Commit Graph

511 Commits

Author SHA1 Message Date
Volodymyr Stoiko
a306678c7f helm: project kubeshark-hub SA token onto worker for internalauth (gated-auth)
The worker seeds its name-resolution map and capture targets via plain
HTTP GETs to the hub (/resolver/history, /pods/targeted, /pods/all). With
auth enabled these routes sit behind Auth() and return 401, leaving the
worker with an empty resolver map (all traffic shows unresolved).

Project a short-lived SA token (audience kubeshark-hub) onto the sniffer
container and expose its path via HUB_INTERNAL_TOKEN_PATH so the worker
presents it as a Bearer to the hub's internalauth gate. Gated on
tap.auth.enabled; auth-disabled clusters are unchanged.
2026-06-16 14:30:36 +00:00
Volodymyr Stoiko
a8422e3a4b Merge permissions-refactoring (#1942) into gated-auth
Brings the canonical AUTH_GROUP_MAPPING / AUTH_ROLES / defaultRole
permissions model. Conflicts resolved by taking #1942's config-map and
values.yaml auth block and re-layering the gated-auth phase 2a additions
(AUTH_CLI_SERVICE_ACCOUNTS, tap.auth.cli) on top. Drops the duplicate
AUTH_GROUP_MAPPING render in favor of #1942's.
2026-06-16 11:09:38 +00:00
Volodymyr Stoiko
c7fe7f4ce5 helm: render AUTH_GROUP_MAPPING in the hub config-map
The local chart never rendered AUTH_GROUP_MAPPING, so tap.auth.groupMapping
was silently dropped — SSO groups and the kubeshark-cli SA fell back to
AUTH_DEFAULT_ROLE instead of their mapped roles.
2026-06-15 22:56:31 +00:00
Volodymyr Stoiko
dba8867fb5 helm: kubeshark-cli ServiceAccount + token-minter RBAC + allowlist (phase 2a)
When tap.auth.cli.enabled, create the kubeshark-cli ServiceAccount and a
Role granting 'create' on serviceaccounts/token for it (bound to
configurable tap.auth.cli.subjects), and set AUTH_CLI_SERVICE_ACCOUNTS so
the Hub allowlists it. Binding the Role to a subject is what grants that
subject CLI access to a gated Hub.
2026-06-15 21:57:28 +00:00
Volodymyr Stoiko
879b4b1e7b Merge branch 'master' into permissions-refactoring
One conflict in helm-chart/values.yaml::tap.auth — master still
carries the legacy AUTH_ROLES schema (per-role AuthorizedActions
struct with canDownloadPCAP / scriptingPermissions / etc).
permissions-refactoring replaced it with the post-#782 shape
(rolesClaim/defaultRole/groupMapping/roles).

Kept the permissions-refactoring shape — locked decision per
plans/permissions-decisions.md (Q1, Q2). Helm template still
renders AUTH_ROLES + AUTH_GROUP_MAPPING + AUTH_ROLES_CLAIM
correctly.
2026-06-01 10:14:13 +00:00
Alon Girmonsky
f97866f747 🔖 Release v53.3.0 (#1937)
* 🔖 Bump the Helm chart version to 53.3.0

* 🙈 Add .claude/ to .gitignore

* 🔥 Remove .claude/ and RELEASE_NOTES_v53.2.5.md

*  Revert changes to release-tag.yml

---------

Co-authored-by: Alon Girmonsky <alongir@Alons-MacBook-Air.local>
Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
2026-05-19 02:00:17 -07:00
Volodymyr Stoiko
e948637f79 Revert "auth: emit CHART_VERSION into hub ConfigMap (Phase V)"
This reverts c21e4c42. Companion to hub revert 61a275b6 — the hub no
longer reads CHART_VERSION, so emitting it serves no purpose.
2026-05-19 06:23:16 +00:00
Volodymyr Stoiko
c21e4c4276 auth: emit CHART_VERSION into hub ConfigMap (Phase V)
Hub commit 51abc954 reads this key on first SyncConfig and warns when
its embedded version.Ver disagrees with the chart at the major
component. Provided alongside as the chart-side companion to keep
both sides on one PR per repo on the permissions-refactoring branch.
2026-05-18 22:11:34 +00:00
Volodymyr Stoiko
9445806002 auth: add tap.auth.roles operator-defined role catalogue
Chart-side companion to hub commit 67162b2e (Phase C of the permissions
refactor). Operators can now declare named roles with their own
capability set + namespace scope under tap.auth.roles; the
12-config-map renders these as AUTH_ROLES JSON for the hub to consume.

