -120,7 +120,7 @@ backend. Buildx supports the following drivers:
 * `kubernetes`
 * `remote`

-For more information about build drivers, see [here](https://docs.docker.com/build/drivers/).
+For more information about build drivers, see [here](https://docs.docker.com/build/builders/drivers/).

 #### `docker` driver

@@ -167,10 +167,10 @@ Passes additional driver-specific options.
 For information about available driver options, refer to the detailed
 documentation for the specific driver:

-* [`docker` driver](https://docs.docker.com/build/drivers/docker/)
-* [`docker-container` driver](https://docs.docker.com/build/drivers/docker-container/)
-* [`kubernetes` driver](https://docs.docker.com/build/drivers/kubernetes/)
-* [`remote` driver](https://docs.docker.com/build/drivers/remote/)
+* [`docker` driver](https://docs.docker.com/build/builders/drivers/docker/)
+* [`docker-container` driver](https://docs.docker.com/build/builders/drivers/docker-container/)
+* [`kubernetes` driver](https://docs.docker.com/build/builders/drivers/kubernetes/)
+* [`remote` driver](https://docs.docker.com/build/builders/drivers/remote/)

 ### <a name="leave"></a> Remove a node from a builder (--leave)

--- a/docs/reference/buildx_debug.md
+++ b/docs/reference/buildx_debug.md
@@ -15,6 +15,7 @@ Start debugger (EXPERIMENTAL)
 | Name              | Type     | Default | Description                                                                                                         |
 |:------------------|:---------|:--------|:--------------------------------------------------------------------------------------------------------------------|
 | `--builder`       | `string` |         | Override the configured builder instance                                                                            |
+| `-D`, `--debug`   | `bool`   |         | Enable debug logging                                                                                                |
 | `--detach`        | `bool`   | `true`  | Detach buildx server for the monitor (supported only on linux) (EXPERIMENTAL)                                       |
 | `--invoke`        | `string` |         | Launch a monitor with executing specified command (EXPERIMENTAL)                                                    |
 | `--on`            | `string` | `error` | When to launch the monitor ([always, error]) (EXPERIMENTAL)                                                         |
--- a/docs/reference/buildx_debug_build.md
+++ b/docs/reference/buildx_debug_build.md
@@ -23,6 +23,7 @@ Start a build
 | `--call`            | `string`      | `build`   | Set method for evaluating build (`check`, `outline`, `targets`)                                     |
 | `--cgroup-parent`   | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
 | `--check`           | `bool`        |           | Shorthand for `--call=check`                                                                        |
+| `-D`, `--debug`     | `bool`        |           | Enable debug logging                                                                                |
 | `--detach`          | `bool`        |           | Detach buildx server (supported only on linux) (EXPERIMENTAL)                                       |
 | `-f`, `--file`      | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
 | `--iidfile`         | `string`      |           | Write the image ID to a file                                                                        |
--- a/docs/reference/buildx_dial-stdio.md
+++ b/docs/reference/buildx_dial-stdio.md
@@ -5,11 +5,12 @@ Proxy current stdio streams to builder instance

 ### Options

-| Name         | Type     | Default | Description                                                                                         |
-|:-------------|:---------|:--------|:----------------------------------------------------------------------------------------------------|
-| `--builder`  | `string` |         | Override the configured builder instance                                                            |
-| `--platform` | `string` |         | Target platform: this is used for node selection                                                    |
-| `--progress` | `string` | `quiet` | Set type of progress output (`auto`, `plain`, `tty`, `rawjson`). Use plain to show container output |
+| Name            | Type     | Default | Description                                                                                         |
+|:----------------|:---------|:--------|:----------------------------------------------------------------------------------------------------|
+| `--builder`     | `string` |         | Override the configured builder instance                                                            |
+| `-D`, `--debug` | `bool`   |         | Enable debug logging                                                                                |
+| `--platform`    | `string` |         | Target platform: this is used for node selection                                                    |
+| `--progress`    | `string` | `quiet` | Set type of progress output (`auto`, `plain`, `tty`, `rawjson`). Use plain to show container output |


 <!---MARKER_GEN_END-->
--- a/docs/reference/buildx_du.md
+++ b/docs/reference/buildx_du.md
@@ -12,6 +12,7 @@ Disk usage
 | Name                    | Type     | Default | Description                              |
 |:------------------------|:---------|:--------|:-----------------------------------------|
 | [`--builder`](#builder) | `string` |         | Override the configured builder instance |
+| `-D`, `--debug`         | `bool`   |         | Enable debug logging                     |
 | `--filter`              | `filter` |         | Provide filter values                    |
 | [`--verbose`](#verbose) | `bool`   |         | Provide a more verbose output            |

--- a/docs/reference/buildx_imagetools.md
+++ b/docs/reference/buildx_imagetools.md
@@ -20,6 +20,7 @@ Commands to work on images in registry
 | Name                    | Type     | Default | Description                              |
 |:------------------------|:---------|:--------|:-----------------------------------------|
 | [`--builder`](#builder) | `string` |         | Override the configured builder instance |
+| `-D`, `--debug`         | `bool`   |         | Enable debug logging                     |


 <!---MARKER_GEN_END-->
--- a/docs/reference/buildx_imagetools_create.md
+++ b/docs/reference/buildx_imagetools_create.md
@@ -14,6 +14,7 @@ Create a new image based on source images
 | [`--annotation`](#annotation)    | `stringArray` |         | Add annotation to the image                                                                                                   |
 | [`--append`](#append)            | `bool`        |         | Append to existing manifest                                                                                                   |
 | [`--builder`](#builder)          | `string`      |         | Override the configured builder instance                                                                                      |
+| `-D`, `--debug`                  | `bool`        |         | Enable debug logging                                                                                                          |
 | [`--dry-run`](#dry-run)          | `bool`        |         | Show final image instead of pushing                                                                                           |
 | [`-f`](#file), [`--file`](#file) | `stringArray` |         | Read source descriptor from file                                                                                              |
 | `--prefer-index`                 | `bool`        | `true`  | When only a single source is specified, prefer outputting an image index or manifest list instead of performing a carbon copy |
@@ -52,8 +53,7 @@ $ docker buildx imagetools create \
  foo/bar:alpha foo/bar:beta foo/bar:gamma
 ```

-> **Note**
->
+> [!NOTE]
 > The `imagetools create` command supports adding annotations to the image
 > index and descriptor, using the following type prefixes:
 >
--- a/docs/reference/buildx_imagetools_inspect.md
+++ b/docs/reference/buildx_imagetools_inspect.md
@@ -12,6 +12,7 @@ Show details of an image in the registry
 | Name                    | Type     | Default         | Description                                   |
 |:------------------------|:---------|:----------------|:----------------------------------------------|
 | [`--builder`](#builder) | `string` |                 | Override the configured builder instance      |
+| `-D`, `--debug`         | `bool`   |                 | Enable debug logging                          |
 | [`--format`](#format)   | `string` | `{{.Manifest}}` | Format the output using the given Go template |
 | [`--raw`](#raw)         | `bool`   |                 | Show original, unformatted JSON manifest      |

--- a/docs/reference/buildx_inspect.md
+++ b/docs/reference/buildx_inspect.md
@@ -13,6 +13,7 @@ Inspect current builder instance
 |:----------------------------|:---------|:--------|:--------------------------------------------|
 | [`--bootstrap`](#bootstrap) | `bool`   |         | Ensure builder has booted before inspecting |
 | [`--builder`](#builder)     | `string` |         | Override the configured builder instance    |
+| `-D`, `--debug`             | `bool`   |         | Enable debug logging                        |


 <!---MARKER_GEN_END-->
@@ -43,8 +44,7 @@ name of the builder to inspect to get information about that builder.
