From 638fbdb22a2e2d5e6f7ae9e7e54c313b50165dc9 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 15:28:10 -0700
Subject: [PATCH 01/25] logs: docker-logs fallback + clean 503 + Tailscale
 banner fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- PublicBindBanner: treat 100.64.0.0/10 (Tailscale CGNAT) as private so
  the destructive "public-looking address" warning no longer fires when
  reaching ControlRoom over Tailscale.
- internal/logs: add Available() (cached exec.LookPath); /api/logs/journal
  and /ws/logs/journal now return 503 with a clear operator message when
  journalctl is missing instead of bubbling up an exec error as 500.
- main: warn at boot when journalctl is not in PATH, matching the existing
  systemd-unavailable warning.
- web/Logs: source toggle (Journal / Containers). Containers mode reuses
  /api/containers + the existing /ws/containers/:id/logs WebSocket — no
  new backend route — with picker, client-side substring filter, pause,
  and 1k-line cap. Journal-mode errors now surface the real backend
  message instead of "Could not fetch logs."
- deploy/docker-compose: add group_add: ["${DOCKER_GID:-999}"] so the
  nonroot uid 65532 can read /var/run/docker.sock; refresh the header
  comment to match the new logs behavior.
---
 cmd/controlroom/main.go                 |   4 +
 deploy/docker-compose.yml               |  14 +-
 internal/api/logs/logs.go               |  12 +
 internal/logs/journal.go                |  14 ++
 web/src/components/PublicBindBanner.tsx |   5 +
 web/src/routes/Logs.tsx                 | 300 +++++++++++++++++++++---
 6 files changed, 316 insertions(+), 33 deletions(-)

diff --git a/cmd/controlroom/main.go b/cmd/controlroom/main.go
index 070f885..013e244 100644
--- a/cmd/controlroom/main.go
+++ b/cmd/controlroom/main.go
@@ -33,6 +33,7 @@ import (
 	"github.com/tm4rtin17/controlroom/internal/config"
 	"github.com/tm4rtin17/controlroom/internal/docker"
 	"github.com/tm4rtin17/controlroom/internal/jobs"
+	"github.com/tm4rtin17/controlroom/internal/logs"
 	"github.com/tm4rtin17/controlroom/internal/store"
 	"github.com/tm4rtin17/controlroom/internal/systemd"
 )
@@ -90,6 +91,9 @@ func run() error {
 	if sysdErr != nil {
 		logger.Warn().Err(sysdErr).Msg("systemd unavailable; /api/services disabled")
 	}
+	if !logs.Available() {
+		logger.Warn().Msg("journalctl not in PATH; /api/logs/journal will return 503")
+	}
 	if sysd != nil {
 		defer func() { _ = sysd.Close() }()
 	}
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 02eaaa4..422c797 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -1,10 +1,13 @@
 # ControlRoom — minimal compose file.
 #
 # Notes for container deployment:
-#   - systemd dbus and journalctl are not available inside the container,
-#     so /api/services and /api/logs return 503. Use the bare-metal install
-#     (deploy/install.sh) if you need those.
-#   - Mount the Docker socket read-only to manage other containers.
+#   - systemd dbus and journalctl are not available inside the container, so
+#     /api/services and /api/logs/journal return 503. The Logs page falls
+#     back to streaming docker container logs; install bare metal
+#     (deploy/install.sh) if you also need journal logs.
+#   - The Docker socket is mounted read-only. The container runs as nonroot
+#     (uid 65532), so we add the host's docker group via group_add — set
+#     DOCKER_GID to your host's docker group GID (`getent group docker`).
 #   - For Let's Encrypt: set CR_TLS_MODE=acme + CR_ACME_HOST + CR_ACME_EMAIL,
 #     and expose port 80 below for the HTTP-01 challenge.
 
@@ -13,6 +16,9 @@ services:
     image: ghcr.io/tm4rtin17/controlroom:latest
     container_name: controlroom
     restart: unless-stopped
+    # Grant access to /var/run/docker.sock for the nonroot user.
+    group_add:
+      - "${DOCKER_GID:-999}"
     ports:
       - "8443:8443"
       # Uncomment when CR_TLS_MODE=acme to serve HTTP-01 challenges:
diff --git a/internal/api/logs/logs.go b/internal/api/logs/logs.go
index 116ccf3..9789127 100644
--- a/internal/api/logs/logs.go
+++ b/internal/api/logs/logs.go
@@ -62,6 +62,9 @@ type queryResp struct {
 }
 
 func (d Deps) queryHandler(c *fiber.Ctx) error {
+	if !logs.Available() {
+		return fiber.NewError(http.StatusServiceUnavailable, journalUnavailableMsg)
+	}
 	entries, err := logs.Query(c.Context(), filterFromQuery(c))
 	if err != nil {
 		return fiber.NewError(http.StatusInternalServerError, "journal query: "+err.Error())
@@ -69,6 +72,10 @@ func (d Deps) queryHandler(c *fiber.Ctx) error {
 	return c.JSON(queryResp{Entries: entries})
 }
 
+// journalUnavailableMsg is shown to the operator when journalctl can't be
+// invoked (e.g. distroless container). The SPA surfaces it verbatim.
+const journalUnavailableMsg = "journal logs unavailable on this host (journalctl not found) — switch to Containers or run ControlRoom on bare metal"
+
 // ---- live tail ----
 
 // queryFrom is a tiny shim because we can't reuse fiber.Ctx here; we read
@@ -90,6 +97,11 @@ func queryFromConn(c *websocket.Conn) logs.Filter {
 func (d Deps) tailWS(c *websocket.Conn) {
 	defer func() { _ = c.Close() }()
 
+	if !logs.Available() {
+		_ = c.WriteJSON(fiber.Map{"type": "error", "err": journalUnavailableMsg})
+		return
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
diff --git a/internal/logs/journal.go b/internal/logs/journal.go
index 0dc8101..d3a3130 100644
--- a/internal/logs/journal.go
+++ b/internal/logs/journal.go
@@ -15,6 +15,7 @@ import (
 	"os/exec"
 	"regexp"
 	"strconv"
+	"sync"
 	"syscall"
 	"time"
 )
@@ -40,6 +41,19 @@ type Filter struct {
 	N        int // last-N entries (0 → no limit on tail mode; 200 default for static)
 }
 
+// Available reports whether `journalctl` is present in PATH. The result is
+// cached for the lifetime of the process; we don't expect journalctl to come
+// or go after boot.
+//
+// In container deployments (distroless image) this is false, and the API
+// surface should return 503 rather than 500 with a confusing exec error.
+func Available() bool { return availableOnce() }
+
+var availableOnce = sync.OnceValue(func() bool {
+	_, err := exec.LookPath("journalctl")
+	return err == nil
+})
+
 // validUnit blocks shell injection through the unit name without locking us
 // down to one filename pattern.
 var validUnit = regexp.MustCompile(`^[a-zA-Z0-9@_.\-:\\]+\.(service|socket|target|timer|path|mount|slice|scope)$`)
diff --git a/web/src/components/PublicBindBanner.tsx b/web/src/components/PublicBindBanner.tsx
index c783ff4..58c430e 100644
--- a/web/src/components/PublicBindBanner.tsx
+++ b/web/src/components/PublicBindBanner.tsx
@@ -41,6 +41,11 @@ function isPubliclyAccessed(host: string): boolean {
     const second = parseInt(host.split('.')[1] ?? '', 10)
     if (second >= 16 && second <= 31) return false
   }
+  // Tailscale / RFC 6598 CGNAT — 100.64.0.0/10.
+  if (host.startsWith('100.')) {
+    const second = parseInt(host.split('.')[1] ?? '', 10)
+    if (second >= 64 && second <= 127) return false
+  }
 
   // IPv6 unique-local (fc00::/7) and link-local (fe80::/10).
   const lower = host.toLowerCase()
diff --git a/web/src/routes/Logs.tsx b/web/src/routes/Logs.tsx
index 6c0c142..2549159 100644
--- a/web/src/routes/Logs.tsx
+++ b/web/src/routes/Logs.tsx
@@ -1,6 +1,8 @@
 import { useEffect, useMemo, useRef, useState } from 'react'
 import { ChevronDown, ChevronRight, Pause, Play, RefreshCw, Search } from 'lucide-react'
 
+import { ApiError } from '@/lib/api'
+import { type ContainerSummary, type LogFrame, useContainers } from '@/lib/containers'
 import { type LogEntry, type LogQuery, tailURL, useLogs } from '@/lib/logs'
 import { Alert, AlertDescription } from '@/components/ui/alert'
 import { Button } from '@/components/ui/button'
@@ -27,47 +29,70 @@ const PRIORITIES = [
   { label: 'Debug', value: 7 },
 ]
 
+type Source = 'journal' | 'containers'
+
 export function Logs() {
+  const [source, setSource] = useState<Source>('journal')
+
+  return (
+    <div className="flex flex-col gap-4">
+      <div className="flex items-baseline justify-between">
+        <h1 className="text-xl font-semibold tracking-tight">Logs</h1>
+        <div className="inline-flex items-center rounded-md border bg-background p-0.5 text-xs">
+          <SourceTab active={source === 'journal'} onClick={() => setSource('journal')}>
+            Journal
+          </SourceTab>
+          <SourceTab active={source === 'containers'} onClick={() => setSource('containers')}>
+            Containers
+          </SourceTab>
+        </div>
+      </div>
+      {source === 'journal' ? <JournalView onSwitchToContainers={() => setSource('containers')} /> : <ContainersView />}
+    </div>
+  )
+}
+
+function SourceTab({
+  active,
+  onClick,
+  children,
+}: {
+  active: boolean
+  onClick: () => void
+  children: React.ReactNode
+}) {
+  return (
+    <button
+      onClick={onClick}
+      className={cn(
+        'rounded-sm px-3 py-1',
+        active ? 'bg-primary/10 text-foreground ring-1 ring-primary/30' : 'text-muted-foreground hover:text-foreground'
+      )}
+    >
+      {children}
+    </button>
+  )
+}
+
+// ---- Journal ----
+
+function JournalView({ onSwitchToContainers }: { onSwitchToContainers: () => void }) {
   const [unit, setUnit] = useState('')
   const [search, setSearch] = useState('')
   const [since, setSince] = useState('-15min')
   const [priority, setPriority] = useState<number>(-1)
   const [live, setLive] = useState(false)
 
-  // Static query when not live; live tail keeps its own state.
   const query: LogQuery = useMemo(
     () => ({ unit: unit || undefined, q: search || undefined, since, priority, n: 200 }),
     [unit, search, since, priority]
   )
   const stat = useLogs(query, !live)
 
-  return (
-    <div className="flex flex-col gap-4">
-      <div className="flex items-baseline justify-between">
-        <h1 className="text-xl font-semibold tracking-tight">Logs</h1>
-        <div className="flex gap-2">
-          {!live && (
-            <Button size="sm" variant="outline" onClick={() => stat.refetch()}>
-              <RefreshCw className="h-3.5 w-3.5" aria-hidden />
-              Refresh
-            </Button>
-          )}
-          <Button size="sm" onClick={() => setLive((v) => !v)}>
-            {live ? (
-              <>
-                <Pause className="h-3.5 w-3.5" aria-hidden />
-                Stop tail
-              </>
-            ) : (
-              <>
-                <Play className="h-3.5 w-3.5" aria-hidden />
-                Live tail
-              </>
-            )}
-          </Button>
-        </div>
-      </div>
+  const unavailable = stat.error instanceof ApiError && stat.error.status === 503
 
+  return (
+    <>
       <Card>
         <CardContent className="grid grid-cols-1 gap-3 p-4 sm:grid-cols-4">
           <div className="flex flex-col gap-1 sm:col-span-2">
@@ -124,23 +149,53 @@ export function Logs() {
                 </button>
               ))}
             </div>
+            <div className="ml-auto flex gap-2">
+              {!live && (
+                <Button size="sm" variant="outline" onClick={() => stat.refetch()}>
+                  <RefreshCw className="h-3.5 w-3.5" aria-hidden />
+                  Refresh
+                </Button>
+              )}
+              <Button size="sm" onClick={() => setLive((v) => !v)} disabled={unavailable}>
+                {live ? (
+                  <>
+                    <Pause className="h-3.5 w-3.5" aria-hidden />
+                    Stop tail
+                  </>
+                ) : (
+                  <>
+                    <Play className="h-3.5 w-3.5" aria-hidden />
+                    Live tail
+                  </>
+                )}
+              </Button>
+            </div>
           </div>
         </CardContent>
       </Card>
 
       {live ? (
         <LiveStream query={query} />
+      ) : unavailable ? (
+        <Card>
+          <CardContent className="flex flex-col items-start gap-3 p-6 text-sm">
+            <p className="text-muted-foreground">{stat.error?.message}</p>
+            <Button size="sm" variant="outline" onClick={onSwitchToContainers}>
+              View container logs instead
+            </Button>
+          </CardContent>
+        </Card>
       ) : (
         <>
           {stat.error && (
             <Alert variant="destructive">
-              <AlertDescription>Could not fetch logs.</AlertDescription>
+              <AlertDescription>{stat.error.message || 'Could not fetch logs.'}</AlertDescription>
             </Alert>
           )}
           <EntriesList entries={stat.data?.entries ?? []} loading={stat.isLoading} />
         </>
       )}
-    </div>
+    </>
   )
 }
 
@@ -293,3 +348,190 @@ function formatTimestamp(s: string): string {
   if (idx < 0) return s
   return s.slice(idx + 1, idx + 9)
 }
+
+// ---- Containers ----
+
+interface DockerLine {
+  stream: 'stdout' | 'stderr' | 'stdin'
+  line: string
+}
+
+function ContainersView() {
+  const list = useContainers()
+  const [selectedId, setSelectedId] = useState<string>('')
+  const [search, setSearch] = useState('')
+  const [paused, setPaused] = useState(false)
+
+  const containers = list.data?.containers ?? []
+  // Auto-pick the first running container the first time the list loads.
+  useEffect(() => {
+    if (selectedId || containers.length === 0) return
+    const running = containers.find((c) => c.state === 'running') ?? containers[0]
+    if (running) setSelectedId(running.id)
+  }, [containers, selectedId])
+
+  const unavailable = list.error instanceof ApiError && list.error.status === 503
+  const errMsg = list.error?.message
+
+  if (unavailable) {
+    return (
+      <Card>
+        <CardContent className="p-6 text-sm text-muted-foreground">
+          {errMsg ?? 'Docker is not available on this host.'}
+        </CardContent>
+      </Card>
+    )
+  }
+
+  return (
+    <>
+      <Card>
+        <CardContent className="grid grid-cols-1 gap-3 p-4 sm:grid-cols-4">
+          <div className="flex flex-col gap-1 sm:col-span-2">
+            <Label htmlFor="container" className="text-xs">Container</Label>
+            <select
+              id="container"
+              className="h-10 rounded-md border bg-background px-2 font-mono text-xs"
+              value={selectedId}
+              onChange={(e) => setSelectedId(e.target.value)}
+            >
+              <option value="">— select a container —</option>
+              {containers.map((c) => (
+                <option key={c.id} value={c.id}>
+                  {labelFor(c)}
+                </option>
+              ))}
+            </select>
+          </div>
+          <div className="flex flex-col gap-1 sm:col-span-2">
+            <Label htmlFor="docker-search" className="text-xs">Search</Label>
+            <div className="flex items-center gap-2 rounded-md border bg-background px-2">
+              <Search className="h-4 w-4 text-muted-foreground" aria-hidden />
+              <Input
+                id="docker-search"
+                value={search}
+                onChange={(e) => setSearch(e.target.value)}
+                placeholder="Filter visible lines (substring)"
+                className="border-0 bg-transparent shadow-none focus-visible:ring-0"
+              />
+            </div>
+          </div>
+        </CardContent>
+      </Card>
+
+      {!selectedId ? (
+        <Card>
+          <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">
+            {list.isLoading ? 'Loading containers…' : 'Pick a container to start tailing.'}
+          </CardContent>
+        </Card>
+      ) : (
+        <DockerLogStream id={selectedId} search={search} paused={paused} setPaused={setPaused} />
+      )}
+    </>
+  )
+}
+
+function labelFor(c: ContainerSummary): string {
+  const tag = c.state === 'running' ? '●' : '○'
+  return `${tag} ${c.name} (${c.image})`
+}
+
+function DockerLogStream({
+  id,
+  search,
+  paused,
+  setPaused,
+}: {
+  id: string
+  search: string
+  paused: boolean
+  setPaused: (v: boolean) => void
+}) {
+  const [lines, setLines] = useState<DockerLine[]>([])
+  const [error, setError] = useState<string | null>(null)
+  const containerRef = useRef<HTMLDivElement | null>(null)
+
+  useEffect(() => {
+    setLines([])
+    setError(null)
+    const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:'
+    const ws = new WebSocket(`${proto}//${window.location.host}/ws/containers/${id}/logs`)
+    ws.onmessage = (evt) => {
+      try {
+        const f = JSON.parse(evt.data) as LogFrame
+        if (f.type === 'error') {
+          setError(f.err ?? 'log stream error')
+          return
+        }
+        if (f.type === 'line' && f.line !== undefined) {
+          setLines((prev) => {
+            const next = [...prev, { stream: (f.stream ?? 'stdout') as DockerLine['stream'], line: f.line! }]
+            return next.length > MAX_LIVE_ENTRIES ? next.slice(-MAX_LIVE_ENTRIES) : next
+          })
+        }
+      } catch {
+        // ignore
+      }
+    }
+    ws.onerror = () => setError('connection error')
+    return () => ws.close()
+  }, [id])
+
+  const filtered = useMemo(() => {
+    if (!search) return lines
+    const needle = search.toLowerCase()
+    return lines.filter((l) => l.line.toLowerCase().includes(needle))
+  }, [lines, search])
+
+  useEffect(() => {
+    if (paused) return
+    const el = containerRef.current
+    if (el) el.scrollTop = el.scrollHeight
+  }, [filtered, paused])
+
+  return (
+    <Card>
+      <CardContent className="flex flex-col gap-2 p-4">
+        <div className="flex items-center justify-between">
+          <span className="text-xs text-muted-foreground">
+            {filtered.length}
+            {search ? ` / ${lines.length}` : ''} line{filtered.length === 1 ? '' : 's'}
+            {paused && ' · paused'}
+          </span>
+          <div className="flex gap-2">
+            <Button variant="ghost" size="sm" onClick={() => setPaused(!paused)}>
+              {paused ? <Play className="h-4 w-4" aria-hidden /> : <Pause className="h-4 w-4" aria-hidden />}
+              {paused ? 'Resume' : 'Pause'}
+            </Button>
+            <Button variant="ghost" size="sm" onClick={() => setLines([])}>
+              Clear
+            </Button>
+          </div>
+        </div>
+        {error && (
+          <Alert variant="destructive">
+            <AlertDescription>{error}</AlertDescription>
+          </Alert>
+        )}
+        <div
+          ref={containerRef}
+          className="h-[28rem] overflow-auto rounded-md border bg-background p-3 font-mono text-[11px] leading-relaxed"
+        >
+          {filtered.length === 0 ? (
+            <p className="text-muted-foreground">{lines.length === 0 ? 'Waiting for output…' : 'No lines match the filter.'}</p>
+          ) : (
+            filtered.map((l, i) => (
+              <div
+                key={i}
+                className={cn('whitespace-pre-wrap break-all', l.stream === 'stderr' && 'text-amber-500')}
+              >
+                {l.line}
+              </div>
+            ))
+          )}
+        </div>
+      </CardContent>
+    </Card>
+  )
+}

From 8627e0897d39d23aa734dceece88d3f95d81ab73 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 15:37:10 -0700
Subject: [PATCH 02/25] gitignore: ignore .claude/ and stray *.crt files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- .claude/ — local Claude Code config and project agent definitions
  (.claude/agents/*.md). These contain working-tree-specific tooling
  and should not be published.
- *.crt — round out the existing *.pem / *.key entries so a stray
  TLS certificate dropped in the tree can't be committed.
---
 .gitignore | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitignore b/.gitignore
index dab5b87..ce585c2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,7 @@ web/dist/*
 # Stray credential material
 *.pem
 *.key
+*.crt
+
+# Local Claude Code config / agent definitions — do not publish
+.claude/

From 395b640e96006cb7209b84cba69b933ef0a6d6af Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 15:51:25 -0700
Subject: [PATCH 03/25] nav: hide Services / Containers tabs when backend lacks
 the capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds GET /api/system/capabilities — `{systemd, docker, journal}` booleans
derived from the existing nil-client / logs.Available() patterns — and
threads useCapabilities() into AppLayout to filter the sidebar.

In the container deployment this hides the Services tab (no dbus socket
mounted, no privilege to drive host systemd) instead of letting the
operator click into a dead-end 503. The Containers tab gets the same
treatment so a host without /var/run/docker.sock isn't shown a broken
tab either.

The Logs tab stays visible regardless: it has its own Journal/Containers
source toggle and degrades gracefully on its own.
---
 internal/api/router.go           |  7 ++++++-
 internal/api/system/system.go    | 26 ++++++++++++++++++++++++++
 web/src/components/AppLayout.tsx | 30 +++++++++++++++++++++++++-----
 web/src/lib/system.ts            | 14 ++++++++++++++
 4 files changed, 71 insertions(+), 6 deletions(-)

diff --git a/internal/api/router.go b/internal/api/router.go
index 626e3fb..53d564d 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -98,7 +98,12 @@ func NewRouter(d Deps) *fiber.App {
 	)
 	authapi.MountAuthenticated(guarded, authDeps)
 
-	systemDeps := systemapi.Deps{Aggregator: d.Aggregator, Logger: d.Logger}
+	systemDeps := systemapi.Deps{
+		Aggregator: d.Aggregator,
+		Logger:     d.Logger,
+		SystemD:    d.SystemD,
+		Docker:     d.Docker,
+	}
 	systemapi.MountHTTP(guarded, systemDeps)
 
 	servicesDeps := servicesapi.Deps{Client: d.SystemD, DB: d.DB, Logger: d.Logger}
diff --git a/internal/api/system/system.go b/internal/api/system/system.go
index 8bd8a56..4e105c8 100644
--- a/internal/api/system/system.go
+++ b/internal/api/system/system.go
@@ -14,11 +14,19 @@ import (
 	"github.com/rs/zerolog"
 
 	"github.com/tm4rtin17/controlroom/internal/collectors"
+	"github.com/tm4rtin17/controlroom/internal/docker"
+	"github.com/tm4rtin17/controlroom/internal/logs"
+	"github.com/tm4rtin17/controlroom/internal/systemd"
 )
 
 type Deps struct {
 	Aggregator *collectors.Aggregator
 	Logger     zerolog.Logger
+	// SystemD and Docker are nil-or-set; mirror the same wiring used by the
+	// services / containers handlers so /api/system/capabilities can report
+	// which features the SPA should expose.
+	SystemD systemd.Client
+	Docker  docker.Client
 }
 
 // MountHTTP registers the REST endpoint. Caller is responsible for applying
@@ -26,6 +34,24 @@ type Deps struct {
 func MountHTTP(authed fiber.Router, d Deps) {
 	g := authed.Group("/system")
 	g.Get("/overview", d.overviewHandler)
+	g.Get("/capabilities", d.capabilitiesHandler)
+}
+
+// capabilitiesResp tells the SPA which feature areas have a working backend
+// on this host. The frontend uses it to hide nav entries that would otherwise
+// dead-end with a 503 (e.g. the Services tab in container deployments).
+type capabilitiesResp struct {
+	Systemd bool `json:"systemd"`
+	Docker  bool `json:"docker"`
+	Journal bool `json:"journal"`
+}
+
+func (d Deps) capabilitiesHandler(c *fiber.Ctx) error {
+	return c.JSON(capabilitiesResp{
+		Systemd: d.SystemD != nil,
+		Docker:  d.Docker != nil,
+		Journal: logs.Available(),
+	})
 }
 
 // MountWS registers the WebSocket route. Caller applies auth (cookie-based)
diff --git a/web/src/components/AppLayout.tsx b/web/src/components/AppLayout.tsx
index 928f25f..cc114a2 100644
--- a/web/src/components/AppLayout.tsx
+++ b/web/src/components/AppLayout.tsx
@@ -20,15 +20,25 @@ import { Button } from '@/components/ui/button'
 import { ThemeToggle } from '@/components/ThemeToggle'
 import { PublicBindBanner } from '@/components/PublicBindBanner'
 import { useLogout, useMe } from '@/lib/auth'
-import { useSystemOverview } from '@/lib/system'
+import { type SystemCapabilities, useCapabilities, useSystemOverview } from '@/lib/system'
 import { cn } from '@/lib/utils'
 import { useNavigate } from 'react-router-dom'
 
-const NAV: { to: string; label: string; Icon: typeof Activity; ready?: boolean }[] = [
+// `requires` names a backend capability that must be true (per
+// /api/system/capabilities) for the entry to render. Unset = always show.
+type NavEntry = {
+  to: string
+  label: string
+  Icon: typeof Activity
+  ready?: boolean
+  requires?: keyof SystemCapabilities
+}
+
+const NAV: NavEntry[] = [
   { to: '/', label: 'Dashboard', Icon: Activity, ready: true },
   { to: '/updates', label: 'Updates', Icon: Download, ready: true },
-  { to: '/services', label: 'Services', Icon: Cog, ready: true },
-  { to: '/containers', label: 'Containers', Icon: Container, ready: true },
+  { to: '/services', label: 'Services', Icon: Cog, ready: true, requires: 'systemd' },
+  { to: '/containers', label: 'Containers', Icon: Container, ready: true, requires: 'docker' },
   { to: '/terminal', label: 'Terminal', Icon: TerminalIcon, ready: true },
   { to: '/network', label: 'Network', Icon: Wifi, ready: true },
   { to: '/logs', label: 'Logs', Icon: ScrollText, ready: true },
@@ -50,6 +60,16 @@ export function AppLayout({ children }: { children: React.ReactNode }) {
 }
 
 function Sidebar({ open, onClose }: { open: boolean; onClose: () => void }) {
+  const caps = useCapabilities()
+  // While capabilities are loading we show every entry; if the request fails
+  // we also fall back to showing them (better to surface a 503 once than to
+  // hide tabs that should be available).
+  const visible = NAV.filter((entry) => {
+    if (!entry.requires) return true
+    if (!caps.data) return true
+    return caps.data[entry.requires]
+  })
+
   return (
     <>
       {/* Mobile drawer overlay */}
@@ -78,7 +98,7 @@ function Sidebar({ open, onClose }: { open: boolean; onClose: () => void }) {
           </button>
         </div>
         <nav className="flex-1 space-y-0.5 px-2">
-          {NAV.map(({ to, label, Icon, ready }) => (
+          {visible.map(({ to, label, Icon, ready }) => (
             <NavLink
               key={to}
               to={to}
diff --git a/web/src/lib/system.ts b/web/src/lib/system.ts
index b5c2bfb..63a7ef2 100644
--- a/web/src/lib/system.ts
+++ b/web/src/lib/system.ts
@@ -73,6 +73,20 @@ export interface SystemOverview {
 
 export const SYSTEM_OVERVIEW_KEY = ['system', 'overview'] as const
 
+export interface SystemCapabilities {
+  systemd: boolean
+  docker: boolean
+  journal: boolean
+}
+
+export function useCapabilities() {
+  return useQuery<SystemCapabilities>({
+    queryKey: ['system', 'capabilities'],
+    queryFn: () => apiFetch<SystemCapabilities>('/api/system/capabilities'),
+    staleTime: Infinity,
+  })
+}
+
 export function useSystemOverview() {
   // REST polling at 5s acts as a fallback when the WS isn't connected. Once
   // the WS push pipeline starts updating cache, polling stays in step but is

From 74dd53892909e01633b016c6d0d225e03e31cab4 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 15:57:00 -0700
Subject: [PATCH 04/25] docker: initialize slice/map fields so JSON encodes []
 / {} not null

The frontend types Container.ports and Container.labels as non-null
arrays/objects (web/src/lib/containers.ts) and dereferences them
directly (e.g. ContainerCard.tsx accesses container.ports.length).
Go's encoding/json marshals nil slices and nil maps as null, so a
container with no published ports or no labels would crash the SPA
with a blank-screen runtime error.

Initialize Ports, Labels, Mounts, Networks, Command, and Env to
non-nil empty values in List() and Inspect() before the struct is
returned. The compose label lookups now read from the local
nil-guarded copy instead of the daemon's possibly-nil map.
---
 internal/docker/client.go | 42 +++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 11 deletions(-)

diff --git a/internal/docker/client.go b/internal/docker/client.go
index 05f1b20..281fd93 100644
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -53,6 +53,10 @@ func (c *DockerClient) List(ctx context.Context, opts ListOptions) ([]Container,
 	}
 	out := make([]Container, 0, len(summaries))
 	for _, s := range summaries {
+		labels := s.Labels
+		if labels == nil {
+			labels = map[string]string{}
+		}
 		c := Container{
 			ID:        shortID(s.ID),
 			Name:      primaryName(s.Names),
@@ -60,10 +64,11 @@ func (c *DockerClient) List(ctx context.Context, opts ListOptions) ([]Container,
 			State:     s.State,
 			Status:    s.Status,
 			CreatedAt: time.Unix(s.Created, 0),
-			Labels:    s.Labels,
+			Labels:    labels,
+			Ports:     []Port{},
 		}
-		c.ComposeProject = s.Labels["com.docker.compose.project"]
-		c.ComposeService = s.Labels["com.docker.compose.service"]
+		c.ComposeProject = labels["com.docker.compose.project"]
+		c.ComposeService = labels["com.docker.compose.service"]
 		for _, p := range s.Ports {
 			c.Ports = append(c.Ports, Port{
 				IP:          p.IP,
@@ -86,6 +91,21 @@ func (c *DockerClient) Inspect(ctx context.Context, id string) (*ContainerDetail
 	startedAt, _ := time.Parse(time.RFC3339Nano, j.State.StartedAt)
 	finishedAt, _ := time.Parse(time.RFC3339Nano, j.State.FinishedAt)
 
+	cfgLabels := j.Config.Labels
+	if cfgLabels == nil {
+		cfgLabels = map[string]string{}
+	}
+	cmd := j.Config.Entrypoint
+	if cmd == nil {
+		cmd = []string{}
+	}
+	if j.Config.Cmd != nil {
+		cmd = append(cmd, j.Config.Cmd...)
+	}
+	env := j.Config.Env
+	if env == nil {
+		env = []string{}
+	}
 	d := &ContainerDetail{
 		Container: Container{
 			ID:        shortID(j.ID),
@@ -94,19 +114,19 @@ func (c *DockerClient) Inspect(ctx context.Context, id string) (*ContainerDetail
 			State:     j.State.Status,
 			Status:    j.State.Status,
 			CreatedAt: createdAt,
-			Labels:    j.Config.Labels,
+			Labels:    cfgLabels,
+			Ports:     []Port{},
 		},
-		Command:    j.Config.Entrypoint,
-		Env:        j.Config.Env,
+		Command:    cmd,
+		Env:        env,
+		Mounts:     []Mount{},
+		Networks:   []NetworkAttach{},
 		StartedAt:  startedAt,
 		FinishedAt: finishedAt,
 		ExitCode:   j.State.ExitCode,
 	}
-	if j.Config.Cmd != nil {
-		d.Command = append(d.Command, j.Config.Cmd...)
-	}
-	d.ComposeProject = j.Config.Labels["com.docker.compose.project"]
-	d.ComposeService = j.Config.Labels["com.docker.compose.service"]
+	d.ComposeProject = cfgLabels["com.docker.compose.project"]
+	d.ComposeService = cfgLabels["com.docker.compose.service"]
 	if j.HostConfig != nil {
 		d.RestartPolicy = string(j.HostConfig.RestartPolicy.Name)
 	}

From 9e2d3fe6cdf8ab120fa9335c159414eff45edec9 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 16:30:03 -0700
Subject: [PATCH 05/25] k8s: Phase A read-only Kubernetes tab + in-cluster
 deployment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a Kubernetes tab to the SPA backed by client-go, plus K8s
manifests to deploy ControlRoom into the cluster it's meant to
manage. Read-only for now: Nodes, Namespaces, Workloads
(Deployment/StatefulSet/DaemonSet), Pods, Services. No write
actions, log streaming, or exec — those land in Phase B/C/D.

Backend:
- internal/k8s/ — client-go wrapper. New(ctx) tries in-cluster first,
  then $KUBECONFIG, ~/.kube/config, /etc/rancher/k3s/k3s.yaml. Returns
  ErrUnavailable on all failures, mirroring the docker pattern.
- internal/api/k8s/ — REST handlers under /api/k8s/{nodes,namespaces,
  workloads,pods,services}. Nil-client → 503.
- /api/system/capabilities adds `kubernetes: bool` so the SPA
  hides the tab when the cluster client isn't reachable.
- Best-effort wiring in main.go matching systemd/docker patterns.

Frontend:
- web/src/lib/k8s.ts — types + TanStack Query hooks (10s refetch).
- web/src/routes/Kubernetes.tsx — namespace picker, sub-tabs, search.
- web/src/components/k8s/ — list components per resource kind.
- formatRelativeTime() helper for the Age columns.

Deploy:
- deploy/k8s/{namespace,rbac,pvc,deployment,service,ingress}.yaml
  — minimal in-cluster install. ClusterRole has get/list/watch only
  on the resources we surface; widens in Phase C when actions land.
- Single-replica deployment by design — SQLite + ROX PVC.
- Pod runs as uid 65532, drop ALL caps, readOnlyRootFilesystem.

Verified:
- make image succeeds.
- Image loaded into both K3s nodes (multi-node cluster).
- Pod reaches Ready, /api/healthz returns 200.
- No "kubernetes unavailable" warning in logs — client-go connects
  via the projected SA token.
---
 cmd/controlroom/main.go                  |  10 +
 deploy/k8s/README.md                     |  60 ++++
 deploy/k8s/deployment.yaml               | 100 +++++++
 deploy/k8s/ingress.yaml                  |  34 +++
 deploy/k8s/namespace.yaml                |  12 +
 deploy/k8s/pvc.yaml                      |  12 +
 deploy/k8s/rbac.yaml                     |  45 +++
 deploy/k8s/service.yaml                  |  17 ++
 go.mod                                   |  99 ++++++-
 go.sum                                   | 316 +++++++++++++++++++++
 internal/api/k8s/k8s.go                  | 110 ++++++++
 internal/api/router.go                   |   5 +
 internal/api/system/system.go            |  22 +-
 internal/k8s/client.go                   |  90 ++++++
 internal/k8s/k8s.go                      | 338 +++++++++++++++++++++++
 web/src/components/AppLayout.tsx         |   2 +
 web/src/components/k8s/K8sStatusPill.tsx |  34 +++
 web/src/components/k8s/NodeList.tsx      |  93 +++++++
 web/src/components/k8s/PodList.tsx       |  90 ++++++
 web/src/components/k8s/ServiceList.tsx   |  92 ++++++
 web/src/components/k8s/WorkloadList.tsx  | 128 +++++++++
 web/src/lib/format.ts                    |  12 +
 web/src/lib/k8s.ts                       | 107 +++++++
 web/src/lib/system.ts                    |   1 +
 web/src/routes/AuthenticatedApp.tsx      |   2 +
 web/src/routes/Kubernetes.tsx            | 140 ++++++++++
 26 files changed, 1957 insertions(+), 14 deletions(-)
 create mode 100644 deploy/k8s/README.md
 create mode 100644 deploy/k8s/deployment.yaml
 create mode 100644 deploy/k8s/ingress.yaml
 create mode 100644 deploy/k8s/namespace.yaml
 create mode 100644 deploy/k8s/pvc.yaml
 create mode 100644 deploy/k8s/rbac.yaml
 create mode 100644 deploy/k8s/service.yaml
 create mode 100644 go.sum
 create mode 100644 internal/api/k8s/k8s.go
 create mode 100644 internal/k8s/client.go
 create mode 100644 internal/k8s/k8s.go
 create mode 100644 web/src/components/k8s/K8sStatusPill.tsx
 create mode 100644 web/src/components/k8s/NodeList.tsx
 create mode 100644 web/src/components/k8s/PodList.tsx
 create mode 100644 web/src/components/k8s/ServiceList.tsx
 create mode 100644 web/src/components/k8s/WorkloadList.tsx
 create mode 100644 web/src/lib/k8s.ts
 create mode 100644 web/src/routes/Kubernetes.tsx

diff --git a/cmd/controlroom/main.go b/cmd/controlroom/main.go
index 013e244..c380ff9 100644
--- a/cmd/controlroom/main.go
+++ b/cmd/controlroom/main.go
@@ -33,6 +33,7 @@ import (
 	"github.com/tm4rtin17/controlroom/internal/config"
 	"github.com/tm4rtin17/controlroom/internal/docker"
 	"github.com/tm4rtin17/controlroom/internal/jobs"
+	"github.com/tm4rtin17/controlroom/internal/k8s"
 	"github.com/tm4rtin17/controlroom/internal/logs"
 	"github.com/tm4rtin17/controlroom/internal/store"
 	"github.com/tm4rtin17/controlroom/internal/systemd"
@@ -113,6 +114,14 @@ func run() error {
 		defer func() { _ = dock.Close() }()
 	}
 
+	// Kubernetes is best-effort: in-cluster auth first, kubeconfig fallback.
+	// When ControlRoom is not deployed inside a cluster and no kubeconfig is
+	// reachable, /api/k8s returns 503 and the SPA hides the Kubernetes tab.
+	k8sClient, k8sErr := k8s.New(context.Background())
+	if k8sErr != nil {
+		logger.Warn().Err(k8sErr).Msg("kubernetes unavailable; /api/k8s disabled")
+	}
+
 	deps := api.Deps{
 		Cfg:         cfg,
 		Logger:      logger,
@@ -125,6 +134,7 @@ func run() error {
 		Aggregator:  collectors.NewAggregator(),
 		SystemD:     systemdOrNil(sysd),
 		Docker:      dockerOrNil(dock),
+		K8s:         k8sClient,
 		Jobs:        jobs.NewRunner(),
 	}
 
diff --git a/deploy/k8s/README.md b/deploy/k8s/README.md
new file mode 100644
index 0000000..f391057
--- /dev/null
+++ b/deploy/k8s/README.md
@@ -0,0 +1,60 @@
+# ControlRoom — in-cluster K8s deployment (Phase A)
+
+Runs the ControlRoom admin UI as a Pod inside the K3s cluster it manages,
+using in-cluster RBAC (read-only, Phase A) instead of a mounted kubeconfig.
+
+## Image availability
+
+**Option A — import local build into k3s containerd (default):**
+```
+docker save controlroom:dev | sudo k3s ctr images import -
+```
+The manifests default to `image: controlroom:dev` with `imagePullPolicy: IfNotPresent`.
+
+**Option B — pull from GHCR:**
+Edit `deployment.yaml` and set:
+```yaml
+image: ghcr.io/tm4rtin17/controlroom:v0.2
+imagePullPolicy: IfNotPresent
+```
+
+## Apply order
+
+```
+kubectl apply -f deploy/k8s/namespace.yaml \
+              -f deploy/k8s/rbac.yaml \
+              -f deploy/k8s/pvc.yaml \
+              -f deploy/k8s/deployment.yaml \
+              -f deploy/k8s/service.yaml \
+              -f deploy/k8s/ingress.yaml
+```
+
+Namespace and RBAC must exist before the Deployment so the SA binding resolves
+on first pod schedule.
+
+## Verify
+
+```
+kubectl -n controlroom get all
+kubectl -n controlroom logs deployment/controlroom -f
+kubectl -n controlroom describe pod -l app.kubernetes.io/name=controlroom
+```
+
+## RBAC scope
+
+Phase A grants `get/list/watch` on nodes, namespaces, pods, services,
+configmaps, events, deployments, statefulsets, daemonsets, and replicasets.
+No write verbs. No access to secrets or persistent volumes.
+Phase B/C will widen the ClusterRole to cover metrics-server, CRDs, and
+targeted write operations (scale, restart). Phase D adds Helm/Kustomize.
+
+## Notes
+
+- Replicas is hard-coded to 1. ControlRoom stores its JWT key, SQLite DB, and
+  TLS material on the PVC. Scaling to >1 requires an external DB (Phase C).
+- TLS is currently self-signed (CR_TLS_MODE=selfsigned). To switch to ACME,
+  set CR_TLS_MODE=acme + CR_ACME_HOST + CR_ACME_EMAIL in deployment.yaml and
+  add a cert-manager ClusterIssuer annotation in ingress.yaml.
+- The pod does not mount docker.sock or the host kubeconfig. All cluster access
+  flows through the projected ServiceAccount token at the standard in-cluster
+  path (/var/run/secrets/kubernetes.io/serviceaccount/).
diff --git a/deploy/k8s/deployment.yaml b/deploy/k8s/deployment.yaml
new file mode 100644
index 0000000..6cf7b86
--- /dev/null
+++ b/deploy/k8s/deployment.yaml
@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controlroom
+  namespace: controlroom
+  labels:
+    app.kubernetes.io/name: controlroom
+    app.kubernetes.io/component: server
+spec:
+  # Single replica by design: JWT signing key, SQLite DB, and TLS material
+  # all live on the PVC. Running >1 replica requires migrating to an external
+  # DB and shared-nothing session storage — defer to Phase C.
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: controlroom
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: controlroom
+        app.kubernetes.io/component: server
+    spec:
+      serviceAccountName: controlroom
+
+      # projected SA token is automatically mounted by Kubernetes;
+      # client-go inside the binary finds it at the standard in-cluster path.
+      # Do NOT mount host docker.sock or /etc/rancher/k3s/k3s.yaml here.
+
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532   # distroless "nonroot" uid
+        runAsGroup: 65532
+        fsGroup: 65532     # ensures PVC mount is writable by uid 65532
+        seccompProfile:
+          type: RuntimeDefault
+
+      containers:
+        - name: controlroom
+          # Default: local image imported via `docker save | k3s ctr images import`.
+          # For production, switch to: ghcr.io/tm4rtin17/controlroom:v0.2
+          image: controlroom:dev
+          imagePullPolicy: IfNotPresent
+
+          env:
+            # selfsigned: binary generates a self-signed cert and stores it in
+            # CR_DATA_DIR on first boot. Flip to CR_TLS_MODE=acme when this Pod
+            # is fronted by an Ingress with cert-manager — in that case set
+            # CR_ACME_HOST and CR_ACME_EMAIL and expose port 80 for HTTP-01.
+            - name: CR_TLS_MODE
+              value: selfsigned
+            - name: CR_DATA_DIR
+              value: /data
+            - name: CR_ADDR
+              value: :8443
+
+          ports:
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true  # binary writes nothing to /; all state goes to /data
+            capabilities:
+              drop: [ALL]
+
+          # Kubelet skips TLS verification on HTTPS probes by design, so self-signed
+          # certs work here without any additional configuration.
+          livenessProbe:
+            httpGet:
+              path: /api/healthz
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 10
+            periodSeconds: 30
+
+          readinessProbe:
+            httpGet:
+              path: /api/healthz
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 3
+            periodSeconds: 10
+
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              cpu: 500m    # generous ceiling; Pi4 cores can burst but we cap at 0.5
+              memory: 256Mi
+
+          volumeMounts:
+            - name: controlroom-data
+              mountPath: /data
+
+      volumes:
+        - name: controlroom-data
+          persistentVolumeClaim:
+            claimName: controlroom-data
diff --git a/deploy/k8s/ingress.yaml b/deploy/k8s/ingress.yaml
new file mode 100644
index 0000000..9634b06
--- /dev/null
+++ b/deploy/k8s/ingress.yaml
@@ -0,0 +1,34 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: controlroom
+  namespace: controlroom
+  annotations:
+    # Traefik: passthrough HTTPS to the backend (pod handles TLS itself).
+    # If you switch to cert-manager + Ingress-terminated TLS, remove this
+    # annotation and configure the tls block below with a real secretName.
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # TODO: add cert-manager annotation when cert is issued, e.g.:
+    # cert-manager.io/cluster-issuer: letsencrypt-prod
+    # (matches roninlab-ingress-specialist ClusterIssuer naming)
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: controlroom.roninlab.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: controlroom
+                port:
+                  number: 443
+  tls:
+    - hosts:
+        - controlroom.roninlab.dev
+      # TODO: replace with a cert-manager-issued Secret once the ClusterIssuer
+      # is wired up. Until then, Traefik serves its default self-signed cert
+      # for this host. Example:
+      #   secretName: controlroom-tls
diff --git a/deploy/k8s/namespace.yaml b/deploy/k8s/namespace.yaml
new file mode 100644
index 0000000..b7f2f92
--- /dev/null
+++ b/deploy/k8s/namespace.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: controlroom
+  labels:
+    # Enforce Pod Security Standards at "restricted" level.
+    # This requires the Deployment to use a non-root, non-privileged security
+    # context — which it does (runAsUser 65532, drop ALL caps, etc.).
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
diff --git a/deploy/k8s/pvc.yaml b/deploy/k8s/pvc.yaml
new file mode 100644
index 0000000..19ffd0e
--- /dev/null
+++ b/deploy/k8s/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: controlroom-data
+  namespace: controlroom
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path  # K3s default local-path-provisioner
+  resources:
+    requests:
+      storage: 1Gi
diff --git a/deploy/k8s/rbac.yaml b/deploy/k8s/rbac.yaml
new file mode 100644
index 0000000..e7eedb6
--- /dev/null
+++ b/deploy/k8s/rbac.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controlroom
+  namespace: controlroom
+
+---
+# Phase A: read-only access to core cluster resources.
+# Phase B/C will widen this to cover metrics, CRDs, and write actions.
+# Do NOT add secrets, persistentvolumes, or any write verb here.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: controlroom-reader
+rules:
+  - apiGroups: [""]
+    resources:
+      - nodes
+      - namespaces
+      - pods
+      - services
+      - configmaps
+      - events
+    verbs: [get, list, watch]
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+      - statefulsets
+      - daemonsets
+      - replicasets
+    verbs: [get, list, watch]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: controlroom-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: controlroom-reader
+subjects:
+  - kind: ServiceAccount
+    name: controlroom
+    namespace: controlroom
diff --git a/deploy/k8s/service.yaml b/deploy/k8s/service.yaml
new file mode 100644
index 0000000..39d2aec
--- /dev/null
+++ b/deploy/k8s/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: controlroom
+  namespace: controlroom
+  labels:
+    app.kubernetes.io/name: controlroom
+    app.kubernetes.io/component: server
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: controlroom
+  ports:
+    - name: https
+      port: 443        # Ingress → Service on 443
+      targetPort: 8443 # Pod listens on 8443
+      protocol: TCP
diff --git a/go.mod b/go.mod
index 378b4d1..f28f4f1 100644
--- a/go.mod
+++ b/go.mod
@@ -1,18 +1,107 @@
 module github.com/tm4rtin17/controlroom
 
-go 1.23
+go 1.25.0
 
 require (
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/creack/pty v1.1.23
-	github.com/docker/docker v27.3.1+incompatible
-	github.com/go-playground/validator/v10 v10.22.1
-	github.com/godbus/dbus/v5 v5.1.0
+	github.com/docker/docker v28.5.2+incompatible
 	github.com/gofiber/fiber/v2 v2.52.6
 	github.com/gofiber/websocket/v2 v2.2.1
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/pquerna/otp v1.4.0
 	github.com/rs/zerolog v1.33.0
-	golang.org/x/crypto v0.28.0
+	golang.org/x/crypto v0.49.0
+	k8s.io/api v0.31.0
+	k8s.io/apimachinery v0.31.0
+	k8s.io/client-go v0.31.0
 	modernc.org/sqlite v1.33.1
 )
+
+require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/andybalholm/brotli v1.1.0 // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/go-connections v0.7.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/fasthttp/websocket v1.5.3 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/morikuni/aec v1.1.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/valyala/bytebufferpool v1.0.0 // indirect
+	github.com/valyala/fasthttp v1.51.0 // indirect
+	github.com/valyala/tcplisten v1.0.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/term v0.41.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/time v0.15.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gotest.tools/v3 v3.5.2 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
+	modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
+	modernc.org/libc v1.55.3 // indirect
+	modernc.org/mathutil v1.6.0 // indirect
+	modernc.org/memory v1.8.0 // indirect
+	modernc.org/strutil v1.2.0 // indirect
+	modernc.org/token v1.1.0 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..baedcfb
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,316 @@
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
+github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
+github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
+github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c=
+github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/fasthttp/websocket v1.5.3 h1:TPpQuLwJYfd4LJPXvHDYPMFWbLjsT91n3GpWtCQtdek=
+github.com/fasthttp/websocket v1.5.3/go.mod h1:46gg/UBmTU1kUaTcwQXpUxtRwG2PvIZYeA8oL6vF3Fs=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
+github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gofiber/fiber/v2 v2.52.6 h1:Rfp+ILPiYSvvVuIPvxrBns+HJp8qGLDnLJawAu27XVI=
+github.com/gofiber/fiber/v2 v2.52.6/go.mod h1:YEcBbO/FB+5M1IZNBP9FO3J9281zgPAreiI1oqg8nDw=
+github.com/gofiber/websocket/v2 v2.2.1 h1:C9cjxvloojayOp9AovmpQrk8VqvVnT8Oao3+IUygH7w=
+github.com/gofiber/websocket/v2 v2.2.1/go.mod h1:Ao/+nyNnX5u/hIFPuHl28a+NIkrqK7PRimyKaj4JxVU=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM=
+github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
+github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/morikuni/aec v1.1.0 h1:vBBl0pUnvi/Je71dsRrhMBtreIqNMYErSAbEeb8jrXQ=
+github.com/morikuni/aec v1.1.0/go.mod h1:xDRgiq/iw5l+zkao76YTKzKttOp2cwPEne25HDkJnBw=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
+github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
+github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
+github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw=
+github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
+github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee h1:8Iv5m6xEo1NR1AvpV+7XmhI4r39LGNzwUL4YpMuL5vk=
+github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee/go.mod h1:qwtSXrKuJh/zsFQ12yEE89xfCrGKK63Rr7ctU/uCo4g=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasthttp v1.51.0 h1:8b30A5JlZ6C7AS81RsWjYMQmrZG6feChmgAolCl1SqA=
+github.com/valyala/fasthttp v1.51.0/go.mod h1:oI2XroL+lI7vdXyYoQk03bXBThfFl2cVdIA3Xl7cH8g=
+github.com/valyala/tcplisten v1.0.0 h1:rBHj/Xf+E1tRGZyWIWwJDiRY0zc1Js+CV5DqwacVSA8=
+github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 h1:CqXxU8VOmDefoh0+ztfGaymYbhdB/tT3zs79QaZTNGY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0/go.mod h1:BuhAPThV8PBHBvg8ZzZ/Ok3idOdhWIodywz2xEcRbJo=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 h1:3iZJKlCZufyRzPzlQhUIWVmfltrXuGyfjREgGP3UUjc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0/go.mod h1:/G+nUPfhq2e+qiXMGxMwumDrP5jtzU+mWN7/sjT2rak=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
+go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
+google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
+k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo=
+k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE=
+k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc=
+k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8=
+k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+modernc.org/cc/v4 v4.21.4 h1:3Be/Rdo1fpr8GrQ7IVw9OHtplU4gWbb+wNgeoBMmGLQ=
+modernc.org/cc/v4 v4.21.4/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ=
+modernc.org/ccgo/v4 v4.19.2 h1:lwQZgvboKD0jBwdaeVCTouxhxAyN6iawF3STraAal8Y=
+modernc.org/ccgo/v4 v4.19.2/go.mod h1:ysS3mxiMV38XGRTTcgo0DQTeTmAO4oCmJl1nX9VFI3s=
+modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
+modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
+modernc.org/gc/v2 v2.4.1 h1:9cNzOqPyMJBvrUipmynX0ZohMhcxPtMccYgGOJdOiBw=
+modernc.org/gc/v2 v2.4.1/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
+modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 h1:5D53IMaUuA5InSeMu9eJtlQXS2NxAhyWQvkKEgXZhHI=
+modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6/go.mod h1:Qz0X07sNOR1jWYCrJMEnbW/X55x206Q7Vt4mz6/wHp4=
+modernc.org/libc v1.55.3 h1:AzcW1mhlPNrRtjS5sS+eW2ISCgSOLLNyFzRh/V3Qj/U=
+modernc.org/libc v1.55.3/go.mod h1:qFXepLhz+JjFThQ4kzwzOjA/y/artDeg+pcYnY+Q83w=
+modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
+modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
+modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E=
+modernc.org/memory v1.8.0/go.mod h1:XPZ936zp5OMKGWPqbD3JShgd/ZoQ7899TUuQqxY+peU=
+modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
+modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
+modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
+modernc.org/sqlite v1.33.1 h1:trb6Z3YYoeM9eDL1O8do81kP+0ejv+YzgyFo+Gwy0nM=
+modernc.org/sqlite v1.33.1/go.mod h1:pXV2xHxhzXZsgT/RtTFAPY6JJDEvOTcTdwADQCCWD4k=
+modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
+modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/internal/api/k8s/k8s.go b/internal/api/k8s/k8s.go
new file mode 100644
index 0000000..e4d1df3
--- /dev/null
+++ b/internal/api/k8s/k8s.go
@@ -0,0 +1,110 @@
+// Package k8s serves /api/k8s/* — read-only cluster inspection.
+// If Client is nil the module is disabled and every handler returns 503.
+package k8s
+
+import (
+	"net/http"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/rs/zerolog"
+
+	"github.com/tm4rtin17/controlroom/internal/k8s"
+)
+
+// Deps mirrors the pattern used by api/services and api/containers.
+type Deps struct {
+	Client *k8s.Client // nil → module disabled
+	Logger zerolog.Logger
+}
+
+// MountHTTP registers GET routes on the authenticated router group.
+func MountHTTP(authed fiber.Router, d Deps) {
+	g := authed.Group("/k8s")
+	g.Get("/nodes", d.nodesHandler)
+	g.Get("/namespaces", d.namespacesHandler)
+	g.Get("/workloads", d.workloadsHandler)
+	g.Get("/pods", d.podsHandler)
+	g.Get("/services", d.servicesHandler)
+}
+
+func (d Deps) requireClient() error {
+	if d.Client == nil {
+		return fiber.NewError(http.StatusServiceUnavailable, "kubernetes not available on this host")
+	}
+	return nil
+}
+
+type nodesResp struct {
+	Nodes []k8s.Node `json:"nodes"`
+}
+
+func (d Deps) nodesHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	nodes, err := d.Client.ListNodes(c.Context())
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "list nodes: "+err.Error())
+	}
+	return c.JSON(nodesResp{Nodes: nodes})
+}
+
+type namespacesResp struct {
+	Namespaces []k8s.Namespace `json:"namespaces"`
+}
+
+func (d Deps) namespacesHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	nss, err := d.Client.ListNamespaces(c.Context())
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "list namespaces: "+err.Error())
+	}
+	return c.JSON(namespacesResp{Namespaces: nss})
+}
+
+type workloadsResp struct {
+	Workloads []k8s.Workload `json:"workloads"`
+}
+
+func (d Deps) workloadsHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	wls, err := d.Client.ListWorkloads(c.Context(), c.Query("namespace"))
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "list workloads: "+err.Error())
+	}
+	return c.JSON(workloadsResp{Workloads: wls})
+}
+
+type podsResp struct {
+	Pods []k8s.Pod `json:"pods"`
+}
+
+func (d Deps) podsHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	pods, err := d.Client.ListPods(c.Context(), c.Query("namespace"))
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "list pods: "+err.Error())
+	}
+	return c.JSON(podsResp{Pods: pods})
+}
+
+type servicesResp struct {
+	Services []k8s.Service `json:"services"`
+}
+
+func (d Deps) servicesHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	svcs, err := d.Client.ListServices(c.Context(), c.Query("namespace"))
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "list services: "+err.Error())
+	}
+	return c.JSON(servicesResp{Services: svcs})
+}
diff --git a/internal/api/router.go b/internal/api/router.go
index 53d564d..dfec4b2 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -12,6 +12,7 @@ import (
 
 	authapi "github.com/tm4rtin17/controlroom/internal/api/auth"
 	containersapi "github.com/tm4rtin17/controlroom/internal/api/containers"
+	k8sapi "github.com/tm4rtin17/controlroom/internal/api/k8s"
 	logsapi "github.com/tm4rtin17/controlroom/internal/api/logs"
 	"github.com/tm4rtin17/controlroom/internal/api/middleware"
 	networkapi "github.com/tm4rtin17/controlroom/internal/api/network"
@@ -27,6 +28,7 @@ import (
 	"github.com/tm4rtin17/controlroom/internal/config"
 	"github.com/tm4rtin17/controlroom/internal/docker"
 	"github.com/tm4rtin17/controlroom/internal/jobs"
+	"github.com/tm4rtin17/controlroom/internal/k8s"
 	"github.com/tm4rtin17/controlroom/internal/store"
 	"github.com/tm4rtin17/controlroom/internal/systemd"
 	"github.com/tm4rtin17/controlroom/internal/web"
@@ -45,6 +47,7 @@ type Deps struct {
 	Aggregator  *collectors.Aggregator
 	SystemD     systemd.Client // nil → /api/services returns 503
 	Docker      docker.Client  // nil → /api/containers returns 503
+	K8s         *k8s.Client    // nil → /api/k8s returns 503
 	Jobs        *jobs.Runner
 }
 
@@ -103,6 +106,7 @@ func NewRouter(d Deps) *fiber.App {
 		Logger:     d.Logger,
 		SystemD:    d.SystemD,
 		Docker:     d.Docker,
+		K8s:        d.K8s,
 	}
 	systemapi.MountHTTP(guarded, systemDeps)
 
@@ -118,6 +122,7 @@ func NewRouter(d Deps) *fiber.App {
 
 	networkapi.MountHTTP(guarded, networkapi.Deps{DB: d.DB, Logger: d.Logger})
 	logsapi.MountHTTP(guarded, logsapi.Deps{Logger: d.Logger})
+	k8sapi.MountHTTP(guarded, k8sapi.Deps{Client: d.K8s, Logger: d.Logger})
 	settingsapi.MountHTTP(guarded, settingsapi.Deps{Cfg: d.Cfg, DB: d.DB})
 
 	// Catch-all 404 for unknown /api paths.
diff --git a/internal/api/system/system.go b/internal/api/system/system.go
index 4e105c8..b8336f8 100644
--- a/internal/api/system/system.go
+++ b/internal/api/system/system.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/tm4rtin17/controlroom/internal/collectors"
 	"github.com/tm4rtin17/controlroom/internal/docker"
+	"github.com/tm4rtin17/controlroom/internal/k8s"
 	"github.com/tm4rtin17/controlroom/internal/logs"
 	"github.com/tm4rtin17/controlroom/internal/systemd"
 )
@@ -22,11 +23,12 @@ import (
 type Deps struct {
 	Aggregator *collectors.Aggregator
 	Logger     zerolog.Logger
-	// SystemD and Docker are nil-or-set; mirror the same wiring used by the
-	// services / containers handlers so /api/system/capabilities can report
-	// which features the SPA should expose.
+	// SystemD, Docker, and K8s are nil-or-set; mirror the same wiring used by
+	// the services / containers / k8s handlers so /api/system/capabilities can
+	// report which features the SPA should expose.
 	SystemD systemd.Client
 	Docker  docker.Client
+	K8s     *k8s.Client
 }
 
 // MountHTTP registers the REST endpoint. Caller is responsible for applying
@@ -41,16 +43,18 @@ func MountHTTP(authed fiber.Router, d Deps) {
 // on this host. The frontend uses it to hide nav entries that would otherwise
 // dead-end with a 503 (e.g. the Services tab in container deployments).
 type capabilitiesResp struct {
-	Systemd bool `json:"systemd"`
-	Docker  bool `json:"docker"`
-	Journal bool `json:"journal"`
+	Systemd    bool `json:"systemd"`
+	Docker     bool `json:"docker"`
+	Journal    bool `json:"journal"`
+	Kubernetes bool `json:"kubernetes"`
 }
 
 func (d Deps) capabilitiesHandler(c *fiber.Ctx) error {
 	return c.JSON(capabilitiesResp{
-		Systemd: d.SystemD != nil,
-		Docker:  d.Docker != nil,
-		Journal: logs.Available(),
+		Systemd:    d.SystemD != nil,
+		Docker:     d.Docker != nil,
+		Journal:    logs.Available(),
+		Kubernetes: d.K8s != nil,
 	})
 }
 