  - config/configStructs: AuthConfig.Roles map[string]RoleConfig with
    Capabilities + Namespaces; doc comments updated for groupMapping +
    defaultRole to reflect that user-defined names are now accepted.
  - config/configStruct.go: zero-value initializer for Roles so
    `kubeshark config` renders `roles: {}` consistently.
  - helm-chart/templates/12-config-map.yaml: AUTH_ROLES emits the
    full roles map as JSON; hub-side syncAuthRoles validates names
    (kubeshark-* prefix reserved) and capabilities (unknown caps
    warn-dropped).
  - helm-chart/values.yaml: regenerated. Diff is the single `roles: {}`
    line under tap.auth.

Spot-checked the rendered ConfigMap:

  AUTH_ROLES: '{"payments-viewer":{"capabilities":["snapshot:read",
                                                   "dissection:live"],
                                    "namespaces":"payments"}}'

which is exactly the shape the hub parser expects.
2026-05-18 21:35:13 +00:00
Volodymyr Stoiko
90a6fb3d40 auth: set helm default role to kubeshark-viewer
Per round-2 permissions clarifications: SSO users whose claim doesn't
match any built-in role and isn't in AUTH_GROUP_MAPPING should fall
back to a read-only baseline instead of strict-deny ("").

defaultRole="" causes the dashboard to 403-storm gated endpoints from
unmatched users; viewer (snapshot:read only) gives them a sensible
read-only UX while still preventing any state change.
2026-05-17 21:34:50 +00:00
Volodymyr Stoiko
fd5bf8c1b5 auth: drop AUTH_ROLES; add AUTH_GROUP_MAPPING + built-in defaultRole
Companion to kubeshark/hub#permissions-refactoring. Aligns the CLI
config struct, chart values, and rendered ConfigMap with the
post-refactor hub.

config/configStructs/tapConfig.go:
  - Drop AuthConfig.Roles (admin-authored map[string]Role) and the
    Role + ScriptingPermissions structs they referenced.
  - Drop AuthConfig.DefaultFilter (no namespace scoping in v1).
  - Add AuthConfig.GroupMapping (map[string]string) — SSO group name
    → built-in role translation.
  - Tighten DefaultRole godoc to reference the four built-in role
    constants (kubeshark-admin / kubeshark-realtime /
    kubeshark-snapshot / kubeshark-viewer) and the strict-deny
    semantics on empty.

config/configStruct.go:
  - Drop the legacy "admin" entry from the AuthConfig default —
    operators now configure DefaultRole + GroupMapping instead.
  - Default RolesClaim is now "groups" (Okta/OIDC convention; was
    "role"), matching the hub's runtime default.

helm-chart/templates/12-config-map.yaml:
  - Drop AUTH_ROLES emission (key no longer read by hub).
  - Add AUTH_GROUP_MAPPING emission from tap.auth.groupMapping (JSON
    map; hub validates each value against the built-in role names at
    sync time).

helm-chart/values.yaml: regenerated from the Go config — drops the
tap.auth.roles block, adds tap.auth.groupMapping with the new
documentation header for DefaultRole.