 The following example shows information about a builder instance named
 `elated_tesla`:

-> **Note**
->
+> [!NOTE]
 > The asterisk (`*`) next to node build platform(s) indicate they have been
 > manually set during `buildx create`. Otherwise the platforms were
 > automatically detected.
--- a/docs/reference/buildx_ls.md
+++ b/docs/reference/buildx_ls.md
@@ -9,9 +9,11 @@ List builder instances

 ### Options

-| Name                  | Type     | Default | Description       |
-|:----------------------|:---------|:--------|:------------------|
-| [`--format`](#format) | `string` | `table` | Format the output |
+| Name                  | Type     | Default | Description           |
+|:----------------------|:---------|:--------|:----------------------|
+| `-D`, `--debug`       | `bool`   |         | Enable debug logging  |
+| [`--format`](#format) | `string` | `table` | Format the output     |
+| `--no-trunc`          | `bool`   |         | Don't truncate output |


 <!---MARKER_GEN_END-->
--- a/docs/reference/buildx_prune.md
+++ b/docs/reference/buildx_prune.md
@@ -9,14 +9,17 @@ Remove build cache

 ### Options

-| Name                    | Type     | Default | Description                               |
-|:------------------------|:---------|:--------|:------------------------------------------|
-| `-a`, `--all`           | `bool`   |         | Include internal/frontend images          |
-| [`--builder`](#builder) | `string` |         | Override the configured builder instance  |
-| `--filter`              | `filter` |         | Provide filter values (e.g., `until=24h`) |
-| `-f`, `--force`         | `bool`   |         | Do not prompt for confirmation            |
-| `--keep-storage`        | `bytes`  | `0`     | Amount of disk space to keep for cache    |
-| `--verbose`             | `bool`   |         | Provide a more verbose output             |
+| Name                    | Type     | Default | Description                                            |
+|:------------------------|:---------|:--------|:-------------------------------------------------------|
+| `-a`, `--all`           | `bool`   |         | Include internal/frontend images                       |
+| [`--builder`](#builder) | `string` |         | Override the configured builder instance               |
+| `-D`, `--debug`         | `bool`   |         | Enable debug logging                                   |
+| `--filter`              | `filter` |         | Provide filter values (e.g., `until=24h`)              |
+| `-f`, `--force`         | `bool`   |         | Do not prompt for confirmation                         |
+| `--max-used-space`      | `bytes`  | `0`     | Maximum amount of disk space allowed to keep for cache |
+| `--min-free-space`      | `bytes`  | `0`     | Target amount of free disk space after pruning         |
+| `--reserved-space`      | `bytes`  | `0`     | Amount of disk space always allowed to keep for cache  |
+| `--verbose`             | `bool`   |         | Provide a more verbose output                          |


 <!---MARKER_GEN_END-->
--- a/docs/reference/buildx_rm.md
+++ b/docs/reference/buildx_rm.md
@@ -13,6 +13,7 @@ Remove one or more builder instances
 |:------------------------------------|:---------|:--------|:-----------------------------------------|
 | [`--all-inactive`](#all-inactive)   | `bool`   |         | Remove all inactive builders             |
 | [`--builder`](#builder)             | `string` |         | Override the configured builder instance |
+| `-D`, `--debug`                     | `bool`   |         | Enable debug logging                     |
 | [`-f`](#force), [`--force`](#force) | `bool`   |         | Do not prompt for confirmation           |
 | [`--keep-daemon`](#keep-daemon)     | `bool`   |         | Keep the BuildKit daemon running         |
 | [`--keep-state`](#keep-state)       | `bool`   |         | Keep BuildKit state                      |
--- a/docs/reference/buildx_stop.md
+++ b/docs/reference/buildx_stop.md
@@ -12,6 +12,7 @@ Stop builder instance
 | Name                    | Type     | Default | Description                              |
 |:------------------------|:---------|:--------|:-----------------------------------------|
 | [`--builder`](#builder) | `string` |         | Override the configured builder instance |
+| `-D`, `--debug`         | `bool`   |         | Enable debug logging                     |


 <!---MARKER_GEN_END-->
--- a/docs/reference/buildx_use.md
+++ b/docs/reference/buildx_use.md
@@ -12,6 +12,7 @@ Set the current builder instance
 | Name                    | Type     | Default | Description                                |
 |:------------------------|:---------|:--------|:-------------------------------------------|
 | [`--builder`](#builder) | `string` |         | Override the configured builder instance   |
+| `-D`, `--debug`         | `bool`   |         | Enable debug logging                       |
 | `--default`             | `bool`   |         | Set builder as default for current context |
 | `--global`              | `bool`   |         | Builder persists context changes           |

--- a/docs/reference/buildx_version.md
+++ b/docs/reference/buildx_version.md
@@ -7,6 +7,12 @@ docker buildx version
 <!---MARKER_GEN_START-->
 Show buildx version information

+### Options
+
+| Name            | Type   | Default | Description          |
+|:----------------|:-------|:--------|:---------------------|
+| `-D`, `--debug` | `bool` |         | Enable debug logging |
+

 <!---MARKER_GEN_END-->

--- a/driver/docker/driver.go
+++ b/driver/docker/driver.go
@@ -29,7 +29,7 @@ func (d *Driver) Bootstrap(ctx context.Context, l progress.Logger) error {
 func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
 	_, err := d.DockerAPI.ServerVersion(ctx)
 	if err != nil {
-		return nil, errors.Wrapf(driver.ErrNotConnecting, err.Error())
+		return nil, errors.Wrapf(driver.ErrNotConnecting{}, err.Error())
 	}
 	return &driver.Info{
 		Status: driver.Running,
@@ -39,7 +39,7 @@ func (d *Driver) Info(ctx context.Context) (*driver.Info, error) {
 func (d *Driver) Version(ctx context.Context) (string, error) {
 	v, err := d.DockerAPI.ServerVersion(ctx)
 	if err != nil {
-		return "", errors.Wrapf(driver.ErrNotConnecting, err.Error())
+		return "", errors.Wrapf(driver.ErrNotConnecting{}, err.Error())
 	}
 	if bkversion, _ := resolveBuildKitVersion(v.Version); bkversion != "" {
 		return bkversion, nil
--- a/driver/driver.go
+++ b/driver/driver.go
@@ -14,8 +14,17 @@ import (
 	"github.com/pkg/errors"
 )

-var ErrNotRunning = errors.Errorf("driver not running")
-var ErrNotConnecting = errors.Errorf("driver not connecting")
+type ErrNotRunning struct{}
+
+func (ErrNotRunning) Error() string {
+	return "driver not running"
+}
+
+type ErrNotConnecting struct{}
+
+func (ErrNotConnecting) Error() string {
+	return "driver not connecting"
+}

 type Status int

@@ -105,7 +114,7 @@ func Boot(ctx, clientContext context.Context, d *DriverHandle, pw progress.Write

 		c, err := d.Client(clientContext)
 		if err != nil {
-			if errors.Cause(err) == ErrNotRunning && try <= 2 {