diff --git a/internal/k8s/client.go b/internal/k8s/client.go
new file mode 100644
index 0000000..0cc6e8d
--- /dev/null
+++ b/internal/k8s/client.go
@@ -0,0 +1,90 @@
+// Package k8s wraps client-go for read-only cluster inspection.
+//
+// New() tries in-cluster config first, then kubeconfig paths in order:
+// $KUBECONFIG, $HOME/.kube/config, /etc/rancher/k3s/k3s.yaml.
+// Returns ErrUnavailable if all attempts fail.
+package k8s
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// ErrUnavailable mirrors the docker package sentinel; handlers return 503.
+var ErrUnavailable = errors.New("kubernetes is not available")
+
+// Client holds a typed clientset and a dynamic client.
+type Client struct {
+	cs  *kubernetes.Clientset
+	dyn dynamic.Interface
+}
+
+// New constructs a Client. It never returns a non-nil Client alongside a
+// non-nil error.
+func New(ctx context.Context) (*Client, error) {
+	cfg, err := buildConfig()
+	if err != nil {
+		return nil, fmt.Errorf("%w: %s", ErrUnavailable, err.Error())
+	}
+	cs, err := kubernetes.NewForConfig(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %s", ErrUnavailable, err.Error())
+	}
+	dyn, err := dynamic.NewForConfig(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %s", ErrUnavailable, err.Error())
+	}
+	c := &Client{cs: cs, dyn: dyn}
+	if err := c.Ping(ctx); err != nil {
+		return nil, fmt.Errorf("%w: %s", ErrUnavailable, err.Error())
+	}
+	return c, nil
+}
+
+// Ping verifies the API server is reachable within 3 seconds.
+func (c *Client) Ping(ctx context.Context) error {
+	pingCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
+	defer cancel()
+	_, err := c.cs.Discovery().ServerVersion()
+	_ = pingCtx
+	return err
+}
+
+// buildConfig tries config sources in priority order.
+func buildConfig() (*rest.Config, error) {
+	// 1. In-cluster (pod service account).
+	if cfg, err := rest.InClusterConfig(); err == nil {
+		return cfg, nil
+	}
+
+	// 2. Explicit $KUBECONFIG.
+	if kc := os.Getenv("KUBECONFIG"); kc != "" {
+		if cfg, err := clientcmd.BuildConfigFromFlags("", kc); err == nil {
+			return cfg, nil
+		}
+	}
+
+	// 3. ~/.kube/config
+	if home, err := os.UserHomeDir(); err == nil {
+		p := filepath.Join(home, ".kube", "config")
+		if cfg, err := clientcmd.BuildConfigFromFlags("", p); err == nil {
+			return cfg, nil
+		}
+	}
+
+	// 4. K3s bare-metal default.
+	if cfg, err := clientcmd.BuildConfigFromFlags("", "/etc/rancher/k3s/k3s.yaml"); err == nil {
+		return cfg, nil
+	}
+
+	return nil, errors.New("no valid kubeconfig found")
+}
diff --git a/internal/k8s/k8s.go b/internal/k8s/k8s.go
new file mode 100644
index 0000000..ccd294e
--- /dev/null
+++ b/internal/k8s/k8s.go
@@ -0,0 +1,338 @@
+package k8s
+
+import (
+	"context"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ---- domain types (JSON shape is contract with the frontend) ----
+
+type Node struct {
+	Name      string        `json:"name"`
+	Status    string        `json:"status"`    // "Ready" | "NotReady" | "Unknown"
+	Roles     []string      `json:"roles"`     // never nil
+	Version   string        `json:"version"`
+	OS        string        `json:"os"`
+	Arch      string        `json:"arch"`
+	Addresses []NodeAddress `json:"addresses"` // never nil
+	Capacity  NodeCapacity  `json:"capacity"`
+	Age       string        `json:"age"`
+}
+
+type NodeAddress struct {
+	Type    string `json:"type"`
+	Address string `json:"address"`
+}
+
+type NodeCapacity struct {
+	CPU    string `json:"cpu"`
+	Memory string `json:"memory"`
+	Pods   string `json:"pods"`
+}
+
+type Namespace struct {
+	Name   string `json:"name"`
+	Status string `json:"status"` // "Active" | "Terminating"
+	Age    string `json:"age"`
+}
+
+type Workload struct {
+	Kind      string            `json:"kind"`      // "Deployment" | "StatefulSet" | "DaemonSet"
+	Name      string            `json:"name"`
+	Namespace string            `json:"namespace"`
+	Ready     WorkloadReady     `json:"ready"`
+	Images    []string          `json:"images"` // never nil
+	Age       string            `json:"age"`
+	Labels    map[string]string `json:"labels"` // never nil
+}
+
+type WorkloadReady struct {
+	Current int32 `json:"current"`
+	Desired int32 `json:"desired"`
+}
+
+type Pod struct {
+	Name      string   `json:"name"`
+	Namespace string   `json:"namespace"`
+	Status    string   `json:"status"`
+	Ready     PodReady `json:"ready"`
+	Restarts  int32    `json:"restarts"` // sum across containers
+	Node      string   `json:"node"`
+	PodIP     string   `json:"pod_ip"`
+	Age       string   `json:"age"`
+	Images    []string `json:"images"` // never nil
+}
+
+type PodReady struct {
+	Current int32 `json:"current"`
+	Total   int32 `json:"total"`
+}
+
+type Service struct {
+	Name       string        `json:"name"`
+	Namespace  string        `json:"namespace"`
+	Type       string        `json:"type"` // ClusterIP | NodePort | LoadBalancer
+	ClusterIP  string        `json:"cluster_ip"`
+	ExternalIP string        `json:"external_ip"` // empty if none
+	Ports      []ServicePort `json:"ports"`       // never nil
+	Age        string        `json:"age"`
+}
+
+type ServicePort struct {
+	Name       string `json:"name"`
+	Port       int32  `json:"port"`
+	TargetPort string `json:"target_port"` // intstr → string
+	Protocol   string `json:"protocol"`
+	NodePort   int32  `json:"node_port,omitempty"`
+}
+
+// ---- list methods ----
+
+func (c *Client) ListNodes(ctx context.Context) ([]Node, error) {
+	list, err := c.cs.CoreV1().Nodes().List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	out := make([]Node, 0, len(list.Items))
+	for _, n := range list.Items {
+		out = append(out, nodeFrom(n))
+	}
+	return out, nil
+}
+
+func (c *Client) ListNamespaces(ctx context.Context) ([]Namespace, error) {
+	list, err := c.cs.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	out := make([]Namespace, 0, len(list.Items))
+	for _, ns := range list.Items {
+		out = append(out, Namespace{
+			Name:   ns.Name,
+			Status: string(ns.Status.Phase),
+			Age:    ns.CreationTimestamp.UTC().Format("2006-01-02T15:04:05Z07:00"),
+		})
+	}
+	return out, nil
+}
+
+// ListWorkloads returns Deployments, StatefulSets, and DaemonSets.
+// namespace="" means all namespaces.
+func (c *Client) ListWorkloads(ctx context.Context, namespace string) ([]Workload, error) {
+	var out []Workload
+
+	deps, err := c.cs.AppsV1().Deployments(namespace).List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	for _, d := range deps.Items {
+		labels := d.Labels
+		if labels == nil {
+			labels = map[string]string{}
+		}
+		images := containerImages(d.Spec.Template.Spec.Containers)
+		out = append(out, Workload{
+			Kind:      "Deployment",
+			Name:      d.Name,
+			Namespace: d.Namespace,
+			Ready:     WorkloadReady{Current: d.Status.ReadyReplicas, Desired: derefInt32(d.Spec.Replicas)},
+			Images:    images,
+			Age:       d.CreationTimestamp.UTC().Format("2006-01-02T15:04:05Z07:00"),
+			Labels:    labels,
+		})
+	}
+
+	ssets, err := c.cs.AppsV1().StatefulSets(namespace).List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	for _, s := range ssets.Items {
+		labels := s.Labels
+		if labels == nil {
+			labels = map[string]string{}
+		}
+		images := containerImages(s.Spec.Template.Spec.Containers)
+		out = append(out, Workload{
+			Kind:      "StatefulSet",
+			Name:      s.Name,
+			Namespace: s.Namespace,
+			Ready:     WorkloadReady{Current: s.Status.ReadyReplicas, Desired: derefInt32(s.Spec.Replicas)},
+			Images:    images,
+			Age:       s.CreationTimestamp.UTC().Format("2006-01-02T15:04:05Z07:00"),
+			Labels:    labels,
+		})
+	}
+
+	dsets, err := c.cs.AppsV1().DaemonSets(namespace).List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	for _, ds := range dsets.Items {
+		labels := ds.Labels
+		if labels == nil {
+			labels = map[string]string{}
+		}
+		images := containerImages(ds.Spec.Template.Spec.Containers)
+		out = append(out, Workload{
+			Kind:      "DaemonSet",
+			Name:      ds.Name,
+			Namespace: ds.Namespace,
+			Ready:     WorkloadReady{Current: ds.Status.NumberReady, Desired: ds.Status.DesiredNumberScheduled},
+			Images:    images,
+			Age:       ds.CreationTimestamp.UTC().Format("2006-01-02T15:04:05Z07:00"),
+			Labels:    labels,
+		})
+	}
+
+	if out == nil {
+		out = []Workload{}
+	}
+	return out, nil
+}
+
+func (c *Client) ListPods(ctx context.Context, namespace string) ([]Pod, error) {
+	list, err := c.cs.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	out := make([]Pod, 0, len(list.Items))
+	for _, p := range list.Items {
+		out = append(out, podFrom(p))
+	}
+	return out, nil
+}
+
+func (c *Client) ListServices(ctx context.Context, namespace string) ([]Service, error) {
+	list, err := c.cs.CoreV1().Services(namespace).List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	out := make([]Service, 0, len(list.Items))
+	for _, s := range list.Items {
+		out = append(out, serviceFrom(s))
+	}
+	return out, nil
+}
+
+// ---- conversion helpers ----
+
+const rolePrefix = "node-role.kubernetes.io/"
+
+func nodeFrom(n corev1.Node) Node {
+	roles := []string{}
+	for k := range n.Labels {
+		if strings.HasPrefix(k, rolePrefix) {
+			roles = append(roles, strings.TrimPrefix(k, rolePrefix))
+		}
+	}
+
+	addrs := make([]NodeAddress, 0, len(n.Status.Addresses))
+	for _, a := range n.Status.Addresses {
+		addrs = append(addrs, NodeAddress{Type: string(a.Type), Address: a.Address})
+	}
+
+	status := "Unknown"
+	for _, cond := range n.Status.Conditions {
+		if cond.Type == corev1.NodeReady {
+			switch cond.Status {
+			case corev1.ConditionTrue:
+				status = "Ready"
+			case corev1.ConditionFalse:
+				status = "NotReady"
+			}
+			break
+		}
+	}
+
+	cap := n.Status.Capacity
+	return Node{
+		Name:      n.Name,
+		Status:    status,
+		Roles:     roles,
+		Version:   n.Status.NodeInfo.KubeletVersion,
+		OS:        n.Status.NodeInfo.OperatingSystem,
+		Arch:      n.Status.NodeInfo.Architecture,
+		Addresses: addrs,
+		Capacity: NodeCapacity{
+			CPU:    cap.Cpu().String(),
+			Memory: cap.Memory().String(),
+			Pods:   cap.Pods().String(),
+		},
+		Age: n.CreationTimestamp.UTC().Format("2006-01-02T15:04:05Z07:00"),
+	}
+}
+
+func podFrom(p corev1.Pod) Pod {
+	var restarts int32
+	var readyCurrent int32
+	for _, cs := range p.Status.ContainerStatuses {
+		restarts += cs.RestartCount
+		if cs.Ready {
+			readyCurrent++
+		}
+	}
+	images := make([]string, 0, len(p.Spec.Containers))
+	for _, c := range p.Spec.Containers {
+		images = append(images, c.Image)
+	}
+	return Pod{
+		Name:      p.Name,
+		Namespace: p.Namespace,
+		Status:    string(p.Status.Phase),
+		Ready:     PodReady{Current: readyCurrent, Total: int32(len(p.Spec.Containers))},
+		Restarts:  restarts,
+		Node:      p.Spec.NodeName,
+		PodIP:     p.Status.PodIP,
+		Age:       p.CreationTimestamp.UTC().Format("2006-01-02T15:04:05Z07:00"),
+		Images:    images,
+	}
+}
+
+func serviceFrom(s corev1.Service) Service {
+	externalIP := ""
+	if len(s.Status.LoadBalancer.Ingress) > 0 {
+		ing := s.Status.LoadBalancer.Ingress[0]
+		if ing.IP != "" {
+			externalIP = ing.IP
+		} else {
+			externalIP = ing.Hostname
+		}
+	}
+	ports := make([]ServicePort, 0, len(s.Spec.Ports))
+	for _, p := range s.Spec.Ports {
+		ports = append(ports, ServicePort{
+			Name:       p.Name,
+			Port:       p.Port,
+			TargetPort: p.TargetPort.String(),
+			Protocol:   string(p.Protocol),
+			NodePort:   p.NodePort,
+		})
+	}
+	return Service{
+		Name:       s.Name,
+		Namespace:  s.Namespace,
+		Type:       string(s.Spec.Type),
+		ClusterIP:  s.Spec.ClusterIP,
+		ExternalIP: externalIP,
+		Ports:      ports,
+		Age:        s.CreationTimestamp.UTC().Format("2006-01-02T15:04:05Z07:00"),
+	}
+}
+
+func containerImages(containers []corev1.Container) []string {
+	images := make([]string, 0, len(containers))
+	for _, c := range containers {
+		images = append(images, c.Image)
+	}
+	return images
+}
+
+func derefInt32(p *int32) int32 {
+	if p == nil {
+		return 0
+	}
+	return *p
+}
diff --git a/web/src/components/AppLayout.tsx b/web/src/components/AppLayout.tsx
index cc114a2..0d6192b 100644
--- a/web/src/components/AppLayout.tsx
+++ b/web/src/components/AppLayout.tsx
@@ -8,6 +8,7 @@ import {
   Download,
   LogOut,
   Menu,
+  Package,
   ScrollText,
   ServerCog,
   Settings,
@@ -39,6 +40,7 @@ const NAV: NavEntry[] = [
   { to: '/updates', label: 'Updates', Icon: Download, ready: true },
   { to: '/services', label: 'Services', Icon: Cog, ready: true, requires: 'systemd' },
   { to: '/containers', label: 'Containers', Icon: Container, ready: true, requires: 'docker' },
+  { to: '/kubernetes', label: 'Kubernetes', Icon: Package, ready: true, requires: 'kubernetes' },
   { to: '/terminal', label: 'Terminal', Icon: TerminalIcon, ready: true },
   { to: '/network', label: 'Network', Icon: Wifi, ready: true },
   { to: '/logs', label: 'Logs', Icon: ScrollText, ready: true },
diff --git a/web/src/components/k8s/K8sStatusPill.tsx b/web/src/components/k8s/K8sStatusPill.tsx
new file mode 100644
index 0000000..5d2d1f1
--- /dev/null
+++ b/web/src/components/k8s/K8sStatusPill.tsx
@@ -0,0 +1,34 @@
+import { Badge } from '@/components/ui/badge'
+
+type PillVariant = 'success' | 'warn' | 'danger' | 'muted' | 'default'
+
+const NODE_STATUS: Record<string, PillVariant> = {
+  Ready: 'success',
+  NotReady: 'danger',
+  Unknown: 'warn',
+}
+
+const POD_STATUS: Record<string, PillVariant> = {
+  Running: 'success',
+  Pending: 'warn',
+  Succeeded: 'muted',
+  Failed: 'danger',
+}
+
+const SERVICE_TYPE: Record<string, PillVariant> = {
+  ClusterIP: 'default',
+  NodePort: 'warn',
+  LoadBalancer: 'success',
+}
+
+export function K8sNodeStatusPill({ status }: { status: string }) {
+  return <Badge variant={NODE_STATUS[status] ?? 'muted'}>{status}</Badge>
+}
+
+export function K8sPodStatusPill({ status }: { status: string }) {
+  return <Badge variant={POD_STATUS[status] ?? 'muted'}>{status}</Badge>
+}
+
+export function K8sServiceTypePill({ type }: { type: string }) {
+  return <Badge variant={SERVICE_TYPE[type] ?? 'default'}>{type}</Badge>
+}
diff --git a/web/src/components/k8s/NodeList.tsx b/web/src/components/k8s/NodeList.tsx
new file mode 100644
index 0000000..1e84712
--- /dev/null
+++ b/web/src/components/k8s/NodeList.tsx
@@ -0,0 +1,93 @@
+import type { K8sNode } from '@/lib/k8s'
+import { formatRelativeTime } from '@/lib/format'
+import { Badge } from '@/components/ui/badge'
+import { Card, CardContent } from '@/components/ui/card'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+import { K8sNodeStatusPill } from './K8sStatusPill'
+
+interface Props {
+  nodes: K8sNode[]
+  loading: boolean
+  error: Error | null
+  search: string
+}
+
+export function NodeList({ nodes, loading, error, search }: Props) {
+  if (loading) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">Loading…</CardContent>
+      </Card>
+    )
+  }
+  if (error) {
+    return (
+      <Alert variant="destructive">
+        <AlertDescription>{error.message || 'Could not fetch nodes.'}</AlertDescription>
+      </Alert>
+    )
+  }
+
+  const needle = search.toLowerCase()
+  const filtered = needle
+    ? nodes.filter((n) => n.name.toLowerCase().includes(needle))
+    : nodes
+
+  if (filtered.length === 0) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">
+          {nodes.length === 0 ? 'No nodes found' : 'No nodes match'}
+        </CardContent>
+      </Card>
+    )
+  }
+
+  return (
+    <Card>
+      <CardContent className="p-0">
+        <div className="overflow-x-auto">
+          <table className="w-full text-sm">
+            <thead>
+              <tr className="border-b text-left text-xs text-muted-foreground">
+                <th className="px-4 py-3 font-medium">Name</th>
+                <th className="px-4 py-3 font-medium">Status</th>
+                <th className="px-4 py-3 font-medium">Roles</th>
+                <th className="px-4 py-3 font-medium">Version</th>
+                <th className="px-4 py-3 font-medium">OS/Arch</th>
+                <th className="px-4 py-3 font-medium">Internal IP</th>
+                <th className="px-4 py-3 font-medium">Age</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y">
+              {filtered.map((node) => {
+                const internalIP = node.addresses.find((a) => a.type === 'InternalIP')?.address ?? '—'
+                return (
+                  <tr key={node.name} className="hover:bg-accent/30">
+                    <td className="px-4 py-3 font-mono text-xs font-medium">{node.name}</td>
+                    <td className="px-4 py-3">
+                      <K8sNodeStatusPill status={node.status} />
+                    </td>
+                    <td className="px-4 py-3">
+                      <div className="flex flex-wrap gap-1">
+                        {node.roles.length === 0 ? (
+                          <span className="text-muted-foreground">—</span>
+                        ) : (
+                          node.roles.map((r) => <Badge key={r} variant="muted">{r}</Badge>)
+                        )}
+                      </div>
+                    </td>
+                    <td className="px-4 py-3 font-mono text-xs">{node.version}</td>
+                    <td className="px-4 py-3 text-xs text-muted-foreground">{node.os}/{node.arch}</td>
+                    <td className="px-4 py-3 font-mono text-xs">{internalIP}</td>
+                    <td className="px-4 py-3 text-xs text-muted-foreground">{formatRelativeTime(node.age)}</td>
+                  </tr>
+                )
+              })}
+            </tbody>
+          </table>
+        </div>
+      </CardContent>
+    </Card>
+  )
+}
diff --git a/web/src/components/k8s/PodList.tsx b/web/src/components/k8s/PodList.tsx
new file mode 100644
index 0000000..a3d94c8
--- /dev/null
+++ b/web/src/components/k8s/PodList.tsx
@@ -0,0 +1,90 @@
+import type { K8sPod } from '@/lib/k8s'
+import { formatRelativeTime } from '@/lib/format'
+import { Card, CardContent } from '@/components/ui/card'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+import { cn } from '@/lib/utils'
+import { K8sPodStatusPill } from './K8sStatusPill'
+
+interface Props {
+  pods: K8sPod[]
+  loading: boolean
+  error: Error | null
+  search: string
+}
+
+export function PodList({ pods, loading, error, search }: Props) {
+  if (loading) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">Loading…</CardContent>
+      </Card>
+    )
+  }
+  if (error) {
+    return (
+      <Alert variant="destructive">
+        <AlertDescription>{error.message || 'Could not fetch pods.'}</AlertDescription>
+      </Alert>
+    )
+  }
+
+  const needle = search.toLowerCase()
+  const filtered = needle
+    ? pods.filter(
+        (p) =>
+          p.name.toLowerCase().includes(needle) ||
+          p.namespace.toLowerCase().includes(needle)
+      )
+    : pods
+
+  if (filtered.length === 0) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">
+          {pods.length === 0 ? 'No pods found' : 'No pods match'}
+        </CardContent>
+      </Card>
+    )
+  }
+
+  return (
+    <Card>
+      <CardContent className="p-0">
+        <div className="overflow-x-auto">
+          <table className="w-full text-sm">
+            <thead>
+              <tr className="border-b text-left text-xs text-muted-foreground">
+                <th className="px-4 py-3 font-medium">Name</th>
+                <th className="px-4 py-3 font-medium">Namespace</th>
+                <th className="px-4 py-3 font-medium">Status</th>
+                <th className="px-4 py-3 font-medium">Ready</th>
+                <th className="px-4 py-3 font-medium">Restarts</th>
+                <th className="px-4 py-3 font-medium">Node</th>
+                <th className="px-4 py-3 font-medium">Age</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y">
+              {filtered.map((pod) => (
+                <tr key={`${pod.namespace}/${pod.name}`} className="hover:bg-accent/30">
+                  <td className="px-4 py-3 font-mono text-xs font-medium">{pod.name}</td>
+                  <td className="px-4 py-3 text-xs text-muted-foreground">{pod.namespace}</td>
+                  <td className="px-4 py-3">
+                    <K8sPodStatusPill status={pod.status} />
+                  </td>
+                  <td className="px-4 py-3 text-xs tabular-nums">
+                    {pod.ready.current}/{pod.ready.total}
+                  </td>
+                  <td className="px-4 py-3 text-xs tabular-nums">
+                    <span className={cn(pod.restarts > 0 ? 'text-amber-500' : '')}>{pod.restarts}</span>
+                  </td>
+                  <td className="px-4 py-3 font-mono text-xs text-muted-foreground">{pod.node || '—'}</td>
+                  <td className="px-4 py-3 text-xs text-muted-foreground">{formatRelativeTime(pod.age)}</td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      </CardContent>
+    </Card>
+  )
+}
diff --git a/web/src/components/k8s/ServiceList.tsx b/web/src/components/k8s/ServiceList.tsx
new file mode 100644
index 0000000..76dd3e1
--- /dev/null
+++ b/web/src/components/k8s/ServiceList.tsx
@@ -0,0 +1,92 @@
+import type { K8sService } from '@/lib/k8s'
+import { formatRelativeTime } from '@/lib/format'
+import { Card, CardContent } from '@/components/ui/card'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+import { K8sServiceTypePill } from './K8sStatusPill'
+
+interface Props {
+  services: K8sService[]
+  loading: boolean
+  error: Error | null
+  search: string
+}
+
+function formatPorts(svc: K8sService): string {
+  if (svc.ports.length === 0) return '—'
+  return svc.ports
+    .map((p) => `${p.port}→${p.target_port}/${p.protocol}`)
+    .join(', ')
+}
+
+export function ServiceList({ services, loading, error, search }: Props) {
+  if (loading) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">Loading…</CardContent>
+      </Card>
+    )
+  }
+  if (error) {
+    return (
+      <Alert variant="destructive">
+        <AlertDescription>{error.message || 'Could not fetch services.'}</AlertDescription>
+      </Alert>
+    )
+  }
+
+  const needle = search.toLowerCase()
+  const filtered = needle
+    ? services.filter(
+        (s) =>
+          s.name.toLowerCase().includes(needle) ||
+          s.namespace.toLowerCase().includes(needle)
+      )
+    : services
+
+  if (filtered.length === 0) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">
+          {services.length === 0 ? 'No services found' : 'No services match'}
+        </CardContent>
+      </Card>
+    )
+  }
+
+  return (
+    <Card>
+      <CardContent className="p-0">
+        <div className="overflow-x-auto">
+          <table className="w-full text-sm">
+            <thead>
+              <tr className="border-b text-left text-xs text-muted-foreground">
+                <th className="px-4 py-3 font-medium">Name</th>
+                <th className="px-4 py-3 font-medium">Namespace</th>
+                <th className="px-4 py-3 font-medium">Type</th>
+                <th className="px-4 py-3 font-medium">Cluster IP</th>
+                <th className="px-4 py-3 font-medium">External IP</th>
+                <th className="px-4 py-3 font-medium">Ports</th>
+                <th className="px-4 py-3 font-medium">Age</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y">
+              {filtered.map((svc) => (
+                <tr key={`${svc.namespace}/${svc.name}`} className="hover:bg-accent/30">
+                  <td className="px-4 py-3 font-mono text-xs font-medium">{svc.name}</td>
+                  <td className="px-4 py-3 text-xs text-muted-foreground">{svc.namespace}</td>
+                  <td className="px-4 py-3">
+                    <K8sServiceTypePill type={svc.type} />
+                  </td>
+                  <td className="px-4 py-3 font-mono text-xs">{svc.cluster_ip || '—'}</td>
+                  <td className="px-4 py-3 font-mono text-xs">{svc.external_ip || '—'}</td>
+                  <td className="px-4 py-3 font-mono text-xs">{formatPorts(svc)}</td>
+                  <td className="px-4 py-3 text-xs text-muted-foreground">{formatRelativeTime(svc.age)}</td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      </CardContent>
+    </Card>
+  )
+}
diff --git a/web/src/components/k8s/WorkloadList.tsx b/web/src/components/k8s/WorkloadList.tsx
new file mode 100644
index 0000000..1e12928
--- /dev/null
+++ b/web/src/components/k8s/WorkloadList.tsx
@@ -0,0 +1,128 @@
+import type { K8sWorkload } from '@/lib/k8s'
+import { formatRelativeTime } from '@/lib/format'
+import { Badge } from '@/components/ui/badge'
+import { Card, CardContent } from '@/components/ui/card'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+import { cn } from '@/lib/utils'
+
+interface Props {
+  workloads: K8sWorkload[]
+  loading: boolean
+  error: Error | null
+  search: string
+}
+
+const KIND_ORDER: K8sWorkload['kind'][] = ['Deployment', 'StatefulSet', 'DaemonSet']
+
+const KIND_VARIANT: Record<K8sWorkload['kind'], 'default' | 'warn' | 'muted'> = {
+  Deployment: 'default',
+  StatefulSet: 'warn',
+  DaemonSet: 'muted',
+}
+
+export function WorkloadList({ workloads, loading, error, search }: Props) {
+  if (loading) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">Loading…</CardContent>
+      </Card>
+    )
+  }
+  if (error) {
+    return (
+      <Alert variant="destructive">
+        <AlertDescription>{error.message || 'Could not fetch workloads.'}</AlertDescription>
+      </Alert>
+    )
+  }
+
+  const needle = search.toLowerCase()
+  const filtered = needle
+    ? workloads.filter(
+        (w) =>
+          w.name.toLowerCase().includes(needle) ||
+          w.namespace.toLowerCase().includes(needle)
+      )
+    : workloads
+
+  if (filtered.length === 0) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">
+          {workloads.length === 0 ? 'No workloads found' : 'No workloads match'}
+        </CardContent>
+      </Card>
+    )
+  }
+
+  const byKind = KIND_ORDER.map((kind) => ({
+    kind,
+    items: filtered.filter((w) => w.kind === kind),
+  })).filter((g) => g.items.length > 0)
+
+  return (
+    <div className="flex flex-col gap-4">
+      {byKind.map(({ kind, items }) => (
+        <section key={kind}>
+          <div className="mb-2 flex items-center gap-2">
+            <Badge variant={KIND_VARIANT[kind]}>{kind}</Badge>
+            <span className="text-xs text-muted-foreground">{items.length}</span>
+          </div>
+          <Card>
+            <CardContent className="p-0">
+              <div className="overflow-x-auto">
+                <table className="w-full text-sm">
+                  <thead>
+                    <tr className="border-b text-left text-xs text-muted-foreground">
+                      <th className="px-4 py-3 font-medium">Name</th>
+                      <th className="px-4 py-3 font-medium">Namespace</th>
+                      <th className="px-4 py-3 font-medium">Ready</th>
+                      <th className="px-4 py-3 font-medium">Image</th>
+                      <th className="px-4 py-3 font-medium">Age</th>
+                    </tr>
+                  </thead>
+                  <tbody className="divide-y">
+                    {items.map((w) => {
+                      const pct = w.ready.desired > 0 ? (w.ready.current / w.ready.desired) * 100 : 0
+                      const healthy = w.ready.current >= w.ready.desired
+                      return (
+                        <tr key={`${w.namespace}/${w.name}`} className="hover:bg-accent/30">
+                          <td className="px-4 py-3 font-mono text-xs font-medium">{w.name}</td>
+                          <td className="px-4 py-3 text-xs text-muted-foreground">{w.namespace}</td>
+                          <td className="px-4 py-3">
+                            <div className="flex items-center gap-2">
+                              <span className={cn('text-xs tabular-nums', healthy ? 'text-emerald-500' : 'text-amber-500')}>
+                                {w.ready.current}/{w.ready.desired}
+                              </span>
+                              <div className="h-1.5 w-16 overflow-hidden rounded-full bg-muted">
+                                <div
+                                  className={cn('h-full rounded-full', healthy ? 'bg-emerald-500' : 'bg-amber-500')}
+                                  style={{ width: `${Math.min(pct, 100)}%` }}
+                                />
+                              </div>
+                            </div>
+                          </td>
+                          <td className="px-4 py-3 font-mono text-xs">
+                            {w.images.length === 0 ? '—' : (
+                              <>
+                                <span className="truncate">{w.images[0]}</span>
+                                {w.images.length > 1 && (
+                                  <span className="ml-1 text-muted-foreground">+{w.images.length - 1} more</span>
+                                )}
+                              </>
+                            )}
+                          </td>
+                          <td className="px-4 py-3 text-xs text-muted-foreground">{formatRelativeTime(w.age)}</td>
+                        </tr>
+                      )
+                    })}
+                  </tbody>
+                </table>
+              </div>
+            </CardContent>
+          </Card>
+        </section>
+      ))}
+    </div>
+  )
+}
diff --git a/web/src/lib/format.ts b/web/src/lib/format.ts
index 2c6f22d..5010d11 100644
--- a/web/src/lib/format.ts
+++ b/web/src/lib/format.ts
@@ -32,3 +32,15 @@ export function formatUptime(seconds: number): string {
 export function formatTemp(c: number): string {
   return `${c.toFixed(1)}°C`
 }
+
+export function formatRelativeTime(iso: string): string {
+  const ms = Date.now() - new Date(iso).getTime()
+  const s = Math.floor(ms / 1000)
+  if (s < 60) return `${s}s`
+  const m = Math.floor(s / 60)
+  if (m < 60) return `${m}m`
+  const h = Math.floor(m / 60)
+  if (h < 24) return `${h}h`
+  const d = Math.floor(h / 24)
+  return `${d}d`
+}
diff --git a/web/src/lib/k8s.ts b/web/src/lib/k8s.ts
new file mode 100644
index 0000000..81f2830
--- /dev/null
+++ b/web/src/lib/k8s.ts
@@ -0,0 +1,107 @@
+import { useQuery } from '@tanstack/react-query'
+
+import { apiFetch } from './api'
+
+export interface K8sNode {
+  name: string
+  status: 'Ready' | 'NotReady' | 'Unknown'
+  roles: string[]
+  version: string
+  os: string
+  arch: string
+  addresses: { type: string; address: string }[]
+  capacity: { cpu: string; memory: string; pods: string }
+  age: string
+}
+
+export interface K8sNamespace {
+  name: string
+  status: string
+  age: string
+}
+
+export interface K8sWorkload {
+  kind: 'Deployment' | 'StatefulSet' | 'DaemonSet'
+  name: string
+  namespace: string
+  ready: { current: number; desired: number }
+  images: string[]
+  age: string
+  labels: Record<string, string>
+}
+
+export interface K8sPod {
+  name: string
+  namespace: string
+  status: string
+  ready: { current: number; total: number }
+  restarts: number
+  node: string
+  pod_ip: string
+  age: string
+  images: string[]
+}
+
+export interface K8sService {
+  name: string
+  namespace: string
+  type: 'ClusterIP' | 'NodePort' | 'LoadBalancer'
+  cluster_ip: string
+  external_ip: string
+  ports: { name: string; port: number; target_port: string; protocol: string; node_port?: number }[]
+  age: string
+}
+
+export function useK8sNodes() {
+  return useQuery({
+    queryKey: ['k8s', 'nodes'],
+    queryFn: () => apiFetch<{ nodes: K8sNode[] }>('/api/k8s/nodes'),
+    refetchInterval: 10_000,
+    staleTime: 2_000,
+  })
+}
+
+export function useK8sNamespaces() {
+  return useQuery({
+    queryKey: ['k8s', 'namespaces'],
+    queryFn: () => apiFetch<{ namespaces: K8sNamespace[] }>('/api/k8s/namespaces'),
+    refetchInterval: 10_000,
+    staleTime: 2_000,
+  })
+}
+
+export function useK8sWorkloads(namespace: string) {
+  return useQuery({
+    queryKey: ['k8s', 'workloads', namespace],
+    queryFn: () =>
+      apiFetch<{ workloads: K8sWorkload[] }>(
+        `/api/k8s/workloads${namespace ? `?namespace=${encodeURIComponent(namespace)}` : ''}`
+      ),
+    refetchInterval: 10_000,
+    staleTime: 2_000,
+  })
+}
+
+export function useK8sPods(namespace: string) {
+  return useQuery({
+    queryKey: ['k8s', 'pods', namespace],
+    queryFn: () =>
+      apiFetch<{ pods: K8sPod[] }>(
+        `/api/k8s/pods${namespace ? `?namespace=${encodeURIComponent(namespace)}` : ''}`
+      ),
+    refetchInterval: 10_000,
+    staleTime: 2_000,
+  })
+}
+
+export function useK8sServices(namespace: string) {
+  return useQuery({
+    queryKey: ['k8s', 'services', namespace],
+    queryFn: () =>
+      apiFetch<{ services: K8sService[] }>(
+        `/api/k8s/services${namespace ? `?namespace=${encodeURIComponent(namespace)}` : ''}`
+      ),
+    refetchInterval: 10_000,
+    staleTime: 2_000,
+  })
+}
diff --git a/web/src/lib/system.ts b/web/src/lib/system.ts
index 63a7ef2..a38d7ce 100644
--- a/web/src/lib/system.ts
+++ b/web/src/lib/system.ts
@@ -77,6 +77,7 @@ export interface SystemCapabilities {
   systemd: boolean
   docker: boolean
   journal: boolean
+  kubernetes: boolean
 }
 
 export function useCapabilities() {
diff --git a/web/src/routes/AuthenticatedApp.tsx b/web/src/routes/AuthenticatedApp.tsx
index 42dd0a1..67a7f39 100644
--- a/web/src/routes/AuthenticatedApp.tsx
+++ b/web/src/routes/AuthenticatedApp.tsx
@@ -4,6 +4,7 @@ import { AppLayout } from '@/components/AppLayout'
 import { Dashboard } from '@/routes/Dashboard'
 import { Services } from '@/routes/Services'
 import { Containers } from '@/routes/Containers'
+import { Kubernetes } from '@/routes/Kubernetes'
 import { Terminal } from '@/routes/Terminal'
 import { Updates } from '@/routes/Updates'
 import { Network } from '@/routes/Network'
@@ -18,6 +19,7 @@ export function AuthenticatedApp() {
         <Route path="/updates" element={<Updates />} />
         <Route path="/services" element={<Services />} />
         <Route path="/containers" element={<Containers />} />
+        <Route path="/kubernetes" element={<Kubernetes />} />
         <Route path="/terminal" element={<Terminal />} />
         <Route path="/network" element={<Network />} />
         <Route path="/logs" element={<Logs />} />
diff --git a/web/src/routes/Kubernetes.tsx b/web/src/routes/Kubernetes.tsx
new file mode 100644
index 0000000..be3a102
--- /dev/null
+++ b/web/src/routes/Kubernetes.tsx
@@ -0,0 +1,140 @@
+import { useState } from 'react'
+import { Search } from 'lucide-react'
+
+import { ApiError } from '@/lib/api'
+import { useK8sNodes, useK8sNamespaces, useK8sWorkloads, useK8sPods, useK8sServices } from '@/lib/k8s'
+import { Input } from '@/components/ui/input'
+import { Card, CardContent } from '@/components/ui/card'
+import { Label } from '@/components/ui/label'
+import { cn } from '@/lib/utils'
+import { NodeList } from '@/components/k8s/NodeList'
+import { WorkloadList } from '@/components/k8s/WorkloadList'
+import { PodList } from '@/components/k8s/PodList'
+import { ServiceList } from '@/components/k8s/ServiceList'
+
+type Tab = 'nodes' | 'workloads' | 'pods' | 'services'
+
+const TABS: { id: Tab; label: string }[] = [
+  { id: 'nodes', label: 'Nodes' },
+  { id: 'workloads', label: 'Workloads' },
+  { id: 'pods', label: 'Pods' },
+  { id: 'services', label: 'Services' },
+]
+
+export function Kubernetes() {
+  const [tab, setTab] = useState<Tab>('nodes')
+  const [namespace, setNamespace] = useState('')
+  const [search, setSearch] = useState('')
+
+  const namespacesQ = useK8sNamespaces()
+  const nodesQ = useK8sNodes()
+  const workloadsQ = useK8sWorkloads(namespace)
+  const podsQ = useK8sPods(namespace)
+  const servicesQ = useK8sServices(namespace)
+
+  // Surface 503 from the namespaces call as a top-level unavailable state.
+  const unavailable = namespacesQ.error instanceof ApiError && namespacesQ.error.status === 503
+
+  if (unavailable) {
+    return (
+      <div className="flex flex-col gap-4">
+        <h1 className="text-xl font-semibold tracking-tight">Kubernetes</h1>
+        <Card>
+          <CardContent className="p-6 text-sm text-muted-foreground">
+            {namespacesQ.error?.message ?? 'Kubernetes is not available on this host.'}
+          </CardContent>
+        </Card>
+      </div>
+    )
+  }
+
+  const namespaces = namespacesQ.data?.namespaces ?? []
+
+  return (
+    <div className="flex flex-col gap-4">
+      <div className="flex flex-wrap items-center justify-between gap-2">
+        <h1 className="text-xl font-semibold tracking-tight">Kubernetes</h1>
+      </div>
+
+      {/* Controls row: namespace picker + search */}
+      <div className="flex flex-wrap items-end gap-3">
+        <div className="flex flex-col gap-1">
+          <Label htmlFor="namespace" className="text-xs">Namespace</Label>
+          <select
+            id="namespace"
+            className="h-10 rounded-md border bg-background px-2 text-sm"
+            value={namespace}
+            onChange={(e) => setNamespace(e.target.value)}
+          >
+            <option value="">All namespaces</option>
+            {namespaces.map((ns) => (
+              <option key={ns.name} value={ns.name}>{ns.name}</option>
+            ))}
+          </select>
+        </div>
+
+        <div className="flex flex-1 min-w-[200px] items-center gap-2 rounded-md border bg-card px-3 h-10">
+          <Search className="h-4 w-4 text-muted-foreground shrink-0" aria-hidden />
+          <Input
+            value={search}
+            onChange={(e) => setSearch(e.target.value)}
+            placeholder="Filter by name or namespace"
+            className="border-0 bg-transparent shadow-none focus-visible:ring-0"
+          />
+        </div>
+      </div>
+
+      {/* Tab bar */}
+      <div className="inline-flex items-center rounded-md border bg-background p-0.5 text-xs">
+        {TABS.map(({ id, label }) => (
+          <button
+            key={id}
+            onClick={() => setTab(id)}
+            className={cn(
+              'rounded-sm px-3 py-1',
+              tab === id
+                ? 'bg-primary/10 text-foreground ring-1 ring-primary/30'
+                : 'text-muted-foreground hover:text-foreground'
+            )}
+          >
+            {label}
+          </button>
+        ))}
+      </div>
+
+      {/* Tab content — namespace picker is hidden on Nodes tab since nodes are cluster-scoped */}
+      {tab === 'nodes' && (
+        <NodeList
+          nodes={nodesQ.data?.nodes ?? []}
+          loading={nodesQ.isLoading}
+          error={nodesQ.error}
+          search={search}
+        />
+      )}
+      {tab === 'workloads' && (
+        <WorkloadList
+          workloads={workloadsQ.data?.workloads ?? []}
+          loading={workloadsQ.isLoading}
+          error={workloadsQ.error}
+          search={search}
+        />
+      )}
+      {tab === 'pods' && (
+        <PodList
+          pods={podsQ.data?.pods ?? []}
+          loading={podsQ.isLoading}
+          error={podsQ.error}
+          search={search}
+        />
+      )}
+      {tab === 'services' && (
+        <ServiceList
+          services={servicesQ.data?.services ?? []}
+          loading={servicesQ.isLoading}
+          error={servicesQ.error}
+          search={search}
+        />
+      )}
+    </div>
+  )
+}

From dff99cc51464b412a5b7166daf4c531323305f01 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 16:49:00 -0700
Subject: [PATCH 06/25] k8s: Phase B detail drawers + pod log streaming
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds click-to-detail across the Kubernetes tab and a live log
viewer for pods. Read-only still — no write actions yet.

Backend (internal/k8s/detail.go, internal/api/k8s/k8s.go):
- GET /api/k8s/nodes/:name → NodeDetail (conditions, allocatable,
  taints, events).
- GET /api/k8s/workloads/:namespace/:kind/:name → WorkloadDetail
  for Deployment / StatefulSet / DaemonSet (selector, strategy,
  conditions, events).
- GET /api/k8s/pods/:namespace/:name → PodDetail (per-container
  status, conditions, QoS, node, events).
- GET /api/k8s/services/:namespace/:name → ServiceDetail
  (endpoint addresses, selector, events).
- WS /ws/k8s/pods/:namespace/:name/logs?container=&tail= — streams
  via CoreV1.Pods().GetLogs().Stream(). Frame shape matches
  /ws/containers/:id/logs (type=line, stream=stdout, line) so the
  SPA reuses the LogStream UX.
- Events listed via field selector on involvedObject — server-side
  filter, no full-list scan. Cluster-scoped Node events scan all
  namespaces.
- DNS-1123 regex with length guard validates :namespace and :name
  before they reach the API server.

Frontend (web/src/components/k8s/*Detail.tsx + helpers):
- Sheet-based drawer per resource kind, opened by row click in the
  list views. State held in routes/Kubernetes.tsx so opening a pod
  doesn't clobber a node selection.
- Reusable EventsTable and ConditionsTable.
- PodLogStream — WebSocket viewer mirroring ContainerLogStream
  (pause/resume/clear, 1000-line cap, auto-scroll).
- Container picker in PodDetail: clicking a container row syncs
  the active container in the picker chips and the log stream.
- Used the existing Sheet primitive — no new deps.

RBAC widening (deploy/k8s/rbac.yaml):
- pods/log → get (so the SA can stream container output).
- endpoints → get/list/watch (for ServiceDetail.endpoints).
- Still no secrets, no PVs, no write verbs. Phase C territory.

Verified:
- make image, image loaded into both K3s nodes (piserver + piserver2).
- kubectl apply -f deploy/k8s/rbac.yaml succeeded.
- rollout restart deployment/controlroom rolled cleanly within 90s.
- /api/healthz → 200, /api/system/capabilities reports
  kubernetes:true.
- kubectl auth can-i get pods/log as the SA → yes.
- No "kubernetes unavailable" warning in pod logs.
---
 deploy/k8s/rbac.yaml                       |  10 +-
 internal/api/k8s/k8s.go                    | 228 ++++++++++
 internal/api/router.go                     |   1 +
 internal/k8s/detail.go                     | 489 +++++++++++++++++++++
 web/src/components/k8s/ConditionsTable.tsx |  47 ++
 web/src/components/k8s/EventsTable.tsx     |  41 ++
 web/src/components/k8s/NodeDetail.tsx      |  82 ++++
 web/src/components/k8s/NodeList.tsx        |   5 +-
 web/src/components/k8s/PodDetail.tsx       | 145 ++++++
 web/src/components/k8s/PodList.tsx         |   5 +-
 web/src/components/k8s/PodLogStream.tsx    | 104 +++++
 web/src/components/k8s/ServiceDetail.tsx   | 123 ++++++
 web/src/components/k8s/ServiceList.tsx     |   5 +-
 web/src/components/k8s/WorkloadDetail.tsx  |  91 ++++
 web/src/components/k8s/WorkloadList.tsx    |   5 +-
 web/src/lib/k8s.ts                         | 120 +++++
 web/src/routes/Kubernetes.tsx              |  44 ++
 17 files changed, 1535 insertions(+), 10 deletions(-)
 create mode 100644 internal/k8s/detail.go
 create mode 100644 web/src/components/k8s/ConditionsTable.tsx
 create mode 100644 web/src/components/k8s/EventsTable.tsx
 create mode 100644 web/src/components/k8s/NodeDetail.tsx
 create mode 100644 web/src/components/k8s/PodDetail.tsx
 create mode 100644 web/src/components/k8s/PodLogStream.tsx
 create mode 100644 web/src/components/k8s/ServiceDetail.tsx
 create mode 100644 web/src/components/k8s/WorkloadDetail.tsx

diff --git a/deploy/k8s/rbac.yaml b/deploy/k8s/rbac.yaml
index e7eedb6..02ea952 100644
--- a/deploy/k8s/rbac.yaml
+++ b/deploy/k8s/rbac.yaml
@@ -6,8 +6,9 @@ metadata:
 
 ---
 # Phase A: read-only access to core cluster resources.
-# Phase B/C will widen this to cover metrics, CRDs, and write actions.
-# Do NOT add secrets, persistentvolumes, or any write verb here.
+# Phase B widens with pods/log so the SPA can stream container output.
+# Phase C will widen further for write actions; do NOT add secrets,
+# persistentvolumes, or any write verb here yet.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -21,7 +22,12 @@ rules:
       - services
       - configmaps
       - events
+      - endpoints
     verbs: [get, list, watch]
+  - apiGroups: [""]
+    resources:
+      - pods/log
+    verbs: [get]
   - apiGroups: ["apps"]
     resources:
       - deployments
diff --git a/internal/api/k8s/k8s.go b/internal/api/k8s/k8s.go
index e4d1df3..2d4308b 100644
--- a/internal/api/k8s/k8s.go
+++ b/internal/api/k8s/k8s.go
@@ -3,9 +3,16 @@
 package k8s
 
 import (
+	"bufio"
+	"context"
+	"fmt"
 	"net/http"
+	"regexp"
+	"strings"
+	"time"
 
 	"github.com/gofiber/fiber/v2"
+	"github.com/gofiber/websocket/v2"
 	"github.com/rs/zerolog"
 
 	"github.com/tm4rtin17/controlroom/internal/k8s"
@@ -17,14 +24,40 @@ type Deps struct {
 	Logger zerolog.Logger
 }
 
+const (
+	wsLogWriteWait = 5 * time.Second
+	wsLogReadWait  = 70 * time.Second
+	wsLogPing      = 30 * time.Second
+
+	tailDefault = 200
+	tailMax     = 5000
+)
+
+// dns1123RE matches a DNS-1123 subdomain (k8s name and namespace format).
+var dns1123RE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
+
+func validK8sName(s string) bool {
+	return len(s) > 0 && len(s) <= 253 && dns1123RE.MatchString(s)
+}
+
 // MountHTTP registers GET routes on the authenticated router group.
 func MountHTTP(authed fiber.Router, d Deps) {
 	g := authed.Group("/k8s")
 	g.Get("/nodes", d.nodesHandler)
+	g.Get("/nodes/:name", d.nodeDetailHandler)
 	g.Get("/namespaces", d.namespacesHandler)
 	g.Get("/workloads", d.workloadsHandler)
+	g.Get("/workloads/:namespace/:kind/:name", d.workloadDetailHandler)
 	g.Get("/pods", d.podsHandler)
+	g.Get("/pods/:namespace/:name", d.podDetailHandler)
 	g.Get("/services", d.servicesHandler)
+	g.Get("/services/:namespace/:name", d.serviceDetailHandler)
+}
+
+// MountWS registers WebSocket routes on the ws group.
+func MountWS(wsGroup fiber.Router, d Deps) {
+	g := wsGroup.Group("/k8s")
+	g.Get("/pods/:namespace/:name/logs", websocket.New(d.podLogsWS, websocket.Config{HandshakeTimeout: 5 * time.Second}))
 }
 
 func (d Deps) requireClient() error {
@@ -49,6 +82,21 @@ func (d Deps) nodesHandler(c *fiber.Ctx) error {
 	return c.JSON(nodesResp{Nodes: nodes})
 }
 
+func (d Deps) nodeDetailHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	name := c.Params("name")
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid node name")
+	}
+	detail, err := d.Client.GetNode(c.Context(), name)
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "get node: "+err.Error())
+	}
+	return c.JSON(detail)
+}
+
 type namespacesResp struct {
 	Namespaces []k8s.Namespace `json:"namespaces"`
 }
@@ -79,6 +127,38 @@ func (d Deps) workloadsHandler(c *fiber.Ctx) error {
 	return c.JSON(workloadsResp{Workloads: wls})
 }
 
+// validWorkloadKind accepts deployment, statefulset, daemonset (case-insensitive).
+func validWorkloadKind(kind string) bool {
+	switch strings.ToLower(kind) {
+	case "deployment", "statefulset", "daemonset":
+		return true
+	}
+	return false
+}
+
+func (d Deps) workloadDetailHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	namespace := c.Params("namespace")
+	kind := c.Params("kind")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	if !validWorkloadKind(kind) {
+		return fiber.NewError(http.StatusBadRequest, fmt.Sprintf("invalid workload kind %q: must be deployment, statefulset, or daemonset", kind))
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid workload name")
+	}
+	detail, err := d.Client.GetWorkload(c.Context(), namespace, kind, name)
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "get workload: "+err.Error())
+	}
+	return c.JSON(detail)
+}
+
 type podsResp struct {
 	Pods []k8s.Pod `json:"pods"`
 }
@@ -94,6 +174,25 @@ func (d Deps) podsHandler(c *fiber.Ctx) error {
 	return c.JSON(podsResp{Pods: pods})
 }
 
+func (d Deps) podDetailHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	namespace := c.Params("namespace")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid pod name")
+	}
+	detail, err := d.Client.GetPod(c.Context(), namespace, name)
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "get pod: "+err.Error())
+	}
+	return c.JSON(detail)
+}
+
 type servicesResp struct {
 	Services []k8s.Service `json:"services"`
 }
@@ -108,3 +207,132 @@ func (d Deps) servicesHandler(c *fiber.Ctx) error {
 	}
 	return c.JSON(servicesResp{Services: svcs})
 }
+
+func (d Deps) serviceDetailHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	namespace := c.Params("namespace")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid service name")
+	}
+	detail, err := d.Client.GetService(c.Context(), namespace, name)
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "get service: "+err.Error())
+	}
+	return c.JSON(detail)
+}
+
+// ---- WebSocket ----
+
+type wsLogFrame struct {
+	Type   string `json:"type"`             // "line" | "error"
+	Stream string `json:"stream,omitempty"` // always "stdout"
+	Line   string `json:"line,omitempty"`
+	Err    string `json:"err,omitempty"`
+}
+
+func (d Deps) podLogsWS(c *websocket.Conn) {
+	defer func() { _ = c.Close() }()
+
+	if d.Client == nil {
+		_ = c.WriteJSON(wsLogFrame{Type: "error", Err: "kubernetes not available"})
+		return
+	}
+
+	namespace := c.Params("namespace")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		_ = c.WriteJSON(wsLogFrame{Type: "error", Err: "invalid namespace"})
+		return
+	}
+	if !validK8sName(name) {
+		_ = c.WriteJSON(wsLogFrame{Type: "error", Err: "invalid pod name"})
+		return
+	}
+
+	container := c.Query("container")
+	// container is validated by the API server if provided; empty is fine (k8s picks the only one).
+
+	tail := int64(tailDefault)
+	if v := c.Query("tail"); v != "" {
+		var n int64
+		if _, err := fmt.Sscanf(v, "%d", &n); err == nil && n > 0 {
+			if n > tailMax {
+				n = tailMax
+			}
+			tail = n
+		}
+	}
+
+	var sinceSeconds *int64
+	if v := c.Query("since"); v != "" {
+		if dur, err := time.ParseDuration(v); err == nil && dur > 0 {
+			secs := int64(dur.Seconds())
+			sinceSeconds = &secs
+		}
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	_ = c.SetReadDeadline(time.Now().Add(wsLogReadWait))
+	c.SetPongHandler(func(string) error { return c.SetReadDeadline(time.Now().Add(wsLogReadWait)) })
+
+	closed := make(chan struct{})
+	go func() {
+		defer close(closed)
+		for {
+			if _, _, err := c.ReadMessage(); err != nil {
+				return
+			}
+		}
+	}()
+
+	rc, err := d.Client.PodLogs(ctx, namespace, name, container, tail, sinceSeconds)
+	if err != nil {
+		_ = c.WriteJSON(wsLogFrame{Type: "error", Err: err.Error()})
+		return
+	}
+	defer rc.Close()
+
+	lines := make(chan string, 64)
+	go func() {
+		defer close(lines)
+		scanner := bufio.NewScanner(rc)
+		for scanner.Scan() {
+			select {
+			case lines <- scanner.Text():
+			case <-ctx.Done():
+				return
+			}
+		}
+	}()
+
+	ping := time.NewTicker(wsLogPing)
+	defer ping.Stop()
+
+	for {
+		select {
+		case <-closed:
+			return
+		case <-ping.C:
+			_ = c.SetWriteDeadline(time.Now().Add(wsLogWriteWait))
+			if err := c.WriteMessage(websocket.PingMessage, nil); err != nil {
+				return
+			}
+		case line, ok := <-lines:
+			if !ok {
+				return
+			}
+			_ = c.SetWriteDeadline(time.Now().Add(wsLogWriteWait))
+			if err := c.WriteJSON(wsLogFrame{Type: "line", Stream: "stdout", Line: line}); err != nil {
+				return
+			}
+		}
+	}
+}
diff --git a/internal/api/router.go b/internal/api/router.go
index dfec4b2..d5397fa 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -140,6 +140,7 @@ func NewRouter(d Deps) *fiber.App {
 	terminalapi.MountWS(wsGroup, terminalapi.Deps{DB: d.DB, Logger: d.Logger})
 	updatesapi.MountWS(wsGroup, updatesDeps)
 	logsapi.MountWS(wsGroup, logsapi.Deps{Logger: d.Logger})
+	k8sapi.MountWS(wsGroup, k8sapi.Deps{Client: d.K8s, Logger: d.Logger})
 
 	wsGroup.All("/*", notFound)
 
diff --git a/internal/k8s/detail.go b/internal/k8s/detail.go
new file mode 100644
index 0000000..492988b
--- /dev/null
+++ b/internal/k8s/detail.go
@@ -0,0 +1,489 @@
+package k8s
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ---- detail domain types ----
+
+type Event struct {
+	Type    string `json:"type"`   // "Normal" | "Warning"
+	Reason  string `json:"reason"`
+	Message string `json:"message"`
+	Source  string `json:"source"` // "kubelet" | controller name
+	Count   int32  `json:"count"`
+	First   string `json:"first"` // RFC3339
+	Last    string `json:"last"`  // RFC3339
+}
+
+type Condition struct {
+	Type               string `json:"type"`
+	Status             string `json:"status"` // "True" | "False" | "Unknown"
+	Reason             string `json:"reason"`
+	Message            string `json:"message"`
+	LastTransitionTime string `json:"last_transition_time"` // RFC3339
+}
+
+type Taint struct {
+	Key    string `json:"key"`
+	Value  string `json:"value"`
+	Effect string `json:"effect"`
+}
+
+type NodeDetail struct {
+	Node        Node         `json:"node"`
+	Conditions  []Condition  `json:"conditions"`  // never nil
+	Allocatable NodeCapacity `json:"allocatable"`
+	Taints      []Taint      `json:"taints"`  // never nil
+	Events      []Event      `json:"events"`  // never nil
+}
+
+type WorkloadDetail struct {
+	Workload   Workload          `json:"workload"`
+	Conditions []Condition       `json:"conditions"` // never nil
+	Selector   map[string]string `json:"selector"`   // never nil
+	Strategy   string            `json:"strategy"`
+	Events     []Event           `json:"events"` // never nil
+}
+
+type ContainerStatus struct {
+	Name         string `json:"name"`
+	Image        string `json:"image"`
+	Ready        bool   `json:"ready"`
+	RestartCount int32  `json:"restart_count"`
+	State        string `json:"state"`   // "running" | "waiting" | "terminated"
+	Reason       string `json:"reason"`  // for waiting/terminated
+	Started      string `json:"started"` // RFC3339; "" when not running
+}
+
+type PodDetail struct {
+	Pod        Pod               `json:"pod"`
+	Conditions []Condition       `json:"conditions"` // never nil
+	Containers []ContainerStatus `json:"containers"` // never nil
+	NodeName   string            `json:"node_name"`
+	QoSClass   string            `json:"qos_class"`
+	Events     []Event           `json:"events"` // never nil
+}
+
+type EndpointAddr struct {
+	IP       string `json:"ip"`
+	NodeName string `json:"node_name"`
+	Ready    bool   `json:"ready"`
+}
+
+type ServiceDetail struct {
+	Service   Service           `json:"service"`
+	Endpoints []EndpointAddr    `json:"endpoints"` // never nil
+	Selector  map[string]string `json:"selector"`  // never nil
+	Events    []Event           `json:"events"`    // never nil
+}
+
+// ---- Get* methods ----
+
+func (c *Client) GetNode(ctx context.Context, name string) (*NodeDetail, error) {
+	n, err := c.cs.CoreV1().Nodes().Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	conditions := make([]Condition, 0, len(n.Status.Conditions))
+	for _, cond := range n.Status.Conditions {
+		conditions = append(conditions, Condition{
+			Type:               string(cond.Type),
+			Status:             string(cond.Status),
+			Reason:             cond.Reason,
+			Message:            cond.Message,
+			LastTransitionTime: cond.LastTransitionTime.UTC().Format(time.RFC3339),
+		})
+	}
+
+	taints := make([]Taint, 0, len(n.Spec.Taints))
+	for _, t := range n.Spec.Taints {
+		taints = append(taints, Taint{
+			Key:    t.Key,
+			Value:  t.Value,
+			Effect: string(t.Effect),
+		})
+	}
+
+	alloc := n.Status.Allocatable
+	events, err := c.ListEvents(ctx, "", "Node", name)
+	if err != nil {
+		events = []Event{}
+	}
+
+	return &NodeDetail{
+		Node:       nodeFrom(*n),
+		Conditions: conditions,
+		Allocatable: NodeCapacity{
+			CPU:    alloc.Cpu().String(),
+			Memory: alloc.Memory().String(),
+			Pods:   alloc.Pods().String(),
+		},
+		Taints: taints,
+		Events: events,
+	}, nil
+}
+
+func (c *Client) GetWorkload(ctx context.Context, namespace, kind, name string) (*WorkloadDetail, error) {
+	switch strings.ToLower(kind) {
+	case "deployment":
+		return c.getDeploymentDetail(ctx, namespace, name)
+	case "statefulset":
+		return c.getStatefulSetDetail(ctx, namespace, name)
+	case "daemonset":
+		return c.getDaemonSetDetail(ctx, namespace, name)
+	default:
+		return nil, fmt.Errorf("unknown workload kind: %s", kind)
+	}
+}
+
+func (c *Client) getDeploymentDetail(ctx context.Context, namespace, name string) (*WorkloadDetail, error) {
+	d, err := c.cs.AppsV1().Deployments(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	conditions := make([]Condition, 0, len(d.Status.Conditions))
+	for _, cond := range d.Status.Conditions {
+		conditions = append(conditions, Condition{
+			Type:               string(cond.Type),
+			Status:             string(cond.Status),
+			Reason:             cond.Reason,
+			Message:            cond.Message,
+			LastTransitionTime: cond.LastTransitionTime.UTC().Format(time.RFC3339),
+		})
+	}
+
+	selector := selectorLabels(d.Spec.Selector)
+	strategy := string(d.Spec.Strategy.Type)
+
+	labels := d.Labels
+	if labels == nil {
+		labels = map[string]string{}
+	}
+	images := containerImages(d.Spec.Template.Spec.Containers)
+
+	events, err := c.ListEvents(ctx, namespace, "Deployment", name)
+	if err != nil {
+		events = []Event{}
+	}
+
+	return &WorkloadDetail{
+		Workload: Workload{
+			Kind:      "Deployment",
+			Name:      d.Name,
+			Namespace: d.Namespace,
+			Ready:     WorkloadReady{Current: d.Status.ReadyReplicas, Desired: derefInt32(d.Spec.Replicas)},
+			Images:    images,
+			Age:       d.CreationTimestamp.UTC().Format(time.RFC3339),
+			Labels:    labels,
+		},
+		Conditions: conditions,
+		Selector:   selector,
+		Strategy:   strategy,
+		Events:     events,
+	}, nil
+}
+
+func (c *Client) getStatefulSetDetail(ctx context.Context, namespace, name string) (*WorkloadDetail, error) {
+	s, err := c.cs.AppsV1().StatefulSets(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	conditions := make([]Condition, 0, len(s.Status.Conditions))
+	for _, cond := range s.Status.Conditions {
+		conditions = append(conditions, Condition{
+			Type:               string(cond.Type),
+			Status:             string(cond.Status),
+			Reason:             cond.Reason,
+			Message:            cond.Message,
+			LastTransitionTime: cond.LastTransitionTime.UTC().Format(time.RFC3339),
+		})
+	}
+
+	selector := selectorLabels(s.Spec.Selector)
+	strategy := string(s.Spec.UpdateStrategy.Type)
+
+	labels := s.Labels
+	if labels == nil {
+		labels = map[string]string{}
+	}
+	images := containerImages(s.Spec.Template.Spec.Containers)
+
+	events, err := c.ListEvents(ctx, namespace, "StatefulSet", name)
+	if err != nil {
+		events = []Event{}
+	}
+
+	return &WorkloadDetail{
+		Workload: Workload{
+			Kind:      "StatefulSet",
+			Name:      s.Name,
+			Namespace: s.Namespace,
+			Ready:     WorkloadReady{Current: s.Status.ReadyReplicas, Desired: derefInt32(s.Spec.Replicas)},
+			Images:    images,
+			Age:       s.CreationTimestamp.UTC().Format(time.RFC3339),
+			Labels:    labels,
+		},
+		Conditions: conditions,
+		Selector:   selector,
+		Strategy:   strategy,
+		Events:     events,
+	}, nil
+}
+
+func (c *Client) getDaemonSetDetail(ctx context.Context, namespace, name string) (*WorkloadDetail, error) {
+	ds, err := c.cs.AppsV1().DaemonSets(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	// DaemonSets don't have conditions in status; return empty slice.
+	conditions := []Condition{}
+
+	selector := selectorLabels(ds.Spec.Selector)
+	strategy := string(ds.Spec.UpdateStrategy.Type)
+
+	labels := ds.Labels
+	if labels == nil {
+		labels = map[string]string{}
+	}
+	images := containerImages(ds.Spec.Template.Spec.Containers)
+
+	events, err := c.ListEvents(ctx, namespace, "DaemonSet", name)
+	if err != nil {
+		events = []Event{}
+	}
+
+	return &WorkloadDetail{
+		Workload: Workload{
+			Kind:      "DaemonSet",
+			Name:      ds.Name,
+			Namespace: ds.Namespace,
+			Ready:     WorkloadReady{Current: ds.Status.NumberReady, Desired: ds.Status.DesiredNumberScheduled},
+			Images:    images,
+			Age:       ds.CreationTimestamp.UTC().Format(time.RFC3339),
+			Labels:    labels,
+		},
+		Conditions: conditions,
+		Selector:   selector,
+		Strategy:   strategy,
+		Events:     events,
+	}, nil
+}
+
+func (c *Client) GetPod(ctx context.Context, namespace, name string) (*PodDetail, error) {
+	p, err := c.cs.CoreV1().Pods(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	conditions := make([]Condition, 0, len(p.Status.Conditions))
+	for _, cond := range p.Status.Conditions {
+		conditions = append(conditions, Condition{
+			Type:               string(cond.Type),
+			Status:             string(cond.Status),
+			Reason:             cond.Reason,
+			Message:            cond.Message,
+			LastTransitionTime: cond.LastTransitionTime.UTC().Format(time.RFC3339),
+		})
+	}
+
+	// Build a map of container status by name for O(1) lookup.
+	statusByName := make(map[string]corev1.ContainerStatus, len(p.Status.ContainerStatuses))
+	for _, cs := range p.Status.ContainerStatuses {
+		statusByName[cs.Name] = cs
+	}
+
+	containers := make([]ContainerStatus, 0, len(p.Spec.Containers))
+	for _, spec := range p.Spec.Containers {
+		cs, ok := statusByName[spec.Name]
+		state := "waiting"
+		reason := ""
+		started := ""
+		if ok {
+			state, reason, started = containerState(cs.State)
+		}
+		ready := ok && cs.Ready
+		var restarts int32
+		if ok {
+			restarts = cs.RestartCount
+		}
+		containers = append(containers, ContainerStatus{
+			Name:         spec.Name,
+			Image:        spec.Image,
+			Ready:        ready,
+			RestartCount: restarts,
+			State:        state,
+			Reason:       reason,
+			Started:      started,
+		})
+	}
+
+	events, err := c.ListEvents(ctx, namespace, "Pod", name)
+	if err != nil {
+		events = []Event{}
+	}
+
+	return &PodDetail{
+		Pod:        podFrom(*p),
+		Conditions: conditions,
+		Containers: containers,
+		NodeName:   p.Spec.NodeName,
+		QoSClass:   string(p.Status.QOSClass),
+		Events:     events,
+	}, nil
+}
+
+func (c *Client) GetService(ctx context.Context, namespace, name string) (*ServiceDetail, error) {
+	s, err := c.cs.CoreV1().Services(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	selector := s.Spec.Selector
+	if selector == nil {
+		selector = map[string]string{}
+	}
+
+	// Fetch endpoints for this service.
+	ep, err := c.cs.CoreV1().Endpoints(namespace).Get(ctx, name, metav1.GetOptions{})
+	endpoints := []EndpointAddr{}
+	if err == nil {
+		for _, subset := range ep.Subsets {
+			for _, addr := range subset.Addresses {
+				nodeName := ""
+				if addr.NodeName != nil {
+					nodeName = *addr.NodeName
+				}
+				endpoints = append(endpoints, EndpointAddr{IP: addr.IP, NodeName: nodeName, Ready: true})
+			}
+			for _, addr := range subset.NotReadyAddresses {
+				nodeName := ""
+				if addr.NodeName != nil {
+					nodeName = *addr.NodeName
+				}
+				endpoints = append(endpoints, EndpointAddr{IP: addr.IP, NodeName: nodeName, Ready: false})
+			}
+		}
+	}
+
+	events, err := c.ListEvents(ctx, namespace, "Service", name)
+	if err != nil {
+		events = []Event{}
+	}
+
+	return &ServiceDetail{
+		Service:   serviceFrom(*s),
+		Endpoints: endpoints,
+		Selector:  selector,
+		Events:    events,
+	}, nil
+}
+
+// ListEvents lists events whose involvedObject matches (namespace, kind, name).
+// For cluster-scoped objects (e.g. Node), pass empty namespace.
+func (c *Client) ListEvents(ctx context.Context, namespace, kind, name string) ([]Event, error) {
+	// Field selector targets the specific object to avoid fetching all events.
+	fieldSelector := fmt.Sprintf("involvedObject.kind=%s,involvedObject.name=%s", kind, name)
+	if namespace != "" {
+		fieldSelector += fmt.Sprintf(",involvedObject.namespace=%s", namespace)
+	}
+
+	list, err := c.cs.CoreV1().Events(namespace).List(ctx, metav1.ListOptions{
+		FieldSelector: fieldSelector,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	out := make([]Event, 0, len(list.Items))
+	for _, ev := range list.Items {
+		out = append(out, eventFrom(ev))
+	}
+	return out, nil
+}
+
+// ---- conversion helpers ----
+
+func eventFrom(ev corev1.Event) Event {
+	source := ev.Source.Component
+	if source == "" {
+		source = ev.ReportingController
+	}
+
+	// Prefer eventTime over firstTimestamp for newer events.
+	first := ev.FirstTimestamp.UTC().Format(time.RFC3339)
+	if ev.FirstTimestamp.IsZero() && !ev.EventTime.IsZero() {
+		first = ev.EventTime.UTC().Format(time.RFC3339)
+	}
+	last := ev.LastTimestamp.UTC().Format(time.RFC3339)
+	if ev.LastTimestamp.IsZero() && !ev.EventTime.IsZero() {
+		last = ev.EventTime.UTC().Format(time.RFC3339)
+	}
+
+	count := ev.Count
+	if count == 0 {
+		count = 1
+	}
+
+	return Event{
+		Type:    ev.Type,
+		Reason:  ev.Reason,
+		Message: ev.Message,
+		Source:  source,
+		Count:   count,
+		First:   first,
+		Last:    last,
+	}
+}
+
+func containerState(s corev1.ContainerState) (state, reason, started string) {
+	if s.Running != nil {
+		started = s.Running.StartedAt.UTC().Format(time.RFC3339)
+		return "running", "", started
+	}
+	if s.Waiting != nil {
+		return "waiting", s.Waiting.Reason, ""
+	}
+	if s.Terminated != nil {
+		return "terminated", s.Terminated.Reason, ""
+	}
+	return "waiting", "", ""
+}
+
+func selectorLabels(sel *metav1.LabelSelector) map[string]string {
+	if sel == nil || sel.MatchLabels == nil {
+		return map[string]string{}
+	}
+	out := make(map[string]string, len(sel.MatchLabels))
+	for k, v := range sel.MatchLabels {
+		out[k] = v
+	}
+	return out
+}
+
+// PodLogs opens a streaming log reader for the given pod/container.
+// container may be empty if the pod has exactly one container.
+// sinceSeconds may be nil (no time floor).
+func (c *Client) PodLogs(ctx context.Context, namespace, name, container string, tail int64, sinceSeconds *int64) (io.ReadCloser, error) {
+	opts := &corev1.PodLogOptions{
+		Follow:       true,
+		TailLines:    &tail,
+		SinceSeconds: sinceSeconds,
+	}
+	if container != "" {
+		opts.Container = container
+	}
+	req := c.cs.CoreV1().Pods(namespace).GetLogs(name, opts)
+	return req.Stream(ctx)
+}
diff --git a/web/src/components/k8s/ConditionsTable.tsx b/web/src/components/k8s/ConditionsTable.tsx
new file mode 100644
index 0000000..d20f4bb
--- /dev/null
+++ b/web/src/components/k8s/ConditionsTable.tsx
@@ -0,0 +1,47 @@
+import type { K8sCondition } from '@/lib/k8s'
+import { formatRelativeTime } from '@/lib/format'
+import { Badge } from '@/components/ui/badge'
+
+const STATUS_VARIANT: Record<string, 'success' | 'danger' | 'muted'> = {
+  True: 'success',
+  False: 'danger',
+  Unknown: 'muted',
+}
+
+export function ConditionsTable({ conditions }: { conditions: K8sCondition[] }) {
+  if (conditions.length === 0) {
+    return <p className="text-xs text-muted-foreground">No conditions.</p>
+  }
+  return (
+    <div className="overflow-x-auto">
+      <table className="w-full text-xs">
+        <thead>
+          <tr className="border-b text-left text-muted-foreground">
+            <th className="py-1.5 pr-3 font-medium">Type</th>
+            <th className="py-1.5 pr-3 font-medium">Status</th>
+            <th className="py-1.5 pr-3 font-medium">Reason</th>
+            <th className="py-1.5 pr-3 font-medium">Message</th>
+            <th className="py-1.5 font-medium">Last Transition</th>
+          </tr>
+        </thead>
+        <tbody className="divide-y">
+          {conditions.map((c) => (
+            <tr key={c.type}>
+              <td className="py-1.5 pr-3 font-mono">{c.type}</td>
+              <td className="py-1.5 pr-3">
+                <Badge variant={STATUS_VARIANT[c.status] ?? 'muted'}>{c.status}</Badge>
+              </td>
+              <td className="py-1.5 pr-3 text-muted-foreground">{c.reason || '—'}</td>
+              <td className="py-1.5 pr-3 max-w-[200px] truncate text-muted-foreground" title={c.message}>
+                {c.message || '—'}
+              </td>
+              <td className="py-1.5 text-muted-foreground">
+                {c.last_transition_time ? formatRelativeTime(c.last_transition_time) : '—'}
+              </td>
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </div>
+  )
+}
diff --git a/web/src/components/k8s/EventsTable.tsx b/web/src/components/k8s/EventsTable.tsx
new file mode 100644
index 0000000..c20137f
--- /dev/null
+++ b/web/src/components/k8s/EventsTable.tsx
@@ -0,0 +1,41 @@
+import type { K8sEvent } from '@/lib/k8s'
+import { formatRelativeTime } from '@/lib/format'
+import { Badge } from '@/components/ui/badge'
+
+export function EventsTable({ events }: { events: K8sEvent[] }) {
+  if (events.length === 0) {
+    return <p className="text-xs text-muted-foreground">No events.</p>
+  }
+  return (
+    <div className="overflow-x-auto">
+      <table className="w-full text-xs">
+        <thead>
+          <tr className="border-b text-left text-muted-foreground">
+            <th className="py-1.5 pr-3 font-medium">Type</th>
+            <th className="py-1.5 pr-3 font-medium">Reason</th>
+            <th className="py-1.5 pr-3 font-medium">Source</th>
+            <th className="py-1.5 pr-3 font-medium">Message</th>
+            <th className="py-1.5 font-medium">Last</th>
+          </tr>
+        </thead>
+        <tbody className="divide-y">
+          {events.map((e, i) => (
+            <tr key={i}>
+              <td className="py-1.5 pr-3">
+                <Badge variant={e.type === 'Warning' ? 'warn' : 'muted'}>{e.type}</Badge>
+              </td>
+              <td className="py-1.5 pr-3 font-mono">{e.reason}</td>
+              <td className="py-1.5 pr-3 text-muted-foreground">{e.source}</td>
+              <td className="py-1.5 pr-3 max-w-[220px] truncate text-muted-foreground" title={e.message}>
+                {e.message}
+              </td>
+              <td className="py-1.5 text-muted-foreground">
+                {e.last ? formatRelativeTime(e.last) : '—'}
+              </td>
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </div>
+  )
+}
diff --git a/web/src/components/k8s/NodeDetail.tsx b/web/src/components/k8s/NodeDetail.tsx
new file mode 100644
index 0000000..3554a52
--- /dev/null
+++ b/web/src/components/k8s/NodeDetail.tsx
@@ -0,0 +1,82 @@
+import { useK8sNodeDetail } from '@/lib/k8s'
+import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import { Badge } from '@/components/ui/badge'
+import { K8sNodeStatusPill } from './K8sStatusPill'
+import { ConditionsTable } from './ConditionsTable'
+import { EventsTable } from './EventsTable'
+
+function Section({ title, children }: { title: string; children: React.ReactNode }) {
+  return (
+    <div>
+      <p className="mb-2 text-xs uppercase tracking-wider text-muted-foreground">{title}</p>
+      {children}
+    </div>
+  )
+}
+
+export function NodeDetail({
+  name,
+  open,
+  onOpenChange,
+}: {
+  name: string | null
+  open: boolean
+  onOpenChange: (open: boolean) => void
+}) {
+  const { data } = useK8sNodeDetail(open ? name : null)
+
+  return (
+    <Sheet open={open} onOpenChange={onOpenChange}>
+      <SheetContent className="overflow-y-auto">
+        <SheetHeader>
+          <SheetTitle className="font-mono break-all">{data?.node.name ?? name}</SheetTitle>
+          <SheetDescription>
+            {data ? `${data.node.os} / ${data.node.arch} · ${data.node.version}` : ''}
+          </SheetDescription>
+        </SheetHeader>
+
+        {data && (
+          <div className="mt-4 flex flex-col gap-6">
+            <div className="flex items-center gap-2">
+              <K8sNodeStatusPill status={data.node.status} />
+            </div>
+
+            {/* Capacity / Allocatable */}
+            <Section title="Capacity / Allocatable">
+              <div className="grid grid-cols-3 gap-3 text-xs">
+                {(['cpu', 'memory', 'pods'] as const).map((k) => (
+                  <div key={k}>
+                    <div className="uppercase tracking-wider text-muted-foreground">{k}</div>
+                    <div className="font-mono">{data.node.capacity[k]}</div>
+                    <div className="font-mono text-muted-foreground">{data.allocatable[k]}</div>
+                  </div>
+                ))}
+              </div>
+              <p className="mt-1 text-[10px] text-muted-foreground">capacity / allocatable</p>
+            </Section>
+
+            <Section title="Conditions">
+              <ConditionsTable conditions={data.conditions} />
+            </Section>
+
+            {data.taints.length > 0 && (
+              <Section title="Taints">
+                <div className="flex flex-wrap gap-1.5">
+                  {data.taints.map((t, i) => (
+                    <Badge key={i} variant="warn">
+                      {t.key}{t.value ? `=${t.value}` : ''}:{t.effect}
+                    </Badge>
+                  ))}
+                </div>
+              </Section>
+            )}
+
+            <Section title="Events">
+              <EventsTable events={data.events} />
+            </Section>
+          </div>
+        )}
+      </SheetContent>
+    </Sheet>
+  )
+}
diff --git a/web/src/components/k8s/NodeList.tsx b/web/src/components/k8s/NodeList.tsx
index 1e84712..b43a801 100644
--- a/web/src/components/k8s/NodeList.tsx
+++ b/web/src/components/k8s/NodeList.tsx
@@ -10,9 +10,10 @@ interface Props {
   loading: boolean
   error: Error | null
   search: string
+  onOpen?: (name: string) => void
 }
 
-export function NodeList({ nodes, loading, error, search }: Props) {
+export function NodeList({ nodes, loading, error, search, onOpen }: Props) {
   if (loading) {
     return (
       <Card>
@@ -63,7 +64,7 @@ export function NodeList({ nodes, loading, error, search }: Props) {
               {filtered.map((node) => {
                 const internalIP = node.addresses.find((a) => a.type === 'InternalIP')?.address ?? '—'
                 return (
-                  <tr key={node.name} className="hover:bg-accent/30">
+                  <tr key={node.name} className={onOpen ? 'cursor-pointer hover:bg-accent/30' : 'hover:bg-accent/30'} onClick={() => onOpen?.(node.name)}>
                     <td className="px-4 py-3 font-mono text-xs font-medium">{node.name}</td>
                     <td className="px-4 py-3">
                       <K8sNodeStatusPill status={node.status} />
diff --git a/web/src/components/k8s/PodDetail.tsx b/web/src/components/k8s/PodDetail.tsx
new file mode 100644
index 0000000..b2f8b40
--- /dev/null
+++ b/web/src/components/k8s/PodDetail.tsx
@@ -0,0 +1,145 @@
+import { useState } from 'react'
+
+import { useK8sPodDetail } from '@/lib/k8s'
+import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import { Badge } from '@/components/ui/badge'
+import { cn } from '@/lib/utils'
+import { K8sPodStatusPill } from './K8sStatusPill'
+import { ConditionsTable } from './ConditionsTable'
+import { EventsTable } from './EventsTable'
+import { PodLogStream } from './PodLogStream'
+
+function Section({ title, children }: { title: string; children: React.ReactNode }) {
+  return (
+    <div>
+      <p className="mb-2 text-xs uppercase tracking-wider text-muted-foreground">{title}</p>
+      {children}
+    </div>
+  )
+}
+
+export function PodDetail({
+  namespace,
+  name,
+  open,
+  onOpenChange,
+}: {
+  namespace: string | null
+  name: string | null
+  open: boolean
+  onOpenChange: (open: boolean) => void
+}) {
+  const { data } = useK8sPodDetail(open ? namespace : null, open ? name : null)
+  const [activeContainer, setActiveContainer] = useState<string | null>(null)
+
+  const containers = data?.containers ?? []
+  // Resolve active container: use state if valid, else first container
+  const resolvedContainer =
+    (activeContainer && containers.find((c) => c.name === activeContainer)?.name) ||
+    containers[0]?.name ||
+    null
+
+  return (
+    <Sheet open={open} onOpenChange={onOpenChange}>
+      <SheetContent className="overflow-y-auto">
+        <SheetHeader>
+          <SheetTitle className="font-mono break-all">{data?.pod.name ?? name}</SheetTitle>
+          <SheetDescription>
+            {data ? `${data.pod.namespace} · ${data.node_name || '—'} · ${data.pod.pod_ip || '—'} · ${data.qos_class}` : (namespace ?? '')}
+          </SheetDescription>
+        </SheetHeader>
+
+        {data && (
+          <div className="mt-4 flex flex-col gap-6">
+            <div className="flex items-center gap-2">
+              <K8sPodStatusPill status={data.pod.status} />
+            </div>
+
+            <Section title="Containers">
+              <div className="overflow-x-auto">
+                <table className="w-full text-xs">
+                  <thead>
+                    <tr className="border-b text-left text-muted-foreground">
+                      <th className="py-1.5 pr-3 font-medium">Name</th>
+                      <th className="py-1.5 pr-3 font-medium">Image</th>
+                      <th className="py-1.5 pr-3 font-medium">Ready</th>
+                      <th className="py-1.5 pr-3 font-medium">Restarts</th>
+                      <th className="py-1.5 pr-3 font-medium">State</th>
+                    </tr>
+                  </thead>
+                  <tbody className="divide-y">
+                    {containers.map((c) => (
+                      <tr
+                        key={c.name}
+                        onClick={() => setActiveContainer(c.name)}
+                        className={cn(
+                          'cursor-pointer hover:bg-accent/30',
+                          resolvedContainer === c.name && 'bg-accent/50'
+                        )}
+                      >
+                        <td className="py-1.5 pr-3 font-mono font-medium">{c.name}</td>
+                        <td className="py-1.5 pr-3 font-mono text-muted-foreground max-w-[160px] truncate" title={c.image}>
+                          {c.image}
+                        </td>
+                        <td className="py-1.5 pr-3">
+                          <Badge variant={c.ready ? 'success' : 'danger'}>{c.ready ? 'Yes' : 'No'}</Badge>
+                        </td>
+                        <td className="py-1.5 pr-3">
+                          <span className={cn('tabular-nums', c.restart_count > 0 && 'text-amber-500')}>
+                            {c.restart_count}
+                          </span>
+                        </td>
+                        <td className="py-1.5 pr-3">
+                          <Badge variant={c.state === 'running' ? 'success' : c.state === 'terminated' ? 'muted' : 'warn'}>
+                            {c.state}
+                          </Badge>
+                        </td>
+                      </tr>
+                    ))}
+                  </tbody>
+                </table>
+              </div>
+            </Section>
+
+            <Section title="Conditions">
+              <ConditionsTable conditions={data.conditions} />
+            </Section>
+
+            <Section title="Events">
+              <EventsTable events={data.events} />
+            </Section>
+
+            {namespace && name && resolvedContainer && (
+              <Section title="Logs">
+                {/* container picker */}
+                {containers.length > 1 && (
+                  <div className="mb-2 flex flex-wrap gap-1.5">
+                    {containers.map((c) => (
+                      <button
+                        key={c.name}
+                        onClick={() => setActiveContainer(c.name)}
+                        className={cn(
+                          'rounded-full border px-2 py-0.5 text-xs transition-colors',
+                          resolvedContainer === c.name
+                            ? 'border-primary/30 bg-primary/10 text-foreground'
+                            : 'border-transparent bg-muted text-muted-foreground hover:text-foreground'
+                        )}
+                      >
+                        {c.name}
+                      </button>
+                    ))}
+                  </div>
+                )}
+                <PodLogStream
+                  namespace={namespace}
+                  podName={name}
+                  container={resolvedContainer}
+                />
+              </Section>
+            )}
+          </div>
+        )}
+      </SheetContent>
+    </Sheet>
+  )
+}
diff --git a/web/src/components/k8s/PodList.tsx b/web/src/components/k8s/PodList.tsx
index a3d94c8..8d6eb8e 100644
--- a/web/src/components/k8s/PodList.tsx
+++ b/web/src/components/k8s/PodList.tsx
@@ -10,9 +10,10 @@ interface Props {
   loading: boolean
   error: Error | null
   search: string
+  onOpen?: (namespace: string, name: string) => void
 }
 
-export function PodList({ pods, loading, error, search }: Props) {
+export function PodList({ pods, loading, error, search, onOpen }: Props) {
   if (loading) {
     return (
       <Card>
@@ -65,7 +66,7 @@ export function PodList({ pods, loading, error, search }: Props) {
             </thead>
             <tbody className="divide-y">
               {filtered.map((pod) => (
-                <tr key={`${pod.namespace}/${pod.name}`} className="hover:bg-accent/30">
+                <tr key={`${pod.namespace}/${pod.name}`} className={onOpen ? 'cursor-pointer hover:bg-accent/30' : 'hover:bg-accent/30'} onClick={() => onOpen?.(pod.namespace, pod.name)}>
                   <td className="px-4 py-3 font-mono text-xs font-medium">{pod.name}</td>
                   <td className="px-4 py-3 text-xs text-muted-foreground">{pod.namespace}</td>
                   <td className="px-4 py-3">
diff --git a/web/src/components/k8s/PodLogStream.tsx b/web/src/components/k8s/PodLogStream.tsx
new file mode 100644
index 0000000..fe8b9f3
--- /dev/null
+++ b/web/src/components/k8s/PodLogStream.tsx
@@ -0,0 +1,104 @@
+import { useEffect, useRef, useState } from 'react'
+import { Pause, Play } from 'lucide-react'
+
+import { podLogsURL } from '@/lib/k8s'
+import { Button } from '@/components/ui/button'
+
+const MAX_LINES = 1000
+
+interface LogLine {
+  line: string
+}
+
+interface LogFrame {
+  type: 'line' | 'error'
+  stream?: string
+  line?: string
+  err?: string
+}
+
+export function PodLogStream({
+  namespace,
+  podName,
+  container,
+}: {
+  namespace: string
+  podName: string
+  container: string
+}) {
+  const [lines, setLines] = useState<LogLine[]>([])
+  const [paused, setPaused] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+  const containerRef = useRef<HTMLDivElement | null>(null)
+
+  useEffect(() => {
+    setLines([])
+    setError(null)
+    const url = podLogsURL(namespace, podName, container)
+    const ws = new WebSocket(url)
+    ws.onmessage = (evt) => {
+      try {
+        const f = JSON.parse(evt.data) as LogFrame
+        if (f.type === 'error') {
+          setError(f.err ?? 'log stream error')
+          return
+        }
+        if (f.type === 'line' && f.line !== undefined) {
+          setLines((prev) => {
+            const next = [...prev, { line: f.line! }]
+            return next.length > MAX_LINES ? next.slice(-MAX_LINES) : next
+          })
+        }
+      } catch {
+        // ignore
+      }
+    }
+    ws.onerror = () => setError('connection error')
+    return () => ws.close()
+  }, [namespace, podName, container])
+
+  useEffect(() => {
+    if (paused) return
+    const el = containerRef.current
+    if (el) el.scrollTop = el.scrollHeight
+  }, [lines, paused])
+
+  return (
+    <div className="flex flex-col gap-2">
+      <div className="flex items-center justify-between">
+        <span className="text-xs text-muted-foreground">
+          {lines.length} line{lines.length === 1 ? '' : 's'}
+          {paused && ' · paused'}
+        </span>
+        <div className="flex gap-2">
+          <Button variant="ghost" size="sm" onClick={() => setPaused((p) => !p)}>
+            {paused ? <Play className="h-4 w-4" aria-hidden /> : <Pause className="h-4 w-4" aria-hidden />}
+            {paused ? 'Resume' : 'Pause'}
+          </Button>
+          <Button variant="ghost" size="sm" onClick={() => setLines([])}>
+            Clear
+          </Button>
+        </div>
+      </div>
+      {error && (
+        <div className="rounded-md border border-destructive/40 bg-destructive/10 px-3 py-2 text-xs text-destructive">
+          {error}
+        </div>
+      )}
+      <div
+        ref={containerRef}
+        className="h-72 overflow-auto rounded-md border bg-background p-3 font-mono text-[11px] leading-relaxed"
+      >
+        {lines.length === 0 ? (
+          <p className="text-muted-foreground">Waiting for output…</p>
+        ) : (
+          lines.map((l, i) => (
+            <div key={i} className="whitespace-pre-wrap break-all">
+              {l.line}
+            </div>
+          ))
+        )}
+      </div>
+    </div>
+  )
+}
diff --git a/web/src/components/k8s/ServiceDetail.tsx b/web/src/components/k8s/ServiceDetail.tsx
new file mode 100644
index 0000000..ed1a2ed
--- /dev/null
+++ b/web/src/components/k8s/ServiceDetail.tsx
@@ -0,0 +1,123 @@
+import { useK8sServiceDetail } from '@/lib/k8s'
+import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import { Badge } from '@/components/ui/badge'
+import { K8sServiceTypePill } from './K8sStatusPill'
+import { EventsTable } from './EventsTable'
+
+function Section({ title, children }: { title: string; children: React.ReactNode }) {
+  return (
+    <div>
+      <p className="mb-2 text-xs uppercase tracking-wider text-muted-foreground">{title}</p>
+      {children}
+    </div>
+  )
+}
+
+export function ServiceDetail({
+  namespace,
+  name,
+  open,
+  onOpenChange,
+}: {
+  namespace: string | null
+  name: string | null
+  open: boolean
+  onOpenChange: (open: boolean) => void
+}) {
+  const { data } = useK8sServiceDetail(open ? namespace : null, open ? name : null)
+  const svc = data?.service
+
+  return (
+    <Sheet open={open} onOpenChange={onOpenChange}>
+      <SheetContent className="overflow-y-auto">
+        <SheetHeader>
+          <SheetTitle className="font-mono break-all">{svc?.name ?? name}</SheetTitle>
+          <SheetDescription>
+            {svc ? `${svc.namespace} · ${svc.cluster_ip || '—'}` : (namespace ?? '')}
+          </SheetDescription>
+        </SheetHeader>
+
+        {data && svc && (
+          <div className="mt-4 flex flex-col gap-6">
+            <div className="flex items-center gap-2">
+              <K8sServiceTypePill type={svc.type} />
+              <span className="font-mono text-xs text-muted-foreground">{svc.cluster_ip}</span>
+            </div>
+
+            {svc.ports.length > 0 && (
+              <Section title="Ports">
+                <div className="overflow-x-auto">
+                  <table className="w-full text-xs">
+                    <thead>
+                      <tr className="border-b text-left text-muted-foreground">
+                        <th className="py-1.5 pr-3 font-medium">Name</th>
+                        <th className="py-1.5 pr-3 font-medium">Port</th>
+                        <th className="py-1.5 pr-3 font-medium">Target</th>
+                        <th className="py-1.5 pr-3 font-medium">Protocol</th>
+                        <th className="py-1.5 font-medium">NodePort</th>
+                      </tr>
+                    </thead>
+                    <tbody className="divide-y">
+                      {svc.ports.map((p, i) => (
+                        <tr key={i}>
+                          <td className="py-1.5 pr-3 font-mono">{p.name || '—'}</td>
+                          <td className="py-1.5 pr-3 tabular-nums">{p.port}</td>
+                          <td className="py-1.5 pr-3 tabular-nums">{p.target_port}</td>
+                          <td className="py-1.5 pr-3 text-muted-foreground">{p.protocol}</td>
+                          <td className="py-1.5 text-muted-foreground">{p.node_port ?? '—'}</td>
+                        </tr>
+                      ))}
+                    </tbody>
+                  </table>
+                </div>
+              </Section>
+            )}
+
+            <Section title="Endpoints">
+              {data.endpoints.length === 0 ? (
+                <p className="text-xs text-muted-foreground">No endpoints.</p>
+              ) : (
+                <div className="overflow-x-auto">
+                  <table className="w-full text-xs">
+                    <thead>
+                      <tr className="border-b text-left text-muted-foreground">
+                        <th className="py-1.5 pr-3 font-medium">IP</th>
+                        <th className="py-1.5 pr-3 font-medium">Node</th>
+                        <th className="py-1.5 font-medium">Ready</th>
+                      </tr>
+                    </thead>
+                    <tbody className="divide-y">
+                      {data.endpoints.map((ep, i) => (
+                        <tr key={i}>
+                          <td className="py-1.5 pr-3 font-mono">{ep.ip}</td>
+                          <td className="py-1.5 pr-3 font-mono text-muted-foreground">{ep.node_name || '—'}</td>
+                          <td className="py-1.5">
+                            <Badge variant={ep.ready ? 'success' : 'danger'}>{ep.ready ? 'Yes' : 'No'}</Badge>
+                          </td>
+                        </tr>
+                      ))}
+                    </tbody>
+                  </table>
+                </div>
+              )}
+            </Section>
+
+            {Object.keys(data.selector).length > 0 && (
+              <Section title="Selector">
+                <div className="flex flex-wrap gap-1.5">
+                  {Object.entries(data.selector).map(([k, v]) => (
+                    <Badge key={k} variant="muted">{k}={v}</Badge>
+                  ))}
+                </div>
+              </Section>
+            )}
+
+            <Section title="Events">
+              <EventsTable events={data.events} />
+            </Section>
+          </div>
+        )}
+      </SheetContent>
+    </Sheet>
+  )
+}
diff --git a/web/src/components/k8s/ServiceList.tsx b/web/src/components/k8s/ServiceList.tsx
index 76dd3e1..e2e3f79 100644
--- a/web/src/components/k8s/ServiceList.tsx
+++ b/web/src/components/k8s/ServiceList.tsx
@@ -9,6 +9,7 @@ interface Props {
   loading: boolean
   error: Error | null
   search: string
+  onOpen?: (namespace: string, name: string) => void
 }
 
 function formatPorts(svc: K8sService): string {
@@ -18,7 +19,7 @@ function formatPorts(svc: K8sService): string {
     .join(', ')
 }
 