Breaking change: deployments carrying tap.auth.roles in their values
will silently lose those role definitions. Migration is to remove the
roles: block and either (a) name their SSO groups to match the four
built-in role constants, or (b) populate tap.auth.groupMapping with
explicit translations.
2026-05-14 21:04:48 +00:00
Volodymyr Stoiko
7b5954ea00 helm: grant hub tokenreviews and label worker pods for internal auth (#1926)
* helm: grant hub tokenreviews and pass trusted controllers

Adds RBAC for hub to call the authentication.k8s.io/v1 TokenReview
endpoint, used by the new internalauth middleware to validate projected
ServiceAccountTokens presented by in-cluster gRPC callers.

Adds tap.internalAuth.trustedControllers value (empty by default),
threaded through to hub's -trusted-controllers flag as a CSV. Listing
a controller here lets pods owned by it authenticate to hub via the
projected SA token (audience kubeshark-hub). Hub-spawned Jobs are
always trusted regardless of this list. Hub matches OwnerReferences
by name AND UID, so a name-only forgery does not grant trust.

Sub-issue of kubeshark/hub#656.

* helm: inline trusted controllers in hub deployment template

The chart already knows its own controller names (worker DaemonSet
metadata.name is the literal "kubeshark-worker-daemon-set" in
09-worker-daemon-set.yaml). Pasting the same literal into a user-facing
tap.internalAuth.trustedControllers value adds a step without buying
anything — if the worker DS rename, the deployment template would have
to change in lockstep regardless.

Drop the values knob, render the flag unconditionally with the literal
worker DS name (matching the convention used elsewhere in this chart,
e.g. the hub deployment's {{ include "kubeshark.name" . }}-hub).

* helm: drop redundant comment on tokenreviews RBAC

* helm: drop -trusted-controllers flag (no caller today)

The flag was wiring forward-prep for a hypothetical worker->hub gRPC
caller from the DaemonSet. Hub-spawned Jobs (dissection-job) are
admitted via internalauth.RegisterSpawnedJob, not via this flag.
Re-add when an actual DaemonSet-deployed caller materializes.

* helm: label worker DS pods for hub internal auth

Worker pods don't call hub gRPC today, but pre-labeling the DS pod
template means a future worker->hub gRPC caller is one PR (worker-side)
away from working — no chart change required. Matches the generic
label-driven trust model in hub#783.

* helm: rename trust label to kubeshark.io/internal-auth

Matches the hub rename. Generic name so the same label can mark pods
trusted by future kubeshark services beyond hub.
2026-05-13 10:53:20 -07:00
Volodymyr Stoiko
8186b7891b Authz refactoring (helm chart + CLI) (#1921)
* Migrate auth.saml.roles to unified auth.roles

Follows the hub-side introduction of the backend-neutral AUTH_ROLES /
AUTH_ROLES_CLAIM / AUTH_DEFAULT_ROLE config (hub commit 51177bcb).
CLI and Helm chart now surface the unified location:

  tap.auth.roles         — map of role -> permissions (shared SAML/OIDC)
  tap.auth.rolesClaim    — token/assertion claim name carrying roles
  tap.auth.defaultRole   — fallback role for authenticated users with
                           no matching role in their token

Helm ConfigMap template emits AUTH_ROLES / AUTH_ROLES_CLAIM /
AUTH_DEFAULT_ROLE and no longer emits AUTH_SAML_ROLES or
AUTH_SAML_ROLE_ATTRIBUTE. Hub's back-compat fallback still reads those
keys from any existing ConfigMap that hasn't been helm-upgraded.

Legacy struct fields (SamlConfig.Roles, SamlConfig.RoleAttribute) stay
in place so existing values.yaml files with auth.saml.roles still parse
without errors, but the CLI and the chart ignore them. Follow-up release
can remove the struct fields once telemetry confirms migration.

Breaking for users with customized auth.saml.roles in their values.yaml
— the customization is masked by the new default auth.roles.admin and
must be migrated to auth.roles for the custom permissions to take
effect. Documented in the chart README and release notes.

Part of authz-refactoring (Step 2 of hub-oidc-rbac.md, CLI side).