+			if errors.Is(err, ErrNotRunning{}) && try <= 2 {
 				continue
 			}
 			return nil, err
--- a/driver/kubernetes/driver.go
+++ b/driver/kubernetes/driver.go
@@ -38,7 +38,8 @@ const (

 type Driver struct {
 	driver.InitConfig
-	factory driver.Factory
+	factory      driver.Factory
+	clientConfig ClientConfig

 	// if you add fields, remember to update docs:
 	// https://github.com/docker/docs/blob/main/content/build/drivers/kubernetes.md
@@ -198,7 +199,7 @@ func (d *Driver) Rm(ctx context.Context, force, rmVolume, rmDaemon bool) error {

 func (d *Driver) Dial(ctx context.Context) (net.Conn, error) {
 	restClient := d.clientset.CoreV1().RESTClient()
-	restClientConfig, err := d.KubeClientConfig.ClientConfig()
+	restClientConfig, err := d.clientConfig.ClientConfig()
 	if err != nil {
 		return nil, err
 	}
--- a/driver/kubernetes/factory.go
+++ b/driver/kubernetes/factory.go
@@ -2,19 +2,22 @@ package kubernetes

 import (
 	"context"
+	"os"
 	"strconv"
 	"strings"
 	"time"

-	corev1 "k8s.io/api/core/v1"
-
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/driver/bkimage"
+	ctxkube "github.com/docker/buildx/driver/kubernetes/context"
 	"github.com/docker/buildx/driver/kubernetes/manifest"
 	"github.com/docker/buildx/driver/kubernetes/podchooser"
 	dockerclient "github.com/docker/docker/client"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 )

 const (
@@ -23,11 +26,31 @@ const (
 	defaultTimeout      = 120 * time.Second
 )

+type ClientConfig interface {
+	ClientConfig() (*rest.Config, error)
+	Namespace() (string, bool, error)
+}
+
+type ClientConfigInCluster struct{}
+
+func (k ClientConfigInCluster) ClientConfig() (*rest.Config, error) {
+	return rest.InClusterConfig()
+}
+
+func (k ClientConfigInCluster) Namespace() (string, bool, error) {
+	namespace, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+	if err != nil {
+		return "", false, err
+	}
+	return strings.TrimSpace(string(namespace)), true, nil
+}
+
 func init() {
 	driver.Register(&factory{})
 }

 type factory struct {
+	cc ClientConfig // used for testing
 }

 func (*factory) Name() string {
@@ -46,18 +69,50 @@ func (*factory) Priority(ctx context.Context, endpoint string, api dockerclient.
 }

 func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver, error) {
-	if cfg.KubeClientConfig == nil {
-		return nil, errors.Errorf("%s driver requires kubernetes API access", DriverName)
+	var err error
+	var cc ClientConfig
+	if f.cc != nil {
+		cc = f.cc
+	} else {
+		cc, err = ctxkube.ConfigFromEndpoint(cfg.EndpointAddr, cfg.ContextStore)
+		if err != nil {
+			// err is returned if cfg.EndpointAddr is non-context name like "unix:///var/run/docker.sock".
+			// try again with name="default".
+			// FIXME(@AkihiroSuda): cfg should retain real context name.
+			cc, err = ctxkube.ConfigFromEndpoint("default", cfg.ContextStore)
+			if err != nil {
+				logrus.Error(err)
+			}
+		}
+		tryToUseConfigInCluster := false
+		if cc == nil {
+			tryToUseConfigInCluster = true
+		} else {
+			if _, err := cc.ClientConfig(); err != nil {
+				tryToUseConfigInCluster = true
+			}
+		}
+		if tryToUseConfigInCluster {
+			ccInCluster := ClientConfigInCluster{}
+			if _, err := ccInCluster.ClientConfig(); err == nil {
+				logrus.Debug("using kube config in cluster")
+				cc = ccInCluster
+			}
+		}
+		if cc == nil {
+			return nil, errors.Errorf("%s driver requires kubernetes API access", DriverName)
+		}
 	}
+
 	deploymentName, err := buildxNameToDeploymentName(cfg.Name)
 	if err != nil {
 		return nil, err
 	}
-	namespace, _, err := cfg.KubeClientConfig.Namespace()
+	namespace, _, err := cc.Namespace()
 	if err != nil {
 		return nil, errors.Wrap(err, "cannot determine Kubernetes namespace, specify manually")
 	}
-	restClientConfig, err := cfg.KubeClientConfig.ClientConfig()
+	restClientConfig, err := cc.ClientConfig()
 	if err != nil {
 		return nil, err
 	}
@@ -67,9 +122,10 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 	}

 	d := &Driver{
-		factory:    f,
-		InitConfig: cfg,
-		clientset:  clientset,
+		factory:      f,
+		clientConfig: cc,
+		InitConfig:   cfg,
+		clientset:    clientset,
 	}

 	deploymentOpt, loadbalance, namespace, defaultLoad, timeout, err := f.processDriverOpts(deploymentName, namespace, cfg)
--- a/driver/kubernetes/factory_test.go
+++ b/driver/kubernetes/factory_test.go
@@ -11,29 +11,28 @@ import (
 	"k8s.io/client-go/rest"
 )

-type mockKubeClientConfig struct {
+type mockClientConfig struct {
 	clientConfig *rest.Config
 	namespace    string
 }

-func (r *mockKubeClientConfig) ClientConfig() (*rest.Config, error) {
+func (r *mockClientConfig) ClientConfig() (*rest.Config, error) {
 	return r.clientConfig, nil
 }

-func (r *mockKubeClientConfig) Namespace() (string, bool, error) {
+func (r *mockClientConfig) Namespace() (string, bool, error) {
 	return r.namespace, true, nil
 }

 func TestFactory_processDriverOpts(t *testing.T) {
-	kcc := mockKubeClientConfig{
-		clientConfig: &rest.Config{},
-	}
-
 	cfg := driver.InitConfig{
-		Name:             driver.BuilderName("test"),
-		KubeClientConfig: &kcc,
+		Name: driver.BuilderName("test"),
+	}
+	f := factory{
+		cc: &mockClientConfig{
+			clientConfig: &rest.Config{},
+		},
 	}
-	f := factory{}

 	t.Run(
 		"ValidOptions", func(t *testing.T) {
--- a/driver/kubernetes/manifest/manifest.go
+++ b/driver/kubernetes/manifest/manifest.go
@@ -7,7 +7,6 @@ import (

 	"github.com/docker/buildx/util/platformutil"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -53,10 +52,17 @@ const (
 	LabelApp           = "app"
 )

-var (
-	ErrReservedAnnotationPlatform = errors.Errorf("the annotation \"%s\" is reserved and cannot be customized", AnnotationPlatform)
-	ErrReservedLabelApp           = errors.Errorf("the label \"%s\" is reserved and cannot be customized", LabelApp)
-)
+type ErrReservedAnnotationPlatform struct{}
+
+func (ErrReservedAnnotationPlatform) Error() string {
+	return fmt.Sprintf("the annotation %q is reserved and cannot be customized", AnnotationPlatform)
+}
+
+type ErrReservedLabelApp struct{}
+
+func (ErrReservedLabelApp) Error() string {
+	return fmt.Sprintf("the label %q is reserved and cannot be customized", LabelApp)
+}

 func NewDeployment(opt *DeploymentOpt) (d *appsv1.Deployment, c []*corev1.ConfigMap, err error) {
 	labels := map[string]string{
@@ -73,14 +79,14 @@ func NewDeployment(opt *DeploymentOpt) (d *appsv1.Deployment, c []*corev1.Config

 	for k, v := range opt.CustomAnnotations {
 		if k == AnnotationPlatform {
-			return nil, nil, ErrReservedAnnotationPlatform
+			return nil, nil, ErrReservedAnnotationPlatform{}
 		}
 		annotations[k] = v
 	}

 	for k, v := range opt.CustomLabels {
 		if k == LabelApp {
-			return nil, nil, ErrReservedLabelApp
+			return nil, nil, ErrReservedLabelApp{}
 		}
 		labels[k] = v
 	}
--- a/driver/manager.go
+++ b/driver/manager.go
@@ -2,17 +2,15 @@ package driver

 import (
 	"context"
-	"os"
 	"sort"
-	"strings"
 	"sync"

+	"github.com/docker/cli/cli/context/store"
 	dockerclient "github.com/docker/docker/client"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/util/tracing/delegated"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