-export function ServiceList({ services, loading, error, search }: Props) {
+export function ServiceList({ services, loading, error, search, onOpen }: Props) {
   if (loading) {
     return (
       <Card>
@@ -71,7 +72,7 @@ export function ServiceList({ services, loading, error, search }: Props) {
             </thead>
             <tbody className="divide-y">
               {filtered.map((svc) => (
-                <tr key={`${svc.namespace}/${svc.name}`} className="hover:bg-accent/30">
+                <tr key={`${svc.namespace}/${svc.name}`} className={onOpen ? 'cursor-pointer hover:bg-accent/30' : 'hover:bg-accent/30'} onClick={() => onOpen?.(svc.namespace, svc.name)}>
                   <td className="px-4 py-3 font-mono text-xs font-medium">{svc.name}</td>
                   <td className="px-4 py-3 text-xs text-muted-foreground">{svc.namespace}</td>
                   <td className="px-4 py-3">
diff --git a/web/src/components/k8s/WorkloadDetail.tsx b/web/src/components/k8s/WorkloadDetail.tsx
new file mode 100644
index 0000000..996c20f
--- /dev/null
+++ b/web/src/components/k8s/WorkloadDetail.tsx
@@ -0,0 +1,91 @@
+import { useK8sWorkloadDetail } from '@/lib/k8s'
+import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import { Badge } from '@/components/ui/badge'
+import { cn } from '@/lib/utils'
+import { ConditionsTable } from './ConditionsTable'
+import { EventsTable } from './EventsTable'
+
+function Section({ title, children }: { title: string; children: React.ReactNode }) {
+  return (
+    <div>
+      <p className="mb-2 text-xs uppercase tracking-wider text-muted-foreground">{title}</p>
+      {children}
+    </div>
+  )
+}
+
+export function WorkloadDetail({
+  namespace,
+  kind,
+  name,
+  open,
+  onOpenChange,
+}: {
+  namespace: string | null
+  kind: string | null
+  name: string | null
+  open: boolean
+  onOpenChange: (open: boolean) => void
+}) {
+  const { data } = useK8sWorkloadDetail(
+    open ? namespace : null,
+    open ? kind : null,
+    open ? name : null
+  )
+
+  const w = data?.workload
+  const pct = w && w.ready.desired > 0 ? (w.ready.current / w.ready.desired) * 100 : 0
+  const healthy = w ? w.ready.current >= w.ready.desired : false
+
+  return (
+    <Sheet open={open} onOpenChange={onOpenChange}>
+      <SheetContent className="overflow-y-auto">
+        <SheetHeader>
+          <SheetTitle className="font-mono break-all">{w?.name ?? name}</SheetTitle>
+          <SheetDescription>
+            {w ? `${w.kind} · ${w.namespace}` : (kind && namespace ? `${kind} · ${namespace}` : '')}
+          </SheetDescription>
+        </SheetHeader>
+
+        {data && w && (
+          <div className="mt-4 flex flex-col gap-6">
+            {/* Ready bar */}
+            <div className="flex items-center gap-3">
+              <span className={cn('text-sm tabular-nums font-medium', healthy ? 'text-emerald-500' : 'text-amber-500')}>
+                {w.ready.current}/{w.ready.desired} ready
+              </span>
+              <div className="h-2 flex-1 overflow-hidden rounded-full bg-muted">
+                <div
+                  className={cn('h-full rounded-full', healthy ? 'bg-emerald-500' : 'bg-amber-500')}
+                  style={{ width: `${Math.min(pct, 100)}%` }}
+                />
+              </div>
+            </div>
+
+            <Section title="Strategy">
+              <span className="text-sm">{data.strategy || '—'}</span>
+            </Section>
+
+            {Object.keys(data.selector).length > 0 && (
+              <Section title="Selector">
+                <div className="flex flex-wrap gap-1.5">
+                  {Object.entries(data.selector).map(([k, v]) => (
+                    <Badge key={k} variant="muted">{k}={v}</Badge>
+                  ))}
+                </div>
+              </Section>
+            )}
+
+            <Section title="Conditions">
+              <ConditionsTable conditions={data.conditions} />
+            </Section>
+
+            <Section title="Events">
+              <EventsTable events={data.events} />
+            </Section>
+          </div>
+        )}
+      </SheetContent>
+    </Sheet>
+  )
+}
diff --git a/web/src/components/k8s/WorkloadList.tsx b/web/src/components/k8s/WorkloadList.tsx
index 1e12928..74a0c2a 100644
--- a/web/src/components/k8s/WorkloadList.tsx
+++ b/web/src/components/k8s/WorkloadList.tsx
@@ -10,6 +10,7 @@ interface Props {
   loading: boolean
   error: Error | null
   search: string
+  onOpen?: (namespace: string, kind: string, name: string) => void
 }
 
 const KIND_ORDER: K8sWorkload['kind'][] = ['Deployment', 'StatefulSet', 'DaemonSet']
@@ -20,7 +21,7 @@ const KIND_VARIANT: Record<K8sWorkload['kind'], 'default' | 'warn' | 'muted'> =
   DaemonSet: 'muted',
 }
 
-export function WorkloadList({ workloads, loading, error, search }: Props) {
+export function WorkloadList({ workloads, loading, error, search, onOpen }: Props) {
   if (loading) {
     return (
       <Card>
@@ -86,7 +87,7 @@ export function WorkloadList({ workloads, loading, error, search }: Props) {
                       const pct = w.ready.desired > 0 ? (w.ready.current / w.ready.desired) * 100 : 0
                       const healthy = w.ready.current >= w.ready.desired
                       return (
-                        <tr key={`${w.namespace}/${w.name}`} className="hover:bg-accent/30">
+                        <tr key={`${w.namespace}/${w.name}`} className={onOpen ? 'cursor-pointer hover:bg-accent/30' : 'hover:bg-accent/30'} onClick={() => onOpen?.(w.namespace, w.kind, w.name)}>
                           <td className="px-4 py-3 font-mono text-xs font-medium">{w.name}</td>
                           <td className="px-4 py-3 text-xs text-muted-foreground">{w.namespace}</td>
                           <td className="px-4 py-3">
diff --git a/web/src/lib/k8s.ts b/web/src/lib/k8s.ts
index 81f2830..565ac70 100644
--- a/web/src/lib/k8s.ts
+++ b/web/src/lib/k8s.ts
@@ -2,6 +2,78 @@ import { useQuery } from '@tanstack/react-query'
 
 import { apiFetch } from './api'
 
+export interface K8sCondition {
+  type: string
+  status: 'True' | 'False' | 'Unknown'
+  reason: string
+  message: string
+  last_transition_time: string
+}
+
+export interface K8sEvent {
+  type: 'Normal' | 'Warning'
+  reason: string
+  message: string
+  source: string
+  count: number
+  first: string
+  last: string
+}
+
+export interface K8sTaint {
+  key: string
+  value: string
+  effect: string
+}
+
+export interface K8sContainerStatus {
+  name: string
+  image: string
+  ready: boolean
+  restart_count: number
+  state: 'running' | 'waiting' | 'terminated' | string
+  reason: string
+  started: string
+}
+
+export interface K8sEndpointAddr {
+  ip: string
+  node_name: string
+  ready: boolean
+}
+
+export interface K8sNodeDetail {
+  node: K8sNode
+  conditions: K8sCondition[]
+  allocatable: { cpu: string; memory: string; pods: string }
+  taints: K8sTaint[]
+  events: K8sEvent[]
+}
+
+export interface K8sWorkloadDetail {
+  workload: K8sWorkload
+  conditions: K8sCondition[]
+  selector: Record<string, string>
+  strategy: string
+  events: K8sEvent[]
+}
+
+export interface K8sPodDetail {
+  pod: K8sPod
+  conditions: K8sCondition[]
+  containers: K8sContainerStatus[]
+  node_name: string
+  qos_class: string
+  events: K8sEvent[]
+}
+
+export interface K8sServiceDetail {
+  service: K8sService
+  endpoints: K8sEndpointAddr[]
+  selector: Record<string, string>
+  events: K8sEvent[]
+}
+
 export interface K8sNode {
   name: string
   status: 'Ready' | 'NotReady' | 'Unknown'
@@ -105,3 +177,51 @@ export function useK8sServices(namespace: string) {
     staleTime: 2_000,
   })
 }
+
+export function useK8sNodeDetail(name: string | null) {
+  return useQuery({
+    queryKey: ['k8s', 'nodes', name, 'detail'],
+    queryFn: () => apiFetch<K8sNodeDetail>(`/api/k8s/nodes/${encodeURIComponent(name!)}`),
+    enabled: !!name,
+    refetchInterval: 10_000,
+  })
+}
+
+export function useK8sWorkloadDetail(namespace: string | null, kind: string | null, name: string | null) {
+  return useQuery({
+    queryKey: ['k8s', 'workloads', namespace, kind, name, 'detail'],
+    queryFn: () =>
+      apiFetch<K8sWorkloadDetail>(
+        `/api/k8s/workloads/${encodeURIComponent(namespace!)}/${encodeURIComponent(kind!.toLowerCase())}/${encodeURIComponent(name!)}`
+      ),
+    enabled: !!(namespace && kind && name),
+    refetchInterval: 10_000,
+  })
+}
+
+export function useK8sPodDetail(namespace: string | null, name: string | null) {
+  return useQuery({
+    queryKey: ['k8s', 'pods', namespace, name, 'detail'],
+    queryFn: () =>
+      apiFetch<K8sPodDetail>(`/api/k8s/pods/${encodeURIComponent(namespace!)}/${encodeURIComponent(name!)}`),
+    enabled: !!(namespace && name),
+    refetchInterval: 10_000,
+  })
+}
+
+export function useK8sServiceDetail(namespace: string | null, name: string | null) {
+  return useQuery({
+    queryKey: ['k8s', 'services', namespace, name, 'detail'],
+    queryFn: () =>
+      apiFetch<K8sServiceDetail>(
+        `/api/k8s/services/${encodeURIComponent(namespace!)}/${encodeURIComponent(name!)}`
+      ),
+    enabled: !!(namespace && name),
+    refetchInterval: 10_000,
+  })
+}
+
+export function podLogsURL(namespace: string, name: string, container: string): string {
+  const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:'
+  return `${proto}//${window.location.host}/ws/k8s/pods/${encodeURIComponent(namespace)}/${encodeURIComponent(name)}/logs?container=${encodeURIComponent(container)}&tail=200`
+}
diff --git a/web/src/routes/Kubernetes.tsx b/web/src/routes/Kubernetes.tsx
index be3a102..de3fe9a 100644
--- a/web/src/routes/Kubernetes.tsx
+++ b/web/src/routes/Kubernetes.tsx
@@ -11,6 +11,10 @@ import { NodeList } from '@/components/k8s/NodeList'
 import { WorkloadList } from '@/components/k8s/WorkloadList'
 import { PodList } from '@/components/k8s/PodList'
 import { ServiceList } from '@/components/k8s/ServiceList'
+import { NodeDetail } from '@/components/k8s/NodeDetail'
+import { WorkloadDetail } from '@/components/k8s/WorkloadDetail'
+import { PodDetail } from '@/components/k8s/PodDetail'
+import { ServiceDetail } from '@/components/k8s/ServiceDetail'
 
 type Tab = 'nodes' | 'workloads' | 'pods' | 'services'
 
@@ -21,11 +25,21 @@ const TABS: { id: Tab; label: string }[] = [
   { id: 'services', label: 'Services' },
 ]
 
+interface NodeOpen { name: string }
+interface WorkloadOpen { namespace: string; kind: string; name: string }
+interface PodOpen { namespace: string; name: string }
+interface ServiceOpen { namespace: string; name: string }
+
 export function Kubernetes() {
   const [tab, setTab] = useState<Tab>('nodes')
   const [namespace, setNamespace] = useState('')
   const [search, setSearch] = useState('')
 
+  const [openNode, setOpenNode] = useState<NodeOpen | null>(null)
+  const [openWorkload, setOpenWorkload] = useState<WorkloadOpen | null>(null)
+  const [openPod, setOpenPod] = useState<PodOpen | null>(null)
+  const [openService, setOpenService] = useState<ServiceOpen | null>(null)
+
   const namespacesQ = useK8sNamespaces()
   const nodesQ = useK8sNodes()
   const workloadsQ = useK8sWorkloads(namespace)
@@ -109,6 +123,7 @@ export function Kubernetes() {
           loading={nodesQ.isLoading}
           error={nodesQ.error}
           search={search}
+          onOpen={(name) => setOpenNode({ name })}
         />
       )}
       {tab === 'workloads' && (
@@ -117,6 +132,7 @@ export function Kubernetes() {
           loading={workloadsQ.isLoading}
           error={workloadsQ.error}
           search={search}
+          onOpen={(ns, kind, name) => setOpenWorkload({ namespace: ns, kind, name })}
         />
       )}
       {tab === 'pods' && (
@@ -125,6 +141,7 @@ export function Kubernetes() {
           loading={podsQ.isLoading}
           error={podsQ.error}
           search={search}
+          onOpen={(ns, name) => setOpenPod({ namespace: ns, name })}
         />
       )}
       {tab === 'services' && (
@@ -133,8 +150,35 @@ export function Kubernetes() {
           loading={servicesQ.isLoading}
           error={servicesQ.error}
           search={search}
+          onOpen={(ns, name) => setOpenService({ namespace: ns, name })}
         />
       )}
+
+      {/* Detail drawers — rendered outside tab content so state persists across tab switches */}
+      <NodeDetail
+        name={openNode?.name ?? null}
+        open={!!openNode}
+        onOpenChange={(o) => { if (!o) setOpenNode(null) }}
+      />
+      <WorkloadDetail
+        namespace={openWorkload?.namespace ?? null}
+        kind={openWorkload?.kind ?? null}
+        name={openWorkload?.name ?? null}
+        open={!!openWorkload}
+        onOpenChange={(o) => { if (!o) setOpenWorkload(null) }}
+      />
+      <PodDetail
+        namespace={openPod?.namespace ?? null}
+        name={openPod?.name ?? null}
+        open={!!openPod}
+        onOpenChange={(o) => { if (!o) setOpenPod(null) }}
+      />
+      <ServiceDetail
+        namespace={openService?.namespace ?? null}
+        name={openService?.name ?? null}
+        open={!!openService}
+        onOpenChange={(o) => { if (!o) setOpenService(null) }}
+      />
     </div>
   )
 }

From 246a6c7e97e035849acdc47f83c618f983e4fbf8 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 17:48:26 -0700
Subject: [PATCH 07/25] deploy: wire kubeconfig into docker-compose so K8s tab
 works
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The docker-compose container can't reach K3s' API server at
127.0.0.1:6443 from inside its bridge namespace, and the cert SAN
doesn't include the docker bridge gateway IP. So we rewrite the
kubeconfig server URL to the host's K3s node-ip (which is in the
cert SAN by default) and mount that copy read-only into the
container.

deploy/scripts/setup-host-kubeconfig.sh
  - One-shot helper run on the host (sudo). Reads
    /etc/rancher/k3s/k3s.yaml, picks a host IP that's in the cert
    SAN (override → /etc/rancher/k3s/config.yaml node-ip →
    hostname -I), writes the rewritten config to
    /var/lib/controlroom/kubeconfig with mode 0600 and owner
    65532:65532 (the controlroom container's nonroot uid).
  - Verifies the chosen IP is in the cert's SubjectAltName before
    writing — warns the operator if not.

deploy/docker-compose.yml
  - Mount /var/lib/controlroom/kubeconfig:/etc/k3s/kubeconfig:ro
  - KUBECONFIG=/etc/k3s/kubeconfig — client-go's first lookup path.
  - Comment header reframed: progressive integration model. Docker
    + K8s wired now; journal / systemd / apt left as TODO mounts.

Security note: the K3s admin kubeconfig has cluster-admin. The
container now has cluster-admin. Matches the user's stated intent
of "fat-privileged container" but worth calling out — RBAC the SA
later if you want to scope this down.
---
 deploy/docker-compose.yml               | 32 ++++++++----
 deploy/scripts/setup-host-kubeconfig.sh | 68 +++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 11 deletions(-)
 create mode 100755 deploy/scripts/setup-host-kubeconfig.sh

diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 422c797..45f429d 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -1,15 +1,19 @@
-# ControlRoom — minimal compose file.
+# ControlRoom — fat-privileged container deployment.
 #
-# Notes for container deployment:
-#   - systemd dbus and journalctl are not available inside the container, so
-#     /api/services and /api/logs/journal return 503. The Logs page falls
-#     back to streaming docker container logs; install bare metal
-#     (deploy/install.sh) if you also need journal logs.
-#   - The Docker socket is mounted read-only. The container runs as nonroot
-#     (uid 65532), so we add the host's docker group via group_add — set
-#     DOCKER_GID to your host's docker group GID (`getent group docker`).
-#   - For Let's Encrypt: set CR_TLS_MODE=acme + CR_ACME_HOST + CR_ACME_EMAIL,
-#     and expose port 80 below for the HTTP-01 challenge.
+# Optional integrations are wired progressively. Each one needs the matching
+# host bind mount; without it the relevant API returns 503 and the SPA hides
+# the tab.
+#
+#   Docker     — /var/run/docker.sock + group_add docker GID
+#   Kubernetes — /var/lib/controlroom/kubeconfig (run deploy/scripts/setup-host-kubeconfig.sh once on the host)
+#   Journal    — TODO (mount /run/log/journal + /etc/machine-id; image needs journalctl, drops distroless)
+#   Systemd    — TODO (mount /var/run/dbus/system_bus_socket; needs privilege)
+#   Apt/Net    — TODO (host PID/net ns, binaries in image)
+#
+# The container runs as nonroot (uid 65532). DOCKER_GID overrides the
+# group_add for /var/run/docker.sock — set it to `getent group docker`.
+# For Let's Encrypt: set CR_TLS_MODE=acme + CR_ACME_HOST + CR_ACME_EMAIL,
+# and expose port 80 below for the HTTP-01 challenge.
 
 services:
   controlroom:
@@ -26,8 +30,14 @@ services:
     volumes:
       - controlroom-data:/data
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      # Kubernetes: mount the host-rewritten kubeconfig generated by
+      # deploy/scripts/setup-host-kubeconfig.sh. Comment out if you don't
+      # want the K8s tab in the SPA.
+      - /var/lib/controlroom/kubeconfig:/etc/k3s/kubeconfig:ro
     environment:
       CR_TLS_MODE: selfsigned
+      # client-go reads $KUBECONFIG first; matches the mount above.
+      KUBECONFIG: /etc/k3s/kubeconfig
       # CR_TLS_MODE: acme
       # CR_ACME_HOST: ctrl.example.com
       # CR_ACME_EMAIL: admin@example.com
diff --git a/deploy/scripts/setup-host-kubeconfig.sh b/deploy/scripts/setup-host-kubeconfig.sh
new file mode 100755
index 0000000..3a540fb
--- /dev/null
+++ b/deploy/scripts/setup-host-kubeconfig.sh
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+#
+# Generate a kubeconfig for the docker-compose deployment of ControlRoom to
+# reach the host's K3s API server. The container can't reach 127.0.0.1 from
+# inside its network namespace, so we rewrite the server URL to the host's
+# real IP — which must be in K3s' TLS SANs.
+#
+# Run once on the host as root before `docker compose up`:
+#
+#   sudo deploy/scripts/setup-host-kubeconfig.sh
+#
+# Override the host IP if the auto-detected one isn't in the cert SAN:
+#
+#   sudo HOST_IP=192.168.1.50 deploy/scripts/setup-host-kubeconfig.sh
+#
+# Note: the K3s admin kubeconfig contains cluster-admin credentials; the
+# resulting file under /var/lib/controlroom/kubeconfig is mode 0600 and
+# owned by uid 65532 (the controlroom container's nonroot user). Anyone
+# with read access to that file has root on the cluster.
+
+set -euo pipefail
+
+K3S_CONFIG=${K3S_CONFIG:-/etc/rancher/k3s/k3s.yaml}
+OUT_DIR=${OUT_DIR:-/var/lib/controlroom}
+OUT=${OUT:-${OUT_DIR}/kubeconfig}
+CR_UID=65532
+CR_GID=65532
+
+if [ ! -r "$K3S_CONFIG" ]; then
+  echo "error: $K3S_CONFIG not readable — run as root or use sudo" >&2
+  exit 1
+fi
+
+# Pick a host IP that's in K3s' cert SAN.
+# Priority: $HOST_IP override → node-ip from /etc/rancher/k3s/config.yaml
+# → first non-loopback IPv4 from `hostname -I`.
+HOST_IP=${HOST_IP:-}
+if [ -z "$HOST_IP" ] && [ -r /etc/rancher/k3s/config.yaml ]; then
+  HOST_IP=$(awk '/^node-ip:/ {gsub(/[",]/,"",$2); print $2; exit}' /etc/rancher/k3s/config.yaml || true)
+fi
+if [ -z "$HOST_IP" ]; then
+  HOST_IP=$(hostname -I | awk '{print $1}')
+fi
+if [ -z "$HOST_IP" ]; then
+  echo "error: could not determine host IP — set HOST_IP=… and re-run" >&2
+  exit 1
+fi
+
+# Verify the IP is in the cert SAN before we hand the container a config that
+# will fail validation at runtime.
+CERT=/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
+if [ -r "$CERT" ]; then
+  if ! openssl x509 -in "$CERT" -noout -ext subjectAltName 2>/dev/null \
+       | grep -q "IP Address:$HOST_IP\b"; then
+    echo "warning: $HOST_IP not in cert SAN of $CERT" >&2
+    echo "         the container will fail TLS verification — re-run with HOST_IP=… set to a SAN-correct address" >&2
+  fi
+fi
+
+mkdir -p "$OUT_DIR"
+sed "s|server: https://127.0.0.1:6443|server: https://${HOST_IP}:6443|" "$K3S_CONFIG" > "$OUT"
+chown "$CR_UID:$CR_GID" "$OUT"
+chmod 0600 "$OUT"
+
+echo "wrote $OUT"
+echo "  server: https://${HOST_IP}:6443"
+echo "  owner:  ${CR_UID}:${CR_GID}"
+echo "  mode:   0600"

From f52c126aff1ffef6ce314685ba462fba329f2de3 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 18:30:55 -0700
Subject: [PATCH 08/25] =?UTF-8?q?deploy:=20fat-privileged=20container=20?=
 =?UTF-8?q?=E2=80=94=20host=20shell,=20journal,=20services,=20apt,=20netwo?=
 =?UTF-8?q?rk?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bundle that lights up every host-integration tab in the docker-compose
deployment by giving the container the host namespaces, capabilities,
and bind mounts it needs. Bare-metal install (deploy/install.sh) is
unchanged and remains the unprivileged path.

Image (deploy/Dockerfile)
  - Drop gcr.io/distroless/static-debian12:nonroot, switch runtime to
    debian:bookworm-slim.
  - Install: bash, ca-certificates, sudo, util-linux (nsenter), procps,
    iproute2, iptables, ufw, systemd (journalctl + systemctl + libsystemd0
    + libdbus-1-3), apt-utils.
  - Run as root; SYS_ADMIN can't survive a uid transition.
  - Image size 230MB (up from ~20MB distroless). Acceptable; documented.

Compose (deploy/docker-compose.yml)
  - network_mode: host, pid: host
  - cap_add: SYS_ADMIN (nsenter) + SYS_PTRACE (host ps/top) + NET_ADMIN
    (ufw/iptables)
  - security_opt: apparmor:unconfined + seccomp:unconfined
  - user: 0:0
  - Mounts: dbus socket (rw), /run/log/journal + /var/log/journal +
    /etc/machine-id (ro) for journalctl, /etc/rancher/k3s/k3s.yaml
    directly (network_mode:host means 127.0.0.1:6443 is reachable so
    the rewritten kubeconfig from setup-host-kubeconfig.sh is no longer
    needed), /var/cache/apt rw + /etc/apt + /var/lib/dpkg ro for apt.
  - env: CR_HOST_SHELL=true so pty wraps shells with nsenter.
  - Header reframed with security model + integration matrix.

pty (internal/pty/pty.go + config.go + api/terminal + api/router)
  - New Options.HostShell. When true, exec.Command becomes
    `/usr/bin/nsenter -t 1 -m -u -i -n -p -- <shell> --login` so the
    user gets a shell in the host's mount/UTS/IPC/network/PID namespaces
    — equivalent to ssh-ing into the host.
  - CR_HOST_SHELL env var (default false). Wired through
    config.Config → api.Deps.Cfg → terminalapi.Deps.HostShell →
    pty.Options.HostShell.
  - Stat-checks /usr/bin/nsenter when HostShell=true; clear error if
    missing instead of an opaque exec failure.
  - Bare-metal behavior is byte-identical when CR_HOST_SHELL=false.

setup-host-kubeconfig.sh + deploy/k8s/README.md
  - Header rewritten: script no longer needed for the standard
    docker-compose deployment, retained for non-host-network cases.
  - K8s README adds a paragraph contrasting in-cluster (unprivileged
    nonroot SA, scoped RBAC) vs docker-compose (fat-privileged) shapes.

Verified:
  - make image succeeds at 230MB.
  - Container boots clean — none of the four "unavailable" warnings
    (systemd / journalctl / kubernetes / docker).
  - host_shell=true logged at boot.
  - All required binaries present in image: bash, sudo, nsenter, ip,
    ufw, journalctl, systemctl, apt, apt-get.
  - `nsenter -t 1` from inside the container produces a real host
    shell (returns the host hostname + kernel).
  - /api/healthz → 200.

Security note (re-stating compose header): a compromise of ControlRoom
is now effectively root on the host. Intended tradeoff for a single-user
homelab where the operator already has root. The bare-metal install
remains the unprivileged option.
---
 cmd/controlroom/main.go                 |   1 +
 deploy/Dockerfile                       |  69 +++++++++++++--
 deploy/docker-compose.yml               | 106 ++++++++++++++++++------
 deploy/k8s/README.md                    |   8 ++
 deploy/scripts/setup-host-kubeconfig.sh |  18 ++--
 internal/api/router.go                  |   2 +-
 internal/api/terminal/terminal.go       |   8 +-
 internal/config/config.go               |   2 +
 internal/pty/pty.go                     |  27 ++++--
 9 files changed, 194 insertions(+), 47 deletions(-)

diff --git a/cmd/controlroom/main.go b/cmd/controlroom/main.go
index c380ff9..30ee99d 100644
--- a/cmd/controlroom/main.go
+++ b/cmd/controlroom/main.go
@@ -65,6 +65,7 @@ func run() error {
 		Str("tls_mode", string(cfg.TLSMode)).
 		Bool("trust_proxy", cfg.TrustProxy).
 		Bool("dev_mode", cfg.DevMode).
+		Bool("host_shell", cfg.HostShell).
 		Msg("controlroom starting")
 
 	if err := os.MkdirAll(cfg.DataDir, 0o750); err != nil {
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
index a3eddaf..36538ac 100644
--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -3,7 +3,30 @@
 # Multi-stage build for ControlRoom:
 #   1. node-builder  — `vite build` → web/dist/
 #   2. go-builder    — `go build` with embed.FS picking up web/dist
-#   3. runtime       — distroless static, nonroot user, ~20 MB final image
+#   3. runtime       — debian:bookworm-slim, fat-privileged, root user, ~150-200 MB
+#
+# FAT-PRIVILEGED SHAPE
+# ====================
+# This image is designed to run with:
+#   pid: host            — so nsenter -t 1 can reach systemd (PID 1 on the host)
+#   cap_add: [SYS_ADMIN, SYS_PTRACE, NET_ADMIN]
+#   security_opt: [apparmor:unconfined, seccomp:unconfined]
+#   network_mode: host   — so `ip addr` and ufw see host interfaces
+#   user: root (uid 0)   — required; Linux drops caps on uid transitions
+#   mounts: see docker-compose.yml for the full list
+#
+# The distroless/nonroot shape has been intentionally dropped to enable
+# Terminal (nsenter), Journal Logs (journalctl), Services (dbus),
+# Updates (apt/systemctl), and Network (ip/ufw) integrations.
+#
+# Image size: ~150-200 MB (up from ~20 MB distroless). Expected and acceptable.
+#
+# UNPRIVILEGED PATH
+# =================
+# deploy/install.sh installs ControlRoom as a bare-metal systemd service with a
+# scoped sudoers file. Use that if the privilege model of this container concerns
+# you. The in-cluster K8s manifest (deploy/k8s/) also runs nonroot with a
+# read-only ClusterRole.
 
 # ---------- 1. frontend ----------
 FROM node:20-alpine AS web-builder
@@ -15,7 +38,7 @@ COPY web/ ./
 RUN npm run build
 
 # ---------- 2. backend ----------
-FROM golang:1.23-alpine AS go-builder
+FROM golang:1.25-alpine AS go-builder
 
 ARG VERSION=dev
 ARG COMMIT=none
@@ -30,10 +53,9 @@ COPY go.mod go.sum* ./
 RUN go mod download
 
 COPY . .
-COPY --from=web-builder /src/web/dist ./web/dist
+COPY --from=web-builder /src/internal/web/dist ./internal/web/dist
 
-# Pre-create the data dir so we can COPY it into the runtime with the right
-# ownership (distroless has no shell to run mkdir/chown at runtime).
+# Pre-create the data dir so we can COPY it into the runtime stage.
 RUN mkdir -p /out/data
 
 RUN CGO_ENABLED=0 GOOS=linux go build \
@@ -45,16 +67,47 @@ RUN CGO_ENABLED=0 GOOS=linux go build \
     -o /out/controlroom ./cmd/controlroom
 
 # ---------- 3. runtime ----------
-FROM gcr.io/distroless/static-debian12:nonroot
+FROM debian:bookworm-slim
+
+# Install host-integration dependencies in a single layer; purge apt lists to
+# keep the layer as small as possible.
+#
+#   bash         — host shell via nsenter + script use
+#   ca-certificates  — TLS roots for outbound HTTPS
+#   sudo         — wraps existing `sudo -n` calls in apt/ufw code (root → no-op,
+#                  but the binary must be present)
+#   util-linux   — provides nsenter for host-shell mode (Terminal tab)
+#   procps       — ps/top inside the host PID namespace
+#   iproute2     — `ip -j addr show` for the Network tab
+#   iptables     — required by ufw
+#   ufw          — host firewall control (Network tab)
+#   systemd      — provides journalctl + systemctl + libsystemd0 (dbus client)
+#   apt-utils    — apt helpers used by Updates tab
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+      bash \
+      ca-certificates \
+      sudo \
+      util-linux \
+      procps \
+      iproute2 \
+      iptables \
+      ufw \
+      systemd \
+      apt-utils \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY --from=go-builder /out/controlroom /app/controlroom
-COPY --from=go-builder --chown=65532:65532 /out/data /data
+COPY --from=go-builder /out/data /data
 
 ENV CR_DATA_DIR=/data \
     CR_ADDR=:8443
 
 VOLUME ["/data"]
 EXPOSE 8443
-USER 65532:65532
+
+# Run as root. SYS_ADMIN and other broad caps are dropped by the kernel on any
+# uid transition away from root, so we must stay uid 0.
+# Security boundary is the host itself — see the comment at the top of this file.
 
 ENTRYPOINT ["/app/controlroom"]
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 45f429d..91de317 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -1,43 +1,99 @@
-# ControlRoom — fat-privileged container deployment.
+# ControlRoom — fat-privileged docker-compose deployment.
 #
-# Optional integrations are wired progressively. Each one needs the matching
-# host bind mount; without it the relevant API returns 503 and the SPA hides
-# the tab.
+# SECURITY MODEL
+# ==============
+# This deployment runs as root with host network/PID namespaces and broad
+# Linux capabilities. A compromise of the ControlRoom process is effectively
+# root on the host. This is intentional for a single-user homelab where the
+# operator already has root, and is the only way to drive all integrations
+# from a container without a sidecar or privileged DaemonSet.
 #
-#   Docker     — /var/run/docker.sock + group_add docker GID
-#   Kubernetes — /var/lib/controlroom/kubeconfig (run deploy/scripts/setup-host-kubeconfig.sh once on the host)
-#   Journal    — TODO (mount /run/log/journal + /etc/machine-id; image needs journalctl, drops distroless)
-#   Systemd    — TODO (mount /var/run/dbus/system_bus_socket; needs privilege)
-#   Apt/Net    — TODO (host PID/net ns, binaries in image)
+# If the privilege model concerns you, use deploy/install.sh instead — it
+# installs ControlRoom as a bare-metal systemd service with a scoped sudoers
+# file and no container involved.
 #
-# The container runs as nonroot (uid 65532). DOCKER_GID overrides the
-# group_add for /var/run/docker.sock — set it to `getent group docker`.
-# For Let's Encrypt: set CR_TLS_MODE=acme + CR_ACME_HOST + CR_ACME_EMAIL,
-# and expose port 80 below for the HTTP-01 challenge.
+# INTEGRATION REQUIREMENTS
+# ========================
+# Integration    | Mount / Cap needed
+# ---------------|-----------------------------------------------------------
+# Docker         | /var/run/docker.sock:ro  (root has access without group_add)
+# Kubernetes     | /etc/rancher/k3s/k3s.yaml:ro  (127.0.0.1:6443 reachable via
+#                |   network_mode:host; no kubeconfig rewrite needed)
+# Terminal       | pid:host + SYS_ADMIN  (nsenter -t 1 reaches systemd/PID 1)
+# Journal Logs   | /run/log/journal:ro + /var/log/journal:ro + /etc/machine-id:ro
+# Services       | /var/run/dbus/system_bus_socket:rw  (dbus client in image)
+# Updates (apt)  | /var/cache/apt:rw + /etc/apt:ro + /var/lib/dpkg:ro
+#                |   root in container → sudo apt-get is a no-op passthrough
+# Network (ip)   | network_mode:host  (ip addr shows host interfaces)
+# Network (ufw)  | network_mode:host + NET_ADMIN  (ufw needs iptables access)
+#
+# PORTS
+# =====
+# network_mode:host binds directly to the host's :8443. No ports: mapping
+# needed (and it would be ignored anyway). Access via https://<host-ip>:8443.
 
 services:
   controlroom:
     image: ghcr.io/tm4rtin17/controlroom:latest
     container_name: controlroom
     restart: unless-stopped
-    # Grant access to /var/run/docker.sock for the nonroot user.
-    group_add:
-      - "${DOCKER_GID:-999}"
-    ports:
-      - "8443:8443"
-      # Uncomment when CR_TLS_MODE=acme to serve HTTP-01 challenges:
-      # - "80:80"
+
+    # Share host namespaces so nsenter and ip/ufw see the real host.
+    network_mode: host
+    pid: host
+
+    # Broad caps required for nsenter (SYS_ADMIN), ps/top in host PID ns
+    # (SYS_PTRACE), and ufw/iptables (NET_ADMIN).
+    cap_add:
+      - SYS_ADMIN
+      - SYS_PTRACE
+      - NET_ADMIN
+
+    # Lift AppArmor and seccomp confinement so nsenter and host commands are
+    # not blocked by the Docker daemon's default profiles.
+    security_opt:
+      - apparmor:unconfined
+      - seccomp:unconfined
+
+    # Run as root (uid 0). Linux drops capabilities on uid transitions, so
+    # we must stay root for SYS_ADMIN to remain in effect.
+    user: "0:0"
+
     volumes:
+      # Persistent app data (JWT key, SQLite DB, TLS material).
       - controlroom-data:/data
+
+      # Docker socket — root has access without group_add.
       - /var/run/docker.sock:/var/run/docker.sock:ro
-      # Kubernetes: mount the host-rewritten kubeconfig generated by
-      # deploy/scripts/setup-host-kubeconfig.sh. Comment out if you don't
-      # want the K8s tab in the SPA.
-      - /var/lib/controlroom/kubeconfig:/etc/k3s/kubeconfig:ro
+
+      # dbus system bus — for the Services tab (systemctl start/stop via dbus).
+      - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw
+
+      # Journal logs — /run/log/journal is the volatile (current boot) location;
+      # /var/log/journal is the persistent location (if configured).
+      - /run/log/journal:/run/log/journal:ro
+      - /var/log/journal:/var/log/journal:ro
+
+      # journalctl requires the host machine-id to identify log entries.
+      - /etc/machine-id:/etc/machine-id:ro
+
+      # K3s kubeconfig — mount directly; network_mode:host makes 127.0.0.1:6443
+      # reachable without any server-URL rewrite (cert SAN includes 127.0.0.1).
+      # deploy/scripts/setup-host-kubeconfig.sh is no longer needed.
+      - /etc/rancher/k3s/k3s.yaml:/etc/k3s/kubeconfig:ro
+
+      # apt integration — rw cache so `apt-get update` can refresh package lists;
+      # dpkg state and sources are read-only.
+      - /var/cache/apt:/var/cache/apt:rw
+      - /etc/apt:/etc/apt:ro
+      - /var/lib/dpkg:/var/lib/dpkg:ro
+
     environment:
       CR_TLS_MODE: selfsigned
-      # client-go reads $KUBECONFIG first; matches the mount above.
+      # client-go reads $KUBECONFIG; matches the mount above.
       KUBECONFIG: /etc/k3s/kubeconfig
+      # Signals pty.go to wrap interactive shells with nsenter -t 1.
+      CR_HOST_SHELL: "true"
       # CR_TLS_MODE: acme
       # CR_ACME_HOST: ctrl.example.com
       # CR_ACME_EMAIL: admin@example.com
diff --git a/deploy/k8s/README.md b/deploy/k8s/README.md
index f391057..d9477e6 100644
--- a/deploy/k8s/README.md
+++ b/deploy/k8s/README.md
@@ -58,3 +58,11 @@ targeted write operations (scale, restart). Phase D adds Helm/Kustomize.
 - The pod does not mount docker.sock or the host kubeconfig. All cluster access
   flows through the projected ServiceAccount token at the standard in-cluster
   path (/var/run/secrets/kubernetes.io/serviceaccount/).
+- **Privilege model**: This in-cluster Pod deployment is the unprivileged path.
+  It runs as nonroot uid 65532, drops ALL Linux capabilities, and uses a
+  scoped controlroom-reader ClusterRole with get/list/watch verbs only. This
+  contrasts with the docker-compose deployment (deploy/docker-compose.yml),
+  which is fat-privileged: root uid, pid:host + network_mode:host, and
+  cap_add SYS_ADMIN/SYS_PTRACE/NET_ADMIN to enable the Terminal, Journal,
+  Services, Updates, and Network integrations. Choose the in-cluster path if
+  the docker-compose privilege model is not acceptable for your environment.
diff --git a/deploy/scripts/setup-host-kubeconfig.sh b/deploy/scripts/setup-host-kubeconfig.sh
index 3a540fb..9d8d7ee 100755
--- a/deploy/scripts/setup-host-kubeconfig.sh
+++ b/deploy/scripts/setup-host-kubeconfig.sh
@@ -1,11 +1,19 @@
 #!/usr/bin/env bash
 #
-# Generate a kubeconfig for the docker-compose deployment of ControlRoom to
-# reach the host's K3s API server. The container can't reach 127.0.0.1 from
-# inside its network namespace, so we rewrite the server URL to the host's
-# real IP — which must be in K3s' TLS SANs.
+# NOTE: This script is NO LONGER NEEDED for the standard docker-compose
+# deployment. Since docker-compose.yml now uses network_mode:host, the
+# container shares the host network namespace and can reach the K3s API
+# at 127.0.0.1:6443 directly. The original /etc/rancher/k3s/k3s.yaml is
+# mounted read-only as /etc/k3s/kubeconfig inside the container — no
+# server-URL rewrite is required.
 #
-# Run once on the host as root before `docker compose up`:
+# This script is retained for non-host-network deployments (e.g. a custom
+# bridge network or a remote ControlRoom instance pointing at a separate
+# K3s host). In those cases the container cannot reach 127.0.0.1:6443, so
+# the server URL must be rewritten to the host's real IP that is in the
+# K3s TLS SAN list.
+#
+# Usage (non-host-network deployments only):
 #
 #   sudo deploy/scripts/setup-host-kubeconfig.sh
 #
diff --git a/internal/api/router.go b/internal/api/router.go
index d5397fa..1213978 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -137,7 +137,7 @@ func NewRouter(d Deps) *fiber.App {
 	systemapi.MountWS(wsGroup, systemDeps)
 	servicesapi.MountWS(wsGroup, servicesDeps)
 	containersapi.MountWS(wsGroup, containersDeps)
-	terminalapi.MountWS(wsGroup, terminalapi.Deps{DB: d.DB, Logger: d.Logger})
+	terminalapi.MountWS(wsGroup, terminalapi.Deps{DB: d.DB, Logger: d.Logger, HostShell: d.Cfg.HostShell})
 	updatesapi.MountWS(wsGroup, updatesDeps)
 	logsapi.MountWS(wsGroup, logsapi.Deps{Logger: d.Logger})
 	k8sapi.MountWS(wsGroup, k8sapi.Deps{Client: d.K8s, Logger: d.Logger})
diff --git a/internal/api/terminal/terminal.go b/internal/api/terminal/terminal.go
index 08a6dd4..e9b6edc 100644
--- a/internal/api/terminal/terminal.go
+++ b/internal/api/terminal/terminal.go
@@ -35,6 +35,7 @@ type Deps struct {
 	// IdleTimeout closes a session after this much inactivity (no read or
 	// write). Zero falls back to defaultIdleTimeout.
 	IdleTimeout time.Duration
+	HostShell   bool // passed through from cfg.HostShell; wraps shell in nsenter
 }
 
 const (
@@ -96,9 +97,10 @@ func (d Deps) handler(c *websocket.Conn) {
 
 	sessionID := mintSessionID()
 	sess, err := pty.New(sessionID, pty.Options{
-		Shell: init.Shell,
-		Rows:  init.Rows,
-		Cols:  init.Cols,
+		Shell:     init.Shell,
+		Rows:      init.Rows,
+		Cols:      init.Cols,
+		HostShell: d.HostShell,
 	})
 	if err != nil {
 		_ = c.WriteJSON(errorFrame{Type: "error", Err: err.Error()})
diff --git a/internal/config/config.go b/internal/config/config.go
index 895e9d7..3f21952 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -34,6 +34,7 @@ type Config struct {
 	HostName     string
 	VersionCheck bool
 	DevMode      bool
+	HostShell    bool // CR_HOST_SHELL — wrap terminal in nsenter -t 1 to enter host namespaces
 }
 
 func Load() (*Config, error) {
@@ -50,6 +51,7 @@ func Load() (*Config, error) {
 		HostName:     os.Getenv("CR_HOST_NAME"),
 		VersionCheck: envBool("CR_VERSION_CHECK", false),
 		DevMode:      envBool("CR_DEV", false),
+		HostShell:    envBool("CR_HOST_SHELL", false),
 	}
 	if err := c.Validate(); err != nil {
 		return nil, err
diff --git a/internal/pty/pty.go b/internal/pty/pty.go
index 8a419a7..4644a18 100644
--- a/internal/pty/pty.go
+++ b/internal/pty/pty.go
@@ -39,6 +39,9 @@ var AllowedShells = []string{
 // PreferredShells is the fallback order if the client doesn't specify one.
 var PreferredShells = []string{"/bin/bash", "/bin/sh"}
 
+// NsenterPath is the expected location of nsenter inside the container image.
+const NsenterPath = "/usr/bin/nsenter"
+
 // MaxRows / MaxCols clamp window-size requests to sane bounds.
 const (
 	MaxRows = 500
@@ -67,10 +70,11 @@ type Session struct {
 
 // Options for New. Fields left zero/empty fall back to safe defaults.
 type Options struct {
-	Shell string // "" → first existing entry of PreferredShells
-	Rows  int
-	Cols  int
-	Env   []string // appended to the sanitized base env
+	Shell     string   // "" → first existing entry of PreferredShells
+	Rows      int
+	Cols      int
+	Env       []string // appended to the sanitized base env
+	HostShell bool     // wrap spawned process in nsenter -t 1 -m -u -i -n -p
 }
 
 // New starts a shell under a fresh PTY. The returned Session is hot — the
@@ -81,9 +85,22 @@ func New(id string, opts Options) (*Session, error) {
 		return nil, err
 	}
 
+	if opts.HostShell {
+		if _, err := os.Stat(NsenterPath); err != nil {
+			return nil, errors.New("CR_HOST_SHELL=true but /usr/bin/nsenter not found in image")
+		}
+	}
+
 	rows, cols := clampSize(opts.Rows, opts.Cols)
 
-	cmd := exec.Command(shell)
+	var cmd *exec.Cmd
+	if opts.HostShell {
+		// Enter all host namespaces (mount, uts, ipc, net, pid) via PID 1 so
+		// the operator gets a full host shell, not the container's view.
+		cmd = exec.Command(NsenterPath, "-t", "1", "-m", "-u", "-i", "-n", "-p", "--", shell, "--login")
+	} else {
+		cmd = exec.Command(shell)
+	}
 	cmd.Env = baseEnv(opts.Env, shell)
 	// Run in its own session so signals stay scoped.
 	cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true}

From 2d353e7ad4269edfc440323c2d0dd834e844a64d Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 18:41:53 -0700
Subject: [PATCH 09/25] terminal: spawn /bin/login (PAM auth) instead of root
 shell by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The fat-privileged container runs as root, and the previous nsenter
default dropped the operator straight into a root shell — a meaningful
escalation over the SSH UX it should mirror. Now it runs login(1)
inside the host namespaces; the user types host credentials in the
xterm, PAM authenticates, and login execs the user's shell at the
user's uid only on success. Same audit trail as SSH (auth.log,
last-login records).

Wiring:
- internal/pty/pty.go: new Options.LoginMode. When HostShell+LoginMode
  the spawned process is `nsenter -t 1 -m -u -i -n -p -- /bin/login`.
  Removed the misleading container-side stat for login (after nsenter
  -m the binary resolves from the host's filesystem; a stat from the
  container's view doesn't tell us anything useful).
- internal/config/config.go: CR_TERMINAL_LOGIN env var, default false.
- internal/api/terminal + router: thread cfg.TerminalLogin through to
  pty.Options.LoginMode.
- cmd/controlroom/main.go: log the new flag at boot.
- deploy/docker-compose.yml: CR_TERMINAL_LOGIN=true alongside
  CR_HOST_SHELL=true. Comment explains the security improvement.

Bare-metal install is unchanged — CR_TERMINAL_LOGIN defaults false,
existing pty.New behavior preserved.

Refused setup: LoginMode without HostShell returns an error. login(1)
is meaningful only when there are namespaces to enter; otherwise we'd
just be running it as the controlroom user with nothing to gain.
---
 cmd/controlroom/main.go           |  1 +
 deploy/docker-compose.yml         |  6 ++++++
 internal/api/router.go            |  7 ++++++-
 internal/api/terminal/terminal.go |  6 ++++--
 internal/config/config.go         |  2 ++
 internal/pty/pty.go               | 26 ++++++++++++++++++++++++--
 6 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/cmd/controlroom/main.go b/cmd/controlroom/main.go
index 30ee99d..7687d96 100644
--- a/cmd/controlroom/main.go
+++ b/cmd/controlroom/main.go
@@ -66,6 +66,7 @@ func run() error {
 		Bool("trust_proxy", cfg.TrustProxy).
 		Bool("dev_mode", cfg.DevMode).
 		Bool("host_shell", cfg.HostShell).
+		Bool("terminal_login", cfg.TerminalLogin).
 		Msg("controlroom starting")
 
 	if err := os.MkdirAll(cfg.DataDir, 0o750); err != nil {
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 91de317..a30f237 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -94,6 +94,12 @@ services:
       KUBECONFIG: /etc/k3s/kubeconfig
       # Signals pty.go to wrap interactive shells with nsenter -t 1.
       CR_HOST_SHELL: "true"
+      # When true, the terminal spawns /bin/login (PAM auth via the host's
+      # /etc/pam.d/login policy) instead of dropping straight into root's
+      # shell. Mirrors SSH UX: the operator types host credentials in the
+      # xterm and login(1) execs the user's shell at the user's uid only on
+      # success. Strongly recommended whenever CR_HOST_SHELL is true.
+      CR_TERMINAL_LOGIN: "true"
       # CR_TLS_MODE: acme
       # CR_ACME_HOST: ctrl.example.com
       # CR_ACME_EMAIL: admin@example.com
diff --git a/internal/api/router.go b/internal/api/router.go
index 1213978..af9564b 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -137,7 +137,12 @@ func NewRouter(d Deps) *fiber.App {
 	systemapi.MountWS(wsGroup, systemDeps)
 	servicesapi.MountWS(wsGroup, servicesDeps)
 	containersapi.MountWS(wsGroup, containersDeps)
-	terminalapi.MountWS(wsGroup, terminalapi.Deps{DB: d.DB, Logger: d.Logger, HostShell: d.Cfg.HostShell})
+	terminalapi.MountWS(wsGroup, terminalapi.Deps{
+		DB:            d.DB,
+		Logger:        d.Logger,
+		HostShell:     d.Cfg.HostShell,
+		TerminalLogin: d.Cfg.TerminalLogin,
+	})
 	updatesapi.MountWS(wsGroup, updatesDeps)
 	logsapi.MountWS(wsGroup, logsapi.Deps{Logger: d.Logger})
 	k8sapi.MountWS(wsGroup, k8sapi.Deps{Client: d.K8s, Logger: d.Logger})
diff --git a/internal/api/terminal/terminal.go b/internal/api/terminal/terminal.go
index e9b6edc..3e7a188 100644
--- a/internal/api/terminal/terminal.go
+++ b/internal/api/terminal/terminal.go
@@ -34,8 +34,9 @@ type Deps struct {
 	Logger zerolog.Logger
 	// IdleTimeout closes a session after this much inactivity (no read or
 	// write). Zero falls back to defaultIdleTimeout.
-	IdleTimeout time.Duration
-	HostShell   bool // passed through from cfg.HostShell; wraps shell in nsenter
+	IdleTimeout   time.Duration
+	HostShell     bool // passed through from cfg.HostShell; wraps shell in nsenter
+	TerminalLogin bool // passed through from cfg.TerminalLogin; spawn login(1) for PAM auth
 }
 
 const (
@@ -101,6 +102,7 @@ func (d Deps) handler(c *websocket.Conn) {
 		Rows:      init.Rows,
 		Cols:      init.Cols,
 		HostShell: d.HostShell,
+		LoginMode: d.TerminalLogin,
 	})
 	if err != nil {
 		_ = c.WriteJSON(errorFrame{Type: "error", Err: err.Error()})
diff --git a/internal/config/config.go b/internal/config/config.go
index 3f21952..550489b 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -35,6 +35,7 @@ type Config struct {
 	VersionCheck bool
 	DevMode      bool
 	HostShell    bool // CR_HOST_SHELL — wrap terminal in nsenter -t 1 to enter host namespaces
+	TerminalLogin bool // CR_TERMINAL_LOGIN — spawn /bin/login (PAM auth) instead of a bare shell. Requires HostShell.
 }
 
 func Load() (*Config, error) {
@@ -52,6 +53,7 @@ func Load() (*Config, error) {
 		VersionCheck: envBool("CR_VERSION_CHECK", false),
 		DevMode:      envBool("CR_DEV", false),
 		HostShell:    envBool("CR_HOST_SHELL", false),
+		TerminalLogin: envBool("CR_TERMINAL_LOGIN", false),
 	}
 	if err := c.Validate(); err != nil {
 		return nil, err
diff --git a/internal/pty/pty.go b/internal/pty/pty.go
index 4644a18..e9986c9 100644
--- a/internal/pty/pty.go
+++ b/internal/pty/pty.go
@@ -75,8 +75,20 @@ type Options struct {
 	Cols      int
 	Env       []string // appended to the sanitized base env
 	HostShell bool     // wrap spawned process in nsenter -t 1 -m -u -i -n -p
+	// LoginMode runs /bin/login inside the host namespaces instead of jumping
+	// straight to a shell. The user types their host credentials into the same
+	// xterm; PAM authenticates via the host's policies and only then execs the
+	// user's shell at the user's uid. Requires HostShell.
+	LoginMode bool
 }
 
+// LoginPath is the host's login(1) binary. /bin/login is universal on
+// Debian/RPi/Ubuntu and on usrmerge-style Fedora/Arch. Resolved from the
+// host's mount namespace at exec time, so a stat from the container
+// against this path would be misleading — we rely on exec failing with a
+// clear error if the host is missing it.
+const LoginPath = "/bin/login"
+
 // New starts a shell under a fresh PTY. The returned Session is hot — the
 // caller must Close() it eventually or the child leaks.
 func New(id string, opts Options) (*Session, error) {
@@ -90,15 +102,24 @@ func New(id string, opts Options) (*Session, error) {
 			return nil, errors.New("CR_HOST_SHELL=true but /usr/bin/nsenter not found in image")
 		}
 	}
+	if opts.LoginMode && !opts.HostShell {
+		return nil, errors.New("LoginMode requires HostShell")
+	}
 
 	rows, cols := clampSize(opts.Rows, opts.Cols)
 
 	var cmd *exec.Cmd
-	if opts.HostShell {
+	switch {
+	case opts.HostShell && opts.LoginMode:
+		// Enter all host namespaces, then exec login(1). PAM prompts the user
+		// for host credentials directly in the xterm; on success login execs
+		// the user's shell at the user's uid. The password never touches Go.
+		cmd = exec.Command(NsenterPath, "-t", "1", "-m", "-u", "-i", "-n", "-p", "--", LoginPath)
+	case opts.HostShell:
 		// Enter all host namespaces (mount, uts, ipc, net, pid) via PID 1 so
 		// the operator gets a full host shell, not the container's view.
 		cmd = exec.Command(NsenterPath, "-t", "1", "-m", "-u", "-i", "-n", "-p", "--", shell, "--login")
-	} else {
+	default:
 		cmd = exec.Command(shell)
 	}
 	cmd.Env = baseEnv(opts.Env, shell)
@@ -215,6 +236,7 @@ func isAllowed(path string) bool {
 	return false
 }
 
+
 func clampSize(rows, cols int) (int, int) {
 	if rows < 1 {
 		rows = 24

From f0ca1f780dfee93f1f918bcdd473d4c6f1416a06 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 19:10:11 -0700
Subject: [PATCH 10/25] terminal: use bash+su instead of login(1) for the
 host-credentials prompt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

util-linux login(1) refuses to run interactively when execv'd from a
regular process — it expects to be slave to getty/sshd, with specific
TTY ioctls, and exits silently otherwise. Confirmed end-to-end: even
with a real PTY allocated by Python and a controlling terminal set,
/bin/login produces no output and exits 1.

su(1) is a regular interactive program that works the way login should.
Replace the LoginMode exec target with a tiny inline bash script that:

  1. Prints a short banner with the hostname.
  2. Prompts for the username.
  3. exec su -l "$username".

su then prompts for the password through PAM (host /etc/pam.d/su rules),
authenticates, and execs the user's shell at the user's uid. The
password never touches Go, audit goes through PAM as before, and the
UX is identical to SSH: type user, type password, you're in.

LoginPath constant removed; replaced with the loginScript string. No
external file added — the script is small enough to live as a string
constant in pty.go.

Verified: a Python PTY harness around the same exec.Command path that
pty.New uses now prints "ControlRoom Terminal — host login at <host>"
followed by "username: " and waits for input, exactly like SSH.
---
 internal/pty/pty.go | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/internal/pty/pty.go b/internal/pty/pty.go
index e9986c9..d0157fc 100644
--- a/internal/pty/pty.go
+++ b/internal/pty/pty.go
@@ -82,12 +82,18 @@ type Options struct {
 	LoginMode bool
 }
 
-// LoginPath is the host's login(1) binary. /bin/login is universal on
-// Debian/RPi/Ubuntu and on usrmerge-style Fedora/Arch. Resolved from the
-// host's mount namespace at exec time, so a stat from the container
-// against this path would be misleading — we rely on exec failing with a
-// clear error if the host is missing it.
-const LoginPath = "/bin/login"
+// loginScript is what we hand bash via -c when LoginMode is enabled. We
+// don't use util-linux login(1) directly: its modern incarnation refuses
+// to run interactively when execv'd from a regular process (it expects to
+// be slave to getty/sshd, with specific TTY ioctls, and exits silently
+// otherwise). su -l is a regular interactive program that handles PAM
+// password prompts natively, which is exactly the UX we want.
+const loginScript = `
+printf '\nControlRoom Terminal — host login at %s\n' "$(hostname)"
+read -rp 'username: ' CR_USER
+[ -z "$CR_USER" ] && { echo 'no username — disconnecting'; exit 1; }
+exec su -l "$CR_USER"
+`
 
 // New starts a shell under a fresh PTY. The returned Session is hot — the
 // caller must Close() it eventually or the child leaks.
@@ -111,10 +117,10 @@ func New(id string, opts Options) (*Session, error) {
 	var cmd *exec.Cmd
 	switch {
 	case opts.HostShell && opts.LoginMode:
-		// Enter all host namespaces, then exec login(1). PAM prompts the user
-		// for host credentials directly in the xterm; on success login execs
+		// Enter all host namespaces, then prompt for username + run su -l.
+		// PAM authenticates via the host's /etc/pam.d/su; on success su execs
 		// the user's shell at the user's uid. The password never touches Go.
-		cmd = exec.Command(NsenterPath, "-t", "1", "-m", "-u", "-i", "-n", "-p", "--", LoginPath)
+		cmd = exec.Command(NsenterPath, "-t", "1", "-m", "-u", "-i", "-n", "-p", "--", "/bin/bash", "-c", loginScript)
 	case opts.HostShell:
 		// Enter all host namespaces (mount, uts, ipc, net, pid) via PID 1 so
 		// the operator gets a full host shell, not the container's view.

From aca51876a0d64dd72610108755eb92088dd64aac Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 19:15:33 -0700
Subject: [PATCH 11/25] terminal: drop to nobody before su so PAM actually
 authenticates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Root invoking su(1) is special-cased to skip PAM authentication —
"root can become anyone" — so when the controlroom container (uid 0)
ran `su -l pi` the operator landed as pi without ever proving the
password. That's not the SSH-equivalent UX we wanted; it's worse than
the old root-shell default because now it's pretending to authenticate.

Drop to nobody:nogroup with setpriv before invoking su. su now sees a
non-root caller, runs full PAM auth via /etc/pam.d/su, the password is
prompted in the xterm, and on success the setuid bit on /bin/su lets
it escalate to root and then drop to the target user. Lockouts and
auth.log entries flow through PAM as expected.

Verified: a Python PTY harness around the new exec path now prints
"Password:" after entering the username, exactly like SSH.
---
 internal/pty/pty.go | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/internal/pty/pty.go b/internal/pty/pty.go
index d0157fc..6a7d7c5 100644
--- a/internal/pty/pty.go
+++ b/internal/pty/pty.go
@@ -82,17 +82,27 @@ type Options struct {
 	LoginMode bool
 }
 
-// loginScript is what we hand bash via -c when LoginMode is enabled. We
-// don't use util-linux login(1) directly: its modern incarnation refuses
-// to run interactively when execv'd from a regular process (it expects to
-// be slave to getty/sshd, with specific TTY ioctls, and exits silently
-// otherwise). su -l is a regular interactive program that handles PAM
-// password prompts natively, which is exactly the UX we want.
+// loginScript is what we hand bash via -c when LoginMode is enabled.
+//
+// Two non-obvious things going on:
+//
+// 1. We don't use util-linux login(1). Its modern incarnation refuses to
+//    run interactively when execv'd from a regular process (it expects to
+//    be slave to getty/sshd, with specific TTY ioctls, and exits silently
+//    otherwise). su(1) is a regular interactive program — it works.
+//
+// 2. We `setpriv --reuid=nobody` before invoking su. Root invoking su(1)
+//    is special-cased to skip PAM authentication ("root can become
+//    anyone") — without the privilege drop, the operator would get a
+//    shell as the target user without ever proving the password. After
+//    dropping to nobody:nogroup, su(1) runs full PAM auth, /etc/pam.d/su
+//    enforces lockouts and audit, and on success setuid root via the
+//    binary's setuid bit and then drops to the requested user.
 const loginScript = `
 printf '\nControlRoom Terminal — host login at %s\n' "$(hostname)"
 read -rp 'username: ' CR_USER
 [ -z "$CR_USER" ] && { echo 'no username — disconnecting'; exit 1; }
-exec su -l "$CR_USER"
+exec setpriv --reuid=nobody --regid=nogroup --clear-groups -- su -l "$CR_USER"
 `
 
 // New starts a shell under a fresh PTY. The returned Session is hot — the

From 83deeaa9e7804aeb716cbabd4585fc935eaa3898 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 19:23:45 -0700
Subject: [PATCH 12/25] network: initialize slice fields so JSON encodes [] /
 {} not null
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Same bug class as 74dd538 fixed for the Docker client — Network.tsx
crashes the SPA with a blank screen when iface.ips or fw.data.rules
arrives as null instead of an empty array, because the frontend
dereferences .length directly.

Two fields needed nil-guards:

- internal/network/iface.go: Interface.IPs starts as a nil slice when
  an interface has no addresses (e.g. some down/dummy/bridge ifaces).
  Now initialized to []string{}. Flags inherits whatever `ip -j addr
  show` returns (which is non-nil in practice but not guaranteed) so
  we nil-guard that too.

- internal/network/ufw.go: UFWStatus.Rules starts as a nil slice when
  the firewall is disabled or has no rules. Now initialized to
  []UFWRule{} in parseUFWStatus before the parse loop.

Verified: rebuilt image, recreated container. The Network tab should
render an empty Interfaces grid + "No rules" instead of crashing.
---
 internal/network/iface.go | 7 ++++++-
 internal/network/ufw.go   | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/internal/network/iface.go b/internal/network/iface.go
index 24f7705..e7e57b7 100644
--- a/internal/network/iface.go
+++ b/internal/network/iface.go
@@ -67,13 +67,18 @@ func List(ctx context.Context) ([]Interface, error) {
 
 	out2 := make([]Interface, 0, len(raws))
 	for _, r := range raws {
+		flags := r.Flags
+		if flags == nil {
+			flags = []string{}
+		}
 		ifc := Interface{
 			Name:  r.IfName,
 			MAC:   r.Address,
 			State: r.Operstate,
 			MTU:   r.MTU,
 			Type:  r.LinkType,
-			Flags: r.Flags,
+			Flags: flags,
+			IPs:   []string{},
 		}
 		for _, a := range r.AddrInfo {
 			if a.Local == "" {
diff --git a/internal/network/ufw.go b/internal/network/ufw.go
index 409f128..d1355a9 100644
--- a/internal/network/ufw.go
+++ b/internal/network/ufw.go
@@ -45,7 +45,7 @@ func Status(ctx context.Context) (*UFWStatus, error) {
 var numberedRE = regexp.MustCompile(`^\[\s*(\d+)\]\s+(.+?)\s{2,}([A-Z][A-Z ]+?)\s{2,}(.+?)\s*$`)
 
 func parseUFWStatus(out []byte) *UFWStatus {
-	st := &UFWStatus{}
+	st := &UFWStatus{Rules: []UFWRule{}}
 	sc := bufio.NewScanner(bytes.NewReader(out))
 	for sc.Scan() {
 		line := sc.Text()

From f58ccf377bb5d00018b6cac10d81825f899f1ed2 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 19:35:14 -0700
Subject: [PATCH 13/25] docs: refresh README + INSTALL + SECURITY for v0.2; add
 CONFIG.md

The shipped docs lagged badly behind v0.2:
  - README claimed "v0.1 in development", didn't mention the
    Kubernetes tab, listed footprint targets that no longer apply,
    and warned that the Docker container deployment lost Services
    and Logs (we wired both via the fat-privileged container).
  - INSTALL.md only covered bare-metal + the old distroless docker
    flavor; nothing about the in-cluster Pod, host-shell login, or
    the new env vars.
  - SECURITY.md described privilege scoping for one shape only;
    the new fat-privileged container needed an explicit "this is
    effectively root on the host" callout, and the in-cluster Pod
    needed a section on the scoped ClusterRole.

This commit:

README.md (~140 lines)
  - v0.2 status; Kubernetes in the feature list; three deployment
    shapes table; quick-start per shape; updated project layout
    (deploy/k8s, deploy/scripts, internal/k8s, internal/api/k8s);
    Go 1.25+; doc index pointing at INSTALL/CONFIG/SECURITY/SPEC.

docs/INSTALL.md (rewritten, ~340 lines)
  - Choose-a-shape comparison table with privilege model + which
    tabs work in each.
  - Path A bare-metal: prerequisites, install, first-run wizard,
    update, uninstall, common pitfalls.
  - Path B Docker fat-privileged: full mount/cap inventory, the
    nsenter+setpriv+su login flow explained step-by-step, common
    pitfalls (terminal misbehaviors, kubeconfig issues).
  - Path C in-cluster Pod: prerequisites, image-loading on
    multi-node K3s, ClusterRole scope (current + Phase C plans),
    three access patterns (Ingress / port-forward / NodePort),
    common pitfalls (ImagePullBackOff, missing pods/log RBAC).
  - TLS modes section; Kubernetes integration section covering
    the four kubeconfig discovery paths.
  - Post-install checklist.

docs/CONFIG.md (new, ~180 lines)
  - Every CR_* env var with default + purpose, grouped by Core,
    TLS, Integrations, Container-only, Compose helpers.
  - Per-tab capability matrix (which tab works in which shape and
    what mount/cap each one needs).
  - Per-shape file paths table.
  - Capability detection / debugging walkthrough.
  - Compose env-file pattern.

docs/SECURITY.md (rewritten, ~180 lines)
  - Bumped to v0.2.
  - Privilege scoping section split into three subsections
    (bare-metal / fat-privileged container / in-cluster Pod) with
    explicit compromise-impact statements.
  - Audit section calls out PAM/auth.log + apt history.log as the
    real audit trail for the fat-privileged container's host ops.
  - Public-bind detection updated to mention RFC 6598 / Tailscale
    CGNAT awareness (was listed as a gap; now shipped).
  - Known gaps refreshed: K8s Phase C/D, cert-manager TLS for the
    Pod shape, etc.
---
 README.md        | 125 +++++++------
 docs/CONFIG.md   | 173 +++++++++++++++++
 docs/INSTALL.md  | 471 ++++++++++++++++++++++++++++++++++++++++-------
 docs/SECURITY.md | 198 ++++++++++++++++----
 4 files changed, 804 insertions(+), 163 deletions(-)
 create mode 100644 docs/CONFIG.md

diff --git a/README.md b/README.md
index e1f3573..136b3d2 100644
--- a/README.md
+++ b/README.md
@@ -1,61 +1,67 @@
 # ControlRoom
 
-Lightweight, modern web UI for managing headless Linux homelab servers.
+A modern, single-binary admin UI for headless Linux homelab servers — designed
+to replace routine SSH for the things you do over and over.
 
-> **Status:** v0.1 in development. The full feature set from the
-> [`SPEC.md`](./SPEC.md) is implemented through milestone M9; see
-> [`MILESTONES.md`](./MILESTONES.md) for what's done and what's deferred.
+> **Status:** v0.2 in development on the [`v0.2`](https://github.com/tm4rtin17/ControlRoom/tree/v0.2) branch.
+> v0.1 (tag `v0.1.0`) is the last fully-released cut. See [`MILESTONES.md`](./MILESTONES.md)
+> for what's done and the roadmap.
 
-## What is it?
+## Features
 
-A single Go binary that serves a Vite/React SPA over HTTPS and replaces
-routine SSH for:
+| Tab | What it does | Backed by |
+|---|---|---|
+| **Dashboard** | Live CPU / memory / disks / temperatures / network rates / uptime / load (1 Hz over WebSocket). | `/proc`, `/sys` |
+| **Updates** | `apt list --upgradable`, one-click check/apply with live job streaming, reboot-required banner. | `apt`, `sudo`, `systemctl` |
+| **Services** | List / start / stop / restart / enable / disable systemd units; live `journalctl -fu` log tail. | dbus |
+| **Containers** | Docker (and Podman socket-compatible) list with Compose-project grouping; per-container live logs + CPU/MEM stats; lifecycle actions. | `/var/run/docker.sock` |
+| **Kubernetes** | Read-only cluster view: nodes, namespaces, workloads (Deployment / StatefulSet / DaemonSet), pods, services. Per-resource detail drawer with conditions + events. Live pod log streaming. *(Phase A + B; lifecycle actions in Phase C)* | client-go |
+| **Terminal** | Full PTY in the browser via xterm.js. Either a local shell or — in container deployments — a real host shell after PAM login. | `/dev/pty`, `nsenter`, `su` |
+| **Network** | Read-only interfaces + UFW rules editor (add / delete / enable / disable). | `ip -j`, `ufw`, `sudo` |
+| **Logs** | journald browser with unit / priority / since / search filters and live tail. Falls back to streaming docker container logs when journald isn't reachable. | `journalctl`, `/var/run/docker.sock` |
+| **Settings** | Change password, manage 2FA, view server config + audit log. | SQLite |
 
-- **Dashboard** — live CPU, memory, disks, temperatures, network rates,
-  uptime, load (1 Hz over WebSocket).
-- **Updates** — `apt list --upgradable`, one-click check + apply with live
-  job streaming and a reboot-required banner.
-- **Services** — list / start / stop / restart / enable / disable systemd
-  units; live `journalctl -fu` log tail.
-- **Containers** — Docker / Podman list with Compose-project grouping; per
-  container live logs + CPU/MEM stats; start / stop / restart / delete.
-- **Terminal** — full PTY in the browser via xterm.js.
-- **Network** — read-only interfaces + UFW rules editor.
-- **Logs** — journald browser with filters and live tail.
-- **Settings** — change password, manage 2FA, view server config.
+## Three deployment shapes
 
-## Footprint targets
+| Shape | What runs where | Privilege model | When to pick |
+|---|---|---|---|
+| **Bare-metal** (`deploy/install.sh`) | Single Go binary as a hardened systemd unit; dedicated `controlroom` user; tight sudoers fragment for the privileged commands. | Unprivileged user + scoped sudoers. Compromise = whatever the sudoers fragment allows. | Recommended default. Smallest blast radius for the full feature set. |
+| **Docker container** (`deploy/docker-compose.yml`) | Single container with `network_mode: host`, `pid: host`, `cap_add: SYS_ADMIN/SYS_PTRACE/NET_ADMIN`, host bind mounts for dbus / journal / apt / kubeconfig. Runs as root inside. | Effectively root on the host. | Single-user homelab where the operator already has root and wants one image to deploy. |
+| **In-cluster Kubernetes Pod** (`deploy/k8s/`) | Manifests for namespace + ServiceAccount + ClusterRole (`get,list,watch` + `pods/log get`) + Deployment + Service + Ingress + PVC. Runs as nonroot uid 65532, drop ALL caps, readOnlyRootFilesystem. | Scoped RBAC. Cluster-only feature surface — **no host integrations** (no Services / Updates / Network / host Terminal). | Cluster-only ControlRoom. Pair with bare-metal or container ControlRoom on the host if you also want host management. |
 
-| Metric          | Goal     |
-|-----------------|----------|
-| Idle RSS        | ≤ 50 MB  |
-| Image size      | ≤ 25 MB  |
-| First paint     | < 1 s    |
+Detailed install instructions for each: [`docs/INSTALL.md`](./docs/INSTALL.md).
+Full env-var reference + per-tab capability matrix: [`docs/CONFIG.md`](./docs/CONFIG.md).
+Per-shape threat model: [`docs/SECURITY.md`](./docs/SECURITY.md).
 
-## Install
+## Quick start
 
-### Bare-metal (Debian / Ubuntu)
+### Bare-metal (Debian / Ubuntu / Raspberry Pi OS)
 
 ```bash
 sudo deploy/install.sh
 sudo journalctl -u controlroom -n 200 | grep setup_token
 ```
 
-Visit `https://<host>:8443`, paste the setup token, create your admin
-account, optionally enable 2FA.
+### Docker container (host-privileged)
 
-Full guide: [`docs/INSTALL.md`](./docs/INSTALL.md).
+```bash
+docker compose -f deploy/docker-compose.yml up -d
+docker compose -f deploy/docker-compose.yml logs --tail 200 | grep setup_token
+```
 
-### Docker
+### In-cluster Kubernetes Pod
 
 ```bash
-docker compose -f deploy/docker-compose.yml up -d
-docker compose logs --tail 200 | grep setup_token
+kubectl apply -f deploy/k8s/namespace.yaml \
+              -f deploy/k8s/rbac.yaml \
+              -f deploy/k8s/pvc.yaml \
+              -f deploy/k8s/deployment.yaml \
+              -f deploy/k8s/service.yaml
+kubectl -n controlroom logs deployment/controlroom | grep setup_token
 ```
 
-Note: the container can't reach the host's systemd dbus or journald, so the
-**Services** and **Logs** pages will return 503 inside Docker. Bare-metal
-install is required for those.
+In all three shapes: open `https://<host>:8443`, paste the token from the
+log, create your admin account, optionally enable 2FA.
 