* Remove legacy

* Align CLI + Helm chart with hub AUTH_TYPE rename

Follows hub commit 11564fef. The canonical AUTH_TYPE is now `oidc` for
generic OIDC; `dex` is a permanent alias; `descope` is a new explicit
label. This change surfaces the new vocabulary in the CLI config struct
and the Helm chart, and renames the nested `auth.dexOidc` values.yaml
field to `auth.oidc` for consistency.

Helm chart:
- 12-config-map.yaml: AUTH_OIDC_* keys now read `.Values.tap.auth.oidc.*`
  instead of `auth.dexOidc.*`. The cloud-license override that forced
  AUTH_TYPE=default unless the admin picked `dex` now accepts `oidc` too.
- 13-secret.yaml: OIDC_CLIENT_ID / OIDC_CLIENT_SECRET read from
  `auth.oidc.*` (was `auth.dexOidc.*`).
- 06-front-deployment.yaml: REACT_APP_AUTH_ENABLED / REACT_APP_AUTH_TYPE
  conditionals accept both `oidc` and `dex` where they previously only
  matched `dex`.
- values.yaml: comment on `tap.auth.type` lists valid values and flags
  the breaking change.
- README.md: `tap.auth.type` row lists valid values. All `dexOidc`
  references renamed to `oidc`. Sample values.yaml blocks now show
  `type: oidc` as the canonical form.

CLI:
- config/configStructs/tapConfig.go: AuthConfig.Type documented with the
  full list of valid values and the migration hint.

Breaking changes (repeated in release notes):
1. `tap.auth.type: oidc` now routes to the generic OIDC middleware
   (previously Descope). Switch to `tap.auth.type: descope` or `default`
   if you were using `oidc` for Descope.
2. `tap.auth.dexOidc.*` values are no longer read. Rename to
   `tap.auth.oidc.*`. No fallback.
3. `tap.auth.type: dex` continues to work — permanent alias of `oidc`.

Part of authz-refactoring (Step 4 of hub-oidc-rbac.md, CLI/Helm side).

* default kfl

* Authz Refactoring: Step 8: namespaces-list role filter

Align with hub PR kubeshark/hub#756. Per-role auth.roles[].filter (KFL)
is replaced by auth.roles[].namespaces (comma-separated list with "*",
literal, and glob semantics). Standalone tap.auth.defaultFilter knob
removed.

helm-chart/values.yaml
- admin role example uses namespaces: "*" instead of filter: "".
- Comment block explains the new namespaces semantics.
- defaultFilter: "" entry + accompanying comment block deleted.

helm-chart/templates/12-config-map.yaml
- AUTH_DEFAULT_FILTER ConfigMap entry removed (hub no longer reads it).

helm-chart/README.md
- tap.auth.defaultFilter row removed.
- tap.auth.roles default value example updated: filter: "" → namespaces: "*";
  description gains the per-role namespaces semantics legend.
2026-05-06 09:08:21 -07:00
Alon Girmonsky
ab81b0c3a7 🔖 Bump the Helm chart version to 53.2.5 (#1920)
Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
2026-05-01 13:36:38 -07:00
Alon Girmonsky
fef3e8fb05 Add PostgreSQL protocol configuration (#1919)
* Add MySQL protocol to default configuration

Closes #1915

* Add PostgreSQL protocol configuration

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-29 12:59:11 +03:00
Alon Girmonsky
7ae81ccc4b Add MySQL protocol to default configuration (#1916)
Closes #1915

Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
2026-04-28 15:49:44 +03:00
Serhii Ponomarenko
27111e48d3 🔨 Create dashboard entries-limit helm value (#1914)
* 🔨 Create dashboard entries-limit helm value

* 🔨 Set default value for entries-limit env
2026-04-23 18:20:22 +03:00
Alon Girmonsky
863be8f47a 🔖 Bump the Helm chart version to 53.2.3 (#1912) 2026-04-20 16:39:25 +03:00
Serhii Ponomarenko
9e4059bc4d 🔨 Set nginx proxy-buffer directives (#1909) 2026-04-18 08:07:47 +03:00
Alon Girmonsky
f79885bd35 🔖 Release v53.2.2 (#1908)
* 🔖 Bump the Helm chart version to 53.2.2