-	"k8s.io/client-go/rest"
 )

 type Factory interface {
@@ -28,38 +26,18 @@ type BuildkitConfig struct {
 	// Rootless bool
 }

-type KubeClientConfig interface {
-	ClientConfig() (*rest.Config, error)
-	Namespace() (string, bool, error)
-}
-
-type KubeClientConfigInCluster struct{}
-
-func (k KubeClientConfigInCluster) ClientConfig() (*rest.Config, error) {
-	return rest.InClusterConfig()
-}
-
-func (k KubeClientConfigInCluster) Namespace() (string, bool, error) {
-	namespace, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
-	if err != nil {
-		return "", false, err
-	}
-	return strings.TrimSpace(string(namespace)), true, nil
-}
-
 type InitConfig struct {
-	// This object needs updates to be generic for different drivers
-	Name             string
-	EndpointAddr     string
-	DockerAPI        dockerclient.APIClient
-	KubeClientConfig KubeClientConfig
-	BuildkitdFlags   []string
-	Files            map[string][]byte
-	DriverOpts       map[string]string
-	Auth             Auth
-	Platforms        []specs.Platform
-	ContextPathHash  string // can be used for determining pods in the driver instance
-	DialMeta         map[string][]string
+	Name            string
+	EndpointAddr    string
+	DockerAPI       dockerclient.APIClient
+	ContextStore    store.Reader
+	BuildkitdFlags  []string
+	Files           map[string][]byte
+	DriverOpts      map[string]string
+	Auth            Auth
+	Platforms       []specs.Platform
+	ContextPathHash string
+	DialMeta        map[string][]string
 }

 var drivers map[string]Factory
@@ -104,28 +82,15 @@ func GetFactory(name string, instanceRequired bool) (Factory, error) {
 	return nil, errors.Errorf("failed to find driver %q", name)
 }

-func GetDriver(ctx context.Context, name string, f Factory, endpointAddr string, api dockerclient.APIClient, auth Auth, kcc KubeClientConfig, buildkitdFlags []string, files map[string][]byte, do map[string]string, platforms []specs.Platform, contextPathHash string, dialMeta map[string][]string) (*DriverHandle, error) {
-	ic := InitConfig{
-		EndpointAddr:     endpointAddr,
-		DockerAPI:        api,
-		KubeClientConfig: kcc,
-		Name:             name,
-		BuildkitdFlags:   buildkitdFlags,
-		DriverOpts:       do,
-		Auth:             auth,
-		Platforms:        platforms,
-		ContextPathHash:  contextPathHash,
-		DialMeta:         dialMeta,
-		Files:            files,
-	}
+func GetDriver(ctx context.Context, f Factory, cfg InitConfig) (*DriverHandle, error) {
 	if f == nil {
 		var err error
-		f, err = GetDefaultFactory(ctx, endpointAddr, api, false, dialMeta)
+		f, err = GetDefaultFactory(ctx, cfg.EndpointAddr, cfg.DockerAPI, false, cfg.DialMeta)
 		if err != nil {
 			return nil, err
 		}
 	}
-	d, err := f.New(ctx, ic)
+	d, err := f.New(ctx, cfg)
 	if err != nil {
 		return nil, err
 	}
--- a/driver/remote/factory.go
+++ b/driver/remote/factory.go
@@ -7,15 +7,15 @@ import (
 	"strconv"
 	"strings"

-	// import connhelpers for special url schemes
-	_ "github.com/moby/buildkit/client/connhelper/dockercontainer"
-	_ "github.com/moby/buildkit/client/connhelper/kubepod"
-	_ "github.com/moby/buildkit/client/connhelper/ssh"
-
 	"github.com/docker/buildx/driver"
 	util "github.com/docker/buildx/driver/remote/util"
 	dockerclient "github.com/docker/docker/client"
 	"github.com/pkg/errors"
+
+	// import connhelpers for special url schemes
+	_ "github.com/moby/buildkit/client/connhelper/dockercontainer"
+	_ "github.com/moby/buildkit/client/connhelper/kubepod"
+	_ "github.com/moby/buildkit/client/connhelper/ssh"
 )

 const prioritySupported = 20
--- a/driver/remote/util/dialer_unix.go
+++ b/driver/remote/util/dialer_unix.go
@@ -1,7 +1,7 @@
 //go:build !windows
 // +build !windows

-package remote
+package remoteutil

 import (
 	"context"
--- a/driver/remote/util/dialer_windows.go
+++ b/driver/remote/util/dialer_windows.go
@@ -1,4 +1,4 @@
-package remote
+package remoteutil

 import (
 	"context"
--- a/driver/remote/util/endpoint.go
+++ b/driver/remote/util/endpoint.go
@@ -1,18 +1,19 @@
-package remote
+package remoteutil

 import (
 	"net/url"
+	"slices"

 	"github.com/pkg/errors"
 )

-var schemes = map[string]struct{}{
-	"tcp":              {},
-	"unix":             {},
-	"ssh":              {},
-	"docker-container": {},
-	"kube-pod":         {},
-	"npipe":            {},
+var schemes = []string{
+	"docker-container",
+	"kube-pod",
+	"npipe",
+	"ssh",
+	"tcp",
+	"unix",
 }

 func IsValidEndpoint(ep string) error {
@@ -20,7 +21,7 @@ func IsValidEndpoint(ep string) error {
 	if err != nil {
 		return errors.Wrapf(err, "failed to parse endpoint %s", ep)
 	}
-	if _, ok := schemes[endpoint.Scheme]; !ok {
+	if _, ok := slices.BinarySearch(schemes, endpoint.Scheme); !ok {
 		return errors.Errorf("unrecognized url scheme %s", endpoint.Scheme)
 	}
 	return nil
--- a/driver/remote/util/endpoint_test.go
+++ b/driver/remote/util/endpoint_test.go
@@ -0,0 +1,12 @@
+package remoteutil
+
+import (
+	"slices"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSchemes(t *testing.T) {
+	require.True(t, slices.IsSorted(schemes))
+}
--- a/go.mod
+++ b/go.mod
@@ -1,60 +1,61 @@
 module github.com/docker/buildx

-go 1.21.0
+go 1.22.0

 require (
 	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/aws/aws-sdk-go-v2/config v1.26.6
-	github.com/compose-spec/compose-go/v2 v2.1.3
+	github.com/compose-spec/compose-go/v2 v2.2.0
 	github.com/containerd/console v1.0.4
-	github.com/containerd/containerd v1.7.19
+	github.com/containerd/containerd v1.7.22
 	github.com/containerd/continuity v0.4.3
 	github.com/containerd/errdefs v0.1.0
 	github.com/containerd/log v0.1.0
 	github.com/containerd/platforms v0.2.1
-	github.com/containerd/typeurl/v2 v2.1.1
+	github.com/containerd/typeurl/v2 v2.2.0
 	github.com/creack/pty v1.1.21
 	github.com/distribution/reference v0.6.0
-	github.com/docker/cli v27.0.3+incompatible
+	github.com/docker/cli v27.3.1+incompatible
 	github.com/docker/cli-docs-tool v0.8.0
-	github.com/docker/docker v27.0.3+incompatible
+	github.com/docker/docker v27.3.1+incompatible
 	github.com/docker/go-units v0.5.0
-	github.com/gofrs/flock v0.12.0
-	github.com/gogo/protobuf v1.3.2
-	github.com/golang/protobuf v1.5.4
+	github.com/gofrs/flock v0.12.1
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-cty-funcs v0.0.0-20230405223818-a090f58aa992
 	github.com/hashicorp/hcl/v2 v2.20.1
 	github.com/in-toto/in-toto-golang v0.5.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/moby/buildkit v0.15.0
-	github.com/moby/sys/mountinfo v0.7.1
-	github.com/moby/sys/signal v0.7.0
+	github.com/moby/buildkit v0.17.0-rc1
+	github.com/moby/sys/mountinfo v0.7.2
+	github.com/moby/sys/signal v0.7.1
 	github.com/morikuni/aec v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10
 	github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c
+	github.com/tonistiigi/fsutil v0.0.0-20241003195857-3f140a1299b0
 	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4
 	github.com/zclconf/go-cty v1.14.4
 	go.opentelemetry.io/otel v1.21.0
 	go.opentelemetry.io/otel/metric v1.21.0
 	go.opentelemetry.io/otel/sdk v1.21.0