 ## Develop
 
@@ -67,52 +73,53 @@ make dev-web    # Vite dev server
 ```
 
 Open <http://localhost:5173>. Vite proxies `/api` and `/ws` to the Go backend
-on `:8443` (CR_DEV mode → plain HTTP, non-Secure cookies).
+on `:8443` (`CR_DEV` mode → plain HTTP, non-Secure cookies).
 
-Prerequisites: Go 1.23+, Node 20+, [`air`](https://github.com/air-verse/air)
+Prerequisites: **Go 1.25+**, **Node 20+**, [`air`](https://github.com/air-verse/air)
 for backend hot reload.
 
 ## Project layout
 
 ```
 cmd/controlroom/                  # entrypoint
-internal/                         # backend packages
+internal/
   api/                            # HTTP routes + middleware
-    {auth,containers,logs,network,services,settings,setup,system,terminal,updates}/
+    {auth,containers,k8s,logs,network,services,settings,setup,system,terminal,updates}/
   auth/                           # password, TOTP, JWT, sessions, ratelimit
   cert/                           # self-signed + ACME (autocert)
   collectors/                     # /proc and /sys readers
   config/                         # env-based config
   docker/                         # Docker client wrapper
   jobs/                           # generic job runner with ring buffer
+  k8s/                            # client-go wrapper (read-only)
   logs/                           # journalctl wrapper
   network/                        # ip + ufw wrappers
-  pty/                            # PTY session manager
+  pty/                            # PTY session manager (incl. host-shell + login flow)
   store/                          # SQLite migrations + accessors
   systemd/                        # dbus client wrapper
   web/                            # embed.FS for the SPA
 web/                              # Vite + React + TS + Tailwind + shadcn/ui
-deploy/                           # Dockerfile, install.sh, systemd unit, sudoers, compose
-docs/                             # SECURITY.md, INSTALL.md
+deploy/
+  Dockerfile                      # fat-privileged container image
+  docker-compose.yml              # docker deployment
+  install.sh                      # bare-metal installer
+  controlroom.service             # hardened systemd unit
+  controlroom.sudoers             # tight sudoers fragment
+  k8s/                            # in-cluster manifests
+  scripts/                        # host-side helpers (e.g. setup-host-kubeconfig.sh)
+docs/
+  INSTALL.md                      # per-shape install + first-run
+  CONFIG.md                       # env vars + per-tab requirements
+  SECURITY.md                     # threat model per deployment shape
 ```
 
-## Security
-
-Single trusted operator, LAN-first. Read [`docs/SECURITY.md`](./docs/SECURITY.md)
-for the threat model. Highlights:
-
-- bcrypt(cost 12) + optional TOTP.
-- HS256 access JWTs (15 min) + opaque rotating refresh tokens (7 days) with
-  reuse detection that revokes the entire token family.
-- HttpOnly + Secure + SameSite=Strict cookies; CSRF double-submit token.
-- Per-IP rate limit + per-user exponential backoff on login.
-- Hardened systemd unit (`NoNewPrivileges`, `ProtectSystem=strict`, system
-  call filtering); tight `/etc/sudoers.d/controlroom` fragment validated
-  before install.
-- Full audit log of every privileged action. **Keystrokes are never recorded.**
+## Documentation
 
-Always behind a VPN, SSH tunnel, or reverse proxy with strict firewall rules
-when accessing remotely.
+- [`docs/INSTALL.md`](./docs/INSTALL.md) — detailed install for all three shapes.
+- [`docs/CONFIG.md`](./docs/CONFIG.md) — every environment variable + which tabs need what.
+- [`docs/SECURITY.md`](./docs/SECURITY.md) — threat model and what's actually enforced.
+- [`SPEC.md`](./SPEC.md) — design spec.
+- [`MILESTONES.md`](./MILESTONES.md) — what shipped when.
 
 ## License
 
diff --git a/docs/CONFIG.md b/docs/CONFIG.md
new file mode 100644
index 0000000..31e6c6b
--- /dev/null
+++ b/docs/CONFIG.md
@@ -0,0 +1,173 @@
+# Configuration reference
+
+Everything ControlRoom can be configured with, plus the per-tab
+"what does this need to actually work" matrix.
+
+## Environment variables
+
+All settings are environment variables. There is no on-disk config file —
+in bare-metal install they live in `/etc/controlroom/controlroom.env`
+(read by the systemd unit), in Docker they go in the `environment:` block
+of `docker-compose.yml`, and in the K8s Pod they go in the Deployment's
+`spec.template.spec.containers[0].env`.
+
+### Core
+
+| Var | Default | Purpose |
+|---|---|---|
+| `CR_ADDR` | `:8443` | TCP bind address for the HTTPS listener (or plain HTTP when `CR_DEV=true`). Use `127.0.0.1:8080` when fronting with a TLS-terminating reverse proxy. |
+| `CR_DATA_DIR` | `/var/lib/controlroom` | Where TLS material, the JWT signing key, the SQLite DB, and the audit log live. Must be absolute. The directory is created with mode 0750 if missing. |
+| `CR_LOG_LEVEL` | `info` | `debug` / `info` / `warn` / `error`. Controls zerolog filter. |
+| `CR_HOST_NAME` | (kernel hostname) | Display name in the SPA title bar. Cosmetic only. |
+| `CR_SESSION_HOURS` | `168` (7 days) | Refresh-token lifetime. Access tokens are always 15 min. Reducing this forces more frequent re-logins. |
+| `CR_VERSION_CHECK` | `false` | When `true`, ControlRoom does a daily release-check against GitHub releases and surfaces an "update available" badge. Off by default to avoid outbound calls. |
+| `CR_DEV` | `false` | Plain HTTP + non-Secure cookies. **Development only** — never set in production. |
+
+### TLS
+
+| Var | Default | Purpose |
+|---|---|---|
+| `CR_TLS_MODE` | `selfsigned` | `selfsigned` / `acme` / `proxy`. See [`INSTALL.md` → TLS modes](./INSTALL.md#tls-modes). |
+| `CR_ACME_HOST` | — | Required when `CR_TLS_MODE=acme`. The hostname Let's Encrypt issues against. DNS must already point at the host. |
+| `CR_ACME_EMAIL` | — | Required when `CR_TLS_MODE=acme`. Account email for the ACME directory. |
+| `CR_TRUST_PROXY` | `false` | When `true`, honor `X-Forwarded-For` and `X-Forwarded-Proto` for client IP and scheme detection. Set this only when ControlRoom is *actually* behind a trusted reverse proxy — setting it on an exposed server lets clients lie about their IP. |
+
+### Integrations
+
+| Var | Default | Purpose |
+|---|---|---|
+| `CR_DOCKER_SOCK` | `/var/run/docker.sock` | Unix socket path for the Docker daemon. Set to empty (`""`) to disable the Docker integration entirely (Containers tab gets hidden via the capability flag). |
+| `KUBECONFIG` | (none) | Standard kubeconfig path. ControlRoom's K8s client checks: (1) in-cluster SA, (2) `$KUBECONFIG`, (3) `~/.kube/config`, (4) `/etc/rancher/k3s/k3s.yaml`. First match wins. |
+
+### Container-only
+
+These only matter for the Docker deployment. The bare-metal systemd unit
+spawns shells directly as the controlroom user; the in-cluster Pod has no
+host shell to spawn at all.
+
+| Var | Default | Purpose |
+|---|---|---|
+| `CR_HOST_SHELL` | `false` | When `true`, the Terminal tab spawns its shell via `nsenter -t 1 -m -u -i -n -p` to enter the host's namespaces. Requires the container to run with `pid: host` and `cap_add: SYS_ADMIN`. The fat-privileged compose sets this `true`. |
+| `CR_TERMINAL_LOGIN` | `false` | When `true` (and `CR_HOST_SHELL=true`), the Terminal prompts for username, then `setpriv --reuid=nobody -- su -l <user>`. PAM handles the password prompt; on success drops to that user's shell. **Strongly recommended** whenever `CR_HOST_SHELL=true` — without it you land directly as root inside the host namespaces. |
+
+### Compose helpers
+
+These aren't read by the Go binary — they're consumed by `docker-compose.yml`
+expansion only.
+
+| Var | Default | Purpose |
+|---|---|---|
+| `DOCKER_GID` | `999` | The host's `docker` group GID. Used by `group_add` so the controlroom container can read `/var/run/docker.sock` even when running as a non-root user. Get it with `getent group docker \| cut -d: -f3`. (The default fat-privileged compose runs as root and doesn't strictly need `group_add`, but the var is preserved for users who run a less-privileged variant.) |
+
+---
+
+## Per-tab capability matrix
+
+What each tab needs to function, by deployment shape.
+
+| Tab | Backend integration | Bare-metal | Docker (fat-privileged) | In-cluster Pod |
+|---|---|:-:|:-:|:-:|
+| **Dashboard** | `/proc`, `/sys` reads | ✅ | ✅ | ✅ host metrics not the cluster |
+| **Updates** | `apt`, `apt-get`, `sudo`, `systemctl reboot` | ✅ via sudoers | ✅ binaries in image, host `/etc/apt` + `/var/cache/apt` mounted | ❌ (no apt in cluster) |
+| **Services** | dbus + `systemctl` | ✅ via dbus session | ✅ `/var/run/dbus/system_bus_socket` mounted | ❌ |
+| **Containers** | `/var/run/docker.sock` | ✅ if controlroom user is in `docker` group | ✅ socket mounted ro | ❌ |
+| **Kubernetes** | client-go with kubeconfig or in-cluster SA | ✅ if `kubectl` works as the controlroom user | ✅ `/etc/rancher/k3s/k3s.yaml` mounted | ✅ in-cluster ServiceAccount |
+| **Terminal** | PTY + (optional) `nsenter`+`su` | ✅ shell as controlroom user | ✅ host shell via nsenter+PAM login | ❌ |
+| **Network** | `ip -j addr show`, `sudo ufw …` | ✅ via sudoers | ✅ via `network_mode: host` + NET_ADMIN | ❌ shows Pod's network ns only |
+| **Logs** | `journalctl` + (fallback) docker logs | ✅ via `adm` group | ✅ `/run/log/journal` + `/etc/machine-id` mounted | ❌ host journal not reachable |
+| **Settings** | SQLite + JWT key | ✅ | ✅ | ✅ |
+
+ControlRoom auto-detects which integrations are working at boot and
+exposes the result at `GET /api/system/capabilities`:
+
+```json
+{
+  "systemd": true,
+  "docker": true,
+  "journal": true,
+  "kubernetes": true
+}
+```
+
+The SPA reads this on every page load and **hides the nav entries** for
+features that aren't reachable. Failed integrations log a warning at
+startup but never crash the binary — every integration is best-effort.
+
+---
+
+## Per-shape file paths
+
+Where things live on disk in each shape.
+
+| Path | Bare-metal | Docker | In-cluster Pod |
+|---|---|---|---|
+| Binary | `/opt/controlroom/controlroom` | `/app/controlroom` (in image) | `/app/controlroom` (in image) |
+| Data dir | `/var/lib/controlroom/` | Docker volume `controlroom-data` (mountpoint `/var/lib/docker/volumes/controlroom-data/_data` on host) | PVC `controlroom-data` (1Gi, RWO, `local-path`) |
+| SQLite DB | `$DATA_DIR/controlroom.db` | same | same |
+| JWT signing key | `$DATA_DIR/jwt.key` (mode 0600) | same | same |
+| TLS cert+key | `$DATA_DIR/tls/{server.crt,server.key}` | same | same |
+| ACME cache | `$DATA_DIR/acme/` (when `CR_TLS_MODE=acme`) | same | same |
+| Systemd unit | `/etc/systemd/system/controlroom.service` | n/a | n/a |
+| Sudoers fragment | `/etc/sudoers.d/controlroom` | n/a (root in container) | n/a (Pod, no sudoers) |
+| Env file | `/etc/controlroom/controlroom.env` | inline in compose `environment:` | inline in Deployment env |
+| Logs | `journalctl -u controlroom` | `docker logs controlroom` | `kubectl logs -n controlroom deployment/controlroom` |
+
+---
+
+## Capability detection — debugging
+
+If a tab is hidden in the SPA and you expected it to work:
+
+1. Look at the boot log. ControlRoom logs one warning per failed
+   integration at startup:
+   - `systemd unavailable; /api/services disabled`
+   - `journalctl not in PATH; /api/logs/journal will return 503`
+   - `docker unavailable; /api/containers disabled`
+   - `kubernetes unavailable; /api/k8s disabled`
+
+2. Hit the capabilities endpoint as a logged-in user (you can grab the
+   cookie from devtools and curl):
+   ```
+   curl -sk -b "cr_access=<token>" https://<host>:8443/api/system/capabilities
+   ```
+   The booleans tell you what the SPA is using to gate the nav.
+
+3. For Docker-shape deployments specifically, double-check the bind mount
+   actually exists inside the container:
+   ```
+   docker exec controlroom ls -la /var/run/docker.sock
+   docker exec controlroom ls -la /var/run/dbus/system_bus_socket
+   docker exec controlroom ls -la /etc/k3s/kubeconfig
+   docker exec controlroom which journalctl systemctl ip ufw apt
+   ```
+
+4. For the Kubernetes tab specifically, run a probe from inside the
+   container:
+   ```
+   docker exec controlroom sh -c '
+     KUBECONFIG=/etc/k3s/kubeconfig kubectl version --client
+     KUBECONFIG=/etc/k3s/kubeconfig kubectl get nodes 2>&1 | head
+   '
+   ```
+
+---
+
+## Compose env-file pattern
+
+Rather than putting all `CR_*` vars in `docker-compose.yml`, you can write
+an `.env` file next to it:
+
+```ini
+# .env
+CR_TLS_MODE=acme
+CR_ACME_HOST=ctrl.example.com
+CR_ACME_EMAIL=admin@example.com
+DOCKER_GID=999
+```
+
+Compose auto-loads it. The `.env` file is `.gitignore`d by default in
+this repo.
+
+For bare-metal, the equivalent is `/etc/controlroom/controlroom.env` —
+the systemd unit reads it via `EnvironmentFile=`. Same syntax (`KEY=value`,
+no quotes needed).
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 7c1a2d1..fde29f0 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -1,43 +1,103 @@
 # Installing ControlRoom
 
-ControlRoom v0.1 supports Debian and Ubuntu (LTS releases). Two install paths
-are supported: a one-shot bare-metal installer and a Docker Compose deployment.
+ControlRoom ships in three deployment shapes. Pick the one that matches your
+constraints — they're not mutually exclusive (you can run, e.g., a bare-metal
+ControlRoom on the host *and* an in-cluster ControlRoom in K3s for the
+cluster-management UI).
 
-## Prerequisites
+## Choosing a shape
 
-- Debian 12+ or Ubuntu 22.04+ (older releases haven't been tested).
-- A user with `sudo` (only for installation; ControlRoom itself runs as a
-  dedicated `controlroom` system user afterwards).
-- Optional but recommended: `ufw`, `journalctl` (always present), and Docker
-  if you want to manage containers.
+| | Bare-metal | Docker container | In-cluster K8s Pod |
+|---|---|---|---|
+| **Where it runs** | Host, as a systemd unit | Host, as a Docker container | A Pod in your K3s/k8s cluster |
+| **Privilege** | Dedicated `controlroom` user + scoped sudoers | Root inside container, host PID/network namespaces, broad capabilities | Nonroot (uid 65532), `drop: [ALL]`, scoped ClusterRole |
+| **Image size** | ~20 MB binary + ~1 MB SPA | ~230 MB | ~230 MB |
+| **Idle RSS** | ~40 MB | ~50 MB | ~50 MB |
+| **Tabs that work** | All (Dashboard, Updates, Services, Containers, Kubernetes\*, Terminal, Network, Logs, Settings) | All | Kubernetes + Dashboard + Settings only — no host integrations |
+| **Best for** | Single-host homelab, smallest blast radius, the canonical path. | Single-user homelabs that want to manage the whole host *and* keep ControlRoom in a container. | Cluster operations only; pair with bare-metal/container ControlRoom for host management. |
 
-## Option A — bare-metal (recommended for full feature set)
+\* Kubernetes tab on bare-metal works if `kubectl` finds a kubeconfig — see
+the [Kubernetes integration](#kubernetes-integration) section.
 
-The installer creates a `controlroom` system user, installs the binary under
-`/opt/controlroom`, persists data in `/var/lib/controlroom`, drops a hardened
-systemd unit, and writes a tight sudoers fragment after validating it with
-`visudo -c`.
+> **Security note.** The Docker container shape is *fat-privileged*: a
+> compromise of the ControlRoom binary inside the container is effectively
+> root on the host. That's the deliberate tradeoff to make every host
+> integration work from a container. If your threat model doesn't accept
+> that, use bare-metal. See [`SECURITY.md`](./SECURITY.md).
+
+---
+
+## Path A — Bare-metal (Debian / Ubuntu / Raspberry Pi OS)
+
+The most polished path, smallest blast radius. The installer:
+
+- Creates a dedicated `controlroom` system user and group.
+- Installs the binary to `/opt/controlroom/controlroom`.
+- Creates the data directory `/var/lib/controlroom/` (mode 0750, owned by
+  the controlroom user). TLS material, the JWT signing key, the SQLite DB
+  and the audit log all live here.
+- Drops `/etc/systemd/system/controlroom.service` — a hardened unit with
+  `NoNewPrivileges`, `ProtectSystem=strict`, `ProtectHome`, system-call
+  filtering, and supplementary groups (`adm` for journal, `docker` if
+  present).
+- Drops `/etc/sudoers.d/controlroom` — a tight allowlist for the few
+  commands ControlRoom needs to escalate (`apt-get update/install`,
+  `systemctl reboot`, the specific `ufw` verbs the SPA exposes). Validated
+  with `visudo -c` before install — the script aborts on parse failure.
+
+### Prerequisites
+
+- Debian 12+ / Ubuntu 22.04+ / Raspberry Pi OS Bookworm. Older releases
+  haven't been tested.
+- A user with `sudo` (only used for the install — ControlRoom doesn't run
+  as root).
+- Optional but expected for full feature parity: `ufw`, Docker (if you want
+  the Containers tab), `kubectl` configured against your cluster (if you
+  want the Kubernetes tab).
+
+### Install
+
+From a clone of the repo:
 
 ```bash
 sudo deploy/install.sh
 ```
 
-Or, if you cloned the repo and want to build from source first:
+If you want to build from the cloned source rather than fetching a
+pre-built binary, add `--from-source`:
 
 ```bash
 sudo deploy/install.sh --from-source
 ```
 
-When the service starts it logs a one-time **setup token** — the installer
-tails it for you, but you can also run:
+The installer prints a one-time **setup token** at the end of its run and
+also tails it from the journal. If you missed it, retrieve it with:
 
 ```bash
 sudo journalctl -u controlroom -n 200 | grep setup_token
 ```
 
-Visit `https://<host>:8443` (the self-signed cert will be flagged by your
-browser the first time), paste the token into the wizard, create your admin
-account, optionally enable 2FA, and you're in.
+### First-run setup
+
+1. Open `https://<host>:8443` in a browser. The first time, your browser
+   will warn about the self-signed certificate — accept it for now, or
+   switch to ACME / a reverse proxy later (see [TLS modes](#tls-modes)).
+2. Paste the setup token in the wizard.
+3. Pick an admin username + a strong password.
+4. Optionally scan the QR code with Authy / 1Password / Aegis to enable
+   TOTP. Verify the 6-digit code.
+5. Done — you're logged in.
+
+### Updating
+
+```bash
+cd /path/to/repo
+git pull
+sudo deploy/install.sh --from-source
+```
+
+The script preserves `/var/lib/controlroom/` (your data), restarts the
+unit, and re-validates the sudoers fragment.
 
 ### Uninstall
 
@@ -45,61 +105,340 @@ account, optionally enable 2FA, and you're in.
 sudo deploy/install.sh --uninstall
 ```
 
-The data directory at `/var/lib/controlroom` is preserved by default — delete
-it manually if you want a truly fresh install.
+The data directory at `/var/lib/controlroom/` is *preserved* by default —
+delete it manually for a truly fresh slate (you'll lose your account, JWT
+key, TLS material, and audit log).
+
+### Common pitfalls
+
+- **`apt update` fails inside the apt job log**: the sudoers fragment
+  whitelists `apt-get` not `apt`. The Go code calls `apt-get` for
+  privileged ops; a bare `apt list --upgradable` runs unprivileged. If you
+  see "sudo: a password is required", the fragment didn't install — check
+  `sudo visudo -c -f /etc/sudoers.d/controlroom`.
+- **Services tab empty**: the `controlroom` user needs to be in the `adm`
+  group (for journal access) and able to talk to dbus. The installer does
+  this automatically — verify with `id controlroom`.
+- **Containers tab 503**: Docker daemon not present, or `controlroom` user
+  not in the `docker` group. Add them: `sudo usermod -aG docker controlroom`,
+  then `sudo systemctl restart controlroom`.
+
+---
 
-## Option B — Docker Compose
+## Path B — Docker container (fat-privileged)
 
-Container deployment is simpler but loses access to the host's systemd dbus
-and journald. The `Services` and `Logs` pages will return 503; everything
-else works.
+Single container that does everything. Drops distroless for `debian:bookworm-slim`
+plus `bash`, `sudo`, `util-linux` (nsenter), `procps`, `iproute2`, `iptables`,
+`ufw`, `systemd` (journalctl + systemctl + libsystemd0), `apt-utils`. Runs as
+root with broad capabilities and host namespaces.
+
+### Prerequisites
+
+- Docker Engine 20.10+ (or compatible — Podman with the docker-compose plugin
+  works too).
+- The host's `docker` group GID (run `getent group docker | cut -d: -f3`).
+
+If you want the Kubernetes tab to work in this shape, you also need:
+- A reachable kubeconfig (`/etc/rancher/k3s/k3s.yaml` for K3s on the same
+  host is the easiest case).
+- Either `network_mode: host` (the default in our compose, so K3s'
+  `127.0.0.1:6443` becomes reachable directly), **or** a host IP that's in
+  your cluster's TLS SAN — see [Kubernetes integration](#kubernetes-integration).
+
+### Install
 
 ```bash
+git clone https://github.com/tm4rtin17/ControlRoom.git
+cd ControlRoom
+
+# Set DOCKER_GID for the compose file (only needed if you don't use
+# network_mode:host or run as root — the default compose runs as root and
+# doesn't need group_add, but it's still pulled from this var).
+export DOCKER_GID=$(getent group docker | cut -d: -f3)
+
 docker compose -f deploy/docker-compose.yml up -d
 docker compose -f deploy/docker-compose.yml logs --tail 200 | grep setup_token
 ```
 
-To manage other containers, mount the Docker socket read-only (the default
-compose file already does this).
+### What the container can reach (and how)
+
+The default `deploy/docker-compose.yml` mounts:
+
+| Path | Mode | Used for |
+|---|---|---|
+| `/var/run/docker.sock` | ro | Containers tab |
+| `/var/run/dbus/system_bus_socket` | rw | Services tab (systemctl via dbus) |
+| `/run/log/journal` | ro | Logs tab (volatile journal) |
+| `/var/log/journal` | ro | Logs tab (persistent journal, if enabled) |
+| `/etc/machine-id` | ro | journalctl needs the host's machine-id to identify entries |
+| `/etc/rancher/k3s/k3s.yaml` | ro | Kubernetes tab (mounted at `/etc/k3s/kubeconfig`) |
+| `/var/cache/apt` | rw | Updates tab (apt cache; rw so `apt-get update` can refresh) |
+| `/etc/apt` | ro | Updates tab (sources, preferences) |
+| `/var/lib/dpkg` | ro | Updates tab (dpkg state) |
+| `controlroom-data` | rw | App data (JWT key, SQLite, TLS) — Docker named volume |
+
+Plus:
+- `network_mode: host` so `ip`, `ufw`, and the K3s API at `127.0.0.1:6443`
+  all see the host directly.
+- `pid: host` so `nsenter -t 1 ...` finds the host's PID 1 (systemd).
+- `cap_add: [SYS_ADMIN, SYS_PTRACE, NET_ADMIN]` for nsenter, host `ps`/`top`,
+  and ufw/iptables.
+- `security_opt: [apparmor:unconfined, seccomp:unconfined]` so the default
+  Docker AppArmor and seccomp profiles don't block the host commands.
+
+### Terminal: host login flow
+
+The container sets `CR_HOST_SHELL=true` and `CR_TERMINAL_LOGIN=true` by
+default. When you click the Terminal tab:
+
+1. ControlRoom spawns `nsenter -t 1 -m -u -i -n -p -- /bin/bash -c <login script>`.
+   This enters the host's mount, UTS, IPC, network, and PID namespaces.
+2. The login script prints `ControlRoom Terminal — host login at <hostname>`
+   and prompts for `username:`.
+3. You type your host username, hit enter.
+4. The script `exec`s `setpriv --reuid=nobody --regid=nogroup --clear-groups
+   -- su -l <username>`. Dropping privileges first is critical: root
+   invoking `su` skips PAM authentication ("root can become anyone").
+5. `su` runs full PAM auth via `/etc/pam.d/su`, prompts for `Password:`,
+   authenticates against `/etc/shadow`, logs the attempt to
+   `/var/log/auth.log`, and on success drops to the user's shell at the
+   user's uid.
+
+Set `CR_TERMINAL_LOGIN=false` to skip the login flow (you land directly as
+root inside the host namespaces — convenient but not recommended).
+
+### Updating
+
+```bash
+git pull
+docker compose -f deploy/docker-compose.yml up -d --build
+```
+
+For a published release tag, swap the `image:` in the compose file from
+`controlroom:dev` (local build) to `ghcr.io/tm4rtin17/controlroom:v0.2.x`
+and `docker compose pull && docker compose up -d`.
+
+### Uninstall
+
+```bash
+docker compose -f deploy/docker-compose.yml down
+docker volume rm controlroom-data    # nukes admin account, JWT key, TLS, audit log
+```
+
+### Common pitfalls
+
+- **All tabs say "unavailable" on first load**: the boot log will show
+  exactly which integration is failing. `docker compose logs controlroom`
+  and look for `systemd unavailable`, `journalctl not in PATH`, etc. Each
+  warning maps to a specific mount that didn't apply.
+- **Terminal: "no usable shell on host"**: the image isn't the
+  fat-privileged one (still distroless). Rebuild: `docker compose build`.
+- **Terminal: drops you to root without password**: confirm
+  `CR_TERMINAL_LOGIN=true` is set. `docker exec controlroom env | grep
+  TERMINAL`. If it's set and you still skip the password prompt, check
+  that `/usr/bin/setpriv` exists in the image: `docker exec controlroom
+  which setpriv`.
+- **Kubernetes tab hidden**: the host kubeconfig isn't mounted, or the
+  network can't reach the API server. Verify the bind mount:
+  `docker exec controlroom ls -la /etc/k3s/kubeconfig`. From the host:
+  `curl -sk https://127.0.0.1:6443/livez` should return `ok`.
+- **Logs tab works but Services doesn't**: the dbus socket isn't writable
+  in the container, or the host doesn't run systemd (e.g. Alpine). Check
+  `ls -la /var/run/dbus/system_bus_socket` on the host and `docker exec
+  controlroom ls -la /var/run/dbus/system_bus_socket` in the container.
+
+---
+
+## Path C — In-cluster Kubernetes Pod
+
+Run ControlRoom *inside* the cluster it manages. Useful when you want a
+ControlRoom that's only for the K8s tab — the host integrations (Services,
+Updates, Network, host Terminal, Journal Logs) are intentionally not wired
+in this shape.
+
+### Prerequisites
+
+- A K3s / k8s cluster you can `kubectl apply` to.
+- The `controlroom` image available to the cluster's runtime. Two options:
+  1. Pull from a registry: edit `deploy/k8s/deployment.yaml` to point at
+     `ghcr.io/tm4rtin17/controlroom:v0.2.x` and ensure your nodes can pull
+     from GHCR.
+  2. Side-load a locally-built image: `make image && docker save controlroom:dev
+     | sudo k3s ctr images import -` (run on **every** node in a multi-node
+     cluster — k3s' embedded containerd doesn't share images cluster-wide).
+- Storage class. The PVC requests `local-path` (the K3s default). If your
+  cluster uses a different storage class, edit `deploy/k8s/pvc.yaml`.
+- An ingress controller if you want hostname-based access. The default
+  `deploy/k8s/ingress.yaml` is a `networking.k8s.io/v1` Ingress with
+  `ingressClassName: traefik` (K3s default).
+
+### Install
+
+```bash
+kubectl apply -f deploy/k8s/namespace.yaml
+kubectl apply -f deploy/k8s/rbac.yaml
+kubectl apply -f deploy/k8s/pvc.yaml
+kubectl apply -f deploy/k8s/deployment.yaml
+kubectl apply -f deploy/k8s/service.yaml
+# Optional:
+kubectl apply -f deploy/k8s/ingress.yaml
+
+kubectl -n controlroom rollout status deployment/controlroom --timeout=90s
+kubectl -n controlroom logs deployment/controlroom | grep setup_token
+```
+
+The pod uses the projected ServiceAccount token to talk to the API server.
+No kubeconfig is needed.
+
+### What the ClusterRole grants
+
+Phase A + B — strictly read-only. See `deploy/k8s/rbac.yaml` for the
+canonical list:
+
+```yaml
+rules:
+  - apiGroups: [""]
+    resources: [nodes, namespaces, pods, services, configmaps, events, endpoints]
+    verbs: [get, list, watch]
+  - apiGroups: [""]
+    resources: [pods/log]
+    verbs: [get]
+  - apiGroups: ["apps"]
+    resources: [deployments, statefulsets, daemonsets, replicasets]
+    verbs: [get, list, watch]
+```
+
+No `secrets`, no `persistentvolumes`, no write verbs. Phase C will widen
+this to include `patch` and `delete` on Deployments / Pods for lifecycle
+actions.
+
+### Accessing the SPA
+
+Three options, in order of typical preference:
+
+1. **Ingress** (`deploy/k8s/ingress.yaml`): edit the host (defaults to
+   `controlroom.roninlab.dev`), apply, point DNS at the ingress controller.
+   For TLS, wire cert-manager separately — the manifest leaves it as a TODO
+   comment.
+2. **Port-forward** (works without ingress): `kubectl -n controlroom
+   port-forward svc/controlroom 8443:443 --address 0.0.0.0` then visit
+   `https://<your-machine>:8443`.
+3. **NodePort** (edit the Service `spec.type` to `NodePort`): cluster-wide
+   `:30443` or whatever NodePort gets assigned.
+
+### First-run setup
+
+Same wizard as the other shapes — paste the token, create your admin, etc.
+
+### Updating
+
+```bash
+git pull
+make image
+docker save controlroom:dev | sudo k3s ctr images import -    # repeat on every node
+kubectl -n controlroom rollout restart deployment/controlroom
+kubectl -n controlroom rollout status deployment/controlroom --timeout=90s
+```
+
+### Uninstall
+
+```bash
+kubectl delete namespace controlroom    # nukes everything including the PVC
+```
+
+### Common pitfalls
+
+- **`ImagePullBackOff` after install**: the image isn't on the node.
+  `make image` only writes to your local Docker daemon, not k3s'
+  containerd. Run the `docker save | k3s ctr images import` dance on every
+  node.
+- **`/api/k8s` returns 503 once you log in**: the projected SA token wasn't
+  picked up. `kubectl -n controlroom describe pod -l app.kubernetes.io/name=controlroom`
+  and check that `serviceAccountName: controlroom` is set on the spec.
+- **Pod logs streaming fails with 403**: the ClusterRole is missing
+  `pods/log`. Make sure you applied `rbac.yaml` from this branch (Phase A's
+  rbac didn't include it; Phase B does).
+
+---
 
 ## TLS modes
 
-| `CR_TLS_MODE` | Behaviour                                                     |
-|---------------|----------------------------------------------------------------|
-| `selfsigned`  | (default) Generates a 10-year ECDSA self-signed cert at first boot under `$DATA_DIR/tls/`. |
-| `acme`        | Uses Let's Encrypt via HTTP-01. Requires `CR_ACME_HOST` and `CR_ACME_EMAIL`. The host must be reachable on **port 80** from the public internet during issuance and renewal. |
-| `proxy`       | Stub for "TLS terminated by an upstream reverse proxy." Bind plain HTTP on the loopback (e.g. `CR_ADDR=127.0.0.1:8080`) and let the proxy speak HTTPS. |
-
-Pair `acme` with `--ports 80:80 8443:443` (or your reverse proxy) and ensure
-DNS for `CR_ACME_HOST` already resolves to the host before starting.
-
-## Configuration reference
-
-All settings are environment variables. Persist them in
-`/etc/controlroom/controlroom.env` (read by the systemd unit) for bare-metal,
-or pass them to `docker compose` via `environment:`.
-
-| Var                  | Default                       | Purpose                                  |
-|----------------------|-------------------------------|-------------------------------------------|
-| `CR_ADDR`            | `:8443`                        | TLS bind address.                         |
-| `CR_DATA_DIR`        | `/var/lib/controlroom`         | TLS material, SQLite, audit log.          |
-| `CR_TLS_MODE`        | `selfsigned`                   | `selfsigned` \| `acme` \| `proxy`.        |
-| `CR_ACME_HOST`       | —                              | Required when `acme`.                     |
-| `CR_ACME_EMAIL`      | —                              | Required when `acme`.                     |
-| `CR_TRUST_PROXY`     | `false`                        | Honour `X-Forwarded-*` (proxy mode).      |
-| `CR_LOG_LEVEL`       | `info`                         | `debug` \| `info` \| `warn` \| `error`.   |
-| `CR_DOCKER_SOCK`     | `/var/run/docker.sock`         | Empty disables container management.      |
-| `CR_SESSION_HOURS`   | `168` (7d)                     | Refresh-token lifetime.                   |
-| `CR_HOST_NAME`       | (kernel hostname)              | Display name in the SPA title bar.        |
-| `CR_VERSION_CHECK`   | `false`                        | Opt-in: daily release check on GitHub.    |
-| `CR_DEV`             | `false`                        | Plain HTTP + non-Secure cookies. Dev only.|
-
-## After install
-
-1. Read [`SECURITY.md`](./SECURITY.md) for the threat model and what's
-   actually enforced today.
-2. Lock down inbound access. ControlRoom is not designed to be exposed
-   directly to the public internet — put it behind a VPN, SSH tunnel, or
-   reverse proxy with strict firewall rules.
-3. Enable two-factor authentication (Settings → Two-factor authentication)
-   on every admin account.
+All three deployment shapes share the same TLS configuration. Set with
+`CR_TLS_MODE`.
+
+| Mode | Behaviour |
+|---|---|
+| `selfsigned` (default) | Generates an ECDSA P-256 self-signed cert at first boot under `$CR_DATA_DIR/tls/`. 10-year validity. SAN entries: `localhost`, the kernel hostname, every non-loopback IPv4 on the host. |
+| `acme` | Let's Encrypt via HTTP-01 (`golang.org/x/crypto/acme/autocert`). Requires `CR_ACME_HOST` and `CR_ACME_EMAIL`. The host must be reachable on **port 80** from the public internet during issuance and renewal. Cache lives in `$CR_DATA_DIR/acme/`. |
+| `proxy` | Bind plain HTTP and front with a TLS-terminating reverse proxy. Set `CR_ADDR=127.0.0.1:8080` (or similar) so only the proxy can reach the backend, and `CR_TRUST_PROXY=true` so `X-Forwarded-*` is honored for client IP / scheme. |
+
+For container deployments using `acme`, you'll also need to add `- "80:80"`
+to the `ports:` section (or remove `network_mode: host` and use port mapping).
+
+For the in-cluster Pod, `acme` is not the right model — terminate TLS at
+the ingress controller via cert-manager and run ControlRoom with
+`CR_TLS_MODE=proxy` (or keep `selfsigned` and let the ingress proxy to
+HTTPS).
+
+---
+
+## Kubernetes integration
+
+ControlRoom's K8s client (`internal/k8s/client.go`) tries connection
+sources in this order:
+
+1. **In-cluster** (`rest.InClusterConfig()`) — uses the projected
+   ServiceAccount token at `/var/run/secrets/kubernetes.io/serviceaccount/`.
+   Used automatically when ControlRoom runs as a Pod with a SA mounted.
+2. **`$KUBECONFIG`** — explicit override. Set this to point at any
+   kubeconfig file readable by the controlroom process.
+3. **`~/.kube/config`** — the standard local kubeconfig path.
+4. **`/etc/rancher/k3s/k3s.yaml`** — K3s default location.
+
+If none works, `/api/system/capabilities` reports `kubernetes: false` and
+the SPA hides the Kubernetes tab.
+
+### From a Docker container with a non-host network
+
+If you run the container with a custom bridge instead of `network_mode: host`,
+the kubeconfig's `server: https://127.0.0.1:6443` won't resolve to the host's
+loopback. Use `deploy/scripts/setup-host-kubeconfig.sh` to generate a copy
+with the server URL rewritten to a host IP that's in the cert SAN:
+
+```bash
+sudo deploy/scripts/setup-host-kubeconfig.sh
+```
+
+The script auto-detects the IP from `/etc/rancher/k3s/config.yaml` `node-ip`,
+falling back to `hostname -I`. Override with `HOST_IP=`.
+
+It writes `/var/lib/controlroom/kubeconfig` mode 0600 owned by 65532. Mount
+that into the container at `/etc/k3s/kubeconfig` and set `KUBECONFIG=/etc/k3s/kubeconfig`.
+
+---
+
+## After install — checklist
+
+1. **Read [`SECURITY.md`](./SECURITY.md)** for the threat model that matches
+   your deployment shape.
+2. **Lock down inbound access.** ControlRoom is not designed to be exposed
+   directly to the public internet. Put it behind a VPN (Tailscale,
+   WireGuard), an SSH tunnel, or a reverse proxy with strict firewall
+   rules.
+3. **Enable two-factor authentication** in Settings → Two-factor
+   authentication. Required on every admin account in shared
+   environments.
+4. **Set strong host passwords** for any user the Terminal tab will let
+   operators authenticate as. PAM is doing the work; weak host passwords
+   = weak terminal access.
+5. **Verify the audit log is writing**. Settings → Audit log. You should
+   see your own login event from a moment ago.
+
+## Next steps / further reading
+
+- [`docs/CONFIG.md`](./CONFIG.md) — every environment variable and which
+  tabs depend on each.
+- [`docs/SECURITY.md`](./SECURITY.md) — full threat model, per-shape
+  privilege scoping, what's enforced and what's a known gap.
+- [`SPEC.md`](../SPEC.md) — design spec.
+- [`MILESTONES.md`](../MILESTONES.md) — milestone tracker.
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index ef57f2d..a9a6a84 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -1,14 +1,15 @@
-# Security model — v0.1
+# Security model
 
 This document describes ControlRoom's threat model and the implementation
-choices made through v0.1. It tracks what's *actually shipped*; for the
+choices made through v0.2. It tracks what's *actually shipped*; for the
 forward-looking design, see [`../SPEC.md`](../SPEC.md) §5.
 
 ## Threat model
 
 ControlRoom is designed for a single trusted operator (or a small team) on
-a LAN, with optional remote access via a reverse proxy or VPN. **It is not
-designed to be exposed raw to the public internet.**
+a LAN, with optional remote access via a VPN (Tailscale / WireGuard / SSH
+tunnel) or a TLS-terminating reverse proxy with strict firewall rules.
+**It is not designed to be exposed raw to the public internet.**
 
 In scope:
 - Network attacker who can read TLS-protected requests but can't break
@@ -29,9 +30,9 @@ Out of scope:
 | Surface | Implementation |
 |---|---|
 | Password hashing | bcrypt cost 12 (`internal/auth/password.go`). |
-| TOTP | RFC 6238, 6 digits / 30 s / SHA-1, ±1-step verify (`internal/auth/totp.go`). Optional. |
-| Access token | HS256 JWT, 15 min TTL. Key in `$DATA_DIR/jwt.key` (mode 0600). |
-| Refresh token | Opaque `<session_id>.<32-byte-secret>`; only sha256 stored in `sessions.refresh_hash`. 7 day TTL. |
+| TOTP | RFC 6238, 6 digits / 30 s / SHA-1, ±1-step verify (`internal/auth/totp.go`). Optional but recommended. |
+| Access token | HS256 JWT, 15 min TTL. Key in `$CR_DATA_DIR/jwt.key` (mode 0600). |
+| Refresh token | Opaque `<session_id>.<32-byte-secret>`; only sha256 stored in `sessions.refresh_hash`. 7 day TTL by default (`CR_SESSION_HOURS`). |
 | Rotation | Every refresh creates a new session in the same `family_id` and revokes the parent. |
 | Reuse detection | Presenting a revoked session that already has a child → entire family revoked (`internal/auth/sessions.go`). Logged-out childless sessions are simply invalid (no family burn). |
 | Brute force | Per-IP token bucket (5/min) on login + per-username exponential backoff (30 s → 1 h cap). |
@@ -54,7 +55,14 @@ group only — login/refresh/setup are exempt because they have no prior session
 to mirror from. `SameSite=Strict` on every cookie blocks cross-origin POSTs in
 modern browsers.
 
-## Privilege scoping (bare-metal install)
+## Privilege scoping by deployment shape
+
+The privilege model differs significantly between the three deployment
+shapes — pick the one whose blast radius matches your threat model.
+
+### Shape A — Bare-metal (`deploy/install.sh`)
+
+The default path. Lowest privilege.
 
 The systemd unit (`deploy/controlroom.service`) runs as a dedicated
 `controlroom` system user with:
@@ -67,17 +75,103 @@ The systemd unit (`deploy/controlroom.service`) runs as a dedicated
   Docker socket when present.
 
 A tight `/etc/sudoers.d/controlroom` fragment NOPASSWDs only the exact
-commands ControlRoom needs (apt update/upgrade, systemctl reboot, the UFW
-verbs used by `/api/network/firewall/*`). Everything else still requires the
-operator to authenticate.
-
-The fragment is validated with `visudo -c` before installation —
-`install.sh` aborts on parse failure.
+commands ControlRoom needs:
+- `apt-get update`, `apt-get install -y --only-upgrade …`
+- `systemctl reboot`
+- The specific `ufw` verbs used by `/api/network/firewall/*`
+
+Everything else still requires the operator to authenticate. The fragment
+is validated with `visudo -c` before installation — `install.sh` aborts
+on parse failure.
+
+**Compromise impact**: an attacker who pwns the controlroom binary can:
+- Read the journal (group `adm`).
+- Talk to the Docker daemon (group `docker`).
+- Run the exact sudoers-allowlisted commands as root.
+- Read `$CR_DATA_DIR` (the JWT key, the audit log, the SQLite DB).
+
+They **cannot** spawn arbitrary root shells, edit `/etc/sudoers`, install
+packages outside the allowlisted apt verbs, or read other users' homes.
+
+### Shape B — Docker container (`deploy/docker-compose.yml`)
+
+The fat-privileged path. Highest blast radius. Read this section.
+
+The container runs as **root** (uid 0) with:
+- `network_mode: host` — shares the host's network namespace.
+- `pid: host` — shares the host's PID namespace; `nsenter -t 1` reaches
+  systemd as PID 1.
+- `cap_add: [SYS_ADMIN, SYS_PTRACE, NET_ADMIN]`.
+- `security_opt: [apparmor:unconfined, seccomp:unconfined]`.
+
+And bind-mounts:
+- `/var/run/docker.sock:ro` (the Docker daemon)
+- `/var/run/dbus/system_bus_socket:rw` (host systemd dbus)
+- `/run/log/journal`, `/var/log/journal`, `/etc/machine-id` (host journal)
+- `/etc/rancher/k3s/k3s.yaml:ro` (kubeconfig with cluster-admin creds)
+- `/var/cache/apt:rw`, `/etc/apt:ro`, `/var/lib/dpkg:ro` (host apt state)
+
+**Compromise impact**: an attacker who pwns the controlroom binary in this
+shape has **effective root on the host**. They can `nsenter -t 1` to PID 1
+and execute arbitrary commands as root, read the K3s admin kubeconfig and
+take over the cluster, write to `/var/cache/apt` and arrange for any apt
+operation to install attacker-controlled packages, talk to the Docker
+daemon and create privileged containers.
+
+This is the deliberate tradeoff for getting all host integrations working
+from a container without sidecars. **Use only on single-user homelabs
+where the operator already has root** and where the convenience is
+explicitly worth the loss of container isolation.
+
+If your threat model doesn't accept this, use Shape A.
+
+### Shape C — In-cluster Kubernetes Pod (`deploy/k8s/`)
+
+Cluster-only path. Constrained privilege within the cluster, no host
+reach.
+
+The Pod runs as:
+- `runAsNonRoot: true`, `runAsUser: 65532`, `runAsGroup: 65532`,
+  `fsGroup: 65532` (so the PVC is writable by the nonroot user).
+- `seccompProfile: RuntimeDefault`.
+- `allowPrivilegeEscalation: false`.
+- `readOnlyRootFilesystem: true` (binary doesn't need a writable root;
+  `/data` is the only writable mount, via the PVC).
+- `capabilities: { drop: [ALL] }`.
+
+Cluster permissions are scoped via the `controlroom-reader` `ClusterRole`:
+
+```yaml
+rules:
+  - apiGroups: [""]
+    resources: [nodes, namespaces, pods, services, configmaps, events, endpoints]
+    verbs: [get, list, watch]
+  - apiGroups: [""]
+    resources: [pods/log]
+    verbs: [get]
+  - apiGroups: ["apps"]
+    resources: [deployments, statefulsets, daemonsets, replicasets]
+    verbs: [get, list, watch]
+```
+
+**Explicitly excluded** from Phase A/B: `secrets`, `persistentvolumes`,
+`persistentvolumeclaims` (cluster-scoped), and **all write verbs**. Phase
+C will widen this to `patch`/`delete` on Deployments and Pods for
+lifecycle actions; it will not add `secrets` access without a separate
+opt-in.
+
+**Compromise impact**: an attacker who pwns the controlroom binary in
+this shape can read everything the ClusterRole grants — that's the cluster
+inventory, pod logs, and configmaps. They cannot mutate the cluster, read
+secrets, escape the Pod, or reach the host.
+
+This is the lowest-risk shape but doesn't give you the host integrations
+(no Services / Updates / Network / Logs / host Terminal).
 
 ## Audit
 
-Every privileged action writes a row to `audit_log` (best-effort; never fails
-the parent request):
+Every privileged action writes a row to `audit_log` (best-effort; never
+fails the parent request):
 
 - Auth: login success/failure (with reason), logout, refresh, refresh-reuse,
   TOTP enable/disable, password change.
@@ -85,40 +179,68 @@ the parent request):
 - Services / containers: each lifecycle action with target + outcome.
 - Updates: check / apply / reboot job starts.
 - Firewall: rule add/delete + enable/disable with the rule spec.
-- Terminal: `session_start` and `session_end` (duration, bytes_in, bytes_out,
-  exit code). Keystrokes are **never** recorded.
+- Terminal: `session_start` and `session_end` (duration, bytes_in,
+  bytes_out, exit code). **Keystrokes are never recorded.**
+
+For Shape B specifically, host-level auth events flow through PAM rather
+than ControlRoom's audit table:
+- The Terminal's `su -l <user>` invocation writes to `/var/log/auth.log`
+  via `pam_unix`. Lockouts (`pam_faillock` if configured) apply.
+- `apt-get` operations are logged in `/var/log/apt/history.log` and
+  `/var/log/apt/term.log`.
+
+This is intentional — the host's audit trail survives ControlRoom
+restarts and re-creates.
 
 Retention is unbounded today — see "Known gaps" below.
 
 ## TLS
 
-Three modes:
+Three modes, set with `CR_TLS_MODE`. See [`INSTALL.md` → TLS modes](./INSTALL.md#tls-modes)
+for operator instructions.
+
+In every mode:
+- TLS 1.2+ only. Older protocols disabled.
+- Cipher suites exclude CBC / RC4 / 3DES; TLS 1.3 uses the std-lib's
+  fixed list.
+- ALPN advertises `http/1.1` only (no h2 in this version — h2 had a
+  goroutine leak interaction with the WS upgrader that's still being
+  triaged).
+- ECDSA P-256 keys preferred over RSA where we generate.
+
+## Public-bind detection
 
-- `selfsigned` — generated at first boot under `$DATA_DIR/tls/`, ECDSA P-256,
-  10-year validity, SAN entries for `localhost`, the kernel hostname, and
-  every non-loopback IPv4 on the host.
-- `acme` — Let's Encrypt via HTTP-01 (`golang.org/x/crypto/acme/autocert`),
-  cache in `$DATA_DIR/acme/`. Port 80 must be reachable.
-- `proxy` — bind plain HTTP on loopback and front with a TLS-terminating
-  reverse proxy.
+The SPA shows a destructive banner ("Public-looking address") when reached
+from an IP that doesn't look like:
+- RFC 1918 (10/8, 172.16/12, 192.168/16)
+- Link-local (169.254/16, fe80::/10)
+- IPv6 ULA (fc00::/7)
+- Loopback (127/8, ::1)
+- **RFC 6598 / Tailscale CGNAT (100.64.0.0/10)** — added so admins reaching
+  ControlRoom over Tailscale don't get a misleading warning.
 
-In every mode, the cipher suite list excludes anything below TLS 1.2 and the
-deprecated CBC/RC4/3DES suites. TLS 1.3 uses the std-lib's fixed list.
+This is a heuristic on `window.location.hostname` — it's about the URL the
+operator dialed, not what the server is bound to. False negatives are
+possible (e.g. a bare hostname like `homelab.local`).
 
-## Known gaps (post-v0.1)
+## Known gaps (post-v0.2)
 
 These are documented and tracked, not silently missing:
 
 - **Settings persistence**: host display name and the version-check toggle
-  are read from env only — no UI write yet. Comes with v0.2 alongside RBAC.
-- **API integration tests** for the auth/setup flows. Unit tests cover the
-  security-critical pieces (rotation, reuse, password, TOTP, ratelimit
-  validation).
-- **Audit log retention/rotation**. Grows unbounded today.
-- **HSTS / CSP headers**. Planned for the next polish pass.
-- **Netplan editing**. Read-only interfaces today.
-- **Public-bind detection** in the SPA is best-effort (RFC 1918 heuristic on
-  the URL bar).
+  are read from env only — no UI write yet. Promotion to a settings table
+  comes with the v0.3 RBAC work.
+- **Audit log retention/rotation**: grows unbounded today.
+- **HSTS / CSP headers**: planned for the next polish pass.
+- **Netplan editing**: read-only interfaces today.
+- **K8s lifecycle actions** (Phase C of the Kubernetes tab): scale,
+  restart, delete, cordon. Read-only through Phase A + B.
+- **K8s exec / manifest edit** (Phase D): kubectl-exec into pods, Monaco
+  editor for manifest YAML, ConfigMap and Secret editors. Separate auth
+  story to design.
+- **TLS-via-cert-manager** in the in-cluster shape: the default
+  `deploy/k8s/ingress.yaml` leaves TLS as a TODO comment for the
+  operator's chosen ClusterIssuer.
 
 ## Reporting
 

From 7755b9a2d6beeb5f2d555f1bfad06cfe3e81000a Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 20:52:48 -0700
Subject: [PATCH 14/25] =?UTF-8?q?k8s:=20Phase=20C=20lifecycle=20actions=20?=
 =?UTF-8?q?=E2=80=94=20restart,=20scale,=20delete=20pod,=20cordon?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds the four standard cluster operations to the SPA, with audit and
RBAC scoped to exactly what's needed.

Backend (internal/k8s/actions.go, internal/api/k8s/k8s.go)
  - RestartWorkload(ns, kind, name): merge-patches the pod template
    annotations with kubectl.kubernetes.io/restartedAt = now.
    Same trick `kubectl rollout restart` uses. Works for Deployment /
    StatefulSet / DaemonSet via case-insensitive kind dispatch.
  - ScaleWorkload(ns, kind, name, replicas): GetScale → mutate
    Spec.Replicas → UpdateScale, preserving resourceVersion so the
    optimistic-concurrency check in the API server actually fires.
    Deployment + StatefulSet only; DaemonSet returns 400.
  - DeletePod(ns, name, gracePeriod, force): Delete with optional
    grace-period override. force=true hard-overrides ?grace=N to 0.
  - CordonNode(name, cordoned): merge-patches spec.unschedulable.
    Distinct audit actions for cordon vs uncordon so the trail
    captures intent.

  - Validation: every :namespace, :name, :kind goes through the
    existing DNS-1123 regex + length guard. Replicas bounds-checked
    0..1000 server-side.
  - Audit: every action writes a store.AuditEntry with
    target=ns/name (or just name for cluster-scoped Node), detail
    map carrying the relevant params. Outcome=failure includes the
    error message. Best-effort write, never fails the request.
  - DB threaded into k8sapi.Deps; router updated.

RBAC widening (deploy/k8s/rbac.yaml)
  - apps/{deployments,statefulsets,daemonsets}: patch  (restart)
  - apps/{deployments,statefulsets}/scale:    update (scale)
  - core/pods:                                 delete (rotate)
  - core/nodes:                                patch  (cordon)
  - Still NO secrets, NO persistentvolumes, NO delete on apps/*
    (would let the SPA wipe a workload outside GitOps).

Frontend (web/src/lib/k8s.ts + the three Detail drawers)
  - useRestartWorkload, useScaleWorkload, useDeletePod, useCordonNode
    — each useMutation invalidates the matching list + detail keys
    on success. Pattern matches useContainerAction.
  - WorkloadDetail: Restart button (always); Scale button with a
    number input prefilled from ready.desired (Deployment+STS only).
  - PodDetail: red Delete button with a "Force (skip graceful
    shutdown)" checkbox; closes the drawer on success via a new
    onClose prop wired up from routes/Kubernetes.tsx.
  - NodeDetail: toggle button derives current cordon state from the
    node.kubernetes.io/unschedulable taint (which `kubectl cordon`
    applies), falling back to the SchedulingDisabled condition.
  - Every destructive action goes through AlertDialog with the
    impact spelled out. Pending state + inline error on failure.

Verified end-to-end:
  - make image succeeds at 230MB.
  - Image loaded to both K3s nodes.
  - kubectl apply rbac.yaml; rollout restart succeeds.
  - 4 new endpoints all return 401 (auth required, routes mounted).
  - kubectl auth can-i {patch deployments, update deployments/scale,
    delete pods, patch nodes} as the SA → all "yes".
  - SPA bundle contains all four action mutation hooks.
---
 deploy/k8s/rbac.yaml                      |  30 +++-
 internal/api/k8s/k8s.go                   | 200 +++++++++++++++++++++-
 internal/api/router.go                    |   2 +-
 internal/k8s/actions.go                   | 110 ++++++++++++
 web/src/components/k8s/NodeDetail.tsx     |  78 ++++++++-
 web/src/components/k8s/PodDetail.tsx      |  92 +++++++++-
 web/src/components/k8s/WorkloadDetail.tsx | 120 ++++++++++++-
 web/src/lib/k8s.ts                        |  62 ++++++-
 web/src/routes/Kubernetes.tsx             |   1 +
 9 files changed, 672 insertions(+), 23 deletions(-)
 create mode 100644 internal/k8s/actions.go

diff --git a/deploy/k8s/rbac.yaml b/deploy/k8s/rbac.yaml
index 02ea952..4e5da0e 100644
--- a/deploy/k8s/rbac.yaml
+++ b/deploy/k8s/rbac.yaml
@@ -7,8 +7,15 @@ metadata:
 ---
 # Phase A: read-only access to core cluster resources.
 # Phase B widens with pods/log so the SPA can stream container output.
-# Phase C will widen further for write actions; do NOT add secrets,
-# persistentvolumes, or any write verb here yet.
+# Phase C widens with the verbs needed for lifecycle actions:
+#   - patch on apps/{deployments,statefulsets,daemonsets} for `rollout restart`
+#     (annotation patch on .spec.template.metadata).
+#   - update on apps/{deployments,statefulsets}/scale subresource.
+#   - delete on pods (controller-driven recreate).
+#   - patch on nodes for cordon/uncordon (.spec.unschedulable).
+# We still do NOT grant access to secrets, persistentvolumes, or destructive
+# verbs on workloads (delete on apps/* would let the operator wipe a workload
+# from the SPA without going through GitOps).
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -28,6 +35,14 @@ rules:
     resources:
       - pods/log
     verbs: [get]
+  - apiGroups: [""]
+    resources:
+      - pods
+    verbs: [delete]
+  - apiGroups: [""]
+    resources:
+      - nodes
+    verbs: [patch]
   - apiGroups: ["apps"]
     resources:
       - deployments
@@ -35,6 +50,17 @@ rules:
       - daemonsets
       - replicasets
     verbs: [get, list, watch]
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+      - statefulsets
+      - daemonsets
+    verbs: [patch]
+  - apiGroups: ["apps"]
+    resources:
+      - deployments/scale
+      - statefulsets/scale
+    verbs: [update]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/internal/api/k8s/k8s.go b/internal/api/k8s/k8s.go
index 2d4308b..2ad24cf 100644
--- a/internal/api/k8s/k8s.go
+++ b/internal/api/k8s/k8s.go
@@ -1,4 +1,4 @@
-// Package k8s serves /api/k8s/* — read-only cluster inspection.
+// Package k8s serves /api/k8s/* — read-only cluster inspection plus write actions.
 // If Client is nil the module is disabled and every handler returns 503.
 package k8s
 
@@ -15,12 +15,15 @@ import (
 	"github.com/gofiber/websocket/v2"
 	"github.com/rs/zerolog"
 
+	"github.com/tm4rtin17/controlroom/internal/api/middleware"
 	"github.com/tm4rtin17/controlroom/internal/k8s"
+	"github.com/tm4rtin17/controlroom/internal/store"
 )
 
 // Deps mirrors the pattern used by api/services and api/containers.
 type Deps struct {
 	Client *k8s.Client // nil → module disabled
+	DB     *store.DB
 	Logger zerolog.Logger
 }
 
@@ -40,16 +43,20 @@ func validK8sName(s string) bool {
 	return len(s) > 0 && len(s) <= 253 && dns1123RE.MatchString(s)
 }
 
-// MountHTTP registers GET routes on the authenticated router group.
+// MountHTTP registers REST endpoints on the authenticated router group.
 func MountHTTP(authed fiber.Router, d Deps) {
 	g := authed.Group("/k8s")
 	g.Get("/nodes", d.nodesHandler)
 	g.Get("/nodes/:name", d.nodeDetailHandler)
+	g.Post("/nodes/:name/cordon", d.cordonNodeHandler)
 	g.Get("/namespaces", d.namespacesHandler)
 	g.Get("/workloads", d.workloadsHandler)
 	g.Get("/workloads/:namespace/:kind/:name", d.workloadDetailHandler)
+	g.Post("/workloads/:namespace/:kind/:name/restart", d.restartWorkloadHandler)
+	g.Post("/workloads/:namespace/:kind/:name/scale", d.scaleWorkloadHandler)
 	g.Get("/pods", d.podsHandler)
 	g.Get("/pods/:namespace/:name", d.podDetailHandler)
+	g.Delete("/pods/:namespace/:name", d.deletePodHandler)
 	g.Get("/services", d.servicesHandler)
 	g.Get("/services/:namespace/:name", d.serviceDetailHandler)
 }
@@ -227,6 +234,195 @@ func (d Deps) serviceDetailHandler(c *fiber.Ctx) error {
 	return c.JSON(detail)
 }
 
+// ---- write action handlers ----
+
+func (d Deps) restartWorkloadHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	namespace := c.Params("namespace")
+	kind := c.Params("kind")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	if !validWorkloadKind(kind) {
+		return fiber.NewError(http.StatusBadRequest, fmt.Sprintf("invalid workload kind %q: must be deployment, statefulset, or daemonset", kind))
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid workload name")
+	}
+
+	normalKind := strings.ToLower(kind)
+	err := d.Client.RestartWorkload(c.Context(), namespace, normalKind, name)
+	entry := store.AuditEntry{
+		IP:      c.IP(),
+		Action:  "k8s." + normalKind + ".restart",
+		Target:  namespace + "/" + name,
+		Outcome: "success",
+	}
+	if u := middleware.CurrentUser(c); u != nil {
+		entry.UserID = u.ID
+	}
+	if err != nil {
+		entry.Outcome = "failure"
+		entry.Detail = map[string]any{"error": err.Error()}
+		_ = d.DB.WriteAudit(c.Context(), entry)
+		return fiber.NewError(http.StatusInternalServerError, "restart failed: "+err.Error())
+	}
+	_ = d.DB.WriteAudit(c.Context(), entry)
+	return c.JSON(fiber.Map{"ok": true, "message": "rollout restarted"})
+}
+
+func (d Deps) scaleWorkloadHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	namespace := c.Params("namespace")
+	kind := c.Params("kind")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	normalKind := strings.ToLower(kind)
+	if normalKind == "daemonset" {
+		return fiber.NewError(http.StatusBadRequest, "daemonsets cannot be scaled")
+	}
+	if normalKind != "deployment" && normalKind != "statefulset" {
+		return fiber.NewError(http.StatusBadRequest, fmt.Sprintf("invalid workload kind %q: must be deployment or statefulset", kind))
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid workload name")
+	}
+
+	var body struct {
+		Replicas *int32 `json:"replicas"`
+	}
+	if err := c.BodyParser(&body); err != nil {
+		return fiber.NewError(http.StatusBadRequest, "invalid request body")
+	}
+	if body.Replicas == nil {
+		return fiber.NewError(http.StatusBadRequest, "replicas is required")
+	}
+	if *body.Replicas < 0 || *body.Replicas > 1000 {
+		return fiber.NewError(http.StatusBadRequest, "replicas must be between 0 and 1000")
+	}
+
+	newCount, err := d.Client.ScaleWorkload(c.Context(), namespace, normalKind, name, *body.Replicas)
+	entry := store.AuditEntry{
+		IP:      c.IP(),
+		Action:  "k8s." + normalKind + ".scale",
+		Target:  namespace + "/" + name,
+		Outcome: "success",
+		Detail:  map[string]any{"replicas": *body.Replicas},
+	}
+	if u := middleware.CurrentUser(c); u != nil {
+		entry.UserID = u.ID
+	}
+	if err != nil {
+		entry.Outcome = "failure"
+		entry.Detail = map[string]any{"replicas": *body.Replicas, "error": err.Error()}
+		_ = d.DB.WriteAudit(c.Context(), entry)
+		return fiber.NewError(http.StatusInternalServerError, "scale failed: "+err.Error())
+	}
+	_ = d.DB.WriteAudit(c.Context(), entry)
+	return c.JSON(fiber.Map{"ok": true, "replicas": newCount})
+}
+
+func (d Deps) deletePodHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	namespace := c.Params("namespace")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid pod name")
+	}
+
+	force := c.Query("force") == "true"
+	var gracePeriod *int64
+	if g := c.Query("grace"); g != "" {
+		var n int64
+		if _, err := fmt.Sscanf(g, "%d", &n); err != nil || n < 0 || n > 600 {
+			return fiber.NewError(http.StatusBadRequest, "grace must be an integer between 0 and 600")
+		}
+		gracePeriod = &n
+	}
+
+	detail := map[string]any{"force": force}
+	if gracePeriod != nil {
+		detail["grace"] = *gracePeriod
+	}
+
+	err := d.Client.DeletePod(c.Context(), namespace, name, gracePeriod, force)
+	entry := store.AuditEntry{
+		IP:      c.IP(),
+		Action:  "k8s.pod.delete",
+		Target:  namespace + "/" + name,
+		Outcome: "success",
+		Detail:  detail,
+	}
+	if u := middleware.CurrentUser(c); u != nil {
+		entry.UserID = u.ID
+	}
+	if err != nil {
+		entry.Outcome = "failure"
+		entry.Detail = map[string]any{"force": force, "error": err.Error()}
+		_ = d.DB.WriteAudit(c.Context(), entry)
+		return fiber.NewError(http.StatusInternalServerError, "delete pod failed: "+err.Error())
+	}
+	_ = d.DB.WriteAudit(c.Context(), entry)
+	return c.JSON(fiber.Map{"ok": true})
+}
+
+func (d Deps) cordonNodeHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	name := c.Params("name")
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid node name")
+	}
+
+	var body struct {
+		Cordoned *bool `json:"cordoned"`
+	}
+	if err := c.BodyParser(&body); err != nil {
+		return fiber.NewError(http.StatusBadRequest, "invalid request body")
+	}
+	if body.Cordoned == nil {
+		return fiber.NewError(http.StatusBadRequest, "cordoned is required")
+	}
+
+	action := "k8s.node.cordon"
+	if !*body.Cordoned {
+		action = "k8s.node.uncordon"
+	}
+
+	err := d.Client.CordonNode(c.Context(), name, *body.Cordoned)
+	entry := store.AuditEntry{
+		IP:      c.IP(),
+		Action:  action,
+		Target:  name,
+		Outcome: "success",
+		Detail:  map[string]any{"cordoned": *body.Cordoned},
+	}
+	if u := middleware.CurrentUser(c); u != nil {
+		entry.UserID = u.ID
+	}
+	if err != nil {
+		entry.Outcome = "failure"
+		entry.Detail = map[string]any{"cordoned": *body.Cordoned, "error": err.Error()}
+		_ = d.DB.WriteAudit(c.Context(), entry)
+		return fiber.NewError(http.StatusInternalServerError, action+" failed: "+err.Error())
+	}
+	_ = d.DB.WriteAudit(c.Context(), entry)
+	return c.JSON(fiber.Map{"ok": true, "cordoned": *body.Cordoned})
+}
+
 // ---- WebSocket ----
 
 type wsLogFrame struct {
diff --git a/internal/api/router.go b/internal/api/router.go
index af9564b..9b9fbe5 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -122,7 +122,7 @@ func NewRouter(d Deps) *fiber.App {
 
 	networkapi.MountHTTP(guarded, networkapi.Deps{DB: d.DB, Logger: d.Logger})
 	logsapi.MountHTTP(guarded, logsapi.Deps{Logger: d.Logger})
-	k8sapi.MountHTTP(guarded, k8sapi.Deps{Client: d.K8s, Logger: d.Logger})
+	k8sapi.MountHTTP(guarded, k8sapi.Deps{Client: d.K8s, DB: d.DB, Logger: d.Logger})
 	settingsapi.MountHTTP(guarded, settingsapi.Deps{Cfg: d.Cfg, DB: d.DB})
 
 	// Catch-all 404 for unknown /api paths.
diff --git a/internal/k8s/actions.go b/internal/k8s/actions.go
new file mode 100644
index 0000000..3aca37f
--- /dev/null
+++ b/internal/k8s/actions.go
@@ -0,0 +1,110 @@
+package k8s
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// RestartWorkload triggers a controller-driven rollout by patching the pod
+// template annotation — the same mechanism as `kubectl rollout restart`.
+// kind is case-insensitive: deployment | statefulset | daemonset.
+func (c *Client) RestartWorkload(ctx context.Context, namespace, kind, name string) error {
+	restartedAt := time.Now().UTC().Format(time.RFC3339)
+	patch := map[string]any{
+		"spec": map[string]any{
+			"template": map[string]any{
+				"metadata": map[string]any{
+					"annotations": map[string]any{
+						"kubectl.kubernetes.io/restartedAt": restartedAt,
+					},
+				},
+			},
+		},
+	}
+	raw, err := json.Marshal(patch)
+	if err != nil {
+		return fmt.Errorf("marshal patch: %w", err)
+	}
+
+	switch strings.ToLower(kind) {
+	case "deployment":
+		_, err = c.cs.AppsV1().Deployments(namespace).Patch(ctx, name, types.MergePatchType, raw, metav1.PatchOptions{})
+	case "statefulset":
+		_, err = c.cs.AppsV1().StatefulSets(namespace).Patch(ctx, name, types.MergePatchType, raw, metav1.PatchOptions{})
+	case "daemonset":
+		_, err = c.cs.AppsV1().DaemonSets(namespace).Patch(ctx, name, types.MergePatchType, raw, metav1.PatchOptions{})
+	default:
+		return fmt.Errorf("unknown workload kind: %s", kind)
+	}
+	return err
+}
+
+// ScaleWorkload updates the scale subresource for a Deployment or StatefulSet.
+// DaemonSets cannot be scaled and callers should reject that kind before calling.
+// Returns the post-update replica count.
+func (c *Client) ScaleWorkload(ctx context.Context, namespace, kind, name string, replicas int32) (int32, error) {
+	switch strings.ToLower(kind) {
+	case "deployment":
+		s, err := c.cs.AppsV1().Deployments(namespace).GetScale(ctx, name, metav1.GetOptions{})
+		if err != nil {
+			return 0, err
+		}
+		s.Spec.Replicas = replicas
+		updated, err := c.cs.AppsV1().Deployments(namespace).UpdateScale(ctx, name, s, metav1.UpdateOptions{})
+		if err != nil {
+			return 0, err
+		}
+		return updated.Spec.Replicas, nil
+	case "statefulset":
+		s, err := c.cs.AppsV1().StatefulSets(namespace).GetScale(ctx, name, metav1.GetOptions{})
+		if err != nil {
+			return 0, err
+		}
+		s.Spec.Replicas = replicas
+		updated, err := c.cs.AppsV1().StatefulSets(namespace).UpdateScale(ctx, name, s, metav1.UpdateOptions{})
+		if err != nil {
+			return 0, err
+		}
+		return updated.Spec.Replicas, nil
+	default:
+		return 0, fmt.Errorf("unknown or unscalable workload kind: %s", kind)
+	}
+}
+
+// DeletePod deletes a single pod. The owning controller (Deployment/STS/DS/Job)
+// will recreate it. gracePeriod nil means use the pod's own terminationGracePeriodSeconds.
+// force=true sets gracePeriodSeconds=0 and propagationPolicy=Background.
+func (c *Client) DeletePod(ctx context.Context, namespace, name string, gracePeriod *int64, force bool) error {
+	opts := metav1.DeleteOptions{}
+	if force {
+		zero := int64(0)
+		opts.GracePeriodSeconds = &zero
+		bg := metav1.DeletePropagationBackground
+		opts.PropagationPolicy = &bg
+	} else if gracePeriod != nil {
+		opts.GracePeriodSeconds = gracePeriod
+	}
+	return c.cs.CoreV1().Pods(namespace).Delete(ctx, name, opts)
+}
+
+// CordonNode patches spec.unschedulable on the named node.
+// cordoned=true cordons; cordoned=false uncordons.
+func (c *Client) CordonNode(ctx context.Context, name string, cordoned bool) error {
+	patch := map[string]any{
+		"spec": map[string]any{
+			"unschedulable": cordoned,
+		},
+	}
+	raw, err := json.Marshal(patch)
+	if err != nil {
+		return fmt.Errorf("marshal patch: %w", err)
+	}
+	_, err = c.cs.CoreV1().Nodes().Patch(ctx, name, types.MergePatchType, raw, metav1.PatchOptions{})
+	return err
+}
diff --git a/web/src/components/k8s/NodeDetail.tsx b/web/src/components/k8s/NodeDetail.tsx
index 3554a52..dc24df4 100644
--- a/web/src/components/k8s/NodeDetail.tsx
+++ b/web/src/components/k8s/NodeDetail.tsx
@@ -1,5 +1,20 @@
-import { useK8sNodeDetail } from '@/lib/k8s'
+import { useState } from 'react'
+import { Loader2 } from 'lucide-react'
+
+import { useK8sNodeDetail, useCordonNode } from '@/lib/k8s'
 import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import {
+  AlertDialog,
+  AlertDialogContent,
+  AlertDialogHeader,
+  AlertDialogTitle,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogCancel,
+  AlertDialogAction,
+} from '@/components/ui/alert-dialog'
+import { Button } from '@/components/ui/button'
+import { Alert, AlertDescription } from '@/components/ui/alert'
 import { Badge } from '@/components/ui/badge'
 import { K8sNodeStatusPill } from './K8sStatusPill'
 import { ConditionsTable } from './ConditionsTable'
@@ -24,17 +39,49 @@ export function NodeDetail({
   onOpenChange: (open: boolean) => void
 }) {
   const { data } = useK8sNodeDetail(open ? name : null)
+  const cordon = useCordonNode()
+  const [cordonOpen, setCordonOpen] = useState(false)
+
+  // Detect current cordon state from taints: NoSchedule taint on node.kubernetes.io/unschedulable
+  // is what kubectl cordon applies; fall back to checking SchedulingDisabled in conditions.
+  const isCordoned =
+    data?.taints.some((t) => t.key === 'node.kubernetes.io/unschedulable' && t.effect === 'NoSchedule') ??
+    data?.conditions.some((c) => c.type === 'SchedulingDisabled' && c.status === 'True') ??
+    false
+
+  const cordonLabel = isCordoned ? 'Uncordon' : 'Cordon'
+  const nextCordoned = !isCordoned
+
+  function handleCordonConfirm() {
+    if (!name) return
+    cordon.mutate({ name, cordoned: nextCordoned }, { onSuccess: () => setCordonOpen(false) })
+  }
 
   return (
     <Sheet open={open} onOpenChange={onOpenChange}>
       <SheetContent className="overflow-y-auto">
         <SheetHeader>
-          <SheetTitle className="font-mono break-all">{data?.node.name ?? name}</SheetTitle>
-          <SheetDescription>
-            {data ? `${data.node.os} / ${data.node.arch} · ${data.node.version}` : ''}
-          </SheetDescription>
+          <div className="flex items-start justify-between gap-2">
+            <div className="min-w-0">
+              <SheetTitle className="font-mono break-all">{data?.node.name ?? name}</SheetTitle>
+              <SheetDescription>
+                {data ? `${data.node.os} / ${data.node.arch} · ${data.node.version}` : ''}
+              </SheetDescription>
+            </div>
+            <div className="shrink-0 pt-0.5">
+              <Button size="sm" variant="outline" onClick={() => setCordonOpen(true)}>
+                {cordonLabel}
+              </Button>
+            </div>
+          </div>
         </SheetHeader>
 
+        {cordon.isError && (
+          <Alert variant="destructive" className="mt-3">
+            <AlertDescription>{(cordon.error as Error).message}</AlertDescription>
+          </Alert>
+        )}
+
         {data && (
           <div className="mt-4 flex flex-col gap-6">
             <div className="flex items-center gap-2">
@@ -77,6 +124,27 @@ export function NodeDetail({
           </div>
         )}
       </SheetContent>
+
+      {/* Cordon/Uncordon confirmation */}
+      <AlertDialog open={cordonOpen} onOpenChange={setCordonOpen}>
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle>{cordonLabel} node?</AlertDialogTitle>
+            <AlertDialogDescription>
+              {nextCordoned
+                ? 'Cordoning prevents new pods from being scheduled on this node. Existing pods are unaffected.'
+                : 'Uncordoning allows new pods to be scheduled on this node again.'}
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <AlertDialogFooter>
+            <AlertDialogCancel disabled={cordon.isPending}>Cancel</AlertDialogCancel>
+            <AlertDialogAction onClick={handleCordonConfirm} disabled={cordon.isPending}>
+              {cordon.isPending && <Loader2 className="h-4 w-4 animate-spin" />}
+              {cordonLabel}
+            </AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
     </Sheet>
   )
 }
diff --git a/web/src/components/k8s/PodDetail.tsx b/web/src/components/k8s/PodDetail.tsx
index b2f8b40..e1b9256 100644
--- a/web/src/components/k8s/PodDetail.tsx
+++ b/web/src/components/k8s/PodDetail.tsx
@@ -1,7 +1,20 @@
 import { useState } from 'react'
+import { Loader2 } from 'lucide-react'
 