* temp

* temp2

* revert back makefile
2026-04-14 01:21:58 -07:00
Volodymyr Stoiko
31129e570a Provide external volume for dissection job (#1905)
* Pass dissection storage configuration

* add dissection storage test

* Allow pvc management

* Use snapshot storage config as default for dissection storage config

---------

Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-04-10 09:51:44 -07:00
theechofive
3a1ad64b4c fix: add subPathExpr to worker DaemonSet for shared persistent storage (#1901)
Co-authored-by: Volodymyr Stoiko <me@volodymyrstoiko.com>
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-04-10 09:23:31 -07:00
Alon Girmonsky
fa03da2fd4 Enable MongoDB protocol dissector (#1903)
Add mongodb to the enabled dissectors list and port mapping (27017)
in both Go config defaults and Helm chart values.

Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 08:05:13 -07:00
Alon Girmonsky
b80723edfb 🔖 Bump the Helm chart version to 53.2.0 (#1889)
Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
2026-03-31 11:30:42 -07:00
Serhii Ponomarenko
c63740ec45 🐛 Fix dissection-control front env logic (#1878) 2026-03-20 08:20:53 -07:00
Serhii Ponomarenko
963b3e4ac2 🐛 Add default value for demoModeEnabled (#1872) 2026-03-17 13:22:42 -07:00
Volodymyr Stoiko
b2813e02bd Add detailed docs for kubeshark irsa setup (#1871)
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-03-16 20:29:49 -07:00
Serhii Ponomarenko
707d7351b6 🛂 Demo Portal: Readonly mode / no authn (#1869)
* 🔨 Add snapshots-updating-enabled `front` env

* 🔨 Add snapshots-updating-enabled config

* 🔨 Add demo-enabled `front` env

* 🔨 Add demo-enabled config

* 🔨 Replace `liveConfigMapChangesDisabled` with `demoModeEnabled` flag

* 🐛 Fix dissection-control-enabled env logic

* 🦺 Handle nullish `demoModeEnabled` value
2026-03-16 20:01:18 -07:00
Serhii Ponomarenko
23c86be773 🛂 Control L4 map visibility (helm value) (#1866)
* 🔨 Add `tap.dashboard.clusterWideMapEnabled` helm value

* 🔨 Add cluster-wide-map-enabled `front` env

* 🔨 Add fallback value for `front` env
2026-03-11 15:36:20 -07:00
Volodymyr Stoiko
33f5310e8e Add gcs cloudstorage configuration docs (#1862)
* add gcs docs

* add explicit gcs keys

* gcs helm tests

* add iam permissions docs for gcs

* Update gcs docs with exact setup steps for workload identity
2026-03-09 07:48:17 -07:00
Alon Girmonsky
5f2f34e826 Sync helm-chart README with current values.yaml (#1856)
Update configuration table to match actual defaults in values.yaml:

- tap.storageLimit: 5Gi → 10Gi
- tap.capture.dbMaxSize: "" → 500Mi
- tap.resources.sniffer/tracer.limits.memory: 3Gi → 5Gi
- tap.probes.hub/sniffer initialDelaySeconds: 15 → 5
- tap.probes.hub/sniffer periodSeconds: 10 → 5
- tap.dnsConfig.* → tap.dns.* (match yaml tag)
- tap.sentry.enabled: true → false

Add missing entries:
- tap.capture.captureSelf
- tap.delayedDissection.cpu/memory
- tap.packetCapture
- tap.misc.trafficSampleRate
- tap.misc.tcpStreamChannelTimeoutMs

Remove stale KernelMapping text.
2026-03-06 11:52:10 -08:00
Volodymyr Stoiko
f9a5fbbb78 Fix snapshots local storage size (#1859)
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-03-06 08:33:59 -08:00
Volodymyr Stoiko
73f8e3585d Cloud storage explicit config (#1858)
* Add explicit configs