 	go.opentelemetry.io/otel/trace v1.21.0
-	golang.org/x/mod v0.17.0
-	golang.org/x/sync v0.7.0
-	golang.org/x/sys v0.21.0
-	golang.org/x/term v0.20.0
-	golang.org/x/text v0.15.0
-	google.golang.org/grpc v1.59.0
+	golang.org/x/mod v0.21.0
+	golang.org/x/sync v0.8.0
+	golang.org/x/sys v0.25.0
+	golang.org/x/term v0.24.0
+	golang.org/x/text v0.18.0
+	google.golang.org/grpc v1.66.2
+	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1
+	google.golang.org/protobuf v1.34.1
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.29.2
 	k8s.io/apimachinery v0.29.2
@@ -82,12 +83,12 @@ require (
 	github.com/aws/smithy-go v1.19.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/containerd/api v1.7.19 // indirect
 	github.com/containerd/ttrpc v1.2.5 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
@@ -101,11 +102,12 @@ require (
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
-	github.com/gogo/googleapis v1.4.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -127,8 +129,9 @@ require (
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -152,25 +155,22 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.42.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.42.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.42.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.21.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
-	golang.org/x/crypto v0.23.0 // indirect
-	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
-	golang.org/x/net v0.25.0 // indirect
-	golang.org/x/oauth2 v0.11.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.17.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/tools v0.25.0 // indirect
+	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,7 @@
-cloud.google.com/go v0.110.8 h1:tyNdfIxjzaWctIiLYOTalaLKZ17SI44SKFW26QbOhME=
-cloud.google.com/go/compute v1.23.1 h1:V97tBoDaZHb6leicZ1G6DLK2BAaZLJ/7+9BB/En3hR0=
-cloud.google.com/go/compute v1.23.1/go.mod h1:CqB3xpmPKKt3OJpW2ndFIXnA9A4xAy/F3Xp1ixncW78=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go v0.112.0 h1:tpFCD7hpHFlQ8yPwT3x+QeXqc2T6+n6T+hmABHfDUSM=
+cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
@@ -76,22 +75,22 @@ github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXe
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004 h1:lkAMpLVBDaj17e85keuznYcH5rqI438v41pKcBl4ZxQ=
 github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
-github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k=
-github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw=
+github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
-github.com/compose-spec/compose-go/v2 v2.1.3 h1:bD67uqLuL/XgkAK6ir3xZvNLFPxPScEi1KW7R5esrLE=
-github.com/compose-spec/compose-go/v2 v2.1.3/go.mod h1:lFN0DrMxIncJGYAXTfWuajfwj5haBJqrBkarHcnjJKc=
+github.com/compose-spec/compose-go/v2 v2.2.0 h1:VsQosGhuO+H9wh5laiIiAe4TVd73kQ5NWwmNrdm0HRA=
+github.com/compose-spec/compose-go/v2 v2.2.0/go.mod h1:lFN0DrMxIncJGYAXTfWuajfwj5haBJqrBkarHcnjJKc=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
 github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
-github.com/containerd/containerd v1.7.19 h1:/xQ4XRJ0tamDkdzrrBAUy/LE5nCcxFKdBm4EcPrSMEE=
-github.com/containerd/containerd v1.7.19/go.mod h1:h4FtNYUUMB4Phr6v+xG89RYKj9XccvbNSCKjdufCrkc=
+github.com/containerd/containerd v1.7.22 h1:nZuNnNRA6T6jB975rx2RRNqqH2k6ELYKDZfqTHqwyy0=
+github.com/containerd/containerd v1.7.22/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g=
 github.com/containerd/containerd/api v1.7.19 h1:VWbJL+8Ap4Ju2mx9c9qS1uFSB1OVYr5JJrW2yT5vFoA=
 github.com/containerd/containerd/api v1.7.19/go.mod h1:fwGavl3LNwAV5ilJ0sbrABL44AQxmNjDRcwheXDb6Ig=
 github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
@@ -102,8 +101,8 @@ github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY
 github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/nydus-snapshotter v0.13.7 h1:x7DHvGnzJOu1ZPwPYkeOPk5MjZZYbdddygEjaSDoFTk=
-github.com/containerd/nydus-snapshotter v0.13.7/go.mod h1:VPVKQ3jmHFIcUIV2yiQ1kImZuBFS3GXDohKs9mRABVE=
+github.com/containerd/nydus-snapshotter v0.14.0 h1:6/eAi6d7MjaeLLuMO8Udfe5GVsDudmrDNO4SGETMBco=
+github.com/containerd/nydus-snapshotter v0.14.0/go.mod h1:TT4jv2SnIDxEBu4H2YOvWQHPOap031ydTaHTuvc5VQk=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/containerd/stargz-snapshotter v0.15.1 h1:fpsP4kf/Z4n2EYnU0WT8ZCE3eiKDwikDhL6VwxIlgeA=
@@ -111,8 +110,8 @@ github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G
 github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
 github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oLU=
 github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
-github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4=
-github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
+github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsPEmzLso=
+github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g=
 github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -124,15 +123,15 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v27.0.3+incompatible h1:usGs0/BoBW8MWxGeEtqPMkzOY56jZ6kYlSN5BLDioCQ=
-github.com/docker/cli v27.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ=
+github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli-docs-tool v0.8.0 h1:YcDWl7rQJC3lJ7WVZRwSs3bc9nka97QLWfyJQli8yJU=
 github.com/docker/cli-docs-tool v0.8.0/go.mod h1:8TQQ3E7mOXoYUs811LiPdUnAhXrcVsBIrW21a5pUbdk=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
-github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE=
-github.com/docker/docker v27.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
+github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
+github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
 github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
@@ -152,8 +151,8 @@ github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNE
 github.com/dvsekhvalnov/jose2go v0.0.0-20170216131308-f21a8cedbbae/go.mod h1:7BvyPhdbLxMXIYTFPLsyJRFMsKmOZnQmzh6Gb+uquuM=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA=
-github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE=
+github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A=
+github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
@@ -184,17 +183,15 @@ github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAprG2mQfMfc=
 github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/gofrs/flock v0.12.0 h1:xHW8t8GPAiGtqz7KxiSqfOEXwpOaqhpYZrTE2MQBgXY=
-github.com/gofrs/flock v0.12.0/go.mod h1:FirDy1Ing0mI2+kB6wk+vyyAH+e6xiE+EYA0jnzV9jc=
-github.com/gogo/googleapis v1.4.1 h1:1Yx4Myt7BxzvUr5ldGSbwYiZG6t9wGBZ+8/fX3Wvtq0=
-github.com/gogo/googleapis v1.4.1/go.mod h1:2lpHqI5OcWCtVElxXnPt+s8oJvMpySlOyM6xDCrzib4=
+github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
+github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
-github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo=
-github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ=
+github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4=