-import { useK8sPodDetail } from '@/lib/k8s'
+import { useK8sPodDetail, useDeletePod } from '@/lib/k8s'
 import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import {
+  AlertDialog,
+  AlertDialogContent,
+  AlertDialogHeader,
+  AlertDialogTitle,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogCancel,
+  AlertDialogAction,
+} from '@/components/ui/alert-dialog'
+import { Button } from '@/components/ui/button'
+import { Alert, AlertDescription } from '@/components/ui/alert'
 import { Badge } from '@/components/ui/badge'
 import { cn } from '@/lib/utils'
 import { K8sPodStatusPill } from './K8sStatusPill'
@@ -23,32 +36,68 @@ export function PodDetail({
   name,
   open,
   onOpenChange,
+  onClose,
 }: {
   namespace: string | null
   name: string | null
   open: boolean
   onOpenChange: (open: boolean) => void
+  onClose?: () => void
 }) {
   const { data } = useK8sPodDetail(open ? namespace : null, open ? name : null)
   const [activeContainer, setActiveContainer] = useState<string | null>(null)
+  const [deleteOpen, setDeleteOpen] = useState(false)
+  const [force, setForce] = useState(false)
+
+  const deletePod = useDeletePod()
 
   const containers = data?.containers ?? []
-  // Resolve active container: use state if valid, else first container
   const resolvedContainer =
     (activeContainer && containers.find((c) => c.name === activeContainer)?.name) ||
     containers[0]?.name ||
     null
 
+  function handleDeleteConfirm() {
+    if (!namespace || !name) return
+    deletePod.mutate(
+      { namespace, name, force },
+      {
+        onSuccess: () => {
+          setDeleteOpen(false)
+          onClose?.()
+          onOpenChange(false)
+        },
+      }
+    )
+  }
+
   return (
     <Sheet open={open} onOpenChange={onOpenChange}>
       <SheetContent className="overflow-y-auto">
         <SheetHeader>
-          <SheetTitle className="font-mono break-all">{data?.pod.name ?? name}</SheetTitle>
-          <SheetDescription>
-            {data ? `${data.pod.namespace} · ${data.node_name || '—'} · ${data.pod.pod_ip || '—'} · ${data.qos_class}` : (namespace ?? '')}
-          </SheetDescription>
+          <div className="flex items-start justify-between gap-2">
+            <div className="min-w-0">
+              <SheetTitle className="font-mono break-all">{data?.pod.name ?? name}</SheetTitle>
+              <SheetDescription>
+                {data
+                  ? `${data.pod.namespace} · ${data.node_name || '—'} · ${data.pod.pod_ip || '—'} · ${data.qos_class}`
+                  : (namespace ?? '')}
+              </SheetDescription>
+            </div>
+            <div className="shrink-0 pt-0.5">
+              <Button size="sm" variant="destructive" onClick={() => setDeleteOpen(true)}>
+                Delete pod
+              </Button>
+            </div>
+          </div>
         </SheetHeader>
 
+        {deletePod.isError && (
+          <Alert variant="destructive" className="mt-3">
+            <AlertDescription>{(deletePod.error as Error).message}</AlertDescription>
+          </Alert>
+        )}
+
         {data && (
           <div className="mt-4 flex flex-col gap-6">
             <div className="flex items-center gap-2">
@@ -111,7 +160,6 @@ export function PodDetail({
 
             {namespace && name && resolvedContainer && (
               <Section title="Logs">
-                {/* container picker */}
                 {containers.length > 1 && (
                   <div className="mb-2 flex flex-wrap gap-1.5">
                     {containers.map((c) => (
@@ -140,6 +188,36 @@ export function PodDetail({
           </div>
         )}
       </SheetContent>
+
+      {/* Delete confirmation */}
+      <AlertDialog open={deleteOpen} onOpenChange={setDeleteOpen}>
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle>Delete pod?</AlertDialogTitle>
+            <AlertDialogDescription>
+              Delete pod {namespace}/{name}? The controller will recreate it.
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <div className="px-1 py-2">
+            <label className="flex cursor-pointer items-center gap-2 text-sm">
+              <input
+                type="checkbox"
+                checked={force}
+                onChange={(e) => setForce(e.target.checked)}
+                className="h-4 w-4 rounded border"
+              />
+              Force (skip graceful shutdown)
+            </label>
+          </div>
+          <AlertDialogFooter>
+            <AlertDialogCancel disabled={deletePod.isPending}>Cancel</AlertDialogCancel>
+            <AlertDialogAction variant="destructive" onClick={handleDeleteConfirm} disabled={deletePod.isPending}>
+              {deletePod.isPending && <Loader2 className="h-4 w-4 animate-spin" />}
+              Delete
+            </AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
     </Sheet>
   )
 }
diff --git a/web/src/components/k8s/WorkloadDetail.tsx b/web/src/components/k8s/WorkloadDetail.tsx
index 996c20f..1d119e2 100644
--- a/web/src/components/k8s/WorkloadDetail.tsx
+++ b/web/src/components/k8s/WorkloadDetail.tsx
@@ -1,5 +1,21 @@
-import { useK8sWorkloadDetail } from '@/lib/k8s'
+import { useState } from 'react'
+import { Loader2 } from 'lucide-react'
+
+import { useK8sWorkloadDetail, useRestartWorkload, useScaleWorkload } from '@/lib/k8s'
 import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import {
+  AlertDialog,
+  AlertDialogContent,
+  AlertDialogHeader,
+  AlertDialogTitle,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogCancel,
+  AlertDialogAction,
+} from '@/components/ui/alert-dialog'
+import { Button } from '@/components/ui/button'
+import { Input } from '@/components/ui/input'
+import { Alert, AlertDescription } from '@/components/ui/alert'
 import { Badge } from '@/components/ui/badge'
 import { cn } from '@/lib/utils'
 import { ConditionsTable } from './ConditionsTable'
@@ -33,20 +49,65 @@ export function WorkloadDetail({
     open ? name : null
   )
 
+  const restart = useRestartWorkload()
+  const scale = useScaleWorkload()
+
+  const [restartOpen, setRestartOpen] = useState(false)
+  const [scaleOpen, setScaleOpen] = useState(false)
+  const [scaleReplicas, setScaleReplicas] = useState<number>(0)
+
   const w = data?.workload
   const pct = w && w.ready.desired > 0 ? (w.ready.current / w.ready.desired) * 100 : 0
   const healthy = w ? w.ready.current >= w.ready.desired : false
+  const canScale = w?.kind === 'Deployment' || w?.kind === 'StatefulSet'
+
+  function handleScaleOpen() {
+    setScaleReplicas(w?.ready.desired ?? 0)
+    setScaleOpen(true)
+  }
+
+  function handleRestartConfirm() {
+    if (!namespace || !kind || !name) return
+    restart.mutate({ namespace, kind, name }, { onSuccess: () => setRestartOpen(false) })
+  }
+
+  function handleScaleConfirm() {
+    if (!namespace || !kind || !name) return
+    scale.mutate({ namespace, kind, name, replicas: scaleReplicas }, { onSuccess: () => setScaleOpen(false) })
+  }
 
   return (
     <Sheet open={open} onOpenChange={onOpenChange}>
       <SheetContent className="overflow-y-auto">
         <SheetHeader>
-          <SheetTitle className="font-mono break-all">{w?.name ?? name}</SheetTitle>
-          <SheetDescription>
-            {w ? `${w.kind} · ${w.namespace}` : (kind && namespace ? `${kind} · ${namespace}` : '')}
-          </SheetDescription>
+          <div className="flex items-start justify-between gap-2">
+            <div className="min-w-0">
+              <SheetTitle className="font-mono break-all">{w?.name ?? name}</SheetTitle>
+              <SheetDescription>
+                {w ? `${w.kind} · ${w.namespace}` : (kind && namespace ? `${kind} · ${namespace}` : '')}
+              </SheetDescription>
+            </div>
+            <div className="flex shrink-0 gap-2 pt-0.5">
+              {canScale && (
+                <Button size="sm" variant="outline" onClick={handleScaleOpen}>
+                  Scale
+                </Button>
+              )}
+              <Button size="sm" variant="outline" onClick={() => setRestartOpen(true)}>
+                Restart
+              </Button>
+            </div>
+          </div>
         </SheetHeader>
 
+        {(restart.isError || scale.isError) && (
+          <Alert variant="destructive" className="mt-3">
+            <AlertDescription>
+              {restart.isError ? (restart.error as Error).message : (scale.error as Error).message}
+            </AlertDescription>
+          </Alert>
+        )}
+
         {data && w && (
           <div className="mt-4 flex flex-col gap-6">
             {/* Ready bar */}
@@ -86,6 +147,55 @@ export function WorkloadDetail({
           </div>
         )}
       </SheetContent>
+
+      {/* Restart confirmation */}
+      <AlertDialog open={restartOpen} onOpenChange={setRestartOpen}>
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle>Restart workload?</AlertDialogTitle>
+            <AlertDialogDescription>
+              Trigger a rollout restart of {kind}/{name}? Pods will be recreated one by one
+              according to the workload&apos;s strategy.
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <AlertDialogFooter>
+            <AlertDialogCancel disabled={restart.isPending}>Cancel</AlertDialogCancel>
+            <AlertDialogAction onClick={handleRestartConfirm} disabled={restart.isPending}>
+              {restart.isPending && <Loader2 className="h-4 w-4 animate-spin" />}
+              Restart
+            </AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
+
+      {/* Scale modal */}
+      <AlertDialog open={scaleOpen} onOpenChange={setScaleOpen}>
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle>Scale workload</AlertDialogTitle>
+            <AlertDialogDescription>
+              Set the desired replica count for {kind}/{name}.
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <div className="px-1 py-2">
+            <label className="mb-1.5 block text-sm font-medium">Replicas</label>
+            <Input
+              type="number"
+              min={0}
+              max={1000}
+              value={scaleReplicas}
+              onChange={(e) => setScaleReplicas(Number(e.target.value))}
+            />
+          </div>
+          <AlertDialogFooter>
+            <AlertDialogCancel disabled={scale.isPending}>Cancel</AlertDialogCancel>
+            <AlertDialogAction onClick={handleScaleConfirm} disabled={scale.isPending}>
+              {scale.isPending && <Loader2 className="h-4 w-4 animate-spin" />}
+              Apply
+            </AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
     </Sheet>
   )
 }
diff --git a/web/src/lib/k8s.ts b/web/src/lib/k8s.ts
index 565ac70..9b162e5 100644
--- a/web/src/lib/k8s.ts
+++ b/web/src/lib/k8s.ts
@@ -1,4 +1,4 @@
-import { useQuery } from '@tanstack/react-query'
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
 
 import { apiFetch } from './api'
 
@@ -221,6 +221,66 @@ export function useK8sServiceDetail(namespace: string | null, name: string | nul
   })
 }
 
+export function useRestartWorkload() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: ({ namespace, kind, name }: { namespace: string; kind: string; name: string }) =>
+      apiFetch<{ ok: true; message: string }>(
+        `/api/k8s/workloads/${encodeURIComponent(namespace)}/${encodeURIComponent(kind.toLowerCase())}/${encodeURIComponent(name)}/restart`,
+        { method: 'POST' }
+      ),
+    onSuccess: (_data, { namespace, kind, name }) => {
+      qc.invalidateQueries({ queryKey: ['k8s', 'workloads', namespace, kind, name, 'detail'] })
+      qc.invalidateQueries({ queryKey: ['k8s', 'workloads', namespace] })
+    },
+  })
+}
+
+export function useScaleWorkload() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: ({ namespace, kind, name, replicas }: { namespace: string; kind: string; name: string; replicas: number }) =>
+      apiFetch<{ ok: true; replicas: number }>(
+        `/api/k8s/workloads/${encodeURIComponent(namespace)}/${encodeURIComponent(kind.toLowerCase())}/${encodeURIComponent(name)}/scale`,
+        { method: 'POST', body: JSON.stringify({ replicas }) }
+      ),
+    onSuccess: (_data, { namespace, kind, name }) => {
+      qc.invalidateQueries({ queryKey: ['k8s', 'workloads', namespace, kind, name, 'detail'] })
+      qc.invalidateQueries({ queryKey: ['k8s', 'workloads', namespace] })
+    },
+  })
+}
+
+export function useDeletePod() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: ({ namespace, name, force }: { namespace: string; name: string; force?: boolean }) =>
+      apiFetch<{ ok: true }>(
+        `/api/k8s/pods/${encodeURIComponent(namespace)}/${encodeURIComponent(name)}${force ? '?force=true' : ''}`,
+        { method: 'DELETE' }
+      ),
+    onSuccess: (_data, { namespace }) => {
+      qc.invalidateQueries({ queryKey: ['k8s', 'pods', namespace] })
+      qc.invalidateQueries({ queryKey: ['k8s', 'pods'] })
+    },
+  })
+}
+
+export function useCordonNode() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: ({ name, cordoned }: { name: string; cordoned: boolean }) =>
+      apiFetch<{ ok: true; cordoned: boolean }>(
+        `/api/k8s/nodes/${encodeURIComponent(name)}/cordon`,
+        { method: 'POST', body: JSON.stringify({ cordoned }) }
+      ),
+    onSuccess: (_data, { name }) => {
+      qc.invalidateQueries({ queryKey: ['k8s', 'nodes', name, 'detail'] })
+      qc.invalidateQueries({ queryKey: ['k8s', 'nodes'] })
+    },
+  })
+}
+
 export function podLogsURL(namespace: string, name: string, container: string): string {
   const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:'
   return `${proto}//${window.location.host}/ws/k8s/pods/${encodeURIComponent(namespace)}/${encodeURIComponent(name)}/logs?container=${encodeURIComponent(container)}&tail=200`
diff --git a/web/src/routes/Kubernetes.tsx b/web/src/routes/Kubernetes.tsx
index de3fe9a..68af2c4 100644
--- a/web/src/routes/Kubernetes.tsx
+++ b/web/src/routes/Kubernetes.tsx
@@ -172,6 +172,7 @@ export function Kubernetes() {
         name={openPod?.name ?? null}
         open={!!openPod}
         onOpenChange={(o) => { if (!o) setOpenPod(null) }}
+        onClose={() => setOpenPod(null)}
       />
       <ServiceDetail
         namespace={openService?.namespace ?? null}

From 4ffa35750f1214dbd0619a8e754d3f59a18cc499 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 21:43:00 -0700
Subject: [PATCH 15/25] =?UTF-8?q?k8s:=20Phase=20D1=20=E2=80=94=20pod=20exe?=
 =?UTF-8?q?c=20via=20SPDY=20=E2=86=92=20WebSocket=20bridge?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds "shell into a container" to the Kubernetes tab. Equivalent to
`kubectl exec -it <pod> -c <container> -- /bin/sh`, but in the browser.

Backend (internal/k8s/exec.go + internal/api/k8s/k8s.go)
  - Client.PodExec uses k8s.io/client-go/tools/remotecommand to open a
    SPDY exec stream to the API server. Stashes the rest.Config on the
    Client struct (NewSPDYExecutor needs it; the existing typed
    clientset wasn't enough).
  - WS handler at /ws/k8s/pods/:namespace/:name/exec wires:
      WS binary in   → io.Pipe → SPDY stdin
      SPDY stdout    → wsExecWriter → WS binary out
      SPDY stderr    → wsExecWriter → WS binary out (merged; xterm
                                       doesn't distinguish)
      WS text JSON   → resize        → wsSizeQueue → SPDY resize stream
  - Wire format mirrors /ws/terminal exactly so the frontend can clone
    Terminal.tsx's xterm wiring with minimal changes:
      init: { rows, cols, container, command? }   (default command ["/bin/sh"])
      err:  { type: "error", err: "..." }
  - Lifecycle correctness: cancelling ctx unblocks StreamWithContext,
    closing stdinW unblocks any blocked SPDY stdin read, closing
    sq.ch causes wsSizeQueue.Next to return nil so the SPDY size
    tracker exits cleanly. No goroutine leaks.
  - Audit: k8s.pod.exec.start at session open, k8s.pod.exec.end on
    close with bytes_in/bytes_out/duration_ms — same shape as
    terminal.session_end so a single audit query catches both.
  - Idle timeout 30 min, matching the terminal handler.

RBAC (deploy/k8s/rbac.yaml)
  - core/pods/exec: [create]. Minimum verb needed for the K8s API
    server to accept the SubjectAccessReview that the SPDY exec call
    triggers. Nothing else widened in this commit.

Frontend (web/src/components/k8s/PodExecModal.tsx + PodDetail.tsx)
  - Sheet-based modal: container picker, command picker (sh / bash /
    custom), Reconnect, status pill — same xterm theme + addons as
    routes/Terminal.tsx.
  - PodDetail Containers table gets an Exec column. Click → modal
    opens with that container preselected. e.stopPropagation on the
    button so it doesn't fight the row's log-viewer container picker.
  - Reconnect generation counter bumps on container or command change,
    forcing a clean WS rebuild with the new init frame.
  - podExecURL helper added to web/src/lib/k8s.ts.

Dependency churn
  - go mod tidy pulled in the SPDY transitive set:
      github.com/gorilla/websocket
      github.com/moby/spdystream
      github.com/mxk/go-flowrate
    All transitive of k8s.io/client-go/tools/remotecommand. No new
    direct dependencies.

Verified end-to-end:
  - make image succeeds.
  - Image loaded into both K3s nodes.
  - kubectl apply rbac.yaml; rollout restart succeeds.
  - kubectl auth can-i create --subresource=exec pods → yes (SA's
    perms via can-i --list also confirm pods/exec [create]).
  - WS upgrade attempt returns 401 unauthenticated (route mounted,
    auth gate firing).
  - SPA bundle contains the new PodExecModal + podExecURL strings.
---
 deploy/k8s/rbac.yaml                    |   4 +
 go.mod                                  |   3 +
 go.sum                                  |   8 +
 internal/api/k8s/k8s.go                 | 290 ++++++++++++++++++++++
 internal/k8s/client.go                  |   6 +-
 internal/k8s/exec.go                    |  48 ++++
 web/src/components/k8s/PodDetail.tsx    |  26 +-
 web/src/components/k8s/PodExecModal.tsx | 315 ++++++++++++++++++++++++
 web/src/lib/k8s.ts                      |   5 +
 9 files changed, 702 insertions(+), 3 deletions(-)
 create mode 100644 internal/k8s/exec.go
 create mode 100644 web/src/components/k8s/PodExecModal.tsx

diff --git a/deploy/k8s/rbac.yaml b/deploy/k8s/rbac.yaml
index 4e5da0e..d7530c8 100644
--- a/deploy/k8s/rbac.yaml
+++ b/deploy/k8s/rbac.yaml
@@ -35,6 +35,10 @@ rules:
     resources:
       - pods/log
     verbs: [get]
+  - apiGroups: [""]
+    resources:
+      - pods/exec
+    verbs: [create]
   - apiGroups: [""]
     resources:
       - pods
diff --git a/go.mod b/go.mod
index f28f4f1..74ff62f 100644
--- a/go.mod
+++ b/go.mod
@@ -47,6 +47,7 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -57,12 +58,14 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/spdystream v0.4.0 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.1.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
diff --git a/go.sum b/go.sum
index baedcfb..3ecf877 100644
--- a/go.sum
+++ b/go.sum
@@ -4,6 +4,8 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
 github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
@@ -82,6 +84,8 @@ github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2
 github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -115,6 +119,8 @@ github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6T
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8=
+github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
 github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
 github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
@@ -130,6 +136,8 @@ github.com/morikuni/aec v1.1.0 h1:vBBl0pUnvi/Je71dsRrhMBtreIqNMYErSAbEeb8jrXQ=
 github.com/morikuni/aec v1.1.0/go.mod h1:xDRgiq/iw5l+zkao76YTKzKttOp2cwPEne25HDkJnBw=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
diff --git a/internal/api/k8s/k8s.go b/internal/api/k8s/k8s.go
index 2ad24cf..d702ec3 100644
--- a/internal/api/k8s/k8s.go
+++ b/internal/api/k8s/k8s.go
@@ -5,15 +5,19 @@ package k8s
 import (
 	"bufio"
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"regexp"
 	"strings"
+	"sync/atomic"
 	"time"
 
 	"github.com/gofiber/fiber/v2"
 	"github.com/gofiber/websocket/v2"
 	"github.com/rs/zerolog"
+	"k8s.io/client-go/tools/remotecommand"
 
 	"github.com/tm4rtin17/controlroom/internal/api/middleware"
 	"github.com/tm4rtin17/controlroom/internal/k8s"
@@ -34,6 +38,15 @@ const (
 
 	tailDefault = 200
 	tailMax     = 5000
+
+	wsExecWriteWait    = 5 * time.Second
+	wsExecReadWait     = 70 * time.Second
+	wsExecPingInterval = 30 * time.Second
+	wsExecIdleTimeout  = 30 * time.Minute
+	wsExecIdleCheck    = 15 * time.Second
+
+	execCmdMaxLen   = 256
+	execSizeQueueCh = 8
 )
 
 // dns1123RE matches a DNS-1123 subdomain (k8s name and namespace format).
@@ -65,6 +78,7 @@ func MountHTTP(authed fiber.Router, d Deps) {
 func MountWS(wsGroup fiber.Router, d Deps) {
 	g := wsGroup.Group("/k8s")
 	g.Get("/pods/:namespace/:name/logs", websocket.New(d.podLogsWS, websocket.Config{HandshakeTimeout: 5 * time.Second}))
+	g.Get("/pods/:namespace/:name/exec", websocket.New(d.podExecWS, websocket.Config{HandshakeTimeout: 5 * time.Second}))
 }
 
 func (d Deps) requireClient() error {
@@ -532,3 +546,279 @@ func (d Deps) podLogsWS(c *websocket.Conn) {
 		}
 	}
 }
+
+// ---- pod exec WebSocket ----
+
+// execInitMsg is the first text frame the client must send.
+type execInitMsg struct {
+	Rows      int      `json:"rows"`
+	Cols      int      `json:"cols"`
+	Container string   `json:"container"`
+	Command   []string `json:"command,omitempty"`
+}
+
+// execControlMsg is a subsequent text frame from the client.
+type execControlMsg struct {
+	Type string `json:"type"`
+	Rows int    `json:"rows,omitempty"`
+	Cols int    `json:"cols,omitempty"`
+}
+
+// execErrorFrame is a fatal text frame sent server → client before close.
+type execErrorFrame struct {
+	Type string `json:"type"`
+	Err  string `json:"err"`
+}
+
+// wsSizeQueue implements remotecommand.TerminalSizeQueue via a buffered channel.
+type wsSizeQueue struct {
+	ch chan remotecommand.TerminalSize
+}
+
+func (q *wsSizeQueue) Next() *remotecommand.TerminalSize {
+	s, ok := <-q.ch
+	if !ok {
+		return nil
+	}
+	return &s
+}
+
+// wsWriter serialises binary writes to the WebSocket with a per-write deadline.
+// It is used for both stdout and stderr (merged).
+type wsExecWriter struct {
+	conn     *websocket.Conn
+	bytesOut *atomic.Int64
+}
+
+func (w *wsExecWriter) Write(p []byte) (int, error) {
+	_ = w.conn.SetWriteDeadline(time.Now().Add(wsExecWriteWait))
+	if err := w.conn.WriteMessage(websocket.BinaryMessage, p); err != nil {
+		return 0, err
+	}
+	w.bytesOut.Add(int64(len(p)))
+	return len(p), nil
+}
+
+func clampExecDim(n int) int {
+	if n < 1 {
+		return 1
+	}
+	if n > 500 {
+		return 500
+	}
+	return n
+}
+
+func (d Deps) podExecWS(c *websocket.Conn) {
+	defer func() { _ = c.Close() }()
+
+	if d.Client == nil {
+		_ = c.WriteJSON(execErrorFrame{Type: "error", Err: "kubernetes not available"})
+		return
+	}
+
+	namespace := c.Params("namespace")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		_ = c.WriteJSON(execErrorFrame{Type: "error", Err: "invalid namespace"})
+		return
+	}
+	if !validK8sName(name) {
+		_ = c.WriteJSON(execErrorFrame{Type: "error", Err: "invalid pod name"})
+		return
+	}
+
+	_ = c.SetReadDeadline(time.Now().Add(wsExecReadWait))
+	c.SetPongHandler(func(string) error { return c.SetReadDeadline(time.Now().Add(wsExecReadWait)) })
+
+	// Expect text init frame first.
+	mt, raw, err := c.ReadMessage()
+	if err != nil {
+		return
+	}
+	if mt != websocket.TextMessage {
+		_ = c.WriteJSON(execErrorFrame{Type: "error", Err: "expected JSON init frame first"})
+		return
+	}
+
+	var init execInitMsg
+	if err := json.Unmarshal(raw, &init); err != nil {
+		_ = c.WriteJSON(execErrorFrame{Type: "error", Err: "invalid init frame: " + err.Error()})
+		return
+	}
+
+	// Validate container (required, DNS-1123 label).
+	if init.Container == "" {
+		_ = c.WriteJSON(execErrorFrame{Type: "error", Err: "container is required"})
+		return
+	}
+	if !validK8sName(init.Container) {
+		_ = c.WriteJSON(execErrorFrame{Type: "error", Err: "invalid container name"})
+		return
+	}
+
+	// Validate / default command.
+	command := init.Command
+	if len(command) == 0 {
+		command = []string{"/bin/sh"}
+	} else {
+		for i, part := range command {
+			if part == "" {
+				_ = c.WriteJSON(execErrorFrame{Type: "error", Err: fmt.Sprintf("command[%d] is empty", i)})
+				return
+			}
+			if len(part) > execCmdMaxLen {
+				_ = c.WriteJSON(execErrorFrame{Type: "error", Err: fmt.Sprintf("command[%d] exceeds max length", i)})
+				return
+			}
+		}
+	}
+
+	rows := clampExecDim(init.Rows)
+	cols := clampExecDim(init.Cols)
+
+	// Audit user.
+	userID := int64(0)
+	if u, ok := c.Locals(middleware.CtxUser).(*store.User); ok && u != nil {
+		userID = u.ID
+	}
+	startedAt := time.Now()
+
+	_ = d.DB.WriteAudit(context.Background(), store.AuditEntry{
+		UserID:  userID,
+		IP:      c.RemoteAddr().String(),
+		Action:  "k8s.pod.exec.start",
+		Target:  namespace + "/" + name,
+		Outcome: "success",
+		Detail:  map[string]any{"container": init.Container, "command": command},
+	})
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Byte counters.
+	var bytesIn, bytesOut atomic.Int64
+
+	// Stdin pipe: WS read loop → stdinW → SPDY.
+	stdinR, stdinW := io.Pipe()
+
+	// Size queue.
+	sq := &wsSizeQueue{ch: make(chan remotecommand.TerminalSize, execSizeQueueCh)}
+	// Seed with initial size.
+	sq.ch <- remotecommand.TerminalSize{Width: uint16(cols), Height: uint16(rows)}
+
+	// stdout/stderr writer.
+	writer := &wsExecWriter{conn: c, bytesOut: &bytesOut}
+
+	// Launch SPDY exec in background.
+	execDone := make(chan error, 1)
+	go func() {
+		execDone <- d.Client.PodExec(ctx, namespace, name, init.Container, command, stdinR, writer, writer, sq)
+		_ = stdinR.Close()
+	}()
+
+	// Activity tracker for idle timeout.
+	lastActivity := time.Now()
+	activityCh := make(chan struct{}, 1)
+	bumpActivity := func() {
+		lastActivity = time.Now()
+		select {
+		case activityCh <- struct{}{}:
+		default:
+		}
+	}
+
+	// Idle / ping goroutine.
+	stopIdle := make(chan struct{})
+	go func() {
+		defer close(stopIdle)
+		ticker := time.NewTicker(wsExecIdleCheck)
+		ping := time.NewTicker(wsExecPingInterval)
+		defer ticker.Stop()
+		defer ping.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-activityCh:
+				continue
+			case <-ping.C:
+				_ = c.SetWriteDeadline(time.Now().Add(wsExecWriteWait))
+				if err := c.WriteMessage(websocket.PingMessage, nil); err != nil {
+					cancel()
+					return
+				}
+			case <-ticker.C:
+				if time.Since(lastActivity) > wsExecIdleTimeout {
+					_ = c.SetWriteDeadline(time.Now().Add(wsExecWriteWait))
+					_ = c.WriteJSON(execErrorFrame{Type: "error", Err: "idle timeout"})
+					cancel()
+					return
+				}
+			}
+		}
+	}()
+
+	// WS read loop: binary → stdin, text → resize.
+	var readLoopErr error
+	for {
+		mt, data, err := c.ReadMessage()
+		if err != nil {
+			readLoopErr = err
+			break
+		}
+		bumpActivity()
+		switch mt {
+		case websocket.BinaryMessage:
+			bytesIn.Add(int64(len(data)))
+			if _, err := stdinW.Write(data); err != nil {
+				goto done
+			}
+		case websocket.TextMessage:
+			var ctrl execControlMsg
+			if jsonErr := json.Unmarshal(data, &ctrl); jsonErr != nil {
+				continue
+			}
+			if ctrl.Type == "resize" {
+				r := clampExecDim(ctrl.Rows)
+				col := clampExecDim(ctrl.Cols)
+				select {
+				case sq.ch <- remotecommand.TerminalSize{Width: uint16(col), Height: uint16(r)}:
+				default:
+				}
+			}
+		}
+	}
+done:
+	// Cancel context and close stdin pipe so SPDY and size queue both unblock.
+	cancel()
+	_ = stdinW.Close()
+	close(sq.ch)
+
+	// Wait for exec to finish; capture any error to decide if we send an error frame.
+	execErr := <-execDone
+
+	<-stopIdle
+
+	// Only send an error frame if exec failed (not a normal shell exit) and the
+	// read loop didn't already detect a closed WS.
+	if execErr != nil && readLoopErr == nil {
+		_ = c.SetWriteDeadline(time.Now().Add(wsExecWriteWait))
+		_ = c.WriteJSON(execErrorFrame{Type: "error", Err: execErr.Error()})
+	}
+
+	_ = d.DB.WriteAudit(context.Background(), store.AuditEntry{
+		UserID:  userID,
+		IP:      c.RemoteAddr().String(),
+		Action:  "k8s.pod.exec.end",
+		Target:  namespace + "/" + name,
+		Outcome: "success",
+		Detail: map[string]any{
+			"container":   init.Container,
+			"command":     command,
+			"duration_ms": time.Since(startedAt).Milliseconds(),
+			"bytes_in":    bytesIn.Load(),
+			"bytes_out":   bytesOut.Load(),
+		},
+	})
+}
diff --git a/internal/k8s/client.go b/internal/k8s/client.go
index 0cc6e8d..667fea9 100644
--- a/internal/k8s/client.go
+++ b/internal/k8s/client.go
@@ -22,10 +22,12 @@ import (
 // ErrUnavailable mirrors the docker package sentinel; handlers return 503.
 var ErrUnavailable = errors.New("kubernetes is not available")
 
-// Client holds a typed clientset and a dynamic client.
+// Client holds a typed clientset, a dynamic client, and the REST config
+// needed by remotecommand.NewSPDYExecutor for pod exec streams.
 type Client struct {
 	cs  *kubernetes.Clientset
 	dyn dynamic.Interface
+	cfg *rest.Config
 }
 
 // New constructs a Client. It never returns a non-nil Client alongside a
@@ -43,7 +45,7 @@ func New(ctx context.Context) (*Client, error) {
 	if err != nil {
 		return nil, fmt.Errorf("%w: %s", ErrUnavailable, err.Error())
 	}
-	c := &Client{cs: cs, dyn: dyn}
+	c := &Client{cs: cs, dyn: dyn, cfg: cfg}
 	if err := c.Ping(ctx); err != nil {
 		return nil, fmt.Errorf("%w: %s", ErrUnavailable, err.Error())
 	}
diff --git a/internal/k8s/exec.go b/internal/k8s/exec.go
new file mode 100644
index 0000000..59208e8
--- /dev/null
+++ b/internal/k8s/exec.go
@@ -0,0 +1,48 @@
+package k8s
+
+import (
+	"context"
+	"io"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/remotecommand"
+)
+
+// PodExec opens a SPDY exec stream to the named container and pipes stdin to
+// the container, multiplexing stdout+stderr back to the provided writers.
+// The provided context cancels the stream when done. sizeQueue may be nil to
+// skip TTY resize tracking.
+func (c *Client) PodExec(
+	ctx context.Context,
+	namespace, pod, container string,
+	command []string,
+	stdin io.Reader,
+	stdout, stderr io.Writer,
+	sizeQueue remotecommand.TerminalSizeQueue,
+) error {
+	req := c.cs.CoreV1().RESTClient().Post().
+		Resource("pods").Name(pod).Namespace(namespace).
+		SubResource("exec").
+		VersionedParams(&corev1.PodExecOptions{
+			Container: container,
+			Command:   command,
+			Stdin:     true,
+			Stdout:    true,
+			Stderr:    true,
+			TTY:       true,
+		}, scheme.ParameterCodec)
+
+	exec, err := remotecommand.NewSPDYExecutor(c.cfg, "POST", req.URL())
+	if err != nil {
+		return err
+	}
+
+	return exec.StreamWithContext(ctx, remotecommand.StreamOptions{
+		Stdin:             stdin,
+		Stdout:            stdout,
+		Stderr:            stderr,
+		Tty:               true,
+		TerminalSizeQueue: sizeQueue,
+	})
+}
diff --git a/web/src/components/k8s/PodDetail.tsx b/web/src/components/k8s/PodDetail.tsx
index e1b9256..ecbd322 100644
--- a/web/src/components/k8s/PodDetail.tsx
+++ b/web/src/components/k8s/PodDetail.tsx
@@ -1,8 +1,9 @@
 import { useState } from 'react'
-import { Loader2 } from 'lucide-react'
+import { Loader2, Terminal as TerminalIcon } from 'lucide-react'
 
 import { useK8sPodDetail, useDeletePod } from '@/lib/k8s'
 import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import { PodExecModal } from './PodExecModal'
 import {
   AlertDialog,
   AlertDialogContent,
@@ -46,6 +47,7 @@ export function PodDetail({
 }) {
   const { data } = useK8sPodDetail(open ? namespace : null, open ? name : null)
   const [activeContainer, setActiveContainer] = useState<string | null>(null)
+  const [execContainer, setExecContainer] = useState<string | null>(null)
   const [deleteOpen, setDeleteOpen] = useState(false)
   const [force, setForce] = useState(false)
 
@@ -114,6 +116,7 @@ export function PodDetail({
                       <th className="py-1.5 pr-3 font-medium">Ready</th>
                       <th className="py-1.5 pr-3 font-medium">Restarts</th>
                       <th className="py-1.5 pr-3 font-medium">State</th>
+                      <th className="py-1.5 font-medium" />
                     </tr>
                   </thead>
                   <tbody className="divide-y">
@@ -143,6 +146,16 @@ export function PodDetail({
                             {c.state}
                           </Badge>
                         </td>
+                        <td className="py-1.5">
+                          <button
+                            title="Open shell"
+                            onClick={(e) => { e.stopPropagation(); setExecContainer(c.name) }}
+                            className="rounded p-1 text-muted-foreground hover:bg-accent/50 hover:text-foreground transition-colors"
+                          >
+                            <TerminalIcon className="h-3.5 w-3.5" aria-hidden />
+                            <span className="sr-only">Exec into {c.name}</span>
+                          </button>
+                        </td>
                       </tr>
                     ))}
                   </tbody>
@@ -189,6 +202,17 @@ export function PodDetail({
         )}
       </SheetContent>
 
+      {/* Pod exec shell */}
+      {namespace && name && execContainer && (
+        <PodExecModal
+          namespace={namespace}
+          podName={name}
+          containers={containers}
+          initialContainer={execContainer}
+          onClose={() => setExecContainer(null)}
+        />
+      )}
+
       {/* Delete confirmation */}
       <AlertDialog open={deleteOpen} onOpenChange={setDeleteOpen}>
         <AlertDialogContent>
diff --git a/web/src/components/k8s/PodExecModal.tsx b/web/src/components/k8s/PodExecModal.tsx
new file mode 100644
index 0000000..a2da935
--- /dev/null
+++ b/web/src/components/k8s/PodExecModal.tsx
@@ -0,0 +1,315 @@
+import { useCallback, useEffect, useRef, useState } from 'react'
+import { Terminal as XTerm } from '@xterm/xterm'
+import { FitAddon } from '@xterm/addon-fit'
+import { WebLinksAddon } from '@xterm/addon-web-links'
+import { RotateCcw, Terminal as TerminalIcon } from 'lucide-react'
+import '@xterm/xterm/css/xterm.css'
+
+import { Button } from '@/components/ui/button'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import { K8sContainerStatus, podExecURL } from '@/lib/k8s'
+
+type Status = 'connecting' | 'open' | 'closed' | 'error'
+
+const COMMAND_OPTIONS = ['/bin/sh', '/bin/bash']
+
+const xtermTheme = {
+  background: 'rgba(0,0,0,0)',
+  foreground: '#e5edf6',
+  cursor: '#7dd3fc',
+  cursorAccent: '#020617',
+  black: '#1e293b',
+  red: '#f87171',
+  green: '#4ade80',
+  yellow: '#fbbf24',
+  blue: '#60a5fa',
+  magenta: '#c084fc',
+  cyan: '#22d3ee',
+  white: '#e2e8f0',
+  brightBlack: '#475569',
+  brightRed: '#fca5a5',
+  brightGreen: '#86efac',
+  brightYellow: '#fde68a',
+  brightBlue: '#93c5fd',
+  brightMagenta: '#d8b4fe',
+  brightCyan: '#67e8f9',
+  brightWhite: '#f1f5f9',
+}
+
+export function PodExecModal({
+  namespace,
+  podName,
+  containers,
+  initialContainer,
+  onClose,
+}: {
+  namespace: string
+  podName: string
+  containers: K8sContainerStatus[]
+  initialContainer: string
+  onClose: () => void
+}) {
+  const containerRef = useRef<HTMLDivElement | null>(null)
+  const termRef = useRef<XTerm | null>(null)
+  const fitRef = useRef<FitAddon | null>(null)
+  const wsRef = useRef<WebSocket | null>(null)
+
+  const [status, setStatus] = useState<Status>('connecting')
+  const [error, setError] = useState<string | null>(null)
+  const [generation, setGeneration] = useState(0)
+
+  const [selectedContainer, setSelectedContainer] = useState(initialContainer)
+  const [selectedCommand, setSelectedCommand] = useState('/bin/sh')
+  const [customCommand, setCustomCommand] = useState('')
+  const [useCustom, setUseCustom] = useState(false)
+
+  // Resolved command array — never empty
+  const resolvedCommand = useCustom
+    ? customCommand.trim() || '/bin/sh'
+    : selectedCommand
+
+  const sendBytes = useCallback((data: Uint8Array) => {
+    const ws = wsRef.current
+    if (ws && ws.readyState === WebSocket.OPEN) {
+      ws.send(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength))
+    }
+  }, [])
+
+  useEffect(() => {
+    if (!containerRef.current) return
+
+    const term = new XTerm({
+      fontFamily: 'ui-monospace, SFMono-Regular, Menlo, Consolas, monospace',
+      fontSize: 13,
+      lineHeight: 1.2,
+      cursorBlink: true,
+      allowProposedApi: true,
+      theme: xtermTheme,
+      scrollback: 5000,
+      convertEol: false,
+    })
+    const fit = new FitAddon()
+    term.loadAddon(fit)
+    term.loadAddon(new WebLinksAddon())
+    term.open(containerRef.current)
+    termRef.current = term
+    fitRef.current = fit
+
+    setStatus('connecting')
+    setError(null)
+
+    try {
+      fit.fit()
+    } catch {
+      // ignore; container may still be measuring
+    }
+    const dims = fit.proposeDimensions() ?? { rows: 24, cols: 80 }
+
+    const ws = new WebSocket(podExecURL(namespace, podName))
+    ws.binaryType = 'arraybuffer'
+    wsRef.current = ws
+
+    ws.onopen = () => {
+      setStatus('open')
+      ws.send(
+        JSON.stringify({
+          rows: dims.rows,
+          cols: dims.cols,
+          container: selectedContainer,
+          command: [resolvedCommand],
+        })
+      )
+      term.focus()
+    }
+    ws.onmessage = (evt) => {
+      if (typeof evt.data === 'string') {
+        try {
+          const msg = JSON.parse(evt.data) as { type?: string; err?: string }
+          if (msg.type === 'error') {
+            setError(msg.err ?? 'exec error')
+          }
+        } catch {
+          // ignore
+        }
+        return
+      }
+      term.write(new Uint8Array(evt.data as ArrayBuffer))
+    }
+    ws.onclose = () => setStatus('closed')
+    ws.onerror = () => {
+      setStatus('error')
+      setError('connection error')
+    }
+
+    const dataDisposable = term.onData((data) => {
+      const bytes = new TextEncoder().encode(data)
+      sendBytes(bytes)
+    })
+
+    const resizeDisposable = term.onResize(({ rows, cols }) => {
+      if (ws.readyState === WebSocket.OPEN) {
+        ws.send(JSON.stringify({ type: 'resize', rows, cols }))
+      }
+    })
+
+    const ro = new ResizeObserver(() => {
+      try {
+        fit.fit()
+      } catch {
+        // ignore
+      }
+    })
+    ro.observe(containerRef.current)
+
+    return () => {
+      ro.disconnect()
+      dataDisposable.dispose()
+      resizeDisposable.dispose()
+      ws.close()
+      term.dispose()
+      termRef.current = null
+      fitRef.current = null
+      wsRef.current = null
+    }
+    // generation is the reconnect key; selectedContainer + resolvedCommand change it via handlers below
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [generation, sendBytes])
+
+  function handleContainerChange(name: string) {
+    setSelectedContainer(name)
+    setGeneration((g) => g + 1)
+  }
+
+  function handleCommandChange(val: string) {
+    if (val === '__custom__') {
+      setUseCustom(true)
+    } else {
+      setUseCustom(false)
+      setSelectedCommand(val)
+      setGeneration((g) => g + 1)
+    }
+  }
+
+  function handleCustomCommandCommit() {
+    if (!customCommand.trim()) return
+    setGeneration((g) => g + 1)
+  }
+
+  return (
+    <Sheet open onOpenChange={(open) => { if (!open) onClose() }}>
+      <SheetContent className="flex flex-col sm:max-w-3xl">
+        <SheetHeader className="shrink-0">
+          <div className="flex items-center gap-2">
+            <TerminalIcon className="h-4 w-4 text-muted-foreground" aria-hidden />
+            <SheetTitle className="font-mono text-sm">
+              {podName}
+            </SheetTitle>
+            <StatusPill status={status} />
+          </div>
+          <SheetDescription className="sr-only">
+            Interactive exec shell for pod {podName}
+          </SheetDescription>
+        </SheetHeader>
+
+        {/* Top bar: container + command pickers + reconnect */}
+        <div className="flex flex-wrap items-center gap-2 shrink-0 pt-1">
+          <select
+            value={selectedContainer}
+            onChange={(e) => handleContainerChange(e.target.value)}
+            className="h-7 rounded border bg-background px-2 text-xs text-foreground focus:outline-none focus:ring-1 focus:ring-ring"
+          >
+            {containers.map((c) => (
+              <option key={c.name} value={c.name}>
+                {c.name}
+              </option>
+            ))}
+          </select>
+
+          <select
+            value={useCustom ? '__custom__' : selectedCommand}
+            onChange={(e) => handleCommandChange(e.target.value)}
+            className="h-7 rounded border bg-background px-2 text-xs text-foreground focus:outline-none focus:ring-1 focus:ring-ring"
+          >
+            {COMMAND_OPTIONS.map((cmd) => (
+              <option key={cmd} value={cmd}>
+                {cmd}
+              </option>
+            ))}
+            <option value="__custom__">Custom…</option>
+          </select>
+
+          {useCustom && (
+            <input
+              type="text"
+              value={customCommand}
+              onChange={(e) => setCustomCommand(e.target.value)}
+              onKeyDown={(e) => { if (e.key === 'Enter') handleCustomCommandCommit() }}
+              placeholder="/bin/sh"
+              className="h-7 rounded border bg-background px-2 text-xs text-foreground focus:outline-none focus:ring-1 focus:ring-ring"
+            />
+          )}
+
+          <Button
+            variant="outline"
+            size="sm"
+            className="h-7 text-xs"
+            onClick={() => setGeneration((g) => g + 1)}
+            disabled={status === 'connecting'}
+          >
+            <RotateCcw className="h-3 w-3" aria-hidden />
+            {status === 'open' ? 'Reset' : 'Reconnect'}
+          </Button>
+        </div>
+
+        {error && (
+          <Alert variant="destructive" className="shrink-0">
+            <AlertDescription>{error}</AlertDescription>
+          </Alert>
+        )}
+
+        {/* Terminal area */}
+        <div className="flex-1 overflow-hidden rounded border bg-black/80 p-2 min-h-0">
+          <div ref={containerRef} className="h-full w-full" />
+        </div>
+
+        {/* Footer */}
+        <p className="shrink-0 text-xs text-muted-foreground">
+          Connected as the pod's user. exec exits when the shell exits.
+        </p>
+      </SheetContent>
+    </Sheet>
+  )
+}
+
+function StatusPill({ status }: { status: Status }) {
+  const styles = {
+    connecting: 'bg-amber-500/10 text-amber-500 ring-amber-500/30',
+    open: 'bg-emerald-500/10 text-emerald-500 ring-emerald-500/30',
+    closed: 'bg-muted text-muted-foreground ring-muted',
+    error: 'bg-destructive/10 text-destructive ring-destructive/30',
+  }[status]
+  const label = {
+    connecting: 'Connecting',
+    open: 'Live',
+    closed: 'Closed',
+    error: 'Error',
+  }[status]
+  return (
+    <span className={`inline-flex items-center gap-1.5 rounded-full px-2 py-0.5 text-xs ring-1 ${styles}`}>
+      <span
+        className={`inline-block h-1.5 w-1.5 rounded-full ${
+          status === 'open'
+            ? 'bg-emerald-500 animate-pulse'
+            : status === 'connecting'
+            ? 'bg-amber-500 animate-pulse'
+            : status === 'error'
+            ? 'bg-destructive'
+            : 'bg-muted-foreground'
+        }`}
+        aria-hidden
+      />
+      {label}
+    </span>
+  )
+}
diff --git a/web/src/lib/k8s.ts b/web/src/lib/k8s.ts
index 9b162e5..1e33b09 100644
--- a/web/src/lib/k8s.ts
+++ b/web/src/lib/k8s.ts
@@ -285,3 +285,8 @@ export function podLogsURL(namespace: string, name: string, container: string):
   const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:'
   return `${proto}//${window.location.host}/ws/k8s/pods/${encodeURIComponent(namespace)}/${encodeURIComponent(name)}/logs?container=${encodeURIComponent(container)}&tail=200`
 }
+
+export function podExecURL(namespace: string, name: string): string {
+  const proto = window.location.protocol === 'https:' ? 'wss:' : 'ws:'
+  return `${proto}//${window.location.host}/ws/k8s/pods/${namespace}/${name}/exec`
+}

From 33d3b0cd7a72f950b422d4eb10e0428e8e37070f Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Fri, 8 May 2026 23:24:49 -0700
Subject: [PATCH 16/25] =?UTF-8?q?k8s:=20Phase=20D2=20=E2=80=94=20ConfigMap?=
 =?UTF-8?q?=20viewer=20+=20editor?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a ConfigMaps tab to the Kubernetes route, with full list / view /
edit. Uses a simple key-value editor for now (no Monaco — that lands
with D4's manifest editor for the full YAML edit experience).

Backend (internal/k8s/configmaps.go + internal/api/k8s/k8s.go)
  - GET  /api/k8s/configmaps?namespace=
         → { configmaps: [{name, namespace, keys[], age}] }
         List omits data values to keep responses small; only metadata
         and the lex-sorted key list.
  - GET  /api/k8s/configmaps/:ns/:name
         → ConfigMapDetail (configmap + labels + annotations + data
         + binary_keys + events).
         binary_keys lists names of binaryData entries; the bytes
         themselves aren't returned (avoids accidentally exposing
         non-text secrets-in-configmaps).
  - PUT  /api/k8s/configmaps/:ns/:name
         body: { data: Record<string,string> }
         resp: {ok: true} / 400 (invalid key) / 404 / 409 (conflict)
              / 413 (over 1 MiB).
         Uses Update (not Patch) so the API server's
         resourceVersion-based optimistic concurrency check fires and
         we get 409 instead of silent overwrite when two operators
         edit at once.
  - Validation: key matches `^[a-zA-Z0-9._-]+$`, total `len(k)+len(v)`
         under 1 MiB. Audit row per update with key_count + size_bytes.
         metadata.name/namespace are URL-canonical and not editable;
         labels/annotations are read-only here (D4 will handle them
         via manifest edit).

Frontend (lib/k8s.ts + components/k8s/ConfigMap{List,Detail}.tsx)
  - Three new TS interfaces matching the backend contract; three
    hooks (useK8sConfigMaps, useK8sConfigMapDetail,
    useUpdateConfigMap) following the Phase B/C invalidation pattern.
  - ConfigMapList: table with Name / Namespace / Keys-count / Age,
    namespace picker driven from the existing parent state.
  - ConfigMapDetail: Sheet drawer with key/value table editor
    (`<Input>` for keys, multi-line `<textarea>` for values),
    add/remove rows, Save with AlertDialog confirmation showing
    key count + total bytes via formatBytes. Dirty detection via
    JSON.stringify of sorted entries against the original snapshot.
  - 409 conflict UX: dedicated inline Alert with a Reload button
    that refetches detail and discards local edits.
  - Read-only sections for labels (chips), annotations (collapsible),
    binary_keys ("Edit via kubectl; not editable here"), events
    (reuses existing EventsTable).

RBAC (deploy/k8s/rbac.yaml)
  - core/configmaps: [update]. get/list/watch were already in scope
    from Phase A. No widening for binary data — read still returns
    only key names.

Verified end-to-end:
  - make image succeeds.
  - Image loaded into both K3s nodes; rollout restart clean.
  - Docker compose container recreated with the new image.
  - kubectl auth can-i update/list configmaps as the SA → both yes.
  - All 3 endpoints return 401 (mounted, auth-gated).
  - SPA bundle contains ConfigMapList / ConfigMapDetail / hooks.
---
 deploy/k8s/rbac.yaml                       |   4 +
 internal/api/k8s/k8s.go                    | 115 ++++++
 internal/k8s/configmaps.go                 | 131 +++++++
 web/src/components/k8s/ConfigMapDetail.tsx | 388 +++++++++++++++++++++
 web/src/components/k8s/ConfigMapList.tsx   |  81 +++++
 web/src/lib/k8s.ts                         |  55 +++
 web/src/routes/Kubernetes.tsx              |  25 +-
 7 files changed, 797 insertions(+), 2 deletions(-)
 create mode 100644 internal/k8s/configmaps.go
 create mode 100644 web/src/components/k8s/ConfigMapDetail.tsx
 create mode 100644 web/src/components/k8s/ConfigMapList.tsx

diff --git a/deploy/k8s/rbac.yaml b/deploy/k8s/rbac.yaml
index d7530c8..b3f6738 100644
--- a/deploy/k8s/rbac.yaml
+++ b/deploy/k8s/rbac.yaml
@@ -47,6 +47,10 @@ rules:
     resources:
       - nodes
     verbs: [patch]
+  - apiGroups: [""]
+    resources:
+      - configmaps
+    verbs: [update]
   - apiGroups: ["apps"]
     resources:
       - deployments
diff --git a/internal/api/k8s/k8s.go b/internal/api/k8s/k8s.go
index d702ec3..53d5b3d 100644
--- a/internal/api/k8s/k8s.go
+++ b/internal/api/k8s/k8s.go
@@ -17,6 +17,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/gofiber/websocket/v2"
 	"github.com/rs/zerolog"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/client-go/tools/remotecommand"
 
 	"github.com/tm4rtin17/controlroom/internal/api/middleware"
@@ -72,6 +73,9 @@ func MountHTTP(authed fiber.Router, d Deps) {
 	g.Delete("/pods/:namespace/:name", d.deletePodHandler)
 	g.Get("/services", d.servicesHandler)
 	g.Get("/services/:namespace/:name", d.serviceDetailHandler)
+	g.Get("/configmaps", d.listConfigMapsHandler)
+	g.Get("/configmaps/:namespace/:name", d.configMapDetailHandler)
+	g.Put("/configmaps/:namespace/:name", d.updateConfigMapHandler)
 }
 
 // MountWS registers WebSocket routes on the ws group.
@@ -248,6 +252,117 @@ func (d Deps) serviceDetailHandler(c *fiber.Ctx) error {
 	return c.JSON(detail)
 }
 
+// ---- configmap handlers ----
+
+const cmSizeLimit = 1 << 20 // 1 MiB
+
+type configMapsResp struct {
+	ConfigMaps []k8s.ConfigMap `json:"configmaps"`
+}
+
+func (d Deps) listConfigMapsHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	cms, err := d.Client.ListConfigMaps(c.Context(), c.Query("namespace"))
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "list configmaps: "+err.Error())
+	}
+	return c.JSON(configMapsResp{ConfigMaps: cms})
+}
+
+func (d Deps) configMapDetailHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	namespace := c.Params("namespace")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid configmap name")
+	}
+	detail, err := d.Client.GetConfigMap(c.Context(), namespace, name)
+	if err != nil {
+		if k8serrors.IsNotFound(err) {
+			return fiber.NewError(http.StatusNotFound, "configmap not found")
+		}
+		if k8serrors.IsForbidden(err) {
+			return fiber.NewError(http.StatusForbidden, "forbidden")
+		}
+		return fiber.NewError(http.StatusInternalServerError, "get configmap: "+err.Error())
+	}
+	return c.JSON(detail)
+}
+
+type updateConfigMapReq struct {
+	Data map[string]string `json:"data"`
+}
+
+func (d Deps) updateConfigMapHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	namespace := c.Params("namespace")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid configmap name")
+	}
+
+	var body updateConfigMapReq
+	if err := c.BodyParser(&body); err != nil {
+		return fiber.NewError(http.StatusBadRequest, "invalid request body")
+	}
+	if body.Data == nil {
+		return fiber.NewError(http.StatusBadRequest, "data is required")
+	}
+
+	// Validate each key and compute total size.
+	var totalSize int
+	for k, v := range body.Data {
+		if !k8s.ValidConfigMapKey(k) {
+			return fiber.NewError(http.StatusBadRequest, fmt.Sprintf("invalid configmap key %q: must match ^[a-zA-Z0-9._-]+$", k))
+		}
+		totalSize += len(k) + len(v)
+	}
+	if totalSize > cmSizeLimit {
+		return fiber.NewError(http.StatusRequestEntityTooLarge, fmt.Sprintf("data size %d bytes exceeds 1 MiB limit", totalSize))
+	}
+
+	err := d.Client.UpdateConfigMap(c.Context(), namespace, name, body.Data)
+	entry := store.AuditEntry{
+		IP:      c.IP(),
+		Action:  "k8s.configmap.update",
+		Target:  namespace + "/" + name,
+		Outcome: "success",
+		Detail:  map[string]any{"key_count": len(body.Data), "size_bytes": totalSize},
+	}
+	if u := middleware.CurrentUser(c); u != nil {
+		entry.UserID = u.ID
+	}
+	if err != nil {
+		entry.Outcome = "failure"
+		entry.Detail = map[string]any{"key_count": len(body.Data), "size_bytes": totalSize, "error": err.Error()}
+		_ = d.DB.WriteAudit(c.Context(), entry)
+		if k8serrors.IsNotFound(err) {
+			return fiber.NewError(http.StatusNotFound, "configmap not found")
+		}
+		if k8serrors.IsForbidden(err) {
+			return fiber.NewError(http.StatusForbidden, "forbidden")
+		}
+		if k8serrors.IsConflict(err) {
+			return fiber.NewError(http.StatusConflict, "configmap was modified by another process; please reload and retry")
+		}
+		return fiber.NewError(http.StatusInternalServerError, "update configmap: "+err.Error())
+	}
+	_ = d.DB.WriteAudit(c.Context(), entry)
+	return c.JSON(fiber.Map{"ok": true})
+}
+
 // ---- write action handlers ----
 
 func (d Deps) restartWorkloadHandler(c *fiber.Ctx) error {
diff --git a/internal/k8s/configmaps.go b/internal/k8s/configmaps.go
new file mode 100644
index 0000000..d548c81
--- /dev/null
+++ b/internal/k8s/configmaps.go
@@ -0,0 +1,131 @@
+package k8s
+
+import (
+	"context"
+	"regexp"
+	"sort"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// configmap key rule: ^[a-zA-Z0-9._-]+$
+var cmKeyRE = regexp.MustCompile(`^[a-zA-Z0-9._\-]+$`)
+
+// ValidConfigMapKey reports whether s is a valid configmap data key.
+func ValidConfigMapKey(s string) bool {
+	return len(s) > 0 && cmKeyRE.MatchString(s)
+}
+
+// ConfigMap is the list-level representation (no data values).
+type ConfigMap struct {
+	Name      string   `json:"name"`
+	Namespace string   `json:"namespace"`
+	Keys      []string `json:"keys"` // never nil; lex-sorted
+	Age       string   `json:"age"`  // RFC3339
+}
+
+// ConfigMapDetail is the full detail view.
+type ConfigMapDetail struct {
+	ConfigMap   ConfigMap         `json:"configmap"`
+	Labels      map[string]string `json:"labels"`      // never nil
+	Annotations map[string]string `json:"annotations"` // never nil
+	Data        map[string]string `json:"data"`        // never nil
+	BinaryKeys  []string          `json:"binary_keys"` // never nil
+	Events      []Event           `json:"events"`      // never nil
+}
+
+// sortedKeys returns the sorted keys of a map[string]string.
+func sortedKeys(m map[string]string) []string {
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+// ListConfigMaps lists configmaps. namespace="" means all namespaces.
+func (c *Client) ListConfigMaps(ctx context.Context, namespace string) ([]ConfigMap, error) {
+	list, err := c.cs.CoreV1().ConfigMaps(namespace).List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	out := make([]ConfigMap, 0, len(list.Items))
+	for _, cm := range list.Items {
+		keys := sortedKeys(cm.Data)
+		if keys == nil {
+			keys = []string{}
+		}
+		out = append(out, ConfigMap{
+			Name:      cm.Name,
+			Namespace: cm.Namespace,
+			Keys:      keys,
+			Age:       cm.CreationTimestamp.UTC().Format(time.RFC3339),
+		})
+	}
+	return out, nil
+}
+
+// GetConfigMap returns full detail for a configmap including events.
+func (c *Client) GetConfigMap(ctx context.Context, namespace, name string) (*ConfigMapDetail, error) {
+	cm, err := c.cs.CoreV1().ConfigMaps(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	labels := cm.Labels
+	if labels == nil {
+		labels = map[string]string{}
+	}
+	annotations := cm.Annotations
+	if annotations == nil {
+		annotations = map[string]string{}
+	}
+	data := cm.Data
+	if data == nil {
+		data = map[string]string{}
+	}
+
+	binaryKeys := make([]string, 0, len(cm.BinaryData))
+	for k := range cm.BinaryData {
+		binaryKeys = append(binaryKeys, k)
+	}
+	sort.Strings(binaryKeys)
+
+	keys := sortedKeys(cm.Data)
+	if keys == nil {
+		keys = []string{}
+	}
+
+	events, err := c.ListEvents(ctx, namespace, "ConfigMap", name)
+	if err != nil {
+		events = []Event{}
+	}
+
+	return &ConfigMapDetail{
+		ConfigMap: ConfigMap{
+			Name:      cm.Name,
+			Namespace: cm.Namespace,
+			Keys:      keys,
+			Age:       cm.CreationTimestamp.UTC().Format(time.RFC3339),
+		},
+		Labels:      labels,
+		Annotations: annotations,
+		Data:        data,
+		BinaryKeys:  binaryKeys,
+		Events:      events,
+	}, nil
+}
+
+// UpdateConfigMap replaces the data field of a configmap preserving binaryData.
+// Uses Get+Update for resourceVersion conflict detection (409 on conflict).
+func (c *Client) UpdateConfigMap(ctx context.Context, namespace, name string, newData map[string]string) error {
+	cm, err := c.cs.CoreV1().ConfigMaps(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+	cm.Data = newData
+	_, err = c.cs.CoreV1().ConfigMaps(namespace).Update(ctx, cm, metav1.UpdateOptions{})
+	return err
+}
diff --git a/web/src/components/k8s/ConfigMapDetail.tsx b/web/src/components/k8s/ConfigMapDetail.tsx
new file mode 100644
index 0000000..7c41bdd
--- /dev/null
+++ b/web/src/components/k8s/ConfigMapDetail.tsx
@@ -0,0 +1,388 @@
+import { useState, useEffect, useRef, useCallback } from 'react'
+import { Trash2, Plus, RefreshCw } from 'lucide-react'
+
+import { useK8sConfigMapDetail, useUpdateConfigMap } from '@/lib/k8s'
+import { ApiError } from '@/lib/api'
+import { formatBytes } from '@/lib/format'
+import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import { Button } from '@/components/ui/button'
+import { Input } from '@/components/ui/input'
+import { Badge } from '@/components/ui/badge'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+import {
+  AlertDialog,
+  AlertDialogAction,
+  AlertDialogCancel,
+  AlertDialogContent,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogHeader,
+  AlertDialogTitle,
+} from '@/components/ui/alert-dialog'
+import { EventsTable } from './EventsTable'
+
+const KEY_PATTERN = /^[a-zA-Z0-9._-]+$/
+
+interface DataEntry {
+  key: string
+  value: string
+}
+
+function Section({ title, children }: { title: string; children: React.ReactNode }) {
+  return (
+    <div>
+      <p className="mb-2 text-xs uppercase tracking-wider text-muted-foreground">{title}</p>
+      {children}
+    </div>
+  )
+}
+
+function dataToEntries(data: Record<string, string>): DataEntry[] {
+  return Object.entries(data)
+    .sort(([a], [b]) => a.localeCompare(b))
+    .map(([key, value]) => ({ key, value }))
+}
+
+function entriesToSortedJson(entries: DataEntry[]): string {
+  const sorted = [...entries].sort((a, b) => a.key.localeCompare(b.key))
+  return JSON.stringify(sorted.map((e) => ({ key: e.key, value: e.value })))
+}
+
+function totalBytes(entries: DataEntry[]): number {
+  return entries.reduce((sum, e) => sum + new TextEncoder().encode(e.value).length, 0)
+}
+
+function CollapsibleSection({ title, children }: { title: string; children: React.ReactNode }) {
+  const [open, setOpen] = useState(false)
+  return (
+    <div>
+      <button
+        className="mb-2 flex items-center gap-1 text-xs uppercase tracking-wider text-muted-foreground hover:text-foreground"
+        onClick={() => setOpen((o) => !o)}
+        type="button"
+      >
+        <span>{open ? '▾' : '▸'}</span>
+        {title}
+      </button>
+      {open && children}
+    </div>
+  )
+}
+
+export function ConfigMapDetail({
+  namespace,
+  name,
+  open,
+  onOpenChange,
+}: {
+  namespace: string | null
+  name: string | null
+  open: boolean
+  onOpenChange: (open: boolean) => void
+}) {
+  const detailQ = useK8sConfigMapDetail(open ? namespace : null, open ? name : null)
+  const updateMut = useUpdateConfigMap()
+
+  const [entries, setEntries] = useState<DataEntry[]>([])
+  const [originalJson, setOriginalJson] = useState('')
+  const [confirmOpen, setConfirmOpen] = useState(false)
+  const [saveError, setSaveError] = useState<string | null>(null)
+  const [saveSuccess, setSaveSuccess] = useState(false)
+  const [conflictError, setConflictError] = useState(false)
+
+  const newKeyRefs = useRef<HTMLInputElement[]>([])
+
+  const detail = detailQ.data
+
+  // Sync entries when detail loads or reloads
+  useEffect(() => {
+    if (!detail) return
+    const initial = dataToEntries(detail.data)
+    setEntries(initial)
+    setOriginalJson(entriesToSortedJson(initial))
+    setSaveError(null)
+    setSaveSuccess(false)
+    setConflictError(false)
+  }, [detail])
+
+  const dirty = entries.length > 0
+    ? entriesToSortedJson(entries) !== originalJson
+    : originalJson !== '[]'
+
+  const duplicateKeys = (() => {
+    const seen = new Set<string>()
+    const dupes = new Set<string>()
+    for (const e of entries) {
+      if (seen.has(e.key)) dupes.add(e.key)
+      seen.add(e.key)
+    }
+    return dupes
+  })()
+
+  const invalidKeys = entries.filter((e) => e.key && !KEY_PATTERN.test(e.key)).map((e) => e.key)
+
+  const canSave = dirty && duplicateKeys.size === 0 && invalidKeys.length === 0
+
+  const handleReload = useCallback(() => {
+    detailQ.refetch()
+  }, [detailQ])
+
+  function updateEntry(idx: number, field: 'key' | 'value', val: string) {
+    setEntries((prev) => prev.map((e, i) => i === idx ? { ...e, [field]: val } : e))
+    setSaveError(null)
+    setSaveSuccess(false)
+  }
+
+  function removeEntry(idx: number) {
+    setEntries((prev) => prev.filter((_, i) => i !== idx))
+  }
+
+  function addEntry() {
+    setEntries((prev) => {
+      const next = [...prev, { key: '', value: '' }]
+      // Focus the new key input after render
+      setTimeout(() => {
+        const el = newKeyRefs.current[next.length - 1]
+        el?.focus()
+      }, 50)
+      return next
+    })
+  }
+
+  function handleSave() {
+    if (!canSave) return
+    setConfirmOpen(true)
+  }
+
+  function confirmSave() {
+    if (!namespace || !name) return
+    const data: Record<string, string> = {}
+    for (const e of entries) {
+      data[e.key] = e.value
+    }
+    updateMut.mutate(
+      { namespace, name, data },
+      {
+        onSuccess: () => {
+          setSaveSuccess(true)
+          setSaveError(null)
+          setConflictError(false)
+          // originalJson will be updated when detail refetches via invalidation
+        },
+        onError: (err) => {
+          if (err instanceof ApiError && err.status === 409) {
+            setConflictError(true)
+            setSaveError(null)
+          } else {
+            setSaveError(err instanceof Error ? err.message : 'Save failed.')
+            setConflictError(false)
+          }
+        },
+      }
+    )
+  }
+
+  const cm = detail?.configmap
+
+  return (
+    <>
+      <Sheet open={open} onOpenChange={onOpenChange}>
+        <SheetContent className="overflow-y-auto sm:max-w-2xl">
+          <SheetHeader>
+            <div className="flex items-start justify-between gap-2">
+              <div className="min-w-0">
+                <SheetTitle className="font-mono break-all">{cm?.name ?? name}</SheetTitle>
+                <SheetDescription>
+                  {cm
+                    ? `${cm.namespace}${detail && detail.binary_keys.length > 0 ? ` · ${cm.keys.length} data keys · ${detail.binary_keys.length} binary keys (read-only)` : ` · ${cm.keys.length} data keys`}`
+                    : (namespace ?? '')}
+                </SheetDescription>
+              </div>
+              <div className="flex shrink-0 items-center gap-2">
+                {(updateMut.isPending) && (
+                  <span className="text-xs text-muted-foreground">Saving…</span>
+                )}
+                {saveSuccess && !updateMut.isPending && (
+                  <Badge variant="success">Saved</Badge>
+                )}
+                <Button
+                  size="sm"
+                  variant="outline"
+                  onClick={handleReload}
+                  title="Reload and discard local edits"
+                >
+                  <RefreshCw className="h-3.5 w-3.5" />
+                </Button>
+                <Button
+                  size="sm"
+                  disabled={!canSave || updateMut.isPending}
+                  onClick={handleSave}
+                >
+                  Save
+                </Button>
+              </div>
+            </div>
+          </SheetHeader>
+
+          {conflictError && (
+            <Alert variant="destructive" className="mt-4">
+              <AlertDescription>
+                This configmap was edited elsewhere. Reload to see the latest version, then re-apply your changes.
+                <Button size="sm" variant="outline" className="ml-2 h-6 text-xs" onClick={handleReload}>
+                  Reload
+                </Button>
+              </AlertDescription>
+            </Alert>
+          )}
+
+          {saveError && !conflictError && (
+            <Alert variant="destructive" className="mt-4">
+              <AlertDescription>{saveError}</AlertDescription>
+            </Alert>
+          )}
+
+          {detail && cm && (
+            <div className="mt-4 flex flex-col gap-6">
+              {/* Data editor */}
+              <Section title="Data">
+                <div className="overflow-x-auto">
+                  <table className="w-full text-xs">
+                    <thead>
+                      <tr className="border-b text-left text-muted-foreground">
+                        <th className="py-1.5 pr-2 font-medium w-[35%]">Key</th>
+                        <th className="py-1.5 pr-2 font-medium">Value</th>
+                        <th className="py-1.5 w-8" />
+                      </tr>
+                    </thead>
+                    <tbody className="divide-y">
+                      {entries.map((entry, idx) => {
+                        const keyInvalid = entry.key && !KEY_PATTERN.test(entry.key)
+                        const keyDupe = duplicateKeys.has(entry.key)
+                        return (
+                          <tr key={idx}>
+                            <td className="py-1.5 pr-2 align-top">
+                              <Input
+                                ref={(el) => { if (el) newKeyRefs.current[idx] = el }}
+                                value={entry.key}
+                                onChange={(e) => updateEntry(idx, 'key', e.target.value)}
+                                className={`h-7 font-mono text-xs ${keyInvalid || keyDupe ? 'border-destructive ring-destructive' : ''}`}
+                                placeholder="key"
+                                aria-label="Entry key"
+                              />
+                              {keyInvalid && (
+                                <p className="mt-0.5 text-[10px] text-destructive">Invalid characters</p>
+                              )}
+                              {keyDupe && (
+                                <p className="mt-0.5 text-[10px] text-destructive">Duplicate key</p>
+                              )}
+                            </td>
+                            <td className="py-1.5 pr-2 align-top">
+                              <textarea
+                                value={entry.value}
+                                onChange={(e) => updateEntry(idx, 'value', e.target.value)}
+                                rows={Math.min(10, Math.max(1, entry.value.split('\n').length))}
+                                className="flex w-full rounded-md border border-input bg-background px-3 py-1.5 font-mono text-xs ring-offset-background placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 resize-y"
+                                placeholder="value"
+                                aria-label="Entry value"
+                              />
+                            </td>
+                            <td className="py-1.5 align-top">
+                              <Button
+                                size="icon"
+                                variant="ghost"
+                                className="h-7 w-7"
+                                onClick={() => removeEntry(idx)}
+                                title="Remove entry"
+                              >
+                                <Trash2 className="h-3.5 w-3.5 text-muted-foreground" />
+                              </Button>
+                            </td>
+                          </tr>
+                        )
+                      })}
+                    </tbody>
+                  </table>
+                </div>
+                <Button size="sm" variant="outline" className="mt-2 h-7 text-xs gap-1" onClick={addEntry}>
+                  <Plus className="h-3.5 w-3.5" />
+                  Add key
+                </Button>
+              </Section>
+
+              {/* Labels */}
+              {Object.keys(detail.labels).length > 0 && (
+                <Section title="Labels">
+                  <div className="flex flex-wrap gap-1.5">
+                    {Object.entries(detail.labels).map(([k, v]) => (
+                      <Badge key={k} variant="muted">{k}={v}</Badge>
+                    ))}
+                  </div>
+                </Section>
+              )}
+
+              {/* Annotations */}
+              {Object.keys(detail.annotations).length > 0 && (
+                <CollapsibleSection title="Annotations">
+                  <div className="flex flex-wrap gap-1.5">
+                    {Object.entries(detail.annotations).map(([k, v]) => (
+                      <Badge key={k} variant="muted" className="max-w-xs truncate" title={`${k}=${v}`}>
+                        {k}={v}
+                      </Badge>
+                    ))}
+                  </div>
+                </CollapsibleSection>
+              )}
+
+              {/* Binary keys */}
+              {detail.binary_keys.length > 0 && (
+                <Section title="Binary Keys">
+                  <div className="flex flex-col gap-1">
+                    {detail.binary_keys.map((bk) => (
+                      <span key={bk} className="font-mono text-xs text-muted-foreground">{bk}</span>
+                    ))}
+                    <p className="mt-1 text-xs text-muted-foreground">Edit via kubectl; not editable here.</p>
+                  </div>
+                </Section>
+              )}
+
+              {/* Events */}
+              <Section title="Events">
+                <EventsTable events={detail.events} />
+              </Section>
+            </div>
+          )}
+
+          {detailQ.isLoading && !detail && (
+            <p className="mt-6 text-sm text-muted-foreground">Loading…</p>
+          )}
+          {detailQ.error && !detail && (
+            <Alert variant="destructive" className="mt-4">
+              <AlertDescription>{detailQ.error instanceof Error ? detailQ.error.message : 'Failed to load configmap.'}</AlertDescription>
+            </Alert>
+          )}
+        </SheetContent>
+      </Sheet>
+
+      {/* Save confirmation dialog */}
+      <AlertDialog open={confirmOpen} onOpenChange={setConfirmOpen}>
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle>Update ConfigMap</AlertDialogTitle>
+            <AlertDialogDescription>
+              Update configmap{' '}
+              <span className="font-mono">
+                {namespace}/{name}
+              </span>
+              ? {entries.length} {entries.length === 1 ? 'key' : 'keys'}, total{' '}
+              {formatBytes(totalBytes(entries))}.
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <AlertDialogFooter>
+            <AlertDialogCancel>Cancel</AlertDialogCancel>
+            <AlertDialogAction onClick={confirmSave}>Update</AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
+    </>
+  )
+}
diff --git a/web/src/components/k8s/ConfigMapList.tsx b/web/src/components/k8s/ConfigMapList.tsx
new file mode 100644
index 0000000..c12f060
--- /dev/null
+++ b/web/src/components/k8s/ConfigMapList.tsx
@@ -0,0 +1,81 @@
+import type { K8sConfigMap } from '@/lib/k8s'
+import { formatRelativeTime } from '@/lib/format'
+import { Card, CardContent } from '@/components/ui/card'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+
+interface Props {
+  configmaps: K8sConfigMap[]
+  loading: boolean
+  error: Error | null
+  search: string
+  onOpen?: (namespace: string, name: string) => void
+}
+
+export function ConfigMapList({ configmaps, loading, error, search, onOpen }: Props) {
+  if (loading) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">Loading…</CardContent>
+      </Card>
+    )
+  }
+  if (error) {
+    return (
+      <Alert variant="destructive">
+        <AlertDescription>{error.message || 'Could not fetch configmaps.'}</AlertDescription>
+      </Alert>
+    )
+  }
+
+  const needle = search.toLowerCase()
+  const filtered = needle
+    ? configmaps.filter(
+        (cm) =>
+          cm.name.toLowerCase().includes(needle) ||
+          cm.namespace.toLowerCase().includes(needle)
+      )
+    : configmaps
+
+  if (filtered.length === 0) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">
+          {configmaps.length === 0 ? 'No configmaps found' : 'No configmaps match'}
+        </CardContent>
+      </Card>
+    )
+  }
+
+  return (
+    <Card>
+      <CardContent className="p-0">
+        <div className="overflow-x-auto">
+          <table className="w-full text-sm">
+            <thead>
+              <tr className="border-b text-left text-xs text-muted-foreground">
+                <th className="px-4 py-3 font-medium">Name</th>
+                <th className="px-4 py-3 font-medium">Namespace</th>
+                <th className="px-4 py-3 font-medium">Keys</th>
+                <th className="px-4 py-3 font-medium">Age</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y">
+              {filtered.map((cm) => (
+                <tr
+                  key={`${cm.namespace}/${cm.name}`}
+                  className={onOpen ? 'cursor-pointer hover:bg-accent/30' : 'hover:bg-accent/30'}
+                  onClick={() => onOpen?.(cm.namespace, cm.name)}
+                >
+                  <td className="px-4 py-3 font-mono text-xs font-medium">{cm.name}</td>
+                  <td className="px-4 py-3 text-xs text-muted-foreground">{cm.namespace}</td>
+                  <td className="px-4 py-3 text-xs tabular-nums">{cm.keys.length}</td>
+                  <td className="px-4 py-3 text-xs text-muted-foreground">{formatRelativeTime(cm.age)}</td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      </CardContent>
+    </Card>
+  )
+}
diff --git a/web/src/lib/k8s.ts b/web/src/lib/k8s.ts
index 1e33b09..17ffed2 100644
--- a/web/src/lib/k8s.ts
+++ b/web/src/lib/k8s.ts
@@ -124,6 +124,22 @@ export interface K8sService {
   age: string
 }
 
+export interface K8sConfigMap {
+  name: string
+  namespace: string
+  keys: string[]
+  age: string
+}
+
+export interface K8sConfigMapDetail {
+  configmap: K8sConfigMap
+  labels: Record<string, string>
+  annotations: Record<string, string>
+  data: Record<string, string>
+  binary_keys: string[]
+  events: K8sEvent[]
+}
+
 export function useK8sNodes() {
   return useQuery({
     queryKey: ['k8s', 'nodes'],
@@ -221,6 +237,45 @@ export function useK8sServiceDetail(namespace: string | null, name: string | nul
   })
 }
 
+export function useK8sConfigMaps(namespace: string) {
+  return useQuery({
+    queryKey: ['k8s', 'configmaps', namespace],
+    queryFn: () =>
+      apiFetch<{ configmaps: K8sConfigMap[] }>(
+        `/api/k8s/configmaps${namespace ? `?namespace=${encodeURIComponent(namespace)}` : ''}`
+      ),
+    refetchInterval: 10_000,
+    staleTime: 2_000,
+  })
+}
+
+export function useK8sConfigMapDetail(namespace: string | null, name: string | null) {
+  return useQuery({
+    queryKey: ['k8s', 'configmap', 'detail', namespace, name],
+    queryFn: () =>
+      apiFetch<K8sConfigMapDetail>(
+        `/api/k8s/configmaps/${encodeURIComponent(namespace!)}/${encodeURIComponent(name!)}`
+      ),
+    enabled: !!(namespace && name),
+    refetchInterval: 10_000,
+  })
+}
+
+export function useUpdateConfigMap() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: ({ namespace, name, data }: { namespace: string; name: string; data: Record<string, string> }) =>
+      apiFetch<{ ok: true }>(
+        `/api/k8s/configmaps/${encodeURIComponent(namespace)}/${encodeURIComponent(name)}`,
+        { method: 'PUT', body: JSON.stringify({ data }) }
+      ),
+    onSuccess: (_data, { namespace, name }) => {
+      qc.invalidateQueries({ queryKey: ['k8s', 'configmaps', namespace] })
+      qc.invalidateQueries({ queryKey: ['k8s', 'configmap', 'detail', namespace, name] })
+    },
+  })
+}
+
 export function useRestartWorkload() {
   const qc = useQueryClient()
   return useMutation({
diff --git a/web/src/routes/Kubernetes.tsx b/web/src/routes/Kubernetes.tsx
index 68af2c4..8ac7525 100644
--- a/web/src/routes/Kubernetes.tsx
+++ b/web/src/routes/Kubernetes.tsx
@@ -2,7 +2,7 @@ import { useState } from 'react'
 import { Search } from 'lucide-react'
 
 import { ApiError } from '@/lib/api'
-import { useK8sNodes, useK8sNamespaces, useK8sWorkloads, useK8sPods, useK8sServices } from '@/lib/k8s'
+import { useK8sNodes, useK8sNamespaces, useK8sWorkloads, useK8sPods, useK8sServices, useK8sConfigMaps } from '@/lib/k8s'
 import { Input } from '@/components/ui/input'
 import { Card, CardContent } from '@/components/ui/card'
 import { Label } from '@/components/ui/label'
@@ -11,24 +11,28 @@ import { NodeList } from '@/components/k8s/NodeList'
 import { WorkloadList } from '@/components/k8s/WorkloadList'
 import { PodList } from '@/components/k8s/PodList'
 import { ServiceList } from '@/components/k8s/ServiceList'
+import { ConfigMapList } from '@/components/k8s/ConfigMapList'
 import { NodeDetail } from '@/components/k8s/NodeDetail'
 import { WorkloadDetail } from '@/components/k8s/WorkloadDetail'
 import { PodDetail } from '@/components/k8s/PodDetail'
 import { ServiceDetail } from '@/components/k8s/ServiceDetail'
+import { ConfigMapDetail } from '@/components/k8s/ConfigMapDetail'
 
-type Tab = 'nodes' | 'workloads' | 'pods' | 'services'
+type Tab = 'nodes' | 'workloads' | 'pods' | 'services' | 'configmaps'
 
 const TABS: { id: Tab; label: string }[] = [
   { id: 'nodes', label: 'Nodes' },
   { id: 'workloads', label: 'Workloads' },
   { id: 'pods', label: 'Pods' },
   { id: 'services', label: 'Services' },
+  { id: 'configmaps', label: 'ConfigMaps' },
 ]
 
 interface NodeOpen { name: string }
 interface WorkloadOpen { namespace: string; kind: string; name: string }
 interface PodOpen { namespace: string; name: string }
 interface ServiceOpen { namespace: string; name: string }
+interface ConfigMapOpen { namespace: string; name: string }
 
 export function Kubernetes() {
   const [tab, setTab] = useState<Tab>('nodes')
@@ -39,12 +43,14 @@ export function Kubernetes() {
   const [openWorkload, setOpenWorkload] = useState<WorkloadOpen | null>(null)
   const [openPod, setOpenPod] = useState<PodOpen | null>(null)
   const [openService, setOpenService] = useState<ServiceOpen | null>(null)
+  const [openConfigMap, setOpenConfigMap] = useState<ConfigMapOpen | null>(null)
 
   const namespacesQ = useK8sNamespaces()
   const nodesQ = useK8sNodes()
   const workloadsQ = useK8sWorkloads(namespace)
   const podsQ = useK8sPods(namespace)
   const servicesQ = useK8sServices(namespace)
+  const configMapsQ = useK8sConfigMaps(namespace)
 
   // Surface 503 from the namespaces call as a top-level unavailable state.
   const unavailable = namespacesQ.error instanceof ApiError && namespacesQ.error.status === 503
@@ -153,6 +159,15 @@ export function Kubernetes() {
           onOpen={(ns, name) => setOpenService({ namespace: ns, name })}
         />
       )}
+      {tab === 'configmaps' && (
+        <ConfigMapList
+          configmaps={configMapsQ.data?.configmaps ?? []}
+          loading={configMapsQ.isLoading}
+          error={configMapsQ.error}
+          search={search}
+          onOpen={(ns, name) => setOpenConfigMap({ namespace: ns, name })}
+        />
+      )}
 
       {/* Detail drawers — rendered outside tab content so state persists across tab switches */}
       <NodeDetail
@@ -180,6 +195,12 @@ export function Kubernetes() {
         open={!!openService}
         onOpenChange={(o) => { if (!o) setOpenService(null) }}
       />
+      <ConfigMapDetail
+        namespace={openConfigMap?.namespace ?? null}
+        name={openConfigMap?.name ?? null}
+        open={!!openConfigMap}
+        onOpenChange={(o) => { if (!o) setOpenConfigMap(null) }}
+      />
     </div>
   )
 }

From f7917ac89c52673fe316c8bed7a60d4008201b12 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Sat, 9 May 2026 08:44:27 -0700
Subject: [PATCH 17/25] =?UTF-8?q?ci:=20fix=20workflow=20drift=20=E2=80=94?=
 =?UTF-8?q?=20Go=20from=20go.mod,=20correct=20embed=20path,=20v*=20trigger?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CI has been failing at workflow startup since before v0.2 (the m9
push to main also failed). Three real issues plus a couple of polish
items:

1. Go version drift. ci.yml pinned Go 1.23 while go.mod requires
   go 1.25.0 (k8s.io/client-go pulled in via Phase A). setup-go would
   install 1.23 and `go mod download` would fail. Switched to
   `go-version-file: go.mod` so the toolchain follows go.mod and
   can't drift again.

