message Ack {
  string error = 1;
}

/*
Protocol details:
on new connection from ztunnel to CNI, the CNI agent
- will send all the existing payloads (that it has in its cache) to the ztunnel using AddWorkload message.
- the ztunnel will send an ack for each payload (which the CNI will wait for before sending the next one).
- when the CNI finishes sending the content of its current cache, a SnapshotSent message will be sent.

// Record <key, value> as a payload in *s. The previous payload having the
// same key (if any) is overwritten. Payload will not be added if the Status
// is OK.
TF_CAPI_EXPORT void TF_SetPayload(TF_Status* s, const char* key,
                                  const char* value);

// Iterates over the stored payloads and calls the `visitor(key, value)`

						opts.Check = check.And(
							check.OK(),
							check.ReachedTargetClusters(t),
							check.RequestHeaders(map[string]string{
								headers.Authorization: "Bearer " + jwt.TokenIssuer1,
								"X-Test-Payload":      payload1,
							}))
					},
				},
			}

			for _, c := range cases {
				t.NewSubTest(c.name).Run(func(t framework.TestContext) {
					echotest.New(t, apps.All.Instances()).

    clearPrevious: Boolean,
    settings: Settings,
  ) {
    fail("")
  }

  override fun ackSettings() {
    fail("")
  }

  override fun ping(
    ack: Boolean,
    payload1: Int,
    payload2: Int,
  ) {
    fail("")
  }

  override fun goAway(
    lastGoodStreamId: Int,
    errorCode: ErrorCode,
    debugData: ByteString,
  ) {
    fail("")
  }

    }
  }

  /**
   * Send a connection-level ping to the peer. `ack` indicates this is a reply. The data in
   * `payload1` and `payload2` opaque binary, and there are no rules on the content.
   */
  @Throws(IOException::class)
  fun ping(
    ack: Boolean,
    payload1: Int,
    payload2: Int,
  ) {
    this.withLock {
      if (closed) throw IOException("closed")
      frameHeader(
        streamId = 0,

  internal const val OPCODE_CONTROL_CLOSE = 0x8
  internal const val OPCODE_CONTROL_PING = 0x9
  internal const val OPCODE_CONTROL_PONG = 0xa

  /**
   * Maximum length of frame payload. Larger payloads, if supported by the frame type, can use the
   * special values [PAYLOAD_SHORT] or [PAYLOAD_LONG].
   */
  internal const val PAYLOAD_BYTE_MAX = 125L

  /** Maximum length of close message in bytes. */

    val b1 = source.readByte() and 0xff

    val isMasked = b1 and B1_FLAG_MASK != 0
    if (isMasked == isClient) {
      // Masked payloads must be read on the server. Unmasked payloads must be read on the client.
      throw ProtocolException(
        if (isClient) {
          "Server-sent frames must not be masked."
        } else {

						opts.Check = check.And(
							check.OK(),
							check.ReachedTargetClusters(t),
							check.RequestHeaders(map[string]string{
								headers.Authorization: "Bearer " + jwt.TokenIssuer1,
								"X-Test-Payload":      payload1,
							}))
					},
				},
				{
					name:       "remote-jwks-with-service-entry",
					policyFile: "./testdata/requestauthn-with-se-timeout.yaml.tmpl",
					timeout:    "10ms",
					delay:      "30ms",

//  <length of pkg 0>
//  <length of pkg 1>
//  ...
//  --string table------
//  <uleb128 len> 8
//  <data> "somestring"
//  ...
//  --package payloads------
//  <meta-symbol for pkg 0>
//  <meta-symbol for pkg 1>
//  ...
//
// Each package payload is a stand-alone blob emitted by the compiler,
// and does not depend on anything else in the meta-data file. In
// particular, each blob has it's own string table. Note that the

//
// Note: go-jose currently does not allow access to unverified JWS payloads.
// See https://github.com/square/go-jose/issues/169
func (j *jwtTokenAuthenticator) hasCorrectIssuer(tokenData string) bool {
	if strings.HasPrefix(strings.TrimSpace(tokenData), "{") {
		return false
	}
	parts := strings.Split(tokenData, ".")
	if len(parts) != 3 {
		return false
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])