+github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -202,7 +199,6 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/certificate-transparency-go v1.0.10-0.20180222191210-5ab67e519c93 h1:jc2UWq7CbdszqeH6qu1ougXMIUBfSy8Pbh/anURYbGI=
@@ -211,7 +207,6 @@ github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvR
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -226,8 +221,8 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -306,8 +301,8 @@ github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/z
 github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.15.0 h1:vnZLThPr9JU6SvItctKoa6NfgPZ8oUApg/TCOaa/SVs=
-github.com/moby/buildkit v0.15.0/go.mod h1:oN9S+8I7wF26vrqn9NuAF6dFSyGTfXvtiu9o1NlnnH4=
+github.com/moby/buildkit v0.17.0-rc1 h1:LTHa+CEoGZGWWEJcOEUj/5fv+6FPvMZTOD/KVEW4syA=
+github.com/moby/buildkit v0.17.0-rc1/go.mod h1:BprE7bOBNMZPwd3YR7iUmHdqt618BDvS49hZySzr5Mg=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
@@ -316,14 +311,16 @@ github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkV
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
 github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
-github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
-github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
-github.com/moby/sys/signal v0.7.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg=
-github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
-github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
+github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
+github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/sys/signal v0.7.1 h1:PrQxdvxcGijdo6UXXo/lU/TvHUWyPhj7UOpSo8tuvk0=
+github.com/moby/sys/signal v0.7.1/go.mod h1:Se1VGehYokAkrSQwL4tDzHvETwUZlnY7S5XtQ50mQp8=
+github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
+github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
+github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
+github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -368,6 +365,8 @@ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.0-pre1.0.20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -394,8 +393,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE=
@@ -440,8 +439,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/theupdateframework/notary v0.7.0 h1:QyagRZ7wlSpjT5N2qQAh/pN+DVqgekv4DzbAiAiEL3c=
 github.com/theupdateframework/notary v0.7.0/go.mod h1:c9DRxcmhHmVLDay4/2fUYdISnHqbFDGRSlXPO0AhYWw=
-github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c h1:+6wg/4ORAbnSoGDzg2Q1i3CeMcT/jjhye/ZfnBHy7/M=
-github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c/go.mod h1:vbbYqJlnswsbJqWUcJN8fKtBhnEgldDrcagTgnBVKKM=
+github.com/tonistiigi/fsutil v0.0.0-20241003195857-3f140a1299b0 h1:H9++AiQUqjwrOMA/DOpWhxWp3JLyyT+MN4sRPbMmwoY=
+github.com/tonistiigi/fsutil v0.0.0-20241003195857-3f140a1299b0/go.mod h1:Dl/9oEjK7IqnjAm21Okx/XIxUCFJzvh+XdVHUlBwXTw=
 github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 h1:7I5c2Ig/5FgqkYOh/N87NzoyI9U15qUPXhDD8uCupv8=
 github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/v/cCndK0AMpt1wiVFb/YYmqB3/QG0=
@@ -475,12 +474,10 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJ
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo=
 go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc=
 go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.42.0 h1:ZtfnDL+tUrs1F0Pzfwbg2d59Gru9NCH3bgSHBM6LDwU=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.42.0/go.mod h1:hG4Fj/y8TR/tlEDREo8tWstl9fO9gcFkn4xrx0Io8xU=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.42.0 h1:NmnYCiR0qNufkldjVvyQfZTHSdzeHoZ41zggMsdMcLM=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.42.0/go.mod h1:UVAO61+umUsHLtYb8KXXRoHtxUkdOPkYidzW3gipRLQ=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.42.0 h1:wNMDy/LVGLj2h3p6zg4d0gypKfWKSWI14E1C4smOgl8=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.42.0/go.mod h1:YfbDdXAAkemWJK3H/DshvlrxqFB2rtW4rY6ky/3x/H0=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0 h1:jd0+5t/YynESZqsSyPz+7PAFdEop0dlN0+PkyHYo8oI=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0/go.mod h1:U707O40ee1FpQGyhvqnzmCJm1Wh6OX6GGBVn0E6Uyyk=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0 h1:bflGWrfYyuulcdxf14V6n9+CoQcu5SAAdHmDPAJnlps=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0/go.mod h1:qcTO4xHAxZLaLxPd60TdE88rxtItPHgHWqOhOGRr0as=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk=
@@ -507,34 +504,33 @@ golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200422194213-44a606286825/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o=
-golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
+golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
+golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
+golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
-golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
+golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
+golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -545,48 +541,44 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM=
+golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
+golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE=
+golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA=
-google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI=
-google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b h1:CIC2YMXmIhYw6evmhPxBKJ4fmLbOFtXQN/GV3XOZR8k=
-google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:IBQ646DjkDkvUIsVq/cc03FUFQ9wbZu7yE396YcL870=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc=
+google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ=
+google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro=
+google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 h1:+rdxYoE3E5htTEWIe15GlN6IfvbURM//Jt0mmkmm6ZU=
+google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117/go.mod h1:OimBR/bc1wPO9iV4NC2bpyjy3VnAwZh5EBPQdtaE5oo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 h1:1GBuWVLM/KMVUv1t1En5Gs+gFZCNd360GGb4sSxtrhU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
 google.golang.org/grpc v1.0.5/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
-google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
-google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo=
+google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 h1:F29+wU6Ee6qgu9TddPgooOdaqsxTMunOoj8KA5yuS5A=
+google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1/go.mod h1:5KF+wpkbTSbGcR9zteSqZV6fqFOWBl4Yde8En8MryZA=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/cenkalti/backoff.v2 v2.2.1 h1:eJ9UAg01/HIHG987TwxvnzK2MgxXq97YY6rYDpY9aII=
--- a/hack/dockerfiles/authors.Dockerfile
+++ b/hack/dockerfiles/authors.Dockerfile
@@ -1,20 +1,21 @@
 # syntax=docker/dockerfile:1

-FROM alpine:3.14 AS gen
+ARG ALPINE_VERSION=3.20
+
+FROM alpine:${ALPINE_VERSION} AS gen
 RUN apk add --no-cache git
 WORKDIR /src
 RUN --mount=type=bind,target=. <<EOT
-#!/usr/bin/env bash
-set -e
-mkdir /out
-# see also ".mailmap" for how email addresses and names are deduplicated
-{
-  echo "# This file lists all individuals having contributed content to the repository."