2. Wrong embed-stub path. internal/web/web.go does
       //go:embed all:dist
   from its own package directory, so the embed needs
   internal/web/dist/index.html — not web/dist/index.html. The old
   stub step created the wrong path; the Go compile would fail with
   "no matching files for embed". Fixed.

3. Trigger only ran on `push: [main]`, never on dev branches. Added
   "v*" so v0.2 (and future v0.3, v0.4) get CI feedback before merge.

Polish:
   - Added a `Vet` step (cheap, fast, often catches things lint
     misses).
   - Scoped the test run to ./internal/... ./cmd/... — ./... would
     descend into web/node_modules/flatted/golang/pkg/flatted (an
     npm dep that ships an embedded .go file) and fail to compile.
   - npm cache + cache-dependency-path on the web job for faster
     reruns.
   - Lint kept on `latest` with a comment explaining we'll pin if
     it ever flakes from a release upgrade.

The Docker image job is unchanged. It builds the same fat-privileged
runtime image we deploy from. Image size is ~230MB now (vs ~25MB
when ci.yml was first written) — the existing "Inspect image size"
step just reports, no enforcement, so no further change needed.
---
 .github/workflows/ci.yml | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e96528e..cf498c7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,7 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches:
+      - main
+      - "v*"
   pull_request:
 
 permissions:
@@ -10,33 +12,47 @@ permissions:
 
 jobs:
   go:
-    name: Go (lint + test)
+    name: Go (vet + lint + test)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.23'
+          # Pull the Go version from go.mod so CI can't drift from the
+          # toolchain the binary actually requires.
+          go-version-file: go.mod
           cache: true
 
-      - name: Ensure web/dist exists for embed
+      - name: Ensure embedded SPA stub exists
+        # internal/web/web.go does //go:embed all:dist from its own
+        # package directory, so the dir internal/web/dist/ must exist
+        # with an index.html for the Go side to compile. CI doesn't
+        # run the Vite build in this job — a placeholder is enough.
         run: |
-          mkdir -p web/dist
-          if [ ! -f web/dist/index.html ]; then
-            echo '<!doctype html><title>stub</title>' > web/dist/index.html
+          mkdir -p internal/web/dist
+          if [ ! -f internal/web/dist/index.html ]; then
+            echo '<!doctype html><title>stub</title>' > internal/web/dist/index.html
           fi
 
       - name: Download modules
         run: go mod download
 
+      - name: Vet
+        run: go vet ./...
+
       - name: Lint
         uses: golangci/golangci-lint-action@v6
         with:
+          # `latest` resolves to a release new enough to handle Go 1.25.
+          # Pin if we ever see CI flake from a lint upgrade.
           version: latest
-          args: --timeout=5m
+          args: --timeout=10m
 
       - name: Test
-        run: go test -race ./...
+        # Scoped to our own packages — `./...` would also descend into
+        # web/node_modules/flatted/golang/pkg/flatted (an npm dep that
+        # ships an embedded .go file in its tree).
+        run: go test -race ./internal/... ./cmd/...
 
   web:
     name: Web (typecheck + build)
@@ -49,6 +65,8 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
+          cache: npm
+          cache-dependency-path: web/package-lock.json
       - name: Install
         run: |
           if [ -f package-lock.json ]; then npm ci; else npm install; fi

From 8ad03568c84fca2af404025c348e3b3f398dc892 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Sat, 9 May 2026 08:46:41 -0700
Subject: [PATCH 18/25] ci: fix invalid YAML in 'inspect image size' step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

That step's run: scalar contained `image size: %.1f` — YAML plain
scalars can't contain colon-space, which made the parser see the
`%.1f` as a value of an implicit mapping with key `image size`. The
result was the entire workflow failing at startup with "this run
likely failed because of a workflow file issue" — zero jobs running,
zero seconds duration. Same bug existed on v0.1; main's m9 push hit
it too.

Switched to `run: |` block scalar so the awk format string is opaque
to YAML.
---
 .github/workflows/ci.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cf498c7..07c9049 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -94,4 +94,8 @@ jobs:
             VERSION=ci-${{ github.sha }}
             COMMIT=${{ github.sha }}
       - name: Inspect image size
-        run: docker image inspect controlroom:ci --format '{{ .Size }}' | awk '{ printf "image size: %.1f MB\n", $1/1024/1024 }'
+        # Block scalar — the awk format string contains `: ` (colon
+        # space) which would be parsed as an inline mapping value if
+        # this were a plain `run:` scalar.
+        run: |
+          docker image inspect controlroom:ci --format '{{ .Size }}' | awk '{ printf "image size: %.1f MB\n", $1/1024/1024 }'

From 675dbb9588ec7305120f456228f3973828c96ad1 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Sat, 9 May 2026 08:50:25 -0700
Subject: [PATCH 19/25] ci: track package-lock.json + bump golangci-lint to
 v2.5.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two fixes for the first real-execution CI run:

1. web/package-lock.json wasn't tracked, so the runner couldn't
   resolve `cache-dependency-path`, the cache step errored, and
   `npm ci` would have fallen through to `npm install` anyway —
   neither reproducible nor cached. Tracked the lock file (188K,
   one-time inflation; future updates will be small diffs).

2. golangci-lint v1.64.8 (which the v6 action's `latest` resolves
   to) is built with Go 1.24 and refuses to lint code targeting
   Go 1.25 ("the Go language version used to build golangci-lint
   is lower than the targeted Go version"). Bumped to action @v8
   pinned at v2.5.0 (built with Go 1.25). v2.x has a different
   config format but we have no .golangci.yml, so default linters
   run unchanged.
---
 .github/workflows/ci.yml |   10 +-
 web/package-lock.json    | 5298 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 5304 insertions(+), 4 deletions(-)
 create mode 100644 web/package-lock.json

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 07c9049..5089aed 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,11 +41,13 @@ jobs:
         run: go vet ./...
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v8
         with:
-          # `latest` resolves to a release new enough to handle Go 1.25.
-          # Pin if we ever see CI flake from a lint upgrade.
-          version: latest
+          # The lint binary itself must be built with Go ≥ go.mod's go
+          # directive — otherwise it refuses with "language version
+          # used to build golangci-lint is lower than the targeted
+          # Go version". v2.5.0+ is built with Go 1.25.
+          version: v2.5.0
           args: --timeout=10m
 
       - name: Test
diff --git a/web/package-lock.json b/web/package-lock.json
new file mode 100644
index 0000000..9707a89
--- /dev/null
+++ b/web/package-lock.json
@@ -0,0 +1,5298 @@
+{
+  "name": "controlroom-web",
+  "version": "0.0.1",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "controlroom-web",
+      "version": "0.0.1",
+      "dependencies": {
+        "@hookform/resolvers": "^3.9.0",
+        "@radix-ui/react-alert-dialog": "^1.1.2",
+        "@radix-ui/react-dialog": "^1.1.2",
+        "@radix-ui/react-dropdown-menu": "^2.1.2",
+        "@radix-ui/react-label": "^2.1.0",
+        "@radix-ui/react-separator": "^1.1.0",
+        "@radix-ui/react-slot": "^1.1.0",
+        "@tanstack/react-query": "^5.59.0",
+        "@xterm/addon-fit": "^0.10.0",
+        "@xterm/addon-web-links": "^0.11.0",
+        "@xterm/xterm": "^5.5.0",
+        "class-variance-authority": "^0.7.0",
+        "clsx": "^2.1.1",
+        "input-otp": "^1.4.1",
+        "lucide-react": "^0.453.0",
+        "react": "^18.3.1",
+        "react-dom": "^18.3.1",
+        "react-hook-form": "^7.53.0",
+        "react-router-dom": "^6.27.0",
+        "tailwind-merge": "^2.5.4",
+        "tailwindcss-animate": "^1.0.7",
+        "zod": "^3.23.8"
+      },
+      "devDependencies": {
+        "@types/node": "^22.7.5",
+        "@types/react": "^18.3.11",
+        "@types/react-dom": "^18.3.0",
+        "@typescript-eslint/eslint-plugin": "^8.8.1",
+        "@typescript-eslint/parser": "^8.8.1",
+        "@vitejs/plugin-react": "^4.3.2",
+        "autoprefixer": "^10.4.20",
+        "eslint": "^8.57.1",
+        "eslint-plugin-react-hooks": "^5.0.0",
+        "eslint-plugin-react-refresh": "^0.4.12",
+        "postcss": "^8.4.47",
+        "tailwindcss": "^3.4.13",
+        "typescript": "^5.6.2",
+        "vite": "^5.4.8"
+      }
+    },
+    "node_modules/@alloc/quick-lru": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/@alloc/quick-lru/-/quick-lru-5.2.0.tgz",
+      "integrity": "sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@babel/code-frame": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
+      "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-validator-identifier": "^7.28.5",
+        "js-tokens": "^4.0.0",
+        "picocolors": "^1.1.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/compat-data": {
+      "version": "7.29.3",
+      "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.3.tgz",
+      "integrity": "sha512-LIVqM46zQWZhj17qA8wb4nW/ixr2y1Nw+r1etiAWgRM6U1IqP+LNhL1yg440jYZR72jCWcWbLWzIosH+uP1fqg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/core": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz",
+      "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/code-frame": "^7.29.0",
+        "@babel/generator": "^7.29.0",
+        "@babel/helper-compilation-targets": "^7.28.6",
+        "@babel/helper-module-transforms": "^7.28.6",
+        "@babel/helpers": "^7.28.6",
+        "@babel/parser": "^7.29.0",
+        "@babel/template": "^7.28.6",
+        "@babel/traverse": "^7.29.0",
+        "@babel/types": "^7.29.0",
+        "@jridgewell/remapping": "^2.3.5",
+        "convert-source-map": "^2.0.0",
+        "debug": "^4.1.0",
+        "gensync": "^1.0.0-beta.2",
+        "json5": "^2.2.3",
+        "semver": "^6.3.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/babel"
+      }
+    },
+    "node_modules/@babel/core/node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/@babel/generator": {
+      "version": "7.29.1",
+      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
+      "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.29.0",
+        "@babel/types": "^7.29.0",
+        "@jridgewell/gen-mapping": "^0.3.12",
+        "@jridgewell/trace-mapping": "^0.3.28",
+        "jsesc": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-compilation-targets": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.28.6.tgz",
+      "integrity": "sha512-JYtls3hqi15fcx5GaSNL7SCTJ2MNmjrkHXg4FSpOA/grxK8KwyZ5bubHsCq8FXCkua6xhuaaBit+3b7+VZRfcA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/compat-data": "^7.28.6",
+        "@babel/helper-validator-option": "^7.27.1",
+        "browserslist": "^4.24.0",
+        "lru-cache": "^5.1.1",
+        "semver": "^6.3.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-compilation-targets/node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/@babel/helper-globals": {
+      "version": "7.28.0",
+      "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz",
+      "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-module-imports": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz",
+      "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/traverse": "^7.28.6",
+        "@babel/types": "^7.28.6"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-module-transforms": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz",
+      "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-module-imports": "^7.28.6",
+        "@babel/helper-validator-identifier": "^7.28.5",
+        "@babel/traverse": "^7.28.6"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
+      }
+    },
+    "node_modules/@babel/helper-plugin-utils": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.28.6.tgz",
+      "integrity": "sha512-S9gzZ/bz83GRysI7gAD4wPT/AI3uCnY+9xn+Mx/KPs2JwHJIz1W8PZkg2cqyt3RNOBM8ejcXhV6y8Og7ly/Dug==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-string-parser": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
+      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-identifier": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
+      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-option": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.27.1.tgz",
+      "integrity": "sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helpers": {
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.2.tgz",
+      "integrity": "sha512-HoGuUs4sCZNezVEKdVcwqmZN8GoHirLUcLaYVNBK2J0DadGtdcqgr3BCbvH8+XUo4NGjNl3VOtSjEKNzqfFgKw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/template": "^7.28.6",
+        "@babel/types": "^7.29.0"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/parser": {
+      "version": "7.29.3",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.3.tgz",
+      "integrity": "sha512-b3ctpQwp+PROvU/cttc4OYl4MzfJUWy6FZg+PMXfzmt/+39iHVF0sDfqay8TQM3JA2EUOyKcFZt75jWriQijsA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.29.0"
+      },
+      "bin": {
+        "parser": "bin/babel-parser.js"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@babel/plugin-transform-react-jsx-self": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-jsx-self/-/plugin-transform-react-jsx-self-7.27.1.tgz",
+      "integrity": "sha512-6UzkCs+ejGdZ5mFFC/OCUrv028ab2fp1znZmCZjAOBKiBK2jXD1O+BPSfX8X2qjJ75fZBMSnQn3Rq2mrBJK2mw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.27.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/plugin-transform-react-jsx-source": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-jsx-source/-/plugin-transform-react-jsx-source-7.27.1.tgz",
+      "integrity": "sha512-zbwoTsBruTeKB9hSq73ha66iFeJHuaFkUbwvqElnygoNbj/jHRsSeokowZFN3CZ64IvEqcmmkVe89OPXc7ldAw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.27.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
+      }
+    },
+    "node_modules/@babel/template": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
+      "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/code-frame": "^7.28.6",
+        "@babel/parser": "^7.28.6",
+        "@babel/types": "^7.28.6"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/traverse": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
+      "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/code-frame": "^7.29.0",
+        "@babel/generator": "^7.29.0",
+        "@babel/helper-globals": "^7.28.0",
+        "@babel/parser": "^7.29.0",
+        "@babel/template": "^7.28.6",
+        "@babel/types": "^7.29.0",
+        "debug": "^4.3.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/types": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-string-parser": "^7.27.1",
+        "@babel/helper-validator-identifier": "^7.28.5"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@esbuild/aix-ppc64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.21.5.tgz",
+      "integrity": "sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "aix"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/android-arm": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.21.5.tgz",
+      "integrity": "sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/android-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.21.5.tgz",
+      "integrity": "sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/android-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.21.5.tgz",
+      "integrity": "sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/darwin-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.21.5.tgz",
+      "integrity": "sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/darwin-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.21.5.tgz",
+      "integrity": "sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.21.5.tgz",
+      "integrity": "sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/freebsd-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.21.5.tgz",
+      "integrity": "sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-arm": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.21.5.tgz",
+      "integrity": "sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.21.5.tgz",
+      "integrity": "sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-ia32": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.21.5.tgz",
+      "integrity": "sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-loong64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.21.5.tgz",
+      "integrity": "sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-mips64el": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.21.5.tgz",
+      "integrity": "sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==",
+      "cpu": [
+        "mips64el"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-ppc64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.21.5.tgz",
+      "integrity": "sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-riscv64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.21.5.tgz",
+      "integrity": "sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-s390x": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.21.5.tgz",
+      "integrity": "sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/linux-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.21.5.tgz",
+      "integrity": "sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/netbsd-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.21.5.tgz",
+      "integrity": "sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/openbsd-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.21.5.tgz",
+      "integrity": "sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/sunos-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.21.5.tgz",
+      "integrity": "sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/win32-arm64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.21.5.tgz",
+      "integrity": "sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/win32-ia32": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.21.5.tgz",
+      "integrity": "sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@esbuild/win32-x64": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.21.5.tgz",
+      "integrity": "sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@eslint-community/eslint-utils": {
+      "version": "4.9.1",
+      "resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.9.1.tgz",
+      "integrity": "sha512-phrYmNiYppR7znFEdqgfWHXR6NCkZEK7hwWDHZUjit/2/U0r6XvkDl0SYnoM51Hq7FhCGdLDT6zxCCOY1hexsQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "eslint-visitor-keys": "^3.4.3"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      },
+      "peerDependencies": {
+        "eslint": "^6.0.0 || ^7.0.0 || >=8.0.0"
+      }
+    },
+    "node_modules/@eslint-community/regexpp": {
+      "version": "4.12.2",
+      "resolved": "https://registry.npmjs.org/@eslint-community/regexpp/-/regexpp-4.12.2.tgz",
+      "integrity": "sha512-EriSTlt5OC9/7SXkRSCAhfSxxoSUgBm33OH+IkwbdpgoqsSsUg7y3uh+IICI/Qg4BBWr3U2i39RpmycbxMq4ew==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^12.0.0 || ^14.0.0 || >=16.0.0"
+      }
+    },
+    "node_modules/@eslint/eslintrc": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.4.tgz",
+      "integrity": "sha512-269Z39MS6wVJtsoUl10L60WdkhJVdPG24Q4eZTH3nnF6lpvSShEK3wQjDX9JRWAUPvPh7COouPpU9IrqaZFvtQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ajv": "^6.12.4",
+        "debug": "^4.3.2",
+        "espree": "^9.6.0",
+        "globals": "^13.19.0",
+        "ignore": "^5.2.0",
+        "import-fresh": "^3.2.1",
+        "js-yaml": "^4.1.0",
+        "minimatch": "^3.1.2",
+        "strip-json-comments": "^3.1.1"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/@eslint/eslintrc/node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@eslint/eslintrc/node_modules/brace-expansion": {
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/@eslint/eslintrc/node_modules/ignore": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz",
+      "integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 4"
+      }
+    },
+    "node_modules/@eslint/eslintrc/node_modules/minimatch": {
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/@eslint/js": {
+      "version": "8.57.1",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.57.1.tgz",
+      "integrity": "sha512-d9zaMRSTIKDLhctzH12MtXvJKSSUhaHcjV+2Z+GK+EEY7XKpP5yR4x+N3TAcHTcu963nIr+TMcCb4DBCYX1z6Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      }
+    },
+    "node_modules/@floating-ui/core": {
+      "version": "1.7.5",
+      "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.5.tgz",
+      "integrity": "sha512-1Ih4WTWyw0+lKyFMcBHGbb5U5FtuHJuujoyyr5zTaWS5EYMeT6Jb2AuDeftsCsEuchO+mM2ij5+q9crhydzLhQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@floating-ui/utils": "^0.2.11"
+      }
+    },
+    "node_modules/@floating-ui/dom": {
+      "version": "1.7.6",
+      "resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.7.6.tgz",
+      "integrity": "sha512-9gZSAI5XM36880PPMm//9dfiEngYoC6Am2izES1FF406YFsjvyBMmeJ2g4SAju3xWwtuynNRFL2s9hgxpLI5SQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@floating-ui/core": "^1.7.5",
+        "@floating-ui/utils": "^0.2.11"
+      }
+    },
+    "node_modules/@floating-ui/react-dom": {
+      "version": "2.1.8",
+      "resolved": "https://registry.npmjs.org/@floating-ui/react-dom/-/react-dom-2.1.8.tgz",
+      "integrity": "sha512-cC52bHwM/n/CxS87FH0yWdngEZrjdtLW/qVruo68qg+prK7ZQ4YGdut2GyDVpoGeAYe/h899rVeOVm6Oi40k2A==",
+      "license": "MIT",
+      "dependencies": {
+        "@floating-ui/dom": "^1.7.6"
+      },
+      "peerDependencies": {
+        "react": ">=16.8.0",
+        "react-dom": ">=16.8.0"
+      }
+    },
+    "node_modules/@floating-ui/utils": {
+      "version": "0.2.11",
+      "resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.2.11.tgz",
+      "integrity": "sha512-RiB/yIh78pcIxl6lLMG0CgBXAZ2Y0eVHqMPYugu+9U0AeT6YBeiJpf7lbdJNIugFP5SIjwNRgo4DhR1Qxi26Gg==",
+      "license": "MIT"
+    },
+    "node_modules/@hookform/resolvers": {
+      "version": "3.10.0",
+      "resolved": "https://registry.npmjs.org/@hookform/resolvers/-/resolvers-3.10.0.tgz",
+      "integrity": "sha512-79Dv+3mDF7i+2ajj7SkypSKHhl1cbln1OGavqrsF7p6mbUv11xpqpacPsGDCTRvCSjEEIez2ef1NveSVL3b0Ag==",
+      "license": "MIT",
+      "peerDependencies": {
+        "react-hook-form": "^7.0.0"
+      }
+    },
+    "node_modules/@humanwhocodes/config-array": {
+      "version": "0.13.0",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.13.0.tgz",
+      "integrity": "sha512-DZLEEqFWQFiyK6h5YIeynKx7JlvCYWL0cImfSRXZ9l4Sg2efkFGTuFf6vzXjK1cq6IYkU+Eg/JizXw+TD2vRNw==",
+      "deprecated": "Use @eslint/config-array instead",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@humanwhocodes/object-schema": "^2.0.3",
+        "debug": "^4.3.1",
+        "minimatch": "^3.0.5"
+      },
+      "engines": {
+        "node": ">=10.10.0"
+      }
+    },
+    "node_modules/@humanwhocodes/config-array/node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@humanwhocodes/config-array/node_modules/brace-expansion": {
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/@humanwhocodes/config-array/node_modules/minimatch": {
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/@humanwhocodes/module-importer": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz",
+      "integrity": "sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=12.22"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/nzakas"
+      }
+    },
+    "node_modules/@humanwhocodes/object-schema": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.3.tgz",
+      "integrity": "sha512-93zYdMES/c1D69yZiKDBj0V24vqNzB/koF26KPaagAfd3P/4gUlh3Dys5ogAK+Exi9QyzlD8x/08Zt7wIKcDcA==",
+      "deprecated": "Use @eslint/object-schema instead",
+      "dev": true,
+      "license": "BSD-3-Clause"
+    },
+    "node_modules/@jridgewell/gen-mapping": {
+      "version": "0.3.13",
+      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
+      "integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/sourcemap-codec": "^1.5.0",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/remapping": {
+      "version": "2.3.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
+      "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/gen-mapping": "^0.3.5",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/resolve-uri": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
+      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@jridgewell/sourcemap-codec": {
+      "version": "1.5.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
+      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
+      "license": "MIT"
+    },
+    "node_modules/@jridgewell/trace-mapping": {
+      "version": "0.3.31",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz",
+      "integrity": "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/resolve-uri": "^3.1.0",
+        "@jridgewell/sourcemap-codec": "^1.4.14"
+      }
+    },
+    "node_modules/@nodelib/fs.scandir": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
+      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "license": "MIT",
+      "dependencies": {
+        "@nodelib/fs.stat": "2.0.5",
+        "run-parallel": "^1.1.9"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.stat": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
+      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.walk": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
+      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "license": "MIT",
+      "dependencies": {
+        "@nodelib/fs.scandir": "2.1.5",
+        "fastq": "^1.6.0"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@radix-ui/primitive": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/primitive/-/primitive-1.1.3.tgz",
+      "integrity": "sha512-JTF99U/6XIjCBo0wqkU5sK10glYe27MRRsfwoiq5zzOEZLHU3A3KCMa5X/azekYRCJ0HlwI0crAXS/5dEHTzDg==",
+      "license": "MIT"
+    },
+    "node_modules/@radix-ui/react-alert-dialog": {
+      "version": "1.1.15",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-alert-dialog/-/react-alert-dialog-1.1.15.tgz",
+      "integrity": "sha512-oTVLkEw5GpdRe29BqJ0LSDFWI3qu0vR1M0mUkOQWDIUnY/QIkLpgDMWuKxP94c2NAC2LGcgVhG1ImF3jkZ5wXw==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/primitive": "1.1.3",
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-context": "1.1.2",
+        "@radix-ui/react-dialog": "1.1.15",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-slot": "1.2.3"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-alert-dialog/node_modules/@radix-ui/react-slot": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz",
+      "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-arrow": {
+      "version": "1.1.7",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-arrow/-/react-arrow-1.1.7.tgz",
+      "integrity": "sha512-F+M1tLhO+mlQaOWspE8Wstg+z6PwxwRd8oQ8IXceWz92kfAmalTRf0EjrouQeo7QssEPfCn05B4Ihs1K9WQ/7w==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-primitive": "2.1.3"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-collection": {
+      "version": "1.1.7",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-collection/-/react-collection-1.1.7.tgz",
+      "integrity": "sha512-Fh9rGN0MoI4ZFUNyfFVNU4y9LUz93u9/0K+yLgA2bwRojxM8JU1DyvvMBabnZPBgMWREAJvU2jjVzq+LrFUglw==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-context": "1.1.2",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-slot": "1.2.3"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-collection/node_modules/@radix-ui/react-slot": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz",
+      "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-compose-refs": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-compose-refs/-/react-compose-refs-1.1.2.tgz",
+      "integrity": "sha512-z4eqJvfiNnFMHIIvXP3CY57y2WJs5g2v3X0zm9mEJkrkNv4rDxu+sg9Jh8EkXyeqBkB7SOcboo9dMVqhyrACIg==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-context": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-context/-/react-context-1.1.2.tgz",
+      "integrity": "sha512-jCi/QKUM2r1Ju5a3J64TH2A5SpKAgh0LpknyqdQ4m6DCV0xJ2HG1xARRwNGPQfi1SLdLWZ1OJz6F4OMBBNiGJA==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-dialog": {
+      "version": "1.1.15",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-dialog/-/react-dialog-1.1.15.tgz",
+      "integrity": "sha512-TCglVRtzlffRNxRMEyR36DGBLJpeusFcgMVD9PZEzAKnUs1lKCgX5u9BmC2Yg+LL9MgZDugFFs1Vl+Jp4t/PGw==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/primitive": "1.1.3",
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-context": "1.1.2",
+        "@radix-ui/react-dismissable-layer": "1.1.11",
+        "@radix-ui/react-focus-guards": "1.1.3",
+        "@radix-ui/react-focus-scope": "1.1.7",
+        "@radix-ui/react-id": "1.1.1",
+        "@radix-ui/react-portal": "1.1.9",
+        "@radix-ui/react-presence": "1.1.5",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-slot": "1.2.3",
+        "@radix-ui/react-use-controllable-state": "1.2.2",
+        "aria-hidden": "^1.2.4",
+        "react-remove-scroll": "^2.6.3"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-dialog/node_modules/@radix-ui/react-slot": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz",
+      "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-direction": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-direction/-/react-direction-1.1.1.tgz",
+      "integrity": "sha512-1UEWRX6jnOA2y4H5WczZ44gOOjTEmlqv1uNW4GAJEO5+bauCBhv8snY65Iw5/VOS/ghKN9gr2KjnLKxrsvoMVw==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-dismissable-layer": {
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-dismissable-layer/-/react-dismissable-layer-1.1.11.tgz",
+      "integrity": "sha512-Nqcp+t5cTB8BinFkZgXiMJniQH0PsUt2k51FUhbdfeKvc4ACcG2uQniY/8+h1Yv6Kza4Q7lD7PQV0z0oicE0Mg==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/primitive": "1.1.3",
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-use-callback-ref": "1.1.1",
+        "@radix-ui/react-use-escape-keydown": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-dropdown-menu": {
+      "version": "2.1.16",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-dropdown-menu/-/react-dropdown-menu-2.1.16.tgz",
+      "integrity": "sha512-1PLGQEynI/3OX/ftV54COn+3Sud/Mn8vALg2rWnBLnRaGtJDduNW/22XjlGgPdpcIbiQxjKtb7BkcjP00nqfJw==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/primitive": "1.1.3",
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-context": "1.1.2",
+        "@radix-ui/react-id": "1.1.1",
+        "@radix-ui/react-menu": "2.1.16",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-use-controllable-state": "1.2.2"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-focus-guards": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-focus-guards/-/react-focus-guards-1.1.3.tgz",
+      "integrity": "sha512-0rFg/Rj2Q62NCm62jZw0QX7a3sz6QCQU0LpZdNrJX8byRGaGVTqbrW9jAoIAHyMQqsNpeZ81YgSizOt5WXq0Pw==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-focus-scope": {
+      "version": "1.1.7",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-focus-scope/-/react-focus-scope-1.1.7.tgz",
+      "integrity": "sha512-t2ODlkXBQyn7jkl6TNaw/MtVEVvIGelJDCG41Okq/KwUsJBwQ4XVZsHAVUkK4mBv3ewiAS3PGuUWuY2BoK4ZUw==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-use-callback-ref": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-id": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-id/-/react-id-1.1.1.tgz",
+      "integrity": "sha512-kGkGegYIdQsOb4XjsfM97rXsiHaBwco+hFI66oO4s9LU+PLAC5oJ7khdOVFxkhsmlbpUqDAvXw11CluXP+jkHg==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-use-layout-effect": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-label": {
+      "version": "2.1.8",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-label/-/react-label-2.1.8.tgz",
+      "integrity": "sha512-FmXs37I6hSBVDlO4y764TNz1rLgKwjJMQ0EGte6F3Cb3f4bIuHB/iLa/8I9VKkmOy+gNHq8rql3j686ACVV21A==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-primitive": "2.1.4"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-label/node_modules/@radix-ui/react-primitive": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-primitive/-/react-primitive-2.1.4.tgz",
+      "integrity": "sha512-9hQc4+GNVtJAIEPEqlYqW5RiYdrr8ea5XQ0ZOnD6fgru+83kqT15mq2OCcbe8KnjRZl5vF3ks69AKz3kh1jrhg==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-slot": "1.2.4"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-menu": {
+      "version": "2.1.16",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-menu/-/react-menu-2.1.16.tgz",
+      "integrity": "sha512-72F2T+PLlphrqLcAotYPp0uJMr5SjP5SL01wfEspJbru5Zs5vQaSHb4VB3ZMJPimgHHCHG7gMOeOB9H3Hdmtxg==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/primitive": "1.1.3",
+        "@radix-ui/react-collection": "1.1.7",
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-context": "1.1.2",
+        "@radix-ui/react-direction": "1.1.1",
+        "@radix-ui/react-dismissable-layer": "1.1.11",
+        "@radix-ui/react-focus-guards": "1.1.3",
+        "@radix-ui/react-focus-scope": "1.1.7",
+        "@radix-ui/react-id": "1.1.1",
+        "@radix-ui/react-popper": "1.2.8",
+        "@radix-ui/react-portal": "1.1.9",
+        "@radix-ui/react-presence": "1.1.5",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-roving-focus": "1.1.11",
+        "@radix-ui/react-slot": "1.2.3",
+        "@radix-ui/react-use-callback-ref": "1.1.1",
+        "aria-hidden": "^1.2.4",
+        "react-remove-scroll": "^2.6.3"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-menu/node_modules/@radix-ui/react-slot": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz",
+      "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-popper": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-popper/-/react-popper-1.2.8.tgz",
+      "integrity": "sha512-0NJQ4LFFUuWkE7Oxf0htBKS6zLkkjBH+hM1uk7Ng705ReR8m/uelduy1DBo0PyBXPKVnBA6YBlU94MBGXrSBCw==",
+      "license": "MIT",
+      "dependencies": {
+        "@floating-ui/react-dom": "^2.0.0",
+        "@radix-ui/react-arrow": "1.1.7",
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-context": "1.1.2",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-use-callback-ref": "1.1.1",
+        "@radix-ui/react-use-layout-effect": "1.1.1",
+        "@radix-ui/react-use-rect": "1.1.1",
+        "@radix-ui/react-use-size": "1.1.1",
+        "@radix-ui/rect": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-portal": {
+      "version": "1.1.9",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-portal/-/react-portal-1.1.9.tgz",
+      "integrity": "sha512-bpIxvq03if6UNwXZ+HTK71JLh4APvnXntDc6XOX8UVq4XQOVl7lwok0AvIl+b8zgCw3fSaVTZMpAPPagXbKmHQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-use-layout-effect": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-presence": {
+      "version": "1.1.5",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-presence/-/react-presence-1.1.5.tgz",
+      "integrity": "sha512-/jfEwNDdQVBCNvjkGit4h6pMOzq8bHkopq458dPt2lMjx+eBQUohZNG9A7DtO/O5ukSbxuaNGXMjHicgwy6rQQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-use-layout-effect": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-primitive": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-primitive/-/react-primitive-2.1.3.tgz",
+      "integrity": "sha512-m9gTwRkhy2lvCPe6QJp4d3G1TYEUHn/FzJUtq9MjH46an1wJU+GdoGC5VLof8RX8Ft/DlpshApkhswDLZzHIcQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-slot": "1.2.3"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-primitive/node_modules/@radix-ui/react-slot": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz",
+      "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-roving-focus": {
+      "version": "1.1.11",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-roving-focus/-/react-roving-focus-1.1.11.tgz",
+      "integrity": "sha512-7A6S9jSgm/S+7MdtNDSb+IU859vQqJ/QAtcYQcfFC6W8RS4IxIZDldLR0xqCFZ6DCyrQLjLPsxtTNch5jVA4lA==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/primitive": "1.1.3",
+        "@radix-ui/react-collection": "1.1.7",
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-context": "1.1.2",
+        "@radix-ui/react-direction": "1.1.1",
+        "@radix-ui/react-id": "1.1.1",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-use-callback-ref": "1.1.1",
+        "@radix-ui/react-use-controllable-state": "1.2.2"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-separator": {
+      "version": "1.1.8",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-separator/-/react-separator-1.1.8.tgz",
+      "integrity": "sha512-sDvqVY4itsKwwSMEe0jtKgfTh+72Sy3gPmQpjqcQneqQ4PFmr/1I0YA+2/puilhggCe2gJcx5EBAYFkWkdpa5g==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-primitive": "2.1.4"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-separator/node_modules/@radix-ui/react-primitive": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-primitive/-/react-primitive-2.1.4.tgz",
+      "integrity": "sha512-9hQc4+GNVtJAIEPEqlYqW5RiYdrr8ea5XQ0ZOnD6fgru+83kqT15mq2OCcbe8KnjRZl5vF3ks69AKz3kh1jrhg==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-slot": "1.2.4"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-slot": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.4.tgz",
+      "integrity": "sha512-Jl+bCv8HxKnlTLVrcDE8zTMJ09R9/ukw4qBs/oZClOfoQk/cOTbDn+NceXfV7j09YPVQUryJPHurafcSg6EVKA==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-use-callback-ref": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-use-callback-ref/-/react-use-callback-ref-1.1.1.tgz",
+      "integrity": "sha512-FkBMwD+qbGQeMu1cOHnuGB6x4yzPjho8ap5WtbEJ26umhgqVXbhekKUQO+hZEL1vU92a3wHwdp0HAcqAUF5iDg==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-use-controllable-state": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-use-controllable-state/-/react-use-controllable-state-1.2.2.tgz",
+      "integrity": "sha512-BjasUjixPFdS+NKkypcyyN5Pmg83Olst0+c6vGov0diwTEo6mgdqVR6hxcEgFuh4QrAs7Rc+9KuGJ9TVCj0Zzg==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-use-effect-event": "0.0.2",
+        "@radix-ui/react-use-layout-effect": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-use-effect-event": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-use-effect-event/-/react-use-effect-event-0.0.2.tgz",
+      "integrity": "sha512-Qp8WbZOBe+blgpuUT+lw2xheLP8q0oatc9UpmiemEICxGvFLYmHm9QowVZGHtJlGbS6A6yJ3iViad/2cVjnOiA==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-use-layout-effect": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-use-escape-keydown": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-use-escape-keydown/-/react-use-escape-keydown-1.1.1.tgz",
+      "integrity": "sha512-Il0+boE7w/XebUHyBjroE+DbByORGR9KKmITzbR7MyQ4akpORYP/ZmbhAr0DG7RmmBqoOnZdy2QlvajJ2QA59g==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-use-callback-ref": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-use-layout-effect": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-use-layout-effect/-/react-use-layout-effect-1.1.1.tgz",
+      "integrity": "sha512-RbJRS4UWQFkzHTTwVymMTUv8EqYhOp8dOOviLj2ugtTiXRaRQS7GLGxZTLL1jWhMeoSCf5zmcZkqTl9IiYfXcQ==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-use-rect": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-use-rect/-/react-use-rect-1.1.1.tgz",
+      "integrity": "sha512-QTYuDesS0VtuHNNvMh+CjlKJ4LJickCMUAqjlE3+j8w+RlRpwyX3apEQKGFzbZGdo7XNG1tXa+bQqIE7HIXT2w==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/rect": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-use-size": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-use-size/-/react-use-size-1.1.1.tgz",
+      "integrity": "sha512-ewrXRDTAqAXlkl6t/fkXWNAhFX9I+CkKlw6zjEwk86RSPKwZr3xpBRso655aqYafwtnbpHLj6toFzmd6xdVptQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@radix-ui/react-use-layout-effect": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/rect": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@radix-ui/rect/-/rect-1.1.1.tgz",
+      "integrity": "sha512-HPwpGIzkl28mWyZqG52jiqDJ12waP11Pa1lGoiyUkIEuMLBP0oeK/C89esbXrxsky5we7dfd8U58nm0SgAWpVw==",
+      "license": "MIT"
+    },
+    "node_modules/@remix-run/router": {
+      "version": "1.23.2",
+      "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.23.2.tgz",
+      "integrity": "sha512-Ic6m2U/rMjTkhERIa/0ZtXJP17QUi2CbWE7cqx4J58M8aA3QTfW+2UlQ4psvTX9IO1RfNVhK3pcpdjej7L+t2w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@rolldown/pluginutils": {
+      "version": "1.0.0-beta.27",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-beta.27.tgz",
+      "integrity": "sha512-+d0F4MKMCbeVUJwG96uQ4SgAznZNSq93I3V+9NHA4OpvqG8mRCpGdKmK8l/dl02h2CCDHwW2FqilnTyDcAnqjA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@rollup/rollup-android-arm-eabi": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.60.3.tgz",
+      "integrity": "sha512-x35CNW/ANXG3hE/EZpRU8MXX1JDN86hBb2wMGAtltkz7pc6cxgjpy1OMMfDosOQ+2hWqIkag/fGok1Yady9nGw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ]
+    },
+    "node_modules/@rollup/rollup-android-arm64": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.60.3.tgz",
+      "integrity": "sha512-xw3xtkDApIOGayehp2+Rz4zimfkaX65r4t47iy+ymQB2G4iJCBBfj0ogVg5jpvjpn8UWn/+q9tprxleYeNp3Hw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ]
+    },
+    "node_modules/@rollup/rollup-darwin-arm64": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.60.3.tgz",
+      "integrity": "sha512-vo6Y5Qfpx7/5EaamIwi0WqW2+zfiusVihKatLvtN1VFVy3D13uERk/6gZLU1UiHRL6fDXqj/ELIeVRGnvcTE1g==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/@rollup/rollup-darwin-x64": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.60.3.tgz",
+      "integrity": "sha512-D+0QGcZhBzTN82weOnsSlY7V7+RMmPuF1CkbxyMAGE8+ZHeUjyb76ZiWmBlCu//AQQONvxcqRbwZTajZKqjuOw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/@rollup/rollup-freebsd-arm64": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.60.3.tgz",
+      "integrity": "sha512-6HnvHCT7fDyj6R0Ph7A6x8dQS/S38MClRWeDLqc0MdfWkxjiu1HSDYrdPhqSILzjTIC/pnXbbJbo+ft+gy/9hQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-freebsd-x64": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.60.3.tgz",
+      "integrity": "sha512-KHLgC3WKlUYW3ShFKnnosZDOJ0xjg9zp7au3sIm2bs/tGBeC2ipmvRh/N7JKi0t9Ue20C0dpEshi8WUubg+cnA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.60.3.tgz",
+      "integrity": "sha512-DV6fJoxEYWJOvaZIsok7KrYl0tPvga5OZ2yvKHNNYyk/2roMLqQAbGhr78EQ5YhHpnhLKJD3S1WFusAkmUuV5g==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.60.3.tgz",
+      "integrity": "sha512-mQKoJAzvuOs6F+TZybQO4GOTSMUu7v0WdxEk24krQ/uUxXoPTtHjuaUuPmFhtBcM4K0ons8nrE3JyhTuCFtT/w==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm64-gnu": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.60.3.tgz",
+      "integrity": "sha512-Whjj2qoiJ6+OOJMGptTYazaJvjOJm+iKHpXQM1P3LzGjt7Ff++Tp7nH4N8J/BUA7R9IHfDyx4DJIflifwnbmIA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-arm64-musl": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.60.3.tgz",
+      "integrity": "sha512-4YTNHKqGng5+yiZt3mg77nmyuCfmNfX4fPmyUapBcIk+BdwSwmCWGXOUxhXbBEkFHtoN5boLj/5NON+u5QC9tg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-loong64-gnu": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.60.3.tgz",
+      "integrity": "sha512-SU3kNlhkpI4UqlUc2VXPGK9o886ZsSeGfMAX2ba2b8DKmMXq4AL7KUrkSWVbb7koVqx41Yczx6dx5PNargIrEA==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-loong64-musl": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.60.3.tgz",
+      "integrity": "sha512-6lDLl5h4TXpB1mTf2rQWnAk/LcXrx9vBfu/DT5TIPhvMhRWaZ5MxkIc8u4lJAmBo6klTe1ywXIUHFjylW505sg==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-ppc64-gnu": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.60.3.tgz",
+      "integrity": "sha512-BMo8bOw8evlup/8G+cj5xWtPyp93xPdyoSN16Zy90Q2QZ0ZYRhCt6ZJSwbrRzG9HApFabjwj2p25TUPDWrhzqQ==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-ppc64-musl": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.60.3.tgz",
+      "integrity": "sha512-E0L8X1dZN1/Rph+5VPF6Xj2G7JJvMACVXtamTJIDrVI44Y3K+G8gQaMEAavbqCGTa16InptiVrX6eM6pmJ+7qA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.60.3.tgz",
+      "integrity": "sha512-oZJ/WHaVfHUiRAtmTAeo3DcevNsVvH8mbvodjZy7D5QKvCefO371SiKRpxoDcCxB3PTRTLayWBkvmDQKTcX/sw==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-riscv64-musl": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.60.3.tgz",
+      "integrity": "sha512-Dhbyh7j9FybM3YaTgaHmVALwA8AkUwTPccyCQ79TG9AJUsMQqgN1DDEZNr4+QUfwiWvLDumW5vdwzoeUF+TNxQ==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-s390x-gnu": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.60.3.tgz",
+      "integrity": "sha512-cJd1X5XhHHlltkaypz1UcWLA8AcoIi1aWhsvaWDskD1oz2eKCypnqvTQ8ykMNI0RSmm7NkTdSqSSD7zM0xa6Ig==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-x64-gnu": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.60.3.tgz",
+      "integrity": "sha512-DAZDBHQfG2oQuhY7mc6I3/qB4LU2fQCjRvxbDwd/Jdvb9fypP4IJ4qmtu6lNjes6B531AI8cg1aKC2di97bUxA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-linux-x64-musl": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.60.3.tgz",
+      "integrity": "sha512-cRxsE8c13mZOh3vP+wLDxpQBRrOHDIGOWyDL93Sy0Ga8y515fBcC2pjUfFwUe5T7tqvTvWbCpg1URM/AXdWIXA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/@rollup/rollup-openbsd-x64": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.60.3.tgz",
+      "integrity": "sha512-QaWcIgRxqEdQdhJqW4DJctsH6HCmo5vHxY0krHSX4jMtOqfzC+dqDGuHM87bu4H8JBeibWx7jFz+h6/4C8wA5Q==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ]
+    },
+    "node_modules/@rollup/rollup-openharmony-arm64": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.60.3.tgz",
+      "integrity": "sha512-AaXwSvUi3QIPtroAUw1t5yHGIyqKEXwH54WUocFolZhpGDruJcs8c+xPNDRn4XiQsS7MEwnYsHW2l0MBLDMkWg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-arm64-msvc": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.60.3.tgz",
+      "integrity": "sha512-65LAKM/bAWDqKNEelHlcHvm2V+Vfb8C6INFxQXRHCvaVN1rJfwr4NvdP4FyzUaLqWfaCGaadf6UbTm8xJeYfEg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-ia32-msvc": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.60.3.tgz",
+      "integrity": "sha512-EEM2gyhBF5MFnI6vMKdX1LAosE627RGBzIoGMdLloPZkXrUN0Ckqgr2Qi8+J3zip/8NVVro3/FjB+tjhZUgUHA==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-x64-gnu": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.60.3.tgz",
+      "integrity": "sha512-E5Eb5H/DpxaoXH++Qkv28RcUJboMopmdDUALBczvHMf7hNIxaDZqwY5lK12UK1BHacSmvupoEWGu+n993Z0y1A==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@rollup/rollup-win32-x64-msvc": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.60.3.tgz",
+      "integrity": "sha512-hPt/bgL5cE+Qp+/TPHBqptcAgPzgj46mPcg/16zNUmbQk0j+mOEQV/+Lqu8QRtDV3Ek95Q6FeFITpuhl6OTsAA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/@tanstack/query-core": {
+      "version": "5.100.9",
+      "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.100.9.tgz",
+      "integrity": "sha512-SJSFw1S8+kQ0+knv/XGfrbocWoAlT7vDKsSImtLx3ZPQmEcR46hkDjLSvynSy25N8Ms4tIEini1FuBd5k7IscQ==",
+      "license": "MIT",
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/tannerlinsley"
+      }
+    },
+    "node_modules/@tanstack/react-query": {
+      "version": "5.100.9",
+      "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.100.9.tgz",
+      "integrity": "sha512-Oa44XkaI3kCNN6ME0KByU3xT3SEUNOMfZpHxL6+wFoTm+OeUFYHKdeYVe0aOXlRDm/f15sgLwEt2HDorIdW8+A==",
+      "license": "MIT",
+      "dependencies": {
+        "@tanstack/query-core": "5.100.9"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/tannerlinsley"
+      },
+      "peerDependencies": {
+        "react": "^18 || ^19"
+      }
+    },
+    "node_modules/@types/babel__core": {
+      "version": "7.20.5",
+      "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.20.5.tgz",
+      "integrity": "sha512-qoQprZvz5wQFJwMDqeseRXWv3rqMvhgpbXFfVyWhbx9X47POIA6i/+dXefEmZKoAgOaTdaIgNSMqMIU61yRyzA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.20.7",
+        "@babel/types": "^7.20.7",
+        "@types/babel__generator": "*",
+        "@types/babel__template": "*",
+        "@types/babel__traverse": "*"
+      }
+    },
+    "node_modules/@types/babel__generator": {
+      "version": "7.27.0",
+      "resolved": "https://registry.npmjs.org/@types/babel__generator/-/babel__generator-7.27.0.tgz",
+      "integrity": "sha512-ufFd2Xi92OAVPYsy+P4n7/U7e68fex0+Ee8gSG9KX7eo084CWiQ4sdxktvdl0bOPupXtVJPY19zk6EwWqUQ8lg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.0.0"
+      }
+    },
+    "node_modules/@types/babel__template": {
+      "version": "7.4.4",
+      "resolved": "https://registry.npmjs.org/@types/babel__template/-/babel__template-7.4.4.tgz",
+      "integrity": "sha512-h/NUaSyG5EyxBIp8YRxo4RMe2/qQgvyowRwVMzhYhBCONbW8PUsg4lkFMrhgZhUe5z3L3MiLDuvyJ/CaPa2A8A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.1.0",
+        "@babel/types": "^7.0.0"
+      }
+    },
+    "node_modules/@types/babel__traverse": {
+      "version": "7.28.0",
+      "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.28.0.tgz",
+      "integrity": "sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.28.2"
+      }
+    },
+    "node_modules/@types/estree": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
+      "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/node": {
+      "version": "22.19.18",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.19.18.tgz",
+      "integrity": "sha512-9v00a+dn2yWVsYDEunWC4g/TcRKVq3r8N5FuZp7u0SGrPvdN9c2yXI9bBuf5Fl0hNCb+QTIePTn5pJs2pwBOQQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "undici-types": "~6.21.0"
+      }
+    },
+    "node_modules/@types/prop-types": {
+      "version": "15.7.15",
+      "resolved": "https://registry.npmjs.org/@types/prop-types/-/prop-types-15.7.15.tgz",
+      "integrity": "sha512-F6bEyamV9jKGAFBEmlQnesRPGOQqS2+Uwi0Em15xenOxHaf2hv6L8YCVn3rPdPJOiJfPiCnLIRyvwVaqMY3MIw==",
+      "devOptional": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/react": {
+      "version": "18.3.28",
+      "resolved": "https://registry.npmjs.org/@types/react/-/react-18.3.28.tgz",
+      "integrity": "sha512-z9VXpC7MWrhfWipitjNdgCauoMLRdIILQsAEV+ZesIzBq/oUlxk0m3ApZuMFCXdnS4U7KrI+l3WRUEGQ8K1QKw==",
+      "devOptional": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/prop-types": "*",
+        "csstype": "^3.2.2"
+      }
+    },
+    "node_modules/@types/react-dom": {
+      "version": "18.3.7",
+      "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-18.3.7.tgz",
+      "integrity": "sha512-MEe3UeoENYVFXzoXEWsvcpg6ZvlrFNlOQ7EOsvhI3CfAXwzPfO8Qwuxd40nepsYKqyyVQnTdEfv68q91yLcKrQ==",
+      "devOptional": true,
+      "license": "MIT",
+      "peerDependencies": {
+        "@types/react": "^18.0.0"
+      }
+    },
+    "node_modules/@typescript-eslint/eslint-plugin": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.2.tgz",
+      "integrity": "sha512-j/bwmkBvHUtPNxzuWe5z6BEk3q54YRyGlBXkSsmfoih7zNrBvl5A9A98anlp/7JbyZcWIJ8KXo/3Tq/DjFLtuQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@eslint-community/regexpp": "^4.12.2",
+        "@typescript-eslint/scope-manager": "8.59.2",
+        "@typescript-eslint/type-utils": "8.59.2",
+        "@typescript-eslint/utils": "8.59.2",
+        "@typescript-eslint/visitor-keys": "8.59.2",
+        "ignore": "^7.0.5",
+        "natural-compare": "^1.4.0",
+        "ts-api-utils": "^2.5.0"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "@typescript-eslint/parser": "^8.59.2",
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
+        "typescript": ">=4.8.4 <6.1.0"
+      }
+    },
+    "node_modules/@typescript-eslint/parser": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.59.2.tgz",
+      "integrity": "sha512-plR3pp6D+SSUn1HM7xvSkx12/DhoHInI2YF35KAcVFNZvlC0gtrWqx7Qq1oH2Ssgi0vlFRCTbP+DZc7B9+TtsQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@typescript-eslint/scope-manager": "8.59.2",
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/typescript-estree": "8.59.2",
+        "@typescript-eslint/visitor-keys": "8.59.2",
+        "debug": "^4.4.3"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
+        "typescript": ">=4.8.4 <6.1.0"
+      }
+    },
+    "node_modules/@typescript-eslint/project-service": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.59.2.tgz",
+      "integrity": "sha512-+2hqvEkeyf/0FBor67duF0Ll7Ot8jyKzDQOSrxazF/danillRq2DwR9dLptsXpoZQqxE1UisSmoZewrlPas9Vw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@typescript-eslint/tsconfig-utils": "^8.59.2",
+        "@typescript-eslint/types": "^8.59.2",
+        "debug": "^4.4.3"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "typescript": ">=4.8.4 <6.1.0"
+      }
+    },
+    "node_modules/@typescript-eslint/scope-manager": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.59.2.tgz",
+      "integrity": "sha512-JzfyEpEtOU89CcFSwyNS3mu4MLvLSXqnmX05+aKBDM+TdR5jzcGOEBwxwGNxrEQ7p/z6kK2WyioCGBf2zZBnvg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/visitor-keys": "8.59.2"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      }
+    },
+    "node_modules/@typescript-eslint/tsconfig-utils": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.59.2.tgz",
+      "integrity": "sha512-BKK4alN7oi4C/zv4VqHQ+uRU+lTa6JGIZ7s1juw7b3RHo9OfKB+bKX3u0iVZetdsUCBBkSbdWbarJbmN0fTeSw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "typescript": ">=4.8.4 <6.1.0"
+      }
+    },
+    "node_modules/@typescript-eslint/type-utils": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.59.2.tgz",
+      "integrity": "sha512-nhqaj1nmTdVVl/BP5omXNRGO38jn5iosis2vbdmupF2txCf8ylWT8lx+JlvMYYVqzGVKtjojUFoQ3JRWK+mfzQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/typescript-estree": "8.59.2",
+        "@typescript-eslint/utils": "8.59.2",
+        "debug": "^4.4.3",
+        "ts-api-utils": "^2.5.0"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
+        "typescript": ">=4.8.4 <6.1.0"
+      }
+    },
+    "node_modules/@typescript-eslint/types": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.59.2.tgz",
+      "integrity": "sha512-e82GVOE8Ps3E++Egvb6Y3Dw0S10u8NkQ9KXmtRhCWJJ8kDhOJTvtMAWnFL16kB1583goCWXsr0NieKCZMs2/0Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      }
+    },
+    "node_modules/@typescript-eslint/typescript-estree": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.59.2.tgz",
+      "integrity": "sha512-o0XPGNwcWw+FIwStOWn+BwBuEmL6QXP0rsvAFg7ET1dey1Nr6Wb1ac8p5HEsK0ygO/6mUxlk+YWQD9xcb/nnXg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@typescript-eslint/project-service": "8.59.2",
+        "@typescript-eslint/tsconfig-utils": "8.59.2",
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/visitor-keys": "8.59.2",
+        "debug": "^4.4.3",
+        "minimatch": "^10.2.2",
+        "semver": "^7.7.3",
+        "tinyglobby": "^0.2.15",
+        "ts-api-utils": "^2.5.0"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "typescript": ">=4.8.4 <6.1.0"
+      }
+    },
+    "node_modules/@typescript-eslint/utils": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.59.2.tgz",
+      "integrity": "sha512-Juw3EinkXqjaffxz6roowvV7GZT/kET5vSKKZT6upl5TXdWkLkYmNPXwDDL2Vkt2DPn0nODIS4egC/0AGxKo/Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@eslint-community/eslint-utils": "^4.9.1",
+        "@typescript-eslint/scope-manager": "8.59.2",
+        "@typescript-eslint/types": "8.59.2",
+        "@typescript-eslint/typescript-estree": "8.59.2"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      },
+      "peerDependencies": {
+        "eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
+        "typescript": ">=4.8.4 <6.1.0"
+      }
+    },
+    "node_modules/@typescript-eslint/visitor-keys": {
+      "version": "8.59.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.59.2.tgz",
+      "integrity": "sha512-NwjLUnGy8/Zfx23fl50tRC8rYaYnM52xNRYFAXvmiil9yh1+K6aRVQMnzW6gQB/1DLgWt977lYQn7C+wtgXZiA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@typescript-eslint/types": "8.59.2",
+        "eslint-visitor-keys": "^5.0.0"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/typescript-eslint"
+      }
+    },
+    "node_modules/@typescript-eslint/visitor-keys/node_modules/eslint-visitor-keys": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-5.0.1.tgz",
+      "integrity": "sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || >=24"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/@ungap/structured-clone": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.3.1.tgz",
+      "integrity": "sha512-mUFwbeTqrVgDQxFveS+df2yfap6iuP20NAKAsBt5jDEoOTDew+zwLAOilHCeQJOVSvmgCX4ogqIrA0mnyr08yQ==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/@vitejs/plugin-react": {
+      "version": "4.7.0",
+      "resolved": "https://registry.npmjs.org/@vitejs/plugin-react/-/plugin-react-4.7.0.tgz",
+      "integrity": "sha512-gUu9hwfWvvEDBBmgtAowQCojwZmJ5mcLn3aufeCsitijs3+f2NsrPtlAWIR6OPiqljl96GVCUbLe0HyqIpVaoA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/core": "^7.28.0",
+        "@babel/plugin-transform-react-jsx-self": "^7.27.1",
+        "@babel/plugin-transform-react-jsx-source": "^7.27.1",
+        "@rolldown/pluginutils": "1.0.0-beta.27",
+        "@types/babel__core": "^7.20.5",
+        "react-refresh": "^0.17.0"
+      },
+      "engines": {
+        "node": "^14.18.0 || >=16.0.0"
+      },
+      "peerDependencies": {
+        "vite": "^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0"
+      }
+    },
+    "node_modules/@xterm/addon-fit": {
+      "version": "0.10.0",
+      "resolved": "https://registry.npmjs.org/@xterm/addon-fit/-/addon-fit-0.10.0.tgz",
+      "integrity": "sha512-UFYkDm4HUahf2lnEyHvio51TNGiLK66mqP2JoATy7hRZeXaGMRDr00JiSF7m63vR5WKATF605yEggJKsw0JpMQ==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@xterm/xterm": "^5.0.0"
+      }
+    },
+    "node_modules/@xterm/addon-web-links": {
+      "version": "0.11.0",
+      "resolved": "https://registry.npmjs.org/@xterm/addon-web-links/-/addon-web-links-0.11.0.tgz",
+      "integrity": "sha512-nIHQ38pQI+a5kXnRaTgwqSHnX7KE6+4SVoceompgHL26unAxdfP6IPqUTSYPQgSwM56hsElfoNrrW5V7BUED/Q==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@xterm/xterm": "^5.0.0"
+      }
+    },
+    "node_modules/@xterm/xterm": {
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz",
+      "integrity": "sha512-hqJHYaQb5OptNunnyAnkHyM8aCjZ1MEIDTQu1iIbbTD/xops91NB5yq1ZK/dC2JDbVWtF23zUtl9JE2NqwT87A==",
+      "license": "MIT"
+    },
+    "node_modules/acorn": {
+      "version": "8.16.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
+      "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "acorn": "bin/acorn"
+      },
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
+    "node_modules/acorn-jsx": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz",
+      "integrity": "sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==",
+      "dev": true,
+      "license": "MIT",
+      "peerDependencies": {
+        "acorn": "^6.0.0 || ^7.0.0 || ^8.0.0"
+      }
+    },
+    "node_modules/ajv": {
+      "version": "6.15.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.15.0.tgz",
+      "integrity": "sha512-fgFx7Hfoq60ytK2c7DhnF8jIvzYgOMxfugjLOSMHjLIPgenqa7S7oaagATUq99mV6IYvN2tRmC0wnTYX6iPbMw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "fast-deep-equal": "^3.1.1",
+        "fast-json-stable-stringify": "^2.0.0",
+        "json-schema-traverse": "^0.4.1",
+        "uri-js": "^4.2.2"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/epoberezkin"
+      }
+    },
+    "node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/any-promise": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/any-promise/-/any-promise-1.3.0.tgz",
+      "integrity": "sha512-7UvmKalWRt1wgjL1RrGxoSJW/0QZFIegpeGvZG9kjp8vrRu55XTHbwnqq2GpXm9uLbcuhxm3IqX9OB4MZR1b2A==",
+      "license": "MIT"
+    },
+    "node_modules/anymatch": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
+      "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==",
+      "license": "ISC",
+      "dependencies": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/arg": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.2.tgz",
+      "integrity": "sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==",
+      "license": "MIT"
+    },
+    "node_modules/argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
+      "dev": true,
+      "license": "Python-2.0"
+    },
+    "node_modules/aria-hidden": {
+      "version": "1.2.6",
+      "resolved": "https://registry.npmjs.org/aria-hidden/-/aria-hidden-1.2.6.tgz",
+      "integrity": "sha512-ik3ZgC9dY/lYVVM++OISsaYDeg1tb0VtP5uL3ouh1koGOaUMDPpbFIei4JkFimWUFPn90sbMNMXQAIVOlnYKJA==",
+      "license": "MIT",
+      "dependencies": {
+        "tslib": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/autoprefixer": {
+      "version": "10.5.0",
+      "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.5.0.tgz",
+      "integrity": "sha512-FMhOoZV4+qR6aTUALKX2rEqGG+oyATvwBt9IIzVR5rMa2HRWPkxf+P+PAJLD1I/H5/II+HuZcBJYEFBpq39ong==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/autoprefixer"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "browserslist": "^4.28.2",
+        "caniuse-lite": "^1.0.30001787",
+        "fraction.js": "^5.3.4",
+        "picocolors": "^1.1.1",
+        "postcss-value-parser": "^4.2.0"
+      },
+      "bin": {
+        "autoprefixer": "bin/autoprefixer"
+      },
+      "engines": {
+        "node": "^10 || ^12 || >=14"
+      },
+      "peerDependencies": {
+        "postcss": "^8.1.0"
+      }
+    },
+    "node_modules/balanced-match": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
+      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "18 || 20 || >=22"
+      }
+    },
+    "node_modules/baseline-browser-mapping": {
+      "version": "2.10.29",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.29.tgz",
+      "integrity": "sha512-Asa2krT+XTPZINCS+2QcyS8WTkObE77RwkydwF7h6DmnKqbvlalz93m/dnphUyCa6SWSP51VgtEUf2FN+gelFQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "baseline-browser-mapping": "dist/cli.cjs"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/binary-extensions": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
+      "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/brace-expansion": {
+      "version": "5.0.6",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+      "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^4.0.2"
+      },
+      "engines": {
+        "node": "18 || 20 || >=22"
+      }
+    },
+    "node_modules/braces": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
+      "license": "MIT",
+      "dependencies": {
+        "fill-range": "^7.1.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/browserslist": {
+      "version": "4.28.2",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.2.tgz",
+      "integrity": "sha512-48xSriZYYg+8qXna9kwqjIVzuQxi+KYWp2+5nCYnYKPTr0LvD89Jqk2Or5ogxz0NUMfIjhh2lIUX/LyX9B4oIg==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "baseline-browser-mapping": "^2.10.12",
+        "caniuse-lite": "^1.0.30001782",
+        "electron-to-chromium": "^1.5.328",
+        "node-releases": "^2.0.36",
+        "update-browserslist-db": "^1.2.3"
+      },
+      "bin": {
+        "browserslist": "cli.js"
+      },
+      "engines": {
+        "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
+      }
+    },
+    "node_modules/callsites": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
+      "integrity": "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/camelcase-css": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/camelcase-css/-/camelcase-css-2.0.1.tgz",
+      "integrity": "sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/caniuse-lite": {
+      "version": "1.0.30001792",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001792.tgz",
+      "integrity": "sha512-hVLMUZFgR4JJ6ACt1uEESvQN1/dBVqPAKY0hgrV70eN3391K6juAfTjKZLKvOMsx8PxA7gsY1/tLMMTcfFLLpw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/caniuse-lite"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "CC-BY-4.0"
+    },
+    "node_modules/chalk": {
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
+      "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-styles": "^4.1.0",
+        "supports-color": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/chalk?sponsor=1"
+      }
+    },
+    "node_modules/chokidar": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
+      "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==",
+      "license": "MIT",
+      "dependencies": {
+        "anymatch": "~3.1.2",
+        "braces": "~3.0.2",
+        "glob-parent": "~5.1.2",
+        "is-binary-path": "~2.1.0",
+        "is-glob": "~4.0.1",
+        "normalize-path": "~3.0.0",
+        "readdirp": "~3.6.0"
+      },
+      "engines": {
+        "node": ">= 8.10.0"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.2"
+      }
+    },
+    "node_modules/chokidar/node_modules/glob-parent": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "license": "ISC",
+      "dependencies": {
+        "is-glob": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/class-variance-authority": {
+      "version": "0.7.1",
+      "resolved": "https://registry.npmjs.org/class-variance-authority/-/class-variance-authority-0.7.1.tgz",
+      "integrity": "sha512-Ka+9Trutv7G8M6WT6SeiRWz792K5qEqIGEGzXKhAE6xOWAY6pPH8U+9IY3oCMv6kqTmLsv7Xh/2w2RigkePMsg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "clsx": "^2.1.1"
+      },
+      "funding": {
+        "url": "https://polar.sh/cva"
+      }
+    },
+    "node_modules/clsx": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/clsx/-/clsx-2.1.1.tgz",
+      "integrity": "sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/commander": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-4.1.1.tgz",
+      "integrity": "sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/concat-map": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+      "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/convert-source-map": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
+      "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/cross-spawn": {
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "path-key": "^3.1.0",
+        "shebang-command": "^2.0.0",
+        "which": "^2.0.1"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/cssesc": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz",
+      "integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==",
+      "license": "MIT",
+      "bin": {
+        "cssesc": "bin/cssesc"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/csstype": {
+      "version": "3.2.3",
+      "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
+      "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==",
+      "devOptional": true,
+      "license": "MIT"
+    },
+    "node_modules/debug": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/deep-is": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz",
+      "integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/detect-node-es": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/detect-node-es/-/detect-node-es-1.1.0.tgz",
+      "integrity": "sha512-ypdmJU/TbBby2Dxibuv7ZLW3Bs1QEmM7nHjEANfohJLvE0XVujisn1qPJcZxg+qDucsr+bP6fLD1rPS3AhJ7EQ==",
+      "license": "MIT"
+    },
+    "node_modules/didyoumean": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/didyoumean/-/didyoumean-1.2.2.tgz",
+      "integrity": "sha512-gxtyfqMg7GKyhQmb056K7M3xszy/myH8w+B4RT+QXBQsvAOdc3XymqDDPHx1BgPgsdAA5SIifona89YtRATDzw==",
+      "license": "Apache-2.0"
+    },
+    "node_modules/dlv": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/dlv/-/dlv-1.1.3.tgz",
+      "integrity": "sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==",
+      "license": "MIT"
+    },
+    "node_modules/doctrine": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/doctrine/-/doctrine-3.0.0.tgz",
+      "integrity": "sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "esutils": "^2.0.2"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/electron-to-chromium": {
+      "version": "1.5.353",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.353.tgz",
+      "integrity": "sha512-kOrWphBi8TOZyiJZqsgqIle0lw+tzmnQK83pV9dZUd01Nm2POECSyFQMAuarzZdYqQW7FH9RaYOuaRo3h+bQ3w==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/esbuild": {
+      "version": "0.21.5",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz",
+      "integrity": "sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "esbuild": "bin/esbuild"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "optionalDependencies": {
+        "@esbuild/aix-ppc64": "0.21.5",
+        "@esbuild/android-arm": "0.21.5",
+        "@esbuild/android-arm64": "0.21.5",
+        "@esbuild/android-x64": "0.21.5",
+        "@esbuild/darwin-arm64": "0.21.5",
+        "@esbuild/darwin-x64": "0.21.5",
+        "@esbuild/freebsd-arm64": "0.21.5",
+        "@esbuild/freebsd-x64": "0.21.5",
+        "@esbuild/linux-arm": "0.21.5",
+        "@esbuild/linux-arm64": "0.21.5",
+        "@esbuild/linux-ia32": "0.21.5",
+        "@esbuild/linux-loong64": "0.21.5",
+        "@esbuild/linux-mips64el": "0.21.5",
+        "@esbuild/linux-ppc64": "0.21.5",
+        "@esbuild/linux-riscv64": "0.21.5",
+        "@esbuild/linux-s390x": "0.21.5",
+        "@esbuild/linux-x64": "0.21.5",
+        "@esbuild/netbsd-x64": "0.21.5",
+        "@esbuild/openbsd-x64": "0.21.5",
+        "@esbuild/sunos-x64": "0.21.5",
+        "@esbuild/win32-arm64": "0.21.5",
+        "@esbuild/win32-ia32": "0.21.5",
+        "@esbuild/win32-x64": "0.21.5"
+      }
+    },
+    "node_modules/escalade": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz",
+      "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/escape-string-regexp": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz",
+      "integrity": "sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/eslint": {
+      "version": "8.57.1",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.57.1.tgz",
+      "integrity": "sha512-ypowyDxpVSYpkXr9WPv2PAZCtNip1Mv5KTW0SCurXv/9iOpcrH9PaqUElksqEB6pChqHGDRCFTyrZlGhnLNGiA==",
+      "deprecated": "This version is no longer supported. Please see https://eslint.org/version-support for other options.",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@eslint-community/eslint-utils": "^4.2.0",
+        "@eslint-community/regexpp": "^4.6.1",
+        "@eslint/eslintrc": "^2.1.4",
+        "@eslint/js": "8.57.1",
+        "@humanwhocodes/config-array": "^0.13.0",
+        "@humanwhocodes/module-importer": "^1.0.1",
+        "@nodelib/fs.walk": "^1.2.8",
+        "@ungap/structured-clone": "^1.2.0",
+        "ajv": "^6.12.4",
+        "chalk": "^4.0.0",
+        "cross-spawn": "^7.0.2",
+        "debug": "^4.3.2",
+        "doctrine": "^3.0.0",
+        "escape-string-regexp": "^4.0.0",
+        "eslint-scope": "^7.2.2",
+        "eslint-visitor-keys": "^3.4.3",
+        "espree": "^9.6.1",
+        "esquery": "^1.4.2",
+        "esutils": "^2.0.2",
+        "fast-deep-equal": "^3.1.3",
+        "file-entry-cache": "^6.0.1",
+        "find-up": "^5.0.0",
+        "glob-parent": "^6.0.2",
+        "globals": "^13.19.0",
+        "graphemer": "^1.4.0",
+        "ignore": "^5.2.0",
+        "imurmurhash": "^0.1.4",
+        "is-glob": "^4.0.0",
+        "is-path-inside": "^3.0.3",
+        "js-yaml": "^4.1.0",
+        "json-stable-stringify-without-jsonify": "^1.0.1",
+        "levn": "^0.4.1",
+        "lodash.merge": "^4.6.2",
+        "minimatch": "^3.1.2",
+        "natural-compare": "^1.4.0",
+        "optionator": "^0.9.3",
+        "strip-ansi": "^6.0.1",
+        "text-table": "^0.2.0"
+      },
+      "bin": {
+        "eslint": "bin/eslint.js"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/eslint-plugin-react-hooks": {
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-react-hooks/-/eslint-plugin-react-hooks-5.2.0.tgz",
+      "integrity": "sha512-+f15FfK64YQwZdJNELETdn5ibXEUQmW1DZL6KXhNnc2heoy/sg9VJJeT7n8TlMWouzWqSWavFkIhHyIbIAEapg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "eslint": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0-0 || ^9.0.0"
+      }
+    },
+    "node_modules/eslint-plugin-react-refresh": {
+      "version": "0.4.26",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-react-refresh/-/eslint-plugin-react-refresh-0.4.26.tgz",
+      "integrity": "sha512-1RETEylht2O6FM/MvgnyvT+8K21wLqDNg4qD51Zj3guhjt433XbnnkVttHMyaVyAFD03QSV4LPS5iE3VQmO7XQ==",
+      "dev": true,
+      "license": "MIT",
+      "peerDependencies": {
+        "eslint": ">=8.40"
+      }
+    },
+    "node_modules/eslint-scope": {
+      "version": "7.2.2",
+      "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-7.2.2.tgz",
+      "integrity": "sha512-dOt21O7lTMhDM+X9mB4GX+DZrZtCUJPL/wlcTqxyrx5IvO0IYtILdtrQGQp+8n5S0gwSVmOf9NQrjMOgfQZlIg==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "dependencies": {
+        "esrecurse": "^4.3.0",
+        "estraverse": "^5.2.0"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/eslint-visitor-keys": {
+      "version": "3.4.3",
+      "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.4.3.tgz",
+      "integrity": "sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/eslint/node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/eslint/node_modules/brace-expansion": {
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/eslint/node_modules/ignore": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz",
+      "integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 4"
+      }
+    },
+    "node_modules/eslint/node_modules/minimatch": {
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/espree": {
+      "version": "9.6.1",
+      "resolved": "https://registry.npmjs.org/espree/-/espree-9.6.1.tgz",
+      "integrity": "sha512-oruZaFkjorTpF32kDSI5/75ViwGeZginGGy2NoOSg3Q9bnwlnmDm4HLnkl0RE3n+njDXR037aY1+x58Z/zFdwQ==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "dependencies": {
+        "acorn": "^8.9.0",
+        "acorn-jsx": "^5.3.2",
+        "eslint-visitor-keys": "^3.4.1"
+      },
+      "engines": {
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/eslint"
+      }
+    },
+    "node_modules/esquery": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.7.0.tgz",
+      "integrity": "sha512-Ap6G0WQwcU/LHsvLwON1fAQX9Zp0A2Y6Y/cJBl9r/JbW90Zyg4/zbG6zzKa2OTALELarYHmKu0GhpM5EO+7T0g==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "estraverse": "^5.1.0"
+      },
+      "engines": {
+        "node": ">=0.10"
+      }
+    },
+    "node_modules/esrecurse": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.3.0.tgz",
+      "integrity": "sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "dependencies": {
+        "estraverse": "^5.2.0"
+      },
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/estraverse": {
+      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-5.3.0.tgz",
+      "integrity": "sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=4.0"
+      }
+    },
+    "node_modules/esutils": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
+      "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/fast-deep-equal": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
+      "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/fast-glob": {
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz",
+      "integrity": "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==",
+      "license": "MIT",
+      "dependencies": {
+        "@nodelib/fs.stat": "^2.0.2",
+        "@nodelib/fs.walk": "^1.2.3",
+        "glob-parent": "^5.1.2",
+        "merge2": "^1.3.0",
+        "micromatch": "^4.0.8"
+      },
+      "engines": {
+        "node": ">=8.6.0"
+      }
+    },
+    "node_modules/fast-glob/node_modules/glob-parent": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "license": "ISC",
+      "dependencies": {
+        "is-glob": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/fast-json-stable-stringify": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
+      "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/fast-levenshtein": {
+      "version": "2.0.6",
+      "resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz",
+      "integrity": "sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/fastq": {
+      "version": "1.20.1",
+      "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.20.1.tgz",
+      "integrity": "sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw==",
+      "license": "ISC",
+      "dependencies": {
+        "reusify": "^1.0.4"
+      }
+    },
+    "node_modules/file-entry-cache": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-6.0.1.tgz",
+      "integrity": "sha512-7Gps/XWymbLk2QLYK4NzpMOrYjMhdIxXuIvy2QBsLE6ljuodKvdkWs/cpyJJ3CVIVpH0Oi1Hvg1ovbMzLdFBBg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "flat-cache": "^3.0.4"
+      },
+      "engines": {
+        "node": "^10.12.0 || >=12.0.0"
+      }
+    },
+    "node_modules/fill-range": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+      "license": "MIT",
+      "dependencies": {
+        "to-regex-range": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/find-up": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz",
+      "integrity": "sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "locate-path": "^6.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/flat-cache": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/flat-cache/-/flat-cache-3.2.0.tgz",
+      "integrity": "sha512-CYcENa+FtcUKLmhhqyctpclsq7QF38pKjZHsGNiSQF5r4FtoKDWabFDl3hzaEQMvT1LHEysw5twgLvpYYb4vbw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "flatted": "^3.2.9",
+        "keyv": "^4.5.3",
+        "rimraf": "^3.0.2"
+      },
+      "engines": {
+        "node": "^10.12.0 || >=12.0.0"
+      }
+    },
+    "node_modules/flatted": {
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/fraction.js": {
+      "version": "5.3.4",
+      "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-5.3.4.tgz",
+      "integrity": "sha512-1X1NTtiJphryn/uLQz3whtY6jK3fTqoE3ohKs0tT+Ujr1W59oopxmoEh7Lu5p6vBaPbgoM0bzveAW4Qi5RyWDQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/rawify"
+      }
+    },
+    "node_modules/fs.realpath": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
+      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/gensync": {
+      "version": "1.0.0-beta.2",
+      "resolved": "https://registry.npmjs.org/gensync/-/gensync-1.0.0-beta.2.tgz",
+      "integrity": "sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/get-nonce": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-nonce/-/get-nonce-1.0.1.tgz",
+      "integrity": "sha512-FJhYRoDaiatfEkUK8HKlicmu/3SGFD51q3itKDGoSTysQJBnfOcxU5GxnhE1E6soB76MbT0MBtnKJuXyAx+96Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/glob": {
+      "version": "7.2.3",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
+      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
+      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.1.1",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      },
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/glob-parent": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz",
+      "integrity": "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==",
+      "license": "ISC",
+      "dependencies": {
+        "is-glob": "^4.0.3"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/glob/node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/glob/node_modules/brace-expansion": {
+      "version": "1.1.14",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+      "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0",
+        "concat-map": "0.0.1"
+      }
+    },
+    "node_modules/glob/node_modules/minimatch": {
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/globals": {
+      "version": "13.24.0",
+      "resolved": "https://registry.npmjs.org/globals/-/globals-13.24.0.tgz",
+      "integrity": "sha512-AhO5QUcj8llrbG09iWhPU2B204J1xnPeL8kQmVorSsy+Sjj1sk8gIyh6cUocGmH4L0UuhAJy+hJMRA4mgA4mFQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "type-fest": "^0.20.2"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/graphemer": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/graphemer/-/graphemer-1.4.0.tgz",
+      "integrity": "sha512-EtKwoO6kxCL9WO5xipiHTZlSzBm7WLT627TqC/uVRd0HKmq8NXyebnNYxDoBi7wt8eTWrUrKXCOVaFq9x1kgag==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/has-flag": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
+      "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
+      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/ignore": {
+      "version": "7.0.5",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
+      "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 4"
+      }
+    },
+    "node_modules/import-fresh": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.1.tgz",
+      "integrity": "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "parent-module": "^1.0.0",
+        "resolve-from": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/imurmurhash": {
+      "version": "0.1.4",
+      "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz",
+      "integrity": "sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.8.19"
+      }
+    },
+    "node_modules/inflight": {
+      "version": "1.0.6",
+      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
+      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
+      "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "once": "^1.3.0",
+        "wrappy": "1"
+      }
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/input-otp": {
+      "version": "1.4.2",
+      "resolved": "https://registry.npmjs.org/input-otp/-/input-otp-1.4.2.tgz",
+      "integrity": "sha512-l3jWwYNvrEa6NTCt7BECfCm48GvwuZzkoeG3gBL2w4CHeOXW3eKFmf9UNYkNfYc3mxMrthMnxjIE07MT0zLBQA==",
+      "license": "MIT",
+      "peerDependencies": {
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0.0 || ^19.0.0-rc"
+      }
+    },
+    "node_modules/is-binary-path": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
+      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
+      "license": "MIT",
+      "dependencies": {
+        "binary-extensions": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-core-module": {
+      "version": "2.16.2",
+      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.2.tgz",
+      "integrity": "sha512-evOr8xfXKxE6qSR0hSXL2r3sd7ALj8+7jQEUvPYcm5sgZFdJ+AYzT6yNmJenvIYQBgIGwfwz08sL8zoL7yq2BA==",
+      "license": "MIT",
+      "dependencies": {
+        "hasown": "^2.0.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/is-extglob": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
+      "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-glob": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
+      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "license": "MIT",
+      "dependencies": {
+        "is-extglob": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-number": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.12.0"
+      }
+    },
+    "node_modules/is-path-inside": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.3.tgz",
+      "integrity": "sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/isexe": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
+      "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/jiti": {
+      "version": "1.21.7",
+      "resolved": "https://registry.npmjs.org/jiti/-/jiti-1.21.7.tgz",
+      "integrity": "sha512-/imKNG4EbWNrVjoNC/1H5/9GFy+tqjGBHCaSsN+P2RnPqjsLmv6UD3Ej+Kj8nBWaRAwyk7kK5ZUc+OEatnTR3A==",
+      "license": "MIT",
+      "bin": {
+        "jiti": "bin/jiti.js"
+      }
+    },
+    "node_modules/js-tokens": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
+      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
+      "license": "MIT"
+    },
+    "node_modules/js-yaml": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "argparse": "^2.0.1"
+      },
+      "bin": {
+        "js-yaml": "bin/js-yaml.js"
+      }
+    },
+    "node_modules/jsesc": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
+      "integrity": "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "jsesc": "bin/jsesc"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/json-buffer": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz",
+      "integrity": "sha512-4bV5BfR2mqfQTJm+V5tPPdf+ZpuhiIvTuAB5g8kcrXOZpTT/QwwVRWBywX1ozr6lEuPdbHxwaJlm9G6mI2sfSQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/json-schema-traverse": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
+      "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/json-stable-stringify-without-jsonify": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz",
+      "integrity": "sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/json5": {
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+      "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "json5": "lib/cli.js"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/keyv": {
+      "version": "4.5.4",
+      "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz",
+      "integrity": "sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "json-buffer": "3.0.1"
+      }
+    },
+    "node_modules/levn": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/levn/-/levn-0.4.1.tgz",
+      "integrity": "sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "prelude-ls": "^1.2.1",
+        "type-check": "~0.4.0"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/lilconfig": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-3.1.3.tgz",
+      "integrity": "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/antonk52"
+      }
+    },
+    "node_modules/lines-and-columns": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz",
+      "integrity": "sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==",
+      "license": "MIT"
+    },
+    "node_modules/locate-path": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz",
+      "integrity": "sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "p-locate": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/lodash.merge": {
+      "version": "4.6.2",
+      "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
+      "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/loose-envify": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz",
+      "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==",
+      "license": "MIT",
+      "dependencies": {
+        "js-tokens": "^3.0.0 || ^4.0.0"
+      },
+      "bin": {
+        "loose-envify": "cli.js"
+      }
+    },
+    "node_modules/lru-cache": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz",
+      "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "yallist": "^3.0.2"
+      }
+    },
+    "node_modules/lucide-react": {
+      "version": "0.453.0",
+      "resolved": "https://registry.npmjs.org/lucide-react/-/lucide-react-0.453.0.tgz",
+      "integrity": "sha512-kL+RGZCcJi9BvJtzg2kshO192Ddy9hv3ij+cPrVPWSRzgCWCVazoQJxOjAwgK53NomL07HB7GPHW120FimjNhQ==",
+      "license": "ISC",
+      "peerDependencies": {
+        "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0-rc"
+      }
+    },
+    "node_modules/merge2": {
+      "version": "1.4.1",
+      "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz",
+      "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/micromatch": {
+      "version": "4.0.8",
+      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz",
+      "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==",
+      "license": "MIT",
+      "dependencies": {
+        "braces": "^3.0.3",
+        "picomatch": "^2.3.1"
+      },
+      "engines": {
+        "node": ">=8.6"
+      }
+    },
+    "node_modules/minimatch": {
+      "version": "10.2.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz",
+      "integrity": "sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "dependencies": {
+        "brace-expansion": "^5.0.5"
+      },
+      "engines": {
+        "node": "18 || 20 || >=22"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/mz": {
+      "version": "2.7.0",
+      "resolved": "https://registry.npmjs.org/mz/-/mz-2.7.0.tgz",
+      "integrity": "sha512-z81GNO7nnYMEhrGh9LeymoE4+Yr0Wn5McHIZMK5cfQCl+NDX08sCZgUc9/6MHni9IWuFLm1Z3HTCXu2z9fN62Q==",
+      "license": "MIT",
+      "dependencies": {
+        "any-promise": "^1.0.0",
+        "object-assign": "^4.0.1",
+        "thenify-all": "^1.0.0"
+      }
+    },
+    "node_modules/nanoid": {
+      "version": "3.3.12",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.12.tgz",
+      "integrity": "sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "bin": {
+        "nanoid": "bin/nanoid.cjs"
+      },
+      "engines": {
+        "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
+      }
+    },
+    "node_modules/natural-compare": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/natural-compare/-/natural-compare-1.4.0.tgz",
+      "integrity": "sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/node-releases": {
+      "version": "2.0.38",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.38.tgz",
+      "integrity": "sha512-3qT/88Y3FbH/Kx4szpQQ4HzUbVrHPKTLVpVocKiLfoYvw9XSGOX2FmD2d6DrXbVYyAQTF2HeF6My8jmzx7/CRw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/normalize-path": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-assign": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
+      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-hash": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz",
+      "integrity": "sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
+    "node_modules/optionator": {
+      "version": "0.9.4",
+      "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz",
+      "integrity": "sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "deep-is": "^0.1.3",
+        "fast-levenshtein": "^2.0.6",
+        "levn": "^0.4.1",
+        "prelude-ls": "^1.2.1",
+        "type-check": "^0.4.0",
+        "word-wrap": "^1.2.5"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/p-limit": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz",
+      "integrity": "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "yocto-queue": "^0.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/p-locate": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-5.0.0.tgz",
+      "integrity": "sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "p-limit": "^3.0.2"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/parent-module": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
+      "integrity": "sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "callsites": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/path-exists": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/path-is-absolute": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
+      "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/path-key": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
+      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/path-parse": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz",
+      "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==",
+      "license": "MIT"
+    },
+    "node_modules/picocolors": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+      "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
+      "license": "ISC"
+    },
+    "node_modules/picomatch": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/pify": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz",
+      "integrity": "sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/pirates": {
+      "version": "4.0.7",
+      "resolved": "https://registry.npmjs.org/pirates/-/pirates-4.0.7.tgz",
+      "integrity": "sha512-TfySrs/5nm8fQJDcBDuUng3VOUKsd7S+zqvbOTiGXHfxX4wK31ard+hoNuvkicM/2YFzlpDgABOevKSsB4G/FA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/postcss": {
+      "version": "8.5.14",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.14.tgz",
+      "integrity": "sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==",
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/postcss"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "nanoid": "^3.3.11",
+        "picocolors": "^1.1.1",
+        "source-map-js": "^1.2.1"
+      },
+      "engines": {
+        "node": "^10 || ^12 || >=14"
+      }
+    },
+    "node_modules/postcss-import": {
+      "version": "15.1.0",
+      "resolved": "https://registry.npmjs.org/postcss-import/-/postcss-import-15.1.0.tgz",
+      "integrity": "sha512-hpr+J05B2FVYUAXHeK1YyI267J/dDDhMU6B6civm8hSY1jYJnBXxzKDKDswzJmtLHryrjhnDjqqp/49t8FALew==",
+      "license": "MIT",
+      "dependencies": {
+        "postcss-value-parser": "^4.0.0",
+        "read-cache": "^1.0.0",
+        "resolve": "^1.1.7"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      },
+      "peerDependencies": {
+        "postcss": "^8.0.0"
+      }
+    },
+    "node_modules/postcss-js": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/postcss-js/-/postcss-js-4.1.0.tgz",
+      "integrity": "sha512-oIAOTqgIo7q2EOwbhb8UalYePMvYoIeRY2YKntdpFQXNosSu3vLrniGgmH9OKs/qAkfoj5oB3le/7mINW1LCfw==",
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "camelcase-css": "^2.0.1"
+      },
+      "engines": {
+        "node": "^12 || ^14 || >= 16"
+      },
+      "peerDependencies": {
+        "postcss": "^8.4.21"
+      }
+    },
+    "node_modules/postcss-load-config": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-6.0.1.tgz",
+      "integrity": "sha512-oPtTM4oerL+UXmx+93ytZVN82RrlY/wPUV8IeDxFrzIjXOLF1pN+EmKPLbubvKHT2HC20xXsCAH2Z+CKV6Oz/g==",
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "lilconfig": "^3.1.1"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "peerDependencies": {
+        "jiti": ">=1.21.0",
+        "postcss": ">=8.0.9",
+        "tsx": "^4.8.1",
+        "yaml": "^2.4.2"
+      },
+      "peerDependenciesMeta": {
+        "jiti": {
+          "optional": true
+        },
+        "postcss": {
+          "optional": true
+        },
+        "tsx": {
+          "optional": true
+        },
+        "yaml": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/postcss-nested": {
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/postcss-nested/-/postcss-nested-6.2.0.tgz",
+      "integrity": "sha512-HQbt28KulC5AJzG+cZtj9kvKB93CFCdLvog1WFLf1D+xmMvPGlBstkpTEZfK5+AN9hfJocyBFCNiqyS48bpgzQ==",
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "postcss-selector-parser": "^6.1.1"
+      },
+      "engines": {
+        "node": ">=12.0"
+      },
+      "peerDependencies": {
+        "postcss": "^8.2.14"
+      }
+    },
+    "node_modules/postcss-selector-parser": {
+      "version": "6.1.2",
+      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.1.2.tgz",
+      "integrity": "sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg==",
+      "license": "MIT",
+      "dependencies": {
+        "cssesc": "^3.0.0",
+        "util-deprecate": "^1.0.2"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/postcss-value-parser": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz",
+      "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==",
+      "license": "MIT"
+    },
+    "node_modules/prelude-ls": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
+      "integrity": "sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/punycode": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
+      "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/queue-microtask": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
+      "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT"
+    },
+    "node_modules/react": {
+      "version": "18.3.1",
+      "resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz",
+      "integrity": "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==",
+      "license": "MIT",
+      "dependencies": {
+        "loose-envify": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/react-dom": {
+      "version": "18.3.1",
+      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz",
+      "integrity": "sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==",
+      "license": "MIT",
+      "dependencies": {
+        "loose-envify": "^1.1.0",
+        "scheduler": "^0.23.2"
+      },
+      "peerDependencies": {
+        "react": "^18.3.1"
+      }
+    },
+    "node_modules/react-hook-form": {
+      "version": "7.75.0",
+      "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.75.0.tgz",
+      "integrity": "sha512-Ovv94H+0p3sJ7B9B5QxPuCP1u8V/cHuVGyH55cSwodYDtoJwK+fqk3vjfIgSX59I2U/bU4z0nRJ9HMLpNiWEmw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/react-hook-form"
+      },
+      "peerDependencies": {
+        "react": "^16.8.0 || ^17 || ^18 || ^19"
+      }
+    },
+    "node_modules/react-refresh": {
+      "version": "0.17.0",
+      "resolved": "https://registry.npmjs.org/react-refresh/-/react-refresh-0.17.0.tgz",
+      "integrity": "sha512-z6F7K9bV85EfseRCp2bzrpyQ0Gkw1uLoCel9XBVWPg/TjRj94SkJzUTGfOa4bs7iJvBWtQG0Wq7wnI0syw3EBQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/react-remove-scroll": {
+      "version": "2.7.2",
+      "resolved": "https://registry.npmjs.org/react-remove-scroll/-/react-remove-scroll-2.7.2.tgz",
+      "integrity": "sha512-Iqb9NjCCTt6Hf+vOdNIZGdTiH1QSqr27H/Ek9sv/a97gfueI/5h1s3yRi1nngzMUaOOToin5dI1dXKdXiF+u0Q==",
+      "license": "MIT",
+      "dependencies": {
+        "react-remove-scroll-bar": "^2.3.7",
+        "react-style-singleton": "^2.2.3",
+        "tslib": "^2.1.0",
+        "use-callback-ref": "^1.3.3",
+        "use-sidecar": "^1.1.3"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/react-remove-scroll-bar": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/react-remove-scroll-bar/-/react-remove-scroll-bar-2.3.8.tgz",
+      "integrity": "sha512-9r+yi9+mgU33AKcj6IbT9oRCO78WriSj6t/cF8DWBZJ9aOGPOTEDvdUDz1FwKim7QXWwmHqtdHnRJfhAxEG46Q==",
+      "license": "MIT",
+      "dependencies": {
+        "react-style-singleton": "^2.2.2",
+        "tslib": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/react-router": {
+      "version": "6.30.3",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.30.3.tgz",
+      "integrity": "sha512-XRnlbKMTmktBkjCLE8/XcZFlnHvr2Ltdr1eJX4idL55/9BbORzyZEaIkBFDhFGCEWBBItsVrDxwx3gnisMitdw==",
+      "license": "MIT",
+      "dependencies": {
+        "@remix-run/router": "1.23.2"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      },
+      "peerDependencies": {
+        "react": ">=16.8"
+      }
+    },
+    "node_modules/react-router-dom": {
+      "version": "6.30.3",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.30.3.tgz",
+      "integrity": "sha512-pxPcv1AczD4vso7G4Z3TKcvlxK7g7TNt3/FNGMhfqyntocvYKj+GCatfigGDjbLozC4baguJ0ReCigoDJXb0ag==",
+      "license": "MIT",
+      "dependencies": {
+        "@remix-run/router": "1.23.2",
+        "react-router": "6.30.3"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      },
+      "peerDependencies": {
+        "react": ">=16.8",
+        "react-dom": ">=16.8"
+      }
+    },
+    "node_modules/react-style-singleton": {
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/react-style-singleton/-/react-style-singleton-2.2.3.tgz",
+      "integrity": "sha512-b6jSvxvVnyptAiLjbkWLE/lOnR4lfTtDAl+eUC7RZy+QQWc6wRzIV2CE6xBuMmDxc2qIihtDCZD5NPOFl7fRBQ==",
+      "license": "MIT",
+      "dependencies": {
+        "get-nonce": "^1.0.0",
+        "tslib": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/read-cache": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/read-cache/-/read-cache-1.0.0.tgz",
+      "integrity": "sha512-Owdv/Ft7IjOgm/i0xvNDZ1LrRANRfew4b2prF3OWMQLxLfu3bS8FVhCsrSCMK4lR56Y9ya+AThoTpDCTxCmpRA==",
+      "license": "MIT",
+      "dependencies": {
+        "pify": "^2.3.0"
+      }
+    },
+    "node_modules/readdirp": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
+      "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==",
+      "license": "MIT",
+      "dependencies": {
+        "picomatch": "^2.2.1"
+      },
+      "engines": {
+        "node": ">=8.10.0"
+      }
+    },
+    "node_modules/resolve": {
+      "version": "1.22.12",
+      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.12.tgz",
+      "integrity": "sha512-TyeJ1zif53BPfHootBGwPRYT1RUt6oGWsaQr8UyZW/eAm9bKoijtvruSDEmZHm92CwS9nj7/fWttqPCgzep8CA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "is-core-module": "^2.16.1",
+        "path-parse": "^1.0.7",
+        "supports-preserve-symlinks-flag": "^1.0.0"
+      },
+      "bin": {
+        "resolve": "bin/resolve"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/resolve-from": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz",
+      "integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/reusify": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.1.0.tgz",
+      "integrity": "sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw==",
+      "license": "MIT",
+      "engines": {
+        "iojs": ">=1.0.0",
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/rimraf": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",
+      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
+      "deprecated": "Rimraf versions prior to v4 are no longer supported",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "glob": "^7.1.3"
+      },
+      "bin": {
+        "rimraf": "bin.js"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/rollup": {
+      "version": "4.60.3",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.60.3.tgz",
+      "integrity": "sha512-pAQK9HalE84QSm4Po3EmWIZPd3FnjkShVkiMlz1iligWYkWQ7wHYd1PF/T7QZ5TVSD6uSTon5gBVMSM4JfBV+A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "1.0.8"
+      },
+      "bin": {
+        "rollup": "dist/bin/rollup"
+      },
+      "engines": {
+        "node": ">=18.0.0",
+        "npm": ">=8.0.0"
+      },
+      "optionalDependencies": {
+        "@rollup/rollup-android-arm-eabi": "4.60.3",
+        "@rollup/rollup-android-arm64": "4.60.3",
+        "@rollup/rollup-darwin-arm64": "4.60.3",
+        "@rollup/rollup-darwin-x64": "4.60.3",
+        "@rollup/rollup-freebsd-arm64": "4.60.3",
+        "@rollup/rollup-freebsd-x64": "4.60.3",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.60.3",
+        "@rollup/rollup-linux-arm-musleabihf": "4.60.3",
+        "@rollup/rollup-linux-arm64-gnu": "4.60.3",
+        "@rollup/rollup-linux-arm64-musl": "4.60.3",
+        "@rollup/rollup-linux-loong64-gnu": "4.60.3",
+        "@rollup/rollup-linux-loong64-musl": "4.60.3",
+        "@rollup/rollup-linux-ppc64-gnu": "4.60.3",
+        "@rollup/rollup-linux-ppc64-musl": "4.60.3",
+        "@rollup/rollup-linux-riscv64-gnu": "4.60.3",
+        "@rollup/rollup-linux-riscv64-musl": "4.60.3",
+        "@rollup/rollup-linux-s390x-gnu": "4.60.3",
+        "@rollup/rollup-linux-x64-gnu": "4.60.3",
+        "@rollup/rollup-linux-x64-musl": "4.60.3",
+        "@rollup/rollup-openbsd-x64": "4.60.3",
+        "@rollup/rollup-openharmony-arm64": "4.60.3",
+        "@rollup/rollup-win32-arm64-msvc": "4.60.3",
+        "@rollup/rollup-win32-ia32-msvc": "4.60.3",
+        "@rollup/rollup-win32-x64-gnu": "4.60.3",
+        "@rollup/rollup-win32-x64-msvc": "4.60.3",
+        "fsevents": "~2.3.2"
+      }
+    },
+    "node_modules/run-parallel": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
+      "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "queue-microtask": "^1.2.2"
+      }
+    },
+    "node_modules/scheduler": {
+      "version": "0.23.2",
+      "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.23.2.tgz",
+      "integrity": "sha512-UOShsPwz7NrMUqhR6t0hWjFduvOzbtv7toDH1/hIrfRNIDBnnBWd0CwJTGvTpngVlmwGCdP9/Zl/tVrDqcuYzQ==",
+      "license": "MIT",
+      "dependencies": {
+        "loose-envify": "^1.1.0"
+      }
+    },
+    "node_modules/semver": {
+      "version": "7.8.0",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz",
+      "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/shebang-command": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
+      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "shebang-regex": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/shebang-regex": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
+      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/source-map-js": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
+      "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-json-comments": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
+      "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/sucrase": {
+      "version": "3.35.1",
+      "resolved": "https://registry.npmjs.org/sucrase/-/sucrase-3.35.1.tgz",
+      "integrity": "sha512-DhuTmvZWux4H1UOnWMB3sk0sbaCVOoQZjv8u1rDoTV0HTdGem9hkAZtl4JZy8P2z4Bg0nT+YMeOFyVr4zcG5Tw==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/gen-mapping": "^0.3.2",
+        "commander": "^4.0.0",
+        "lines-and-columns": "^1.1.6",
+        "mz": "^2.7.0",
+        "pirates": "^4.0.1",
+        "tinyglobby": "^0.2.11",
+        "ts-interface-checker": "^0.1.9"
+      },
+      "bin": {
+        "sucrase": "bin/sucrase",
+        "sucrase-node": "bin/sucrase-node"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      }
+    },
+    "node_modules/supports-color": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
+      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "has-flag": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/supports-preserve-symlinks-flag": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz",
+      "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/tailwind-merge": {
+      "version": "2.6.1",
+      "resolved": "https://registry.npmjs.org/tailwind-merge/-/tailwind-merge-2.6.1.tgz",
+      "integrity": "sha512-Oo6tHdpZsGpkKG88HJ8RR1rg/RdnEkQEfMoEk2x1XRI3F1AxeU+ijRXpiVUF4UbLfcxxRGw6TbUINKYdWVsQTQ==",
+      "license": "MIT",
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/dcastil"
+      }
+    },
+    "node_modules/tailwindcss": {
+      "version": "3.4.19",
+      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.19.tgz",
+      "integrity": "sha512-3ofp+LL8E+pK/JuPLPggVAIaEuhvIz4qNcf3nA1Xn2o/7fb7s/TYpHhwGDv1ZU3PkBluUVaF8PyCHcm48cKLWQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@alloc/quick-lru": "^5.2.0",
+        "arg": "^5.0.2",
+        "chokidar": "^3.6.0",
+        "didyoumean": "^1.2.2",
+        "dlv": "^1.1.3",
+        "fast-glob": "^3.3.2",
+        "glob-parent": "^6.0.2",
+        "is-glob": "^4.0.3",
+        "jiti": "^1.21.7",
+        "lilconfig": "^3.1.3",
+        "micromatch": "^4.0.8",
+        "normalize-path": "^3.0.0",
+        "object-hash": "^3.0.0",
+        "picocolors": "^1.1.1",
+        "postcss": "^8.4.47",
+        "postcss-import": "^15.1.0",
+        "postcss-js": "^4.0.1",
+        "postcss-load-config": "^4.0.2 || ^5.0 || ^6.0",
+        "postcss-nested": "^6.2.0",
+        "postcss-selector-parser": "^6.1.2",
+        "resolve": "^1.22.8",
+        "sucrase": "^3.35.0"
+      },
+      "bin": {
+        "tailwind": "lib/cli.js",
+        "tailwindcss": "lib/cli.js"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/tailwindcss-animate": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/tailwindcss-animate/-/tailwindcss-animate-1.0.7.tgz",
+      "integrity": "sha512-bl6mpH3T7I3UFxuvDEXLxy/VuFxBk5bbzplh7tXI68mwMokNYd1t9qPBHlnyTwfa4JGC4zP516I1hYYtQ/vspA==",
+      "license": "MIT",
+      "peerDependencies": {
+        "tailwindcss": ">=3.0.0 || insiders"
+      }
+    },
+    "node_modules/text-table": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz",
+      "integrity": "sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/thenify": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/thenify/-/thenify-3.3.1.tgz",
+      "integrity": "sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==",
+      "license": "MIT",
+      "dependencies": {
+        "any-promise": "^1.0.0"
+      }
+    },
+    "node_modules/thenify-all": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/thenify-all/-/thenify-all-1.6.0.tgz",
+      "integrity": "sha512-RNxQH/qI8/t3thXJDwcstUO4zeqo64+Uy/+sNVRBx4Xn2OX+OZ9oP+iJnNFqplFra2ZUVeKCSa2oVWi3T4uVmA==",
+      "license": "MIT",
+      "dependencies": {
+        "thenify": ">= 3.1.0 < 4"
+      },
+      "engines": {
+        "node": ">=0.8"
+      }
+    },
+    "node_modules/tinyglobby": {
+      "version": "0.2.16",
+      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.16.tgz",
+      "integrity": "sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==",
+      "license": "MIT",
+      "dependencies": {
+        "fdir": "^6.5.0",
+        "picomatch": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/SuperchupuDev"
+      }
+    },
+    "node_modules/tinyglobby/node_modules/fdir": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
+      "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "peerDependencies": {
+        "picomatch": "^3 || ^4"
+      },
+      "peerDependenciesMeta": {
+        "picomatch": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/tinyglobby/node_modules/picomatch": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/to-regex-range": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "license": "MIT",
+      "dependencies": {
+        "is-number": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=8.0"
+      }
+    },
+    "node_modules/ts-api-utils": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.5.0.tgz",
+      "integrity": "sha512-OJ/ibxhPlqrMM0UiNHJ/0CKQkoKF243/AEmplt3qpRgkW8VG7IfOS41h7V8TjITqdByHzrjcS/2si+y4lIh8NA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.12"
+      },
+      "peerDependencies": {
+        "typescript": ">=4.8.4"
+      }
+    },
+    "node_modules/ts-interface-checker": {
+      "version": "0.1.13",
+      "resolved": "https://registry.npmjs.org/ts-interface-checker/-/ts-interface-checker-0.1.13.tgz",
+      "integrity": "sha512-Y/arvbn+rrz3JCKl9C4kVNfTfSm2/mEp5FSz5EsZSANGPSlQrpRI5M4PKF+mJnE52jOO90PnPSc3Ur3bTQw0gA==",
+      "license": "Apache-2.0"
+    },
+    "node_modules/tslib": {
+      "version": "2.8.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
+      "license": "0BSD"
+    },
+    "node_modules/type-check": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
+      "integrity": "sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "prelude-ls": "^1.2.1"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/type-fest": {
+      "version": "0.20.2",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-0.20.2.tgz",
+      "integrity": "sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==",
+      "dev": true,
+      "license": "(MIT OR CC0-1.0)",
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/typescript": {
+      "version": "5.9.3",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
+      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    },
+    "node_modules/undici-types": {
+      "version": "6.21.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
+      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/update-browserslist-db": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz",
+      "integrity": "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "escalade": "^3.2.0",
+        "picocolors": "^1.1.1"
+      },
+      "bin": {
+        "update-browserslist-db": "cli.js"
+      },
+      "peerDependencies": {
+        "browserslist": ">= 4.21.0"
+      }
+    },
+    "node_modules/uri-js": {
+      "version": "4.4.1",
+      "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz",
+      "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "dependencies": {
+        "punycode": "^2.1.0"
+      }
+    },
+    "node_modules/use-callback-ref": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/use-callback-ref/-/use-callback-ref-1.3.3.tgz",
+      "integrity": "sha512-jQL3lRnocaFtu3V00JToYz/4QkNWswxijDaCVNZRiRTO3HQDLsdu1ZtmIUvV4yPp+rvWm5j0y0TG/S61cuijTg==",
+      "license": "MIT",
+      "dependencies": {
+        "tslib": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/use-sidecar": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/use-sidecar/-/use-sidecar-1.1.3.tgz",
+      "integrity": "sha512-Fedw0aZvkhynoPYlA5WXrMCAMm+nSWdZt6lzJQ7Ok8S6Q+VsHmHpRWndVRJ8Be0ZbkfPc5LRYH+5XrzXcEeLRQ==",
+      "license": "MIT",
+      "dependencies": {
+        "detect-node-es": "^1.1.0",
+        "tslib": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
+      "license": "MIT"
+    },
+    "node_modules/vite": {
+      "version": "5.4.21",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.21.tgz",
+      "integrity": "sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "esbuild": "^0.21.3",
+        "postcss": "^8.4.43",
+        "rollup": "^4.20.0"
+      },
+      "bin": {
+        "vite": "bin/vite.js"
+      },
+      "engines": {
+        "node": "^18.0.0 || >=20.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/vitejs/vite?sponsor=1"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.3"
+      },
+      "peerDependencies": {
+        "@types/node": "^18.0.0 || >=20.0.0",
+        "less": "*",
+        "lightningcss": "^1.21.0",
+        "sass": "*",
+        "sass-embedded": "*",
+        "stylus": "*",
+        "sugarss": "*",
+        "terser": "^5.4.0"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        },
+        "less": {
+          "optional": true
+        },
+        "lightningcss": {
+          "optional": true
+        },
+        "sass": {
+          "optional": true
+        },
+        "sass-embedded": {
+          "optional": true
+        },
+        "stylus": {
+          "optional": true
+        },
+        "sugarss": {
+          "optional": true
+        },
+        "terser": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/which": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
+      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "isexe": "^2.0.0"
+      },
+      "bin": {
+        "node-which": "bin/node-which"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/word-wrap": {
+      "version": "1.2.5",
+      "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
+      "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/yallist": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
+      "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/yocto-queue": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz",
+      "integrity": "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/zod": {
+      "version": "3.25.76",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz",
+      "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/colinhacks"
+      }
+    }
+  }
+}

