@Inject
    public AbstractUpgradeGoal(StrategyOrchestrator orchestrator) {
        this.orchestrator = orchestrator;
    }

    /**
     * Executes the upgrade goal.
     * Template method that calls doUpgrade and optionally saves modifications.
     */
    @Override
    public int execute(UpgradeContext context) throws Exception {
        UpgradeOptions options = context.options();

        public int testExecuteWithTargetModel(UpgradeContext context, String targetModel) {
            try {
                Map<Path, Document> pomMap = Map.of(); // Empty for this test
                return doUpgrade(context, targetModel, pomMap);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }

        // Helper method from AbstractUpgradeStrategy

import jcifs.internal.smb2.nego.PreauthIntegrityNegotiateContext;

/**
 * Enhanced Pre-Authentication Integrity Service for SMB 3.1.1.
 *
 * Provides comprehensive pre-authentication integrity protection against
 * downgrade attacks by maintaining cryptographic hash chains of all
 * negotiation and session setup messages.
 */
public class PreauthIntegrityService {

            assertEquals("package", packageExecution.child("phase").orElse(null).textContent());
        }
    }

    @Nested
    @DisplayName("Downgrade Handling")
    class DowngradeHandlingTests {

        @Test
        @DisplayName("should fail with error when attempting downgrade from 4.1.0 to 4.0.0")
        void shouldFailWhenAttemptingDowngrade() throws Exception {
            String pomXml = """

  fun wrongConnectionHeader() {
    webServer.enqueue(
      MockResponse
        .Builder()
        .code(101)
        .setHeader("Upgrade", "websocket")
        .setHeader("Connection", "Downgrade")
        .setHeader("Sec-WebSocket-Accept", "ujmZX4KXZqjwy6vi1aQFH5p4Ygk=")
        .build(),
    )
    webServer.enqueue(
      MockResponse
        .Builder()
        .onRequestStart(CloseSocket())

        sslSocket.enabledProtocols.intersect(tlsVersionsAsString, naturalOrder())
      } else {
        sslSocket.enabledProtocols
      }

    // In accordance with https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 the SCSV
    // cipher is added to signal that a protocol fallback has taken place.
    val supportedCipherSuites = sslSocket.supportedCipherSuites
    val indexOfFallbackScsv =
      supportedCipherSuites.indexOf(

- [ ] Implement lease key generation and management
- [ ] Add lease context to Create request/response
- [ ] Implement lease break notification handling
- [ ] Modify SmbFile to support lease-based caching
- [ ] Add lease upgrade/downgrade logic
- [ ] Implement lease epoch tracking for v2 leases

#### 1.3 Integration Points
- Modify `Smb2CreateRequest` to include lease contexts
- Update `SmbFile` caching logic to use leases

        }

        @ParameterizedTest(name = "from {0} to {1}")
        @MethodSource("provideInvalidPathUpgradeVersions")
        @DisplayName("should reject downgrade")
        void shouldRejectDowngrade(String from, String to) {
            assertFalse(ModelVersionUtils.canUpgrade(from, to));
        }

        private static Stream<Arguments> provideInvalidPathUpgradeVersions() {

    /**
     * Enforce secure negotiation
     *
     * Property {@code jcifs.smb.client.requireSecureNegotiate} (boolean, default true)
     *
     * This does not provide any actual downgrade protection if SMB1 is allowed.
     *
     * It will also break connections with SMB2 servers that do not properly sign error responses.
     *
     * @return whether to enforce the use of secure negotiation.
     */

    private ReferrerPolicyValues() {}

    public static final String NO_REFERRER = "no-referrer";
    public static final String NO_REFFERER_WHEN_DOWNGRADE = "no-referrer-when-downgrade";
    public static final String SAME_ORIGIN = "same-origin";
    public static final String ORIGIN = "origin";
    public static final String STRICT_ORIGIN = "strict-origin";