-  echo "# For how it is generated, see hack/dockerfiles/authors.Dockerfile."
-  echo
-  git log --format='%aN <%aE>' | LC_ALL=C.UTF-8 sort -uf
-} > /out/AUTHORS
-cat /out/AUTHORS
+  set -e
+  mkdir /out
+  # see also ".mailmap" for how email addresses and names are deduplicated
+  {
+    echo "# This file lists all individuals having contributed content to the repository."
+    echo "# For how it is generated, see hack/dockerfiles/authors.Dockerfile."
+    echo
+    git log --format='%aN <%aE>' | LC_ALL=C.UTF-8 sort -uf
+  } > /out/AUTHORS
+  cat /out/AUTHORS
 EOT

 FROM scratch AS update
@@ -22,12 +23,12 @@ COPY --from=gen /out /

 FROM gen AS validate
 RUN --mount=type=bind,target=.,rw <<EOT
-set -e
-git add -A
-cp -rf /out/* .
-if [ -n "$(git status --porcelain -- AUTHORS)" ]; then
-  echo >&2 'ERROR: Authors result differs. Please update with "make authors"'
-  git status --porcelain -- AUTHORS
-  exit 1
-fi
+  set -e
+  git add -A
+  cp -rf /out/* .
+  if [ -n "$(git status --porcelain -- AUTHORS)" ]; then
+    echo >&2 'ERROR: Authors result differs. Please update with "make authors"'
+    git status --porcelain -- AUTHORS
+    exit 1
+  fi
 EOT
--- a/hack/dockerfiles/generated-files.Dockerfile
+++ b/hack/dockerfiles/generated-files.Dockerfile
@@ -7,10 +7,13 @@

 ARG GO_VERSION="1.22"
 ARG PROTOC_VERSION="3.11.4"
+ARG PROTOC_GOOGLEAPIS_VERSION=2af421884dd468d565137215c946ebe4e245ae26

 # protoc is dynamically linked to glibc so can't use alpine base
 FROM golang:${GO_VERSION}-bookworm AS base
 RUN apt-get update && apt-get --no-install-recommends install -y git unzip
+
+FROM base AS protoc
 ARG PROTOC_VERSION
 ARG TARGETOS
 ARG TARGETARCH
@@ -18,34 +21,69 @@ RUN <<EOT
  set -e
  arch=$(echo $TARGETARCH | sed -e s/amd64/x86_64/ -e s/arm64/aarch_64/)
  wget -q https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-${TARGETOS}-${arch}.zip
-  unzip protoc-${PROTOC_VERSION}-${TARGETOS}-${arch}.zip -d /usr/local
+  unzip protoc-${PROTOC_VERSION}-${TARGETOS}-${arch}.zip -d /opt/protoc
 EOT
-WORKDIR /go/src/github.com/docker/buildx

-FROM base AS tools
-RUN --mount=type=bind,target=.,rw \
+FROM base AS googleapis
+ARG PROTOC_GOOGLEAPIS_VERSION
+RUN <<EOT
+  set -e
+  wget -q https://github.com/googleapis/googleapis/archive/${PROTOC_GOOGLEAPIS_VERSION}.zip -O googleapis.zip
+  unzip googleapis.zip '*.proto' -d /opt
+  mkdir -p /opt/googleapis
+  mv /opt/googleapis-${PROTOC_GOOGLEAPIS_VERSION} /opt/googleapis/include
+EOT
+
+FROM base AS gobuild-base
+WORKDIR /app
+
+FROM gobuild-base AS vtprotobuf
+RUN --mount=type=bind,source=go.mod,target=/app/go.mod \
+    --mount=type=bind,source=go.sum,target=/app/go.sum \
+    --mount=type=cache,target=/root/.cache \
+    --mount=type=cache,target=/go/pkg/mod <<EOT
+  set -e
+  mkdir -p /opt/vtprotobuf
+  go mod download github.com/planetscale/vtprotobuf
+  cp -r $(go list -m -f='{{.Dir}}' github.com/planetscale/vtprotobuf)/include /opt/vtprotobuf
+EOT
+
+FROM gobuild-base AS vendored
+RUN --mount=type=bind,source=vendor,target=/app <<EOT
+  set -e
+  mkdir -p /opt/vendored/include
+  find . -name '*.proto' | tar -cf - --files-from - | tar -C /opt/vendored/include -xf -
+EOT
+
+FROM gobuild-base AS tools
+RUN --mount=type=bind,source=go.mod,target=/app/go.mod,ro \
+    --mount=type=bind,source=go.sum,target=/app/go.sum,ro \
    --mount=type=cache,target=/root/.cache \
    --mount=type=cache,target=/go/pkg/mod \
-    go install \
-      github.com/gogo/protobuf/protoc-gen-gogo \
-      github.com/gogo/protobuf/protoc-gen-gogofaster \
-      github.com/gogo/protobuf/protoc-gen-gogoslick \
-      github.com/golang/protobuf/protoc-gen-go
+  go install \
+    github.com/planetscale/vtprotobuf/cmd/protoc-gen-go-vtproto \
+    google.golang.org/protobuf/cmd/protoc-gen-go \
+    google.golang.org/grpc/cmd/protoc-gen-go-grpc
+COPY --link --from=protoc /opt/protoc /usr/local
+COPY --link --from=googleapis /opt/googleapis /usr/local
+COPY --link --from=vtprotobuf /opt/vtprotobuf /usr/local
+COPY --link --from=vendored /opt/vendored /usr/local

 FROM tools AS generated
-RUN --mount=type=bind,target=.,rw <<EOT
+RUN --mount=type=bind,target=github.com/docker/buildx,ro <<EOT
  set -ex
-  go generate -mod=vendor -v ./...