From 0673ce897e9f2ee8fe7886818d7db48a228d2487 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Sat, 9 May 2026 09:11:31 -0700
Subject: [PATCH 20/25] ci: add .golangci.yml + fix the two real lint findings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

golangci-lint v2 doesn't run any linters without an explicit config
(v1 silently ran the standard set). Added a minimal v2 config that
enables the same set v1 had on by default — errcheck, govet,
ineffassign, staticcheck, unused — plus targeted exclusion rules
for idiomatic patterns we don't want to flag:

  - `defer x.Close()` — the canonical Go idiom; close-on-defer
    failures aren't actionable.
  - `.Set(Read|Write)Deadline(...)` on websocket conns — same idea;
    a failed deadline just means the next op will error and we'll
    exit cleanly.
  - `_ = d.DB.WriteAudit(...)` — audits are best-effort by design.
  - tests routinely ignore cleanup errors.

Two real findings fixed in source:

  - internal/docker/fake.go:98 — staticcheck QF1008 flagged
    `c.Container.State = state` as redundant once `c.State = state`
    was already on the line above. Embedded field rewrites are
    transparent here; dropped the duplicate.
  - internal/api/auth/auth.go:191 — `type pendingEnrollments
    struct{}` was declared with a TODO comment but never referenced.
    Removed; the TODO now lives in MILESTONES.md territory rather
    than dead code.

Local `golangci-lint run` against the same v2.5.0 the CI runs is
clean: 0 issues.
---
 .golangci.yml             | 72 ++++++++++++++++++++-------------------
 internal/api/auth/auth.go |  9 -----
 internal/docker/fake.go   |  1 -
 3 files changed, 37 insertions(+), 45 deletions(-)

diff --git a/.golangci.yml b/.golangci.yml
index 4b75748..65daf32 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,40 +1,42 @@
-run:
-  timeout: 3m
-  tests: true
+# golangci-lint v2 config.
+#
+# v2 requires an explicit config; v1 ran the standard linter set by
+# default. We declare the same set here so behavior matches what CI
+# used to do before the v1 → v2 jump.
+version: "2"
 
 linters:
-  disable-all: true
+  default: none
   enable:
-    - errcheck
-    - gosimple
-    - govet
-    - ineffassign
-    - staticcheck
-    - unused
-    - gofmt
-    - goimports
-    - revive
-    - gosec
-    - misspell
-    - bodyclose
-    - errorlint
-    - nolintlint
+    - errcheck      # unhandled error returns
+    - govet         # standard go vet (also run separately)
+    - ineffassign   # ineffectual assignments
+    - staticcheck   # broad correctness/style checks
+    - unused        # unused functions / vars / types
 
-linters-settings:
-  goimports:
-    local-prefixes: github.com/tm4rtin17/controlroom
-  revive:
+  exclusions:
+    # Generated client-go and embedded SPA assets shouldn't fail lint.
+    paths:
+      - internal/web/dist
+      - web/node_modules
     rules:
-      - name: exported
-        arguments: ["disableStutteringCheck"]
-
-issues:
-  exclude-dirs:
-    - web
-    - deploy
-    - docs
-  exclude-rules:
-    - path: _test\.go
-      linters:
-        - gosec
-        - errcheck
+      # Tests routinely ignore errors on cleanup paths.
+      - path: _test\.go
+        linters:
+          - errcheck
+      # Audit writes are intentionally best-effort; the existing code
+      # uses the `_ = d.DB.WriteAudit(...)` pattern throughout.
+      - source: 'WriteAudit'
+        linters:
+          - errcheck
+      # `defer x.Close()` is idiomatic Go; the only failure that can
+      # happen on close-on-defer is one we couldn't act on anyway.
+      - source: '^\s*defer .*\.Close\(\)\s*$'
+        linters:
+          - errcheck
+      # Same for SetReadDeadline / SetWriteDeadline on a websocket —
+      # if the deadline can't be set the next read/write will fail
+      # and we'll exit cleanly.
+      - source: '\.Set(Read|Write)Deadline\('
+        linters:
+          - errcheck
diff --git a/internal/api/auth/auth.go b/internal/api/auth/auth.go
index 90a798b..303f99a 100644
--- a/internal/api/auth/auth.go
+++ b/internal/api/auth/auth.go
@@ -185,15 +185,6 @@ func (d Deps) meHandler(c *fiber.Ctx) error {
 
 // ---- 2FA management (post-login) ----
 
-// pendingEnrollments holds in-progress TOTP enrollments keyed by user id.
-// Stored only in memory so a restart cancels enrollment in flight; the user
-// just enrolls again. Keeps unverified secrets out of the DB.
-type pendingEnrollments struct {
-	// (TODO: M9 polish — promote to a struct map with TTL eviction. For the
-	// homelab single-user surface, the user id key + verify-then-store flow
-	// is sufficient.)
-}
-
 type totpEnrollResp struct {
 	Secret    string `json:"secret"`
 	URI       string `json:"uri"`
diff --git a/internal/docker/fake.go b/internal/docker/fake.go
index d0bff0f..9c668d8 100644
--- a/internal/docker/fake.go
+++ b/internal/docker/fake.go
@@ -95,7 +95,6 @@ func (f *Fake) transition(id, state string, started, finished time.Time) error {
 		return errors.New("not found")
 	}
 	c.State = state
-	c.Container.State = state
 	if !started.IsZero() {
 		c.StartedAt = started
 		c.FinishedAt = time.Time{}

From c8fb01c3be23cea973e9fd248fb5540eca256ea2 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Sat, 9 May 2026 09:17:14 -0700
Subject: [PATCH 21/25] ci: align Dockerfile COPY with vite outDir (web/dist,
 not internal/web/dist)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The committed web-builder stage writes its bundle to /src/web/dist
(vite.config.ts has `outDir: 'dist'` resolved relative to web/), but
the go-builder COPY was reading from /src/internal/web/dist —
nothing there, build error:

    failed to compute cache key: ... "/src/internal/web/dist": not found

`make image` worked locally because my working-tree Dockerfile had
the correct path, but I never committed that fix; the broken COPY
from a pre-v0.2 in-flight relocation attempt has been on origin/v0.2
since the fat-privileged container rewrite. Aligning the path so
the bundle from web-builder actually reaches go-builder for embed.

Embed target inside the runtime image is unchanged — internal/web/dist
relative to the Go module — only the source path of the COPY changed.
---
 deploy/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/Dockerfile b/deploy/Dockerfile
index 36538ac..f446633 100644
--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -53,7 +53,7 @@ COPY go.mod go.sum* ./
 RUN go mod download
 
 COPY . .
-COPY --from=web-builder /src/internal/web/dist ./internal/web/dist
+COPY --from=web-builder /src/web/dist ./internal/web/dist
 
 # Pre-create the data dir so we can COPY it into the runtime stage.
 RUN mkdir -p /out/data

From 8bb856412000db0b61c2990e544d7681e6ef4b56 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Sat, 9 May 2026 10:08:06 -0700
Subject: [PATCH 22/25] =?UTF-8?q?k8s:=20Phase=20D3=20=E2=80=94=20read-only?=
 =?UTF-8?q?=20Secret=20viewer=20(masked=20+=20per-read=20audit)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a Secrets tab to the Kubernetes route. Read-only — no edit/create/
delete. Most-sensitive RBAC widening so far; the design choices reflect
that.

Backend (internal/k8s/secrets.go + internal/api/k8s/k8s.go)
  - GET  /api/k8s/secrets?namespace=
         → { secrets: [{name, namespace, type, keys[], age}] }
         List omits values; only metadata + lex-sorted key list. Type
         is the K8s SecretType (Opaque, kubernetes.io/tls,
         dockerconfigjson, etc.).
  - GET  /api/k8s/secrets/:ns/:name
         → SecretDetail (secret + labels + annotations + data + events).
         data values are base64-decoded to plaintext on the backend.
         Non-UTF-8 bytes get U+FFFD substitution via standard JSON
         encoder behavior — most secrets are text, this is acceptable.

  - Per-detail audit: every detail GET (success or failure) writes a
    store.AuditEntry with action `k8s.secret.read`, target `ns/name`,
    detail `{"key_count": N}`. Key NAMES are not logged, values are
    not logged. The audit table records THAT a secret was read, not
    what was in it. List endpoint is intentionally NOT audited (no
    values exposed there).

RBAC (deploy/k8s/rbac.yaml)
  - core/secrets: [get, list]
  - Deliberately NOT watch — keeps a long-lived stream of all cluster
    secrets from being established. Reads are point-in-time and
    audited; watch would not be.
  - Comment explicitly explains the trade.

Frontend (web/src/components/k8s/Secret{List,Detail}.tsx + lib hooks)
  - SecretList: table with Name/Namespace/Type-badge/Keys/Age. Type
    badge strips the kubernetes.io/ prefix for compactness.
  - SecretDetail: Sheet drawer with:
      • muted informational banner: "Read-only. Values are sensitive
        — every detail view writes an audit row." (informational, not
        alarmist red.)
      • Reveal All / Hide All toggle resets to OFF every time the
        drawer opens — re-opening always re-masks.
      • Per-row eye toggle + copy-to-clipboard button.
      • Masking: 8 fixed bullets regardless of value length so the
        DOM never leaks length information.
      • JSON pretty-print: try/catch around JSON.parse + stringify;
        falls back to raw text on parse failure.
      • TLS-shaped values (start with -----BEGIN, contain newlines)
        rendered in a monospace <pre>.
      • Copy fallback: navigator.clipboard.writeText with a hidden
        <textarea>+execCommand fallback for insecure contexts.
  - useK8sSecretDetail uses staleTime: 60s and refetchOnWindowFocus:
    false so re-opening doesn't immediately re-hit the API and pile
    up audit rows.

Verified end-to-end:
  - Local golangci-lint v2.5.0 clean (0 issues), tsc --noEmit clean.
  - make image succeeds at 230MB.
  - Image loaded into both K3s nodes; deployment rolled clean.
  - Docker compose container recreated with the standard
    fat-privileged flags.
  - kubectl auth can-i: list secrets=yes, get secrets=yes,
    watch secrets=no (intentional).
  - Both endpoints return 401 (mounted, auth-gated).
  - SPA bundle contains 24 references to SecretList/SecretDetail/
    useK8sSecrets/secrets path.

Side change: deploy/docker-compose.yml `image:` flipped from
ghcr.io/tm4rtin17/controlroom:latest to controlroom:dev so
`docker compose up` matches the local-build workflow without
forcing a registry pull. Production deployments should pin a
specific tag.
---
 deploy/docker-compose.yml               |   2 +-
 deploy/k8s/rbac.yaml                    |   8 +
 internal/api/k8s/k8s.go                 |  63 +++++
 internal/k8s/secrets.go                 | 107 +++++++++
 web/src/components/k8s/SecretDetail.tsx | 290 ++++++++++++++++++++++++
 web/src/components/k8s/SecretList.tsx   |  92 ++++++++
 web/src/lib/k8s.ts                      |  42 ++++
 web/src/routes/Kubernetes.tsx           |  25 +-
 8 files changed, 626 insertions(+), 3 deletions(-)
 create mode 100644 internal/k8s/secrets.go
 create mode 100644 web/src/components/k8s/SecretDetail.tsx
 create mode 100644 web/src/components/k8s/SecretList.tsx

diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index a30f237..1c1609b 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -34,7 +34,7 @@
 
 services:
   controlroom:
-    image: ghcr.io/tm4rtin17/controlroom:latest
+    image: controlroom:dev
     container_name: controlroom
     restart: unless-stopped
 
diff --git a/deploy/k8s/rbac.yaml b/deploy/k8s/rbac.yaml
index b3f6738..7ab1b9f 100644
--- a/deploy/k8s/rbac.yaml
+++ b/deploy/k8s/rbac.yaml
@@ -51,6 +51,14 @@ rules:
     resources:
       - configmaps
     verbs: [update]
+  # Secrets read access. Deliberately get/list only — NOT watch — so we
+  # don't keep a long-lived stream of all cluster secret values open.
+  # Every detail view writes an audit row (k8s.secret.read) so the
+  # operator's read history is recoverable.
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs: [get, list]
   - apiGroups: ["apps"]
     resources:
       - deployments
diff --git a/internal/api/k8s/k8s.go b/internal/api/k8s/k8s.go
index 53d5b3d..fbcaf99 100644
--- a/internal/api/k8s/k8s.go
+++ b/internal/api/k8s/k8s.go
@@ -76,6 +76,8 @@ func MountHTTP(authed fiber.Router, d Deps) {
 	g.Get("/configmaps", d.listConfigMapsHandler)
 	g.Get("/configmaps/:namespace/:name", d.configMapDetailHandler)
 	g.Put("/configmaps/:namespace/:name", d.updateConfigMapHandler)
+	g.Get("/secrets", d.listSecretsHandler)
+	g.Get("/secrets/:namespace/:name", d.secretDetailHandler)
 }
 
 // MountWS registers WebSocket routes on the ws group.
@@ -363,6 +365,67 @@ func (d Deps) updateConfigMapHandler(c *fiber.Ctx) error {
 	return c.JSON(fiber.Map{"ok": true})
 }
 
+// ---- secret handlers ----
+
+type secretsResp struct {
+	Secrets []k8s.Secret `json:"secrets"`
+}
+
+func (d Deps) listSecretsHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	ns := c.Query("namespace")
+	if ns != "" && !validK8sName(ns) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	secrets, err := d.Client.ListSecrets(c.Context(), ns)
+	if err != nil {
+		return fiber.NewError(http.StatusInternalServerError, "list secrets: "+err.Error())
+	}
+	return c.JSON(secretsResp{Secrets: secrets})
+}
+
+func (d Deps) secretDetailHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	namespace := c.Params("namespace")
+	name := c.Params("name")
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid secret name")
+	}
+
+	detail, err := d.Client.GetSecret(c.Context(), namespace, name)
+	entry := store.AuditEntry{
+		IP:     c.IP(),
+		Action: "k8s.secret.read",
+		Target: namespace + "/" + name,
+	}
+	if u := middleware.CurrentUser(c); u != nil {
+		entry.UserID = u.ID
+	}
+	if err != nil {
+		entry.Outcome = "failure"
+		entry.Detail = map[string]any{"error": err.Error()}
+		_ = d.DB.WriteAudit(c.Context(), entry)
+		if k8serrors.IsNotFound(err) {
+			return fiber.NewError(http.StatusNotFound, "secret not found")
+		}
+		if k8serrors.IsForbidden(err) {
+			return fiber.NewError(http.StatusForbidden, "forbidden")
+		}
+		return fiber.NewError(http.StatusInternalServerError, "get secret: "+err.Error())
+	}
+	entry.Outcome = "success"
+	entry.Detail = map[string]any{"key_count": len(detail.Secret.Keys)}
+	_ = d.DB.WriteAudit(c.Context(), entry)
+	return c.JSON(detail)
+}
+
 // ---- write action handlers ----
 
 func (d Deps) restartWorkloadHandler(c *fiber.Ctx) error {
diff --git a/internal/k8s/secrets.go b/internal/k8s/secrets.go
new file mode 100644
index 0000000..7febf04
--- /dev/null
+++ b/internal/k8s/secrets.go
@@ -0,0 +1,107 @@
+package k8s
+
+import (
+	"context"
+	"sort"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Secret is the list-level representation (no data values).
+type Secret struct {
+	Name      string   `json:"name"`
+	Namespace string   `json:"namespace"`
+	Type      string   `json:"type"` // K8s SecretType e.g. "Opaque", "kubernetes.io/tls"
+	Keys      []string `json:"keys"` // never nil; lex-sorted
+	Age       string   `json:"age"`  // RFC3339
+}
+
+// SecretDetail is the full detail view.
+type SecretDetail struct {
+	Secret      Secret            `json:"secret"`
+	Labels      map[string]string `json:"labels"`      // never nil
+	Annotations map[string]string `json:"annotations"` // never nil
+	Data        map[string]string `json:"data"`        // never nil; values are base64-decoded plaintext
+	Events      []Event           `json:"events"`      // never nil
+}
+
+// sortedSecretKeys returns alphabetically sorted keys from a map[string][]byte.
+func sortedSecretKeys(m map[string][]byte) []string {
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+// ListSecrets lists secrets. namespace="" means all namespaces.
+func (c *Client) ListSecrets(ctx context.Context, namespace string) ([]Secret, error) {
+	list, err := c.cs.CoreV1().Secrets(namespace).List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	out := make([]Secret, 0, len(list.Items))
+	for _, s := range list.Items {
+		keys := sortedSecretKeys(s.Data)
+		if keys == nil {
+			keys = []string{}
+		}
+		out = append(out, Secret{
+			Name:      s.Name,
+			Namespace: s.Namespace,
+			Type:      string(s.Type),
+			Keys:      keys,
+			Age:       s.CreationTimestamp.UTC().Format(time.RFC3339),
+		})
+	}
+	return out, nil
+}
+
+// GetSecret returns full detail for a secret including events.
+// client-go already base64-decodes s.Data values; we cast []byte to string directly.
+func (c *Client) GetSecret(ctx context.Context, namespace, name string) (*SecretDetail, error) {
+	s, err := c.cs.CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	labels := s.Labels
+	if labels == nil {
+		labels = map[string]string{}
+	}
+	annotations := s.Annotations
+	if annotations == nil {
+		annotations = map[string]string{}
+	}
+
+	data := make(map[string]string, len(s.Data))
+	for k, v := range s.Data {
+		data[k] = string(v)
+	}
+
+	keys := sortedSecretKeys(s.Data)
+	if keys == nil {
+		keys = []string{}
+	}
+
+	events, err := c.ListEvents(ctx, namespace, "Secret", name)
+	if err != nil {
+		events = []Event{}
+	}
+
+	return &SecretDetail{
+		Secret: Secret{
+			Name:      s.Name,
+			Namespace: s.Namespace,
+			Type:      string(s.Type),
+			Keys:      keys,
+			Age:       s.CreationTimestamp.UTC().Format(time.RFC3339),
+		},
+		Labels:      labels,
+		Annotations: annotations,
+		Data:        data,
+		Events:      events,
+	}, nil
+}
diff --git a/web/src/components/k8s/SecretDetail.tsx b/web/src/components/k8s/SecretDetail.tsx
new file mode 100644
index 0000000..d0a8645
--- /dev/null
+++ b/web/src/components/k8s/SecretDetail.tsx
@@ -0,0 +1,290 @@
+import { useState, useCallback, type ReactNode } from 'react'
+import { Eye, EyeOff, Copy } from 'lucide-react'
+
+import { useK8sSecretDetail } from '@/lib/k8s'
+import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import { Button } from '@/components/ui/button'
+import { Badge } from '@/components/ui/badge'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+import { EventsTable } from './EventsTable'
+
+const MASK = '••••••••'
+
+function isTlsLike(v: string): boolean {
+  return v.includes('-----BEGIN') || (v.length > 200 && v.includes('\n'))
+}
+
+function parseJsonPretty(v: string): string | null {
+  if (!v.startsWith('{') && !v.startsWith('[')) return null
+  try {
+    return JSON.stringify(JSON.parse(v), null, 2)
+  } catch {
+    return null
+  }
+}
+
+async function copyToClipboard(text: string): Promise<boolean> {
+  if (navigator.clipboard?.writeText) {
+    try {
+      await navigator.clipboard.writeText(text)
+      return true
+    } catch {
+      // fall through to execCommand
+    }
+  }
+  // Fallback for insecure contexts
+  try {
+    const ta = document.createElement('textarea')
+    ta.value = text
+    ta.style.position = 'fixed'
+    ta.style.opacity = '0'
+    document.body.appendChild(ta)
+    ta.focus()
+    ta.select()
+    const ok = document.execCommand('copy')
+    document.body.removeChild(ta)
+    return ok
+  } catch {
+    return false
+  }
+}
+
+function typeLabel(t: string): string {
+  const prefix = 'kubernetes.io/'
+  if (t.startsWith(prefix)) return t.slice(prefix.length)
+  return t
+}
+
+function Section({ title, children }: { title: string; children: ReactNode }) {
+  return (
+    <div>
+      <p className="mb-2 text-xs uppercase tracking-wider text-muted-foreground">{title}</p>
+      {children}
+    </div>
+  )
+}
+
+function CollapsibleSection({ title, children }: { title: string; children: ReactNode }) {
+  const [open, setOpen] = useState(false)
+  return (
+    <div>
+      <button
+        className="mb-2 flex items-center gap-1 text-xs uppercase tracking-wider text-muted-foreground hover:text-foreground"
+        onClick={() => setOpen((o) => !o)}
+        type="button"
+      >
+        <span>{open ? '▾' : '▸'}</span>
+        {title}
+      </button>
+      {open && children}
+    </div>
+  )
+}
+
+interface SecretRowProps {
+  secretKey: string
+  value: string
+  revealAll: boolean
+}
+
+function SecretRow({ secretKey, value, revealAll }: SecretRowProps) {
+  const [revealed, setRevealed] = useState(false)
+  const [copyState, setCopyState] = useState<'idle' | 'copied' | 'failed'>('idle')
+
+  const isRevealed = revealAll || revealed
+
+  const handleCopy = useCallback(async () => {
+    const ok = await copyToClipboard(value)
+    setCopyState(ok ? 'copied' : 'failed')
+    setTimeout(() => setCopyState('idle'), 1500)
+  }, [value])
+
+  let displayValue: ReactNode = null
+  if (isRevealed) {
+    const pretty = parseJsonPretty(value)
+    const usePre = isTlsLike(value) || pretty !== null
+    const text = pretty ?? value
+    if (usePre) {
+      displayValue = (
+        <pre className="whitespace-pre-wrap break-all font-mono text-[11px] text-foreground">{text}</pre>
+      )
+    } else {
+      displayValue = <span className="font-mono text-xs text-foreground break-all">{text}</span>
+    }
+  } else {
+    displayValue = <span className="font-mono text-xs text-muted-foreground select-none">{MASK}</span>
+  }
+
+  return (
+    <tr className="border-b last:border-0 align-top">
+      <td className="py-2 pr-3 w-[35%]">
+        <span className="font-mono text-xs">{secretKey}</span>
+      </td>
+      <td className="py-2 pr-2 min-w-0 max-w-[300px]">
+        <div className="break-all">{displayValue}</div>
+      </td>
+      <td className="py-2 whitespace-nowrap">
+        <div className="flex items-center gap-1">
+          <Button
+            size="icon"
+            variant="ghost"
+            className="h-6 w-6"
+            title={isRevealed ? 'Hide value' : 'Reveal value'}
+            onClick={() => setRevealed((r) => !r)}
+          >
+            {isRevealed ? <EyeOff className="h-3.5 w-3.5" /> : <Eye className="h-3.5 w-3.5" />}
+          </Button>
+          <Button
+            size="icon"
+            variant="ghost"
+            className="h-6 w-6"
+            title="Copy value"
+            onClick={handleCopy}
+          >
+            <Copy className="h-3.5 w-3.5" />
+          </Button>
+          {copyState !== 'idle' && (
+            <span className={`text-[10px] ${copyState === 'copied' ? 'text-emerald-500' : 'text-destructive'}`}>
+              {copyState === 'copied' ? 'Copied' : 'Copy failed'}
+            </span>
+          )}
+        </div>
+      </td>
+    </tr>
+  )
+}
+
+export function SecretDetail({
+  namespace,
+  name,
+  open,
+  onOpenChange,
+}: {
+  namespace: string | null
+  name: string | null
+  open: boolean
+  onOpenChange: (open: boolean) => void
+}) {
+  const detailQ = useK8sSecretDetail(open ? namespace : null, open ? name : null)
+  const [revealAll, setRevealAll] = useState(false)
+
+  // Reset reveal state each time drawer opens
+  const handleOpenChange = useCallback(
+    (o: boolean) => {
+      if (!o) setRevealAll(false)
+      onOpenChange(o)
+    },
+    [onOpenChange]
+  )
+
+  const detail = detailQ.data
+  const secret = detail?.secret
+
+  const dataEntries = detail
+    ? Object.entries(detail.data).sort(([a], [b]) => a.localeCompare(b))
+    : []
+
+  return (
+    <Sheet open={open} onOpenChange={handleOpenChange}>
+      <SheetContent className="overflow-y-auto sm:max-w-2xl">
+        <SheetHeader>
+          <div className="flex items-start justify-between gap-2">
+            <div className="min-w-0">
+              <SheetTitle className="font-mono break-all">{secret?.name ?? name}</SheetTitle>
+              <SheetDescription>
+                {secret
+                  ? `${secret.namespace} · ${secret.keys.length} key${secret.keys.length === 1 ? '' : 's'}`
+                  : (namespace ?? '')}
+              </SheetDescription>
+            </div>
+            {secret && (
+              <div className="flex shrink-0 items-center gap-2">
+                <Badge variant="muted">{typeLabel(secret.type)}</Badge>
+                <Button
+                  size="sm"
+                  variant="outline"
+                  onClick={() => setRevealAll((r) => !r)}
+                >
+                  {revealAll ? <><EyeOff className="mr-1.5 h-3.5 w-3.5" />Hide All</> : <><Eye className="mr-1.5 h-3.5 w-3.5" />Reveal All</>}
+                </Button>
+              </div>
+            )}
+          </div>
+        </SheetHeader>
+
+        {/* Informational banner */}
+        <div className="mt-4 rounded-md border border-border bg-muted/40 px-3 py-2 text-xs text-muted-foreground">
+          Read-only. Values are sensitive — every detail view writes an audit row.
+        </div>
+
+        {detail && secret && (
+          <div className="mt-4 flex flex-col gap-6">
+            {/* Data viewer */}
+            <Section title="Data">
+              {dataEntries.length === 0 ? (
+                <p className="text-xs text-muted-foreground">No data keys.</p>
+              ) : (
+                <div className="overflow-x-auto">
+                  <table className="w-full text-xs">
+                    <thead>
+                      <tr className="border-b text-left text-muted-foreground">
+                        <th className="py-1.5 pr-3 font-medium w-[35%]">Key</th>
+                        <th className="py-1.5 pr-3 font-medium">Value</th>
+                        <th className="py-1.5 font-medium" />
+                      </tr>
+                    </thead>
+                    <tbody>
+                      {dataEntries.map(([k, v]) => (
+                        <SecretRow key={k} secretKey={k} value={v} revealAll={revealAll} />
+                      ))}
+                    </tbody>
+                  </table>
+                </div>
+              )}
+            </Section>
+
+            {/* Labels */}
+            {Object.keys(detail.labels).length > 0 && (
+              <Section title="Labels">
+                <div className="flex flex-wrap gap-1.5">
+                  {Object.entries(detail.labels).map(([k, v]) => (
+                    <Badge key={k} variant="muted">{k}={v}</Badge>
+                  ))}
+                </div>
+              </Section>
+            )}
+
+            {/* Annotations */}
+            {Object.keys(detail.annotations).length > 0 && (
+              <CollapsibleSection title="Annotations">
+                <div className="flex flex-wrap gap-1.5">
+                  {Object.entries(detail.annotations).map(([k, v]) => (
+                    <Badge key={k} variant="muted" className="max-w-xs truncate" title={`${k}=${v}`}>
+                      {k}={v}
+                    </Badge>
+                  ))}
+                </div>
+              </CollapsibleSection>
+            )}
+
+            {/* Events */}
+            <Section title="Events">
+              <EventsTable events={detail.events} />
+            </Section>
+          </div>
+        )}
+
+        {detailQ.isLoading && !detail && (
+          <p className="mt-6 text-sm text-muted-foreground">Loading…</p>
+        )}
+        {detailQ.error && !detail && (
+          <Alert variant="destructive" className="mt-4">
+            <AlertDescription>
+              {detailQ.error instanceof Error ? detailQ.error.message : 'Failed to load secret.'}
+            </AlertDescription>
+          </Alert>
+        )}
+      </SheetContent>
+    </Sheet>
+  )
+}
diff --git a/web/src/components/k8s/SecretList.tsx b/web/src/components/k8s/SecretList.tsx
new file mode 100644
index 0000000..995f87b
--- /dev/null
+++ b/web/src/components/k8s/SecretList.tsx
@@ -0,0 +1,92 @@
+import type { K8sSecret } from '@/lib/k8s'
+import { formatRelativeTime } from '@/lib/format'
+import { Card, CardContent } from '@/components/ui/card'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+import { Badge } from '@/components/ui/badge'
+
+function typeLabel(t: string): string {
+  const prefix = 'kubernetes.io/'
+  if (t.startsWith(prefix)) return t.slice(prefix.length)
+  return t
+}
+
+interface Props {
+  secrets: K8sSecret[]
+  loading: boolean
+  error: Error | null
+  search: string
+  onOpen?: (namespace: string, name: string) => void
+}
+
+export function SecretList({ secrets, loading, error, search, onOpen }: Props) {
+  if (loading) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">Loading…</CardContent>
+      </Card>
+    )
+  }
+  if (error) {
+    return (
+      <Alert variant="destructive">
+        <AlertDescription>{error.message || 'Could not fetch secrets.'}</AlertDescription>
+      </Alert>
+    )
+  }
+
+  const needle = search.toLowerCase()
+  const filtered = needle
+    ? secrets.filter(
+        (s) =>
+          s.name.toLowerCase().includes(needle) ||
+          s.namespace.toLowerCase().includes(needle)
+      )
+    : secrets
+
+  if (filtered.length === 0) {
+    return (
+      <Card>
+        <CardContent className="px-4 py-12 text-center text-sm text-muted-foreground">
+          {secrets.length === 0 ? 'No secrets found' : 'No secrets match'}
+        </CardContent>
+      </Card>
+    )
+  }
+
+  return (
+    <Card>
+      <CardContent className="p-0">
+        <div className="overflow-x-auto">
+          <table className="w-full text-sm">
+            <thead>
+              <tr className="border-b text-left text-xs text-muted-foreground">
+                <th className="px-4 py-3 font-medium">Name</th>
+                <th className="px-4 py-3 font-medium">Namespace</th>
+                <th className="px-4 py-3 font-medium">Type</th>
+                <th className="px-4 py-3 font-medium">Keys</th>
+                <th className="px-4 py-3 font-medium">Age</th>
+              </tr>
+            </thead>
+            <tbody className="divide-y">
+              {filtered.map((s) => (
+                <tr
+                  key={`${s.namespace}/${s.name}`}
+                  className={onOpen ? 'cursor-pointer hover:bg-accent/30' : 'hover:bg-accent/30'}
+                  onClick={() => onOpen?.(s.namespace, s.name)}
+                >
+                  <td className="px-4 py-3 font-mono text-xs font-medium">{s.name}</td>
+                  <td className="px-4 py-3 text-xs text-muted-foreground">{s.namespace}</td>
+                  <td className="px-4 py-3 text-xs">
+                    <Badge variant="muted">{typeLabel(s.type)}</Badge>
+                  </td>
+                  <td className="px-4 py-3 text-xs tabular-nums">{s.keys.length}</td>
+                  <td className="px-4 py-3 text-xs text-muted-foreground">{formatRelativeTime(s.age)}</td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      </CardContent>
+    </Card>
+  )
+}
diff --git a/web/src/lib/k8s.ts b/web/src/lib/k8s.ts
index 17ffed2..8718846 100644
--- a/web/src/lib/k8s.ts
+++ b/web/src/lib/k8s.ts
@@ -140,6 +140,22 @@ export interface K8sConfigMapDetail {
   events: K8sEvent[]
 }
 
+export interface K8sSecret {
+  name: string
+  namespace: string
+  type: string
+  keys: string[]
+  age: string
+}
+
+export interface K8sSecretDetail {
+  secret: K8sSecret
+  labels: Record<string, string>
+  annotations: Record<string, string>
+  data: Record<string, string>
+  events: K8sEvent[]
+}
+
 export function useK8sNodes() {
   return useQuery({
     queryKey: ['k8s', 'nodes'],
@@ -261,6 +277,32 @@ export function useK8sConfigMapDetail(namespace: string | null, name: string | n
   })
 }
 
+export function useK8sSecrets(namespace: string) {
+  return useQuery({
+    queryKey: ['k8s', 'secrets', namespace],
+    queryFn: () =>
+      apiFetch<{ secrets: K8sSecret[] }>(
+        `/api/k8s/secrets${namespace ? `?namespace=${encodeURIComponent(namespace)}` : ''}`
+      ),
+    refetchInterval: 30_000,
+    staleTime: 5_000,
+  })
+}
+
+export function useK8sSecretDetail(namespace: string | null, name: string | null) {
+  return useQuery({
+    queryKey: ['k8s', 'secret', 'detail', namespace, name],
+    queryFn: () =>
+      apiFetch<K8sSecretDetail>(
+        `/api/k8s/secrets/${encodeURIComponent(namespace!)}/${encodeURIComponent(name!)}`
+      ),
+    enabled: !!(namespace && name),
+    refetchOnWindowFocus: false,
+    staleTime: 60_000,
+    refetchInterval: false,
+  })
+}
+
 export function useUpdateConfigMap() {
   const qc = useQueryClient()
   return useMutation({
diff --git a/web/src/routes/Kubernetes.tsx b/web/src/routes/Kubernetes.tsx
index 8ac7525..d4f148c 100644
--- a/web/src/routes/Kubernetes.tsx
+++ b/web/src/routes/Kubernetes.tsx
@@ -2,7 +2,7 @@ import { useState } from 'react'
 import { Search } from 'lucide-react'
 
 import { ApiError } from '@/lib/api'
-import { useK8sNodes, useK8sNamespaces, useK8sWorkloads, useK8sPods, useK8sServices, useK8sConfigMaps } from '@/lib/k8s'
+import { useK8sNodes, useK8sNamespaces, useK8sWorkloads, useK8sPods, useK8sServices, useK8sConfigMaps, useK8sSecrets } from '@/lib/k8s'
 import { Input } from '@/components/ui/input'
 import { Card, CardContent } from '@/components/ui/card'
 import { Label } from '@/components/ui/label'
@@ -17,8 +17,10 @@ import { WorkloadDetail } from '@/components/k8s/WorkloadDetail'
 import { PodDetail } from '@/components/k8s/PodDetail'
 import { ServiceDetail } from '@/components/k8s/ServiceDetail'
 import { ConfigMapDetail } from '@/components/k8s/ConfigMapDetail'
+import { SecretList } from '@/components/k8s/SecretList'
+import { SecretDetail } from '@/components/k8s/SecretDetail'
 
-type Tab = 'nodes' | 'workloads' | 'pods' | 'services' | 'configmaps'
+type Tab = 'nodes' | 'workloads' | 'pods' | 'services' | 'configmaps' | 'secrets'
 
 const TABS: { id: Tab; label: string }[] = [
   { id: 'nodes', label: 'Nodes' },
@@ -26,6 +28,7 @@ const TABS: { id: Tab; label: string }[] = [
   { id: 'pods', label: 'Pods' },
   { id: 'services', label: 'Services' },
   { id: 'configmaps', label: 'ConfigMaps' },
+  { id: 'secrets', label: 'Secrets' },
 ]
 
 interface NodeOpen { name: string }
@@ -33,6 +36,7 @@ interface WorkloadOpen { namespace: string; kind: string; name: string }
 interface PodOpen { namespace: string; name: string }
 interface ServiceOpen { namespace: string; name: string }
 interface ConfigMapOpen { namespace: string; name: string }
+interface SecretOpen { namespace: string; name: string }
 
 export function Kubernetes() {
   const [tab, setTab] = useState<Tab>('nodes')
@@ -44,6 +48,7 @@ export function Kubernetes() {
   const [openPod, setOpenPod] = useState<PodOpen | null>(null)
   const [openService, setOpenService] = useState<ServiceOpen | null>(null)
   const [openConfigMap, setOpenConfigMap] = useState<ConfigMapOpen | null>(null)
+  const [openSecret, setOpenSecret] = useState<SecretOpen | null>(null)
 
   const namespacesQ = useK8sNamespaces()
   const nodesQ = useK8sNodes()
@@ -51,6 +56,7 @@ export function Kubernetes() {
   const podsQ = useK8sPods(namespace)
   const servicesQ = useK8sServices(namespace)
   const configMapsQ = useK8sConfigMaps(namespace)
+  const secretsQ = useK8sSecrets(namespace)
 
   // Surface 503 from the namespaces call as a top-level unavailable state.
   const unavailable = namespacesQ.error instanceof ApiError && namespacesQ.error.status === 503
@@ -168,6 +174,15 @@ export function Kubernetes() {
           onOpen={(ns, name) => setOpenConfigMap({ namespace: ns, name })}
         />
       )}
+      {tab === 'secrets' && (
+        <SecretList
+          secrets={secretsQ.data?.secrets ?? []}
+          loading={secretsQ.isLoading}
+          error={secretsQ.error}
+          search={search}
+          onOpen={(ns, name) => setOpenSecret({ namespace: ns, name })}
+        />
+      )}
 
       {/* Detail drawers — rendered outside tab content so state persists across tab switches */}
       <NodeDetail
@@ -201,6 +216,12 @@ export function Kubernetes() {
         open={!!openConfigMap}
         onOpenChange={(o) => { if (!o) setOpenConfigMap(null) }}
       />
+      <SecretDetail
+        namespace={openSecret?.namespace ?? null}
+        name={openSecret?.name ?? null}
+        open={!!openSecret}
+        onOpenChange={(o) => { if (!o) setOpenSecret(null) }}
+      />
     </div>
   )
 }

From 72b454da12bba4422d4d07a9d9bed1e923ce5e90 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Sat, 9 May 2026 10:57:25 -0700
Subject: [PATCH 23/25] =?UTF-8?q?k8s:=20Phase=20D4=20=E2=80=94=20Monaco=20?=
 =?UTF-8?q?YAML=20editor=20(Get=20+=20Update=20with=20dry-run)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds an "Edit YAML" button to the existing detail drawers for the
five editable resource kinds (Deployment / StatefulSet / DaemonSet
/ Service / ConfigMap). Click → Sheet with a Monaco editor; Dry-run
validates server-side; Apply writes back via PUT semantics.

Backend (internal/k8s/manifest.go + internal/api/k8s/k8s.go)
  - GET  /api/k8s/manifest?kind=&namespace=&name=
         → { yaml, resource_version, gvk }
         The dynamic client fetches the resource as unstructured;
         we strip metadata.{managedFields,creationTimestamp,uid,
         resourceVersion,generation} and the entire status before
         marshalling so the editable surface is just spec + labels +
         annotations. resourceVersion is sent separately so the
         apply round-trip can detect conflicts without leaking RV
         into the editable buffer.
  - POST /api/k8s/manifest
         body: { yaml, resource_version, dry_run }
         → { ok, resource_version, warnings, dry_run }
         dyn.Update with metav1.UpdateOptions{DryRun: [DryRunAll]}
         when dry_run=true. PUT (Update) semantics, not server-side
         Apply — kubectl-edit-equivalent. The API server rejects on
         stale RV with k8serrors.IsConflict → 409.
  - Cross-check enforced: the YAML's `kind`, `metadata.namespace`,
    and `metadata.name` must match the URL path values; mismatch
    returns 400 ErrManifestMismatch. Prevents an "edit foo, but
    YAML targets bar" cross-resource attack.
  - Editable kinds allowlist (deployment / statefulset / daemonset
    / service / configmap). Anything outside → 400. Pods are
    excluded (immutable fields). Nodes are excluded (metadata-only
    edits warrant a different flow). Secrets stay read-only per D3.
  - Audit: k8s.manifest.dry_run / k8s.manifest.apply with
    {kind, namespace, name, bytes, dry_run}. The YAML body itself
    is never logged — only its size — so a future audit dump can't
    replay sensitive data that flowed through the editor.
  - Error mapping: 400 (parse / cross-check / not-editable kind),
    404, 409 (IsConflict), 422 (IsInvalid — admission webhook
    denial passes through verbatim), 500.