* Add helm unit tests

* fixpipeline

* latest

---------

Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-03-06 08:27:08 -08:00
Alon Girmonsky
e6a67cc3b7 🔖 Release v53.1.0 (#1854)
* 🔖 Bump the Helm chart version to 53.1.0

* Fix reviewer username typo: corst -> corest

* Fold release-helm into release-pr for a 2-step workflow

* Update .github/workflows/release-tag.yml

Co-authored-by: Volodymyr Stoiko <me@volodymyrstoiko.com>

---------

Co-authored-by: Volodymyr Stoiko <me@volodymyrstoiko.com>
2026-03-05 08:25:59 -08:00
Volodymyr Stoiko
d266408377 Add snapshots cloud storage (#1852)
* add testing values for helm chart

* Add readme updates for cloud storage

* fixes

* cloud-storage-docs

---------

Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-03-04 08:50:45 -08:00
Volodymyr Stoiko
95c18b57a4 Use dissection image tag from worker (#1850) 2026-02-25 11:41:50 -08:00
Volodymyr Stoiko
686c7eba54 Adjust nginx config to work with large download/upload snapshots (#1848)
* adjust-nginx

* cleanup

* improve

* streaming
2026-02-18 10:48:57 -08:00
Ilya Gavrilov
1ad61798f6 Set tcp and udp flows timeouts. Default is 20 minutes (#1847)
* Set tcp and udp flows timeouts. Default is 10 minutes

* fix make test
2026-02-17 16:50:13 -08:00
Volodymyr Stoiko
fecf290a25 Rename generic capture to l7 dissection specific config (#1841)
* Rename generic capture to l7 dissection specific config

* upd

* upd flags

* Create `REACT_APP_DISSECTION_ENABLED` env to set initial dissection state

---------

Co-authored-by: Serhii Ponomarenko <116438358+tiptophelmet@users.noreply.github.com>
Co-authored-by: tiptophelmet <serhii.ponomarenko.jobs@gmail.com>
2026-02-11 11:27:37 -08:00
Serhii Ponomarenko
633a17a0e0 🔧 Add REACT_APP_SCRIPTING_HIDDEN front env (#1845)
* 🔧 Add `scripting.enabled` helm value

* 🔧 Add `REACT_APP_SCRIPTING_HIDDEN` front env

* 🔧 Change `REACT_APP_SCRIPTING_HIDDEN` front env
2026-02-09 13:39:33 -08:00
Ilya Gavrilov
76c5eb6b59 Rename flow and full_flow to conn and flow (#1838)
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-02-09 13:01:24 -08:00
Serhii Ponomarenko
6ae379cbff 🔧 Hide agentic functionality prototype flags (#1840) 2026-02-06 20:33:15 -08:00
Dan Mudge
3f6c62a7e3 move the name of the data colume outside of the tap.tls if statement (#1830)
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-02-06 11:46:54 -08:00
Serhii Ponomarenko
d012ea89b6 🔨 Enable L4 flow-full dissectors (#1831)
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-02-05 12:14:51 -08:00
Volodymyr Stoiko
0f1c9c52ea Add captureSelf flag to enable/disable kubeshark traffic capture (#1829)
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-02-04 08:49:01 -08:00
Volodymyr Stoiko
f3a0d35485 Make cloud-api-url configurable (#1827) 2026-02-03 10:11:43 -08:00
Alon Girmonsky
1669680d10 🔖 Bump the Helm chart version to 52.12.0 2026-01-25 17:54:24 -08:00
Alon Girmonsky
19389fcba7 Bring back community license. (#1822) 2026-01-23 14:49:38 -08:00
Volodymyr Stoiko
1b027153e3 Increase dissector image limit (#1823)
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-01-21 19:52:45 -08:00
Volodymyr Stoiko
77d16e73e8 Migrate kubehq.com to kubeshark.com domain (#1824)
* Update labels

* Update kubeshark API url

* Update other domains

* comments

---------

Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
2026-01-21 19:23:50 -08:00