  mkdir /out
-  git ls-files -m --others -- ':!vendor' '**/*.pb.go' | tar -cf - --files-from - | tar -C /out -xf -
+  find github.com/docker/buildx -name '*.proto' -o -name vendor -prune -false | xargs \
+    protoc --go_out=/out --go-grpc_out=require_unimplemented_servers=false:/out \
+           --go-vtproto_out=features=marshal+unmarshal+size+equal+pool+clone:/out
 EOT

 FROM scratch AS update
-COPY --from=generated /out /
+COPY --from=generated /out/github.com/docker/buildx /

-FROM base AS validate
+FROM gobuild-base AS validate
 RUN --mount=type=bind,target=.,rw \
-    --mount=type=bind,from=generated,source=/out,target=/generated-files <<EOT
+    --mount=type=bind,from=update,target=/generated-files <<EOT
  set -e
  git add -A
  if [ "$(ls -A /generated-files)" ]; then
--- a/hack/dockerfiles/govulncheck.Dockerfile
+++ b/hack/dockerfiles/govulncheck.Dockerfile
@@ -0,0 +1,30 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="1.22"
+ARG GOVULNCHECK_VERSION="v1.1.3"
+ARG FORMAT="text"
+
+FROM golang:${GO_VERSION}-alpine AS base
+WORKDIR /go/src/github.com/docker/buildx
+RUN apk add --no-cache jq moreutils
+ARG GOVULNCHECK_VERSION
+RUN --mount=type=cache,target=/root/.cache \
+    --mount=type=cache,target=/go/pkg/mod \
+    go install golang.org/x/vuln/cmd/govulncheck@$GOVULNCHECK_VERSION
+
+FROM base AS run
+ARG FORMAT
+RUN --mount=type=bind,target=. <<EOT
+  set -ex
+  mkdir /out
+  govulncheck -format ${FORMAT} ./... | tee /out/govulncheck.out
+  if [ "${FORMAT}" = "sarif" ]; then
+    # Make sure "results" field is defined in SARIF output otherwise GitHub Code Scanning
+    # will fail when uploading report with "Invalid SARIF. Missing 'results' array in run."
+    # Relates to https://github.com/golang/vuln/blob/ffdef74cc44d7eb71931d8d414c478b966812488/internal/sarif/sarif.go#L69
+    jq '(.runs[] | select(.results == null) | .results) |= []' /out/govulncheck.out | tee >(sponge /out/govulncheck.out)
+  fi
+EOT
+
+FROM scratch AS output
+COPY --from=run /out /
--- a/hack/dockerfiles/lint.Dockerfile
+++ b/hack/dockerfiles/lint.Dockerfile
@@ -13,18 +13,24 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS golang-base
 RUN apk add --no-cache git gcc musl-dev

-FROM golang-base AS lint
+FROM golang-base AS lint-base
 ENV GOFLAGS="-buildvcs=false"
 ARG GOLANGCI_LINT_VERSION
 RUN wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v${GOLANGCI_LINT_VERSION}
 COPY --link --from=xx / /
 WORKDIR /go/src/github.com/docker/buildx
 ARG TARGETPLATFORM
+
+FROM lint-base AS lint
 RUN --mount=target=/go/src/github.com/docker/buildx \
    --mount=target=/root/.cache,type=cache,id=lint-cache-$TARGETPLATFORM \
    xx-go --wrap && \
    golangci-lint run

+FROM lint-base AS validate-golangci
+RUN --mount=target=/go/src/github.com/docker/buildx \
+  golangci-lint config verify
+
 FROM golang-base AS gopls
 RUN apk add --no-cache git
 ARG GOPLS_VERSION
--- a/monitor/commands/exec.go
+++ b/monitor/commands/exec.go
@@ -13,11 +13,11 @@ import (
 type ExecCmd struct {
 	m types.Monitor

-	invokeConfig controllerapi.InvokeConfig
+	invokeConfig *controllerapi.InvokeConfig
 	stdout       io.WriteCloser
 }

-func NewExecCmd(m types.Monitor, invokeConfig controllerapi.InvokeConfig, stdout io.WriteCloser) types.Command {
+func NewExecCmd(m types.Monitor, invokeConfig *controllerapi.InvokeConfig, stdout io.WriteCloser) types.Command {
 	return &ExecCmd{m, invokeConfig, stdout}
 }

@@ -41,7 +41,7 @@ func (cm *ExecCmd) Exec(ctx context.Context, args []string) error {
 	if len(args) < 2 {
 		return errors.Errorf("command must be passed")
 	}
-	cfg := controllerapi.InvokeConfig{
+	cfg := &controllerapi.InvokeConfig{
 		Entrypoint: []string{args[1]},
 		Cmd:        args[2:],
 		NoCmd:      false,
--- a/monitor/commands/reload.go
+++ b/monitor/commands/reload.go
@@ -20,10 +20,10 @@ type ReloadCmd struct {
 	progress *progress.Printer

 	options      *controllerapi.BuildOptions
-	invokeConfig controllerapi.InvokeConfig
+	invokeConfig *controllerapi.InvokeConfig
 }

-func NewReloadCmd(m types.Monitor, stdout io.WriteCloser, progress *progress.Printer, options *controllerapi.BuildOptions, invokeConfig controllerapi.InvokeConfig) types.Command {
+func NewReloadCmd(m types.Monitor, stdout io.WriteCloser, progress *progress.Printer, options *controllerapi.BuildOptions, invokeConfig *controllerapi.InvokeConfig) types.Command {
 	return &ReloadCmd{m, stdout, progress, options, invokeConfig}
 }

@@ -61,7 +61,7 @@ func (cm *ReloadCmd) Exec(ctx context.Context, args []string) error {
 	}
 	var resultUpdated bool
 	cm.progress.Unpause()
-	ref, _, err := cm.m.Build(ctx, *bo, nil, cm.progress) // TODO: support stdin, hold build ref
+	ref, _, _, err := cm.m.Build(ctx, bo, nil, cm.progress) // TODO: support stdin, hold build ref
 	cm.progress.Pause()
 	if err != nil {
 		var be *controllererrors.BuildError
--- a/monitor/commands/rollback.go
+++ b/monitor/commands/rollback.go
@@ -13,11 +13,11 @@ import (
 type RollbackCmd struct {
 	m types.Monitor

-	invokeConfig controllerapi.InvokeConfig
+	invokeConfig *controllerapi.InvokeConfig
 	stdout       io.WriteCloser
 }

-func NewRollbackCmd(m types.Monitor, invokeConfig controllerapi.InvokeConfig, stdout io.WriteCloser) types.Command {
+func NewRollbackCmd(m types.Monitor, invokeConfig *controllerapi.InvokeConfig, stdout io.WriteCloser) types.Command {
 	return &RollbackCmd{m, invokeConfig, stdout}
 }

--- a/Show More
+++ b/Show More