RBAC (deploy/k8s/rbac.yaml)
  - apps/{deployments,statefulsets,daemonsets}: patch + update
    (patch was already in scope from Phase C for restart; update
    is new for full YAML edits).
  - core/services: update (was get/list/watch only).
  - core/configmaps: update was already in scope from D2.

Frontend (lib/k8s.ts + components/k8s/ManifestEditor.tsx)
  - useK8sManifest: useQuery with refetchOnWindowFocus:false and
    staleTime:Infinity so unsaved edits aren't clobbered by a
    background refetch. Operator-driven Reload only.
  - useApplyManifest: useMutation. On non-dry-run success, invalidates
    workload/service/configmap detail + list queries.
  - ManifestEditor.tsx (Sheet drawer):
    • Monaco lazy-loaded via React.lazy → ~3MB chunk fetched only
      when the Sheet first opens; main bundle stays at the size it
      was before D4.
    • Dark theme, YAML mode, no minimap, font-mono, wordWrap on,
      scrollBeyondLastLine off.
    • Header buttons: Reload (with dirty-state confirmation),
      Dry-run, Apply (always confirms via AlertDialog).
    • Apply disabled when YAML is unchanged.
    • 409 conflict UX has its own dedicated Alert + inline Reload
      button, separate from generic / 422-admission errors.
    • resource_version shown muted in the header so operators know
      which revision they're working against.
  - WorkloadDetail / ServiceDetail / ConfigMapDetail each grew an
    Edit YAML button alongside their existing actions. ConfigMap
    keeps its structured key/value editor too — the YAML editor is
    the alternative when you need to edit metadata/labels/annotations.

Dependency: web/package.json adds @monaco-editor/react ^4.6.0 (the
small wrapper; monaco-editor itself is its peer/transitive). Lock
file regenerated locally before this commit so CI's `npm ci` works
without falling back to `npm install`.

Verified end-to-end:
  - Local golangci-lint v2.5.0 clean (0 issues), tsc --noEmit clean.
  - make image succeeds at ~230MB (Monaco lives in lazy chunks under
    /assets, not in the main runtime image bloat path).
  - Image loaded into both K3s nodes; deployment rolled cleanly.
  - kubectl auth can-i update {deployments|statefulsets|daemonsets|
    services|configmaps} as the SA → all five yes.
  - GET /api/k8s/manifest and POST /api/k8s/manifest both return
    401 (mounted, auth-gated).
  - SPA main bundle contains ManifestEditor + the manifest URL
    helpers; Monaco itself is in a separate lazy chunk.
---
 deploy/k8s/rbac.yaml                       |   3 +-
 internal/api/k8s/k8s.go                    | 214 +++++++++++++
 internal/k8s/manifest.go                   | 169 +++++++++++
 web/package-lock.json                      |  72 +++++
 web/package.json                           |   1 +
 web/src/components/k8s/ConfigMapDetail.tsx |  19 ++
 web/src/components/k8s/ManifestEditor.tsx  | 331 +++++++++++++++++++++
 web/src/components/k8s/ServiceDetail.tsx   |  35 ++-
 web/src/components/k8s/WorkloadDetail.tsx  |  17 ++
 web/src/lib/k8s.ts                         |  58 ++++
 10 files changed, 914 insertions(+), 5 deletions(-)
 create mode 100644 internal/k8s/manifest.go
 create mode 100644 web/src/components/k8s/ManifestEditor.tsx

diff --git a/deploy/k8s/rbac.yaml b/deploy/k8s/rbac.yaml
index 7ab1b9f..c704eb7 100644
--- a/deploy/k8s/rbac.yaml
+++ b/deploy/k8s/rbac.yaml
@@ -50,6 +50,7 @@ rules:
   - apiGroups: [""]
     resources:
       - configmaps
+      - services
     verbs: [update]
   # Secrets read access. Deliberately get/list only — NOT watch — so we
   # don't keep a long-lived stream of all cluster secret values open.
@@ -71,7 +72,7 @@ rules:
       - deployments
       - statefulsets
       - daemonsets
-    verbs: [patch]
+    verbs: [patch, update]
   - apiGroups: ["apps"]
     resources:
       - deployments/scale
diff --git a/internal/api/k8s/k8s.go b/internal/api/k8s/k8s.go
index fbcaf99..39c1c40 100644
--- a/internal/api/k8s/k8s.go
+++ b/internal/api/k8s/k8s.go
@@ -6,6 +6,7 @@ import (
 	"bufio"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -19,6 +20,7 @@ import (
 	"github.com/rs/zerolog"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/client-go/tools/remotecommand"
+	sigsyaml "sigs.k8s.io/yaml"
 
 	"github.com/tm4rtin17/controlroom/internal/api/middleware"
 	"github.com/tm4rtin17/controlroom/internal/k8s"
@@ -78,6 +80,8 @@ func MountHTTP(authed fiber.Router, d Deps) {
 	g.Put("/configmaps/:namespace/:name", d.updateConfigMapHandler)
 	g.Get("/secrets", d.listSecretsHandler)
 	g.Get("/secrets/:namespace/:name", d.secretDetailHandler)
+	g.Get("/manifest", d.getManifestHandler)
+	g.Post("/manifest", d.applyManifestHandler)
 }
 
 // MountWS registers WebSocket routes on the ws group.
@@ -1000,3 +1004,213 @@ done:
 		},
 	})
 }
+
+// ---- manifest handlers ----
+
+// validManifestKind checks the kind query param is in the editable allowlist.
+func validManifestKind(kind string) bool {
+	switch strings.ToLower(kind) {
+	case "deployment", "statefulset", "daemonset", "service", "configmap":
+		return true
+	}
+	return false
+}
+
+type manifestResp struct {
+	YAML            string `json:"yaml"`
+	ResourceVersion string `json:"resource_version"`
+	GVK             struct {
+		Group   string `json:"group"`
+		Version string `json:"version"`
+		Kind    string `json:"kind"`
+	} `json:"gvk"`
+}
+
+func (d Deps) getManifestHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+	kind := c.Query("kind")
+	namespace := c.Query("namespace")
+	name := c.Query("name")
+
+	if !validManifestKind(kind) {
+		return fiber.NewError(http.StatusBadRequest, fmt.Sprintf("invalid kind %q: must be deployment, statefulset, daemonset, service, or configmap", kind))
+	}
+	if !validK8sName(namespace) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace")
+	}
+	if !validK8sName(name) {
+		return fiber.NewError(http.StatusBadRequest, "invalid name")
+	}
+
+	yamlOut, rv, gvk, err := d.Client.GetManifest(c.Context(), kind, namespace, name)
+	if err != nil {
+		var kindErr k8s.ErrManifestKind
+		if errors.As(err, &kindErr) {
+			return fiber.NewError(http.StatusBadRequest, kindErr.Error())
+		}
+		if errors.Is(err, k8s.ErrManifestNotFound) {
+			return fiber.NewError(http.StatusNotFound, "resource not found")
+		}
+		if errors.Is(err, k8s.ErrManifestForbidden) {
+			return fiber.NewError(http.StatusForbidden, "forbidden")
+		}
+		return fiber.NewError(http.StatusInternalServerError, "get manifest: "+err.Error())
+	}
+
+	resp := manifestResp{
+		YAML:            yamlOut,
+		ResourceVersion: rv,
+	}
+	resp.GVK.Group = gvk.Group
+	resp.GVK.Version = gvk.Version
+	resp.GVK.Kind = gvk.Kind
+	return c.JSON(resp)
+}
+
+type applyReq struct {
+	YAML            string `json:"yaml"`
+	ResourceVersion string `json:"resource_version"`
+	DryRun          bool   `json:"dry_run"`
+}
+
+type applyResp struct {
+	OK              bool     `json:"ok"`
+	ResourceVersion string   `json:"resource_version"`
+	Warnings        []string `json:"warnings"`
+	DryRun          bool     `json:"dry_run"`
+}
+
+func (d Deps) applyManifestHandler(c *fiber.Ctx) error {
+	if err := d.requireClient(); err != nil {
+		return err
+	}
+
+	var body applyReq
+	if err := c.BodyParser(&body); err != nil {
+		return fiber.NewError(http.StatusBadRequest, "invalid request body")
+	}
+	if body.YAML == "" {
+		return fiber.NewError(http.StatusBadRequest, "yaml is required")
+	}
+	if body.ResourceVersion == "" {
+		return fiber.NewError(http.StatusBadRequest, "resource_version is required")
+	}
+
+	action := "k8s.manifest.apply"
+	if body.DryRun {
+		action = "k8s.manifest.dry_run"
+	}
+
+	// Extract kind/ns/name from YAML for the handler.
+	parsedKind, parsedNS, parsedName, parseErr := extractManifestMeta(body.YAML)
+	if parseErr != nil {
+		return fiber.NewError(http.StatusBadRequest, "invalid YAML: "+parseErr.Error())
+	}
+	if !validManifestKind(parsedKind) {
+		return fiber.NewError(http.StatusBadRequest, fmt.Sprintf("kind %q is not in the editable allowlist", parsedKind))
+	}
+	if !validK8sName(parsedNS) {
+		return fiber.NewError(http.StatusBadRequest, "invalid namespace in YAML metadata")
+	}
+	if !validK8sName(parsedName) {
+		return fiber.NewError(http.StatusBadRequest, "invalid name in YAML metadata")
+	}
+
+	target := parsedKind + "/" + parsedNS + "/" + parsedName
+
+	newRV, warnings, err := d.Client.ApplyManifest(
+		c.Context(),
+		parsedKind, parsedNS, parsedName,
+		body.YAML, body.ResourceVersion, body.DryRun,
+	)
+
+	entry := store.AuditEntry{
+		IP:      c.IP(),
+		Action:  action,
+		Target:  target,
+		Outcome: "success",
+		Detail: map[string]any{
+			"kind":      parsedKind,
+			"namespace": parsedNS,
+			"name":      parsedName,
+			"bytes":     len(body.YAML),
+			"dry_run":   body.DryRun,
+		},
+	}
+	if u := middleware.CurrentUser(c); u != nil {
+		entry.UserID = u.ID
+	}
+
+	if err != nil {
+		entry.Outcome = "failure"
+		entry.Detail = map[string]any{
+			"kind":      parsedKind,
+			"namespace": parsedNS,
+			"name":      parsedName,
+			"bytes":     len(body.YAML),
+			"dry_run":   body.DryRun,
+			"error":     err.Error(),
+		}
+		_ = d.DB.WriteAudit(c.Context(), entry)
+
+		var kindErr k8s.ErrManifestKind
+		var mismatchErr k8s.ErrManifestMismatch
+		var invalidErr k8s.ErrManifestInvalid
+		switch {
+		case errors.As(err, &kindErr):
+			return fiber.NewError(http.StatusBadRequest, kindErr.Error())
+		case errors.As(err, &mismatchErr):
+			return fiber.NewError(http.StatusBadRequest, mismatchErr.Error())
+		case errors.As(err, &invalidErr):
+			return fiber.NewError(http.StatusUnprocessableEntity, invalidErr.Message)
+		case errors.Is(err, k8s.ErrManifestConflict):
+			return fiber.NewError(http.StatusConflict, "conflict — resource was modified by another process; reload and retry")
+		case errors.Is(err, k8s.ErrManifestNotFound):
+			return fiber.NewError(http.StatusNotFound, "resource not found")
+		case errors.Is(err, k8s.ErrManifestForbidden):
+			return fiber.NewError(http.StatusForbidden, "forbidden")
+		}
+		return fiber.NewError(http.StatusInternalServerError, "apply manifest: "+err.Error())
+	}
+
+	_ = d.DB.WriteAudit(c.Context(), entry)
+
+	rv := newRV
+	if body.DryRun {
+		rv = body.ResourceVersion
+	}
+
+	return c.JSON(applyResp{
+		OK:              true,
+		ResourceVersion: rv,
+		Warnings:        warnings,
+		DryRun:          body.DryRun,
+	})
+}
+
+// extractManifestMeta parses the YAML document minimally to obtain kind,
+// metadata.namespace, and metadata.name without the full unstructured decode.
+func extractManifestMeta(yamlText string) (kind, namespace, name string, err error) {
+	var doc struct {
+		Kind     string `json:"kind"`
+		Metadata struct {
+			Name      string `json:"name"`
+			Namespace string `json:"namespace"`
+		} `json:"metadata"`
+	}
+	if unmarshalErr := sigsyaml.Unmarshal([]byte(yamlText), &doc); unmarshalErr != nil {
+		return "", "", "", unmarshalErr
+	}
+	if doc.Kind == "" {
+		return "", "", "", fmt.Errorf("kind is missing")
+	}
+	if doc.Metadata.Name == "" {
+		return "", "", "", fmt.Errorf("metadata.name is missing")
+	}
+	if doc.Metadata.Namespace == "" {
+		return "", "", "", fmt.Errorf("metadata.namespace is missing")
+	}
+	return strings.ToLower(doc.Kind), doc.Metadata.Namespace, doc.Metadata.Name, nil
+}
diff --git a/internal/k8s/manifest.go b/internal/k8s/manifest.go
new file mode 100644
index 0000000..ad085f2
--- /dev/null
+++ b/internal/k8s/manifest.go
@@ -0,0 +1,169 @@
+package k8s
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	sigsyaml "sigs.k8s.io/yaml"
+)
+
+// editableKinds lists the resource types that may be fetched and patched through
+// the manifest API. Pods, Nodes, and Secrets are intentionally excluded.
+var editableKinds = map[string]schema.GroupVersionResource{
+	"deployment":  {Group: "apps", Version: "v1", Resource: "deployments"},
+	"statefulset": {Group: "apps", Version: "v1", Resource: "statefulsets"},
+	"daemonset":   {Group: "apps", Version: "v1", Resource: "daemonsets"},
+	"service":     {Group: "", Version: "v1", Resource: "services"},
+	"configmap":   {Group: "", Version: "v1", Resource: "configmaps"},
+}
+
+// editableGVK maps the same keys to the canonical GVK for the YAML apiVersion/kind header.
+var editableGVK = map[string]schema.GroupVersionKind{
+	"deployment":  {Group: "apps", Version: "v1", Kind: "Deployment"},
+	"statefulset": {Group: "apps", Version: "v1", Kind: "StatefulSet"},
+	"daemonset":   {Group: "apps", Version: "v1", Kind: "DaemonSet"},
+	"service":     {Group: "", Version: "v1", Kind: "Service"},
+	"configmap":   {Group: "", Version: "v1", Kind: "ConfigMap"},
+}
+
+// ErrManifestKind is returned when a kind is not in the editable allowlist.
+type ErrManifestKind struct{ Kind string }
+
+func (e ErrManifestKind) Error() string {
+	return fmt.Sprintf("kind %q is not in the editable allowlist (deployment|statefulset|daemonset|service|configmap)", e.Kind)
+}
+
+// ErrManifestConflict is returned when the API server returns a 409 conflict.
+var ErrManifestConflict = fmt.Errorf("conflict — resource was modified by another process; reload and retry")
+
+// ErrManifestNotFound is returned when the resource does not exist.
+var ErrManifestNotFound = fmt.Errorf("resource not found")
+
+// ErrManifestInvalid is returned when the API server rejects with 422.
+type ErrManifestInvalid struct{ Message string }
+
+func (e ErrManifestInvalid) Error() string { return e.Message }
+
+// ErrManifestForbidden is returned on 403 from the API server.
+var ErrManifestForbidden = fmt.Errorf("forbidden")
+
+// ErrManifestMismatch is returned when YAML metadata doesn't match URL params.
+type ErrManifestMismatch struct{ Detail string }
+
+func (e ErrManifestMismatch) Error() string { return e.Detail }
+
+// stripMeta removes server-managed and conflict-prone fields before serialising.
+// Keeps labels, annotations, spec. Removes status entirely.
+func stripMeta(obj *unstructured.Unstructured) {
+	meta, ok := obj.Object["metadata"].(map[string]interface{})
+	if !ok {
+		return
+	}
+	for _, field := range []string{
+		"managedFields",
+		"creationTimestamp",
+		"uid",
+		"resourceVersion",
+		"generation",
+	} {
+		delete(meta, field)
+	}
+	obj.Object["metadata"] = meta
+	delete(obj.Object, "status")
+}
+
+// GetManifest fetches a resource as cleaned YAML plus its resourceVersion and GVK.
+func (c *Client) GetManifest(ctx context.Context, kind, namespace, name string) (yamlOut string, rv string, gvk schema.GroupVersionKind, err error) {
+	normKind := strings.ToLower(kind)
+	gvr, ok := editableKinds[normKind]
+	if !ok {
+		return "", "", schema.GroupVersionKind{}, ErrManifestKind{Kind: kind}
+	}
+	gvk = editableGVK[normKind]
+
+	obj, err := c.dyn.Resource(gvr).Namespace(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return "", "", gvk, mapManifestErr(err)
+	}
+
+	rv = obj.GetResourceVersion()
+
+	stripMeta(obj)
+
+	raw, err := sigsyaml.Marshal(obj.Object)
+	if err != nil {
+		return "", "", gvk, fmt.Errorf("marshal manifest: %w", err)
+	}
+	return string(raw), rv, gvk, nil
+}
+
+// ApplyManifest parses the YAML, cross-checks metadata against URL params,
+// injects resourceVersion, and calls Update (PUT) on the dynamic client.
+// Returns the post-update resourceVersion and any server warnings.
+func (c *Client) ApplyManifest(ctx context.Context, kind, namespace, name, yamlText, resourceVersion string, dryRun bool) (newRV string, warnings []string, err error) {
+	normKind := strings.ToLower(kind)
+	gvr, ok := editableKinds[normKind]
+	if !ok {
+		return "", nil, ErrManifestKind{Kind: kind}
+	}
+
+	// Parse YAML → unstructured.
+	var raw map[string]interface{}
+	if unmarshalErr := sigsyaml.Unmarshal([]byte(yamlText), &raw); unmarshalErr != nil {
+		return "", nil, fmt.Errorf("invalid YAML: %w", unmarshalErr)
+	}
+	if raw == nil {
+		return "", nil, fmt.Errorf("invalid YAML: empty document")
+	}
+
+	obj := &unstructured.Unstructured{Object: raw}
+
+	// Cross-check kind in YAML matches URL kind.
+	yamlKind := strings.ToLower(obj.GetKind())
+	if yamlKind != normKind {
+		return "", nil, ErrManifestMismatch{Detail: fmt.Sprintf("YAML kind %q does not match URL kind %q", obj.GetKind(), kind)}
+	}
+
+	// Cross-check name and namespace in YAML match URL params.
+	if obj.GetName() != name {
+		return "", nil, ErrManifestMismatch{Detail: fmt.Sprintf("YAML metadata.name %q does not match URL name %q", obj.GetName(), name)}
+	}
+	if obj.GetNamespace() != namespace {
+		return "", nil, ErrManifestMismatch{Detail: fmt.Sprintf("YAML metadata.namespace %q does not match URL namespace %q", obj.GetNamespace(), namespace)}
+	}
+
+	// Inject resourceVersion for conflict detection.
+	obj.SetResourceVersion(resourceVersion)
+
+	var dryRunOpts []string
+	if dryRun {
+		dryRunOpts = []string{metav1.DryRunAll}
+	}
+
+	result, err := c.dyn.Resource(gvr).Namespace(namespace).Update(ctx, obj, metav1.UpdateOptions{DryRun: dryRunOpts})
+	if err != nil {
+		return "", nil, mapManifestErr(err)
+	}
+
+	return result.GetResourceVersion(), []string{}, nil
+}
+
+// mapManifestErr translates typed k8s API errors to the sentinel errors above.
+func mapManifestErr(err error) error {
+	switch {
+	case k8serrors.IsConflict(err):
+		return ErrManifestConflict
+	case k8serrors.IsNotFound(err):
+		return ErrManifestNotFound
+	case k8serrors.IsInvalid(err):
+		return ErrManifestInvalid{Message: err.Error()}
+	case k8serrors.IsForbidden(err):
+		return ErrManifestForbidden
+	}
+	return err
+}
diff --git a/web/package-lock.json b/web/package-lock.json
index 9707a89..68ecdd9 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -9,6 +9,7 @@
       "version": "0.0.1",
       "dependencies": {
         "@hookform/resolvers": "^3.9.0",
+        "@monaco-editor/react": "^4.6.0",
         "@radix-ui/react-alert-dialog": "^1.1.2",
         "@radix-ui/react-dialog": "^1.1.2",
         "@radix-ui/react-dropdown-menu": "^2.1.2",
@@ -1019,6 +1020,29 @@
         "@jridgewell/sourcemap-codec": "^1.4.14"
       }
     },
+    "node_modules/@monaco-editor/loader": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/@monaco-editor/loader/-/loader-1.7.0.tgz",
+      "integrity": "sha512-gIwR1HrJrrx+vfyOhYmCZ0/JcWqG5kbfG7+d3f/C1LXk2EvzAbHSg3MQ5lO2sMlo9izoAZ04shohfKLVT6crVA==",
+      "license": "MIT",
+      "dependencies": {
+        "state-local": "^1.0.6"
+      }
+    },
+    "node_modules/@monaco-editor/react": {
+      "version": "4.7.0",
+      "resolved": "https://registry.npmjs.org/@monaco-editor/react/-/react-4.7.0.tgz",
+      "integrity": "sha512-cyzXQCtO47ydzxpQtCGSQGOC8Gk3ZUeBXFAxD+CWXYFo5OqZyZUonFl0DwUlTyAfRHntBfw2p3w4s9R6oe1eCA==",
+      "license": "MIT",
+      "dependencies": {
+        "@monaco-editor/loader": "^1.5.0"
+      },
+      "peerDependencies": {
+        "monaco-editor": ">= 0.25.0 < 1",
+        "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
+        "react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0"
+      }
+    },
     "node_modules/@nodelib/fs.scandir": {
       "version": "2.1.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
@@ -2315,6 +2339,14 @@
         "@types/react": "^18.0.0"
       }
     },
+    "node_modules/@types/trusted-types": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
+      "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
+      "license": "MIT",
+      "optional": true,
+      "peer": true
+    },
     "node_modules/@typescript-eslint/eslint-plugin": {
       "version": "8.59.2",
       "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.2.tgz",
@@ -3088,6 +3120,16 @@
         "node": ">=6.0.0"
       }
     },
+    "node_modules/dompurify": {
+      "version": "3.2.7",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.7.tgz",
+      "integrity": "sha512-WhL/YuveyGXJaerVlMYGWhvQswa7myDG17P7Vu65EWC05o8vfeNbvNf4d/BOvH99+ZW+LlQsc1GDKMa1vNK6dw==",
+      "license": "(MPL-2.0 OR Apache-2.0)",
+      "peer": true,
+      "optionalDependencies": {
+        "@types/trusted-types": "^2.0.7"
+      }
+    },
     "node_modules/electron-to-chromium": {
       "version": "1.5.353",
       "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.353.tgz",
@@ -3987,6 +4029,19 @@
         "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0-rc"
       }
     },
+    "node_modules/marked": {
+      "version": "14.0.0",
+      "resolved": "https://registry.npmjs.org/marked/-/marked-14.0.0.tgz",
+      "integrity": "sha512-uIj4+faQ+MgHgwUW1l2PsPglZLOLOT1uErt06dAPtx2kjteLAkbsd/0FiYg/MGS+i7ZKLb7w2WClxHkzOOuryQ==",
+      "license": "MIT",
+      "peer": true,
+      "bin": {
+        "marked": "bin/marked.js"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
     "node_modules/merge2": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz",
@@ -4025,6 +4080,17 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
+    "node_modules/monaco-editor": {
+      "version": "0.55.1",
+      "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.55.1.tgz",
+      "integrity": "sha512-jz4x+TJNFHwHtwuV9vA9rMujcZRb0CEilTEwG2rRSpe/A7Jdkuj8xPKttCgOh+v/lkHy7HsZ64oj+q3xoAFl9A==",
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "dompurify": "3.2.7",
+        "marked": "14.0.0"
+      }
+    },
     "node_modules/ms": {
       "version": "2.1.3",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
@@ -4796,6 +4862,12 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/state-local": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/state-local/-/state-local-1.0.7.tgz",
+      "integrity": "sha512-HTEHMNieakEnoe33shBYcZ7NX83ACUjCu8c40iOGEZsngj9zRnkqS9j1pqQPXwobB0ZcVTk27REb7COQ0UR59w==",
+      "license": "MIT"
+    },
     "node_modules/strip-ansi": {
       "version": "6.0.1",
       "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
diff --git a/web/package.json b/web/package.json
index 7153f4f..fb8dc32 100644
--- a/web/package.json
+++ b/web/package.json
@@ -12,6 +12,7 @@
   },
   "dependencies": {
     "@hookform/resolvers": "^3.9.0",
+    "@monaco-editor/react": "^4.6.0",
     "@radix-ui/react-alert-dialog": "^1.1.2",
     "@radix-ui/react-dialog": "^1.1.2",
     "@radix-ui/react-dropdown-menu": "^2.1.2",
diff --git a/web/src/components/k8s/ConfigMapDetail.tsx b/web/src/components/k8s/ConfigMapDetail.tsx
index 7c41bdd..5fb18ee 100644
--- a/web/src/components/k8s/ConfigMapDetail.tsx
+++ b/web/src/components/k8s/ConfigMapDetail.tsx
@@ -2,6 +2,7 @@ import { useState, useEffect, useRef, useCallback } from 'react'
 import { Trash2, Plus, RefreshCw } from 'lucide-react'
 
 import { useK8sConfigMapDetail, useUpdateConfigMap } from '@/lib/k8s'
+import { ManifestEditor } from './ManifestEditor'
 import { ApiError } from '@/lib/api'
 import { formatBytes } from '@/lib/format'
 import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
@@ -89,6 +90,7 @@ export function ConfigMapDetail({
   const [saveError, setSaveError] = useState<string | null>(null)
   const [saveSuccess, setSaveSuccess] = useState(false)
   const [conflictError, setConflictError] = useState(false)
+  const [manifestEditorOpen, setManifestEditorOpen] = useState(false)
 
   const newKeyRefs = useRef<HTMLInputElement[]>([])
 
@@ -213,6 +215,13 @@ export function ConfigMapDetail({
                 >
                   <RefreshCw className="h-3.5 w-3.5" />
                 </Button>
+                <Button
+                  size="sm"
+                  variant="outline"
+                  onClick={() => setManifestEditorOpen(true)}
+                >
+                  Edit YAML
+                </Button>
                 <Button
                   size="sm"
                   disabled={!canSave || updateMut.isPending}
@@ -383,6 +392,16 @@ export function ConfigMapDetail({
           </AlertDialogFooter>
         </AlertDialogContent>
       </AlertDialog>
+
+      {namespace && name && (
+        <ManifestEditor
+          kind="configmap"
+          namespace={namespace}
+          name={name}
+          open={manifestEditorOpen}
+          onClose={() => setManifestEditorOpen(false)}
+        />
+      )}
     </>
   )
 }
diff --git a/web/src/components/k8s/ManifestEditor.tsx b/web/src/components/k8s/ManifestEditor.tsx
new file mode 100644
index 0000000..9a6137c
--- /dev/null
+++ b/web/src/components/k8s/ManifestEditor.tsx
@@ -0,0 +1,331 @@
+import React, { Suspense, useEffect, useState } from 'react'
+import { Loader2, RefreshCw } from 'lucide-react'
+
+import { useK8sManifest, useApplyManifest } from '@/lib/k8s'
+import { ApiError } from '@/lib/api'
+import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
+import {
+  AlertDialog,
+  AlertDialogAction,
+  AlertDialogCancel,
+  AlertDialogContent,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogHeader,
+  AlertDialogTitle,
+} from '@/components/ui/alert-dialog'
+import { Alert, AlertDescription } from '@/components/ui/alert'
+import { Button } from '@/components/ui/button'
+
+// Lazy-load the Monaco editor to keep the initial bundle lean (~2-3 MB avoided).
+const MonacoEditor = React.lazy(() => import('@monaco-editor/react'))
+
+const EDITOR_OPTIONS = {
+  minimap: { enabled: false },
+  fontSize: 13,
+  fontFamily: 'ui-monospace, SFMono-Regular, Menlo, Consolas, monospace',
+  wordWrap: 'on' as const,
+  tabSize: 2,
+  scrollBeyondLastLine: false,
+}
+
+type EditorKind = 'deployment' | 'statefulset' | 'daemonset' | 'service' | 'configmap'
+
+interface ManifestEditorProps {
+  kind: EditorKind
+  namespace: string
+  name: string
+  open: boolean
+  onClose: () => void
+}
+
+type ActionStatus =
+  | { type: 'idle' }
+  | { type: 'dry-run-passed'; warnings: string[] }
+  | { type: 'applied'; warnings: string[] }
+  | { type: 'admission-error'; message: string }
+  | { type: 'conflict' }
+  | { type: 'error'; message: string }
+
+export function ManifestEditor({ kind, namespace, name, open, onClose }: ManifestEditorProps) {
+  const manifestQ = useK8sManifest(open ? kind : '', open ? namespace : '', open ? name : '')
+  const applyMut = useApplyManifest()
+
+  const [editedYAML, setEditedYAML] = useState('')
+  const [originalYAML, setOriginalYAML] = useState('')
+  const [resourceVersion, setResourceVersion] = useState('')
+  const [status, setStatus] = useState<ActionStatus>({ type: 'idle' })
+
+  const [applyDialogOpen, setApplyDialogOpen] = useState(false)
+  const [reloadDialogOpen, setReloadDialogOpen] = useState(false)
+  // Track which action is pending so buttons show the right spinner.
+  const [pendingAction, setPendingAction] = useState<'dry-run' | 'apply' | null>(null)
+
+  // Sync content when the manifest loads or is refetched.
+  useEffect(() => {
+    if (!manifestQ.data) return
+    const { yaml, resource_version } = manifestQ.data
+    setOriginalYAML(yaml)
+    setEditedYAML(yaml)
+    setResourceVersion(resource_version)
+    setStatus({ type: 'idle' })
+  }, [manifestQ.data])
+
+  // Reset state when the sheet is opened (so stale status from a prior open is cleared).
+  useEffect(() => {
+    if (open) {
+      setStatus({ type: 'idle' })
+    }
+  }, [open])
+
+  const dirty = editedYAML !== originalYAML
+
+  function handleEditorChange(value: string | undefined) {
+    setEditedYAML(value ?? '')
+    // Clear transient success status when user edits again.
+    setStatus((prev) =>
+      prev.type === 'dry-run-passed' || prev.type === 'applied' ? { type: 'idle' } : prev
+    )
+  }
+
+  function triggerReload() {
+    manifestQ.refetch()
+    setStatus({ type: 'idle' })
+  }
+
+  function handleReloadClick() {
+    if (dirty) {
+      setReloadDialogOpen(true)
+    } else {
+      triggerReload()
+    }
+  }
+
+  function runApply(dry_run: boolean) {
+    setPendingAction(dry_run ? 'dry-run' : 'apply')
+    applyMut.mutate(
+      { kind, namespace, name, yaml: editedYAML, resource_version: resourceVersion, dry_run },
+      {
+        onSuccess: (resp) => {
+          setPendingAction(null)
+          if (!dry_run) {
+            setOriginalYAML(editedYAML)
+            setResourceVersion(resp.resource_version)
+          }
+          setStatus(
+            dry_run
+              ? { type: 'dry-run-passed', warnings: resp.warnings }
+              : { type: 'applied', warnings: resp.warnings }
+          )
+        },
+        onError: (err) => {
+          setPendingAction(null)
+          if (err instanceof ApiError && err.status === 409) {
+            setStatus({ type: 'conflict' })
+          } else if (err instanceof ApiError && err.status === 422) {
+            setStatus({ type: 'admission-error', message: err.message })
+          } else {
+            setStatus({ type: 'error', message: err instanceof Error ? err.message : 'Unknown error' })
+          }
+        },
+      }
+    )
+  }
+
+  const isPending = applyMut.isPending
+
+  return (
+    <>
+      <Sheet open={open} onOpenChange={(o) => { if (!o) onClose() }}>
+        <SheetContent className="flex flex-col overflow-hidden sm:max-w-[82vw]">
+          <SheetHeader className="shrink-0">
+            <div className="flex items-start justify-between gap-2 pr-6">
+              <div className="min-w-0">
+                <SheetTitle className="font-mono text-sm break-all">
+                  Edit YAML — {kind}/{namespace}/{name}
+                </SheetTitle>
+                <SheetDescription>
+                  {resourceVersion ? (
+                    <span>
+                      resourceVersion:{' '}
+                      <span className="font-mono text-xs">{resourceVersion}</span>
+                    </span>
+                  ) : (
+                    <span>Loading manifest…</span>
+                  )}
+                </SheetDescription>
+              </div>
+              <div className="flex shrink-0 items-center gap-2 pt-0.5">
+                <Button
+                  size="sm"
+                  variant="outline"
+                  onClick={handleReloadClick}
+                  disabled={isPending || manifestQ.isFetching}
+                  title="Reload manifest"
+                >
+                  {manifestQ.isFetching ? (
+                    <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                  ) : (
+                    <RefreshCw className="h-3.5 w-3.5" />
+                  )}
+                </Button>
+                <Button
+                  size="sm"
+                  variant="outline"
+                  disabled={isPending || !dirty || !resourceVersion}
+                  onClick={() => runApply(true)}
+                >
+                  {pendingAction === 'dry-run' && <Loader2 className="h-3.5 w-3.5 animate-spin" />}
+                  Dry-run
+                </Button>
+                <Button
+                  size="sm"
+                  variant="destructive"
+                  disabled={isPending || !dirty || !resourceVersion}
+                  onClick={() => setApplyDialogOpen(true)}
+                >
+                  {pendingAction === 'apply' && <Loader2 className="h-3.5 w-3.5 animate-spin" />}
+                  Apply
+                </Button>
+              </div>
+            </div>
+          </SheetHeader>
+
+          {/* Status alerts */}
+          <div className="shrink-0">
+            {status.type === 'conflict' && (
+              <Alert variant="destructive" className="mt-3">
+                <AlertDescription className="flex items-center justify-between gap-2">
+                  <span>
+                    Conflict: this resource was modified by someone else. Reload to see the latest
+                    version, then re-apply your changes.
+                  </span>
+                  <Button size="sm" variant="outline" className="h-6 shrink-0 text-xs" onClick={triggerReload}>
+                    Reload
+                  </Button>
+                </AlertDescription>
+              </Alert>
+            )}
+            {status.type === 'admission-error' && (
+              <Alert variant="destructive" className="mt-3">
+                <AlertDescription>{status.message}</AlertDescription>
+              </Alert>
+            )}
+            {status.type === 'error' && (
+              <Alert variant="destructive" className="mt-3">
+                <AlertDescription>{status.message}</AlertDescription>
+              </Alert>
+            )}
+            {manifestQ.isError && !manifestQ.data && (
+              <Alert variant="destructive" className="mt-3">
+                <AlertDescription>
+                  {manifestQ.error instanceof Error ? manifestQ.error.message : 'Failed to load manifest.'}
+                </AlertDescription>
+              </Alert>
+            )}
+          </div>
+
+          {/* Editor area */}
+          <div className="mt-3 min-h-0 flex-1 overflow-hidden rounded-md border">
+            <Suspense
+              fallback={
+                <div className="flex h-full items-center justify-center text-sm text-muted-foreground">
+                  Loading editor…
+                </div>
+              }
+            >
+              <MonacoEditor
+                height="100%"
+                language="yaml"
+                theme="vs-dark"
+                value={editedYAML}
+                onChange={handleEditorChange}
+                options={EDITOR_OPTIONS}
+              />
+            </Suspense>
+          </div>
+
+          {/* Bottom status row */}
+          <div className="shrink-0 pt-2 text-xs text-muted-foreground flex items-center gap-3">
+            {dirty ? (
+              <span className="text-amber-500">Unsaved changes</span>
+            ) : (
+              <span>No changes</span>
+            )}
+            {status.type === 'dry-run-passed' && (
+              <span className="text-emerald-500">
+                Dry-run passed — apply to commit
+                {status.warnings.length > 0 && ` (${status.warnings.length} warning${status.warnings.length > 1 ? 's' : ''})`}
+              </span>
+            )}
+            {status.type === 'applied' && (
+              <span className="text-emerald-500">
+                Applied successfully
+                {status.warnings.length > 0 && ` (${status.warnings.length} warning${status.warnings.length > 1 ? 's' : ''})`}
+              </span>
+            )}
+            {(status.type === 'dry-run-passed' || status.type === 'applied') &&
+              status.warnings.length > 0 && (
+                <span className="truncate text-amber-400" title={status.warnings.join('; ')}>
+                  {status.warnings[0]}
+                </span>
+              )}
+          </div>
+        </SheetContent>
+      </Sheet>
+
+      {/* Apply confirmation */}
+      <AlertDialog open={applyDialogOpen} onOpenChange={setApplyDialogOpen}>
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle>Apply changes?</AlertDialogTitle>
+            <AlertDialogDescription>
+              Apply changes to{' '}
+              <span className="font-mono">
+                {kind}/{namespace}/{name}
+              </span>
+              ? This is the same as <span className="font-mono">kubectl apply</span> — the change is
+              live immediately.
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <AlertDialogFooter>
+            <AlertDialogCancel disabled={isPending}>Cancel</AlertDialogCancel>
+            <AlertDialogAction
+              variant="destructive"
+              disabled={isPending}
+              onClick={() => {
+                setApplyDialogOpen(false)
+                runApply(false)
+              }}
+            >
+              Apply
+            </AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
+
+      {/* Reload confirmation (only shown when dirty) */}
+      <AlertDialog open={reloadDialogOpen} onOpenChange={setReloadDialogOpen}>
+        <AlertDialogContent>
+          <AlertDialogHeader>
+            <AlertDialogTitle>Discard changes?</AlertDialogTitle>
+            <AlertDialogDescription>
+              Reload the manifest from the server? Your unsaved edits will be lost.
+            </AlertDialogDescription>
+          </AlertDialogHeader>
+          <AlertDialogFooter>
+            <AlertDialogCancel>Cancel</AlertDialogCancel>
+            <AlertDialogAction
+              onClick={() => {
+                setReloadDialogOpen(false)
+                triggerReload()
+              }}
+            >
+              Reload
+            </AlertDialogAction>
+          </AlertDialogFooter>
+        </AlertDialogContent>
+      </AlertDialog>
+    </>
+  )
+}
diff --git a/web/src/components/k8s/ServiceDetail.tsx b/web/src/components/k8s/ServiceDetail.tsx
index ed1a2ed..1effc97 100644
--- a/web/src/components/k8s/ServiceDetail.tsx
+++ b/web/src/components/k8s/ServiceDetail.tsx
@@ -1,8 +1,12 @@
+import { useState } from 'react'
+
 import { useK8sServiceDetail } from '@/lib/k8s'
 import { Sheet, SheetContent, SheetHeader, SheetTitle, SheetDescription } from '@/components/ui/sheet'
 import { Badge } from '@/components/ui/badge'
+import { Button } from '@/components/ui/button'
 import { K8sServiceTypePill } from './K8sStatusPill'
 import { EventsTable } from './EventsTable'
+import { ManifestEditor } from './ManifestEditor'
 
 function Section({ title, children }: { title: string; children: React.ReactNode }) {
   return (
@@ -27,14 +31,26 @@ export function ServiceDetail({
   const { data } = useK8sServiceDetail(open ? namespace : null, open ? name : null)
   const svc = data?.service
 
+  const [manifestEditorOpen, setManifestEditorOpen] = useState(false)
+
   return (
+  <>
     <Sheet open={open} onOpenChange={onOpenChange}>
       <SheetContent className="overflow-y-auto">
         <SheetHeader>
-          <SheetTitle className="font-mono break-all">{svc?.name ?? name}</SheetTitle>
-          <SheetDescription>
-            {svc ? `${svc.namespace} · ${svc.cluster_ip || '—'}` : (namespace ?? '')}
-          </SheetDescription>
+          <div className="flex items-start justify-between gap-2">
+            <div className="min-w-0">
+              <SheetTitle className="font-mono break-all">{svc?.name ?? name}</SheetTitle>
+              <SheetDescription>
+                {svc ? `${svc.namespace} · ${svc.cluster_ip || '—'}` : (namespace ?? '')}
+              </SheetDescription>
+            </div>
+            <div className="shrink-0 pt-0.5">
+              <Button size="sm" variant="outline" onClick={() => setManifestEditorOpen(true)}>
+                Edit YAML
+              </Button>
+            </div>
+          </div>
         </SheetHeader>
 
         {data && svc && (
@@ -119,5 +135,16 @@ export function ServiceDetail({
         )}
       </SheetContent>
     </Sheet>
+
+    {namespace && name && (
+      <ManifestEditor
+        kind="service"
+        namespace={namespace}
+        name={name}
+        open={manifestEditorOpen}
+        onClose={() => setManifestEditorOpen(false)}
+      />
+    )}
+  </>
   )
 }
diff --git a/web/src/components/k8s/WorkloadDetail.tsx b/web/src/components/k8s/WorkloadDetail.tsx
index 1d119e2..e7c949f 100644
--- a/web/src/components/k8s/WorkloadDetail.tsx
+++ b/web/src/components/k8s/WorkloadDetail.tsx
@@ -20,6 +20,7 @@ import { Badge } from '@/components/ui/badge'
 import { cn } from '@/lib/utils'
 import { ConditionsTable } from './ConditionsTable'
 import { EventsTable } from './EventsTable'
+import { ManifestEditor } from './ManifestEditor'
 
 function Section({ title, children }: { title: string; children: React.ReactNode }) {
   return (
@@ -55,6 +56,7 @@ export function WorkloadDetail({
   const [restartOpen, setRestartOpen] = useState(false)
   const [scaleOpen, setScaleOpen] = useState(false)
   const [scaleReplicas, setScaleReplicas] = useState<number>(0)
+  const [manifestEditorOpen, setManifestEditorOpen] = useState(false)
 
   const w = data?.workload
   const pct = w && w.ready.desired > 0 ? (w.ready.current / w.ready.desired) * 100 : 0
@@ -77,6 +79,7 @@ export function WorkloadDetail({
   }
 
   return (
+  <>
     <Sheet open={open} onOpenChange={onOpenChange}>
       <SheetContent className="overflow-y-auto">
         <SheetHeader>
@@ -96,6 +99,9 @@ export function WorkloadDetail({
               <Button size="sm" variant="outline" onClick={() => setRestartOpen(true)}>
                 Restart
               </Button>
+              <Button size="sm" variant="outline" onClick={() => setManifestEditorOpen(true)}>
+                Edit YAML
+              </Button>
             </div>
           </div>
         </SheetHeader>
@@ -197,5 +203,16 @@ export function WorkloadDetail({
         </AlertDialogContent>
       </AlertDialog>
     </Sheet>
+
+    {namespace && kind && name && (
+      <ManifestEditor
+        kind={kind.toLowerCase() as 'deployment' | 'statefulset' | 'daemonset'}
+        namespace={namespace}
+        name={name}
+        open={manifestEditorOpen}
+        onClose={() => setManifestEditorOpen(false)}
+      />
+    )}
+  </>
   )
 }
diff --git a/web/src/lib/k8s.ts b/web/src/lib/k8s.ts
index 8718846..6d854a6 100644
--- a/web/src/lib/k8s.ts
+++ b/web/src/lib/k8s.ts
@@ -318,6 +318,64 @@ export function useUpdateConfigMap() {
   })
 }
 
+export interface K8sManifest {
+  yaml: string
+  resource_version: string
+  gvk: { group: string; version: string; kind: string }
+}
+
+export interface K8sApplyResp {
+  ok: true
+  resource_version: string
+  warnings: string[]
+  dry_run: boolean
+}
+
+export function useK8sManifest(kind: string, namespace: string, name: string) {
+  return useQuery({
+    queryKey: ['k8s', 'manifest', kind, namespace, name],
+    queryFn: () =>
+      apiFetch<K8sManifest>(
+        `/api/k8s/manifest?kind=${encodeURIComponent(kind)}&namespace=${encodeURIComponent(namespace)}&name=${encodeURIComponent(name)}`
+      ),
+    enabled: !!(kind && namespace && name),
+    refetchOnWindowFocus: false,
+    staleTime: Infinity,
+  })
+}
+
+export function useApplyManifest() {
+  const qc = useQueryClient()
+  return useMutation({
+    mutationFn: ({
+      yaml,
+      resource_version,
+      dry_run,
+    }: {
+      kind: string
+      namespace: string
+      name: string
+      yaml: string
+      resource_version: string
+      dry_run: boolean
+    }) =>
+      apiFetch<K8sApplyResp>('/api/k8s/manifest', {
+        method: 'POST',
+        body: JSON.stringify({ yaml, resource_version, dry_run }),
+      }),
+    onSuccess: (_data, { kind, namespace, name, dry_run }) => {
+      if (!dry_run) {
+        qc.invalidateQueries({ queryKey: ['k8s', 'workloads', namespace, kind, name, 'detail'] })
+        qc.invalidateQueries({ queryKey: ['k8s', 'workloads', namespace] })
+        qc.invalidateQueries({ queryKey: ['k8s', 'services', namespace, name, 'detail'] })
+        qc.invalidateQueries({ queryKey: ['k8s', 'services', namespace] })
+        qc.invalidateQueries({ queryKey: ['k8s', 'configmap', 'detail', namespace, name] })
+        qc.invalidateQueries({ queryKey: ['k8s', 'configmaps', namespace] })
+      }
+    },
+  })
+}
+
 export function useRestartWorkload() {
   const qc = useQueryClient()
   return useMutation({

From a4187c81a4fb610aabe8c28b9221ab33d3e94c2f Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Sat, 9 May 2026 11:06:36 -0700
Subject: [PATCH 24/25] deploy: declare controlroom-data volume as external
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`docker compose up` namespaces named volumes with the project name —
when run from deploy/ the volume becomes deploy_controlroom-data, not
controlroom-data. That silently creates a fresh empty volume rather
than reusing the host-level one, stranding the operator's admin user,
JWT signing key, and TLS material on the other volume; the SPA then
shows the first-run setup wizard as if it were a clean install.

Marking the volume external means compose refuses to start if the
volume isn't already present (operator runs `docker volume create
controlroom-data` once on first install) AND uses that exact named
volume thereafter. Switching between `docker run -v controlroom-data:
/data` and `docker compose up` now lands on the same persistent state.
---
 deploy/docker-compose.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 1c1609b..57e6714 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -107,4 +107,11 @@ services:
       # CR_TRUST_PROXY: "true"   # set when behind a reverse proxy
 
 volumes:
+  # External so compose reuses the existing host-level volume instead of
+  # creating a project-namespaced one (`deploy_controlroom-data`). Without
+  # this, switching between `docker run -v controlroom-data:/data` and
+  # `docker compose up` silently lands on different volumes — operator's
+  # admin account, JWT key, and TLS material are stranded on the other
+  # volume and the SPA shows the first-run setup wizard.
   controlroom-data:
+    external: true

From c49b84e76e3e1c209429d9d6abf7d132b362fe03 Mon Sep 17 00:00:00 2001
From: tm4rtin17 <tm4rtin17@gmail.com>
Date: Sat, 9 May 2026 11:20:15 -0700
Subject: [PATCH 25/25] docs: changelog + D3/D4 + volume-external for v0.2
 release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add CHANGELOG.md (Keep-a-Changelog) covering v0.1.0 → v0.2.0. The
  Unreleased section is reserved for post-merge work on main.
- README features table: rewrite the Kubernetes row to mention
  D1 exec, D2 ConfigMap edit, D3 Secret view, D4 manifest editor.
  Add a CHANGELOG link to the doc index.
- docs/INSTALL.md: rewrite the in-cluster ClusterRole table (Phase A
  → D verbs grouped by phase that introduced them, with explicit
  exclusions); add the `docker volume create controlroom-data` step
  to the compose path now that the volume is `external: true`.
- docs/CONFIG.md: per-tab capability matrix gains rows for the K8s
  sub-features (exec, lifecycle, configmap edit, secret view,
  manifest edit) so operators can see which RBAC verbs each one
  needs.
- docs/SECURITY.md: in-cluster Pod section's RBAC table updated for
  the full Phases A→D verb set; per-Secret-read and per-manifest-edit
  audit rows called out; Known gaps refreshed (K8s tab moved from
  "open" to "closed in v0.2", multi-cluster + RBAC roles added as
  v0.3 candidates).

Audit re-run before this commit: zero secret-shaped strings introduced
across the 24 commits in v0.2; runtime data still under /var/lib/* outside
the repo; .claude/ still ignored.
---
 CHANGELOG.md     | 222 +++++++++++++++++++++++++++++++++++++++++++++++
 README.md        |   3 +-
 docs/CONFIG.md   |   5 ++
 docs/INSTALL.md  |  51 +++++++----
 docs/SECURITY.md |  84 +++++++++++-------
 5 files changed, 316 insertions(+), 49 deletions(-)
 create mode 100644 CHANGELOG.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..54d4efc
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,222 @@
+# Changelog
+
+All notable changes to ControlRoom are documented here. The format is loosely
+based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the
+project follows [Semantic Versioning](https://semver.org/) — minor releases
+(0.x.0) deliver feature work and may include backward-incompatible changes
+to deploy artifacts before 1.0.
+
+## [Unreleased]
+
+Tracks ongoing work on `main` after the v0.2 release.
+
+## [0.2.0] — 2026-05-09
+
+The Kubernetes release. Adds a full-feature Kubernetes management tab,
+turns the Docker container into an option that drives every host
+integration, fixes CI from end to end, and tightens up several rough
+edges discovered along the way.
+
+### Added — Kubernetes tab
+
+- **Phase A — read-only inventory**: list views for Nodes, Namespaces,
+  Workloads (Deployment / StatefulSet / DaemonSet), Pods, Services. Backed
+  by `client-go`. New `internal/k8s/` package with auto-detection of
+  in-cluster auth, `$KUBECONFIG`, `~/.kube/config`, and `/etc/rancher/k3s/k3s.yaml`
+  in that order. Capability-gated: `/api/system/capabilities` reports
+  `kubernetes: bool` so the SPA hides the tab when no cluster is reachable.
+  ([#9e2d3fe])
+- **Phase A — in-cluster deployment manifests** at `deploy/k8s/`:
+  Namespace + ServiceAccount + ClusterRole + ClusterRoleBinding +
+  Deployment + Service + Ingress + PVC. Pod runs as nonroot uid 65532,
+  drop ALL caps, readOnlyRootFilesystem. ([#9e2d3fe])
+- **Phase B — detail drawers + pod log streaming**: per-resource Sheet
+  drawers showing conditions, events, container statuses, etc. Live pod
+  log streaming via WebSocket, multi-container picker, pause/resume.
+  ([#dff99cc])
+- **Phase C — lifecycle actions**: restart workload (annotation patch),
+  scale Deployment / StatefulSet (UpdateScale subresource preserves
+  resourceVersion for optimistic concurrency), delete pod (controller-
+  recreate), cordon / uncordon node. Every action writes an audit row
+  with target + intent. ([#7755b9a])
+- **Phase D1 — pod exec**: SPDY → WebSocket bridge so the existing xterm
+  in the SPA can attach to any container. Frame protocol mirrors
+  `/ws/terminal` so the frontend cloned `Terminal.tsx` with minimal
+  changes. Container picker, command picker (`/bin/sh`/`/bin/bash`/
+  custom), audit on session start + end. ([#4ffa357])
+- **Phase D2 — ConfigMap viewer + editor**: list view; structured
+  key/value editor (validates DNS-1123 keys, enforces 1 MiB cap). Update
+  via PUT (not Patch) so resourceVersion conflicts surface as 409 with a
+  dedicated Reload UX instead of silent overwrite. ([#33d3b0c])
+- **Phase D3 — Secret viewer (read-only)**: list + masked detail viewer.
+  Eight fixed bullets regardless of value length so the DOM never leaks
+  size. Per-row reveal-on-click + copy-to-clipboard with insecure-context
+  fallback. JSON pretty-print and PEM detection. Every detail GET writes
+  a `k8s.secret.read` audit row carrying `key_count` only — never names
+  or values. RBAC widening is `secrets: get,list`; `watch` is
+  intentionally excluded so we don't keep a long-lived stream of all
+  cluster secret values open. ([#8bb8564])
+- **Phase D4 — Monaco YAML editor**: edit any of Deployment / StatefulSet /
+  DaemonSet / Service / ConfigMap as YAML. `metadata.{managedFields,
+  creationTimestamp,uid,resourceVersion,generation}` and the entire
+  `status` are stripped from the editable buffer; resourceVersion is sent
+  separately so optimistic concurrency works. Dry-run via
+  `metav1.DryRunAll` validates with admission webhooks before commit.
+  Apply requires AlertDialog confirmation. Monaco lazy-loaded via
+  `React.lazy` so the main bundle stays the same size. URL/body
+  cross-check (`kind` / `metadata.namespace` / `metadata.name` in YAML
+  must match URL params) prevents cross-resource attacks. ([#72b454d])
+
+### Added — non-Kubernetes
+
+- **Capability-gated navigation** (`/api/system/capabilities`): the SPA
+  hides Services, Containers, Kubernetes (and others) when their backend
+  isn't reachable instead of showing dead-end 503 pages. ([#395b640])
+- **Logs page falls back to Docker container logs** when journald isn't
+  available, with a Source toggle so the operator can view either.
+  ([#638fbdb])
+- **Tailscale CGNAT awareness** in the public-bind warning banner —
+  100.64.0.0/10 (RFC 6598) is treated as private. ([#638fbdb])
+- **Fat-privileged Docker deployment**: optional. The `deploy/docker-compose.yml`
+  flavor now runs as root with `network_mode: host`, `pid: host`,
+  `cap_add: SYS_ADMIN/SYS_PTRACE/NET_ADMIN`, and host bind mounts so
+  every host integration (Services, Updates, Network, Logs/journal,
+  Terminal, Kubernetes) works from a container. Image switches from
+  distroless to `debian:bookworm-slim` and grows from ~25 MB to ~230 MB.
+  Documented as the higher-blast-radius option; bare-metal install
+  remains the unprivileged path. ([#f52c126])
+- **Terminal — PAM-authenticated host login**: when `CR_HOST_SHELL=true`
+  and `CR_TERMINAL_LOGIN=true` (set by the fat-privileged compose), the
+  terminal spawns a host shell through `nsenter -t 1`. Operator types
+  username, then the spawned bash drops to nobody via `setpriv` and
+  `exec su -l <user>` runs full PAM authentication (lockouts and
+  `/var/log/auth.log` entries flow through normally). Without the
+  privilege drop, root invoking `su` would skip authentication. ([#2d353e7],
+  [#f0ca1f7], [#aca5187])
+- **`docs/CONFIG.md`**: new reference covering every `CR_*` env var, a
+  per-tab capability matrix across the three deployment shapes, per-shape
+  data paths, and capability-detection debugging. ([#f58ccf3])
+
+### Changed
+
+- **README, INSTALL, SECURITY** rewritten for the three deployment shapes
+  (bare-metal / fat-privileged container / in-cluster Pod) with explicit
+  compromise-impact statements per shape. ([#f58ccf3])
+- **`deploy/docker-compose.yml`** now declares `controlroom-data` as
+  `external: true` so `docker compose up` and raw `docker run -v
+  controlroom-data:/data` always land on the same persistent volume.
+  Without this, switching between the two silently created
+  `deploy_controlroom-data` and the operator's admin account vanished
+  on the next boot. First-time install now requires
+  `docker volume create controlroom-data`. ([#a4187c8])
+
+### Fixed
+
+- **Container-deployment Docker tab returned `null` for ports/labels**,
+  blanking the SPA. Initialize Docker `Container` slice/map fields to
+  non-nil empty values before JSON encoding. ([#74dd538])
+- **Network tab blank-screen** with the same nil-slice JSON
+  serialization bug. `Interface.IPs`, `Interface.Flags`, and
+  `UFWStatus.Rules` now default to `[]` not `null`. ([#83deeaa])
+- **Logs page returned 500** when running in the distroless container
+  (no `journalctl`). Now returns a clean 503 with a "switch to
+  Containers source or run on bare metal" message; the SPA shows the
+  real error instead of "Could not fetch logs." ([#638fbdb])
+- **Services / Containers tabs were dead-ends** when the host integration
+  was missing. Capability-gated nav now hides them. ([#395b640])
+
+### CI
+
+- The CI pipeline had been failing at workflow startup since v0.1 (the
+  `m9 polish` push to main also failed at 0s). Fixed in five steps:
+  - Pin Go version from `go.mod` instead of a hard-coded `1.23` that
+    drifted out of sync. ([#f7917ac])
+  - Block-scalar the awk format string in the image-size step. The
+    string `"image size: %.1f MB\n"` made YAML's plain-scalar parser
+    treat `image size:` as a key. ([#8ad0356])
+  - Track `web/package-lock.json` so `npm ci` works and the CI cache
+    step resolves; bump golangci-lint action `@v6` → `@v8` and pin to
+    v2.5.0 (built with Go 1.25). ([#675dbb9])
+  - Add a minimal `.golangci.yml` (v2 doesn't run anything without one);
+    fix the two real findings (redundant assignment in `internal/docker/fake.go`,
+    unused stub type in `internal/api/auth/auth.go`). ([#0673ce8])
+  - Align Dockerfile COPY path with vite's `outDir` —
+    `/src/web/dist` not `/src/internal/web/dist`. ([#c8fb01c])
+- Added `go vet ./...` as a separate step (faster feedback than running
+  the full test suite). Scoped `go test` to `./internal/... ./cmd/...`
+  so it doesn't descend into `web/node_modules/flatted/golang/pkg/flatted`
+  (an npm dep that ships an embedded `.go` file). ([#f7917ac])
+
+### Security
+
+- **Per-Secret-read audit** (`k8s.secret.read`): every detail GET, success
+  or failure, writes a row carrying `key_count` only. Recoverable
+  read-history without leaking what was read.
+- **Per-manifest-edit audit** (`k8s.manifest.apply` / `…dry_run`):
+  records `kind`, `namespace`, `name`, `bytes` of the YAML payload —
+  never the body itself.
+- **Secret value mass-leakage**: 8 fixed-length bullets in the SPA so
+  the DOM doesn't expose value length even when masked.
+- **Cross-resource attack on manifest edit**: server enforces that the
+  YAML's `kind` / `metadata.namespace` / `metadata.name` match the URL
+  params. ([#72b454d])
+
+### Migration notes
+
+- **Container deployment**: run `docker volume create controlroom-data`
+  once before `docker compose up`. The compose volume is now `external`.
+  If you upgraded mid-session and your data appears empty, the data is
+  most likely on `deploy_controlroom-data` (project-namespaced volume
+  created by the prior compose; the original is still on
+  `controlroom-data`).
+- **In-cluster deployment**: re-apply `deploy/k8s/rbac.yaml` to pick up
+  the widened verbs (`pods/exec: create`, `pods: delete`,
+  `nodes: patch`, `apps/*: patch,update`, `apps/*/scale: update`,
+  `services/configmaps: update`, `secrets: get,list`).
+
+[#9e2d3fe]: https://github.com/tm4rtin17/ControlRoom/commit/9e2d3fe
+[#dff99cc]: https://github.com/tm4rtin17/ControlRoom/commit/dff99cc
+[#7755b9a]: https://github.com/tm4rtin17/ControlRoom/commit/7755b9a
+[#4ffa357]: https://github.com/tm4rtin17/ControlRoom/commit/4ffa357
+[#33d3b0c]: https://github.com/tm4rtin17/ControlRoom/commit/33d3b0c
+[#8bb8564]: https://github.com/tm4rtin17/ControlRoom/commit/8bb8564
+[#72b454d]: https://github.com/tm4rtin17/ControlRoom/commit/72b454d
+[#395b640]: https://github.com/tm4rtin17/ControlRoom/commit/395b640
+[#638fbdb]: https://github.com/tm4rtin17/ControlRoom/commit/638fbdb
+[#f52c126]: https://github.com/tm4rtin17/ControlRoom/commit/f52c126
+[#2d353e7]: https://github.com/tm4rtin17/ControlRoom/commit/2d353e7
+[#f0ca1f7]: https://github.com/tm4rtin17/ControlRoom/commit/f0ca1f7
+[#aca5187]: https://github.com/tm4rtin17/ControlRoom/commit/aca5187
+[#f58ccf3]: https://github.com/tm4rtin17/ControlRoom/commit/f58ccf3
+[#a4187c8]: https://github.com/tm4rtin17/ControlRoom/commit/a4187c8
+[#74dd538]: https://github.com/tm4rtin17/ControlRoom/commit/74dd538
+[#83deeaa]: https://github.com/tm4rtin17/ControlRoom/commit/83deeaa
+[#f7917ac]: https://github.com/tm4rtin17/ControlRoom/commit/f7917ac
+[#8ad0356]: https://github.com/tm4rtin17/ControlRoom/commit/8ad0356
+[#675dbb9]: https://github.com/tm4rtin17/ControlRoom/commit/675dbb9
+[#0673ce8]: https://github.com/tm4rtin17/ControlRoom/commit/0673ce8
+[#c8fb01c]: https://github.com/tm4rtin17/ControlRoom/commit/c8fb01c
+
+## [0.1.0] — 2026-05-08
+
+Initial release. See [`MILESTONES.md`](./MILESTONES.md) for the full M1–M9
+breakdown.
+
+Highlights:
+
+- Single Go binary serving an embedded Vite/React SPA over HTTPS.
+- Tabs: Dashboard, Updates, Services, Containers, Terminal, Network,
+  Logs, Settings.
+- Auth: bcrypt(cost 12) + optional TOTP, HS256 access JWT (15 min) +
+  rotating opaque refresh tokens (7 days) with reuse detection,
+  per-IP rate limit + per-user backoff.
+- TLS modes: self-signed, Let's Encrypt (HTTP-01 via autocert), and
+  proxy.
+- Bare-metal installer (`deploy/install.sh`): hardened systemd unit,
+  scoped sudoers fragment, dedicated `controlroom` system user.
+- Docker Compose deployment as a (then-distroless) alternative.
+- Audit log for every privileged action; keystrokes never recorded.
+
+[Unreleased]: https://github.com/tm4rtin17/ControlRoom/compare/v0.2.0...HEAD
+[0.2.0]: https://github.com/tm4rtin17/ControlRoom/compare/v0.1.0...v0.2.0
+[0.1.0]: https://github.com/tm4rtin17/ControlRoom/releases/tag/v0.1.0
diff --git a/README.md b/README.md
index 136b3d2..64d8545 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ to replace routine SSH for the things you do over and over.
 | **Updates** | `apt list --upgradable`, one-click check/apply with live job streaming, reboot-required banner. | `apt`, `sudo`, `systemctl` |
 | **Services** | List / start / stop / restart / enable / disable systemd units; live `journalctl -fu` log tail. | dbus |
 | **Containers** | Docker (and Podman socket-compatible) list with Compose-project grouping; per-container live logs + CPU/MEM stats; lifecycle actions. | `/var/run/docker.sock` |
-| **Kubernetes** | Read-only cluster view: nodes, namespaces, workloads (Deployment / StatefulSet / DaemonSet), pods, services. Per-resource detail drawer with conditions + events. Live pod log streaming. *(Phase A + B; lifecycle actions in Phase C)* | client-go |
+| **Kubernetes** | Cluster management — list / detail / events for nodes, namespaces, workloads (Deployment/StatefulSet/DaemonSet), pods, services, configmaps, secrets. Pod log streaming. Pod **exec** in the browser (xterm.js + SPDY). Lifecycle actions: restart workload, scale, delete pod, cordon/uncordon node. ConfigMap structured key/value editor. Secret read-only viewer (masked-by-default, audited). Monaco-based **YAML editor** with server-side dry-run + conflict detection. | client-go |
 | **Terminal** | Full PTY in the browser via xterm.js. Either a local shell or — in container deployments — a real host shell after PAM login. | `/dev/pty`, `nsenter`, `su` |
 | **Network** | Read-only interfaces + UFW rules editor (add / delete / enable / disable). | `ip -j`, `ufw`, `sudo` |
 | **Logs** | journald browser with unit / priority / since / search filters and live tail. Falls back to streaming docker container logs when journald isn't reachable. | `journalctl`, `/var/run/docker.sock` |
@@ -118,6 +118,7 @@ docs/
 - [`docs/INSTALL.md`](./docs/INSTALL.md) — detailed install for all three shapes.
 - [`docs/CONFIG.md`](./docs/CONFIG.md) — every environment variable + which tabs need what.
 - [`docs/SECURITY.md`](./docs/SECURITY.md) — threat model and what's actually enforced.
+- [`CHANGELOG.md`](./CHANGELOG.md) — release-by-release feature + fix log.
 - [`SPEC.md`](./SPEC.md) — design spec.
 - [`MILESTONES.md`](./MILESTONES.md) — what shipped when.
 
diff --git a/docs/CONFIG.md b/docs/CONFIG.md
index 31e6c6b..c02bee0 100644
--- a/docs/CONFIG.md
+++ b/docs/CONFIG.md
@@ -72,6 +72,11 @@ What each tab needs to function, by deployment shape.
 | **Services** | dbus + `systemctl` | ✅ via dbus session | ✅ `/var/run/dbus/system_bus_socket` mounted | ❌ |
 | **Containers** | `/var/run/docker.sock` | ✅ if controlroom user is in `docker` group | ✅ socket mounted ro | ❌ |
 | **Kubernetes** | client-go with kubeconfig or in-cluster SA | ✅ if `kubectl` works as the controlroom user | ✅ `/etc/rancher/k3s/k3s.yaml` mounted | ✅ in-cluster ServiceAccount |
+| ↳ Pod **exec** | client-go remotecommand (SPDY) | ✅ | ✅ | ✅ requires `pods/exec: create` in ClusterRole |
+| ↳ Lifecycle actions | dynamic-client patch / scale / delete / node-patch | ✅ | ✅ | ✅ requires `patch`/`update`/`delete` per resource |
+| ↳ ConfigMap edit | dynamic-client update | ✅ | ✅ | ✅ requires `configmaps: update` |
+| ↳ Secret view (read-only) | typed-client get/list, base64 decoded server-side | ✅ | ✅ | ✅ requires `secrets: get,list` |
+| ↳ Manifest YAML edit | dynamic-client update with DryRunAll option | ✅ | ✅ | ✅ requires `update` on the editable kind |
 | **Terminal** | PTY + (optional) `nsenter`+`su` | ✅ shell as controlroom user | ✅ host shell via nsenter+PAM login | ❌ |
 | **Network** | `ip -j addr show`, `sudo ufw …` | ✅ via sudoers | ✅ via `network_mode: host` + NET_ADMIN | ❌ shows Pod's network ns only |
 | **Logs** | `journalctl` + (fallback) docker logs | ✅ via `adm` group | ✅ `/run/log/journal` + `/etc/machine-id` mounted | ❌ host journal not reachable |
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index fde29f0..839f2f8 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -151,6 +151,13 @@ If you want the Kubernetes tab to work in this shape, you also need:
 git clone https://github.com/tm4rtin17/ControlRoom.git
 cd ControlRoom
 
+# One-time: create the persistent data volume. The compose file declares
+# `controlroom-data` as `external: true` so docker compose reuses this
+# named volume instead of creating a project-namespaced one
+# (`deploy_controlroom-data`) — admin account, JWT key, and TLS material
+# would be stranded if the names diverged.
+docker volume create controlroom-data
+
 # Set DOCKER_GID for the compose file (only needed if you don't use
 # network_mode:host or run as root — the default compose runs as root and
 # doesn't need group_add, but it's still pulled from this var).
@@ -292,25 +299,33 @@ No kubeconfig is needed.
 
 ### What the ClusterRole grants
 
-Phase A + B — strictly read-only. See `deploy/k8s/rbac.yaml` for the
-canonical list:
-
-```yaml
-rules:
-  - apiGroups: [""]
-    resources: [nodes, namespaces, pods, services, configmaps, events, endpoints]
-    verbs: [get, list, watch]
-  - apiGroups: [""]
-    resources: [pods/log]
-    verbs: [get]
-  - apiGroups: ["apps"]
-    resources: [deployments, statefulsets, daemonsets, replicasets]
-    verbs: [get, list, watch]
-```
+The `controlroom-reader` ClusterRole was widened across Phases A → D as
+features landed. The current canonical version lives in
+`deploy/k8s/rbac.yaml`. Summary:
 
-No `secrets`, no `persistentvolumes`, no write verbs. Phase C will widen
-this to include `patch` and `delete` on Deployments / Pods for lifecycle
-actions.
+| Resource | Verbs | Phase | Used for |
+|---|---|---|---|
+| `nodes` / `namespaces` / `pods` / `services` / `configmaps` / `events` / `endpoints` | `get,list,watch` | A | List + detail views |
+| `apps/deployments` / `statefulsets` / `daemonsets` / `replicasets` | `get,list,watch` | A | Workload lists + detail |
+| `pods/log` | `get` | B | Pod log streaming |
+| `pods/exec` | `create` | D1 | Pod exec / shell-in-browser |
+| `pods` | `delete` | C | Delete pod (controller-recreate) |
+| `nodes` | `patch` | C | Cordon / uncordon |
+| `apps/deployments` / `statefulsets` / `daemonsets` | `patch,update` | C + D4 | Restart annotation + full YAML edit |
+| `apps/deployments/scale` / `statefulsets/scale` | `update` | C | Scale |
+| `services` / `configmaps` | `update` | D2 + D4 | ConfigMap edit + manifest YAML edit |
+| `secrets` | `get,list` (NOT `watch`) | D3 | Read-only viewer; intentionally narrow |
+
+**Explicitly excluded**: `secrets/watch` (would establish a long-lived
+stream of all cluster secrets — point-in-time reads + audit are
+preferred); `delete` on workloads (would let the SPA wipe a Deployment
+outside GitOps); `persistentvolumes` (cluster-scoped, dangerous);
+`create` on most resources (Phase D4 is edit-only — no create-from-
+nothing path).
+
+Every secret detail GET writes a `k8s.secret.read` audit row; every
+manifest apply writes a `k8s.manifest.apply` (or `…dry_run`) row. The
+audit table records *that* a secret was read, not what was in it.
 
 ### Accessing the SPA
 
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index a9a6a84..6f53ada 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -139,34 +139,49 @@ The Pod runs as:
   `/data` is the only writable mount, via the PVC).
 - `capabilities: { drop: [ALL] }`.
 
-Cluster permissions are scoped via the `controlroom-reader` `ClusterRole`:
-
-```yaml
-rules:
-  - apiGroups: [""]
-    resources: [nodes, namespaces, pods, services, configmaps, events, endpoints]
-    verbs: [get, list, watch]
-  - apiGroups: [""]
-    resources: [pods/log]
-    verbs: [get]
-  - apiGroups: ["apps"]
-    resources: [deployments, statefulsets, daemonsets, replicasets]
-    verbs: [get, list, watch]
-```
-
-**Explicitly excluded** from Phase A/B: `secrets`, `persistentvolumes`,
-`persistentvolumeclaims` (cluster-scoped), and **all write verbs**. Phase
-C will widen this to `patch`/`delete` on Deployments and Pods for
-lifecycle actions; it will not add `secrets` access without a separate
-opt-in.
+Cluster permissions are scoped via the `controlroom-reader` `ClusterRole`.
+The role grew in tightly-scoped steps as Phases A → D landed; the current
+shape is in `deploy/k8s/rbac.yaml`. Headline:
+
+| Resource | Verbs | Why |
+|---|---|---|
+| `nodes`/`namespaces`/`pods`/`services`/`configmaps`/`events`/`endpoints` | `get,list,watch` | Read views (Phase A) |
+| `apps/deployments`/`statefulsets`/`daemonsets`/`replicasets` | `get,list,watch` | Workload reads (A) |
+| `pods/log` | `get` | Pod log streaming (B) |
+| `pods/exec` | `create` | Browser exec (D1) |
+| `pods` | `delete` | Pod rotate (C) |
+| `nodes` | `patch` | Cordon/uncordon (C) |
+| `apps/deployments`/`statefulsets`/`daemonsets` | `patch,update` | Restart annotation + YAML edit (C + D4) |
+| `apps/deployments/scale`/`statefulsets/scale` | `update` | Scale (C) |
+| `services`/`configmaps` | `update` | Edit (D2 + D4) |
+| `secrets` | `get,list` only | Read-only viewer (D3) |
+
+**Explicitly excluded** at every phase boundary:
+- `secrets/watch` — would keep a long-lived stream of every cluster
+  secret value open. Point-in-time reads + per-read audit (see below)
+  are the trade.
+- `delete` on `apps/*` — would let the SPA wipe a Deployment / STS / DS
+  outside whatever GitOps tooling owns it.
+- `persistentvolumes` (cluster-scoped) and `persistentvolumeclaims`.
+- `create` on most resources — Phase D4's manifest editor is
+  edit-existing-only; there's no create-from-nothing path.
+
+**Per-read audit** for sensitive resources:
+- `k8s.secret.read` on every Secret detail GET (success or failure),
+  detail = `{"key_count": N}` only — never key names or values.
+- `k8s.manifest.apply` / `k8s.manifest.dry_run` on every YAML edit, with
+  `bytes` of the edited YAML but never the body itself.
 
 **Compromise impact**: an attacker who pwns the controlroom binary in
-this shape can read everything the ClusterRole grants — that's the cluster
-inventory, pod logs, and configmaps. They cannot mutate the cluster, read
-secrets, escape the Pod, or reach the host.
+this shape can read everything the ClusterRole grants (cluster inventory,
+pod logs, configmaps, secret values), and can mutate the limited write
+surface (rollout restart, scale, delete pod, cordon, configmap update,
+manifest YAML update on the 5 editable kinds). They **cannot** create
+new resources, delete workloads, watch secrets, escape the Pod, or
+reach the host. The audit log records who did what to which target.
 
-This is the lowest-risk shape but doesn't give you the host integrations
-(no Services / Updates / Network / Logs / host Terminal).
+This is still the lowest-risk shape vs. the fat-privileged container,
+just no longer "read-only" after Phase D.
 
 ## Audit
 
@@ -233,14 +248,23 @@ These are documented and tracked, not silently missing:
 - **Audit log retention/rotation**: grows unbounded today.
 - **HSTS / CSP headers**: planned for the next polish pass.
 - **Netplan editing**: read-only interfaces today.
-- **K8s lifecycle actions** (Phase C of the Kubernetes tab): scale,
-  restart, delete, cordon. Read-only through Phase A + B.
-- **K8s exec / manifest edit** (Phase D): kubectl-exec into pods, Monaco
-  editor for manifest YAML, ConfigMap and Secret editors. Separate auth
-  story to design.
 - **TLS-via-cert-manager** in the in-cluster shape: the default
   `deploy/k8s/ingress.yaml` leaves TLS as a TODO comment for the
   operator's chosen ClusterIssuer.
+- **RBAC user roles**: `users.role` is stored but not enforced — every
+  authenticated user has admin authority across all tabs. Real
+  multi-user RBAC is a v0.3 item.
+- **Multi-cluster Kubernetes**: the K8s tab targets exactly one cluster
+  (whatever the in-cluster SA reaches or the kubeconfig's first context
+  points at). No context switcher.
+
+Closed in v0.2 (these were gaps in v0.1):
+- **K8s tab**: Phases A–D shipped — read-only inventory, detail drawers,
+  pod log streaming, pod exec, lifecycle actions (restart / scale / delete /
+  cordon), ConfigMap and Secret viewers, Monaco YAML editor.
+- **Public-bind detection**: now treats Tailscale CGNAT (100.64.0.0/10)
+  as private so admins reaching ControlRoom over Tailscale don't see a
+  misleading warning.
 
 ## Reporting